CVSS Temporal Risk Heat Map

by Cody Dumont
May 8, 2014

The use of heat maps is commonplace in all types of risk analysis.  SecurityCenter customers have the ability to combine matrix components to create a heat map that assesses risk within an organization.  This dashboard uses CVSS temporal metrics to display the risk levels of systems and their vulnerabilities.  The Common Vulnerability Scoring System (CVSS) provides an open framework for assessing the risk of discovered vulnerabilities.

The dashboard and its components are available in the SecurityCenter Feed, an app store of dashboards, reports, and assets.  The dashboard requirements are:

  • SecurityCenter 4.8
  • Nessus 5.2.6
  • LCE 4.2.2
  • PVS 4.0.2

The scoring system has three metric groups (Base, Temporal and Environmental), the second being the Temporal group.  The temporal metric is made up of three sub-metrics, each of which scales the base score:

  • Exploitability (E) - The exploitability metric represents the current state of exploit techniques and the availability of exploit code.  As exploit code becomes easier to use and the number of potential attackers increases, the severity of the vulnerability also increases.
  • Remediation Level (RL) - The remediation level of a vulnerability factors into prioritization.  When initially published, a vulnerability is typically unpatched.  Over the life cycle of the vulnerability, the remediation level moves through the stages listed below.  The less official and permanent the available fix, the higher the risk.
  • Report Confidence (RC) - When a vulnerability is first published, the details may be limited; as it is confirmed by other researchers or by the vendor, the details become more widely known.  The risk, and with it the urgency to mitigate, increases as the details are made public and validated by reputable sources.

The exploitability metric has the following values:

  • Unproven (U) - No exploit code is available, or an exploit is entirely theoretical.
  • Proof-of-Concept (POC) - Proof-of-concept code or a technique is available, but it is not functional in all situations and may require substantial modification by a skilled attacker.
  • Functional (F) - The code works in most situations where the vulnerability exists.
  • High (H) - The code works in every situation, or is actively being delivered via a mobile autonomous agent (such as a worm or virus).
  • Not Defined (ND) - Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric. 

The remediation level metric has the following values:

  • Official Fix (OF) - A complete vendor solution is available.
  • Temporary Fix (TF) - There is an official but temporary fix available.
  • Workaround (W) - There is an unofficial, non-vendor solution available.
  • Unavailable (U) - There is either no solution available or it is impossible to apply.
  • Not Defined (ND) - Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric. 

The report confidence metric has the following values:

  • Unconfirmed (UC) - There is a single unconfirmed source or possibly multiple conflicting reports.
  • Uncorroborated (UR) - There are multiple non-official sources, possibly including independent security companies or research organizations.
  • Confirmed (C) - The vulnerability has been acknowledged by the vendor or author of the affected technology.
  • Not Defined (ND) - Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric. 

With respect to the “Not Defined” value, it is included in the heat map because many vulnerabilities carry this designation, and omitting it would silently drop data from your risk assessment.  Note that ND carries a weight of 1.0 in the temporal equation, so it never lowers a score.  If your organization does not use this value, you can delete the bottom row.

The colors used in this dashboard start with white on green (signifying the least risk) and progress to white on purple (the highest risk level).  The rows and columns were organized using the calculated factors (the metric weights) found within the CVSS guide, which can be found at http://www.first.org/cvss.
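Worked example, added here and not part of the original dashboard or any Tenable code: the CVSS v2 temporal equation is Temporal = round_to_1_decimal(Base × E × RL × RC), using the weights published in the CVSS v2 guide linked above.  The block parses the temporal portion of a CVSS v2 vector, computes the temporal score, walks a constructed vulnerability through its life cycle to show the score rise and fall, and lists every E/RL/RC combination ordered by its combined factor, which is the ordering the heat map's colors follow (least risk at 0.66555, Not Defined combinations at 1.0).  The vector strings and base scores are constructed for illustration, and the function names are this example's own.

```python
"""CVSS v2 temporal score and heat-map weights (added example).

Temporal = round_to_1_decimal(Base * E * RL * RC), with the weights taken
from the CVSS v2 guide (http://www.first.org/cvss).  The vector strings and
base scores used below are constructed for illustration only; the function
names are this example's, not SecurityCenter's.
"""
from decimal import Decimal, ROUND_HALF_UP
from itertools import product

# Temporal weights from the CVSS v2 guide.  Not Defined (ND) is 1.00, so it
# leaves the base score unchanged and sorts alongside the highest-risk values.
EXPLOITABILITY = {"U": "0.85", "POC": "0.90", "F": "0.95", "H": "1.00", "ND": "1.00"}
REMEDIATION_LEVEL = {"OF": "0.87", "TF": "0.90", "W": "0.95", "U": "1.00", "ND": "1.00"}
REPORT_CONFIDENCE = {"UC": "0.90", "UR": "0.95", "C": "1.00", "ND": "1.00"}
TEMPORAL_METRICS = {"E": EXPLOITABILITY, "RL": REMEDIATION_LEVEL, "RC": REPORT_CONFIDENCE}


def parse_temporal(vector):
    """Return (E, RL, RC) from a CVSS v2 vector string.

    The base portion (AV/AC/Au/C/I/A) is ignored; any temporal metric that is
    absent is treated as Not Defined, as the guide specifies.
    """
    values = {"E": "ND", "RL": "ND", "RC": "ND"}
    for part in vector.split("/"):
        key, _, val = part.partition(":")
        if key in TEMPORAL_METRICS:
            if val not in TEMPORAL_METRICS[key]:
                raise ValueError(f"unknown {key} value {val!r} in {vector!r}")
            values[key] = val
    return values["E"], values["RL"], values["RC"]


def temporal_multiplier(e, rl, rc):
    """Product of the three temporal weights, kept as an exact Decimal."""
    return (Decimal(EXPLOITABILITY[e]) * Decimal(REMEDIATION_LEVEL[rl])
            * Decimal(REPORT_CONFIDENCE[rc]))


def temporal_score(base_score, e, rl, rc):
    """CVSS v2 temporal score.  Decimal arithmetic with ROUND_HALF_UP matches
    the guide's round_to_1_decimal; float math plus Python's round() would
    turn an exact 2.25 into 2.2."""
    score = Decimal(str(base_score)) * temporal_multiplier(e, rl, rc)
    return float(score.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def score_vector(base_score, vector):
    """Temporal score straight from a scanner-style vector string."""
    return temporal_score(base_score, *parse_temporal(vector))


def lifecycle(base_score):
    """Constructed example: how one vulnerability's temporal score moves from
    disclosure to patch while its base score stays fixed."""
    stages = [
        ("disclosed, no exploit, no fix",      "E:U/RL:U/RC:UC"),
        ("PoC published, vendor silent",       "E:POC/RL:U/RC:UR"),
        ("working exploit, vendor workaround", "E:F/RL:W/RC:C"),
        ("official patch released",            "E:F/RL:OF/RC:C"),
    ]
    return [(name, score_vector(base_score, vec)) for name, vec in stages]


def heat_map_cells():
    """All E/RL/RC combinations ordered by combined multiplier, least risk
    first (green end) up to 1.00 (purple end).  Returns (multiplier, E, RL, RC)
    tuples; every combination containing ND lands at the high-risk end."""
    cells = [(float(temporal_multiplier(e, rl, rc)), e, rl, rc)
             for e, rl, rc in product(EXPLOITABILITY, REMEDIATION_LEVEL, REPORT_CONFIDENCE)]
    return sorted(cells)


if __name__ == "__main__":
    for name, score in lifecycle(7.5):
        print(f"{score:4.1f}  {name}")
    for mult, e, rl, rc in heat_map_cells()[:5]:
        print(f"{mult:.5f}  E:{e}/RL:{rl}/RC:{rc}")
```

Two points worth noticing when you run it: the score for the constructed vulnerability climbs from 5.7 to 6.8 as the exploit matures and only drops (to 6.2) once an official fix exists, and a vector with no temporal metrics at all scores exactly its base score, which is why the ND row sits at the high-risk end of the map rather than the low one.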