CISSP PRACTICE QUESTIONS – 20201125

Effective CISSP Questions

An unknown vulnerability is discovered after a vulnerability scan of your company’s official website. You are analyzing it and calculating its score based on CVSS v3.1. Which of the following is not a mandatory metric?
A. Attack Vector (AV)
B. Exploit Code Maturity (E)
C. User Interaction (UI)
D. Privileges Required (PR)

Kindly be reminded that the suggested answer is for your reference only. It does not matter whether your answer is right or wrong. What really matters is your reasoning process and justifications.

My suggested answer is B. Exploit Code Maturity (E).

The following summary and explanation come from FIRST.

The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. It is owned and managed by Forum of Incident Response and Security Teams, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world.

Metric Groups

CVSS consists of three metric groups: Base, Temporal, and Environmental. Only the Base metrics are mandatory; the Temporal and Environmental metrics are optional, and a metric that is not scored takes the value Not Defined (X), which leaves the score unchanged. Attack Vector (AV), User Interaction (UI), and Privileges Required (PR) are Base metrics, while Exploit Code Maturity (E) belongs to the Temporal group.

  • Base group: the intrinsic qualities of a vulnerability that are constant over time and across user environments. The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics.
  • Temporal group: the characteristics of a vulnerability that change over time, such as Exploit Code Maturity (E), Remediation Level (RL), and Report Confidence (RC).
  • Environmental group: the characteristics of a vulnerability that are unique to a user’s environment.

Vector String

A CVSS score is also represented as a vector string, as the following example shows. Every Base metric must appear in the string; Temporal and Environmental metrics may be omitted:

  • CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

CVSS Metric Groups

CVSS Metric Groups (figure), Image credit: Forum of Incident Response and Security Teams, Inc.

CVSS Metrics and Equations

CVSS Metrics and Equations (figure), Image credit: Forum of Incident Response and Security Teams, Inc.

Reference

Common Vulnerability Scoring System v3.1: Specification Document, FIRST. https://www.first.org/cvss/v3.1/specification-document

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

An unknown vulnerability was found after a vulnerability scan of your company’s official website. You are analyzing it and calculating its score based on CVSS. Which of the following is not a mandatory metric?
A. Attack Vector
B. Exploit Code Maturity
C. User Interaction
D. Privileges Required
