CyberCNS Risk Score Grading

The Risk Scores are graded as below:

The Company Score is the sum of Vulnerability, External Vulnerability, Compliance, Security Report Card & Active Directory.

Company Risk Score Grade: A ( 0 - 40 ): Very Low

Company Risk Score Grade: B ( 40 - 45 ): Low

Company Risk Score Grade: C ( 45 - 60 ): Medium

Company Risk Score Grade: D ( 60 - 75 ): High

Company Risk Score Grade: E ( 75 - 90 ): Critical

Company Risk Score Grade: F ( 90 - 100 ): Very Critical

Risk Score Grade: A (0 - 40):
  A represents Very Low (Issues are present and an organization should aim to be in the 0-40 range, however broadly all significant issues have been taken care of).

Risk Score Grade: B (40 - 45):
  B represents Low (Issues are present and the value ranges from 40-45, however, significant issues have been taken care of).

Risk Score Grade: C (45 - 60):
  C represents Medium (A small number of issues that need immediate attention and the value ranges from 45-60).

Risk Score Grade: D (60 - 75):
  D represents High (Significant number of issues that require attention and the value ranges from 60-75).

Risk Score Grade: E (75 - 90):
  E represents Critical (The network is susceptible to attack and needs remediation to be performed on a war footing and the value ranges from 75-90).

Risk Score Grade: F (90 - 100):
  F represents Very Critical (The network is highly susceptible to attack and needs remediation to be performed on a war footing and the value ranges from 90-100).

Calculation of Vulnerability Risk:

CyberCNS uses CVSS 3.0 as a base system for the calculation of vulnerability risk.

  • The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities.

  • CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritise responses and resources according to the threat.

  • Scores are calculated based on a formula that depends on several metrics that approximate ease of exploit and the impact of exploit. Scores range from 0 to 10, with 10 being the most severe. While many utilize only the CVSS Base score for determining severity, temporal and environmental scores also exist, to factor in the availability of mitigations and how widespread vulnerable systems are within an organisation, respectively.

  • Navigate to Vulnerabilities at the company level and click on any of the Severity numbers (Critical, High, Medium, or Low) for the listed OS to get more details about those vulnerabilities. These numbers are the totals for that category of vulnerabilities.

  • Further, you need to select any of the vulnerabilities from the Product name and you can get the details of the Base Score, Impact Score, and Exploitability Score per CVE as shown below.

  • Here the maximum Base score and the maximum exploitability score will be considered while calculating the Vulnerability Risk Score.

  • In the edit device page, you get the Severity importance, which is ‘Low’ by default for all Assets. You can set the value to Low, Medium, High, or Critical depending on the importance of that asset in your network.

  • In CyberCNS, CVSS is used to map a vulnerability score to an asset, and the overall vulnerability score is then computed from the weights of the different vulnerabilities.

  • Also, we use a weighted table of:

CVSS Base Score: 50 percent.
CVSS Exploitability Score: 20 percent.
Asset Importance Score: 10 percent.
Impact based on actual malware being released: 10 percent.
Impact Score: 10 percent.

For example,

  • Vulnerability Maximum BaseScore = 9.8

  • Vulnerability Maximum Exploitability Score = 3.9

  • Asset Importance = 25 (By default, the Asset importance will be taken as 25 for Low importance).

=> (Vulnerability Maximum BaseScore * 5) + (Vulnerability Maximum ExploitabilityScore * 2) + (Asset Importance / 10) * 3

Asset Importance values for severity:

Critical - 100

High - 75

Medium - 50

Low - 25

=> (9.8 * 5) + (3.9 * 2) + (25 / 10) * 3

=> 49 + 7.8 + 7.5

=> 64.3

CyberCNS Vulnerability Risk Score is 64.3

  • This score is computed for each asset; we then take the mode and the mean across assets and report the higher of the two as the risk score. So if you have no vulnerabilities you get a risk of zero. A risk of 100 means you must act now or you will end up with issues.
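The per-asset formula, the mode/mean aggregation and the company grade bands above, as an added worked example (not CyberCNS code). It assumes that a score sitting exactly on a band boundary (e.g. 40) takes the lower grade, since the page's ranges overlap at the edges, and that a tie between several modes is broken by taking the largest.

```python
from statistics import mean, multimode

# Asset Importance values for severity, as listed on the page (Low is the default).
ASSET_IMPORTANCE = {"Critical": 100, "High": 75, "Medium": 50, "Low": 25}

# Company Risk Score Grade bands from the page; upper bound inclusive (assumption).
GRADE_BANDS = [(40, "A"), (45, "B"), (60, "C"), (75, "D"), (90, "E"), (100, "F")]


def asset_vulnerability_risk(max_base: float, max_exploitability: float,
                             importance: str = "Low") -> float:
    """Per-asset score from the page's formula:
    (max Base Score * 5) + (max Exploitability Score * 2) + (Asset Importance / 10) * 3."""
    # CVSS 3.0 base scores run 0-10; the exploitability sub-score tops out at 3.9.
    if not 0.0 <= max_base <= 10.0 or not 0.0 <= max_exploitability <= 3.9:
        raise ValueError("base must be 0-10 and exploitability 0-3.9")
    weight = ASSET_IMPORTANCE[importance]
    return round(max_base * 5 + max_exploitability * 2 + (weight / 10) * 3, 1)


def company_vulnerability_risk(asset_scores: list[float]) -> float:
    """Aggregate per-asset scores as the page describes: the higher of mode and mean.
    No assets with vulnerabilities means a risk of zero."""
    if not asset_scores:
        return 0.0
    # multimode() returns every equally-common value; take the largest (assumption).
    mode = max(multimode(asset_scores))
    return round(max(mode, mean(asset_scores)), 1)


def risk_grade(score: float) -> str:
    """Map a 0-100 risk score to the page's letter grade."""
    for upper, grade in GRADE_BANDS:
        if score <= upper:
            return grade
    raise ValueError("score must be within 0-100")


if __name__ == "__main__":
    # Constructed sample: the page's 9.8 / 3.9 / Low asset plus two others.
    scores = [asset_vulnerability_risk(9.8, 3.9, "Low"),
              asset_vulnerability_risk(9.8, 3.9, "Low"),
              asset_vulnerability_risk(4.0, 1.0, "Medium")]
    company = company_vulnerability_risk(scores)
    print(scores, company, risk_grade(company))
```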

How to Improve the Risk Grade of any asset:

Please act on the recommendations provided in the Remediation Plan.

  • Update the Application/OS to the latest version.

  • Uninstall applications that are no longer supported (End of Support).

  • Use EPSS Categorization to decide which actions should be taken first on a priority basis.

HeatMap (Graphical representation)

  • The Risk Score is a value from 1 to 100, where 100 represents significant risk and potential issues.

  • The risk score is computed from several factors: the number and severity of vulnerabilities, the importance assigned to an asset, and the ability of an attacker to exploit the vulnerability remotely or with little or no knowledge of credentials.

  • In the HeatMap the vulnerability score is represented graphically.

  • A vulnerability Risk score is categorised using four colors. They are:

Green represents Low (Issues are present and an organisation should aim to be in the 0-50 range; however, broadly all significant issues have been taken care of).

Yellow represents Medium (A small number of issues that need immediate attention; the value ranges from 50-70).

Orange represents High (A significant number of issues that require attention; the value ranges from 70-85).

Red represents Critical (The network is susceptible to attack and needs remediation to be performed on a war footing and the value ranges from 85-100).

  • This completes Risk Score Grading.