NS Risk Score, or NS Score for short, evaluates the risk that an existing vulnerability induces on an asset. Time and capability are scarce, so a strong vulnerability management programme should prioritize findings by the risk those vulnerabilities pose. Risk stems from both the value of an asset and the severity of the vulnerability on that asset. Therefore, owners choose one of four priority levels for the assets they create.
The asset priority levels are Critical, High, Medium, and Low.
While owners can assign whatever meaning they choose to these levels, the following guidance applies:
- If impairment to an asset, even for a short time, could cause serious business interruption, the asset can be labelled as critical.
- If impairment to an asset could cause significant losses in the long term but the company can still function, the asset can be labelled as high.
- If impairment to an asset could cause some losses while the company can still function, the asset can be labelled as medium.
- If impairment to an asset could cause little to no loss and the company can easily function, the asset can be labelled as low.
Vulnerability Severity Levels
Another key factor contributing to the risk of an asset is the severity of the vulnerability affecting it. The vulnerability severity levels are Urgent, Critical, High, Medium, Low, and Information.
Unfortunately there is no wide consensus on severity levels for information security vulnerabilities; schemes like CVSS have established a baseline, but the assignment remains vague, especially for web application vulnerabilities.
- Urgent level vulnerabilities are the ones that can be exploited by non-technical parties, such as script kiddies, and that create substantial data loss. SQL injection and missing critical Windows patches are examples of urgent level vulnerabilities.
- Critical level vulnerabilities are the ones that can be exploited remotely by equipped attackers and that create substantial data loss. Reflected cross-site scripting and missing DoS-level Windows patches are examples of critical level vulnerabilities.
- High level vulnerabilities are the ones that can be exploited remotely by equipped attackers and that create substantial service loss.
- Medium level vulnerabilities are the ones that can be exploited locally by non-technical or equipped attackers and that create substantial data or service loss.
- Low level vulnerabilities are the ones that can be exploited by equipped attackers and that may or may not create non-significant service or data loss.
- Information level vulnerabilities do not pose any security risk to the related assets. An open port or non-significant header information are examples of information level findings.
NS Risk Score Calculation
With four asset priority levels and five vulnerability severity levels, the product of the two numeric values denotes the risk score for an asset/vulnerability pair.
NS Risk Score = Asset Priority x Vulnerability Severity
Therefore, a risk score ranges from a minimum of 1 to a maximum of 20. Asset owners should prioritize their efforts according to this number, which is presented with every vulnerability.
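The calculation above, worked through as an added example (this is illustrative code, not the product's own implementation). The page gives the formula and the 1 to 20 range but not the numeric mapping of level names, so the code assumes Critical..Low asset priorities map to 4..1, Urgent..Low severities map to 5..1, and Information-level findings, which the page says pose no risk, receive no score. The sample findings are constructed.

```python
"""Worked example of the NS Risk Score calculation.

Added illustration, not the vendor's own code. Assumptions (not stated on the
page): Critical..Low asset priorities map to 4..1, Urgent..Low severities map
to 5..1, and Information-level findings, which pose no risk, yield no score.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Four asset priority levels (assumed numeric mapping: Critical = 4 ... Low = 1).
ASSET_PRIORITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Five scored severity levels (assumed mapping: Urgent = 5 ... Low = 1).
# "information" is deliberately absent: the page states it poses no risk.
VULN_SEVERITY = {"urgent": 5, "critical": 4, "high": 3, "medium": 2, "low": 1}


def ns_risk_score(asset_priority: str, severity: str) -> Optional[int]:
    """Return Asset Priority x Vulnerability Severity (1..20).

    Returns None for Information-level findings, which carry no risk.
    Raises ValueError on an unknown level name so a typo in an import
    feed cannot silently score as the lowest risk.
    """
    priority = ASSET_PRIORITY.get(asset_priority.lower())
    if priority is None:
        raise ValueError(f"unknown asset priority: {asset_priority!r}")
    sev_name = severity.lower()
    if sev_name == "information":
        return None
    sev = VULN_SEVERITY.get(sev_name)
    if sev is None:
        raise ValueError(f"unknown vulnerability severity: {severity!r}")
    return priority * sev


@dataclass(frozen=True)
class Finding:
    asset: str
    asset_priority: str
    title: str
    severity: str


def prioritize(findings: List[Finding]) -> List[Tuple[Optional[int], Finding]]:
    """Sort findings by descending NS Risk Score; unscored (Information) last.

    Returns a list of (score, finding) tuples; score is None for Information.
    """
    scored = [(ns_risk_score(f.asset_priority, f.severity), f) for f in findings]
    # Unscored findings sort after every scored one; scored ones descend.
    return sorted(scored, key=lambda s: (s[0] is None, -(s[0] or 0)))


# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS = [
    Finding("intranet-wiki", "low", "Reflected XSS", "critical"),
    Finding("payments-api", "critical", "SQL injection", "urgent"),
    Finding("payments-api", "critical", "Server header disclosure", "information"),
    Finding("hr-portal", "high", "Missing DoS-level Windows patch", "critical"),
    Finding("marketing-site", "medium", "Open port 8080", "information"),
]

if __name__ == "__main__":
    for score, f in prioritize(SAMPLE_FINDINGS):
        label = "n/a" if score is None else f"{score:2d}"
        print(f"{label}  {f.asset:<15} {f.asset_priority:<8} {f.severity:<11} {f.title}")
```

Running the module lists the SQL injection on the critical payments API first (4 x 5 = 20), the missing patch on the high-priority HR portal next (3 x 4 = 12), the reflected XSS on the low-priority wiki after that (1 x 4 = 4), and the two Information-level findings last with no score. Rejecting unknown level names rather than defaulting them is a deliberate choice: a mislabelled asset should surface as an error, not quietly land at the bottom of the queue.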