This preview shows page 1. Sign up to view the full content.
Unformatted text preview: e, temporal, and environmental metrics.
2.1 Base Metrics The base metric group captures the characteristics of a vulnerability that are constant with time and across
user environments. The Access Vector, Access Complexity, and Authentication metrics capture how the
vulnerability is accessed and whether or not extra conditions are required to exploit it. The three impact
metrics measure how a vulnerability, if exploited, will directly affect an IT asset, where the impacts are
independently defined as the degree of loss of confidentiality, integrity, and availability. For example, a
vulnerability could cause a partial loss of integrity and availability, but no loss of confidentiality.
2.1.1 Access Vector (AV) This metric reflects how the vulnerability is exploited. The possible values for this metric are listed in
Table 1. The more remote an attacker can be to attack a host, the greater the vulnerability score.
Table 1. Access Vector Scoring Evaluation
Value Description Local (L) A vulnerability exploitable with only local access requires the attacker to have either physical
access to the vulnerable system or a local (shell) account. Examples of locally exploitable
vulnerabilities are peripheral attacks such as Firewire/USB DMA attacks, and local privilege
escalations (e.g., sudo). Adjacent
Network (A) A vulnerability exploitable with adjacent network access requires the attacker to have access to
either the broadcast or collision domain of the vulnerable software. Examples of local networks
include local IP subnet, Bluetooth, IEEE 802.11, and local Ethernet segment. Network (N) A vulnerability exploitable with network access means the vulnerable software is bound to the
network stack and the attacker does not require local network access or local access. Such a
vulnerability is often termed “remotely exploitable”. An example of a network attack is an RPC
buffer overflow. 2.1.2 Access Complexity (AC) This metric measures the complexity of the attack required to exploit the vulnerability once an attacker
has gained access to the target system. For example, consider a buffer overflow in an Internet service:
once the target system is located, the attacker can launch an exploit at will.
Other vulnerabilities, however, may require additional steps in order to be exploited. For example, a
vulnerability in an email client is only exploited after the user downloads and opens a tainted attachment.
The possible values for this metric are listed in Table 2. The lower the required complexity, the higher
the vulnerability score. 5 THE COMMON VULNERABILITY SCORING SYSTEM (CVSS) AND ITS APPLICABILITY TO FEDERAL AGENCY SYSTEMS Table 2. Access Complexity Scoring Evaluation
High (H) Description
Specialized access conditions exist. For example:
• The attack depends on social engineering methods that would be easily detected by
knowledgeable people. For example, the victim must perform several suspicious or atypical
actions. • The vulnerable configuration is seen very rarely in...
View Full Document
- Spring '14