Vulnerability Scan Results and CVSS Scores

  • The vulnerability database: what makes a scanner good or bad

  • SCAP – Security Content Automation Protocol

  • Mitre developed SCAP

  • Identifiers

    • CVE – Common vulnerability enumeration

    • CPE – Common platform enumeration

    • CCE – Common configuration enumeration

    • CWE – Common weakness enumeration

    • CAPEC – Common attack pattern enumeration and classification

    • OVAL – Open Vulnerability and Assessment Language

    • XCCDF – Extensible Configuration Checklist Description Format

  • Vulnerability Scan Reports

    • Usually includes: asset – vulnerability – CVSS score

    • CVSS score: metric for comparing and prioritizing vulnerabilities based on several factors.

    • False positives happen. Verify results.

    • True positives. True negatives. Good.

    • False positives. False negatives. Bad.

  • Avoiding False Results

    • Is scanning traffic allowed?

    • Credentialed?

    • Fine-tuning?

    • Baseline OK?

    • Applies to you?

    • Worth considering?

  • CVSS Score and CVE


    • Helps prioritize, but is not the only factor

    • CVSS = Base Metrics + Temporal Metrics (Optional) + Environmental Metrics (Optional)

    • CVSS Base Metrics

      • Attack Vector (AV)

        • Network (N), Adjacent (A), Local (L), Physical (P)

      • Attack complexity (AC)

        • Low (L), High (H)

      • Privileges Required (PR)

        • None (N), Low (L), High (H)

      • User Interaction (UI)

        • None (N), Required (R)

      • Scope (S)

        • Unchanged (U), Changed (C)

      • Impact metrics

        • Confidentiality: High, Low, None

        • Integrity: High, Low, None

        • Availability: High, Low, None

    • Temporal Metrics

      • Exploit Code Maturity (E) – Current state of exploit

        • Not defined (X), High (H), Functional (F), Proof-of-Concept (P), Unproven (U)

      • Remediation Level (RL)

        • Not Defined (X), Unavailable (U), Workaround (W), Temporary Fix (T), Official fix (O)

      • Report Confidence (RC)

        • Not defined (X), Confirmed (C), Reasonable (R), Unknown (U)

      • Security Requirements (CR, IR, AR) – Environmental metric

        • Not defined (X), High (H), Medium (M), Low (L)
