{"id":476525,"date":"2023-08-09T07:29:55","date_gmt":"2023-08-09T07:29:55","guid":{"rendered":""},"modified":"2023-09-05T11:12:55","modified_gmt":"2023-09-05T11:12:55","slug":"cvss","status":"publish","type":"wiki","link":"https:\/\/oneproxy.pro\/tr\/wiki\/cvss\/","title":{"rendered":"CVSS"},"content":{"rendered":"<p>CVSS, or the Common Vulnerability Scoring System, is a standardized, open framework for assessing the severity of computer system security vulnerabilities. It allows IT professionals and organizations to prioritize their responses to security risks in a consistent and informed way. CVSS provides a way to capture the principal characteristics of a vulnerability and to produce a numerical score reflecting its severity, taking base, temporal and environmental metrics into account.<\/p>\n<h2>The Origins of CVSS<\/h2>\n<p>CVSS originated as an initiative of the National Infrastructure Advisory Council (NIAC) in the United States. In the early 2000s, NIAC recognized the need for a standard system for rating IT vulnerabilities in order to better manage and mitigate potential threats to infrastructure.<\/p>\n<p>The first version of CVSS (CVSS v1) was published in 2005 by the Forum of Incident Response and Security Teams (FIRST). The tool was designed to provide unified vulnerability ratings to support the decision-making of security response teams. 
It has been updated and improved since then, and the third and latest version (CVSS v3.1) was released in 2019.<\/p>\n<h2>A Deeper Look at CVSS<\/h2>\n<p>CVSS is designed primarily to provide an unbiased measure of the severity of vulnerabilities. The scoring system lets organizations focus on the most significant problems their systems may face. It is not only a classification tool but also a guide to taking appropriate measures in response to threats.<\/p>\n<p>CVSS scores range from 0 to 10; 0 represents no risk and 10 indicates the highest level of severity. These scores are calculated from three metric groups:<\/p>\n<ul>\n<li>\n<p><strong>Base Metrics<\/strong>: These are the characteristics of a vulnerability that are constant over time and across user environments, such as attack vector, complexity, privileges required, user interaction, scope, and the impact on confidentiality, integrity and availability.<\/p>\n<\/li>\n<li>\n<p><strong>Temporal Metrics<\/strong>: These metrics change over time and deal with the current state of the vulnerability. 
They include exploitability, remediation level and report confidence.<\/p>\n<\/li>\n<li>\n<p><strong>Environmental Metrics<\/strong>: These metrics are specific to the user&#039;s environment, such as collateral damage potential, target distribution and security requirements.<\/p>\n<\/li>\n<\/ul>\n<h2>Decoding the CVSS Framework<\/h2>\n<p>The CVSS framework is designed to capture and communicate information about vulnerabilities in a consistent, easy-to-understand format. Its structure is based on vector strings and scoring mechanisms:<\/p>\n<ul>\n<li>\n<p><strong>Vector Strings<\/strong>: These are simple text representations of the metrics used to calculate the score. Each metric is given a value indicating its potential impact. For example, a vector string in CVSS v3.1 might look like this: CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H.<\/p>\n<\/li>\n<li>\n<p><strong>Scoring Mechanism<\/strong>: Once values have been assigned to the metrics in the vector string, a formula is applied to produce the base score. 
The temporal and environmental scores are then derived from the base score using different formulas.<\/p>\n<\/li>\n<\/ul>\n<h2>Key Features of CVSS<\/h2>\n<p>Some of the notable features of the CVSS framework are:<\/p>\n<ul>\n<li>Standardized scoring system for consistent vulnerability assessments<\/li>\n<li>Broad applicability to a variety of system types and vulnerabilities<\/li>\n<li>Allows adjustments specific to time and environment<\/li>\n<li>Transparent and open for anyone to use<\/li>\n<li>Detailed metrics provide in-depth insight into vulnerabilities<\/li>\n<li>Designed to help prioritize remediation efforts<\/li>\n<\/ul>\n<h2>Types of CVSS<\/h2>\n<p>Three versions of CVSS have been published so far:<\/p>\n<ol>\n<li><strong>CVSS v1<\/strong> (2005): The first version, which provided a standardized method for rating IT vulnerabilities.<\/li>\n<li><strong>CVSS v2<\/strong> (2007): Developed more precise metrics than the first version and added Temporal and Environmental scores.<\/li>\n<li><strong>CVSS v3.1<\/strong> (2019): The latest version, which offers further refinement and clarification of the definitions of the Base, Temporal and Environmental metrics.<\/li>\n<\/ol>\n<h2>Using CVSS: Problems and Solutions<\/h2>\n<p>The main application of CVSS is in vulnerability management and incident response processes. 
