                              [Complete]             (0.66)
----------------------------------------------------
FORMULA                                   BASE SCORE
----------------------------------------------------
Impact = 10.41*(1-(0.34*0.34*0.34)) == 10.0
Exploitability = 20*0.35*0.704*0.395 == 1.9
f(Impact) = 1.176
BaseScore = ((0.6*10)+(0.4*1.9)-1.5)*1.176 == (6.2)
----------------------------------------------------
----------------------------------------------------
TEMPORAL METRIC               EVALUATION       SCORE
----------------------------------------------------
Exploitability                [Proof-Of-Concept] (0.90)
Remediation Level             [Official-Fix]     (0.87)
Report Confidence             [Confirmed]        (1.00)
----------------------------------------------------
FORMULA                               TEMPORAL SCORE
----------------------------------------------------
round(6.2 * 0.90 * 0.87 * 1.00) == (4.9)
----------------------------------------------------
----------------------------------------------------
ENVIRONMENTAL METRIC          EVALUATION       SCORE
----------------------------------------------------
Collateral Damage Potential   [None - High]   {0 - 0.5}
Target Distribution           [None - High]   {0 - 1.0}
Confidentiality Req.          [Medium]           (1.0)
Integrity Req.                [Medium]           (1.0)
Availability Req.             [Medium]           (1.0)
----------------------------------------------------
FORMULA                          ENVIRONMENTAL SCORE
----------------------------------------------------
AdjustedTemporal == 4.9
EnvScore = round((4.9+(10-4.9)*{0-0.5})*{0-1}) == (0.00 - 7.5)
----------------------------------------------------

THE COMMON VULNERABILITY SCORING SYSTEM (CVSS) AND ITS APPLICABILITY TO FEDERAL AGENCY SYSTEMS

4. CVSS Applicability to Federal Information Systems

This section describes the applicability of CVSS to U.S. Federal government systems. It first discusses NIST’s National Vulnerability Database (NVD), and then explains how organizations can incorporate Federal Information Processing Standards (FIPS) 199 impact ratings into their CVSS scores. It ends with a brief discussion of the Security Content Automation Protocol (SCAP).
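The scoring chain in the worked example above (base, temporal, then environmental with security requirements) can be reproduced as follows. This is an added example, not code from the NIST document; the function names are hypothetical, and the Low (0.5) and High (1.51) requirement weights are the CVSS v2 values, which the page itself does not show.

```python
from decimal import Decimal as D, ROUND_HALF_UP

def r1(x):
    """round_to_1_decimal, half-up on exact decimals (avoids float drift at 7.45)."""
    return x.quantize(D("0.1"), rounding=ROUND_HALF_UP)

def impact(c, i, a, cr=D(1), ir=D(1), ar=D(1)):
    # Requirements of 1.0 give the plain Impact sub-score.
    return D("10.41") * (1 - (1 - c * cr) * (1 - i * ir) * (1 - a * ar))

def base(imp, expl):
    f = D(0) if imp == 0 else D("1.176")
    return r1((D("0.6") * imp + D("0.4") * expl - D("1.5")) * f)

def temporal(base_score, e, rl, rc):
    return r1(base_score * e * rl * rc)

def environmental(cdp, td, cr=D(1), ir=D(1), ar=D(1)):
    # AdjustedImpact is capped at 10, then base and temporal are recomputed.
    adj_impact = min(D(10), impact(C, I, A, cr, ir, ar))
    adj_temporal = temporal(base(adj_impact, EXPL), E, RL, RC)
    return r1((adj_temporal + (10 - adj_temporal) * cdp) * td)

# Weights copied from the worked example on this page.
C = I = A = D("0.66")
EXPL = 20 * D("0.35") * D("0.704") * D("0.395")
E, RL, RC = D("0.90"), D("0.87"), D("1.00")
LOW, HIGH = D("0.5"), D("1.51")   # CVSS v2 requirement weights; not shown on the page

def worked_example():
    b = base(impact(C, I, A), EXPL)
    return {
        "base": b,
        "temporal": temporal(b, E, RL, RC),
        "env_min": environmental(cdp=D(0), td=D(0)),
        "env_max": environmental(cdp=D("0.5"), td=D(1)),
        "env_max_low_req": environmental(D("0.5"), D(1), LOW, LOW, LOW),
        "env_max_high_req": environmental(D("0.5"), D(1), HIGH, HIGH, HIGH),
    }

if __name__ == "__main__":
    for name, score in worked_example().items():
        print(f"{name:18} {score}")
```

Raising all three requirements to High leaves the maximum environmental score unchanged because the adjusted impact is already capped at 10, while lowering them to Low reduces it.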
4.1.1 The National Vulnerability Database CVSS Scores

The NIST National Vulnerability Database (NVD) is a comprehensive cyber security vulnerability database that integrates all publicly available U.S. government vulnerability resources and provides references to industry resources. The NVD Web site is located at http://nvd.nist.gov/. NVD is based on and synchronized with the Common Vulnerabilities and Exposures (CVE) vulnerability dictionary of software flaws applicable to U.S. government systems. NVD provides vulnerability summaries for all CVE vulnerabilities. NVD includes a fine-grained search engine that allows users to search for vulnerabilities by various characteristics. For all of these vulnerabilities, NVD uses the scoring guidelines in this document to create CVSS base metric scores.

A CVE identifier is assigned to each new vulnerability. NVD analysts review the new vulnerability, assign a CVSS base score and then add the information to the corresponding CVE entry within the database. The CVSS base scores in the NVD are available for use by Federal agencies, so that they do not have to manually calculate their own base scores. These scores are...
