Info |
---|
This document covers the various scoring calculations and methods used for the Asset(s) Risk Scoring and various point systems for assetsvarious Asset, Company, and Risk Grade scoring across the system. |
Table of Contents | ||
---|---|---|
|
...
Severity and Risk Scoring Descriptions
Severity
This indicates the seriousness or criticality of a vulnerability. Common severity levels include low, medium, high, and critical. Higher-severity vulnerabilities typically pose a greater risk and require immediate attention and mitigation.
...
Collect as much vulnerability information as we can from a variety of sources
Collect evidence of daily exploitation activity
Train a model: discover/learn the relationship between the vulnerability information and the exploitation activity
Measure the performance of the model, tweak and repeat step 3 to optimize the model
Daily: refresh the vulnerability information (step 1) and use the model (step 3) to produce daily estimates of the probability of exploitation in the next 30 days for each published CVE.
...
How is Severity Calculated?
Severity information is imported from the standard vulnerability databases.
...
...
How is EPSS Calculated?
You can find the general calculation on EPSS in the link below:
...
https://epss.cyentia.com/epss_scores-current.csv.gz
...
Calculation of Vulnerability Risk
ConnectSecure uses CVSS 3.0 as a base system for calculating vulnerability risk. Click here for more information on CVSS calculations: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities.
CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to the threat.
Scores are calculated using a formula that depends on several metrics that approximate the ease of exploitation and its impact. Scores range from 0 to 10, with 10 being the most severe.
While many utilize only the CVSS Base score to determine severity, temporal and environmental scores also exist to factor in the availability of mitigations and the widespread vulnerability of systems within an organization.
...
Viewing Discovered Vulnerabilities and Scoring Data
Navigate to the Vulnerabilities module to see the details of discovered vulnerabilities, including their respective Severity, Base Score, Impact Score, Exploitability Score, and EPSS Score.
...
Info |
---|
NOTE: You may need to adjust your column view/order to match the view above: |
...
Scoring Calculations
For ConnectSecure, the CVSS maps the vulnerability score to an asset, and then we compute the overall vulnerability score based on the weights of different vulnerabilities.
The following table is used to determine the weightage of each scored category:
...
It’s then computed for each asset, and then we compute a mode and mean and give the higher of the two as a risk score.
...
Asset Risk Grade Scoring Details
Assets are scored individually and assigned a letter grade: A, B, C, D, E, or F, just like in grade school. Tap on the letter grade of any asset to see the Rubrix breakdown of how we score based on vulnerabilities.
...
Asset Average Risk Score Calculation
The sum of present Problem Category scores divided by the sum of all Severity Problem Category scores + other Problem Category Scores that are present.
...
20 = 250 (Sum of Severity Categories) / 50 (Total Weightage of Problem Categories that Exist)
...
Improving Asset Risk Score Grade
Please act on the recommendations provided in the Solutions / Remediation Plan.
Update a version of an Application/OS to the latest version.
Uninstall an application that is not supported, e.g., End of Support.
Use EPSS Categorization to decide which actions should be taken on a priority basis first.
Critical and High-category vulnerability will have the highest impact on the grade.
...
Company Risk Score Details
Panel | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
What is the Company Risk Score? The Company Risk Score Grade is a function of the X sub-score equations. Company Risk Score is the Sum of Vulnerability, External Vulnerability, Compliance, Security Report Card, and Active Directory data. |
Company Risk Score Grade Factors
...
Risk Score Category | Weightage |
---|---|
...
Company Risk Score Grade: A (0 - 40) = Very Low
...
Company Risk Score Grade: B (40 - 45) = Low
Company Risk Score Grade: C (45 - 60) = Medium
Company Risk Score Grade : D (60 - 75) = High
Company Risk Score Grade: E (75 - 90) = Critical
Company Risk Score Grade: F (90 - 100) = Very Critical
...
Company Risk Score Grade Descriptions
Risk Score Grade: A (0 - 40) represents Very Low.
Problems are present, and an organization should aim to be in the 0 to 40 range; however, all significant issues have been addressed broadly.
Risk Score Grade: B (40 - 45) represents Low.
Problems are present, and the value ranges from 40 to 45. However, significant issues have been addressed.
Risk Score Grade: C (45 - 60) represents Medium.
A few problems need immediate attention, with the score ranging from 45 to 60.
Risk Score Grade: D (60 - 75) represents High.
Many problems require attention, with a score ranging from 60 to 75.
Risk Score Grade: E (75 - 90) represents Critical.
The network is susceptible to attack and needs remediation; the value ranges from 75 to 90.
Risk Score Grade: F (90 - 100) represents Very Critical.
