THE COMMON VULNERABILITY SCORING SYSTEM (CVSS) AND ITS APPLICABILITY TO FEDERAL AGENCY SYSTEMS

...n help organizations identify vulnerability trends. Ideally, with an effective security program, organizations will see improvements in their vulnerability metrics over time.

6. Appendix A—Additional Resources for Federal Agencies

Below, we present resources that may be useful to Federal agencies and other organizations implementing CVSS.

- Vulnerability bulletins are helpful when searching for detailed information about a particular vulnerability. The National Institute of Standards and Technology (NIST) maintains the National Vulnerability Database (NVD), a vulnerability bulletin web site that includes CVSS base scores. NIST publishes these bulletins on the web and also as XML and RSS feeds, free for use. They can be found at http://nvd.nist.gov/nvd.cfm and http://nvd.nist.gov/download.cfm#XML, respectively.

- CVSS calculators are helpful when computing your own base, temporal or environmental scores. The NIST CVSSv2 calculator can be found at http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2.

8. Appendix C—Acronyms and Abbreviations

This appendix contains selected acronyms and abbreviations used in the publication.

A        Adjacent Network
A        Availability
AC       Access Complexity
AR       Availability Requirement
ASN.1    Abstract Syntax Notation 1
AU       Authentication
AV       Access Vector

C        Complete
C        Confidentiality
C        Confirmed
CDP      Collateral Damage Potential
CERT/CC  CERT Coordination Center
CR       Confidentiality Requirement
CVE      Common Vulnerabilities and Exposures
CWE      Common Weakness Enumeration
CVSS     Common Vulnerability Scoring System

DMA      Direct Memory Access
DNS      Domain Name System

E        Exploitability

F        Functional
FIPS     Federal Information Processing Standards
FIRST    Forum of Incident Response and Security Teams
FISMA    Federal Information Security Management Act
FTP      File Transfer Protocol

H        High

I        Integrity
IEEE     Institute of Electrical and Electronics Engineers
IP       Internet Protocol
IR       Integrity Requirement
IT       Information Technology
ITL      Information Technology Laboratory

L        Local
L        Low
LM       Low-Medium

M        Medium
M        Multiple
MH       Medium-High

N        Network
N        None
ND       Not Defined
NIAC     National Infrastructure Advisory Council
NIST     National Institute of Standards and Technology
NISTIR   National Institute of Standards and Technology Interagency Report
NVD      National Vulnerability Database

OF       Official Fix
OMB      Office of Management and Budget
OSVDB    Open Source Vulnerability Database

P        Partial
PAM      Pluggable Authentication Module
POC      Proof of Concept

RC       Report Confidence
RL       Remediation Level
RPC      Remote Procedure Call

S        Single
SCAP     Security Content Automation Protocol
SLA      Service Level Agreement

TD       Target Distribution
TF       Temporary Fix

U        Unavailable
U        Unproven
UC       Unconfirmed
UR       Uncorroborated
URL      Uniform Resource Locator
US-CERT  United States Computer Emergency Readiness Team
USB      Universal Serial Bus

W        Workaround

XML      Extensible Markup Language