Which statement about CVSS metrics is correct?

Prepare for the PCI Approved Scanning Vendor (ASV) Test. Study with flashcards, multiple choice questions, hints, and explanations. Get exam ready!

Multiple Choice

Which statement about CVSS metrics is correct?

Explanation:
CVSS scoring is built from three metric groups: Base, Temporal, and Environmental. The Base metrics measure the inherent severity of a vulnerability—how severe it would be if it were exploited—using factors like how the attacker could reach the target, the prerequisites required, and the potential impact on confidentiality, integrity, and availability. The Temporal metrics adjust that base score over time by considering how easily the vulnerability could be exploited in practice, the availability of remediation, and how confident researchers are about the information. The Environmental metrics tailor the score to a specific context, letting you account for how important the affected security properties are in a given environment and any modifications to the metric values that reflect that environment.

That’s why the statement is correct: CVSS uses these three groups, not four, and there isn’t a metric category called Accessibility. Stating that CVSS uses only two groups or only environmental metrics, or adding a non-existent fourth category, does not align with how the system is defined.
