Qualitative Risk Analysis Dashboard

by David Schwalenberg
June 25, 2014

Information Security professionals continuously perform various types of risk assessments within their environment.  SecurityCenter users have a secret weapon in the battle to properly assess risk, and that weapon is SecurityCenter’s native ability to fully use the CVSS scoring system.  

The dashboard and its components are available in the SecurityCenter Feed, an app store of dashboards, reports, and assets. The dashboard can be easily located in the SecurityCenter Feed by selecting the category <BLAH>, and then selecting the tags analysis and CVSS. The dashboard requirements are:

  • SecurityCenter 4.8.1
  • Nessus 5.2.6
  • LCE 4.2.2
  • PVS 4.0.2 

A risk assessment requires a qualitative analysis of the vulnerabilities within a network. The Forum of Incident Response and Security Teams (FIRST) created the Common Vulnerability Scoring System (CVSS) to normalize the methodology for analyzing risk. CVSS provides an open framework for assessing the risk of discovered vulnerabilities. The CVSS methodology uses three metric groups: Base, Temporal, and Environmental. This dashboard uses the Base metric group to aid in the performance of qualitative risk analysis, and focuses on CVSS scores of 4.0 to 10.0.

There are six base metrics used to qualitatively assess the risk of a vulnerability. They fall into two sub-groupings of the Base metric group: the access metrics and the impact metrics. The access metrics assign a risk level based on the vector used to gain access to the target system. The access metrics include:

  • Access Vector, which reflects the methods used to exploit a vulnerability
  • Access Complexity, which measures the difficulty or complexity that an attacker faces in exploiting a vulnerability once access is obtained
  • Authentication, which measures how many times an attacker must authenticate to successfully exploit a vulnerability

The impact metrics use the CIA triad (Confidentiality, Integrity, Availability) to assign an impact score to a vulnerability. The impact metrics include:

  • Confidentiality Impact, which measures the impact on confidentiality after a successful exploit, meaning how well access by unauthorized users can be prevented and how well access to information that could further aid the attack is limited
  • Integrity Impact, which measures to what extent the information stored on the system is impacted when the vulnerability is successfully exploited, meaning the impact on the accuracy and reliability of the information stored on the victim system
  • Availability Impact, which measures how system resources are affected when the vulnerability is exploited; some attacks can consume CPU, network, or other resources available to the target system

SecurityCenter can help identify vulnerabilities that must be mitigated in order to satisfy PCI-DSS vulnerability scanning requirements. PCI-DSS v3.0 Req. 11.2 states that internal and external network vulnerability scans must be run at least quarterly, and after any significant change in the network. PCI-DSS v3.0 Req. 11.2.1 requires quarterly internal scans and rescans until all “high risk” vulnerabilities are resolved, while PCI-DSS v3.0 Req. 11.2.2 requires quarterly external scans and rescans until no vulnerabilities exist that are scored 4.0 or higher by the CVSS. In addition, PCI-DSS v3.0 Req. 11.2.3 requires internal and external scanning, and rescanning, after any significant change to the network.

PCI-DSS v3.0 Req. 6.1 requires companies to establish a formal process for vulnerability identification and risk ranking using reputable outside sources. PCI-DSS v3.0 further notes that “Risk rankings should be based on industry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration of the CVSS base score, and/or the classification by the vendor, and/or type of systems affected.” SecurityCenter can be used to collect vulnerability data, and also to track and monitor other threat considerations that can help your organization determine the appropriate risk ranking for internal scan findings. More information can be found here: https://www.pcisecuritystandards.org

By defining assets for internal or external IP networks or a range of hosts, the compliance manager can run this dashboard for the internal and/or external network.  Please note that the name of the dashboard should be modified to reflect if the dashboard is internal or external. 

To easily apply an asset to the dashboard, first add the dashboard from the feed.  After clicking “Add Dashboard” and selecting the category, locate this dashboard.  Click “Add it Now”, and then click “Configure Now”. Next, select the asset from the drop-down list and change its name.  Shown below is an example of this step: 

Add asset filter when loading a dashboard

Listed below are the components provided with this dashboard. 

Qualitative Risk Analysis - Vulnerability Information by CVSS Score: The Vulnerability Information by CVSS Score matrix provides the cumulative number of vulnerable hosts, the number of vulnerabilities and the percentage of exploitable vulnerabilities. 

Qualitative Risk Analysis - Current Vulnerabilities Last Seen X Days Ago: The Current Vulnerabilities Last Seen X Days Ago table displays the cumulative hosts with vulnerabilities for each CVSS Score range that was created.

Qualitative Risk Analysis - Time to Patch Vulnerabilities: The Time to Patch Vulnerabilities table displays the CVSS Score ranges 4.0 - 4.9, 5.0 - 5.9, 6.0 - 6.9, 7.0 - 7.9, 8.0 - 8.9, 9.0 - 9.9, and 10.

Qualitative Risk Analysis - Severities by Subnet: The Severities by Subnet chart provides a cumulative top ten IP subnets separated by severities of vulnerabilities within each subnet range.

Qualitative Risk Analysis - Percent of Vulnerabilities Patched in Last X Days: The Percent of Vulnerabilities Patched in Last X Days table tracks patched vulnerabilities and detects the time required to apply the patch. 

Qualitative Risk Analysis - Vulnerabilities Patched in Last X Days: The Vulnerabilities Patched in Last X Days table displays the number of hosts with vulnerabilities that were patched within a certain number of days.

Qualitative Risk Analysis - CVSS Trending for 3 Months: The CVSS Trending for 3 Months chart provides an overview of the different CVSS Scores over the last 3 months.

Qualitative Risk Analysis - Vulnerabilities by Subnet: The Vulnerabilities by Subnet table provides a cumulative number of medium, high, and critical vulnerabilities per the top ten IP subnets.