From the course: Vulnerability Management: Assessing the Risks with CVSS, CISA KEV, EPSS, and SSVC


Attack method or vector when determining severity


- [Instructor] Attack vector is all about how exactly a vulnerability can be exploited, specifically the context of when exploitation is possible. In CVSS version 3.1, there are four possible values for attack vector that can be selected: Network, Adjacent, Local, and Physical. In the CVSS vector string, this is the first key-value pair and it's represented as AV followed by a colon and then the identifier for the selected value: N for Network, A for Adjacent, L for Local, or P for Physical. To help visualize this concept, we'll use this network diagram for Red30 that shows our vulnerable system Alpha and the User Workstation Segment of the network. There's also a Server Segment, an IoT Segment, and a Demilitarized Zone, and they're all separated from the Internet by a firewall. An attack vector of Network, that's N in the vector string, means that a vulnerability can be exploited remotely over the network. Depending on the system and environment, the possible attackers could include…
