
📖 What is Common Vulnerability Scoring System (CVSS)?

Common Vulnerability Scoring System (CVSS) is a standardized numerical system used to assess the severity of software vulnerabilities. It provides a score from 0 to 10 based on metrics like attack vector, complexity, and the impact on confidentiality and integrity.

🥋 Sensei Says:

"Pay attention to the difference between Base, Temporal, and Environmental scores when analyzing vulnerability priority."

📚 Certification: CompTIA Security+ Certification Exam (SY0-701)

🔑 What are the Key Concepts of Common Vulnerability Scoring System (CVSS)?

  • The Base Score represents intrinsic qualities of a vulnerability, focusing on attack vectors, complexity, and the impact on confidentiality, integrity, and availability.
  • Temporal Scores account for factors that change over time, such as the availability of an official patch or the existence of functional exploit code.
  • Environmental Scores allow organizations to customize the severity based on the importance of the affected asset and the specific security controls in place.
  • CVSS scores are mapped to qualitative severity ratings: Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0) for easier prioritization.
  • The system provides a standardized language for security professionals to communicate risk consistently across different vendors, platforms, and organizational boundaries.

🎯 How does Common Vulnerability Scoring System (CVSS) appear on the SY0-701 Exam?

You may be asked to prioritize vulnerabilities where one has a high Base score but a low Environmental score because the affected system is isolated from the network.

A scenario might describe a vulnerability that recently received an official patch; you will need to identify how this affects the Temporal score and overall priority.

Expect questions asking you to distinguish between metrics, such as identifying whether 'Network' refers to the Attack Vector or the Attack Complexity of a vulnerability.

❓ Frequently Asked Questions

Why is the Base score insufficient for prioritizing patches in a real-world environment?

The Base score is generic and doesn't know your network. Environmental scores are critical because a 'Critical' vulnerability on a sandbox server is less urgent than a 'Medium' vulnerability on a primary database.


What is the difference between Attack Vector and Attack Complexity?

Attack Vector describes the path an attacker takes to reach the vulnerability (e.g., Network vs. Physical), while Attack Complexity describes the level of difficulty or specific conditions required to execute the exploit.
