Versions Compared

Old Version 3

changes.mady.by.user Ryan Seymour

Saved on

compared with

New Version Current

changes.mady.by.user Ryan Seymour

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

...

...

...

...

...

...

...

...

...

...

...

...

  1. OS-OUT-OF-SECURITY-SUPPORT

  2. OS-OUT-OF-ACTIVE-SUPPORT

This is found in the Problem Group of ‘Informational’ as shown in the example below:

...

Risk Score Calculations for EOL on Active/Security Support

...

Level

...

Description

...

1

...

Both Active and Security Support have ended; no support is available

...

3

...

If the operating system is within 1 year of its security support end date; limited support

...

4

...

If the operating system is within its Active support but past its Security support; extended support

...

5

...

Panel
panelIconIdatlassian-info
panelIcon:info:
panelIconText:info:
bgColor#DEEBFF

This document covers the various scoring calculations and methods used across the system for various Asset, Company, and Risk Grade scoring.

...

Table of Contents

Table of Contents
minLevel1
maxLevel6
include
outlinefalse
indent
stylenone
excludeTable of Contents
typelist
class
printabletrue

...

Severity and Risk Scoring Descriptions

Severity

This indicates the seriousness or criticality of a vulnerability. Common severity levels include low, medium, high, and critical. Higher severity vulnerabilities typically pose a greater risk and require more immediate attention and mitigation.

...

A numerical value is assigned to a vulnerability based on its characteristics and potential impact. It is often calculated using a standardized formula, such as the Common Vulnerability Scoring System (CVSS), which considers factors like exploitability, impact, and other metrics.

EPSS Impact ScoreEnvironmental Score is a component of the CVSS (Common Vulnerability Scoring System) that considers environmental factors specific to the organization's environment. This score reflects how the vulnerability affects the specific deployment environment and helps assess the risk in real life.

The Impact Score evaluates the potential impact of a vulnerability on the affected system or organization. It considers factors such as data loss, system compromise, service disruption, regulatory compliance impact, and financial repercuss

Exploitability Score

Indicates the ease with which an attacker could exploit the vulnerability to launch an attack. Factors such as the availability of exploits, complexity of exploitation, and required privileges may contribute to this score.

Impact Score

The Impact Score evaluates the potential impact of a vulnerability on the affected system or organization. It considers factors such as data loss, system compromise, service disruption, regulatory compliance impact, and financial repercuss

...

To see these scores, tap on the CVE-ID and then the Base Score link (be sure you are on the correct CVSS Version).

Panel
bgColor#DEEBFF
image-20240617-183654.pngImage Addedimage-20240617-183721.pngImage Added

...

EPSS Score

Exploit Prediction Scoring System is sourced from http://first.org/epss

Info

Download the data/base from here: https://www.first.org/epss/data_stats

...

EPSS is a daily estimate of the probability of observed exploitation activity over the next 30 days. It is designed from the ground up to make the best use of all of the information available, and it does this in five steps:

  1. Collect as much vulnerability information as we can from a variety of sources

  2. Collect evidence of daily exploitation activity

  3. Train a model: discover/learn the relationship between the vulnerability information and the exploitation activity

  4. Measure the performance of the model, tweak and repeat step 3 to optimize the model

  5. Daily: refresh the vulnerability information (step 1) and use the model (step 3) to produce daily estimates of the probability of exploitation in the next 30 days for each published CVE.

...

How is Severity Calculated?

Severity information is imported from the standard vulnerability databases.  So, the standard calculation below is followed by these vulnerability databases.

The Severity score for vulnerabilities is typically derived from the Base Score in the Common Vulnerability Scoring System (CVSS).

The Base Score itself is calculated based on the Exploitability and Impact metrics.

...

These ranges are defined by the CVSS standard and are used to categorize vulnerabilities based on their potential impact and exploitability.

Environmental Metrics (Optional):
In some cases, environmental metrics such as the Environmental Score (EPSS Score) may also influence the Severity rating. These factors can modify the Base Score to reflect the risk in a particular deployment context.

