By Jason McNicholas
Cyber Essentials Assessor
During Cyber Essentials Plus audits we’re often asked the question “How is it decided which vulnerabilities are a fail and which ones are not?”. To decide this, we use the CVSS v3.0 metrics and score provided for each vulnerability.
The first thing to be checked is the score: if the vulnerability scores higher than 7.0 (making it a high or critical), we then move on to the metrics. The metrics used are defined as follows:
- Attack Vector (AV)
- Attack Complexity (AC)
- Privileges Required (PR)
- User Interaction (UI)
- Exploit Code Maturity (E)
- Report Confidence (RC)
These metrics give an overview of different aspects of the vulnerability. Although there are other metrics, these are the only ones used in Cyber Essentials Plus, and a fail only occurs when a specific scenario is met, which is as follows: AV:N/AC:L/PR:N/UI:N/E:H/RC:C. These mean:
- Attack Vector (AV) – Network
- Attack Complexity (AC) – Low
- Privileges Required (PR) – None
- User Interaction (UI) – None
- Exploit Code Maturity (E) – High (H), or Functional (F) would also count
- Report Confidence (RC) – Confirmed
It is only when these specific metrics are met that a fail will be issued; this is the case if any vulnerability meeting these criteria is found on any machine.
If you are about to undertake a Cyber Essentials Plus assessment and have access to vulnerability scanning software, it could be beneficial to check for these vulnerabilities and remediate them before the audit date.
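As an added illustration (not code from the original post), the check described above, applied to a handful of constructed scanner findings: a finding is a fail only when its score is higher than 7.0 and its CVSS v3.0 vector string carries AV:N, AC:L, PR:N, UI:N, E:H or E:F, and RC:C. The finding names and vectors are hypothetical, and a vector with no temporal metrics is treated as not matching the scenario.

```python
import re

# Metric values the post lists as the Cyber Essentials Plus fail scenario.
# Exploit Code Maturity accepts High (H) or Functional (F).
FAIL_CRITERIA = {
    "AV": {"N"},      # Attack Vector: Network
    "AC": {"L"},      # Attack Complexity: Low
    "PR": {"N"},      # Privileges Required: None
    "UI": {"N"},      # User Interaction: None
    "E": {"H", "F"},  # Exploit Code Maturity: High or Functional
    "RC": {"C"},      # Report Confidence: Confirmed
}
SCORE_THRESHOLD = 7.0  # a fail needs a score higher than this

def parse_vector(vector: str) -> dict:
    """Split a CVSS v3.0 vector string into a {metric: value} mapping."""
    m = re.fullmatch(r"CVSS:3\.0/(.+)", vector.strip())
    if not m:
        raise ValueError(f"not a CVSS v3.0 vector: {vector!r}")
    metrics = {}
    for part in m.group(1).split("/"):
        key, _, value = part.partition(":")
        if not key or not value:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key] = value
    return metrics

def is_ce_plus_fail(score: float, vector: str) -> bool:
    """Score above 7.0 AND every listed metric matches. A vector with no
    temporal metrics (E, RC) cannot match the scenario, so it is not a fail."""
    if score <= SCORE_THRESHOLD:
        return False
    metrics = parse_vector(vector)
    return all(metrics.get(k) in ok for k, ok in FAIL_CRITERIA.items())

# Constructed sample findings (hypothetical names and vectors, not real scanner output).
SAMPLE_FINDINGS = [
    ("Finding A", 9.8, "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C"),
    ("Finding B", 9.8, "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C"),
    ("Finding C", 9.8, "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C"),
    ("Finding D", 8.8, "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C"),
    ("Finding E", 6.5, "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:H/RL:O/RC:C"),
    ("Finding F", 9.8, "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
]

def triage(findings=SAMPLE_FINDINGS) -> list:
    """Return the names of findings that meet the fail criteria."""
    return [n for n, score, vec in findings if is_ce_plus_fail(score, vec)]
```

Only Findings A and B come back as fails: C has proof-of-concept exploit maturity, D requires user interaction, E scores below the threshold, and F carries no temporal metrics.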