Deployed 74c2776 with MkDocs version: 1.5.3

Author: Crashedmind

cvss/CVSS/index.html

@@ -1636,18 +1636,18 @@ <h2 id="cvss-severity-rating-scale"><abbr title="Common Vulnerability Scoring Sy
 intended to help organizations properly assess and prioritize their
 vulnerability management processes."</p>
 <p><figure markdown>
-<img alt="Image title" src="../../assets/images/cvss_ratings_table.png" />
+<img alt="" src="../../assets/images/cvss_ratings_table.png" />
 <figcaption><abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Rating for all CVEs</figcaption>
 </figure></p>
 <p><em><a href="https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale">https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale</a></em></p>
 </div>
 <figure>
-<p><img alt="Image title" src="../../assets/images/cvss_ratings_all.png" width="500" />
+<p><img alt="" src="../../assets/images/cvss_ratings_all.png" width="500" />
   </p>
 <figcaption>CVSS Rating for all CVEs</figcaption>
 </figure>
 <figure>
-<p><img alt="Image title" src="../../assets/images/cvss_ratings_v3.png" width="500" />
+<p><img alt="" src="../../assets/images/cvss_ratings_v3.png" width="500" />
   </p>
 <figcaption>CVSS Rating for all CVSS v3 CVEs</figcaption>
 </figure>
@@ -1716,22 +1716,22 @@ <h2 id="cvss-confidentiality-integrity-availability-impacts"><abbr title="Common
 <p><a href="https://www.first.org/cvss/v3.1/user-guide#3-2-Confidentiality-and-Integrity-Versus-Availability-Impacts">https://www.first.org/cvss/v3.1/user-guide#3-2-Confidentiality-and-Integrity-Versus-Availability-Impacts</a></p>
 </div>
 <figure>
-<p><img alt="Image title" src="../../assets/images/cvss1.png" width="500" />
+<p><img alt="" src="../../assets/images/cvss1.png" width="500" />
   </p>
 <figcaption>Confidentiality Values for CVSS v3 CVEs (HIGH, LOW, NONE)</figcaption>
 </figure>
 <figure>
-<p><img alt="Image title" src="../../assets/images/cvss2.png" width="500" />
+<p><img alt="" src="../../assets/images/cvss2.png" width="500" />
   </p>
 <figcaption>Integrity Values for CVSS v3 CVEs</figcaption>
 </figure>
 <figure>
-<p><img alt="Image title" src="../../assets/images/cvss3.png" width="500" />
+<p><img alt="" src="../../assets/images/cvss3.png" width="500" />
   </p>
 <figcaption>Availability Values for CVSS v3 CVEs (HIGH, LOW, NONE)</figcaption>
 </figure>
 <figure>
-<p><img alt="Image title" src="../../assets/images/cvss4.png" width="500" />
+<p><img alt="" src="../../assets/images/cvss4.png" width="500" />
   </p>
 <figcaption>Counts of Combinations of CIA for CVSS v3 CVEs <br>e.g. CIA_HHH means that Confidentiality Impact is HIGH, Integrity Impact
 is HIGH, Availability Impact is HIGH</figcaption>
@@ -1804,8 +1804,8 @@ <h3 id="count-of-cves-at-or-above-cvss-base-score-and-cvss-base-and-threat-score
 </figcaption>
 </figure>
 <figure>
-<p><img alt="Image title" src="../../assets/images/cvss_bt_parcat.png" /></p>
-<figcaption>The effect of CVSS Base &amp; Threat is to move some CVEs down a Rating e.g. some Critical CVEs are move to High</figcaption>
+<p><img alt="" src="../../assets/images/cvss_bt_parcat.png" /></p>
+<figcaption>The effect of CVSS Base &amp; Threat is to move some CVEs down a Rating e.g. some Critical CVEs move to High</figcaption>
 </figure>
 <div class="admonition observations">
 <p class="admonition-title">Observations</p>

introduction/Scope/index.html

@@ -1454,11 +1454,11 @@ <h2 id="per-vulnerability">Per Vulnerability<a class="headerlink" href="#per-vul
 <p>A different way of looking at this is that this guide (and the prioritization schemes herein), can be used as a first pass triage and prioritization of vulnerabilities, before the overall asset-specific business and runtime context, and remediation context, is considered, and all the context-specific dependencies that go with that.</p>
 <p>In other words, Relative <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr> per vulnerability.</p>
 <figure>
-<p><img alt="Image title" src="../../assets/images/risk_remediation_taxonomy.png" /></p>
+<p><img alt="" src="../../assets/images/risk_remediation_taxonomy.png" /></p>
 <figcaption>The scope for this guide is the "Per Vulnerability" branch</figcaption>
 </figure>
 <figure>
-<p><img alt="Image title" src="../../assets/images/stages.png" /></p>
+<p><img alt="" src="../../assets/images/stages.png" /></p>
 <figcaption>The scope for this guide is up to and including the First Pass Triage</figcaption>
 </figure>
 <div class="admonition tip">