In summary, the Severity score for vulnerabilities is calculated based on the Base Score, which is, in turn, calculated from the Impact and Exploitability metrics. The Severity score indicates the seriousness of a vulnerability, ranging from low to critical, based on its potential impact and ease of exploitation.

For more info, refer to the NVD links information, check these sources out below:

https://nvd.nist.gov/vuln-metrics/cvss

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

https://www.first.org/epss/

...

How is EPSS

...

Calculated?

You can find the general calculation on EPSS in the link below:

...

https://epss.cyentia.com/epss_scores-current.csv.gz

...

Calculation of Vulnerability Risk

  • ConnectSecure uses CVSS 3.0 as a base system for calculating vulnerability risk. Click here for more information on CVSS calculations: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

  • The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities.

  • CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to the threat.

  • Scores are calculated using a formula that depends on several metrics that approximate the ease of exploitation and its impact. Scores range from 0 to 10, with 10 being the most severe.

  • While many utilize only the CVSS Base score to determine severity, temporal and environmental scores also exist to factor in the availability of mitigations and the widespread vulnerability of systems within an organization.

...

Viewing Discovered Vulnerabilities and Scoring Data

Please navigate to the Problems module to see the details of discovered vulnerabilities, including their respective Severity, ConnectSecure Score, Base Score (NVD), Impact Score (NVD), Exploitability Score (NVD), and EPSS Score.

...

Info

NOTE: You may need to adjust your column view/order to match the view above:

image-20240823-160048.pngImage Added

...

ConnectSecure Scoring Calculations

  • For ConnectSecure, the CVSS maps the vulnerability score to an asset, and then we compute the overall vulnerability score based on the weights of different vulnerabilities. 

  • The following table is used to determine the weightage of each scored category:

Scoring Category

Weightage

CVSS Base Score

50%

CVSS Impact Score

10%

CVSS Exploitability Score

20%

Asset Importance Score

10%

Impact based on actual malware being released

10%

Here are the asset importance default values used for the calculations:

Importance

Default Value/Score

Critical

100

High

75

Medium

50

Low

25

For example:

  • Vulnerability Maximum BaseScore = 9.8

  • Vulnerability Maximum Exploitability Score = 3.9

  • Asset Importance = 25 (for Low)

=>(Vulnerability Maximum BaseScore * 5) + (Vulnerability Maximum exploitabilityScore * 2) + (Asset Importance / 10) * 3

=>(9.8 * 5) + (3.9 * 2) + (25 / 10) * 3

=>49 + 7.8 + 7.5

=>64.3

ConnectSecure's Vulnerability Risk Score for the above example is 64.3.

It’s then computed for each asset, and then we compute a mode and mean and give the higher of the two as a risk score.

...

Asset Risk Grade Scoring Details

Assets are scored individually and assigned a letter grade: A, B, C, D, E, or F. Tap on the letter grade of any asset to see the Rubrix breakdown of how we score based on vulnerabilities.

...

Asset Average Risk Score Calculation

The sum of present Problem Category scores divided by the sum of all Severity Problem Category scores + other Problem Category Scores that are present.

The Severity Problem Category refers to the severity-based vulnerability classifications below.

We use these base weights for the Risk Score calculations based on ‘severity.'

  • Critical Severity Vulnerabilities = .90 (or 90%)

  • High Severity Vulnerabilities = .80 (or 80%)

  • Medium Severity Vulnerabilities = .50 (or 50%)

  • Low Severity Vulnerabilities = .30 (or 30%)

To obtain your asset’s present Problem Category scores, tap on the letter grade, check for the ‘Exists?’ column for a 'Y' and add that Score value up. See below for a sample.

...

Asset Risk Score is 20

  1. Add up the total Score for any Problem Category where vulnerabilities Exist.

...

  1. Divide that total by the total Weightage possible, which is the sum of each severity category + any existing custom.

...

  • Critical Severity = .9 or 90

  • High Severity = .8 or 80

  • Medium Severity = .5 or 50

  • Low Severity = .3 or 30

The sum of Severity Problem Categories is 250

Asset Risk Score = Total Score / Total Weightage

20 = 250 (Sum of Severity Categories) / 50 (Total Weightage of Problem Categories that Exist)

...

