This chapter looks at the Common Vulnerability Scoring System v3.0 (CVSS v3.0) in order to introduce common terminology, as well as to split the large topic of cyber-threat into three areas of impact, and five areas of vulnerability. Candidates for 210-255 must be able to define these terms.

CVSS 3.0 terms and definitions are 5% of the 210-255 certification exam, and they are marks which only require memory; no analysis is required. This will ease you into the book and provides a baseline that you can work from. CVSS 3.0 is also important because part of your future role in a SOC may involve briefing non-technical staff about CVSS reports.

The following topics will be covered in this chapter:

• Categorizing and communicating threats
• Exploitability metrics
• Impact metrics
• Scope