At this point there may be conflicting technical


Confirmed (C)      The vulnerability has been acknowledged by the vendor or author of the affected technology. The vulnerability may also be “Confirmed” when its existence is confirmed from an external event such as publication of functional or proof-of-concept exploit code or widespread exploitation.
Not Defined (ND)   Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric.

2.3 Environmental Metrics

Different environments can have an immense bearing on the risk that a vulnerability poses to an organization and its stakeholders. The CVSS environmental metric group captures the characteristics of a vulnerability that are associated with a user’s IT environment. Since environmental metrics are optional, they each include a metric value that has no effect on the score. This value is used when the user feels the particular metric does not apply and wishes to “skip over” it.

2.3.1 Collateral Damage Potential (CDP)

This metric measures the potential for loss of life or physical assets through damage or theft of property or equipment. The metric may also measure economic loss of productivity or revenue. The possible values for this metric are listed in Table 10. Naturally, the greater the damage potential, the higher the vulnerability score. Clearly, each organization must determine for itself the precise meaning of “slight, moderate, significant, and catastrophic.”

Table 10. Collateral Damage Potential Scoring Evaluation

Metric Value       Description
None (N)           There is no potential for loss of life, physical assets, productivity or revenue.
Low (L)            A successful exploit of this vulnerability may result in slight physical or property damage. Or, there may be a slight loss of revenue or productivity to the organization.
Low-Medium (LM)    A successful exploit of this vulnerability may result in moderate physical or property damage. Or, there may be a moderate loss of revenue or productivity to the organization.
Medium-High (MH)   A successful exploit of this vulnerability may result in significant physical or property damage or loss. Or, there may be a significant loss of revenue or productivity.
High (H)           A successful exploit of this vulnerability may result in catastrophic physical or property damage and loss. Or, there may be a catastrophic loss of revenue or productivity.
Not Defined (ND)   Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric.

2.3.2 Target Distribution (TD)

This metric measures the proportion of vulnerable systems. It is meant as an environment-specific indicator in order to approximate the percentage of systems that could be affected by the vulnerability.

10 THE COMMON VULNERABILITY SCORING SYSTEM (CVSS) AND ITS APPLICABILITY TO FEDERAL AGENCY SYSTEMS

The possible values for this metric are listed in Table 11. The greater the proportion of vulnerable systems, the higher the score.

Table 11. Target Distribution Scoring Evaluation

Metric Value       Description
None (N)           No target systems exi...
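The excerpt describes CDP and TD qualitatively; what an analyst usually wants to see is how those two choices (and the “Not Defined” skip value) actually move a score. The calculator below is an added example written for this page, not code from the NIST report or from FIRST. The numeric weights and the base/temporal/environmental equations it uses are the ones in the CVSS v2 specification (the version the excerpt's metric names belong to); the security requirement metrics CR/IR/AR are part of the same environmental group in that specification but are not shown in the excerpt, so they default to Not Defined here. The input vectors in the usage section are constructed samples, not vulnerabilities scored by the report.

```python
"""CVSS v2 base, temporal and environmental scoring (added example).

Weights and equations follow the CVSS v2 specification. The two points the
excerpt makes that are easy to get wrong in practice:
  * CDP "Not Defined" weighs 0.0 (no uplift), but TD "Not Defined" weighs
    1.0 (no reduction) -- both mean "skip this metric", with different
    neutral values.
  * TD "None" multiplies the whole environmental score by 0, so a correct
    score of 0.0 can be produced by an environment with no vulnerable hosts.
"""
import math

# Base metric weights (CVSS v2).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}
# Temporal metric weights; ND is the "skip" value with no effect.
E = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}
RL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}
RC = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}
# Environmental metric weights (Tables 10 and 11 of the excerpt map to CDP/TD).
CDP = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}
TD = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}
REQ = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}  # CR / IR / AR

# Optional metrics default to Not Defined when absent from the vector.
DEFAULTS = {"E": "ND", "RL": "ND", "RC": "ND",
            "CDP": "ND", "TD": "ND", "CR": "ND", "IR": "ND", "AR": "ND"}


def round1(x):
    """Round to one decimal, halves up (CVSS v2 convention), without
    float-representation surprises such as 9.15 rounding down."""
    return math.floor(x * 10 + 0.5 + 1e-9) / 10


def parse_vector(vector):
    """Parse 'AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/.../CDP:H/TD:H' into a dict."""
    m = dict(DEFAULTS)
    for part in vector.split("/"):
        key, sep, val = part.partition(":")
        if not sep:
            raise ValueError("malformed metric %r" % part)
        m[key] = val
    missing = {"AV", "AC", "Au", "C", "I", "A"} - m.keys()
    if missing:
        raise ValueError("base metrics missing: %s" % sorted(missing))
    return m


def _impact(m, adjusted=False):
    c, i, a = IMPACT[m["C"]], IMPACT[m["I"]], IMPACT[m["A"]]
    if adjusted:  # environmental: weight each impact by its requirement
        c, i, a = c * REQ[m["CR"]], i * REQ[m["IR"]], a * REQ[m["AR"]]
    score = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    return min(10.0, score) if adjusted else score


def _base(m, adjusted=False):
    impact = _impact(m, adjusted)
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f = 0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f)


def _temporal(m, adjusted=False):
    return round1(_base(m, adjusted) * E[m["E"]] * RL[m["RL"]] * RC[m["RC"]])


def environmental_score(m):
    """(AdjustedTemporal + (10 - AdjustedTemporal) * CDP) * TD, rounded."""
    adj_temporal = _temporal(m, adjusted=True)
    return round1((adj_temporal + (10 - adj_temporal) * CDP[m["CDP"]]) * TD[m["TD"]])


def scores(vector):
    """Return (base, temporal, environmental) for a CVSS v2 vector string."""
    m = parse_vector(vector)
    return _base(m), _temporal(m), environmental_score(m)


if __name__ == "__main__":
    # Constructed sample vectors: one remotely exploitable, full-impact issue
    # scored under several environments. Same base and temporal score each
    # time; only CDP/TD change.
    common = "AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C"
    for env in ("", "/CDP:H/TD:H", "/CDP:H/TD:M", "/CDP:H/TD:N", "/CDP:ND/TD:ND"):
        print("%-16s base/temporal/env = %s" % (env or "(no env)", scores(common + env)))
```

Reading the output side by side makes the excerpt's point concrete: with every environmental metric Not Defined the environmental score simply equals the temporal score, High collateral damage on a fully deployed target population lifts it toward 10, a Medium target distribution pulls it back down, and a None target distribution collapses it to 0.0 regardless of the base vector.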