One of the primary roles of technical staff is to communicate threat severity to non-technical members of staff. This technical judgment informs operational decision-making, so it is important to have standard measurements and vocabulary. In this section, you will learn about the need for a common framework to describe threats; specifically, we will look at two important analysis tools to identify differences between their outputs.

All information systems carry inherent risks. Even paper-based systems have vulnerabilities (how is paper stored? What happens if there's a fire or flood? Can the records be lost?). In cybersecurity, endpoint threat analysis covers all threats that affect a computer system that a user interacts with. Whilst this seems self-explanatory, it is important to dig down into the terms. Endpoint is specified as distinct...

Exploitability is a series of metrics in CVSS 3.0 that describe how difficult it would be for an attacker to exploit a vulnerability. In this section, you will learn how to define the four areas of vulnerability and how these relate to the ease of exploitation of the threat.

To understand the importance of exploitability, consider an example from the retail world. A generally acknowledged principle in retail is that shrinkage (or shoplifting) increases if it is easier to do. For most people, the value that's gained from an attack is rarely worth the effort or risk of being caught. In the same way, the easier it is to exploit a vulnerability and conduct an attack, the more likely it is to happen, and therefore the more dangerous the vulnerability is.

The most common model that's used to understand a threat's impact on information security is the confidentiality, integrity, availability (CIA) triad. In this section, you will learn how to explain these three types of consequence that result from a threat. The CIA triad is very common across the whole industry.

In CVSS v3.0, these three components are referred to collectively as impact metrics. Each is scored independently as either high, low, or none to give the user an overview of how severe the effects of the threat would be if they were realized. If multiple components are vulnerable to the threat, the scores are taken from the component which suffers the most severe consequences.

CVSS v3.0 incorporated a new measure which reflects the ability for a vulnerability in one component to impact other resources and components. In this section, you will come to understand that a threat can sometimes have impacts beyond its individual capacity, and this must be captured in CVSS v3.0 under the scope metric.

The authorization scope or scope metric refers to the privileges associated with a computing authority (for example, process, application, operating system, or sandbox environment) when granting access to computing resources (for example, files, processing, RAM, permanent storage, and so on). If a vulnerability is able to gain more (or different) access to resources than the original (normal working) authority is able to assign. The base score is greater when a scope change has occurred.

A clear example of scope change is a vulnerability escaping a sandbox...

Threats are classified using a number of different applications and methods, including AMP Threat Grid and Cuckoo Sandbox. Each threat prevention/detection/reparation tool works slightly differently, and their scores are not always transparent. The CVSS v3.0 system is open source and transparent, giving comparable results across the board. How exploitable vulnerability is depends on how far away an attacker can be from the target (attack vector), how difficult the exploit is (attack complexity), how trusted an attacker would have to become to be successful (privileges required), and whether anyone else is involved (user interaction). The impact of a vulnerability is measured against the (C)onfidentiality (I)ntegrity (A)vailability triad.

In the next chapter, we will be looking at the fundamental differences between the Windows and Linux operating systems.

1. Which metric relates to "the context by which vulnerability exploitation is possible"?
   1. Attack Vector
   2. Attack Complexity
   3. Attack Pathway
   4. Attack Vulnerability
2. Which metric relates to "conditions beyond the attacker's control that are required in order to successfully exploit a vulnerability"?
   1. Privileges Required
   2. Attack Complexity
   3. Attack Prerequisites
   4. Attack Vector
3. An attacker is able to place a call and listen to a victim's microphone without the victim accepting the call. Which CVSS 3.0 metric will rate the highest?
   1. Availability
   2. Confidentiality
   3. Integrity
   4. Scope

4. An...

• A user guide to CVSS v3.0 can be found at https://www.first.org/cvss/cvss-v30-user_guide_v1.6.pdf.
• Cisco also uses CVSS. A guide to CVSS usage within Cisco can be found at https://tools.cisco.com/security/center/resources/cvss.html.