7.3 - Vulnerability Scoring Systems

Key Terms: 

    • Common vulnerability scoring system (CVSS) - An open standard, maintained by FIRST, for rating the severity of a vulnerability on a 0.0 to 10.0 scale from its technical characteristics (how it is reached, what privileges and user interaction it needs, and its impact on confidentiality, integrity and availability). It rates severity, not the risk to a particular organisation. 
    • CVSS calculator – A tool that turns those metric values into base, temporal, and environmental scores. The base score describes the vulnerability itself; the temporal metrics adjust it for exploit maturity, available fixes and report confidence, and the environmental metrics adjust it for the importance of the affected asset in your own environment. 
    • Cybersecurity and Infrastructure Security Agency (CISA) - The United States federal agency, part of the Department of Homeland Security, that publishes advisories, alerts, and many other cyber security resources. 
    • National vulnerability database (NVD) - A detailed database of known vulnerabilities, maintained by the US National Institute of Standards and Technology (NIST), that enriches each CVE entry with severity scores and fix information. 
    • Full disclosure – A public, vendor-neutral mailing list for the discussion of vulnerabilities and threats that often carries the newest information. 

 

Resources: 

Common Vulnerabilities and Exposures (CVE) 

CVE is a list of standardised identifiers (CVE IDs of the form CVE-YYYY-NNNN, with four or more digits) for publicly known software vulnerabilities and exposures. It is free to use, and it is publicly available at cve.mitre.org. Benefits of this system include the following: 

    • CVE IDs are assigned by CVE Numbering Authorities (CNAs); there are currently 94 CNAs from 16 countries. 
    • The identifiers provide standardisation, which allows data exchange between tools and enables cyber security automation. 
    • The list provides a baseline for comparing the coverage of vulnerability assessment tools and services. 
    • The CVE list feeds the National Vulnerability Database, which adds severity scores and fix information to each entry. 

National Vulnerability Database (NVD) 

The National Vulnerability Database (NVD), maintained by NIST, was originally created in 2000. It can be found at nvd.nist.gov. The NVD: 

    • Includes detailed information for each entry in the CVE list, such as fix information, CVSS severity scores, and impact ratings. 
    • Is searchable by product name or version number, vendor, operating system, impact, severity, and related exploit range. 

 

Cybersecurity & Infrastructure Security Agency (CISA) 

CISA is a United States federal agency within the Department of Homeland Security. Its website is cisa.gov. The agency provides: 

    • Information exchange 
    • Training and exercises 
    • Risk and vulnerability assessments 
    • Data synthesis and analysis 
    • Operational planning and coordination 
    • Watch operations 
    • Incident response and recovery 

 

Common Weakness Enumeration (CWE) 

CWE is a community-developed list of common software (and, more recently, hardware) security weaknesses. Its website is cwe.mitre.org. Where CVE identifies a specific vulnerability in a specific product, CWE names the underlying type of flaw, so that weaknesses can be described in a common language. This creates a reference for identifying, mitigating, and preventing vulnerabilities, and provides a standard against which assessment tools can be evaluated. The list combines ideas and perspectives from industry professionals, academics, and government sources into a unified standard. 

Common Attack Pattern Enumeration & Classification (CAPEC) 

CAPEC is a dictionary of known patterns of attack used by adversaries. Its website is capec.mitre.org. The list can be browsed by mechanisms of attack or domains of attack, and searched by key terms and CAPEC ID numbers; each attack pattern links to the CWE weaknesses it exploits. This resource is valuable because you can browse it to see common attack techniques and search for the specific pattern relevant to a weakness you are assessing. 
