Commit 132b13a

Deployed 69fb338 with MkDocs version: 1.5.3
1 parent cdd73f5 commit 132b13a

4 files changed

Lines changed: 5 additions & 5 deletions

print_page/index.html

Lines changed: 2 additions & 2 deletions
Original file line number | Diff line number | Diff line change
@@ -5771,7 +5771,7 @@ <h3 id="risk-takeaway-use-a-risk-based-prioritization-scheme-that-supports-explo
57715771
<p>“The focus should be given to those known to be <a href="#vendors-qualys">exploited in the wild (<abbr title="Cybersecurity &amp; Infrastructure Security Agency">CISA</abbr> <abbr title="Known Exploited Vulnerability">KEV</abbr>), those with a high likelihood of exploitation (indicated by a high <abbr title="Exploit Prediction Scoring System">EPSS</abbr> score), and those with weaponized exploit code available</a></p>
57725772
<p><img alt="Exploitation Known evidence or activity" src="../assets/images/threat.png" width="400" /></p>
57735773
<ol>
5774-
<li>For those using <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Scores and Ratings, using <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> v3 Temporal Metric - Exploit Code Maturity (E) that <strong>supports Exploitation</strong> evidence is a small step with a relatively small (de)prioritization of CVEs.</li>
5774+
<li>For those using <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Scores and Ratings, using <a href="#risk-rbp_schemes-cvss-and-temporal-metric-exploit-code-maturity-e"><abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> v3 Temporal Metric - Exploit Code Maturity (E)</a> that <strong>supports Exploitation</strong> evidence is a small step with a relatively small (de)prioritization of CVEs.</li>
57755775
<li>Either <a href="#risk-takeaway-cvss-base-score-ratings-with-exploitation-focus"><abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Base Score Ratings with Exploitation Focus</a> or <a href="#risk-takeaway-ssvc-decision-trees"><abbr title="SSVC Stakeholder-Specific Vulnerability Categorization">SSVC</abbr> Decision Trees</a>, that <a href="#risk-understanding_risk-where-cvss-epss-cisa-kev-fit"><strong>Focus on Exploitation</strong></a>, are bigger steps, with a bigger (de)prioritization of CVEs.</li>
57765776
</ol>
57775777
<p>This can run automatically as a First Pass Triage, before additional business and runtime context is added.</p>
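Review bot: The new href on line 5774, `#risk-rbp_schemes-cvss-and-temporal-metric-exploit-code-maturity-e`, targets an id that does not appear in this hunk, and a fragment with no matching id fails silently in the browser. Please confirm the print page emits a heading with exactly that id; it does follow the same `#risk-<page>-<slug>` pattern as `#risk-understanding_risk-where-cvss-epss-cisa-kev-fit` on line 5775, so a link check over the built page would be enough to settle it.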
@@ -5780,7 +5780,7 @@ <h3 id="risk-takeaway-use-a-risk-based-prioritization-scheme-that-supports-explo
57805780
</figure></p>
57815781
<h3 id="risk-takeaway-refine-the-risk-based-prioritization-scheme-based-on-your-environment-and-your-data">Refine the <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr> Based Prioritization scheme based on your environment and your data.<a class="headerlink" href="#risk-takeaway-refine-the-risk-based-prioritization-scheme-based-on-your-environment-and-your-data" title="Permanent link">&para;</a></h3>
57825782
<ol>
5783-
<li>Use CVEs detected in your Incident Response, Bug Bounty, PenTesting findings) to inform your <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr>.</li>
5783+
<li>Use CVEs detected in your Incident Response, Bug Bounty, PenTesting findings to inform your <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr>.</li>
57845784
<li>For <abbr title="Exploit Prediction Scoring System">EPSS</abbr>:<ol>
57855785
<li>Assess <a href="#epss-applying_epss_to_your_environment-epss-for-your-environment"><abbr title="Exploit Prediction Scoring System">EPSS</abbr> for YOUR Environment</a></li>
57865786
<li>Start by picking an <abbr title="Exploit Prediction Scoring System">EPSS</abbr> Threshold around 10%, and adjust based on your <abbr title="CVE Common Vulnerability and Exposures. A standardized list of publicly known vulnerabilities and exposures maintained by the MITRE Corporation.">CVE</abbr> data and your capacity to <abbr title="The neutralization or elimination of a vulnerability or the likelihood of its exploitation.">remediate</abbr> the CVEs above that Threshold (in conjunction with <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Severity or other <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr> factors) per <a href="#epss-epss_thresholds-remediation-policy-for-an-enterprise">Remediation Policy for an Enterprise</a></li>
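Review bot: Line 5783 drops the stray ")" but the series still reads "Incident Response, Bug Bounty, PenTesting findings" with no conjunction. Suggest "Use CVEs detected in your Incident Response, Bug Bounty, and PenTesting findings to inform your Risk." The identical sentence is changed in risk/Takeaway/index.html, so both copies should carry the same wording.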

risk/Takeaway/index.html

Lines changed: 2 additions & 2 deletions
Original file line number | Diff line number | Diff line change
@@ -1559,7 +1559,7 @@ <h3 id="use-a-risk-based-prioritization-scheme-that-supports-exploitation-eviden
15591559
<p>“The focus should be given to those known to be <a href="../../vendors/Qualys/">exploited in the wild (<abbr title="Cybersecurity &amp; Infrastructure Security Agency">CISA</abbr> <abbr title="Known Exploited Vulnerability">KEV</abbr>), those with a high likelihood of exploitation (indicated by a high <abbr title="Exploit Prediction Scoring System">EPSS</abbr> score), and those with weaponized exploit code available</a></p>
15601560
<p><img alt="Exploitation Known evidence or activity" src="../../assets/images/threat.png" width="400" /></p>
15611561
<ol>
1562-
<li>For those using <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Scores and Ratings, using <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> v3 Temporal Metric - Exploit Code Maturity (E) that <strong>supports Exploitation</strong> evidence is a small step with a relatively small (de)prioritization of CVEs.</li>
1562+
<li>For those using <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Scores and Ratings, using <a href="../Rbp_schemes/#cvss-and-temporal-metric-exploit-code-maturity-e"><abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> v3 Temporal Metric - Exploit Code Maturity (E)</a> that <strong>supports Exploitation</strong> evidence is a small step with a relatively small (de)prioritization of CVEs.</li>
15631563
<li>Either <a href="#cvss-base-score-ratings-with-exploitation-focus"><abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Base Score Ratings with Exploitation Focus</a> or <a href="#ssvc-decision-trees"><abbr title="SSVC Stakeholder-Specific Vulnerability Categorization">SSVC</abbr> Decision Trees</a>, that <a href="../Understanding_Risk/#where-cvss-epss-cisa-kev-fit"><strong>Focus on Exploitation</strong></a>, are bigger steps, with a bigger (de)prioritization of CVEs.</li>
15641564
</ol>
15651565
<p>This can run automatically as a First Pass Triage, before additional business and runtime context is added.</p>
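Review bot: The relative link added on line 1562 spells the directory `Rbp_schemes`, while the neighbouring link on line 1563 uses `Understanding_Risk` with each word capitalized. Paths are case-sensitive on most static hosts, so confirm the generated directory is named `Rbp_schemes` exactly and that the page carries the `cvss-and-temporal-metric-exploit-code-maturity-e` id; otherwise this link breaks even though the print-page fragment resolves.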
@@ -1568,7 +1568,7 @@ <h3 id="use-a-risk-based-prioritization-scheme-that-supports-exploitation-eviden
15681568
</figure></p>
15691569
<h3 id="refine-the-risk-based-prioritization-scheme-based-on-your-environment-and-your-data">Refine the <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr> Based Prioritization scheme based on your environment and your data.<a class="headerlink" href="#refine-the-risk-based-prioritization-scheme-based-on-your-environment-and-your-data" title="Permanent link">&para;</a></h3>
15701570
<ol>
1571-
<li>Use CVEs detected in your Incident Response, Bug Bounty, PenTesting findings) to inform your <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr>.</li>
1571+
<li>Use CVEs detected in your Incident Response, Bug Bounty, PenTesting findings to inform your <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr>.</li>
15721572
<li>For <abbr title="Exploit Prediction Scoring System">EPSS</abbr>:<ol>
15731573
<li>Assess <a href="../../epss/Applying_EPSS_to_your_environment/#epss-for-your-environment"><abbr title="Exploit Prediction Scoring System">EPSS</abbr> for YOUR Environment</a></li>
15741574
<li>Start by picking an <abbr title="Exploit Prediction Scoring System">EPSS</abbr> Threshold around 10%, and adjust based on your <abbr title="CVE Common Vulnerability and Exposures. A standardized list of publicly known vulnerabilities and exposures maintained by the MITRE Corporation.">CVE</abbr> data and your capacity to <abbr title="The neutralization or elimination of a vulnerability or the likelihood of its exploitation.">remediate</abbr> the CVEs above that Threshold (in conjunction with <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Severity or other <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr> factors) per <a href="../../epss/EPSS_Thresholds/#remediation-policy-for-an-enterprise">Remediation Policy for an Enterprise</a></li>

search/search_index.json

Lines changed: 1 addition & 1 deletion
Large diffs are not rendered by default.

sitemap.xml.gz

0 Bytes
Binary file not shown.