print_page/index.html

@@ -1487,8 +1487,8 @@ <h1 id="risk-based-prioritization-schemes"><abbr title="The likelihood of a vuln
 <h3 id="cvss-temporal-threat-metrics"><abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Temporal &amp; Threat Metrics<a class="headerlink" href="#cvss-temporal-threat-metrics" title="Permanent link">&para;</a></h3>
 <p>Exploitation data is added per the <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> standard as described in <a href="../../cvss/CVSS/#cvss-exploit-maturity"><abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr></a>.</p>
 <figure>
-<p><img alt="Image title" src="../../assets/images/cvss_bt_parcat.png" /></p>
-<figcaption>The effect of CVSS Base &amp; Threat is to move some CVEs down a Rating e.g. some Critical CVEs are move to High</figcaption>
+<p><img alt="" src="../../assets/images/cvss_bt_parcat.png" /></p>
+<figcaption>The effect of CVSS Base &amp; Threat is to move some CVEs down a Rating e.g. some Critical CVEs move to High</figcaption>
 </figure>
 <h3 id="cvss-base-score-ratings-with-exploitation-focus"><abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Base Score Ratings with Exploitation Focus<a class="headerlink" href="#cvss-base-score-ratings-with-exploitation-focus" title="Permanent link">&para;</a></h3>
 <p>A simple illustrative scheme that combines Base Score Ratings with Exploitation status is defined here.</p>
@@ -1498,76 +1498,65 @@ <h3 id="cvss-base-score-ratings-with-exploitation-focus"><abbr title="Common Vul
 <table>
 <thead>
 <tr>
-<th></th>
-<th>base_score_category</th>
-<th>Exploitation</th>
 <th>Score</th>
+<th><abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Base Score Rating</th>
+<th>Exploitation</th>
 </tr>
 </thead>
 <tbody>
 <tr>
-<td></td>
+<td>10</td>
 <td>critical</td>
 <td>kev</td>
-<td>10</td>
 </tr>
 <tr>
-<td></td>
+<td>9</td>
 <td>critical</td>
 <td>weaponized</td>
-<td>9</td>
 </tr>
 <tr>
-<td></td>
+<td>8</td>
 <td>high</td>
 <td>kev</td>
-<td>8</td>
 </tr>
 <tr>
-<td></td>
+<td>7</td>
 <td>high</td>
 <td>weaponized</td>
-<td>7</td>
 </tr>
 <tr>
-<td></td>
-<td>critical</td>
-<td>poc and not kev and not weaponized</td>
 <td>6</td>
+<td>critical</td>
+<td>poc</td>
 </tr>
 <tr>
-<td></td>
-<td>high</td>
-<td>poc and not kev and not weaponized</td>
 <td>5</td>
+<td>high</td>
+<td>poc</td>
 </tr>
 <tr>
-<td></td>
+<td>4</td>
 <td>critical</td>
 <td>-</td>
-<td>4</td>
 </tr>
 <tr>
-<td></td>
+<td>3</td>
 <td>high</td>
 <td>-</td>
-<td>3</td>
 </tr>
 <tr>
-<td></td>
+<td>2</td>
 <td>medium</td>
 <td>-</td>
-<td>2</td>
 </tr>
 <tr>
-<td></td>
+<td>1</td>
 <td>-</td>
 <td>-</td>
-<td>1</td>
 </tr>
 </tbody>
 </table>
-<p>where a <abbr title="CVE Common Vulnerability and Exposures. A standardized list of publicly known vulnerabilities and exposures maintained by the MITRE Corporation.">CVE</abbr> is assigned to a Group if it appears in the Data Source listed:</p>
+<p>where a <abbr title="CVE Common Vulnerability and Exposures. A standardized list of publicly known vulnerabilities and exposures maintained by the MITRE Corporation.">CVE</abbr> is assigned to a group if it appears in the Data Source listed:</p>
 <table>
 <thead>
 <tr>
@@ -1591,15 +1580,15 @@ <h3 id="cvss-base-score-ratings-with-exploitation-focus"><abbr title="Common Vul
 </tbody>
 </table>
 <figure>
-<p><img alt="Image title" src="../../assets/images/cvss_exploitation_parcat.png" /> </p>
