y any files on the
target system.

2.1.6 Availability Impact (A)

This metric measures the impact to availability of a successfully exploited vulnerability. Availability refers to the accessibility of information resources. Attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system. The possible values for this metric are listed in Table 6. Increased availability impact increases the vulnerability score.
Table 6. Availability Impact Scoring Evaluation

Value | Description
None (N) | There is no impact to the availability of the system.
Partial (P) | There is reduced performance or interruptions in resource availability. An example is a network-based flood attack that permits a limited number of successful connections to an Internet service.
Complete (C) | There is a total shutdown of the affected resource. The attacker can render the resource completely unavailable.

2.2 Temporal Metrics

The threat posed by a vulnerability may change over time. Three such factors that CVSS captures are: confirmation of the technical details of a vulnerability, the remediation status of the vulnerability, and the availability of exploit code or techniques. Since temporal metrics are optional, they each include a metric value that has no effect on the score. This value is used when the user feels the particular metric does not apply and wishes to “skip over” it.
2.2.1 Exploitability (E)

This metric measures the current state of exploit techniques or code availability. Public availability of easy-to-use exploit code increases the number of potential attackers by including those who are unskilled, thereby increasing the severity of the vulnerability. Initially, real-world exploitation may only be theoretical. Publication of proof-of-concept code, functional exploit code, or sufficient technical details necessary to exploit the vulnerability may follow. Furthermore, the exploit code available may progress from a proof-of-concept demonstration to exploit code that is successful in exploiting the vulnerability consistently. In severe cases, it may be delivered as the payload of a network-based worm or virus. The possible values for this metric are listed in Table 7. The more easily a vulnerability can be exploited, the higher the vulnerability score.

8 THE COMMON VULNERABILITY SCORING SYSTEM (CVSS) AND ITS APPLICABILITY TO FEDERAL AGENCY SYSTEMS

Table 7. Exploitability Scoring Evaluation
Metric Value | Description
Unproven (U) | No exploit code is available, or an exploit is entirely theoretical.
Proof-of-Concept (POC) | Proof-of-concept exploit code or an attack demonstration that is not practical for most systems is available. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker.
Functional (F) | Functional exploit code is available. The code works in most situations where the vulnerability exists.
High (H) | Either the vulnerability is exploitable by functional mo...