High (H): Either the vulnerability is exploitable by

bile autonomous code, or no exploit is required (manual trigger) and details are widely available. The code works in every situation, or is actively being delivered via a mobile autonomous agent (such as a worm or virus).

Not Defined (ND): Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric.

2.2.2 Remediation Level (RL)

The remediation level of a vulnerability is an important factor for prioritization. The typical vulnerability is unpatched when initially published. Workarounds or hotfixes may offer interim remediation until an official patch or upgrade is issued. Each of these respective stages adjusts the temporal score downwards, reflecting the decreasing urgency as remediation becomes final. The possible values for this metric are listed in Table 8. The less official and permanent a fix, the higher the vulnerability score is.

Table 8. Remediation Level Scoring Evaluation

Metric Value: Description
Official Fix (OF): A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available.
Temporary Fix (TF): There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool, or workaround.
Workaround (W): There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate the vulnerability.
Unavailable (U): There is either no solution available or it is impossible to apply.
Not Defined (ND): Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric.

2.2.3 Report Confidence (RC)

This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details. Sometimes, only the existence of a vulnerability is publicized, without specific details.
The vulnerability may later be corroborated and then confirmed through acknowledgement by the author or vendor of the affected technology. The urgency of a vulnerability is higher when a vulnerability is known to exist with certainty. This metric also suggests the level of technical knowledge available to would-be attackers. The possible values for this metric are listed in Table 9. The more a vulnerability is validated by the vendor or other reputable sources, the higher the score.

9 THE COMMON VULNERABILITY SCORING SYSTEM (CVSS) AND ITS APPLICABILITY TO FEDERAL AGENCY SYSTEMS

Table 9. Report Confidence Scoring Evaluation

Metric Value: Description
Unconfirmed (UC): There is a single unconfirmed source or possibly multiple conflicting reports. There is little confidence in the validity of the reports. An example is a rumor that surfaces from the hacker underground.
Uncorroborated (UR): There are multiple non-official sources, possibly including independent security companies or research organizations. At this point there may be conflicting technical details or some other lingering ambiguity.
Con...
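Worked example (added here, not part of the NIST document): how the three temporal metrics described above adjust a base score, using the temporal equation and multiplier values from the CVSS v2 specification (the excerpt itself does not list the numbers), with Not Defined (ND) mapping to 1.0 so that the metric is skipped, and a helper that walks a score through the remediation stages of Table 8 to show the downward adjustment as a fix becomes final. The base scores and vectors used in main() are constructed sample inputs.

```python
"""CVSS v2 temporal score: TemporalScore = round_to_1_decimal(Base * E * RL * RC).

Multipliers are the published CVSS v2 values (from the CVSS v2 guide, not from
this excerpt). Not Defined (ND) is 1.0: it does not change the score.
"""
from decimal import Decimal, ROUND_HALF_UP

EXPLOITABILITY = {"U": "0.85", "POC": "0.9", "F": "0.95", "H": "1.0", "ND": "1.0"}
REMEDIATION_LEVEL = {"OF": "0.87", "TF": "0.90", "W": "0.95", "U": "1.0", "ND": "1.0"}
REPORT_CONFIDENCE = {"UC": "0.90", "UR": "0.95", "C": "1.0", "ND": "1.0"}


def _round1(value: Decimal) -> float:
    """round_to_1_decimal as the CVSS v2 equations define it (half-up, one decimal)."""
    return float(value.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def temporal_score(base_score: float, e: str = "ND", rl: str = "ND", rc: str = "ND") -> float:
    """Apply the three temporal multipliers to a base score; Decimal avoids float drift."""
    product = (Decimal(str(base_score))
               * Decimal(EXPLOITABILITY[e])
               * Decimal(REMEDIATION_LEVEL[rl])
               * Decimal(REPORT_CONFIDENCE[rc]))
    return _round1(product)


def parse_temporal_vector(vector: str) -> dict:
    """Parse the temporal portion of a CVSS v2 vector, e.g. 'E:F/RL:W/RC:UR'."""
    metrics = {}
    for part in vector.split("/"):
        name, _, value = part.partition(":")
        if name not in ("E", "RL", "RC") or not value:
            raise ValueError(f"unexpected temporal metric: {part!r}")
        metrics[name] = value
    return metrics


def score_from_vector(base_score: float, vector: str) -> float:
    """Temporal score for a base score and a temporal vector string; missing metrics are ND."""
    m = parse_temporal_vector(vector)
    return temporal_score(base_score, m.get("E", "ND"), m.get("RL", "ND"), m.get("RC", "ND"))


def remediation_progression(base_score: float, e: str = "H", rc: str = "C") -> dict:
    """Score at each Remediation Level stage: less official fixes keep the score higher."""
    return {rl: temporal_score(base_score, e, rl, rc) for rl in ("U", "W", "TF", "OF")}


if __name__ == "__main__":
    # Constructed sample inputs: a 10.0 base with a confirmed, fully exploitable bug, and a
    # 7.5 base whose temporal metrics move from "unknown" to a partially remediated state.
    print(remediation_progression(10.0))                 # U 10.0 -> W 9.5 -> TF 9.0 -> OF 8.7
    print(score_from_vector(7.5, "E:ND/RL:ND/RC:ND"))    # all ND: base score unchanged, 7.5
    print(score_from_vector(7.5, "E:F/RL:W/RC:UR"))      # 7.5 * 0.95^3 = 6.43 -> 6.4
```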
This document was uploaded on 03/19/2014 for the course IS 4799 at ITT Tech Flint.
