Asset scores are a composite score based on the asset fingerprint, configuration, and vulnerabilities found. Vulnerabilities are weighted by impact (CVSS score), in-the-wild exploitation signals (CISA KEV), likelihood of exploitation (EPSS), time since public disclosure, and time of exposure (time to remediation). The level of access required for successful exploitation is also considered, as is the visibility of the vulnerable service (internet-facing vs. LAN vs. on-device).
This methodology means that a few high-impact, low-complexity vulnerabilities can drastically affect the score, for example a remote code execution (RCE) vulnerability on an internet-facing server that can be exploited without any user interaction. Aggregate impact is also considered, such as many critical vulnerabilities on one machine, or lower-scoring exploited vulnerabilities present on a machine that also has criticals.
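The factors listed above, turned into a small illustrative scoring model so the behaviour (one internet-facing, no-interaction RCE dominating; many smaller findings still adding up) can be seen on sample data. This is added example code, not Nodeware's formula: the article names the inputs but not the weights, so the multipliers, the saturating aggregation and the sample findings are all assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from math import exp

# Illustrative model only: the factors come from the article, the weights are assumed.
EXPOSURE = {"internet": 1.0, "lan": 0.6, "device": 0.3}   # visibility of the vulnerable service
ACCESS = {"none": 1.0, "low": 0.7, "high": 0.4}            # privileges required to exploit

@dataclass
class Vuln:
    cve: str
    cvss: float              # CVSS base score, 0-10 (impact)
    epss: float              # EPSS probability, 0-1 (likelihood of exploitation)
    in_kev: bool             # listed in CISA KEV (in-the-wild exploitation signal)
    disclosed: date          # public disclosure date
    user_interaction: bool   # exploitation needs a user action
    access: str              # key of ACCESS
    exposure: str            # key of EXPOSURE

def vuln_weight(v: Vuln, today: date) -> float:
    """Per-finding weight: impact x exploitation evidence x time exposed x reachability."""
    impact = (v.cvss / 10.0) ** 2                      # squared so criticals stand out
    # KEV listing and a high EPSS both raise the weight: evidence the bug is really exploited
    exploitation = 1.0 + 1.5 * v.epss + (1.0 if v.in_kev else 0.0)
    # the longer a disclosed bug stays unremediated, the worse; saturates after one year
    days_open = max(0, (today - v.disclosed).days)
    exposure_time = 1.0 + min(days_open, 365) / 365.0 * 0.5
    w = impact * exploitation * exposure_time * ACCESS[v.access] * EXPOSURE[v.exposure]
    if v.user_interaction:
        w *= 0.7                                        # needs a click: lower complexity bonus
    return w

def asset_score(vulns: list[Vuln], today: date) -> float:
    """0-100, saturating: one heavy finding pushes the score up alone, many light ones add up."""
    return round(100.0 * (1.0 - exp(-sum(vuln_weight(v, today) for v in vulns))), 1)

# Constructed sample findings for one asset (CVE ids are placeholders, not real advisories)
TODAY = date(2024, 6, 30)
RCE_INTERNET = Vuln("CVE-0000-0001", 9.8, 0.92, True, date(2024, 3, 1), False, "none", "internet")
RCE_LAN = Vuln("CVE-0000-0001", 9.8, 0.92, True, date(2024, 3, 1), False, "none", "lan")
WEAK_TLS = Vuln("CVE-0000-0002", 5.3, 0.01, False, date(2021, 6, 1), False, "none", "internet")

if __name__ == "__main__":
    print(asset_score([RCE_INTERNET], TODAY), asset_score([RCE_LAN], TODAY), asset_score([WEAK_TLS], TODAY))
```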
Vulnerability Categories
Nodeware measures vulnerabilities based on the Common Vulnerability Scoring System (CVSS) score, as discussed in the CVSS knowledge base article in the Scoring section. Individual vulnerabilities are categorized into 5 bins based on severity. The categories are Critical, High, Medium, Low, and Info.
Critical Vulnerabilities
A vulnerability categorized as Critical requires immediate attention: it either has a public exploit widely available or has a large impact on the information security of the system and the network at large.
Nodeware identifies critical vulnerabilities with a red exclamation point (!) icon in the status column of network view and via Critical Vulnerability Alerts, as discussed in the Alerts knowledge base article in the How-To section.
High Vulnerabilities
A High severity rating means that remediation should take place as soon as possible. Publicly available exploits may not exist or be widespread, but it is likely that a proof-of-concept exploit exists, or it is feared that black hat individuals or groups have developed one.
Both Critical and High vulnerabilities often require updates to the operating system or system software and are usually directly related to a security bulletin published by the software and hardware vendors.
Medium and Low Vulnerabilities
Vulnerabilities that fall into the Medium and Low bins are often configuration related; remediation typically consists of filtering ports, disabling unused services, and keeping SSL certificates current.
Informational Messages
Vulnerabilities marked Info are not vulnerabilities per se and usually pose no security risk; they are meant to inform about accessible services and ports. Informational messages represent data that can be gathered by anyone with authorized or unauthorized access to your network and devices.