IT Learning | Security | CVSS
Not everything in this article may be exactly correct, but it should be useful for beginners who want to understand IT terms. If you want to learn IT but have no experience working in the IT industry, I hope it helps you understand IT and makes you want to study it more.
What is CVSS?
- A scoring method for evaluating how dangerous a vulnerability is.
- CVSS is provided by IPA.
- You can standardize the impact of all vulnerabilities with CVSS.
- CVSS is an abbreviation for Common Vulnerability Scoring System.
1. Definition
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities. CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to threat. Scores are calculated based on a formula that depends on several metrics that approximate ease of exploit and the impact of exploit. Scores range from 0 to 10, with 10 being the most severe. While many utilize only the CVSS Base score for determining severity, temporal and environmental scores also exist, to factor in availability of mitigations and how widespread vulnerable systems are within an organization, respectively.
Common Vulnerability Scoring System – Wikipedia
CVSS is provided by IPA, and its score reflects the impact of the threat caused by a vulnerability.
2. IPA and Vulnerability
What is IPA?
IPA is a kind of national organization that promotes raising the level of IT in Japan.
IPA is also known for organizing the exams for the national IT certificates.
What is “Vulnerability”?
A “vulnerability” is a kind of defect in an IT system, such as a software problem, a weakness, or a lack of design consideration.
3. Common Vulnerability Scoring System
CVSS is an abbreviation for Common Vulnerability Scoring System.
Common
the same in a lot of places or for a lot of people
https://dictionary.cambridge.org/dictionary/english/common
Vulnerability
the quality of being vulnerable (= able to be easily hurt, influenced, or attacked), or something that is vulnerable
https://dictionary.cambridge.org/dictionary/english/vulnerability
Common + vulnerability + scoring + system = Common system of scoring vulnerabilities
4. Example of CVSS
Here is an example of CVSS, told as a story about pirates.
There are a god and pirates.
The god wants to rule the world, and the pirates also want to rule the same world.
The god's bounty expresses his threat in Extol, which is the currency of his world.
The pirates' bounty expresses their threat in Gold, which is the currency of another world.
Then the people in their world wonder which is the bigger threat to them.
They can’t compare them because they are evaluated in different currencies.
They need a common currency.
It’s like how you can’t compare 10 kilograms with 10 meters.
IPA provides a standard for measuring the severity of vulnerabilities as a score.
That score is calculated based on a formula that depends on several metrics that approximate ease of exploit and the impact of exploit. You can check the details on the following sites.
Overview of the Common Vulnerability Scoring System (CVSS): IPA, Information-technology Promotion Agency, Japan
Common Vulnerability Scoring System – Wikipedia
- The god is 500,000,000 berries.
- The pirates are 8,000,000,000 berries.
And now you can see which is more dangerous: yes, the pirates! All you have to do is compare their scores.
And a higher number means a higher risk.
5. Related Information
Related Articles
IT Learning | Security | Malware | Japan Teams
IT Learning | Security | IDS | Japan Teams
IT Learning | Security | Firewall – Saving Alabasta | Japan Teams
Other Source Information
IPA Information-technology Promotion Agency, Japan
fin