From the course: Vulnerability Management: Assessing the Risks with CVSS, CISA KEV, EPSS, and SSVC
Intro to determining severity with CVSS
- [Instructor] Vulnerability severity is defined using the Common Vulnerability Scoring System, or CVSS. In fact, the CVSS rating is part of the process used when vulnerabilities are published as Common Vulnerabilities and Exposures, or CVEs. That's a unique identifier assigned to all vulnerabilities listed in the National Vulnerability Database, or NVD. There are several versions of CVSS, and the specifics of each version can be found online at www.first.org. We'll be using CVSS version 3.1 for this course because it's most commonly used by leading vendors in vulnerability management. Version 4.0 was released in November of 2023, but it hasn't been broadly adopted by security vendors.

Generally, the CVSS formula consists of three key metric types: base, temporal, and environmental. Base metrics are the characteristics of a vulnerability that do not change, and they're not dependent on any factors beyond the vulnerability. This includes things like how a vulnerability can be exploited, such as locally or over a remote connection. Temporal metrics are the metrics about a vulnerability that change over time. This includes the existence of a publicly known exploit and whether or not an official patch for the vulnerability exists. Environmental metrics are characteristics of the system on which the vulnerability exists. That's things like which element or elements of the CIA triad of confidentiality, integrity, and availability matter the most, and this is where company knowledge is key.

CVSS scores are on a scale of 0 to 10, with 0 being the lowest severity and 10 being the highest. The details of the specific components that make up the metrics are outlined in a format called the vector string, and it looks a little cryptic. Now let's take a look at the CVSS vector string.