Adjusting risk with criticality

The Risk Score Adjustment setting allows you to customize your assets’ risk score calculations according to the business context of the asset. For example, if you have set the Very High criticality level for assets belonging to your organization’s senior executives, you can configure the risk score adjustment so that those assets will have higher risk scores than they would have otherwise. You can specify modifiers for your user-applied criticality levels that will affect the asset risk score calculations for assets with those levels set.

Note that you must enable Risk Score Adjustment for the criticality levels to be taken into account in calculating the risk score; it is not set by default.

To enable and configure Risk Score Adjustment:

  1. On the Administration page, in Global and Console Settings, click the Manage link for global settings.
  2. In the Global Settings page, select Risk Score Adjustment.
  3. Select Adjust asset risk scores based on criticality.
  4. Change any of the modifiers for the listed criticality levels, per the constraints listed below.

Constraints:

  • Each modifier must be greater than 0.
  • You can specify up to two decimal places. For example, frequently-used modifiers are values such as .75 or .25.
  • The numbers must correspond proportionately to the criticality levels. For example, the modifier for the High criticality level must be less than or equal to the modifier for the Very High criticality level, and greater than or equal to the modifier for the Medium criticality level. The numbers can be equal to each other; for example, they can all be set to 1.

The default values are:

  • Very High: 2
  • High: 1.5
  • Medium: 1
  • Low: 0.75
  • Very Low: 0.5

Interaction with risk strategy

The Risk Strategy and Risk Score Adjustment are independent factors that both affect the risk score.

To calculate the risk score for an individual asset, Nexpose uses the algorithm corresponding to the selected risk strategy. If Risk Score Adjustment is set and the asset has a criticality tag applied, the application then multiplies the risk score determined by the risk strategy by the modifier specified for that criticality tag.

The risk score for a site or asset group is based upon the scores for the assets in that site or group. The calculation used to determine the risk for the entire site or group depends on the risk strategy. Note that even though it is possible to apply criticality through an asset group, the criticality actually gets applied to each asset and the total risk score for the group is calculated based upon the individual asset risk scores.

Viewing risk scores

If Risk Score Adjustment is enabled, nearly every risk score you see in your console installation will be the context-driven risk score that takes into account the risk strategy and the risk score adjustment. The one exception is the Original risk score available on the page for a selected asset. The Original risk score takes into account the risk strategy but not the risk score adjustment. Note that the values displayed are rounded to the nearest whole number, but the calculations are performed on more specific values. Therefore, the context-driven risk score shown may not be the exact product of the displayed original risk score and the multiplier.
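The modifier constraints, the per-asset multiplication, and the rounding caveat described in this section, as an added Python example (not Nexpose code; the default modifiers and constraints come from this page, the sample scores are constructed):

```python
from decimal import Decimal, ROUND_HALF_UP

# Criticality levels in ascending order, as listed on the page.
LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]

# The page's default Risk Score Adjustment modifiers, kept as strings so that
# Decimal parses them exactly (0.75 is not an exact binary float).
DEFAULT_MODIFIERS = {"Very High": "2", "High": "1.5", "Medium": "1",
                     "Low": "0.75", "Very Low": "0.5"}


def validate_modifiers(mods):
    """Return the list of constraint violations; an empty list means valid."""
    d = {level: Decimal(str(mods[level])) for level in LEVELS}
    errors = []
    for level in LEVELS:
        if d[level] <= 0:
            errors.append(f"{level}: modifier must be greater than 0")
        # At most two decimal places: quantizing must not change the value.
        if d[level] != d[level].quantize(Decimal("0.01")):
            errors.append(f"{level}: at most two decimal places allowed")
    # Modifiers must be non-decreasing from Very Low up to Very High.
    for lower, higher in zip(LEVELS, LEVELS[1:]):
        if d[lower] > d[higher]:
            errors.append(f"{lower} modifier exceeds {higher} modifier")
    return errors


def adjusted_score(strategy_score, criticality, mods):
    """Context-driven asset score: the risk-strategy score times the tag's
    modifier. An asset with no criticality tag keeps its strategy score."""
    score = Decimal(str(strategy_score))
    if criticality is None:
        return score
    return score * Decimal(str(mods[criticality]))


def displayed(score):
    """The console shows scores rounded to the nearest whole number."""
    return int(Decimal(str(score)).quantize(Decimal("1"), rounding=ROUND_HALF_UP))


def rounding_example(strategy_score, criticality, mods):
    """Return (shown original, shown context-driven, shown original * modifier)
    to illustrate why the last two values can differ by one."""
    shown_original = displayed(strategy_score)
    shown_adjusted = displayed(adjusted_score(strategy_score, criticality, mods))
    naive_product = displayed(Decimal(shown_original) * Decimal(str(mods[criticality])))
    return shown_original, shown_adjusted, naive_product
```

With a constructed strategy score of 412.4 and the default High modifier, the console shows 412 and 619, while 412 x 1.5 would suggest 618.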

When you first apply a criticality tag to an asset, the context-driven risk score on the page for that asset should update very quickly. There will be a slight delay in recalculating the risk scores for any sites or asset groups that include that asset.

Real Risk score

The Security Console uses a Real Risk scoring strategy which calculates a vulnerability risk score on a scale of 1-1000. The goal of the Real Risk scoring strategy is to provide an appraisal of each vulnerability as close as possible to performing a manual risk assessment on each individual vulnerability finding. In contrast to traditional CVSS scores that use a 1-10 system, this algorithm allows for greater incrementation throughout our risk score assessments. Thousands of vulnerabilities may have a CVSS score of 10, which makes it difficult to distinguish which vulnerabilities pose the most risk and should be addressed first. By using a 1-1000 scale, it is easier to prioritize the remediation of key vulnerabilities.

Vulnerability risk score scale

Real Risk scores can be used in conjunction with CVSS scores for an additional level of data scrutiny. CVSS scores may show a different severity level than Real Risk scores due to scan configuration or user adjustment during verification. For example, you review a vulnerability with a low Real Risk and a high CVSS score. Despite the high CVSS score initially flagging the vulnerability, you may determine that the asset is isolated and the risk score is actually low. For significant severity score differences, review vulnerability history and details to verify the correct severity level.

Severity    CVSS v3 score range
Low         0.1 - 3.9
Medium      4.0 - 6.9
High        7.0 - 8.9
Critical    9.0 - 10.0

How is a Real Risk score calculated?

After the Security Console discovers a vulnerability, the Real Risk algorithm analyzes potential types of exposures to provide you with a deeper understanding of the threats your environment faces and the value of different mitigation approaches. This strategy applies exploit and malware exposure metrics for each vulnerability to CVSS base metrics for asset impact (confidentiality, integrity, and availability) and likelihood of compromise (access vector, access complexity, and authentication requirements) in relation to time.

Risk score hierarchy

The risk score from every vulnerability found on a particular asset is aggregated to obtain an overall asset risk score. This score is normalized to a range between 0 and 1000. To ensure that not too many low-severity vulnerability risk scores overwhelm important high-severity ones, asset risk scores are skewed towards the highest vulnerability risk scores found on an asset. Assets can be organized into Asset Groups. Asset groups are used to categorize similar or related assets for monitoring purposes. An asset group’s risk score is an aggregate of all individual asset risk scores found within the group. A Site risk score is also generated. It is a calculation derived from all assets within a given site. In addition to asset risk scores, you can create a Criticality Tag to prioritize and label the level of urgency required when performing remediation on a specific asset.

Apply criticality tags

When a criticality tag is applied, the asset risk score is multiplied by the risk score factor associated with the tag. To adjust the risk score factor associated with individual criticality tags:

  1. Go to Administration > Global and Console Settings > Manage > Risk Score Adjustment.
  2. Select the Adjust asset risk scores based on criticality box.
  3. In the Criticality Tags section, fill out the fields with the value you want for each tag.

Remediation reporting

The Top Remediation report advises you on which solutions to implement and which actions to take, to reduce the most amount of risk based on your Real Risk score. This type of reporting differs from the traditional CVSS score reporting method, which restricts you to the time consuming and tedious process of fixing vulnerabilities with a score of 10 one by one. The goal of the Real Risk remediation reporting method is to provide you better insight into how you can produce the greatest amount of positive impact to your overall risk score with the least amount of action taken.