User interaction

User interaction refers to whether another user (other than the attacker) is required to participate in a successful attack. The metric has possible values of required or none.

Required (R) is defined as follows:

"CVSS 3.0 Definition: Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. For example, a successful exploit may only be possible during the installation of an application by a system administrator."

Imagine that a vulnerability exists which allows an attacker to print their own ID card so that they can pretend to be from the local utilities company. The attacker shows up at a victim's door and asks for access. The victim is required to open the door in order for the attacker to gain access.

None (N) is defined as follows:

"CVSS 3.0 Definition: The vulnerable system can be exploited without interaction from any user."

If the system had automatic ID card recognition, an attacker could walk straight in.

The following diagram demonstrates the difference between complete automation and human interaction. A computerized (even AI) system makes choices based on rules rather than on context or any ability to question the action it is taking:

User interaction – fully automated or personal touch?

Two-factor authentication is the classic method of demanding user interaction in a security system. The person attempting to gain access has to provide a code delivered through a different means. From a home access point of view, the homeowner could ring the utility firm directly and confirm that it had sent someone with those credentials before opening the door, hence defeating the attack.
