Security Basics mailing list archives
cvss questions
From: fire0088 () gmail com
Date: Sun, 20 Nov 2011 00:31:14 GMT
Recently, my company has started using CVSS v2 for our metrics. I'm satisfied with the corresponding values I get from the score calculator *until* I add in the "Target Distribution" score, which drastically cuts down on the vulnerability's "Overall CVSS Score." As I understand it, and as the CVSS v2 manual states, the field "Target Distribution" is "the portion of vulnerable systems on the network." Since my client has a large and varied network, vulnerabilities will always get the "target distribution" of 0%-25%. This means my "Overall CVSS Score" gets dropped from a high rating between 8-10 to around 1.5 - 2.5 when target distribution is set to 0%-25%. Even if the targeted computers are mission critical, and their failure can result in loss of life, the corresponding value gets reduced. Is my understanding of "Target Distribution" incorrect? Is it ethical to set the "Target Distribution" to "Not Defined," even if I know exactly how many machines will be affected? If it is ok to do this, what justification can I provide if questioned on why the value was skipped?

Thanks for your help!
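The arithmetic behind the drop described in the post, as an added example that is not part of the original message: it implements the CVSS v2 environmental equation with the specification's published weights and sweeps Target Distribution for one vector. The sample vector and the helper names (`environmental`, `td_sweep`) are constructed for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2 specification.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}
REQ = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}             # CR / IR / AR
CDP = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}
TD = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}   # L = 1-25%

def round1(x):
    """Round to one decimal, half up (avoids binary-float banker's rounding)."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), ROUND_HALF_UP))

def environmental(av, ac, au, c, i, a,
                  cdp="ND", td="ND", cr="ND", ir="ND", ar="ND"):
    """CVSS v2 environmental score; temporal metrics left Not Defined (1.0)."""
    exploitability = 20 * AV[av] * AC[ac] * AU[au]
    adj_impact = min(10.0, 10.41 * (1 - (1 - IMPACT[c] * REQ[cr])
                                      * (1 - IMPACT[i] * REQ[ir])
                                      * (1 - IMPACT[a] * REQ[ar])))
    f = 0.0 if adj_impact == 0 else 1.176
    adj_base = round1((0.6 * adj_impact + 0.4 * exploitability - 1.5) * f)
    adj_temporal = round1(adj_base * 1.0 * 1.0 * 1.0)        # E, RL, RC = ND
    # TD multiplies the whole result, so it also scales down the CDP uplift.
    return round1((adj_temporal + (10 - adj_temporal) * CDP[cdp]) * TD[td])

def td_sweep(vector, cdp="ND"):
    """Score the same vector under every Target Distribution value."""
    return {td: environmental(*vector, cdp=cdp, td=td)
            for td in ("ND", "H", "M", "L", "N")}

# Constructed sample: AV:N/AC:L/Au:N/C:P/I:P/A:P (base score 7.5).
SAMPLE = ("N", "L", "N", "P", "P", "P")

if __name__ == "__main__":
    for cdp in ("ND", "H"):
        print(f"CDP={cdp}:", td_sweep(SAMPLE, cdp))
```

Because TD is the outermost multiplier, a Collateral Damage Potential of High raises the score before scaling but cannot offset a Low distribution.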