This document covers the various scoring calculations and methods used for the Asset(s) Risk Scoring and various point systems for assets.
Severity and Risk Scoring Descriptions
Severity
This indicates the seriousness or criticality of a vulnerability. Common severity levels include low, medium, high, and critical. Higher severity vulnerabilities typically pose a greater risk and require immediate attention and mitigation.
Base Score
A numerical value is assigned to a vulnerability based on its characteristics and potential impact. It is often calculated using a standardized formula, such as the Common Vulnerability Scoring System (CVSS), which considers factors like exploitability, impact, and other metrics.
Impact Score
The Impact Score evaluates the potential impact of a vulnerability on the affected system or organization. It considers factors such as data loss, system compromise, service disruption, regulatory compliance impact, and financial repercussions.
Exploitability Score
Indicates the ease with which an attacker could exploit the vulnerability to launch an attack. Factors such as the availability of exploits, complexity of exploitation, and required privileges may contribute to this score.
To see these scores, tap on the CVE-ID and then tap on the Base Score link (be sure you are on the correct CVSS version).
EPSS Score
Exploit Prediction Scoring System is sourced from first.org/epss.
Download the data from here: https://www.first.org/epss/data_stats
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. It is designed from the ground up to make the best use of all of the information available and it does this in five steps:
Collect as much vulnerability information as we can from a variety of sources
Collect evidence of daily exploitation activity
Train a model: discover/learn the relationship between the vulnerability information and the exploitation activity
Measure the performance of the model, tweak and repeat step 3 to optimize the model
On a daily basis: refresh the vulnerability information (step 1) and use the model (step 3) to produce daily estimates of the probability of exploitation in the next 30 days for each published CVE.
How is Severity Calculated?
Severity information is imported from the standard vulnerability databases.
The standard calculation below is the one those vulnerability databases follow.
The Severity score for vulnerabilities is typically derived from the Base Score in the Common Vulnerability Scoring System (CVSS). The Base Score itself is calculated based on the Exploitability and Impact metrics.
Here's a breakdown of how the Severity score is calculated:
Base Score Calculation
The Base Score in CVSS is calculated using the following formula:
Base Score = (0.6 * Impact) + (0.4 * Exploitability)
Impact: This component of the Base Score represents the potential impact of a successful exploit. It is derived from the Confidentiality Impact (C), Integrity Impact (I), and Availability Impact (A) metrics in CVSS, each of which is scored from 0 to 10.
Exploitability: This component of the Base Score represents the ease of exploitation. It is derived from the Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), User Interaction (UI), and Scope (S) metrics in CVSS, each of which is scored from 0 to 10.
Severity Mapping
Once the Base Score is calculated, it is mapped to a predefined Severity level. The mapping is typically as follows:
Base Score 0.0 - 3.9: Low Severity
Base Score 4.0 - 6.9: Medium Severity
Base Score 7.0 - 8.9: High Severity
Base Score 9.0 - 10.0: Critical Severity
These ranges are defined by the CVSS standard and are used to categorize vulnerabilities based on their potential impact and exploitability.
Environmental Metrics (Optional):
In some cases, environmental metrics such as the Environmental Score (EPSS Score) may also influence the Severity rating. These factors can modify the Base Score to reflect the risk in a particular deployment context.
In summary, the Severity score for vulnerabilities is calculated based on the Base Score, which is, in turn, calculated from the Impact and Exploitability metrics. The Severity score indicates the seriousness of a vulnerability, ranging from low to critical, based on its potential impact and ease of exploitation.
For more information, check these sources out below:
https://nvd.nist.gov/vuln-metrics/cvss
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
How is EPSS Calculated?
You can find the general calculation on EPSS in the link below:
https://www.cyentia.com/epss-version-2-is-out/
We calculate EPSS using the scores file from the link below, which is derived from the website above:
https://epss.cyentia.com/epss_scores-current.csv.gz
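To show what consuming that daily file involves, here is an added example in Python (not ConnectSecure's code). It assumes the file layout as published at the time of writing: one leading `#` line carrying `model_version` and `score_date`, then a CSV header `cve,epss,percentile`, then one row per CVE; check that against the download before relying on it. The sample text embedded in the block is constructed in that layout with placeholder CVE ids (year 2099) and made-up scores. The `prioritize` helper then orders a list of findings by EPSS first and CVSS Base Score second, which is the combination the two scoring sections of this article point towards.

```python
import csv
import gzip
from typing import Dict, List, Tuple

# Constructed sample in the layout of epss_scores-current.csv.gz: a '#' comment
# line with model metadata, then a CSV header, then one row per CVE. The CVE
# ids (year 2099) and the scores are placeholders, not real data.
SAMPLE_EPSS_CSV = """#model_version:v2023.03.01,score_date:2024-01-01T00:00:00+0000
cve,epss,percentile
CVE-2099-0001,0.97123,0.99901
CVE-2099-0002,0.00045,0.12345
CVE-2099-0003,0.08211,0.93210
CVE-2099-0004,0.00300,0.60000
"""

EpssTable = Dict[str, Tuple[float, float]]   # cve -> (epss, percentile)


def parse_epss(text: str) -> Tuple[Dict[str, str], EpssTable]:
    """Parse EPSS CSV text into (metadata, {cve: (epss, percentile)}).
    Rows whose probabilities fall outside 0..1 are rejected rather than ingested."""
    lines = text.splitlines()
    meta: Dict[str, str] = {}
    if lines and lines[0].startswith("#"):
        # "#model_version:v2023.03.01,score_date:2024-01-01T00:00:00+0000"
        for item in lines[0][1:].split(","):
            key, _, value = item.partition(":")   # split on the first ':' only
            meta[key] = value
        lines = lines[1:]
    table: EpssTable = {}
    for row in csv.DictReader(lines):
        epss, pct = float(row["epss"]), float(row["percentile"])
        if not (0.0 <= epss <= 1.0 and 0.0 <= pct <= 1.0):
            raise ValueError(f"bad probability for {row['cve']}: {epss}, {pct}")
        table[row["cve"]] = (epss, pct)
    return meta, table


def load_epss_gz(path: str) -> Tuple[Dict[str, str], EpssTable]:
    """Read the gzipped daily file downloaded from the link above."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        return parse_epss(fh.read())


def prioritize(findings: List[Tuple[str, float]], table: EpssTable) -> List[Tuple[str, float, float]]:
    """findings: [(cve, cvss_base)]. Returns (cve, cvss, epss) ordered by highest
    exploitation probability first, then highest CVSS. A CVE that is not in the
    table yet (not scored by the model) is treated as EPSS 0.0 so it sorts last."""
    ranked = []
    for cve, cvss in findings:
        epss = table.get(cve, (0.0, 0.0))[0]
        ranked.append((cve, cvss, epss))
    ranked.sort(key=lambda r: (r[2], r[1]), reverse=True)
    return ranked


if __name__ == "__main__":
    meta, table = parse_epss(SAMPLE_EPSS_CSV)
    print(meta)
    for row in prioritize([("CVE-2099-0002", 9.8), ("CVE-2099-0001", 5.3)], table):
        print(row)
```

Because EPSS is recomputed daily, keep the `score_date` from the metadata next to any stored score so a report can say which day's estimate it reflects.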
Asset Risk Scoring Details
Assets are scored individually and assigned a letter grade: A, B, C, D, E, or F, just like in grade school. Tap on the letter grade of any asset to see the rubric breakdown of how we score based on vulnerabilities.
Asset Average Risk Score Calculation
The sum of the present Problem Category scores, divided by the sum of all Severity Problem Category scores plus any other Problem Category scores that are present.
The Severity Problem Category refers to the severity-based vulnerability classifications below.
We use these base weights for the Risk Score calculations based on severity:
Critical Severity Vulnerabilities = .90 (or 90%)
High Severity Vulnerabilities = .80 (or 80%)
Medium Severity Vulnerabilities = .50 (or 50%)
Low Severity Vulnerabilities = .30 (or 30%)
To obtain your asset’s present Problem Category scores, tap on the letter grade, check for the ‘Exists?’ column for a 'Y' and add that Score value up. See below for a sample.
Asset Risk Score is 20
Add up the total Score for any Problem Category where vulnerabilities Exist.
Divide that total by the total Weightage possible, which is the sum of each severity category + any custom that exists.
Critical Severity = .9 or 90
High Severity = .8 or 80
Medium Severity = .5 or 50
Low Severity = .3 or 30
The sum of Severity Problem Categories is 250
Asset Risk Score = Total Score / Total Weightage
20 = 50 (Total Score of Problem Categories that Exist) / 250 (Total Weightage, the Sum of Severity Categories)
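The same calculation as a small Python function, added here as an example (not ConnectSecure's code). It takes the `Exists?` flags from the rubric and the base weights listed above, and reproduces the sample figure of 20. Which category accounts for the 50 in the sample is not shown above, so the example assumes it is a single Medium finding; the custom category name and weight in the second call are likewise invented for illustration.

```python
from typing import Dict, Optional

# Base weights from the article, in the "90 / 80 / 50 / 30" form (0.9 etc. x 100).
SEVERITY_WEIGHTS: Dict[str, float] = {
    "Critical": 90,
    "High": 80,
    "Medium": 50,
    "Low": 30,
}


def asset_risk_score(exists: Dict[str, bool],
                     custom_weights: Optional[Dict[str, float]] = None) -> float:
    """Asset Risk Score = Total Score / Total Weightage, on the 0-100 scale.

    exists:         Problem Category -> the 'Exists?' flag (Y/N) from the rubric.
    custom_weights: any custom Problem Categories -> their Score value.

    Total Score     = Score of every category that exists (severity + custom).
    Total Weightage = all four severity categories, present or not,
                      + the custom categories that exist.
    """
    custom = custom_weights or {}
    total_score = sum(w for c, w in SEVERITY_WEIGHTS.items() if exists.get(c, False))
    total_score += sum(w for c, w in custom.items() if exists.get(c, False))
    total_weightage = sum(SEVERITY_WEIGHTS.values())
    total_weightage += sum(w for c, w in custom.items() if exists.get(c, False))
    return round(100 * total_score / total_weightage, 1)


if __name__ == "__main__":
    # The article's sample: only a Medium category present (assumption) -> 50 / 250 -> 20
    print(asset_risk_score({"Medium": True}))
    # Hypothetical custom category "Agent Outdated" with weight 40, present alongside Medium
    print(asset_risk_score({"Medium": True, "Agent Outdated": True},
                           custom_weights={"Agent Outdated": 40}))
```

Note that a custom category only enters the denominator when it exists, so adding one to an asset raises both the Total Score and the Total Weightage at the same time; the four severity categories are always in the denominator.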
Security and Compliance Report Card Grading
The table values below are used for our Security Report Card and Compliance Report Card grades.
Category | Grades | Description |
---|---|---|
Antivirus | 5 | Anti-virus is installed and up to date |
Antivirus | 4 | Anti-virus is installed but not up to date |
Antivirus | 1 | Anti-virus is not installed |
Local Firewall | 5 | Local firewall is enabled for both public and private networks |
Local Firewall | 4 | Local firewall is not enabled for private networks |
Local Firewall | 3 | Local firewall is not enabled |
Local Firewall | 1 | Local firewall is not enabled |
Insecure Listening Ports | 5 | There are no insecure listening ports |
Insecure Listening Ports | 3 | One insecure listening port detected |
Insecure Listening Ports | 1 | More than one insecure listening port detected |
Failed Login | 5 | No failed interactive logins in the past 7 days |
Failed Login | 4 | 7 or fewer failed interactive logins in the past 7 days |
Failed Login | 3 | 14 or fewer failed interactive logins in the past 7 days |
Failed Login | 1 | 15 or more failed interactive logins in the past 7 days |
Network Vulnerabilities | 5 | No network vulnerabilities |
Network Vulnerabilities | 4 | Low network vulnerabilities found (CVSS < 4.0) |
Network Vulnerabilities | 3 | Medium network vulnerability found (CVSS >= 4.0) |
Network Vulnerabilities | 1 | Critical network vulnerability found (CVSS >= 9.0) |
System Aging | 5 | All computers are less than 2 years old |
System Aging | 4 | Some computers between 3 and 4 years old |
System Aging | 3 | Some computers between 4 and 7 years old |
System Aging | 1 | Some computers over 8 years old |
Supported OS | 5 | All computers have supported Operating Systems |
Supported OS | 4 | Some Operating Systems are in extended support |
Supported OS | 3 | Some Operating Systems are within 1 year of end of life |
Supported OS | 1 | Some unsupported Operating System |
LLMNR | 2 | LLMNR not Allowed |
LLMNR | 5 | LLMNR Disabled |
LLMNR | 1 | LLMNR Enabled |
NBTNS | 2 | NBTNS not Allowed |
NBTNS | 5 | NBTNS Disabled |
NBTNS | 1 | NBTNS Enabled |
NTLMV1 | 2 | NTLMV1 not Allowed |
NTLMV1 | 5 | NTLMV1 Disabled |
NTLMV1 | 1 | NTLMV1 Enabled |
SMBV1Server | 2 | SMBV1 Server not Allowed |
SMBV1Server | 5 | SMBV1 Server Disabled |
SMBV1Server | 1 | SMBV1 Server Enabled |
SMBV1Client | 2 | SMBV1 Client not Allowed |
SMBV1Client | 5 | SMBV1 Client Disabled |
SMBV1Client | 1 | SMBV1 Client Enabled |
SMB Signing | 2 | SMB Signing Disabled |
SMB Signing | 5 | SMB Signing Enabled |
SMB Signing | 1 | SMB Signing Disabled |
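To make the count-based rows concrete, here is an added Python example (not ConnectSecure's code) that derives the Failed Login, Network Vulnerabilities and Insecure Listening Ports grades from sample data. The auth-log lines are constructed in a format invented for this example (timestamp, result, logon type, account), not output of the product, and the reference time is fixed so the 7-day window is reproducible. Two assumptions are built in: the Network Vulnerabilities row lists no separate band for CVSS 7.0 to 8.9, so the code applies the rows literally and grades anything from 4.0 up to 8.9 as 3, and the grade is driven by the single worst CVSS score found on the asset.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable

# Constructed auth-log lines (format invented for this example):
# <ISO-8601 UTC timestamp> <OK|FAIL> <interactive|network> <account>
SAMPLE_LOG = """2024-05-10T08:01:00Z FAIL interactive alice
2024-05-10T08:01:30Z FAIL interactive alice
2024-05-11T22:15:00Z FAIL network svc-backup
2024-05-12T09:00:00Z OK interactive alice
2024-05-13T03:12:00Z FAIL interactive bob
2024-04-20T10:00:00Z FAIL interactive bob
"""

# Fixed "now" so the 7-day window in the example is reproducible.
NOW = datetime(2024, 5, 14, tzinfo=timezone.utc)


def count_failed_interactive(log: str, now: datetime, window_days: int = 7) -> int:
    """Count FAIL + interactive events with a timestamp inside the last window_days.
    Network logons and successful logons are not counted, matching the row wording."""
    cutoff = now - timedelta(days=window_days)
    count = 0
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, result, logon_type, _account = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if result == "FAIL" and logon_type == "interactive" and when >= cutoff:
            count += 1
    return count


def failed_login_grade(failed_count: int) -> int:
    """Failed Login row: 0 -> 5, 1..7 -> 4, 8..14 -> 3, 15+ -> 1."""
    if failed_count == 0:
        return 5
    if failed_count <= 7:
        return 4
    if failed_count <= 14:
        return 3
    return 1


def network_vuln_grade(cvss_scores: Iterable[float]) -> int:
    """Network Vulnerabilities row, driven by the worst CVSS score on the asset.
    Assumption: 4.0 <= score < 9.0 is grade 3, since the table names no High band."""
    scores = list(cvss_scores)
    if not scores:
        return 5
    worst = max(scores)
    if worst >= 9.0:
        return 1
    if worst >= 4.0:
        return 3
    return 4


def listening_ports_grade(insecure_port_count: int) -> int:
    """Insecure Listening Ports row: none -> 5, exactly one -> 3, more than one -> 1."""
    if insecure_port_count == 0:
        return 5
    if insecure_port_count == 1:
        return 3
    return 1


def report_card(log: str, now: datetime, cvss_scores: Iterable[float],
                insecure_port_count: int) -> Dict[str, int]:
    """Grades for the three count-based categories, keyed by the table's category names."""
    return {
        "Failed Login": failed_login_grade(count_failed_interactive(log, now)),
        "Network Vulnerabilities": network_vuln_grade(cvss_scores),
        "Insecure Listening Ports": listening_ports_grade(insecure_port_count),
    }


if __name__ == "__main__":
    # Three failed interactive logins in the window -> Failed Login grade 4
    print(report_card(SAMPLE_LOG, NOW, cvss_scores=[3.1, 7.8], insecure_port_count=1))
```

The window check is the part worth getting right: the April entry in the sample is a failed interactive logon but falls outside the 7 days and must not count, while the network logon falls inside the window and must not count either.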
Security Report Card
Compliance Report Card
End of Life
ConnectSecure checks against Assets to categorize end-of-life (EOL) in two ways.
OS-OUT-OF-SECURITY-SUPPORT
OS-OUT-OF-ACTIVE-SUPPORT
This is found in the Problem Group of ‘Informational’ as shown in the example below:
Risk Level Descriptions for EOL on Active/Security Support
Level | Description |
---|---|
1 | Both Active and Security Support have ended; no support is available |
3 | The operating system is within 1 year of its Security Support end date; limited support |
4 | The operating system is within its Active Support but past its Security Support; extended support |
5 | The operating system is within both Active and Security Support timelines; full support |
Need Support?
Contact our support team by sending an email to support@connectsecure.com or by visiting our Partner Portal, where you can create, view, and manage your tickets.
https://cybercns.freshdesk.com/en/support/login