icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons icons_061

CVSS Temporal Risk Heat Map

by Cody Dumont
May 8, 2014

The use of heat maps is commonplace in all types of risk analysis. Tenable SecurityCenter customers have the ability to combine matrix components together to create a heat map to assess risk with an organization. Information presented within this dashboard uses CVSS temporal metrics to display risk levels of systems and their vulnerabilities. 

    The Common Vulnerability Scoring System (CVSS) provides an open framework for assessing the risk of discovered vulnerabilities. The scoring system has three metric types, the second being “Temporal Metric”. The temporal metric is comprised of three metrics:

    • Exploitability (E) - The exploitability metric represents the current state of exploit techniques and availability of code. Exploitable code can increase the number of potential attackers, as well as the severity of the vulnerability.
    • Remediation Level (RL) - The remediation level of a vulnerability is an important factor in prioritizing remediation efforts. When a vulnerability is initially published, the vulnerability is unpatched. During the life cycle of the vulnerability, the remediation level will change through the respective stages. A higher risk is in direct proportion to the lesser of the degree that a fix is official and permanent.
    • Report Confidence (RC) - When a vulnerability is published, the details may be limited, however as the vulnerability is confirmed by other researchers or by the vendor, details may become more publicized. The urgency to mitigate is higher when more details or proofs of concept are public. The risk to the organization is increased as details become public and validated by reputable sources.

      The exploitability metric has the following values:

      • Unproven (U) - No exploit code is available, or an exploit is entirely theoretical.
      • Proof-of- Concept (POC) - The code or technique is not functional in all situations and may require modification by an attacker.
      • Functional (F) - The code works in most situations where the vulnerability exists.
      • High (H) - The code works in every situation, or is actively being delivered via an autonomous agent (such as a worm or virus).
      • Not Defined (ND) - Assigning this value to the metric will not influence the score, and should be skipped.

        The remediation level metric has the following values:

        • Official Fix (OF) - A complete vendor solution is available.
        • Temporary Fix (TF) - There is an official but temporary fix available.
        • Workaround (W) - There is an unofficial, non-vendor solution available.
        • Unavailable (U) - No solution is available or is impossible to apply.
        • Not Defined (ND) - Assigning this value to the metric will not influence the score, and should be skipped. 

        The report confidence metric has the following values:

        • Unconfirmed (UC) - There is a single unconfirmed source or possibly multiple conflicting reports.
        • Uncorroborated (UR) - There are multiple non-official sources, possibly including independent security companies or research organizations.
        • Confirmed (C) - The vulnerability has been acknowledged by the vendor or author of the affected technology.
        • Not Defined (ND) - Assigning this value to the metric will not influence the score, and should be skipped.

        With respect to the “Not Defined” metric, this metric is included in the heat map as many vulnerabilities have this designation. Tenable would not want to delete data in a risk assessment. If the organization does not use this metric, then an analyst can delete the bottom row. 

        The colors used in this dashboard start with white on green (signifying the least risk) and progressing to white on purple with the highest risk level. The rows and columns were organized by using the calculated factors found within the CVSS guide, which can be found at http://www.first.org/cvss.

        The dashboard and its components are available in the SecurityCenter Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards and assets. The dashboard can be easily located in the SecurityCenter Feed under the category Security Industry Trends.

        The dashboard requirements are:

        • SecurityCenter 4.8.0
        • Nessus 5.2.6
        • LCE 4.2.2
        • PVS 4.0.2

        Tenable automatically analyzes information from active scanning, intelligent connectors, agent scanning, passive listening, and host data in order to provide continuous visibility and critical context. Active scanning periodically examines hosts within the organization to determine risk. Intelligent connectors leverage other security investments to provide additional context and analysis. Agent scanning enables assessing systems without the need for ongoing host credentials. Passive listening detects hosts that were offline during active scans, and provides real-time monitoring of host activity throughout the network. Host data is analyzed to correlate real-time events, monitor firewall traffic, and identify malicious attacks. The combination of these sensors provides organizations with the tools they need to proactively detect, monitor, and respond to threats within the enterprise.