
CySA+Mod6 - Performing Vulnerability Analysis

The document outlines a lesson plan for performing vulnerability analysis, focusing on key concepts such as the Security Content Automation Protocol (SCAP) and the Common Vulnerability Scoring System (CVSS). It discusses the importance of vulnerability validation, scoring metrics, and contextual considerations for assessing vulnerabilities. Additionally, it includes review and lab activities to reinforce understanding of these concepts.

CompTIA Cybersecurity Series

Lesson Plan
Performing Vulnerability Analysis

Copyright © 2023 CompTIA, Inc. All Rights Reserved. | [Link]


Objectives
• Review Security Content Automation Protocol (SCAP).
• Explore the Common Vulnerability Scoring System (CVSS).
• Understand vulnerability validation concepts.
• Understand important contextual considerations.

Vulnerability

Session A
Understanding Vulnerability Scoring Concepts
Explain Security Content Automation Protocol (SCAP)
• Suite of specifications (maintained by NIST) for automating security assessment
• Standardizes how tools identify and report on
  • Software flaws
  • Misconfigurations
  • Vulnerabilities
• Lets results from different scanners and checklists be compared and exchanged
SCAP Languages
• Open Vulnerability and Assessment Language (OVAL)
  • Consistent and interoperable way to describe checks
  • Assesses system state (installed software, patches, settings) regardless of the security tool used
• Asset Reporting Format (ARF)
  • Correlates reporting formats: packages assessment results together with information about the assets they apply to
  • Independent from any specific application or vendor product
• Extensible Configuration Checklist Description Format (XCCDF)
  • Written in XML
  • Standardized benchmark definitions and security checks (DISA STIGs, for example, are distributed as XCCDF)
SCAP Identification Schemes
• Common Platform Enumeration (CPE)
  • URI-like syntax, e.g. cpe:2.3:a:vendor:product:version:... (part "a" = application, "o" = operating system, "h" = hardware)
  • Standardized naming format to identify systems and software, so a scanner can match what is installed against the products named in CVE records
• Common Vulnerabilities and Exposures (CVE)
  • Each entry carries a unique identifier and describes one publicly known vulnerability
  • Identifier format: CVE-YEAR-NNNN, where the sequence number has four or more digits (not a fixed width)
• Common Configuration Enumeration (CCE)
  • Similar to CVE, but each identifier names a configuration issue (a setting) rather than a software flaw
Explore Common Vulnerability Scoring System (CVSS)
• Industry-standard method (maintained by FIRST) for assessing the severity of vulnerabilities
• Allows IT teams to prioritize remediation efforts
• CVSS assigns a numeric score (0.0 to 10.0) derived from a fixed set of metrics
• CVSS vector string: a compact text encoding of the metric values from which the score is computed, e.g. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Version prefix (CVSS:3.1)
  • Base metrics: exploitability and impact
  • Temporal metrics: exploit code maturity, remediation level, report confidence
  • Environmental metrics: the organization's own context (modified base metrics and security requirements)
• The vector carries the metrics only; the vulnerability identifier (CVE ID) and any additional information live in the CVE/NVD record, not in the vector string
Benefits of CVSS
• Objective, repeatable measure of severity (CVSS scores severity, not risk; risk also depends on threat and asset context)
• Provides insight into a vulnerability's potential impact and how easily it can be reached
• Helps teams focus remediation efforts
• Different scanning tools, same nomenclature: a vector string means the same thing whichever scanner produced it
Challenges of CVSS
• The base score does not say whether a working exploit exists or is being used in the wild; that needs the temporal Exploit Code Maturity metric or external exploit intelligence
• Scoring methodology changes from version to version (CVSS v2 vs v3.x), so the same flaw can carry different scores and scores from different versions should not be compared directly
• Scanner labels such as "Severe" and "Informational" may not reveal the entire risk profile
  • "Informational" label but highly exploitable
  • "Severe" label but practically impossible to exploit in a given environment
Common Vulnerability Scoring System (CVSS) Metrics
• Generate a score from 0.0 to 10.0 based on three metric groups:
  • Base: intrinsic characteristics of the vulnerability that do not change over time or across environments
  • Temporal: characteristics that change over time (exploit availability, patch availability, confidence in the report)
  • Environmental: the environment in which the exposure occurs (asset importance, compensating controls)
Common Vulnerability Scoring System (CVSS) Metrics