+<p><img alt="" src="../../assets/images/cvss_exploitation_parcat.png" /> </p>
 <figcaption>Combination of CVSS Base Score Rating and Exploitation Evidence to Assign a Score (10 is highest risk)</figcaption>
 </figure>
 <h3 id="ssvc-decision-trees"><abbr title="SSVC Stakeholder-Specific Vulnerability Categorization">SSVC</abbr> Decision Trees<a class="headerlink" href="#ssvc-decision-trees" title="Permanent link">&para;</a></h3>
 <p>The <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Base parameters are used instead of <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> scores or ratings.</p>
 <p>Per the <a href="../../ssvc/decision_trees_from_scratch/"><abbr title="SSVC Stakeholder-Specific Vulnerability Categorization">SSVC</abbr></a> Decision Tree example, the Exploitability and Impact <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr> Factors that make up the <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Base Score are split out separately and used instead of the <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Base Score.</p>
 <p>This gives more granularity than combining <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Ratings and Exploitation factors i.e. better <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr> Based Prioritization.</p>
 <figure>
-<p><img alt="Image title" src="../../assets/images/dt_sankey.png" /> </p>
+<p><img alt="" src="../../assets/images/dt_sankey.png" /> </p>
 <figcaption>SSVC Decision Tree (Dark Red is highest risk: Exploitation-Active, Automatable-Yes, Technical-Impact Total)</figcaption>
 </figure>
 <div class="admonition observations">
@@ -1631,6 +1620,27 @@ <h3 id="ssvc-decision-trees"><abbr title="SSVC Stakeholder-Specific Vulnerabilit
 <li>Either <a href="#cvss-base-score-ratings-with-exploitation-focus"><abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Base Score Ratings with Exploitation Focus</a> or  <a href="#ssvc-decision-trees"><abbr title="SSVC Stakeholder-Specific Vulnerability Categorization">SSVC</abbr> Decision Trees</a>, that <a href="../Understanding_Risk/#where-cvss-epss-cisa-kev-fit">Focus on Exploitation</a>, are good starting points or references for a <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr> Based Prioritization scheme.</li>
 <li>Apply a <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr> Based Prioritization scheme based on your environment, and refine it based on your data.</li>
 </ol>
+<table>
+<thead>
+<tr>
+<th><abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Temporal &amp; Threat Metrics</th>
+<th><abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Base Score Ratings with Exploitation Focus</th>
+<th><abbr title="SSVC Stakeholder-Specific Vulnerability Categorization">SSVC</abbr> Decision Trees</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td><img alt="" src="../../assets/images/cvss_bt_parcat.png" /></td>
+<td><img alt="" src="../../assets/images/cvss_exploitation_parcat.png" /></td>
+<td><img alt="" src="../../assets/images/dt_sankey.png" /></td>
+</tr>
+<tr>
+<td>The effect of <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr> Base &amp; Threat is to move some CVEs down a Rating e.g. some Critical CVEs move to High</td>
+<td>Better prioritization - less red</td>
+<td>Better prioritization - less red</td>
+</tr>
+</tbody>
+</table>
 </div>
 
