- (Topic 3)
During a recent vulnerability assessment of a major corporation's IT systems, the security team identified several potential risks. They want to use a vulnerability scoring system to quantify and prioritize these vulnerabilities. They decide to use the Common Vulnerability Scoring System (CVSS). Given the characteristics of the identified vulnerabilities, which of the following statements is the most accurate regarding the metric types used by CVSS to measure these vulnerabilities?
Correct Answer:
B
The base metric represents the inherent qualities of a vulnerability, according to the Common Vulnerability Scoring System (CVSS). CVSS is a framework that numerically characterizes the severity of software vulnerabilities between the range of 0-10. CVSS consists of three metric groups: Base, Temporal, and Environmental. The base metric group captures the characteristics of a vulnerability that are constant over time and across user environments. The base metric group consists of six sub-metrics: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, and Impact. The impact sub-metric further consists of three sub-metrics: Confidentiality, Integrity, and Availability. The base metric group produces a score ranging from 0 to 10, which reflects the intrinsic and fundamental properties of a vulnerability12.
The other options are not correct for the following reasons:
✑ A. Temporal metric represents the inherent qualities of a vulnerability: This option is incorrect because the temporal metric group captures the characteristics of a vulnerability that change over time due to events external to the vulnerability. The temporal metric group consists of three sub-metrics: Exploit Code Maturity, Remediation Level, and Report Confidence. The temporal metric group modifies the base score to reflect the current state of the vulnerability, such as the availability of exploit code, the existence of patches or workarounds, and the degree of verification of the vulnerability report12.
✑ C. Environmental metric involves the features that change during the lifetime of the vulnerability: This option is incorrect because the environmental metric group captures the characteristics of a vulnerability that are relevant and unique to a user??s environment. The environmental metric group consists of three sub-metrics: Modified Attack Vector, Modified Attack Complexity, and Modified Privileges Required. The environmental metric group also allows the user to assign importance values to the impact sub-metrics: Confidentiality Requirement, Integrity Requirement, and Availability Requirement. The environmental metric group modifies the base and temporal scores to reflect the impact of the vulnerability on the user??s specific environment, such as the network configuration, the security objectives, and the asset value12.
✑ D. Temporal metric involves measuring vulnerabilities based on a specific environment or implementation: This option is incorrect because the temporal metric group does not involve measuring vulnerabilities based on a specific environment or implementation, but rather on the factors that change over time due to events external to the vulnerability. The environmental metric group, not the temporal metric group, involves measuring vulnerabilities based on a specific environment or implementation, as explained in option C.
References:
✑ 1: What is CVSS - Common Vulnerability Scoring System - SANS Institute
✑ 2: Common Vulnerability Scoring System - Wikipedia
- (Topic 1)
The ??Gray-box testing?? methodology enforces what kind of restriction?
Correct Answer:
D
White-box testing (also known as clear box testing, glass box testing, transparent box testing, and structural testing) is a method of software testing that tests internal structures or workings of an application, as opposed to its functionality (i.e. black-box testing). In white-box testing, an internal perspective of the system, as well as programming skills, are used to design test cases. The tester chooses inputs to exercise paths through the code and determine the expected outputs. This is analogous to testing nodes in a circuit, e.g. in- circuit testing (ICT). White-box testing can be applied at the unit, integration and system levels of the software testing process. Although traditional testers tended to think of white- box testing as being done at the unit level, it is used for integration and system testing more frequently today. It can test paths within a unit, paths between units during integration, and between subsystems during a system-level test. Though this method of test design can uncover many errors or problems, it has the potential to miss unimplemented parts of the specification or missing requirements. Where white-box testing
is design-driven,[1] that is, driven exclusively by agreed specifications of how each component of the software is required to behave (as in DO-178C and ISO 26262 processes) then white-box test techniques can accomplish assessment for unimplemented or missing requirements.
White-box test design techniques include the following code coverage criteria:
· Control flow testing
· Data flow testing
· Branch testing
· Statement coverage
· Decision coverage
· Modified condition/decision coverage
· Prime path testing
· Path testing
- (Topic 2)
Which command can be used to show the current TCP/IP connections?
Correct Answer:
A
- (Topic 3)
Which of the following statements is TRUE?
Correct Answer:
B
- (Topic 1)
Which system consists of a publicly available set of databases that contain domain name registration contact information?
Correct Answer:
A