NISTIR-7435


...vulnerability score. Vectors are further explained in Section 2.4.

[2] Certain commercial equipment, instruments, or materials are identified in this paper in order to adequately specify and describe the use of CVSS. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the materials, instruments, or equipment identified are necessarily the best available for the purpose.
[3] See http://www.dhs.gov/xinfoshare/programs/Copy_of_press_release_0046.shtm and http://isc.sans.org/.
[4] See http://cve.mitre.org/, http://cwe.mitre.org/index.html, and http://cwe.mitre.org/about/process.html.

THE COMMON VULNERABILITY SCORING SYSTEM (CVSS) AND ITS APPLICABILITY TO FEDERAL AGENCY SYSTEMS

[Figure 2. CVSS Metrics and Equations. Figure residue only: the Base Metrics feed the base equation f(x1, x2, ... xn), which yields the score (0 to 10) and the vector; the Temporal Metrics f(y1, y2, ... yn) and Environmental Metrics f(z1, z2, ... zn) are marked optional; "Exploitability" appears as a metric-group label.]

Optionally, the base score can be refined by assigning values to the temporal and environmental metrics. This is useful in order to provide additional context for a vulnerability by more accurately reflecting the risk posed by the vulnerability to a user's environment. However, this is not required. Depending on one's purpose, the base score and vector may be sufficient. If a temporal score is needed, the temporal equation will combine the temporal metrics with the base score to produce a temporal score ranging from 0 to 10. Similarly, if an environmental score is needed, the environmental equation will combine the environmental metrics with the temporal score to produce an environmental score ranging from 0 to 10. Base, temporal and environmental equations are fully described in Section 3.2.

1.4 Who Performs the Scoring?

Generally, the base and temporal metrics are specified by vulnerability bulletin analysts, security product vendors, or application vendors because they typically have better information about the characteristics of a vulnerability than do users. However, CVSS was designed to make it easy for users to check a vendor's calculations if desired. The environmental metrics are specified by users because users are best able to assess the potential impact of a vulnerability within their own environments. Environmental metrics, in particular the impact subscore modifiers, have a direct correlation to the security categories and ratings defined in FIPS 199. Section 4 of this document provides details on how agencies can use FIPS 199 to achieve accurate and compliant results when determining values for the environmental metrics.

1.5 Who Owns CVSS?

CVSS is under the custodial care of the Forum of Incident Response and Security Teams (FIRST).[5] However, it is a completely free and open standard. No organization "owns" CVSS and membership in FIRST is not required to use or implement CVSS. FIRST's only request is that those organizations who...

This document was uploaded on 03/19/2014 for the course IS 4799 at ITT Tech Flint.
