1
00:00:01,710 --> 00:00:09,260
In this section I'm going to talk about the Common Vulnerability Scoring System version 3.0.

2
00:00:10,260 --> 00:00:17,820
The CVSS provides a way to capture the characteristics of a vulnerability and produce a numerical

3
00:00:17,820 --> 00:00:26,670
score reflecting its severity. The numerical score can then be translated into a representation such as

4
00:00:26,730 --> 00:00:34,590
low, medium, high and critical to help organizations properly assess and prioritize their vulnerability

5
00:00:34,860 --> 00:00:36,880
management processes.

6
00:00:38,120 --> 00:00:49,930
You can find information about the CVSS by going to www.first.org/cvss.

7
00:00:50,090 --> 00:00:57,780
Let's take a look at the factors used for the calculations to determine vulnerability scoring. An attack

8
00:00:57,920 --> 00:01:04,450
vector is the path that an attacker uses to access a system for malicious activity.

9
00:01:04,940 --> 00:01:10,340
This could be an email, an open port or a web page.

10
00:01:10,370 --> 00:01:17,480
This score increases the more remote an attacker needs to be, logically or physically, to use an attack

11
00:01:17,510 --> 00:01:18,000
vector.

12
00:01:21,300 --> 00:01:21,660
Attack

13
00:01:21,660 --> 00:01:28,920
complexity describes the conditions that are outside of an attacker's control to exploit a vulnerability.

14
00:01:29,830 --> 00:01:36,110
So if an attacker had access to a network all the time, then the attack complexity would be low.

15
00:01:36,490 --> 00:01:43,030
But if an attacker had to wait for a certain condition to arise, like a pivot point, then the attack complexity

16
00:01:43,030 --> 00:01:52,210
would be high. Privileges required describes the level of privilege that the attacker must have before

17
00:01:52,210 --> 00:01:54,290
exploiting a vulnerability.

18
00:01:55,350 --> 00:02:00,680
So if a system requires admin credentials for access, then the risk would be low.

19
00:02:01,080 --> 00:02:10,160
But if a system only required basic user credentials or no login at all, then the risk would be high. User

20
00:02:10,160 --> 00:02:17,120
interaction describes the requirement for some type of user activity before an attack can be launched,

21
00:02:17,330 --> 00:02:24,570
such as a user logon. The score is highest when no user interaction is required.

22
00:02:26,170 --> 00:02:32,400
The scope of an attack refers to the ability for an attack to affect other resources

23
00:02:32,560 --> 00:02:35,180
separate from the original target.

24
00:02:35,530 --> 00:02:41,530
An example would be an attacker compromising a web server and then corrupting the database server by

25
00:02:41,530 --> 00:02:43,970
pivoting from the web server.

26
00:02:45,880 --> 00:02:54,430
Then finally we have the CIA triad of confidentiality, integrity and availability. You've probably

27
00:02:54,430 --> 00:02:57,380
learned about these topics in earlier security studies.

28
00:02:57,520 --> 00:02:58,970
But just as a refresher.

29
00:02:59,170 --> 00:03:09,520
Confidentiality refers to limiting information access, integrity refers to the trustworthiness of information

30
00:03:11,290 --> 00:03:20,300
and availability refers to the loss of availability of the impacted components. To calculate your vulnerability

31
00:03:20,300 --> 00:03:21,290
score,

32
00:03:21,290 --> 00:03:28,940
you simply just have to select the values for the base metrics and the website will generate a score

33
00:03:28,940 --> 00:03:30,540
for you.

34
00:03:30,560 --> 00:03:38,290
So let's say my attack vector had to have local access, the attack complexity is high, high privileges

35
00:03:38,300 --> 00:03:46,700
required, user interaction, and we'll say scope changed.

36
00:03:46,700 --> 00:03:52,230
And then our CIA will be high all the way through.

37
00:03:52,280 --> 00:03:58,440
So with these values we have a score of 7.2, in the high range.

38
00:03:58,700 --> 00:04:03,440
One of the coolest things on this website are the example scores.

39
00:04:03,440 --> 00:04:11,720
So if you go over here to the CVSS version 3.0 examples, it actually takes you through some vulnerability

40
00:04:11,720 --> 00:04:20,340
examples and how the scores were determined based on the criteria for the vulnerability.

41
00:04:20,390 --> 00:04:27,970
So to take a look at this one here, we have a reflected cross-site scripting vulnerability.

42
00:04:28,820 --> 00:04:36,380
And I'll kind of just skip down to the version 3.0 base score and let's read through each metric and

43
00:04:36,440 --> 00:04:40,980
the comments to see why it determined the value for each metric.

44
00:04:42,410 --> 00:04:48,830
So for attack vector it chose network because the vulnerability is a web application and reasonably

45
00:04:48,830 --> 00:04:52,380
requires network interaction with the server.

46
00:04:54,700 --> 00:05:02,170
Attack complexity is low because the attacker would need to perform some type of reconnaissance attack

47
00:05:02,530 --> 00:05:05,850
on the targeted system. Privileges required:

48
00:05:05,860 --> 00:05:10,310
the value is none because an attacker requires no privileges to mount an attack.

49
00:05:11,680 --> 00:05:17,860
User interaction: required. A successful attack requires the victim to visit the vulnerable component

50
00:05:19,300 --> 00:05:21,670
by clicking a malicious URL, for example.

51
00:05:24,890 --> 00:05:33,830
Scope is changed because the vulnerable component is the web server running the phpMyAdmin software

52
00:05:34,670 --> 00:05:38,730
and the impacted component is the victim's browser.

53
00:05:38,930 --> 00:05:45,470
The confidentiality impact is low because even though the information in the victim's web browser can

54
00:05:45,470 --> 00:05:50,910
be read and sent to an attacker, it is constrained to certain information.

55
00:05:52,600 --> 00:05:58,390
The integrity impact is low as well because the information maintained in the victim's web browser can

56
00:05:58,390 --> 00:06:07,420
be modified, but only information associated with the website running phpMyAdmin.

57
00:06:07,630 --> 00:06:14,620
And then finally we have none for the availability impact because it does not have a major impact on

58
00:06:14,620 --> 00:06:18,860
the availability of the victim's system.

59
00:06:19,000 --> 00:06:22,670
So take some time to look through these different examples.

60
00:06:22,720 --> 00:06:30,610
It really helps to provide some context for each metric and what type of value should be chosen based

61
00:06:30,610 --> 00:06:32,250
on each scenario.