FIRST's only request is that those organizations who publish scores conform to the guidelines described in this document and provide both the score and the scoring vector (described below) so others can understand how the score was derived.[5]

[5] See www.first.org/cvss.

THE COMMON VULNERABILITY SCORING SYSTEM (CVSS) AND ITS APPLICABILITY TO FEDERAL AGENCY SYSTEMS

1.6 Who is Using CVSS?

Many organizations are using CVSS, and each is finding value in different ways. Below are some examples:

• Vulnerability Bulletin Providers: Both non-profit and commercial organizations publish CVSS base and temporal scores and vectors in their free vulnerability bulletins. These bulletins offer much information, including the date of discovery, the systems affected, and links to vendors for patching recommendations.

• Software Application Vendors: Software application vendors provide CVSS base scores and vectors to their customers. This helps them communicate the severity of vulnerabilities in their products and helps their customers manage their IT risk effectively.

• User Organizations: Many private-sector organizations use CVSS internally to make informed vulnerability management decisions. They use scanners or monitoring technologies to first locate host and application vulnerabilities, then combine that data with CVSS base, temporal, and environmental scores to obtain more contextual risk information and remediate the vulnerabilities that pose the greatest risk to their systems.

• Vulnerability Scanning and Management: Vulnerability management organizations scan networks for IT vulnerabilities and provide CVSS base scores for every vulnerability on each host. User organizations use this data stream to manage their IT infrastructures more effectively, reducing outages and protecting against malicious and accidental IT threats.

• Security (Risk) Management: Security risk management firms use CVSS scores as input to calculating an organization's risk or threat level. These firms use sophisticated applications that often integrate with an organization's network topology, vulnerability data, and asset database to give their customers a more informed perspective of their risk level.

• Researchers: The open framework of CVSS enables researchers to perform statistical analysis on vulnerabilities and vulnerability properties.

1.7 Quick Definitions

Throughout this document the following definitions are used:

• Vulnerability: a bug, flaw, weakness, or exposure of an application, system, device, or service that could lead to a failure of confidentiality, integrity, or availability.

• Threat: the likelihood or frequency of a harmful event occurring.

• Risk: the relative impact that an exploited vulnerability would have on a user's environment.

2. CVSS Metrics and Metric Groups

This section defines the metrics that comprise the CVSS version 2 standard. The metrics are organized into three groups: bas...

This document was uploaded on 03/19/2014 for the course IS 4799 at ITT Tech Flint.
