Describe the scoring matrix within the CVSS
Use the calculator to show a live example of a potential vulnerability and put a screenshot in your report, in addition to showing the Rating scale.
Assessment
Report
The Common Vulnerability Scoring System (CVSS) is like a scoring chart in a sports game, but instead of ranking teams or players, it ranks the severity of software vulnerabilities. The scoring matrix helps you understand how "bad" a vulnerability is by giving it a score from 0.0 to 10.0, derived from a set of metrics that are also written out as a vector string such as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The breakdown below follows CVSS v3.1:
Base Metrics: These are the basic "game stats" that don't change over time or between environments. They describe how the vulnerability is reached, what privileges it needs, and how it impacts the system, and they are the only metrics needed to produce the Base Score that databases such as NVD publish.
Attack Vector (AV): How close does an attacker need to be to exploit the vulnerability? Network (N), Adjacent (A), Local (L) or Physical (P); the further away the attacker can be, the higher the score.
Attack Complexity (AC): How easy is it to exploit? Low (L) if the attack works reliably with no special conditions, like kicking a soccer ball into an open net; High (H) if it depends on conditions outside the attacker's control, such as winning a race condition.
Privileges Required (PR): None (N), Low (L) or High (H). Does the attacker need an account, or administrator rights, before the attack works?
User Interaction (UI): None (N) or Required (R). Does a victim have to do something specific for the attack to work, for example clicking on a malicious link or opening a file?
Scope (S): Unchanged (U) if the exploit only affects the vulnerable component; Changed (C) if it crosses into resources managed by a different security authority, for example a sandbox or hypervisor escape, or a cross-site scripting flaw in a web server that ends up executing in the user's browser.
Confidentiality, Integrity, Availability (C, I, A): Each is rated None (N), Low (L) or High (H) and describes what the attacker gains: reading data, changing data, or taking the system down. These are the key performance stats; if all three are None, the score is 0.0 no matter what the other metrics say.
Temporal Metrics: These are like "live updates" during a game. They change as the real world catches up with the vulnerability, and they can only lower the Base Score, never raise it:
Exploit Code Maturity (E): Is there a known exploit, and how mature is it? Unproven (U), Proof-of-Concept (P), Functional (F) or High (H). CVSS v2 called this metric Exploitability.
Remediation Level (RL): Has a fix been released? Official Fix (O), Temporary Fix (T), Workaround (W) or Unavailable (U).
Report Confidence (RC): How reliable is the information about the vulnerability? Unknown (U), Reasonable (R) or Confirmed (C).
Environmental Metrics: These are like "home-field advantages", the specific conditions that make the vulnerability more or less severe in your particular environment. They are the only part of the matrix that the consumer of a score, rather than the vendor or researcher, fills in.
Modified Base Metrics (MAV, MAC, MPR, MUI, MS, MC, MI, MA): You can override any base metric to better fit your deployment, for example lowering Attack Vector from Network to Adjacent if the vulnerable service is only reachable from an internal segment.
Security Requirements (CR, IR, AR): How much does confidentiality, integrity or availability matter for this particular asset? Low (L), Medium (M) or High (H); a High requirement increases the weight of that impact, so the Environmental Score can end up above the Base Score.
Collateral Damage Potential (CDP) and Target Distribution (TD): How much damage could be caused, and how widespread is the vulnerable system in your environment? Note that these two belong to CVSS v2 and were dropped in v3.x, where the Security Requirements and Modified Base Metrics take their place.
The score is calculated from these metrics with the formulas in the CVSS specification, giving a number from 0.0 to 10.0 rounded up to one decimal place. The Base Metrics alone produce the Base Score; applying the Temporal and Environmental metrics produces the Temporal and Environmental Scores, which adjust it downwards (temporal) or in either direction (environmental). The higher the score, the more severe the vulnerability, and the number maps onto a qualitative rating scale:
0.0: None. The finding has no confidentiality, integrity or availability impact at all; it is like a rule-book technicality that cannot change the score of the game.
0.1 - 3.9: Low severity. Think of a minor information leak that needs local access or high privileges to reach. It's a bit annoying and worth fixing in a normal release cycle, but not something to wake anyone up for.
4.0 - 6.9: Medium severity. Picture a stored cross-site scripting flaw that needs a logged-in victim to click something: it interrupts the game and should be patched soon, but it does not hand the attacker the whole system.
7.0 - 8.9: High severity. An attacker can reach the system over the network and read or change important data, but still needs an account, a user's help or a lucky race condition. It's a serious issue that needs attention before the next maintenance window.
9.0 - 10.0: Critical severity. Anyone on the network can take full control with no account and no user interaction; unauthenticated remote code execution is the classic 9.8. This is the highest level of severity and demands urgent action: emergency patching, a virtual patch, or pulling the system off the field until it is fixed.
Just like sports analysts use stats to understand a game, cybersecurity professionals use the CVSS scoring matrix to understand the severity and characteristics of a vulnerability. Keep in mind that it measures severity, not risk: two systems with the same Base Score can deserve very different priorities, which is exactly what the Temporal and Environmental metrics are for. Read together, they help defenders decide how to best protect their "home field", or in this case, their network and systems.