There are three main components of scoring in Cisco Vulnerability Management. Understanding these scoring concepts for vulnerabilities, assets and risk meters will help you use Cisco Vulnerability Management more effectively.
Component 1: Vulnerability Scoring
In Cisco Vulnerability Management, vulnerabilities from your various scanning vendors are imported during connector runs and normalized based on the CVE ID, CWE ID, or WASC identifier.
For network vulnerabilities, Cisco Vulnerability Management will look at the CVSS base score for the CVE. It then looks at the 20+ threat and exploit feeds to understand the volume and velocity of attacks against that CVE, if there is malware available, if it is easy to exploit, whether it is actively being exploited in the wild, and so on. All of these details help derive the risk score.
For application vulnerabilities, scores are based on the risk score from the scanner or a base CWE score if a scanner score is not available.
Vulnerabilities get a score from 0-100 and are broken out into thirds:
Green 0-33
Amber 34-66
Red 67-100
Component 2: Asset Scoring
When Cisco Vulnerability Management calculates the score for an asset, it looks at the highest scored vulnerability present on the asset. Cisco Vulnerability Management considers an asset to be as at risk as its highest vulnerability. This is an important concept to understand because the asset score is not an average of all the vulnerabilities that are present. As you remediate vulnerabilities on an asset, the asset score will not change unless you remediate the highest scored vulnerability.
Assets get a score from 0-1000 and are broken out into thirds rounded to the nearest 10:
Green 0-330
Amber 340-660
Red 670-1000
The way the default asset score is calculated is to look at the highest scored vulnerability and multiply it by the asset priority. Asset Priority is set to 10 by default but is adjustable per asset. For more information regarding Asset Priority, refer to the Asset Prioritization In Cisco Vulnerability Management article or discuss with your CX team.
Highest Vuln Score | X | Asset Priority | = | Default Asset Score
100 | X | 10 | = | 1000
80 | X | 10 | = | 800
100 | X | 7 | = | 700
70 | X | 6 | = | 420
Internal vs External IP Scoring
In addition to the default asset score discussed above, Cisco Vulnerability Management also applies a 200 point increase in score if the asset has an External IP address, because external-facing assets represent a higher risk. By default, Cisco Vulnerability Management considers any asset with an IP address outside the private ranges 10.*, 172.16.0.0-172.31.255.255, and 192.168.* to be an External asset. You will see a score increase of 200 points if the asset is considered external. The asset score is still capped at 1000, so an asset whose default score is already 1000 does not go higher.
Note: This external 200 point increase can be disabled for those customers who use publicly routable IP space internally. For more information, contact your CX team.
Highest Vuln Score | X | Asset Priority | = | Default Asset Score | External IP? | + | Final Asset Score
100 | X | 10 | = | 1000 | yes | 200 | 1000
80 | X | 10 | = | 800 | no | 0 | 800
100 | X | 7 | = | 700 | yes | 200 | 900
70 | X | 6 | = | 420 | yes | 200 | 620
Component 3: Risk Meter Score
The last component of scoring is the Risk Meter Score. This score is calculated by taking the average of all of the active, non-zero scored assets in the group. Risk Meters get a score between 0 and 1000 and are broken out into thirds rounded to the nearest 10:
Green 0-330
Amber 340-660
Red 670-1000
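The following script is an added example, not code from Cisco or the Cisco Vulnerability Management product, that reproduces the arithmetic described in the asset scoring and risk meter sections above: highest vulnerability score times asset priority, the 200 point external IP increase (with the option to disable it, as the note describes), the 1000 cap, the colour bands, and the group average. The asset and vulnerability lists, IP addresses, function names, and the handling of scores that fall in the gaps between the rounded band boundaries (331-339, 661-669) are assumptions made for the example; the page does not specify a range for Asset Priority, so none is enforced.

```python
"""Worked example of the Cisco Vulnerability Management scoring arithmetic.
Added illustration; not the vendor's code. All sample data is constructed."""
from ipaddress import ip_address, ip_network
from statistics import mean
from typing import Iterable, Optional

# The three private ranges the page lists as internal; anything else is external.
PRIVATE_RANGES = (
    ip_network("10.0.0.0/8"),        # 10.*
    ip_network("172.16.0.0/12"),     # 172.16.0.0 - 172.31.255.255
    ip_network("192.168.0.0/16"),    # 192.168.*
)
EXTERNAL_BONUS = 200
ASSET_SCORE_CAP = 1000
DEFAULT_PRIORITY = 10


def is_external(ip: str) -> bool:
    """True when the address falls outside the three private ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in PRIVATE_RANGES)


def vuln_band(score: int) -> str:
    """Vulnerability scores (0-100) split into thirds: 0-33, 34-66, 67-100."""
    if not 0 <= score <= 100:
        raise ValueError(f"vulnerability score out of range: {score}")
    if score <= 33:
        return "Green"
    if score <= 66:
        return "Amber"
    return "Red"


def asset_band(score: int) -> str:
    """Asset and risk meter scores (0-1000) split into thirds with boundaries
    rounded to the nearest 10 (0-330, 340-660, 670-1000).
    Assumption: the unlisted gap values (331-339, 661-669) take the higher band."""
    if score <= 330:
        return "Green"
    if score <= 660:
        return "Amber"
    return "Red"


def asset_score(vuln_scores: Iterable[int], priority: int = DEFAULT_PRIORITY,
                ip: Optional[str] = None, external_bonus_enabled: bool = True) -> int:
    """Highest vulnerability score x asset priority, plus 200 if the asset is
    external (unless that increase is disabled), capped at 1000.
    Only the highest vulnerability matters, so remediating lower ones
    leaves the result unchanged."""
    scores = list(vuln_scores)
    if not scores:
        return 0  # assumption: an asset with no open vulnerabilities scores 0
    score = max(scores) * priority
    if external_bonus_enabled and ip is not None and is_external(ip):
        score += EXTERNAL_BONUS
    return min(score, ASSET_SCORE_CAP)


def risk_meter_score(asset_scores: Iterable[int]) -> float:
    """Average of the active, non-zero scored assets in the group."""
    live = [s for s in asset_scores if s > 0]
    return mean(live) if live else 0.0


if __name__ == "__main__":
    # Constructed assets matching the four rows of the External IP table above.
    assets = [
        ("web-01", [100, 45, 12], 10, "203.0.113.5"),   # external: 1000 + 200, capped
        ("db-02",  [80, 30],      10, "10.1.2.3"),      # internal: 800
        ("vpn-03", [100],          7, "198.51.100.7"),  # external: 700 + 200
        ("app-04", [70, 70, 5],    6, "192.0.2.9"),     # external: 420 + 200
        ("lab-05", [],            10, "10.9.9.9"),      # no findings: 0, excluded from meter
    ]
    scores = []
    for name, vulns, prio, ip in assets:
        s = asset_score(vulns, prio, ip)
        scores.append(s)
        print(f"{name:7} ext={is_external(ip)!s:5} score={s:4} {asset_band(s)}")
    # Remediating the 30 on db-02 does not move its score; fixing the 80 does.
    print("db-02 after fixing the 30:", asset_score([80], 10, "10.1.2.3"))
    print("db-02 after fixing the 80:", asset_score([30], 10, "10.1.2.3"))
    rm = risk_meter_score(scores)
    print(f"risk meter: {rm} {asset_band(int(rm))}")
```

Running the script prints the four table rows (1000, 800, 900, 620), shows that the zero-scored asset is left out of the group average, and gives a risk meter of 830, which lands in the Red band.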