Organizations use CVSS scores to prioritize remediation efforts according to the severity of vulnerabilities. However, the scoring system does not account for an organization&#039;s business context, which can lead to inefficient resource allocation when it is used on its own.<\/p>\n<p>The solution is to incorporate CVSS scores into a broader risk management framework that takes specific business impacts and security requirements into account. In this way companies can build a balanced approach to vulnerability management.<\/p>\n<h2>Comparing CVSS with Other Standards<\/h2>\n<p>Other systems exist for assessing IT vulnerabilities, but CVSS stands out for its comprehensive nature, openness and widespread adoption. 
Here is a brief comparison:<\/p>\n<table>\n<thead>\n<tr>\n<th><\/th>\n<th>CVSS<\/th>\n<th>OWASP Risk Rating Methodology<\/th>\n<th>DREAD<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Open Standard<\/td>\n<td>Yes<\/td>\n<td>No<\/td>\n<td>No<\/td>\n<\/tr>\n<tr>\n<td>Score Range<\/td>\n<td>0-10<\/td>\n<td>Risk levels (Low to Critical)<\/td>\n<td>0-10<\/td>\n<\/tr>\n<tr>\n<td>Factors<\/td>\n<td>Confidentiality, Integrity, Availability, Exploitability, Remediation, Report Confidence<\/td>\n<td>Threat Agent, Vulnerability, Impact<\/td>\n<td>Damage, Reproducibility, Exploitability, Affected Users, Discoverability<\/td>\n<\/tr>\n<tr>\n<td>Use of Temporal and Environmental Metrics<\/td>\n<td>Yes<\/td>\n<td>No<\/td>\n<td>No<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>The Future of CVSS<\/h2>\n<p>As cyber threats continue to evolve, so will CVSS. The community is actively working to improve the scoring system so that it better reflects the severity of vulnerabilities. 
Artificial intelligence and machine learning technologies may be integrated to automate the CVSS scoring process and make it more accurate.<\/p>\n<p>In addition, future versions of CVSS may include more diverse metrics to adapt to the ever-changing cyber threat landscape, including IoT devices, industrial control systems and more.<\/p>\n<h2>Proxy Servers and CVSS<\/h2>\n<p>Proxy servers, such as those provided by OneProxy, can play an important role in managing vulnerabilities and using CVSS scores. By acting as intermediaries for requests from clients, proxy servers can filter out malicious traffic and reduce the attack surface and potential vulnerabilities.<\/p>\n<p>Furthermore, using proxy servers together with a robust vulnerability management process (including CVSS) can provide enhanced protection. 
As proxy servers log traffic, they can provide valuable data for security audits and help identify potential vulnerabilities.<\/p>\n<h2>Related Links<\/h2>\n<p>For more information about CVSS, see the following resources:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.first.org\/cvss\/user-guide\" target=\"_new\" rel=\"noopener nofollow\">FIRST CVSS Guide<\/a><\/li>\n<li><a href=\"https:\/\/nvd.nist.gov\/vuln-metrics\/cvss\/v3.1\/specification-document\" target=\"_new\" rel=\"noopener nofollow\">NVD CVSS v3.1 Specification<\/a><\/li>\n<li><a href=\"https:\/\/www.nist.gov\/cyberframework\/online-learning\/cvss\" target=\"_new\" rel=\"noopener nofollow\">NIST&#039;s Overview of CVSS<\/a><\/li>\n<li><a href=\"https:\/\/nvd.nist.gov\/vuln-metrics\/cvss\/v3-calculator\" target=\"_new\" rel=\"noopener nofollow\">CVSS Calculator<\/a><\/li>\n<\/ul>\n<p>Understanding and applying CVSS is vital for any organization that wants to improve its vulnerability management and overall cybersecurity posture. 
