Table 7. Exploitability Scoring Evaluation ... 9
Table 8. Remediation Level Scoring Evaluation ... 9
Table 9. Report Confidence Scoring Evaluation ... 10
Table 10. Collateral Damage Potential Scoring Evaluation ... 10
Table 11. Target Distribution Scoring Evaluation ... 11
Table 12. Security Requirements Scoring Evaluation ... 12
Table 13. Base, Temporal and Environmental Vectors ... 12

THE COMMON VULNERABILITY SCORING SYSTEM (CVSS) AND ITS APPLICABILITY TO FEDERAL AGENCY SYSTEMS

1. Introduction

Currently, IT management must identify and assess vulnerabilities across many disparate hardware and software platforms. They need to prioritize these vulnerabilities and remediate those that pose the greatest risk. But when there are so many to fix, with each being scored using different scales [2][3][4], how can IT managers convert this mountain of vulnerability data into actionable information?

The Common Vulnerability Scoring System (CVSS) is an open framework that addresses this issue. It offers the following benefits:

- Standardized Vulnerability Scores: When an organization normalizes vulnerability scores across all of its software and hardware platforms, it can leverage a single vulnerability management policy. This policy may be similar to a service level agreement (SLA) that states how quickly a particular vulnerability must be validated and remediated.

- Open Framework: Users can be confused when a vulnerability is assigned an arbitrary score. "Which properties gave it that score? How does it differ from the one released yesterday?" With CVSS, anyone can see the individual characteristics used to derive a score.

- Prioritized Risk: When the environmental score is computed, the vulnerability now becomes contextual. That is, vulnerability scores are now representative of the actual risk to an organization. Users know how important a given vulnerability is in relation to other vulnerabilities.

1.1 What is CVSS?

CVSS is composed of three metric groups: Base, Temporal, and Environmental, each consisting of a set of metrics, as shown in Figure 1.

Figure 1. CVSS Metric Groups

These metric groups are described as follows:

- Base: represents the intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments. Base metrics are discussed in Section 2.1.

- Temporal: represents the characteristics of a vulnerability that change over time but not among user environments. Temporal metrics are discussed in Section 2.2.

- Environmental: represents the characteristics of a vulnerability that are r...