CVSS
Common Vulnerability Scoring System (CVSS) is an industry standard for assessing the severity of computer system security vulnerabilities. It attempts to establish a measure of how much concern a vulnerability warrants, compared to other vulnerabilities, so that remediation efforts can be prioritized. The score is computed from a series of measurements (called metrics) whose values are assigned by expert assessment.

Metrics

CVSS groups its metrics into three areas of concern:
  1. Base Metrics for qualities intrinsic to a vulnerability, which do not change over time or across environments.
  2. Temporal Metrics for characteristics that evolve over the lifetime of a vulnerability.
  3. Environmental Metrics for characteristics of a vulnerability that depend on a particular implementation or environment.

Base Metrics

  1. Can the vulnerability be exploited remotely over a network, only from an adjacent network, or only with local access (Access Vector)?
  2. How complex must an attack be to exploit the vulnerability (Access Complexity)?
  3. Is authentication required to attack, and if so how many times (Authentication)?
  4. Does the vulnerability expose confidential data (Confidentiality Impact)?
  5. Can exploiting the vulnerability damage the integrity of the system (Integrity Impact)?
  6. Does it impact availability of the system (Availability Impact)?

Temporal Metrics

  1. How readily exploitable is the vulnerability in practice, i.e. how mature the available exploit code is, from unproven to widely available (Exploitability)?
  2. How complete a remediation is available, from an official vendor fix down to none at all (Remediation Level)?
  3. How certain is the vulnerability's existence, from unconfirmed to confirmed by the vendor (Report Confidence)?

Environmental Metrics

  1. Potential to cause collateral damage, i.e. physical or economic loss beyond the affected system itself (Collateral Damage Potential).
  2. How many systems in the environment (or how much of a system) the vulnerability affects (Target Distribution).
  3. How important confidentiality, integrity and availability each are for the affected asset (Security Requirements: CR, IR and AR).

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.