The network is highly susceptible to attack and needs remediation; the value ranges from 90 to 100.
...
External Scan Risk Scoring Details
External Assets are configured and maintained at the Company level under the portal's Assets > External Assets section. The Results tab displays a table view of any scanned asset, including various details and the Security Grade.
...
Tap directly on the letter grade assigned to see the scoring details:
...
External Scan Risk Score Calculation
The sum of the present Problem Category scores divided by the sum of all Severity Problem category scores and other Problem Category score(s) if present.
...
Info |
---|
Only the confirmed vulnerabilities and insecure open ports are considered; the filtered ports and other categories are not included in the calculation. |
...
Security and Compliance Report Card Grading
Info |
---|
The table values below are used for our Security Report Card and Compliance Report Card grades. |
Category | Grades | Description |
Antivirus | 5 | Anti-virus is installed and up to date |
4 | Anti-virus is installed but not up to date | |
1 | Anti-virus is not installed | |
Local Firewall | 5 | Local firewall is enabled for both public and private networks |
4 | Local firewall is not enabled for private networks | |
3 | Local firewall is not enabled | |
1 | Local firewall is not enabled | |
Insecure Listening Ports | 5 | There are no insecure listening ports |
3 | One insecure listening port was detected | |
1 | More than one insecure listening port was detected | |
Failed Login | 5 | No failed interactive logins in the past 7 days |
4 | 7 or fewer failed interactive logins in the past 7 days | |
3 | 14 or fewer failed interactive logins in the past 7 days | |
1 | 15 or more failed interactive logins in the past 7 days | |
Network Vulnerabilities | 5 | No network vulnerabilities |
4 | Low network vulnerabilities found (CVSS < 4.0) | |
3 | Medium network vulnerability found (CVSS >= 4.0) | |
1 | Critical network vulnerability found (CVSS >= 9.0) | |
System Aging | 5 | All computers are less than 2 years old |
4 | Some computers between 3 and 4 years old | |
3 | Some computers between 4 and 7 years old | |
1 | Some computers over 8 years old | |
Supported OS | 5 | All computers have supported Operating Systems |
4 | Some Operating Systems are in extended support | |
3 | Some Operating Systems are within 1 year of end of life | |
1 | Some unsupported Operating System | |
LLMNR | 2 | LLMNR not Allowed |
5 | LLMNR Disabled | |
1 | LLMNR Enabled | |
NBTNS | 2 | NBTNS not Allowed |
5 | NBTNS Disabled | |
1 | NBTNS Enabled | |
NTLMV1 | 2 | NTLMV1 not Allowed |
5 | NTLMV1 Disabled | |
1 | NTLMV1 Enabled | |
SMBV1Server | 2 | SMBV1 Server not Allowed |
5 | SMBV1 Server Disabled | |
1 | SMBV1 Server Enabled | |
SMBV1Client
| 2 | SMBV1 Client not Allowed |
5 | SMBV1 Client Disabled | |
1 | SMBV1 Client Enabled | |
SMB Signing | 2 | SMB Signing Disabled |
5 | SMB Signing Enabled | |
1 | SMB Signing Disabled |
Security Report Card
...
Compliance Report Card
...
End of Life
Warning |
---|
ConnectSecure considers EOL a maximum-risk scoring event since the application no longer receives security updates. |
...
OS-OUT-OF-SECURITY-SUPPORT
OS-OUT-OF-ACTIVE-SUPPORT
...
Risk Level Descriptions for EOL on Active/Security Support
Level | Description |
---|---|
1 | Both Active and Security Support have ended; no support is available |
3 | If the operating system is within 1 year of its security support end date; limited support |
4 | If the operating system is within its Active support but past its Security support; extended support |
5 | If the operating system is within both Active and Security support timelines; full support |
...
Calculation of Vulnerability Risk
ConnectSecure uses CVSS 3.0 as a base system for calculating vulnerability risk. Click here for more information on CVSS calculations: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities.
CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to the threat.
Scores are calculated using a formula that depends on several metrics that approximate the ease of exploitation and its impact. Scores range from 0 to 10, with 10 being the most severe.
While many utilize only the CVSS Base score to determine severity, temporal and environmental scores also exist to factor in the availability of mitigations and the widespread vulnerability of systems within an organization.
...
Viewing Discovered Vulnerabilities and Scoring Data
Navigate to the Vulnerabilities module to see the details of discovered vulnerabilities, including their respective Severity, Base Score, Impact Score, Exploitability Score, and EPSS Score.
...
Tap on the Problem Name link to see additional scoring details from the source:
...
Need Support?
Contact our support team by sending an email to support@connectsecure.com or by visiting our Partner Portal, where you can create, view, and manage your tickets.
...