
NopSec Risk Scoring and Risk Score Categories

NopSec Common Vulnerabilities and Exposures (CVE) Risk Scoring

NopSec utilizes a machine learning (ML) algorithm to calculate its CVE risk scores. The algorithm uses a variety of data as features including:

  • Vulnerability age-related information.
  • Multiple CVSS vectors, such as the Access and Authentication Vectors.
  • Other information from the National Vulnerability Database and other CVE data stores including:
    • CVE product identification.
    • CVE vendor identification.
    • Weaknesses and Attack Patterns related to the vulnerability.
    • Text analysis of the CVE description.
  • Social media references to the CVE, such as the count of tweets mentioning the CVE.
  • Attributes of related exploits such as the source, whether the exploit can be utilized remotely, and whether the exploit is proof of concept or weaponized.

Threat identification is based on information from threat intelligence feeds and prioritizes known threats and sandbox identifications of “in-the-wild” exploits. From the ML model, every known CVE is given a NopSec Risk Score in the range 0 – 10.0.

NopSec CVE Risk Score Categories

  • Urgent: score >= 9.9 and the CVE has associated malware
  • Critical: 7.5 < score <= 10.0
  • High: 5.0 < score <= 7.5
  • Medium: 2.5 < score <= 5.0
  • Low: 0 < score <= 2.5
  • None: score = 0 (informational only)

NopSec Scanner Vulnerability Risk Scores

Scanner Vulnerabilities in UVRM are scored based on the maximum CVE Risk Score associated with the Vulnerability and the importance of the Asset on which it was found. Scanner Vulnerability risk scores are in the range 0 – 100.

NopSec Asset Risk Scores

Asset Risk Scores are calculated by taking the weighted average of the OPEN, non-DUPLICATED, non-RISK ACCEPTED, non-FALSE POSITIVE Scanner Vulnerabilities on the asset.

NopSec Asset Group Risk Scores

Asset Group Risk Scores are calculated by taking the weighted average of the Asset Risk Scores in the Group.

NopSec Overall Scores

A client’s Overall Score is calculated by taking the weighted average of all Asset Risk Scores.

Risk Score Grading

Scanner Vulnerabilities, Assets, Asset Groups, and the Overall Score all have associated Risk Grades based on the table below.

Risk Grade   Minimum Score   Maximum Score
A            0               25
B            26              50
C            51              75
D            76              100
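The following Python script is an added illustration of the whole roll-up described on this page, from CVE category through Scanner Vulnerability, Asset, Asset Group and Overall scores to the Risk Grade; it is not NopSec code and the page does not publish the real formulas. Everything beyond the page's stated rules is an assumption and is marked as such in the code: how the maximum CVE score and asset importance combine into a 0 – 100 Scanner Vulnerability score, the weights used in the weighted averages (asset importance for Asset Group and Overall averages, a per-finding weight for the asset average), and rounding a fractional score to the nearest integer before grading, because the grade table only defines integer bounds. The sample inventory is constructed. The ordering in `cve_category` matters: the Urgent band overlaps Critical, so a 9.9+ score without associated malware must still resolve to Critical.

```python
from dataclasses import dataclass, field
from typing import List, Set

# Flags that remove a Scanner Vulnerability from asset scoring (stated on the page).
EXCLUDED_FLAGS = {"DUPLICATED", "RISK_ACCEPTED", "FALSE_POSITIVE"}


def cve_category(score: float, has_malware: bool) -> str:
    """Map a NopSec CVE Risk Score (0 - 10.0) to its category.

    Urgent overlaps the Critical band, so it is tested first; without
    associated malware a score of 9.9 or more is still only Critical.
    """
    if not 0 <= score <= 10.0:
        raise ValueError("CVE risk score must lie in 0 - 10.0")
    if score >= 9.9 and has_malware:
        return "Urgent"
    if score > 7.5:
        return "Critical"
    if score > 5.0:
        return "High"
    if score > 2.5:
        return "Medium"
    if score > 0:
        return "Low"
    return "None"


@dataclass
class ScannerVuln:
    cve_scores: List[float]                        # CVE Risk Scores of the linked CVEs
    state: str = "OPEN"                            # OPEN or CLOSED
    flags: Set[str] = field(default_factory=set)   # e.g. {"FALSE_POSITIVE"}
    weight: float = 1.0                            # assumed weight in the asset average


@dataclass
class Asset:
    name: str
    importance: float                              # assumed 0.0 - 1.0; undefined on the page
    vulns: List[ScannerVuln] = field(default_factory=list)


def weighted_average(values, weights):
    total = sum(weights)
    return sum(v * w for v, w in zip(values, weights)) / total if total else 0.0


def scanner_vuln_score(vuln, asset):
    """Assumed formula: max linked CVE score scaled to 0 - 100, times asset importance."""
    return max(vuln.cve_scores, default=0.0) * 10.0 * asset.importance


def counts_toward_asset_score(vuln):
    """Only OPEN findings without an excluding flag feed the Asset Risk Score."""
    return vuln.state == "OPEN" and not (vuln.flags & EXCLUDED_FLAGS)


def asset_risk_score(asset):
    scored = [v for v in asset.vulns if counts_toward_asset_score(v)]
    return weighted_average([scanner_vuln_score(v, asset) for v in scored],
                            [v.weight for v in scored])


def group_risk_score(assets):
    """Assumed: asset importance is the weight in Asset Group and Overall averages."""
    return weighted_average([asset_risk_score(a) for a in assets],
                            [a.importance for a in assets])


def overall_score(assets):
    return group_risk_score(assets)


GRADE_BANDS = (("A", 0, 25), ("B", 26, 50), ("C", 51, 75), ("D", 76, 100))


def risk_grade(score):
    """The grade table has integer bounds, so a score such as 25.4 falls in no
    band as written; rounding to the nearest integer first is an assumption."""
    rounded = round(score)
    for grade, lo, hi in GRADE_BANDS:
        if lo <= rounded <= hi:
            return grade
    raise ValueError(f"score {score} outside 0 - 100")


# Constructed sample inventory, not real scan data.
SAMPLE_ASSETS = [
    Asset("web-01", 1.0, [
        ScannerVuln([9.9, 7.0]),                       # counts: max 9.9 -> 99.0
        ScannerVuln([6.0], flags={"FALSE_POSITIVE"}),  # excluded from scoring
        ScannerVuln([3.0]),                            # counts: 30.0
    ]),
    Asset("db-01", 0.6, [
        ScannerVuln([8.0]),                            # 8.0 * 10 * 0.6 = 48.0
        ScannerVuln([9.5], state="CLOSED"),            # excluded: not OPEN
    ]),
    Asset("kiosk-01", 0.2),                            # no findings -> 0.0, grade A
]

if __name__ == "__main__":
    for a in SAMPLE_ASSETS:
        s = asset_risk_score(a)
        print(f"{a.name}: {s:.2f} grade {risk_grade(s)}")
    o = overall_score(SAMPLE_ASSETS)
    print(f"overall: {o:.2f} grade {risk_grade(o)}")
```

Running the script prints a per-asset score and grade followed by the Overall Score; a finding that is flagged FALSE_POSITIVE or has been CLOSED changes neither its asset's score nor the roll-up, which is the behaviour a reviewer should confirm when validating a risk-acceptance or false-positive workflow.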