By integrating CVSS into their risk assessment frameworks, businesses can prioritize vulnerabilities and respond to them effectively.<\/p>","protected":false},"featured_media":476526,"menu_order":0,"template":"","meta":{"_acf_changed":false,"content-type":"","inline_featured_image":false,"footnotes":""},"class_list":["post-476525","wiki","type-wiki","status-publish","has-post-thumbnail","hentry"],"acf":{"faq_title":"Frequently Asked Questions about <mark>Understanding CVSS: The Common Vulnerability Scoring System<\/mark>","faq_items":[{"question":"What is the Common Vulnerability Scoring System (CVSS)?","answer":"<p>CVSS is a standardized, open framework for assessing the severity of computer system security vulnerabilities. It provides a way to capture the main characteristics of a vulnerability and produce a numerical score reflecting its severity. The scores range from 0 to 10, with 0 representing no risk and 10 indicating the highest level of severity.<\/p>"},{"question":"Who developed CVSS and when was it first introduced?","answer":"<p>CVSS was initially developed by the Forum of Incident Response and Security Teams (FIRST) under the recommendation of the National Infrastructure Advisory Council (NIAC) in the United States. The first version of CVSS (CVSS v1) was introduced in 2005.<\/p>"},{"question":"What are the three metric groups used in CVSS?","answer":"<p>The three metric groups used in CVSS are Base Metrics, Temporal Metrics, and Environmental Metrics. Base Metrics are constant characteristics of a vulnerability, Temporal Metrics change over time and deal with the current state of the vulnerability, and Environmental Metrics are specific to a user\u2019s environment.<\/p>"},{"question":"What does a CVSS score range signify?","answer":"<p>CVSS scores range from 0 to 10. 
A score of 0 represents no risk, while a score of 10 indicates the highest level of severity or risk. The scores help organizations prioritize their responses and remediation efforts towards security vulnerabilities.<\/p>"},{"question":"How many versions of CVSS exist?","answer":"<p>There have been three versions of CVSS published so far: CVSS v1 in 2005, CVSS v2 in 2007, and CVSS v3.1 in 2019. Each version has brought refinements and improvements to the system.<\/p>"},{"question":"How does CVSS compare to other vulnerability assessment standards?","answer":"<p>While there are other systems for assessing IT vulnerabilities, CVSS stands out due to its comprehensive nature, openness, and widespread adoption. It uses a numerical scoring system and considers various factors such as confidentiality, integrity, availability, exploitability, remediation, and report confidence. It also uses temporal and environmental metrics, unlike many other standards.<\/p>"},{"question":"How can proxy servers be used with CVSS?","answer":"<p>Proxy servers, like those provided by OneProxy, can play a significant role in managing vulnerabilities and utilizing CVSS scores. They can filter out malicious traffic, reducing the attack surface and potential vulnerabilities. Additionally, they can provide valuable data for security audits and assist in identifying potential vulnerabilities when used as part of a robust vulnerability management process.<\/p>"},{"question":"What is the future perspective of CVSS?","answer":"<p>The future of CVSS includes refining the scoring system to better reflect the severity of vulnerabilities. It might incorporate AI and machine learning technologies to automate the CVSS scoring process. 
Furthermore, future versions may include more diverse metrics to accommodate new types of cyber threats, such as those involving IoT devices and industrial control systems.<\/p>"}]},"_links":{"self":[{"href":"https:\/\/oneproxy.pro\/tr\/wp-json\/wp\/v2\/wiki\/476525","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/oneproxy.pro\/tr\/wp-json\/wp\/v2\/wiki"}],"about":[{"href":"https:\/\/oneproxy.pro\/tr\/wp-json\/wp\/v2\/types\/wiki"}],"version-history":[{"count":0,"href":"https:\/\/oneproxy.pro\/tr\/wp-json\/wp\/v2\/wiki\/476525\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/oneproxy.pro\/tr\/wp-json\/wp\/v2\/media\/476526"}],"wp:attachment":[{"href":"https:\/\/oneproxy.pro\/tr\/wp-json\/wp\/v2\/media?parent=476525"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}