Common Vulnerability Score System (CVSS) to calculate the Severity of a vulnerability in the Information Systems

Authors

  • Pedro Henry Quintero Vivas, Fundación Universitaria Juan de Castellanos
  • Helena Clara Isabel Alemán Novoa, Fundación Universitaria Juan de Castellanos

DOI:

https://doi.org/10.38017/2390058X.115

Keywords:

vulnerabilities in companies or organizations, CVSS (Common Vulnerability Scoring System) metrics.

Abstract

In information security today, vulnerabilities are routinely found that affect assets or the controls implemented to protect them. Such vulnerabilities can be exploited by external or internal threats, creating a security risk that exposes an organization's most important asset: its information. This paper gives a detailed description of CVSS (Common Vulnerability Scoring System), an open standard that is free to use, for estimating the impact of vulnerabilities present in a computer system by quantifying their severity, so that the organization can make informed decisions about treating the risk down to an acceptable level.

Author Biographies

Pedro Henry Quintero Vivas, Fundación Universitaria Juan de Castellanos

MUISCA Research Group, Faculty of Engineering, Specialization in Information Security, Fundación Universitaria Juan de Castellanos

Helena Clara Isabel Alemán Novoa, Fundación Universitaria Juan de Castellanos

MUISCA Research Group, Faculty of Engineering, Specialization in Information Security, Fundación Universitaria Juan de Castellanos

How to Cite

Quintero Vivas, P. H., & Alemán Novoa, H. C. I. (2018). Common Vulnerability Score System (CVSS) to calculate the Severity of a vulnerability in the Information Systems. Science, Innovation and Technology Journal, 2, 95–105. https://doi.org/10.38017/2390058X.115

Published

2018-07-26

Section

Review Article