CVSS Base Risk Matrices

by Cody Dumont
April 3, 2014

When performing a detailed risk analysis, risk matrices are a common tool.  The Forum of Incident Response and Security Teams (FIRST) maintains the Common Vulnerability Scoring System (CVSS), an open framework that normalizes how the severity of discovered vulnerabilities is rated.  The scoring system has three metric groups (Base, Temporal, and Environmental), the first being the Base metric group.  This dashboard provides risk analysis matrices built on the base metrics, and trend lines showing the change in risk over 25 days.

The dashboard and its components are available in the SecurityCenter 4.7 Dashboard app feed, an app store of dashboards, reports, and assets.  The dashboard requirements are:

  • SecurityCenter 4.8
  • Nessus 5.2.5
  • PVS 4.0.1

The CVSS base metric group captures the characteristics of a vulnerability that are constant over time and across user environments.  The first three base metrics (Access Vector, Access Complexity, and Authentication) are the exploitability metrics: they measure how the vulnerability is reached and whether special conditions must hold before it can be exploited.  The last three are the impact metrics: they measure the effect a successful exploit has on the Confidentiality, Integrity, and Availability of the affected system.  When rating impact, note that the three are scored independently: a vulnerability that breaches confidentiality (an information leak) may leave the integrity and availability of the data untouched.

The components are configured using the cvss_vector element found in the plugin output text fields.  The cvss_vector always lists the six base metrics in the same fixed order:

  • Access Vector (AV): [L,A,N]
  • Access Complexity (AC):[H,M,L]
  • Authentication (Au):[M,S,N]
  • Confidentiality (C):[N,P,C]
  • Integrity (I):[N,P,C]
  • Availability (A):[N,P,C]

Each metric carries one value that states how the metric applies to the vulnerability.  For example, Access Vector (AV) has three possible values: Local (L), Adjacent Network (A), and Network (N).  The value "L" means the attacker needs local access (a local account or physical access), "A" means the attacker must be on the same broadcast domain (the local network segment), and "N" means the vulnerability is exploitable remotely across the network.  AV:N is the most common value; it covers flaws in network-facing services as well as many web application issues such as Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF), where the attacker reaches the victim's browser over the network.

The matrices use two rows for each base metric value: Vulnerabilities and Exploitable.  The Vulnerabilities row shows the count of vulnerabilities carrying that metric value.  The Exploitable row shows the percentage of those vulnerabilities that the scanner flags as exploitable (a public exploit is available).  The ratio bar changes color as that percentage crosses a threshold.  The threshold levels are:

  •  0% = Green
  • 1% – 25% = Yellow
  • 26% – 50% = Orange
  • 51% – 75% = Red
  • 76% – 100% = Purple
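The following Python script is an added example, not code from the original post or from Tenable; it shows what the dashboard does with the cvss_vector strings described above.  It parses a CVSS v2 base vector in the fixed AV/AC/Au/C/I/A order, rejects vectors that are out of order or carry unknown values, recomputes the CVSS v2 base score with the published equation (so a parsed vector can be checked against the score reported in the plugin output), and then builds the Vulnerabilities / Exploitable rows with the color thresholds listed above.  The `CVSS2#` prefix handling, the `SAMPLE_FINDINGS` list and the exploitable flags are constructed for the example; real input would come from the scan results.

```python
from collections import Counter, defaultdict
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base metric weights (FIRST CVSS v2.0 guide), in vector order.
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C":  {"N": 0.0, "P": 0.275, "C": 0.660},
    "I":  {"N": 0.0, "P": 0.275, "C": 0.660},
    "A":  {"N": 0.0, "P": 0.275, "C": 0.660},
}
ORDER = ["AV", "AC", "Au", "C", "I", "A"]


def parse_vector(text):
    """Parse 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into {metric: value}.
    An optional 'CVSS2#' prefix is stripped (assumed here to match the
    form seen in scan exports). The six metrics must appear in ORDER."""
    vec = text.strip()
    if vec.upper().startswith("CVSS2#"):
        vec = vec[len("CVSS2#"):]
    parts = vec.split("/")
    if len(parts) != len(ORDER):
        raise ValueError("expected 6 base metrics in %r" % text)
    metrics = {}
    for expected, part in zip(ORDER, parts):
        name, _, value = part.partition(":")
        if name != expected:
            raise ValueError("metric %r out of order, expected %r" % (name, expected))
        if value not in WEIGHTS[name]:
            raise ValueError("unknown value %r for metric %s" % (value, name))
        metrics[name] = value
    return metrics


def base_score(metrics):
    """CVSS v2 base score equation, rounded half-up to one decimal."""
    w = {m: WEIGHTS[m][v] for m, v in metrics.items()}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0 if impact == 0 else 1.176   # no impact means score 0
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return float(Decimal(repr(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def ratio_color(percent):
    """Color thresholds used by the dashboard's Exploitable ratio bar."""
    if percent <= 0:
        return "green"
    if percent <= 25:
        return "yellow"
    if percent <= 50:
        return "orange"
    if percent <= 75:
        return "red"
    return "purple"


def risk_matrix(findings):
    """findings: iterable of (cvss_vector, exploitable) pairs.
    Returns {metric: {value: {vulnerabilities, exploitable_pct, color}}},
    i.e. the two rows the matrix shows for every base metric value."""
    counts = defaultdict(Counter)
    exploitable = defaultdict(Counter)
    for vector, is_exploitable in findings:
        for metric, value in parse_vector(vector).items():
            counts[metric][value] += 1
            if is_exploitable:
                exploitable[metric][value] += 1
    matrix = {}
    for metric in ORDER:
        matrix[metric] = {}
        for value in WEIGHTS[metric]:
            n = counts[metric][value]
            pct = 100.0 * exploitable[metric][value] / n if n else 0.0
            matrix[metric][value] = {
                "vulnerabilities": n,
                "exploitable_pct": pct,
                "color": ratio_color(pct),
            }
    return matrix


# Constructed sample findings (vector, exploit available?) for the demo.
SAMPLE_FINDINGS = [
    ("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P", True),   # remote, partial C/I/A
    ("AV:N/AC:M/Au:N/C:N/I:P/A:N", False),        # typical reflected XSS
    ("AV:L/AC:L/Au:N/C:C/I:C/A:C", True),         # local privilege escalation
    ("AV:A/AC:L/Au:N/C:N/I:N/A:P", False),        # adjacent-network DoS
]

if __name__ == "__main__":
    for vector, _ in SAMPLE_FINDINGS:
        print(vector, "->", base_score(parse_vector(vector)))
    for metric, row in risk_matrix(SAMPLE_FINDINGS).items():
        print(metric, {v: (c["vulnerabilities"], c["color"]) for v, c in row.items()})
```

Recomputing the score from the vector is a cheap consistency check when ingesting results from several tools: if a stored base score does not match the score derived from its vector, one of the two fields has been edited or mis-parsed.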

More information about CVSS scoring is available at http://www.first.org/cvss.

Listed below are the components included with this dashboard. 

CVSS Base Risk Matrix - Access Vector (AV), Authentication (Au), Access Complexity (AC) Risk Analysis: This matrix breaks the vulnerabilities down by the base metrics Access Vector (AV), Access Complexity (AC), and Authentication (Au), and by whether or not each vulnerability is exploitable, to aid the risk analysis process.

CVSS Base Risk Matrix - Confidentiality (C), Availability (A), Integrity (I) Impact Risk Analysis: This matrix breaks the vulnerabilities down by the base metrics Confidentiality (C), Integrity (I), and Availability (A), and by whether or not each vulnerability is exploitable, to aid the risk analysis process.

CVSS Base Risk Matrix - 25 Day - Access Vector (AV), Authentication (Au), Access Complexity (AC) Risk Trending: Each CVSS metric is identified by a metric name and a value.  This 25-day trend analysis shows the risk trend for each CVSS base metric, with one line per metric value.  Each data point in a trend line counts the vulnerabilities discovered within the previous 24 hours.

CVSS Base Risk Matrix - 25 Day - Confidentiality (C), Integrity (I), Availability (A) Risk Trending: Each CVSS metric is identified by a metric name and a value.  This 25-day trend analysis shows the risk trend for each CVSS base metric, with one line per metric value.  Each data point in a trend line counts the vulnerabilities discovered within the previous 24 hours.