Exam CAS-004 topic 1 question 274 discussion

The impact subscore measures how much damage an attacker could cause if they successfully exploited this vulnerability3. By aligning the impact subscore requirements to the predetermined system categorization, the security analyst can get a better picture of the risk while adhering to the organization’s policy.

I interpret this as the Organization caring about impact. CVSS Impact scores are measure in Low, Medium, and High. If an attack vector's exploitability is High, but the Impact is low, budget consideration would tell me that it is irrelevant. But if the IMPACT is high to the business, it needs to be fixed.

Agree with C. Example of Misalignment: - A medium-severity vulnerability in a public-facing financial application (critical system) might be ignored under the organization's current policy, even though its exploitation could have significant consequences. - Similarly, a high-severity vulnerability in a low-criticality marketing system may be unnecessarily prioritized over issues in critical systems. The organization can align vulnerability prioritization with system categorization by weighting CVSS metrics according to the criticality of the affected system.

A. Align the exploitability metrics to the predetermined system categorization. Here's why: Exploitability metrics in the CVSS (Common Vulnerability Scoring System) take into account factors like how easily a vulnerability can be exploited. By aligning these metrics with the organization's predetermined system categorization, the analyst can adjust the ratings to reflect the specific threat environment, such as the system’s exposure or its criticality. This would help in adjusting the CVSS score to better fit the organization's risk assessment criteria while adhering to the policy of only addressing high and critical vulnerabilities. NOT C. because the impact sub score in CVSS focuses on the consequences of a vulnerability being exploited (e.g., confidentiality, integrity, availability). Aligning these with the system categorization may provide insight into the actual impact, but it doesn’t address the main issue of vulnerabilities breaching thresholds based on their exploitability.