also incorporated into many commercial security scanners (agencies can ask their security tool vendors if they provide the NVD CVSS scores within their products). NVD is publicly available, so any organization or individual may freely use its CVSS base scores. The NVD CVSS web page is available at http://nvd.nist.gov/cvss.cfm.

Having the base metric score listed for each CVE entry in NVD enables users to quickly determine the severity of each vulnerability. However, the lack of temporal and environmental metrics creates an incomplete picture. To remedy this, NVD provides a web-based CVSS version 2.0 calculator at http://nvd.nist.gov/cvss.cfm. By default, when selecting a vulnerability from the NVD and clicking on the “Base score” attribute, users are directed to the calculator and the base metric scores will be filled in automatically, leaving the temporal and environmental metrics to be completed by the user. The Base metrics can be altered by the user to suit their specific needs should the user choose to do so. Once all the information has been submitted, users are presented with an adjusted score that more directly reflects the impact of the vulnerability on their environment. Commercial tools may also offer the ability to customize NVD CVSS base scores with environment-specific information.

4.1.2 Modifying CVSS Scores Using FIPS 199 Ratings

CVSS was designed to be used by any organization. This flexibility is a noteworthy strength of the model, but it does require that different sectors and organizations approach the use of CVSS with consideration of their specific requirements. For Federal agencies, consideration of FIPS 199 is particularly important. FIPS 199 defines potential impact levels for the three security objectives defined by FISMA: confidentiality, integrity, and availability. The impact levels are defined as follows:

- The potential impact is low if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals
- The potential impact is moderate if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals

21 THE COMMON VULNERABILITY SCORING SYSTEM (CVSS) AND ITS APPLICABILITY TO FEDERAL AGENCY SYSTEMS

- The potential impact is high if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

As described in Section 2.3.3, CVSS generally follows these definitions for the impact subscore modifiers in the environmental metric, so Federal agencies can customize CVSS scores to apply to specific government systems.[8] However, CVSS does not require that these definitions be used and provides them merely as a default; organizations other than Federal agencies may choose to define the impact subscore modifiers in ways that more closely suit their particular business goals. For Federal agencies, the FIPS...
This document was uploaded on 03/19/2014 for the course IS 4799 at ITT Tech Flint.