Finally, we've reached phase C. The scope is now including the low impact applications/systems into the reporting. In addition to the increased scope, we should now be looking at making the CVSS more applicable to our environment by including the environment equation. These metrics measure the impact to the confidentiality, integrity, and availability of a vulnerability to an organization if exploited. The flow is depicted in the following diagram:
By including the environmental equation and the level of impact of the systems and application to the organization, we can then further distinguish what our stakeholders need to fix.
For example:
- High impact systems:
- Critical severity:
- Red: Average of 3 vulnerabilities per system
- Amber: Average of 1-2 vulnerabilities per system
- Green: Average of 0 vulnerabilities per system
- High severity:
- Red: Average of 5 vulnerabilities per system
- Amber: Average of 3-4 vulnerabilities per system
- Green: Average of 0-2 vulnerabilities per system
- Medium severity:
- Red: Average of 10 vulnerabilities per system
- Amber: Average of 8-9 vulnerabilities per system
- Green: Average of 0-7 vulnerabilities per system
- Low severity:
- Red: Average of 15 vulnerabilities per system
- Amber: Average of 10-14 vulnerabilities per system
- Green: Average of 0-9 vulnerabilities per system
- Critical severity:
- Medium impact systems:
- Critical severity:
- Red: Average of 3 vulnerabilities per system
- Amber: Average of 1-2 vulnerabilities per system
- Green: Average of 0 vulnerabilities per system
- High severity:
- Red: Average of 9-10 vulnerabilities per system
- Amber: Average of 6-8 vulnerabilities per system
- Green: Average of 1-5 vulnerabilities per system
- Medium severity:
- Red: Average of 15 vulnerabilities per system
- Amber: Average of 10-14 vulnerabilities per system
- Green: Average of 0-9 vulnerabilities per system
- Low severity:
- Red: Average of 15 vulnerabilities per system
- Amber: Average of 10-14 vulnerabilities per system
- Green: Average of 0-9 vulnerabilities per system
- Critical severity:
- Low impact systems:
- Critical severity:
- Red: Average of 3 vulnerabilities per system
- Amber: Average of 1-2 vulnerabilities per system
- Green: Average of 0 vulnerabilities per system
- High severity:
- Red: Average of 5 vulnerabilities per system
- Amber: Average of 3-4 vulnerabilities per system
- Green: Average of 0-2 vulnerabilities per system
- Medium severity:
- Red: Average of 20 vulnerabilities per system
- Amber: Average of 15-19 vulnerabilities per system
- Green: Average of 0-14 vulnerabilities per system
- Low severity:
- Red: Average of 25 vulnerabilities per system
- Amber: Average of 20-44 vulnerabilities per system
- Green: Average of 0-19 vulnerabilities per system
- Critical severity:
This is difficult and it is something to work towards. It is an idea of how we can communicate the prioritization of remediation efforts to the stakeholders.