Describe these terms as they are defined in the CVSS 3.0: Attack Vector, Attack Complexity, Privileges Required, User Interaction, ScopeImplementing Cisco Cybersecurity Operations (210-255)
The CVSS Base Metrics are defined by the terms Attack Vector, Attack Complexity, Privileges Required, User Interaction, and Scope.
The attack vector (AV) metric measures how an exploit can be used by the attacker. The more remote the attacker can be, the higher the value. There are four levels to this metric.
- Network (N): If the attacker only needs network access to the host to exploit the vulnerability, this attack could be accomplished from any remote network potentially. The vulnerability is tied to the network stack.
- Adjacent (A): For this level, the attacker must be on the same physical media (802.11, Bluetooth, Ethernet) or logical IP network. The vulnerability is tied to the network stack.
- Local (L): The vulnerability for this level is not tied to the network stack. The attacker either uses a local keyboard/mouse, remote access like SSH or some sort of user interaction.
- Physical (P): The attacker must have direct physical access to exploit the vulnerability.
The attack complexity (AC) metric measures the conditions necessary for an attacker to succeed that are not controlled by the attacker. There are two levels for this metric. Low (L) indicates that there are no conditions for the attacker to successfully repeat the attack. High(H) indicates that there are several factors that must be met for the attack to be successful.
The privileges required (PR) metric measures the level of privilege on a system that an attacker must have BEFORE an attack to successfully carry out the attack.
- None (N): The attacker is unauthorized prior to the attack.
- Low (L): The attacker requires authorization at a basic user level.
- High (H): The attacker requires authorization at an administrator level.
This metric measures whether or not the end-user must interact to allow for a successful attack. It is either None (N) or Required (R).
The scope metric measures whether a successful attack remains within the initial security authority or if it breaks into a changed security authority with additional rights. The scope can either be unchanged (U) or changed (C).