The Common Vulnerability Scoring System (CVSS) is a framework for communicating the severity of vulnerabilities in software, hardware, and firmware using numerical scores. There are three metric groups: Base, Temporal, and Environmental. The Base group includes metrics such as the CIA impacts, attack vector, attack complexity, and privileges required. The Temporal group holds time-dependent metrics such as exploit code maturity and remediation level. The Environmental group holds CIA requirements and modified base metrics that are tailored to the user's own environment.
For the CySA+ exam, you only need to know the Base metric group, which is broken down into exploitability metrics and impact metrics. Exploitability metrics describe the characteristics of the vulnerable component, that is, how easily it can be attacked. Attack Vector, Attack Complexity, Privileges Required, User Interaction, and Scope are the exploitability metrics. The impact metrics represent the consequences of a successful exploit.
The Attack Vector metric values are Network, Adjacent, Local, and Physical. The more remotely the vulnerability can be exploited, the larger the set of possible attackers, and the higher the score. An example would be an attacker exploiting the vulnerability by accessing the target system locally, or over SSH, which falls under the Local value. Attack Complexity is simply how much work is involved and can be Low or High. The Privileges Required values are None, Low, and High, and they score how much access an attacker needs before successfully exploiting the identified vulnerability. The User Interaction values are None or Required, and the base score is higher when no user interaction is required. The Scope values are Unchanged and Changed, and the metric simply asks whether the exploited vulnerability can affect resources beyond the vulnerable component. If it cannot, the scope is Unchanged; if it can, the scope is Changed. Impacting other components gives a higher severity score. The Confidentiality, Integrity, and Availability impact metrics all use the same values: High, Low, or None.