Question

"Security Updates" for software (e.g., Microsoft Windows operating systems, Adobe Flash Player, etc.) and firmware (e.g., firmware in a home use, consumer 'Wi-Fi Router') are designed to patch (fix) vulnerabilities.

True

False

A company is the victim of a cyber attack in which a previously unknown vulnerability in a web server is exploited. Which statement is true?

The company that was attacked will immediately find information on the vulnerability in the National Vulnerability Database (NVD).

This attack is known as a "Zero Day Attack."

Previously unknown vulnerabilities always have high CVSS scores.

All of the above.

A systems administrator installs a software update that removes a vulnerability in a database server. This is known as vulnerability _______________.

Repudiation

Elevation

Propagation

Mitigation

The Common Vulnerability Scoring System version 3 (CVSS v.3) is composed of the following group(s) of metrics:

Base Metric Group

Temporal Metric Group

Environmental Metric Group

All of the above

The __________ group represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments.

Base Metric

Environmental Metric

Temporal Metric

User Metric

The __________ group reflects the characteristics of a vulnerability that may change over time but not across user environments.

Base Metric

Temporal Metric

Environmental Metric

Impact Metric

The ____________ group represents the characteristics of a vulnerability that are relevant and unique to a particular organization's environment.

Base Metric

Temporal Metric

Environmental Metric

Exploit Code Maturity Metric

In CVSS v. 3, all vulnerabilities are scored on the metrics in the Base metric group resulting in a Base Score for each vulnerability. However, scoring a vulnerability on the metrics in Temporal and Environmental metric groups is optional.

True

False

In CVSS v. 3, while vulnerabilities are typically scored on the Base and Temporal metrics by the broader security community, the scoring on Environmental Metrics is to be done by analysts at the end-user organizations.

True

False

According to the CVSS v.3 specification, the Exploitability metrics reflect the ease and technical means by which the vulnerability can be exploited. That is, they represent characteristics of the thing that is vulnerable. CVSS v.3 refers to "the thing that is vulnerable" as:

The Impacted Component

The Vulnerable Component

The Base Component

The Environmental Component

According to the CVSS v.3 specification, the Impact metrics reflect the direct consequence of a successful exploit, and represent the consequence to the thing that suffers the impact. CVSS v. 3 refers to "the thing that suffers the impact" as:

The Vulnerable Component

The Environmental Component

The Impacted Component

The Base Component

The Base Metric Group of CVSS v.3 is further divided into two categories: Exploitability Metrics and Impact Metrics. Match each of the following Exploitability Metrics with its description.

Reflects the context by which the vulnerability is possible

Choose one: User interaction / Attack complexity / Attack vector / Privileges required

True

False

Answer #1

"Security Updates" for software (e.g., Microsoft Windows operating systems, Adobe Flash Player, etc.) and firmware (e.g., firmware in a home-use, consumer 'Wi-Fi Router') are designed to patch (fix) vulnerabilities.

True

  • Even though software and firmware undergo extreme testing procedures, some vulnerabilities may only arise in real-life operation. To fix them there is no need to entirely change the installation packages; rather, the vendors come up with security patches or fixes that fix the problem.

A company is the victim of a cyber attack in which a previously unknown vulnerability in a web server is exploited. Which statement is true?

This attack is known as a "Zero Day Attack."

  • A Zero Day Attack refers to an attack that occurs by exploiting a vulnerability for which, at that time, no patch or fix is available.

A systems administrator installs a software update that removes a vulnerability in a database server. This is known as vulnerability _______________.

Vulnerability Mitigation

  • The administrator scans for any vulnerabilities and takes appropriate actions to remove them.

The Common Vulnerability Scoring System version 3 (CVSS v.3) is composed of the following group(s) of metrics:

All of the above

  • The Common Vulnerability Scoring System version 3 is composed of three metric groups: Base, Temporal, and Environmental.

The __________ group represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments.

Base Metric

The __________ group reflects the characteristics of a vulnerability that may change over time but not across user environments.

Exploitability metric

The ____________ group represents the characteristics of a vulnerability that are relevant and unique to a particular organization's environment.

Temporal metric

In CVSS v. 3, all vulnerabilities are scored on the metrics in the Base metric group resulting in a Base Score for each vulnerability. However, scoring a vulnerability on the metrics in Temporal and Environmental metric groups is optional.

True

  • The Temporal and Environmental metric groups are optional and are used to refine the score so that it reflects the vulnerability accurately.

In CVSS v. 3, while vulnerabilities are typically scored on the Base and Temporal metrics by the broader security community, the scoring on Environmental Metrics is to be done by analysts at the end-user organizations.

True

  • Because the end-user organization is best able to assess the potential impact of a vulnerability within its own computing environment.

According to the CVSS v.3 specification, the Exploitability metrics reflect the ease and technical means by which the vulnerability can be exploited. That is, they represent characteristics of the thing that is vulnerable. CVSS v.3 refers to "the thing that is vulnerable" as:

The Vulnerable Component

According to the CVSS v.3 specification, the Impact metrics reflect the direct consequence of a successful exploit and represent the consequence of the thing that suffers the impact. CVSS v. 3 refers to "the thing that suffers the impact" as:

The Impacted Component

The Base Metric Group of CVSS v.3 is further divided into two categories: Exploitability Metrics and Impact Metrics. Match each of the following Exploitability Metrics with its description.

Reflects the context by which the vulnerability is possible: Attack vector
