Phase A

As we have already identified (or are working towards identifying) the high-impact applications and systems, we should also be identifying the stakeholders who are responsible for fixing the vulnerabilities found in them. Once we start looking at the vulnerabilities, we can use CVSS v2.0 as a guide for ranking them. Notice in the following diagram that we have placed high, medium, and low risk exposure into a RAG (red, amber, green) dashboard-style view, so that we can see at a glance whether we are in good shape, need a little work, or have a lot of work to do:

Of course, how these thresholds are defined is up to the organization, but we want to at least begin by understanding what they could look like.

For example:

  • High severity:
    • Red: Average of 10 vulnerabilities per system
    • Amber: Average of 7-9 vulnerabilities per system
    • Green: Average of 0-6 vulnerabilities per system
  • Medium severity:
    • Red: Average of 20 vulnerabilities per system
    • Amber: Average of 10-19 vulnerabilities per system
    • Green: Average of 0-9 vulnerabilities per system
  • Low severity:
    • Red: Average of 25 vulnerabilities per system
    • Amber: Average of 15-24 vulnerabilities per system
    • Green: Average of 0-14 vulnerabilities per system

Applying an average per system allows a stakeholder to identify what they should work on first. If they are red in both the low severity and the high severity categories, they know they need to work on the high severity vulnerabilities first. If the high and low severity ratings are green and the medium severity rating is amber, they know they should focus on decreasing the average number of medium severity vulnerabilities per system.
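The following is an added example, not code from the book: it turns the example thresholds above into a RAG dashboard and applies the "fix the worst category first" rule just described. The scan data, system names, and the reading of the Red rows as "that average or higher" are assumptions made for the example.

```python
SEVERITY_ORDER = ("high", "medium", "low")

# (amber_floor, red_floor) per severity, from the thresholds listed above.
# Assumption: the Red row ("Average of 10 ...") means that average or higher,
# since the Amber band already covers the values just below it.
THRESHOLDS = {"high": (7, 10), "medium": (10, 20), "low": (15, 25)}
RAG_RANK = {"red": 0, "amber": 1, "green": 2}  # lower rank = worse status


def rag_status(severity, average):
    """Map an average-per-system figure to red/amber/green."""
    amber_floor, red_floor = THRESHOLDS[severity]
    if average >= red_floor:
        return "red"
    if average >= amber_floor:
        return "amber"
    return "green"


def severity_averages(systems):
    """Average open findings per system, per severity; `systems` maps
    system name -> {severity: count}. A system with zero findings in a
    category still counts in the denominator (assumption)."""
    count = len(systems)
    return {sev: sum(s.get(sev, 0) for s in systems.values()) / count
            for sev in SEVERITY_ORDER}


def dashboard(systems):
    """Return {severity: (average, status)} for the RAG view."""
    return {sev: (avg, rag_status(sev, avg))
            for sev, avg in severity_averages(systems).items()}


def focus_area(systems):
    """Severity to fix first: worst RAG status wins, ties go to the higher
    severity (so a red high category outranks a red low category)."""
    board = dashboard(systems)
    return min(SEVERITY_ORDER, key=lambda sev: (RAG_RANK[board[sev][1]],
                                                SEVERITY_ORDER.index(sev)))


# Constructed sample data (hypothetical scan results), not from the book.
SAMPLE = {
    "web-01": {"high": 15, "medium": 8, "low": 30},
    "web-02": {"high": 12, "medium": 14, "low": 28},
    "db-01": {"high": 3, "medium": 2, "low": 20},
}

if __name__ == "__main__":
    for sev, (avg, status) in dashboard(SAMPLE).items():
        print(f"{sev:<7} avg {avg:4.1f}/system -> {status}")
    print("fix first:", focus_area(SAMPLE))
```

With the sample data the high and low categories both come out red and medium green, so the stakeholder is pointed at the high severity findings first.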

The preceding example can be used across an enterprise, and can be matured further within this phase by steadily lowering the target average number of vulnerabilities per system in each category. The main thing for us to understand is that we need to be able to control our network so that our high-impact systems and applications carry an acceptable amount of risk exposure before we think about increasing the scope of reporting. By doing this, we lay the foundation for the cyber intelligence communication channels that carry on into the subsequent phases.