Improving Asset Risk Score Grade

Please act on the recommendations provided in the Solutions / Remediation Plan.

  • Update a version of an Application/OS to the latest version.

  • Uninstall an application that is not supported, e.g., End of Support.

  • Use EPSS Categorization to decide which actions should be taken on a priority basis first.

  • Critical and High-category vulnerability will have the highest impact on the grade.

...

Company Risk Score Details

Panel
panelIconIdatlassian-question_mark
panelIcon:question_mark:
panelIconText:question_mark:
bgColor#DEEBFF

What is the Company Risk Score?

The Company Risk Score is the sum of all the Max Risk Scores divided by the Total Assets.

The Max Risk Score shows the highest possible risk score based on the most severe confirmed vulnerability.

Company Risk Score Grade Factors

...

Tip

Based on the score, the Company Risk Score Grade is displayed with a letter grade, as shown below.

Company Risk Score Grade: A (0 - 40) = Very Low

...

Company Risk Score Grade: B (40 - 45) = Low

Company Risk Score Grade: C (45 - 60) = Medium

Company Risk Score Grade : D (60 - 75) = High

Company Risk Score Grade: E (75 - 90) = Critical

Company Risk Score Grade: F (90 - 100) = Very Critical

...

Company Risk Score Grade Descriptions

Risk Score Grade: A (0 - 40) represents Very Low.

Problems are present, and an organization should aim to be in the 0 to 40 range; however, all significant issues have been addressed broadly.

Risk Score Grade: B (40 - 45) represents Low.

Problems are present, and the value ranges from 40 to 45. However, significant issues have been addressed.

Risk Score Grade: C (45 - 60) represents Medium.

A few problems need immediate attention, with the score ranging from 45 to 60.

Risk Score Grade: D (60 - 75) represents High.

Many problems require attention, with a score ranging from 60 to 75.

Risk Score Grade: E (75 - 90) represents Critical.

The network is susceptible to attack and needs remediation; the value ranges from 75 to 90.

Risk Score Grade: F (90 - 100) represents Very Critical.

The network is highly susceptible to attack and needs remediation; the value ranges from 90 to 100.

...

External Scan Risk Scoring Details

External Assets are configured and scored at the Company level under the Assets > External Assets module. The Results tab displays a table view of any scanned external asset with various scan details.

...

Tap on the external asset IP to see the details:

...

Tap directly on the letter grade assigned to see the scoring details:

...

External Scan Risk Score Calculation

The sum of the Problem Category scores where Exists? is true divided by the sum of all Severity Problem category scores and other Problem Category score(s) if present.

The Severity Problem Category refers to the severity-based vulnerability classifications below.

We use these base weights for the Risk Score calculations based on ‘severity.' The total score for all severity category groups is 250. (90+80+50+30).

  • Critical Severity Vulnerabilities = .90 (or 90%)

  • High Severity Vulnerabilities = .80 (or 80%)

  • Medium Severity Vulnerabilities = .50 (or 50%)

  • Low Severity Vulnerabilities = .30 (or 30%)

We start all scoring at the total base of 250 (using the above info) and then add any scores based on the problem category showing as Exists? Y in the scoring rubric.

To obtain your asset’s present Problem Category scores, tap on the letter grade, check for the ‘Exists?’ column for a 'Y' and add that Score value up. See below for a sample.

...

Pay attention to the ‘Exists’ to determine if the ‘Weightage’ is included in the sum calculations.

...

In the above example, the Asset Risk Score is shown as 60.

  1. Add up the total Score for any Problem Category where vulnerabilities Exist. (260)

...

2. Divide that by the Sum of all the Severity Problem Category scores + any other Problem Category Score if present)

...

The sum of the present Problem Category scores is 260

The sum of the Severity Problem Categories plus other present is 430 (250+180)

260 / 430 = .60% or 60

Info

Only the confirmed vulnerabilities and insecure open ports are considered; the filtered ports and other categories are not included in the calculation.

