CVSS Base Risk Host Matrices

by Cody Dumont
April 10, 2014

When performing a detailed risk analysis, the use of risk matrices is a common practice.  The Forum of Incident Response and Security Teams (FIRST) created the Common Vulnerability Scoring System (CVSS) to normalize the methodology of analyzing risk.  CVSS provides an open framework for assessing the risk of discovered vulnerabilities.  The scoring system has three metric groups, the first being the “Base Metric” group.  This dashboard is comprised of four risk analysis matrices.  The top two matrices show the number of hosts that have vulnerabilities with the respective CVSS metric values, while the bottom two show the percentage of total hosts that are found to have the designated risk level.

The dashboard and its components are available in the SecurityCenter 4.7 Dashboard app feed, an app store of dashboards, reports, and assets. The dashboard requirements are:

  • SecurityCenter 4.8
  • Nessus 5.2.5
  • PVS 4.0.1

The ratio bar in the bottom components will change colors based on a percentage threshold.  The threshold levels are:

  • 0% = Green
  • 1% – 25% = Yellow
  • 26% – 50% = Orange
  • 51% – 75% = Red
  • 76% – 100% = Purple

The matrices are also separated by the access (exploitability) and impact CVSS base metric groups.  On the left side are the metrics Access Vector (AV), Access Complexity (AC), and Authentication (Au), while the right side has Confidentiality (C), Integrity (I), and Availability (A).  The AV, AC, and Au metrics measure how the vulnerability is accessed and whether or not special conditions are needed before it can be exploited.  The C, I, and A metrics measure the impact of the vulnerability.  It is important to note that just because a vulnerability may breach integrity, the confidentiality or availability of the data may not be impacted.

The components are configured using the cvss_vector element located in the plugin output text fields.  The cvss_vector is always arranged in the same sequential order, with each metric taking one of the listed values:

  • Access Vector (AV): [L,A,N]
  • Access Complexity (AC): [H,M,L]
  • Authentication (Au): [M,S,N]
  • Confidentiality (C): [N,P,C]
  • Integrity (I): [N,P,C]
  • Availability (A): [N,P,C]

The Confidentiality, Integrity, and Availability metrics share a common set of values.  The metric values are:

  • None (N) – There is no Confidentiality, Integrity, or Availability impact to the system.
  • Partial (P) – The system’s Confidentiality, Integrity, or Availability could be considerably impacted.  An example of the impact would be if confidentiality is compromised and sensitive information is disclosed.  The attacker may have access to some system properties, but control over the system was not obtained, or the loss of information is limited.  An example is a vulnerability that divulges routing tables in a compromised router.
  • Complete (C) – The system’s Confidentiality, Integrity, or Availability could be completely compromised.  An example of such an impact is if information disclosure resulted in all system files being revealed, or if unfettered arbitrary command execution were to be allowed.
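The following is an added example, not code from the dashboard or from SecurityCenter, showing how the cvss_vector ordering above and the ratio thresholds listed earlier translate into the host-count and ratio cells of these matrices. The findings list, host total and helper names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample findings (host, cvss_vector, severity); not real scan data.
FINDINGS = [
    ("10.0.0.1", "AV:N/AC:L/Au:N/C:C/I:C/A:C", "critical"),
    ("10.0.0.2", "AV:N/AC:L/Au:N/C:P/I:P/A:P", "high"),
    ("10.0.0.3", "AV:N/AC:L/Au:S/C:P/I:N/A:N", "medium"),
    ("10.0.0.3", "AV:L/AC:M/Au:N/C:N/I:P/A:N", "low"),
    ("10.0.0.4", "AV:A/AC:H/Au:M/C:N/I:N/A:P", "low"),
]
TOTAL_HOSTS = 10  # assumed size of the scanned asset set

# Base-vector metric order and allowed values, exactly as listed on the page.
ORDER = ["AV", "AC", "Au", "C", "I", "A"]
ALLOWED = {"AV": "LAN", "AC": "HML", "Au": "MSN", "C": "NPC", "I": "NPC", "A": "NPC"}

def parse_cvss_vector(vector):
    """Parse a CVSS v2 base vector, enforcing metric order and allowed values."""
    parts = [p.split(":", 1) for p in vector.split("/")]
    if [name for name, _ in parts] != ORDER:
        raise ValueError("unexpected metric order in %r" % vector)
    metrics = {}
    for name, value in parts:
        if value not in ALLOWED[name]:
            raise ValueError("bad value %r for %s in %r" % (value, name, vector))
        metrics[name] = value
    return metrics

def host_matrix(findings, row_metrics, col_metric):
    """Distinct hosts per (row metrics, column metric) cell, as in the top matrices."""
    cells = defaultdict(set)
    for host, vector, _severity in findings:
        m = parse_cvss_vector(vector)
        key = tuple(m[r] for r in row_metrics) + (m[col_metric],)
        cells[key].add(host)  # a host with several findings in a cell counts once
    return {key: len(hosts) for key, hosts in cells.items()}

def ratio_color(pct):
    """Ratio bar color from the page's thresholds (assumes 0 < pct < 1 is Yellow)."""
    if pct == 0:
        return "Green"
    if pct <= 25:
        return "Yellow"
    if pct <= 50:
        return "Orange"
    return "Red" if pct <= 75 else "Purple"

def ratio_matrix(findings, total_hosts, row_metrics, col_metric):
    """Percent of total hosts per cell plus its bar color, as in the bottom matrices."""
    counts = host_matrix(findings, row_metrics, col_metric)
    return {key: (100.0 * n / total_hosts, ratio_color(100.0 * n / total_hosts))
            for key, n in counts.items()}
```

Calling `host_matrix(FINDINGS, ["AV", "AC"], "Au")` fills the left-hand matrix and `host_matrix(FINDINGS, ["C", "I"], "A")` the right-hand one; the ratio functions produce the bottom pair.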

More information about CVSS scoring is available from the Common Vulnerability Scoring System Special Interest Group (CVSS-SIG).  The dashboard components are:

CVSS Base Risk Host Matrix - Access Vector (AV), Authentication (Au), Access Complexity (AC) Risk Matrix: This matrix provides analysts with a traditional risk matrix using the CVSS Base Metrics.  The cells in the matrix contain the number of hosts with vulnerabilities that have the applicable risk vector.  For each Access Vector (AV) / Access Complexity (AC) combination, the number of hosts in each Authentication (Au) category is given.

CVSS Base Risk Host Matrix - Access Vector (AV), Authentication (Au), Access Complexity (AC) Risk Ratios: This matrix provides a ratio analysis using a traditional risk matrix comprised of the CVSS Base Accessibility Metrics.  The cells in the matrix contain the number of hosts with vulnerabilities that have the applicable risk vector.  For each Access Vector (AV) / Access Complexity (AC) combination, a ratio is provided for the total IPs with a low, medium, high, or critical severity over the respective Authentication (Au) category.

CVSS Base Risk Host Matrix - Confidentiality (C), Integrity (I), Availability (A) Impact Risk Matrix: This matrix provides analysts with a traditional risk matrix using the CVSS Base Metrics.  The cells in the matrix contain the number of hosts with vulnerabilities that have the applicable risk vector.  For each Confidentiality (C) / Integrity (I) combination, the number of hosts in each Availability (A) category is given.

CVSS Base Risk Host Matrix - Confidentiality (C), Integrity (I), Availability (A) Impact Risk Ratios: This matrix provides a ratio analysis using a traditional risk matrix comprised of the CVSS Base Accessibility Metrics.  The cells in the matrix contain the number of hosts with vulnerabilities that have the applicable risk vector.  For each Confidentiality (C) / Integrity (I) combination, a ratio is provided for the total IPs with a low, medium, high, or critical severity over the respective Availability (A) category.