ある会社が、複数のシステムをインターネットに公開することを決定しました。これらのシステムは現在、社内でのみ利用可能です。セキュリティ アナリストは、CVSS3.1 の悪用可能性メトリックのサブセットを使用して、システムがインターネットに公開されたときに最も悪用される可能性のある脆弱性を優先順位付けしています。システムと脆弱性を以下に示します。
次のシステムのうち、パッチ適用を優先すべきものはどれですか?
正解:C
The system "blane" with the vulnerability name "snakedoctor" should be prioritized for patching as it has a network attack vector (AV:N), low attack complexity (AC:L), and high availability (A:H). These metrics indicate that it would be relatively easy to exploit this vulnerability over the internet, and the system is highly available. References: According to the CVSS v3.1 Specification Document, the exploitability metrics for CVSS are Attack Vector, Attack Complexity, Privileges Required, User Interaction, and Scope. These metrics measure how the vulnerability is accessed, the complexity of the attack, and the level of interaction and privileges required to exploit the vulnerability. The image shows a table with the values of these metrics for each system and vulnerability. Based on these values, the system "blane" has the highest exploitability score, as it has the most favorable conditions for an attacker. The other systems have either a lower attack vector, higher attack complexity, or lower availability, which make them less exploitable. Therefore, the system
"blane" should be patched first.