The attacker is able to modify any files on the


The attacker is able to modify any files on the target system.

2.1.6 Availability Impact (A)

This metric measures the impact to availability of a successfully exploited vulnerability. Availability refers to the accessibility of information resources. Attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system. The possible values for this metric are listed in Table 6. Increased availability impact increases the vulnerability score.

Table 6. Availability Impact Scoring Evaluation

| Metric Value | Description |
|---|---|
| None (N) | There is no impact to the availability of the system. |
| Partial (P) | There is reduced performance or interruptions in resource availability. An example is a network-based flood attack that permits a limited number of successful connections to an Internet service. |
| Complete (C) | There is a total shutdown of the affected resource. The attacker can render the resource completely unavailable. |

2.2 Temporal Metrics

The threat posed by a vulnerability may change over time. Three such factors that CVSS captures are: confirmation of the technical details of a vulnerability, the remediation status of the vulnerability, and the availability of exploit code or techniques. Since temporal metrics are optional, they each include a metric value that has no effect on the score. This value is used when the user feels the particular metric does not apply and wishes to “skip over” it.

2.2.1 Exploitability (E)

This metric measures the current state of exploit techniques or code availability. Public availability of easy-to-use exploit code increases the number of potential attackers by including those who are unskilled, thereby increasing the severity of the vulnerability. Initially, real-world exploitation may only be theoretical. Publication of proof of concept code, functional exploit code, or sufficient technical details necessary to exploit the vulnerability may follow. Furthermore, the exploit code available may progress from a proof-of-concept demonstration to exploit code that is successful in exploiting the vulnerability consistently. In severe cases, it may be delivered as the payload of a network-based worm or virus. The possible values for this metric are listed in Table 7. The more easily a vulnerability can be exploited, the higher the vulnerability score.

THE COMMON VULNERABILITY SCORING SYSTEM (CVSS) AND ITS APPLICABILITY TO FEDERAL AGENCY SYSTEMS

Table 7. Exploitability Scoring Evaluation

| Metric Value | Description |
|---|---|
| Unproven (U) | No exploit code is available, or an exploit is entirely theoretical. |
| Proof-of-Concept (POC) | Proof-of-concept exploit code or an attack demonstration that is not practical for most systems is available. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker. |
| Functional (F) | Functional exploit code is available. The code works in most situations where the vulnerability exists. |
| High (H) | Either the vulnerability is exploitable by functional mo... |