188.8.131.52 Lab – Using the CVSS (Instructor Version)
In this lab, you will explain the concepts behind a strong password.
- Part 1: Researching the Details of the CVSS Metrics Used to Compute the CVSS Score
- Part 2: Using the CVSS Calculator to Determine the Severity Level of a Vulnerability
- Part 3: Reflecting on the Use and Results of the CVSS Calculator
Background / Scenario
CVSS refers to the Common Vulnerability Scoring System. It is a vendor-neutral, industry standard that offers an open framework for conveying the severity of vulnerabilities. It helps to determine the urgency and priority of responses to vulnerabilities. The CVSS model is designed to provide users with an overall composite score representing the severity and risk of a vulnerability.
The results of a CVSS calculation are based on metrics and formulas. The metrics are in three distinct categories that can be quantitatively or qualitatively measured.
This lab will provide you with a security vulnerability scenario, and it will be your job to use the CVSS calculator and specification document to determine what the Base Score is.
- PC or mobile device with Internet access
Part 1: Researching the Details of the CVSS Metrics Used to Compute the CVSS Score
To use the CVSS risk assessment scoring system, it is important to understand each of the metrics that are used in the calculation. The Forum of Incident Response and Security Teams (FIRST) has been designated as the custodian of the CVSS to promote its adoption globally. Their specification document is very useful in helping to understand each of the metrics. The following URL describes the metrics used when calculating a CVSS score:
a. Navigate to the CVSS specification document link provided above. Use this resource to answer the questions below.
List the three metric groups and briefly describe each of them.
_____________________________________________________________Base – represents the characteristics of a vulnerability that are constant over time and across contexts. The Base metric is further broken down into the Exploitability and Impact metrics.
Temporal – Measures the characteristics of a vulnerability that may change over time, but not across user environments.
Environmental – This measures the aspects of a vulnerability that are rooted in a specific organization’s environment.
What is the first metric used in the Base Metrics calculation? Describe the metric and all of the possible values for this metric.
_____________________________________________________________Attack Vector (AV) – Reflects the proximity of the threat to the vulnerable component. The more remote the threat, the higher the severity.
Metric Value: Network – Vulnerable component is through OSI layer 3. This value implies that it is remotely exploitable. Adjacent – Vulnerable component is through the network but is bound to the same shared physical or logical network and cannot be accessed past a Layer 3 boundary (router). Local – Attacker is likely logged in locally. Physical – the attacker must be able to physically touch or manipulate the vulnerable component.
What is the difference between the High (H) and Low (L) values for the Attack Complexity (AC) metric?
_____________________________________________________________The Low value indicates that specialized access conditions do not exist. An attacker can expect success against the vulnerable component. The High value means that a successful attack depends on conditions beyond the attacker’s control.
b. Read through the remaining metrics and their possible values for each of the components of for the Base Metrics. Knowing where to find this information will be required for the next part of this lab.
Part 2: Using the CVSS Calculator to Determine the Severity Level of a Vulnerability
Use the following scenario to determine the Base Score using the CVSS. Refer back to the CVSS Specification document for the details regarding each of the required metrics used for this calculation.
Peter is a network manager for XYZ Corporation and has just documented a vulnerability with an IoT device. XYZ Corp uses IoT devices in their manufacturing facility for monitoring and management of a wide variety of equipment. During a security audit, a backdoor was discovered on an IoT device. Security logs indicate that the IoT device has been routinely accessed remotely from outside of the company’s network. It appears that the hackers can gain access whenever they would like without any required privileges to this IoT device. It does not appear that any user interaction was required for this attack to occur. The scope of this vulnerability is local. That is, no other components were impacted. The IoT device did not store or communicate any confidential information and therefore, there was no loss of confidentiality with this vulnerability. However, the attacker had access to information communicated to and from the device which appears to have been altered. Although the attacker did not do anything to impact availability to this device, it does appear that the hackers can take it offline.
For this part, we will use the CVSS Calculator from FIRST.org:
a. Navigate to the link for the calculator.
b. Select the appropriate values based on the description above for the Base Score.
What is the Base Score for the vulnerability described above?
Base Score: 9.1 (Critical) – CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Part 3: Reflecting on the Use and Results of the CVSS Calculator
Reflect on how each of these attacks should be handled to mitigate or minimize the impact? Do research as necessary using the Internet.
a. How should an organization handle a vulnerability with this score?
A score with a critical level usually indicates an immediate response.
b. Experiment with changing the values. What would happen if the Attack Vector required physical access? How would this change the score?
The Base Score changes from 9.1 (Critical) to 6.1 (Medium).
c. Is it possible to select any combination of metrics that would result in a score greater than 0.0 if Confidentiality, Integrity, and Availability had a value of “None”?