Understanding Risk Ratings and Penetration Testing Results
The entire reason you get a penetration test done is to understand the severity and potential impact of the vulnerabilities it discovers. The findings from the engagement are translated into risk ratings, which help organizations prioritize their response strategies. This process blends technical evaluation, such as the Common Vulnerability Scoring System (CVSS), with business impact analysis.
Understanding risk ratings post-penetration testing is about striking a balance between technical vulnerability assessments and business impact considerations.
The Role of CVSS in Risk Ratings
Standardizing Vulnerability Assessment
CVSS provides an open framework for communicating the characteristics and severity of vulnerabilities. Its scores range from 0 to 10, with higher scores indicating greater severity. CVSS was created to provide a standardized framework for rating the severity of software vulnerabilities. Before CVSS, there was no universal system for rating vulnerabilities, leading to inconsistencies in how organizations assessed and prioritized security threats. CVSS is not perfect; it is, however, a helpful rubric that provides a standardized means by which vulnerabilities can be scored, triaged, and understood across industries and governments. Even so, CVSS scores are just a starting point in risk assessment.
Key Aspects:
Base Metrics: Measure the inherent qualities of a vulnerability.
Temporal Metrics: Consider factors that change over time, like the availability of exploits.
Environmental Metrics: Tailor the CVSS score to the vulnerability’s impact on your specific environment.
Business Impact Analysis: Beyond Technical Scores
Evaluating the Business Context
While CVSS offers a technical view of vulnerabilities, business impact analysis contextualizes these vulnerabilities within an organization’s unique environment. This involves understanding the criticality of affected systems and the data they handle. The location of the system, how accessible it is, the privileges required, and the data it stores and transmits are all factors that determine the impact. The data from this analysis is typically fed into the CVSS scoring mechanism to adjust the temporal score, giving vulnerabilities contextual scores. For example, if a vulnerability scan finds an NFS share that is open and world-readable, that may show up as a medium finding. However, if during pen testing the share is observed to contain sensitive data, or the share is on an Internet-accessible endpoint, the vulnerability’s risk would be rated higher based on the CVSS scoring metrics.
Some organizations also have their own risk ratings or risk classifications that are known and understood only within that organization. These are used to work with internal teams, to manage things like SLAs on how quickly teams need to mitigate flaws, or to decide which findings need to be reported to regulatory authorities or the Board of Directors (or shareholders, for that matter). Typically, CVSS is the starting point, and the business impact analysis is an important input when calculating the CVSS score.
Experts often use a formula that considers both the likelihood of a vulnerability being exploited and its potential impact when performing their analysis. This helps categorize risks into levels such as Low, Medium, High, and Critical.
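To make the metric groups and the NFS-share example above concrete, here is an added CVSS v3.1 calculator (not code from the original post), written from the public v3.1 specification. The two vectors for the share are constructed assumptions: the scanner's view (adjacent network, low confidentiality impact) and the pen tester's view after finding sensitive data on an Internet-facing host (MAV:N, MC:H, CR:H); the temporal factors E/RL/RC are left at their defaults.

```python
# CVSS v3.1 base + environmental scoring from the public v3.1 spec (FIRST.org); added example, NFS vectors are constructed
import math

AV = {"N": .85, "A": .62, "L": .55, "P": .2}
AC, UI = {"L": .77, "H": .44}, {"N": .85, "R": .62}
PR = {"U": {"N": .85, "L": .62, "H": .27}, "C": {"N": .85, "L": .68, "H": .5}}  # keyed by scope
CIA = {"H": .56, "L": .22, "N": 0}
REQ = {"X": 1, "H": 1.5, "M": 1, "L": .5}  # CR / IR / AR environmental weights
TEMPORAL = {"E": {"X": 1, "H": 1, "F": .97, "P": .94, "U": .91},
            "RL": {"X": 1, "U": 1, "W": .97, "T": .96, "O": .95},
            "RC": {"X": 1, "C": 1, "R": .96, "U": .92}}

def roundup(x):
    """One-decimal round-up exactly as spec section 7.5 prescribes (avoids float drift)."""
    i = round(x * 100000)
    return i / 100000 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10

def parse(vector):
    """'CVSS:3.1/AV:A/AC:L/...' -> {'AV': 'A', 'AC': 'L', ...}"""
    return dict(p.split(":") for p in vector.split("/")[1:])

def score(m, env=False):
    """Base score, or with env=True the environmental score: MAV/MC/... override the
    base metrics unless X, CR/IR/AR weight the impact, E/RL/RC scale the rounded result."""
    get = lambda k: m["M" + k] if env and m.get("M" + k, "X") != "X" else m[k]
    req = lambda r: REQ[m.get(r, "X")] if env else 1
    changed = get("S") == "C"
    expl = 8.22 * AV[get("AV")] * AC[get("AC")] * PR[get("S")][get("PR")] * UI[get("UI")]
    iss = 1 - math.prod(1 - req(r) * CIA[get(k)] for k, r in (("C", "CR"), ("I", "IR"), ("A", "AR")))
    if env:  # the environmental impact sub-score is capped and uses a different curve
        iss = min(iss, .915)
        impact = 7.52 * (iss - .029) - 3.25 * (iss * .9731 - .02) ** 13 if changed else 6.42 * iss
    else:
        impact = 7.52 * (iss - .029) - 3.25 * (iss - .02) ** 15 if changed else 6.42 * iss
    if impact <= 0:
        return 0.0
    core = roundup(min((1.08 if changed else 1) * (impact + expl), 10))
    return roundup(core * math.prod(TEMPORAL[t][m.get(t, "X")] for t in TEMPORAL)) if env else core

def severity(s):  # qualitative rating on the v3.1 scale
    return next(l for lim, l in ((0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High"), (10, "Critical")) if s <= lim)

def nfs_share_example():
    """Constructed: the article's world-readable NFS share. The scanner rates the raw finding;
    the pen tester adds Internet exposure (MAV:N) and the sensitive data found on it (MC:H, CR:H)."""
    scanner = parse("CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N")
    pentest = parse("CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/MAV:N/MC:H/CR:H")
    b, e = score(scanner), score(pentest, env=True)
    return (b, severity(b)), (e, severity(e))
```

Running `nfs_share_example()` shows the same finding moving from a Medium base score to a Critical environmental score once the tester's context is applied, which is the adjustment the paragraphs above describe.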
Factors Further Influencing Risk Ratings:
Key Considerations:
Data Sensitivity: The level of confidentiality and importance of the data at risk.
System Criticality: How crucial the compromised system is to business operations.
Downtime Costs: The financial and operational impact of potential disruptions.
Likelihood of Exploit: Based on factors like the complexity of the exploit and the presence of known exploits.
Potential Impact: Assessed in terms of data loss, financial damage, and reputational harm.
Conclusion
Understanding risk ratings post-penetration testing is about striking a balance between technical vulnerability assessments and business impact considerations. By integrating CVSS scores with a thorough understanding of business context and the criticality of systems and data, organizations can prioritize their cybersecurity efforts effectively, focusing resources where they are needed most. Risk assessment is a dynamic process. As organizational environments and threat landscapes evolve, so too should the approaches to evaluating and addressing vulnerabilities. By staying informed and adaptable, organizations can maintain a robust defense against an ever-changing array of cyber threats.
Nick Popovich
Nick is the founder and “hacker on staff”. He’s a lifelong learner and loves finding new ways to get under the hood of systems and networks. He is married and has three kids, who will one day appreciate his jokes.