
ConnectSecure checks against all assets to categorize end-of-life (EOL) in two ways.

...

This is found in the Problem Group of ‘Informational’ as shown in the example below:

...

Risk Score Calculations for EOL on Active/Security Support

Level  Description
1      Both Active and Security Support have ended; no support is available
3      If the operating system is within 1 year of its security support end date; limited support
4      If the operating system is within its Active support but past its Security support; extended support
5      If the operating system is within both Active and Security support timelines; full support
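The table above as a decision function, added here as an illustration (not ConnectSecure's own code). It assumes each asset carries an Active and a Security support end date, treats level 3 as taking precedence whenever Security support ends within a year, and returns None for the one combination the table does not define (Active ended, Security still has more than a year left) so the asset can be flagged rather than silently scored.

```python
from datetime import date, timedelta
from typing import Dict, Optional

# Level numbers from the EOL table above; the page defines no level 2.
NO_SUPPORT, LIMITED_SUPPORT, EXTENDED_SUPPORT, FULL_SUPPORT = 1, 3, 4, 5
ONE_YEAR = timedelta(days=365)


def eol_risk_level(active_end: date, security_end: date, today: date) -> Optional[int]:
    """Map an OS's Active and Security support end dates to the page's EOL level.

    Returns None for a combination the table does not cover, so a caller can
    flag the asset for review rather than silently assigning a score.
    """
    in_active = today <= active_end
    in_security = today <= security_end
    if not in_security:
        # Security support is over: level 1 if Active ended too, else level 4.
        return EXTENDED_SUPPORT if in_active else NO_SUPPORT
    if security_end - today <= ONE_YEAR:
        return LIMITED_SUPPORT        # level 3: within 1 year of security end
    if in_active:
        return FULL_SUPPORT           # level 5: inside both timelines
    # Active support ended but Security support has more than a year left:
    # no row on the page covers this, so report it as undefined.
    return None


def classify_assets(assets: Dict[str, Dict[str, date]], today: date) -> Dict[str, Optional[int]]:
    """Apply eol_risk_level to a {hostname: {"active_end": ..., "security_end": ...}} map."""
    return {
        name: eol_risk_level(info["active_end"], info["security_end"], today)
        for name, info in assets.items()
    }


# Constructed sample assets (hostnames and dates are made up for illustration).
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_ASSETS = {
    "srv-legacy":  {"active_end": date(2023, 1, 1), "security_end": date(2023, 12, 31)},
    "srv-ext":     {"active_end": date(2025, 1, 1), "security_end": date(2024, 1, 1)},
    "srv-soon":    {"active_end": date(2025, 1, 1), "security_end": date(2024, 12, 1)},
    "srv-current": {"active_end": date(2026, 1, 1), "security_end": date(2027, 1, 1)},
    "srv-unknown": {"active_end": date(2024, 1, 1), "security_end": date(2027, 1, 1)},
}


def sample_levels() -> Dict[str, Optional[int]]:
    """Classify the constructed sample as of SAMPLE_TODAY."""
    return classify_assets(SAMPLE_ASSETS, SAMPLE_TODAY)


if __name__ == "__main__":
    for host, level in sample_levels().items():
        print(f"{host:12s} level={level}")
```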

...

Severity and Risk Scoring Descriptions

Severity

This indicates the seriousness or criticality of a vulnerability. Common severity levels include low, medium, high, and critical. Higher severity vulnerabilities typically pose a greater risk and require more immediate attention and mitigation.

Base Score

A numerical value is assigned to a vulnerability based on its characteristics and potential impact. It is often calculated using a standardized formula, such as the Common Vulnerability Scoring System (CVSS), which considers factors like exploitability, impact, and other metrics.

EPSS Score

Environmental Score is a component of the CVSS (Common Vulnerability Scoring System) that considers environmental factors specific to the organization's environment. This score reflects how the vulnerability affects the specific deployment environment and helps assess the risk in real life.

Exploitability Score

Indicates the ease with which an attacker could exploit the vulnerability to launch an attack. Factors such as the availability of exploits, complexity of exploitation, and required privileges may contribute to this score.

Impact Score

The Impact Score evaluates the potential impact of a vulnerability on the affected system or organization. It considers factors such as data loss, system compromise, service disruption, regulatory compliance impact, and financial repercuss

...

How is ‘Severity’ calculated?

Severity information is imported from the standard vulnerability databases, so the standard calculation below is the one those databases follow.

The Severity score for vulnerabilities is typically derived from the Base Score in the Common Vulnerability Scoring System (CVSS). The Base Score itself is calculated based on the Exploitability and Impact metrics.

Here's a breakdown of how the Severity score is calculated:

Base Score Calculation
The Base Score in CVSS is calculated using the following formula:

Base Score = (0.6 * Impact) + (0.4 * Exploitability)

Impact: This component of the Base Score represents the potential impact of a successful exploit. It is derived from the Confidentiality Impact (C), Integrity Impact (I), and Availability Impact (A) metrics in CVSS, each of which is scored from 0 to 10.

Exploitability: This component of the Base Score represents the ease of exploitation. It is derived from the Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), User Interaction (UI), and Scope (S) metrics in CVSS, each of which is scored from 0 to 10.

Severity Mapping
Once the Base Score is calculated, it is mapped to a predefined Severity level. The mapping is typically as follows:

Base Score 0.0 - 3.9: Low Severity
Base Score 4.0 - 6.9: Medium Severity
Base Score 7.0 - 8.9: High Severity
Base Score 9.0 - 10.0: Critical Severity

These ranges are defined by the CVSS standard and are used to categorize vulnerabilities based on their potential impact and exploitability.

Environmental Metrics (Optional):
In some cases, environmental metrics such as the Environmental Score (EPSS Score) may also influence the Severity rating. These factors can modify the Base Score to reflect the risk in a particular deployment context.

In summary, the Severity score for vulnerabilities is calculated based on the Base Score, which is, in turn, calculated from the Impact and Exploitability metrics. The Severity score indicates the seriousness of a vulnerability, ranging from low to critical, based on its potential impact and ease of exploitation.

For more info, refer to the NVD links below:
https://nvd.nist.gov/vuln-metrics/cvss
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

https://www.first.org/epss/

...

How is EPSS calculated?

You can find the general calculation on EPSS in the link below:

https://www.cyentia.com/epss-version-2-is-out/

We calculate EPSS using the score file from the link below, which is derived from the website above:

https://epss.cyentia.com/epss_scores-current.csv.gz
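An added example (not ConnectSecure's code) of consuming the score file linked above. It assumes the file's layout is a leading '#' metadata line (model version and score date) followed by cve,epss,percentile rows; the embedded rows are constructed placeholders, not published scores.

```python
import csv
import gzip
from typing import Dict, Tuple

Scores = Dict[str, Tuple[float, float]]   # CVE id -> (epss, percentile)

# Constructed sample in the layout assumed for the EPSS CSV: a '#' comment line
# carrying model_version and score_date, then a header row and score rows.
# The CVE ids and numbers below are placeholders, not published values.
SAMPLE_EPSS_CSV = """#model_version:v2023.03.01,score_date:2024-06-01T00:00:00+0000
cve,epss,percentile
CVE-1900-0001,0.97565,0.99998
cve-1900-0002,0.00412,0.72031
CVE-1900-0003,0.00043,0.09112
"""


def parse_epss(text: str) -> Tuple[Dict[str, str], Scores]:
    """Parse EPSS CSV text into (metadata, {CVE: (epss, percentile)})."""
    meta: Dict[str, str] = {}
    lines = text.splitlines()
    start = 0
    while start < len(lines) and lines[start].startswith("#"):
        for item in lines[start][1:].split(","):
            key, _, value = item.partition(":")   # split only on the first ':'
            meta[key.strip()] = value.strip()
        start += 1
    scores: Scores = {}
    for row in csv.DictReader(lines[start:]):
        cve = row["cve"].strip().upper()          # normalise id case for lookups
        epss, pct = float(row["epss"]), float(row["percentile"])
        if not (0.0 <= epss <= 1.0 and 0.0 <= pct <= 1.0):
            raise ValueError(f"score out of range for {cve}: {epss}, {pct}")
        scores[cve] = (epss, pct)
    return meta, scores


def load_epss_gz(path: str) -> Tuple[Dict[str, str], Scores]:
    """Read the downloaded .csv.gz file and parse it."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        return parse_epss(fh.read())


def epss_for(scores: Scores, cve: str) -> Tuple[float, float]:
    """Look up a CVE; an id absent from the file gets (0.0, 0.0), not a KeyError."""
    return scores.get(cve.strip().upper(), (0.0, 0.0))


def sample_lookup() -> Dict[str, Tuple[float, float]]:
    """Parse the constructed sample and look up three ids, one of them unscored."""
    _, scores = parse_epss(SAMPLE_EPSS_CSV)
    return {c: epss_for(scores, c) for c in ("CVE-1900-0001", "cve-1900-0002", "CVE-1900-9999")}
```

The score_date in the metadata is worth recording alongside each asset's risk score, since EPSS values change daily and a stale file silently ages the whole report.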

...

Security and Compliance Report Card Grading

Info

The table values below are used for our Security Report Card and Compliance Report Card grades.

...

Security Report Card

...

Compliance Report Card

...

Need Support?

Contact our support team by sending an email to support@connectsecure.com or by visiting our Partner Portal, where you can create, view, and manage your tickets.

...