Describe terms as defined in CVSS (attack vector, complexity, privileges, etc.)

📘Cisco Certified CyberOps Associate (200-201 CBROPS)


The Common Vulnerability Scoring System (CVSS) is a standardized way to measure the severity of security vulnerabilities in software, systems, or networks. Each vulnerability gets a score from 0.0 to 10.0, where 0 = no risk and 10 = critical risk.

CVSS is split into three groups of metrics: Base, Temporal, and Environmental. For the exam, the focus is mostly on the Base metrics, which describe the intrinsic characteristics of a vulnerability.

The key CVSS terms you need to know are:


1. Attack Vector (AV)

  • Definition: This tells us how an attacker can exploit the vulnerability.
  • Options:
    1. Network (N): The attack can be launched over a network, such as through the internet. Example: Exploiting a web server vulnerability remotely.
    2. Adjacent (A): The attacker needs to be on the same network segment. Example: Exploiting a Wi-Fi network vulnerability from within the office.
    3. Local (L): The attacker must have local access to the system. Example: Exploiting a vulnerability by logging in to a server.
    4. Physical (P): The attacker must physically touch or plug in a device. Example: Exploiting a USB firmware vulnerability.

Key point: The more remote the attacker can be, the higher the risk.


2. Attack Complexity (AC)

  • Definition: Describes how hard it is to successfully exploit the vulnerability.
  • Options:
    1. Low (L): Easy to exploit, no special conditions needed. Example: A misconfigured web server allows anyone to access admin functions.
    2. High (H): Requires special conditions, advanced knowledge, or timing. Example: Exploiting a buffer overflow that only works under specific network traffic conditions.

Key point: Easier exploits increase the severity score.


3. Privileges Required (PR)

  • Definition: Tells what level of access the attacker already needs before exploiting the vulnerability.
  • Options:
    1. None (N): The attacker doesn’t need any login or access. Example: Exploiting an open web application.
    2. Low (L): Requires basic user-level access. Example: An attacker with an ordinary user account exploits the flaw to gain administrative access.
    3. High (H): Requires full admin/root access. Example: An attacker already running as root exploits a service to extend control over the system.

Key point: Vulnerabilities that require no privileges are more severe.


4. User Interaction (UI)

  • Definition: Indicates if a human must do something for the attack to succeed.
  • Options:
    1. None (N): No user action needed. Example: Remote code execution against a server, where the exploit succeeds without anyone having to click or open anything.
    2. Required (R): A user must take some action, like opening a file or clicking a link. Example: Phishing emails that trick employees into opening a malicious attachment.

Key point: No user interaction = higher severity score.


5. Scope (S)

  • Definition: Determines whether the vulnerability affects only the targeted system or can affect other connected systems.
  • Options:
    1. Unchanged (U): The impact stays within the vulnerable system. Example: Exploiting a database vulnerability that only affects that database.
    2. Changed (C): The impact can extend to other systems. Example: Exploiting a web server that then allows attacks on the backend database server.

Key point: Scope change usually increases the risk rating.


6. Confidentiality (C)

  • Definition: Measures how much sensitive information can be accessed by exploiting the vulnerability.
  • Options:
    1. None (N): No information is exposed.
    2. Low (L): Some non-critical information can be accessed. Example: Reading user email addresses.
    3. High (H): Critical information is exposed. Example: Accessing passwords, encryption keys, or customer PII.

7. Integrity (I)

  • Definition: Measures how much the attacker can modify or corrupt data.
  • Options:
    1. None (N): Data cannot be altered.
    2. Low (L): Limited changes possible. Example: Changing non-critical user settings.
    3. High (H): Major changes possible. Example: Altering financial records in a database.

8. Availability (A)

  • Definition: Measures how much the vulnerability can disrupt system operations.
  • Options:
    1. None (N): No impact on availability.
    2. Low (L): Minor disruption, temporary downtime. Example: Restarting a service.
    3. High (H): Major disruption, complete system outage. Example: DoS attack taking down a web server.

Quick CVSS Exam Tip:

Think of CVSS as a formula to measure how bad a vulnerability is, using these questions:

  1. Can the attacker reach it remotely? (Attack Vector)
  2. Is it easy or hard to exploit? (Attack Complexity)
  3. Do they need access already? (Privileges Required)
  4. Does anyone have to do something? (User Interaction)
  5. Can it spread beyond the target? (Scope)
  6. Can they see sensitive data? (Confidentiality)
  7. Can they change data? (Integrity)
  8. Can they disrupt services? (Availability)

If you answer these, you can figure out the CVSS score, which helps prioritize fixing the vulnerability.