...

Security and Compliance Report Card Grading

Info

The table values below are used for our Security Report Card and Compliance Report Card grades.

 Category

Grades

Description

Antivirus

5

Anti-virus is installed and up to date

4

Anti-virus is installed but not up to date

1

Anti-virus is not installed

Local Firewall

5

Local firewall is enabled for both public and private networks

4

Local firewall is not enabled for private networks

3

Local firewall is not enabled

1

Local firewall is not enabled

Insecure Listening Ports

 5

There are no insecure listening ports

3

One insecure listening port was detected

1

More than one insecure listening port was detected

 Failed Login

5

No failed interactive logins in the past 7 days

4

7 or fewer failed interactive logins in the past 7 days

3

14 or fewer failed interactive logins in the past 7 days

1

15 or more failed interactive logins in the past 7 days

Network Vulnerabilities

5

No network vulnerabilities

4

Low network vulnerabilities found (CVSS < 4.0)

3

Medium network vulnerability found (CVSS >= 4.0)

1

Critical network vulnerability found (CVSS >= 9.0)

System Aging

5

All computers are less than 2 years old

4

Some computers between 3 and 4 years old

3

Some computers between 4 and 7 years old

1

Some computers over 8 years old

 Supported OS

5

All computers have supported Operating Systems

4

Some Operating Systems are in extended support

3

Some Operating Systems are within 1 year of end of life

1

Some unsupported Operating System

 LLMNR

2

LLMNR not Allowed

5

LLMNR Disabled

1

LLMNR Enabled

NBTNS

2

NBTNS not Allowed

5

NBTNS Disabled

1

NBTNS Enabled

 NTLMV1

2

NTLMV1 not Allowed

5

NTLMV1 Disabled

1

NTLMV1 Enabled

 SMBV1Server

2

SMBV1 Server not Allowed

5

SMBV1 Server Disabled

1

SMBV1 Server Enabled

SMBV1Client

 

 

2

SMBV1 Client not Allowed

5

SMBV1 Client Disabled

1

SMBV1 Client Enabled

 SMB Signing

2

SMB Signing Disabled

5

SMB Signing Enabled

1

SMB Signing Disabled

Security Report Card

...

Compliance Report Card

...

End of Life (ConnectSecure Score)

Warning

ConnectSecure considers EOL a maximum-risk scoring event since the application no longer receives security updates.

ConnectSecure checks against Assets to categorize end-of-life (EOL) in two ways.

  1. OS-OUT-OF-SECURITY-SUPPORT

  2. OS-OUT-OF-ACTIVE-SUPPORT

...

Info

ConnectSecure Score (cs score) will display the same as NVD Base Score for any confirmed problem that is not classified as END OF LIFE.

image-20240823-194409.pngImage Added

...

Risk Level Descriptions for EOL on Active/Security Support

Level

Description

1

Both Active and Security Support have ended; no support is available

3

If the operating system is within 1 year of its security support end date; limited support

4

If the operating system is within its Active support but past its Security support; extended support

5

If the operating system is within both Active and Security support timelines; full support

...

Calculation of Vulnerability Risk

  • ConnectSecure uses CVSS 3.0 as a base system for calculating vulnerability risk. Click here for more information on CVSS calculations: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

  • The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities.

  • CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to the threat.

  • Scores are calculated using a formula that depends on several metrics that approximate the ease of exploitation and its impact. Scores range from 0 to 10, with 10 being the most severe.

  • While many utilize only the CVSS Base score to determine severity, temporal and environmental scores also exist to factor in the availability of mitigations and the widespread vulnerability of systems within an organization.

...

Viewing Discovered Vulnerabilities and Scoring Data

Navigate to the Vulnerabilities module to see the details of discovered vulnerabilities, including their respective Severity, Base Score, Impact Score, Exploitability Score, and EPSS Score.

...

Tap on the Problem Name link to see additional scoring details from the source:

...

Need Support?

Contact our support team by sending an email to support@connectsecure.com or by visiting our Partner Portal, where you can create, view, and manage your tickets.

...