Qualitative severity ratings (CVSS v3.x):

  Score range    Rating
  0.0            None
  0.1 - 3.9      Low
  4.0 - 6.9      Medium
  7.0 - 8.9      High
  9.0 - 10.0     Critical
Common Vulnerability Scoring System (CVSS v3.1) Base Metrics

  Base metric                              Possible values
  Attack Vector (AV)                       Physical (P), Local (L), Adjacent network (A), or Network (N)
  Attack Complexity (AC)                   High (H) or Low (L)
  Privileges Required (PR)                 None (N), Low (L), or High (H)
  User Interaction (UI)                    None (N) or Required (R)
  Scope (S)                                Unchanged (U) or Changed (C)
  Confidentiality (C), Integrity (I),      High (H), Low (L), or None (N)
  and Availability (A)

The first four metrics describe exploitability; C, I, and A describe impact; Scope records whether a successful exploit affects resources beyond the vulnerable component's own security authority.
National Vulnerability Database

(Screenshot courtesy of NIST - National Vulnerability Database.)
Review Activity: Vulnerability Scoring Concepts
1. What is the attack complexity identified in the following vector?
   CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

2. What is the impact to integrity identified in the following vector?
   CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

3. Physical (P), Local (L), Adjacent network (A), or Network (N) are all values for which base metric?
Vulnerabilities

Session B
Exploring Vulnerability Context Considerations
Explore Vulnerability Validation Concepts
• False positive: the scanner reports a vulnerability or misconfiguration that is not actually present
• True positive: the scanner reports a vulnerability that is present and confirmed
• False negative: the scanner reports nothing, but the vulnerability is present (the costly case, since nobody goes looking for it)
• True negative: the scanner reports nothing, and nothing is there
• Validation (manual confirmation, a second tool, or an authenticated rescan) is what moves a finding from "reported" to "true" or "false"
Explore CVSS Scoring Considerations
• Vulnerability scores are not static
• Consider a variety of special considerations
  • Availability of patches
  • Impact of the vulnerability in this environment
  • Level of sophistication needed to exploit it
• Organizations can adjust scores accordingly (in CVSS terms, through the temporal and environmental metric groups rather than by editing the published base score)
Explore CVSS Scoring Considerations
• Factors influencing score adjustments
  • Availability of patches
  • Impact of the vulnerability
  • Level of sophistication of threat actors
  • Asset value
  • Weaponization/Exploitability (is a working exploit public, and is it being used?)
Exploring Vulnerability Context Considerations
• Factors influencing score adjustments - Example
  • Hypothetical remote code execution (RCE) vulnerability with a CVSS base score of 10.0 (network-reachable, no privileges or user interaction required)
  • In this environment an attacker would have to be connected to the same network to reach it
  • The vulnerable application runs on a fully air-gapped system
  • Justifiable reason to lower the score: the environmental Modified Attack Vector (MAV) metric expresses exactly this, while the base score stays 10.0 for everyone else
CVSS Score Calculations
• Categories
  • Impact
  • Exploitability
  • Remediation
• Metrics
  • Scope
  • Confidentiality
  • Integrity
  • Availability
  • Privacy
  • Operations
  • Other
Metric Categories

Review Activity: Exploring Vulnerability Context Considerations
1. This describes when a vulnerability scan incorrectly indicates that a vulnerability or misconfiguration is present when it is not.

2. What type of vulnerability cannot be detected by vulnerability scanning tools?

3. The three categories in a CVSS score include impact, exploitability, and __________________.
Lab Activity
• Assisted Lab: Establishing Context Awareness
