Understanding Vulnerability, Asset and Risk Meter Scoring

There are three main components of scoring in Cisco Vulnerability Management. Understanding these scoring concepts for vulnerabilities, assets and risk meters will help you use Cisco Vulnerability Management more effectively.

Component 1: Vulnerability Scoring

In Cisco Vulnerability Management, vulnerabilities from your various scanning vendors are imported during connector runs and normalized based on the CVE ID, CWE ID or the WASC identifier. 

For network vulnerabilities, Cisco Vulnerability Management starts from the CVSS base score for the CVE. It then consults 20+ threat and exploit feeds to understand the volume and velocity of attacks against that CVE, whether malware targeting it is available, how easy it is to exploit, whether it is actively being exploited in the wild, and so on. All of these details together derive the risk score.

For application vulnerabilities, scores are based on the risk score from the scanner or a base CWE score if a scanner score is not available.

Vulnerabilities get a score from 0-100 and are broken out into thirds:

Green 0-33

Amber 34-66

Red 67-100


Component 2: Asset Scoring

When Cisco Vulnerability Management calculates the score for an asset, it looks only at the highest scored vulnerability present on the asset. Cisco Vulnerability Management considers an asset to be as at risk as its highest vulnerability. This is an important concept to understand because the asset score is not an average of all the vulnerabilities that are present. As you remediate vulnerabilities on an asset, the asset score will not change until you remediate the highest scored vulnerability itself; fixing lower scored vulnerabilities first leaves the asset score where it was.

Assets get a score from 0-1000 and are broken out into thirds rounded to the nearest 10:

Green 0-330

Amber 340-660

Red 670-1000

The way the default asset score is calculated is to look at the highest scored vulnerability and multiply it by the asset priority. Asset Priority is set to 10 by default but is adjustable per asset. For more information regarding Asset Priority, refer to the Asset Prioritization In Cisco Vulnerability Management article or discuss with your CX team.

Highest Vuln Score   X   Asset Priority   =   Default Asset Score
100                  X   10               =   1000
80                   X   10               =   800
100                  X   7                =   700
70                   X   6                =   420

Internal vs External IP Scoring

In addition to the default asset score discussed above, Cisco Vulnerability Management adds 200 points to the score if the asset has an external IP address, because external facing assets represent a higher risk. By default, Cisco Vulnerability Management considers any asset whose IP address falls outside the RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, which is 172.16.0.0 - 172.31.255.255, and 192.168.0.0/16) to be an external asset. You will see a score increase of 200 points if the asset is considered external. The asset score is still capped at 1000, so an asset whose default score is already 1000 does not go above it.

Note: This external 200 point increase can be disabled for those customers who use publicly routable IP space internally. For more information, contact your CX team.

Highest Vuln Score   X   Asset Priority   =   Default Asset Score   External IP?   +     Final Asset Score
100                  X   10               =   1000                  yes            200   1000
80                   X   10               =   800                   no             0     800
100                  X   7                =   700                   yes            200   900
70                   X   6                =   420                   yes            200   620

Component 3: Risk Meter Score

The last component of scoring is the Risk Meter Score. This score is the average of the asset scores of all active, non-zero scored assets in the risk meter's group; inactive assets and assets with a score of 0 are left out of the average. Risk Meters get a score between 0-1000 and are broken out into thirds rounded to the nearest 10:

Green 0-330

Amber 340-660

Red 670-1000
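The asset scoring rules in Component 2 and the risk meter average in Component 3 together, as an added worked example. This is constructed example code, not Cisco Vulnerability Management's own implementation: the multiply-by-priority rule, the 200 point external bonus, the 1000 cap, the RFC 1918 definition of "internal" and the active, non-zero average are taken from the article; the sample assets, the half-up rounding of scores that fall between the published bands (for example 335) and the whole-number rounding of the risk meter average are assumptions made here.

```python
"""Asset and risk meter scoring as described in the article.

Constructed example, not Cisco Vulnerability Management code. Rules come
from the article; the sample assets and the rounding choices are assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from statistics import mean

# The article defines "internal" as exactly the three RFC 1918 blocks.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),   # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),
]
EXTERNAL_BONUS = 200
MAX_ASSET_SCORE = 1000
DEFAULT_PRIORITY = 10


def is_external(ip: str) -> bool:
    """True unless the address is inside one of the RFC 1918 blocks.

    Deliberately follows the article's rule rather than ipaddress's
    is_private, which would also treat loopback, link-local and CGNAT
    space as internal.
    """
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


@dataclass
class Asset:
    name: str
    ip: str
    vuln_scores: list[int] = field(default_factory=list)  # 0-100 each
    priority: int = DEFAULT_PRIORITY                      # adjustable per asset
    active: bool = True
    external_bonus_enabled: bool = True  # tenant-wide switch mentioned in the Note


def default_asset_score(asset: Asset) -> int:
    """Highest vuln score times asset priority; other vulns do not matter."""
    highest = max(asset.vuln_scores, default=0)
    return highest * asset.priority


def asset_score(asset: Asset) -> int:
    """Default score, plus 200 if external, capped at 1000."""
    score = default_asset_score(asset)
    if asset.external_bonus_enabled and is_external(asset.ip):
        score += EXTERNAL_BONUS
    return min(score, MAX_ASSET_SCORE)


def band(score: int, scale: int = 1000) -> str:
    """Green/Amber/Red thirds. scale=100 for vulns, 1000 for assets/risk meters.

    On the 1000 scale the article lists bands rounded to the nearest 10
    (0-330, 340-660, 670-1000), so the score is rounded to the nearest 10
    first. Assumption: a half (e.g. 335) rounds up.
    """
    step = scale // 100                        # 1 for vulns, 10 otherwise
    s = (score + step // 2) // step * step     # round to nearest step, half up
    if s <= 33 * step:
        return "Green"
    if s <= 66 * step:
        return "Amber"
    return "Red"


def risk_meter_score(assets: list[Asset]) -> int:
    """Average of active, non-zero asset scores; assumed rounded to a whole number."""
    scores = [asset_score(a) for a in assets if a.active]
    scores = [s for s in scores if s > 0]
    return round(mean(scores)) if scores else 0  # assumption: empty group scores 0


# Constructed sample group mirroring the article's four table rows, plus an
# asset with no vulnerabilities and an inactive asset that the average skips.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, used here as
# "external" addresses.
SAMPLE_ASSETS = [
    Asset("web-01", "203.0.113.10", [100, 80], priority=10),       # 1000+200 -> 1000
    Asset("db-01", "10.0.5.20", [80, 45], priority=10),            # 800, internal
    Asset("jump-01", "198.51.100.7", [100], priority=7),           # 700+200 -> 900
    Asset("vpn-01", "198.51.100.8", [70, 30], priority=6),         # 420+200 -> 620
    Asset("legacy-01", "192.168.1.9", []),                         # 0, excluded
    Asset("decom-01", "203.0.113.99", [95], active=False),         # inactive, excluded
]

if __name__ == "__main__":
    for a in SAMPLE_ASSETS:
        print(f"{a.name:10} {asset_score(a):5} {band(asset_score(a))}")
    rm = risk_meter_score(SAMPLE_ASSETS)
    print("risk meter:", rm, band(rm))
```

Running it reproduces the article's table (1000, 800, 900, 620) and a risk meter of 830, Red. The `db-01` row also shows the remediation caveat from Component 2: removing its 45-point vulnerability leaves the asset at 800, because only the highest vulnerability (80) feeds the score.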