 

risk/Rbp_schemes/index.html

@@ -1495,7 +1495,7 @@ <h1 id="takeaway">Takeaway<a class="headerlink" href="#takeaway" title="Permanen
 <p><a href="../../introduction/Requirements/">Requirements for a <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr> Based Prioritization Scheme for First Pass Triage</a>.</p>
 <h2 id="risk-based-prioritization-scheme-for-first-pass-triage"><abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr> Based Prioritization Scheme for First Pass Triage<a class="headerlink" href="#risk-based-prioritization-scheme-for-first-pass-triage" title="Permanent link">&para;</a></h2>
 <figure>
-<p><img alt="Image title" src="../../assets/images/stages.png" /></p>
+<p><img alt="" src="../../assets/images/stages.png" /></p>
 <figcaption>The scope for this guide is up to and including the First Pass Triage</figcaption>
 </figure>
 <p><abbr title="CVE Common Vulnerability and Exposures. A standardized list of publicly known vulnerabilities and exposures maintained by the MITRE Corporation.">CVE</abbr> data is public.</p>

risk/Takeaway/index.html

@@ -1684,7 +1684,7 @@ <h2 id="risk-definition"><abbr title="The likelihood of a vulnerability being ex
     purposes.</li>
 </ul>
 <p><figure markdown>
-<img alt="Image title" src="../../assets/images/nist_risk.png" />
+<img alt="" src="../../assets/images/nist_risk.png" />
 <figcaption>NIST Generic <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr> Model with Key <abbr title="The likelihood of a vulnerability being exploited and the potential impact of such an exploit on an organization.">Risk</abbr> Factors</figcaption>
 </figure></p>
 </div>
@@ -1745,7 +1745,7 @@ <h3 id="where-cvss-epss-cisa-kev-fit">Where <abbr title="Common Vulnerability Sc
 <p>Adding more detail to the Vulnerability branch, to show where <abbr title="Common Vulnerability Scoring System Standard. A framework for scoring the severity of vulnerabilities based on factors such as exploitability and impact.">CVSS</abbr>,
 <abbr title="Exploit Prediction Scoring System">EPSS</abbr>, <abbr title="Cybersecurity &amp; Infrastructure Security Agency">CISA</abbr> <abbr title="Known Exploited Vulnerability">KEV</abbr> fit...</p>
 <figure>
-<p><img alt="Image title" src="../../assets/images/risk_remediation_taxonomy.png" /></p>
+<p><img alt="" src="../../assets/images/risk_remediation_taxonomy.png" /></p>
 <figcaption> Where CVSS, EPSS, CISA KEV Fit with Risk</figcaption>
 </figure>
 <h3 id="threat-likelihood-of-exploit-data-sources">Threat Likelihood of Exploit Data Sources<a class="headerlink" href="#threat-likelihood-of-exploit-data-sources" title="Permanent link">&para;</a></h3>

risk/Understanding_Risk/index.html

@@ -1475,18 +1475,18 @@ <h1 id="vulnerability-landscape">Vulnerability Landscape<a class="headerlink" hr
 </div>
 <h2 id="timeline">Timeline<a class="headerlink" href="#timeline" title="Permanent link">&para;</a></h2>
 <figure>
-<p><img alt="Image title" src="../../assets/images/vuln_timeline_per_year.png" />
+<p><img alt="" src="../../assets/images/vuln_timeline_per_year.png" />
   </p>
 <figcaption>Count of CVEs published per year</figcaption>
 </figure>
 <figure>
-<p><img alt="Image title" src="../../assets/images/vuln_timeline.png" />
+<p><img alt="" src="../../assets/images/vuln_timeline.png" />
   </p>
 <figcaption>CVEs published per year (cumulative), with publication dates of standards</figcaption>
 </figure>
 <h2 id="vulnerability-standards">Vulnerability Standards<a class="headerlink" href="#vulnerability-standards" title="Permanent link">&para;</a></h2>
 <figure>
-<p><img alt="Image title" src="../../assets/images/vuln_landscape.png" />
+<p><img alt="" src="../../assets/images/vuln_landscape.png" />
   </p>
 <figcaption>Vulnerability Landscape Main Efforts</figcaption>
 </figure>
@@ -1505,7 +1505,7 @@ <h2 id="key-risk-factor-standards">Key <abbr title="The likelihood of a vulnerab
 </ul>
 </div>
 <figure>
-<p><img alt="Image title" src="../../assets/images/cwe-cve-capec.png" />
+<p><img alt="" src="../../assets/images/cwe-cve-capec.png" />
   </p>
 <figcaption>From weakness to Impact</figcaption>
 </figure>

risk/Vulnerability_Landscape/index.html

@@ -1506,11 +1506,11 @@ <h3 id="cisa-and-ssvc"><abbr title="Cybersecurity &amp; Infrastructure Security
 <p><a href="https://www.cisa.gov/sites/default/files/publications/cisa-ssvc-guide%20508c.pdf">https://www.cisa.gov/sites/default/files/publications/cisa-ssvc-guide%20508c.pdf</a></p>
 </div>
 <figure>
-<p><img alt="Image title" src="../../assets/images/cisa_ssvcdt.png" width="700" /></p>
+<p><img alt="" src="../../assets/images/cisa_ssvcdt.png" width="700" /></p>
 <figcaption>CISA's SSVC Decision Tree https://www.cisa.gov/ssvc-calculator</figcaption>
 </figure>
 <figure>
-<p><img alt="Image title" src="../../assets/images/cisadt_decisions.png" width="700" /></p>
+<p><img alt="" src="../../assets/images/cisadt_decisions.png" width="700" /></p>
 <figcaption>CISA's SSVC Decision Tree Outcomes https://www.cisa.gov/ssvc-calculator</figcaption>
 </figure>
 <h2 id="exploitation-evidence-of-active-exploitation-of-a-vulnerability">Exploitation: Evidence of Active Exploitation of a Vulnerability<a class="headerlink" href="#exploitation-evidence-of-active-exploitation-of-a-vulnerability" title="Permanent link">&para;</a></h2>