Qualitative Risk Analysis with CVSS Scores

by Michael Willison
June 20, 2014

Information Security professionals continuously perform various types of risk assessments within their environment.  SecurityCenter users have a secret weapon in the battle to properly assess risk, and that weapon is SecurityCenter's native ability to fully use the CVSS scoring system. 

The report is available in the SecurityCenter Feed, an app store of dashboards, reports, and assets. The report can be easily located in the SecurityCenter Feed by selecting the category Threat Detection & Vulnerability Assessments and then selecting the tags analysis and CVSS. The report requirements are:

  • SecurityCenter 4.8.1
  • Nessus 5.2.6
  • LCE 4.2.2
  • PVS 4.0.2

A risk assessment requires a qualitative analysis of the vulnerabilities within a network. The Forum of Incident Response and Security Teams (FIRST) created the Common Vulnerability Scoring System (CVSS) to normalize the methodology for analyzing risk. The CVSS provides an open framework for assessing the risk of discovered vulnerabilities. The CVSS methodology uses three metric groups: Base, Temporal, and Environmental. This report uses the Base metric group to aid in the performance of qualitative risk analysis. The report focuses on CVSS scores of 4.0 to 10.0.

There are six base metrics used to qualitatively assess the risk of a vulnerability. The Base metric group has two subgroups: the access metrics and the impact metrics. The access metrics assign a risk level based on the vector used to gain access to the target system.

The access metrics include:

  • Access Vector: which reflects the methods used to exploit a vulnerability
  • Access Complexity: which measures the difficulty or complexity that an attacker faces in exploiting a vulnerability once access is obtained
  • Authentication: which measures how many authentication repetitions are required to successfully exploit a vulnerability

The impact metrics use the CIA triad (Confidentiality, Integrity, Availability) to assign an impact score to a vulnerability. The impact metrics include:

  • Confidentiality Impact: measures the loss of confidentiality after a successful exploit, meaning how well access by unauthorized users can be prevented and how well access is limited to information that could further aid a covert attack
  • Integrity Impact: measures to what extent the information stored on the system is impacted by a successful exploit, meaning the impact on the accuracy and reliability of the information stored on the victim system
  • Availability Impact: measures how system resources are affected when the vulnerability is exploited; some attacks can consume CPU, network, or other resources available to the target system

The CVSS report shows vulnerabilities within each of the different CVSS score ranges (4.0 – 4.9, 5.0 – 5.9, 6.0 – 6.9, 7.0 – 7.9, 8.0 – 8.9, 9.0 – 9.9, and 10.0). The colors for CVSS Scores are orange for medium severity with a rating of 4.0 – 6.9, red for high severities that have a rating of 7.0 – 9.9, and purple for critical severities with a rating of 10.0. 

SecurityCenter can help identify vulnerabilities that must be mitigated in order to satisfy PCI DSS vulnerability scanning requirements. PCI DSS v3.0 Req. 11.2 states that internal and external network vulnerability scans must be run at least quarterly, and after any significant change in the network. PCI DSS v3.0 Req. 11.2.1 requires quarterly internal scans and rescans until all 'high risk' vulnerabilities are resolved, while PCI DSS v3.0 Req. 11.2.2 requires quarterly external scans and rescans until no vulnerabilities exist that are scored 4.0 or higher by the CVSS. In addition, PCI DSS v3.0 Req. 11.2.3 requires internal and external scanning, and rescanning, after any significant change to the network.  PCI DSS v3.0 Req. 6.1 requires companies to establish a formal process for vulnerability identification and risk ranking using reputable outside sources. PCI DSS v3.0 further notes that 'Risk rankings should be based on industry best practices as well as consideration of potential impact. For example, criteria for ranking vulnerabilities may include consideration of the CVSS base score, and/or the classification by the vendor, and/or type of systems affected.' SecurityCenter can be used to collect vulnerability data, and also to track and monitor other threat considerations that can help your organization determine the appropriate risk ranking for internal scan findings.  More information can be found here: https://www.pcisecuritystandards.org

By defining assets for internal or external IP networks or a range of hosts, the compliance manager can run this report for the internal and/or external network. Please note that the name of the report should be modified to reflect whether the report is internal or external.

To edit the report template, click the edit button and then change the name of the report. In this example, the report will be called "External CVSS Report." Next, click on the Definition tab and click the Find/Update link. When the window comes up, the top search option is called 'Search Filters'. Click the add button in the Search Filters area, and in the first drop-down box select Assets. A new drop-down list will appear; select 'is not set', then click the save button in the Search Filters area. Next, under the 'Update Actions' section, click the add button. Select Asset in the first drop-down box, and then select 'is set to' in the second drop-down box. In the third drop-down box select the external asset group and click save. The last step is to click the 'Update' button in the middle of the window on the left-hand side. After the button is clicked, the window at the bottom will be updated with the filters that have been modified. Finally, click the close button at the bottom of the 'Find/Update Filters' window and click submit at the bottom of the page. The report has now been customized and can be launched, and only the IP addresses that are part of the 'External' asset will be covered in the report.

While this report can often result in a file with more than 1000 pages, the scalability of this report allows the user to select only the chapters that are needed. One approach would be to have seven separate reports, one for each CVSS level. This can be easily accomplished by selecting only the desired report when importing from the feed, or by making a local copy of the report and deleting the unused chapters.