From the course: Ethical Hacking: Vulnerability Analysis

Common Vulnerability Scoring System


- [Instructor] Vulnerabilities are ranked as to severity level: critical, high, medium, and low, which helps us to prioritize and plan when doing our security mitigation. I'm at this webpage, NIST Special Publication 800-30. I'm on page 78 where here we can see an assessment scale. Now, as you can see, the values range from very low to very high. Now, you will see some vulnerabilities listed with a score of zero or two. Most likely they've been reduced because there's been a patch that has been released or enough time has passed and that reduces the score. This gives us an indication of the severity of the vulnerability, and I'll highlight this right here. For example, when looking at a very high level, the exploitation could result in severe impacts.

The Common Vulnerability Scoring System is an industry standard that rates the severity of vulnerabilities, and it's used in Common Vulnerabilities and Exposures listings to aid in prioritizing vulnerabilities. The scoring system is based on a set of metrics that determine the overall score. Metrics include values to define categories such as impact, exploitability, and environmental.

First we will look at exploitability metrics. One value is the access vector. This question means how the threat exploits the vulnerability. Is it local, an adjacent network, or the network? How about the attack complexity? This asks how easy or difficult it is for the threat to exploit the vulnerability. Is it high, medium, or low? Privileges required describes how the threat gains access. Do they have to provide authentication? None, low, or high? And even single factor or multi-factor authentication. And user interaction, either none or required. For example, required means a user must click on a phishing email link to activate the exploit.

Next we'll look at impact metrics, meaning what impact will this have if the threat is able to exploit the vulnerability? We ask the question, will it be a violation of confidentiality, integrity, or availability? Temporal metrics indicate the current state of the exploit, which of course will change over the lifetime of the vulnerability, meaning maybe there has been a patch release that reduces the score. Environmental metrics allow the ability to customize the severity of the vulnerability in the way that the product or software is deployed.

I'm at this webpage, NIST, National Vulnerability Database. This is a really handy calculator to show how the values add together and give us a score as to how severe the vulnerability is. So let's take a look. We'll scroll down here. We'll start here, on exploitability metrics that include the following. Attack vector, well, okay. I'm going to scroll up here and here you're going to watch these values change. So we'll say that we can get onto it via the network, and when you scroll over it, it'll give you a more detailed explanation. Attack complexity. We'll say it's low. Privileges required. We'll say that's low as well, and user interaction, we'll say it's required. Over here, the scope, we'll say changed, and the impact metrics. We'll say that it will impact confidentiality and integrity, but not availability. And the temporal score metrics, well, we'll just put a couple of things here, proof of concept code, workaround, and report confidence, well, we'll say this is confirmed. And down below, we might want to change some of these base modifiers and just add some values. And we'll go up here and you can actually see the calculations that have occurred and showing right here, the overall score is 6.2. So the Common Vulnerability Scoring System is an industry standard that rates the severity of vulnerabilities.
