You will learn how UVRM allows users to manage a Target's criticality and how it leverages Target Criticality in its risk scoring.
Last Updated: 2/15/2024
Overview
To give clients contextual risk prioritization, where the goal is to focus the VM team's work using risk as a primary factor, we need to understand where vulnerabilities are located. Target criticality is one way we can do this.
In the near future we will expand our goals for contextual risk: identifying how targets are related, allowing clients to provide business context for targets, and, overall, enabling UVRM to understand the unique environmental factors found within each client network.
Target Criticality
Manual Criticality
Targets can be categorized as Critical, High, Medium, Low, or None. These values are meant to be used by each client subjectively.
However, you have an option within the Settings page to choose whether you'd like to manage Target Criticality manually or allow NopSec to attempt to categorize targets using its own ruleset.
If managing criticality manually, clients may choose how to interpret the criticality values. For instance, one client may choose a revenue-based methodology to determine criticality and create a mapping between value and criticality, for example:
- Any Target related to an Application which brings in more than $10 million is Critical.
Another client may choose to categorize based on risk, for example: any Target that is internet-facing is Critical.
If managing your Criticality manually, you will have to leverage the manual File Upload for Criticality (found within Settings | File Uploads | Criticality) to set the value for your targets. To do this, just upload a file with two columns, target_id and criticality. You can then leverage any methodology to categorize your targets. Typically the process would be as follows:
- Create a query that identifies the types of targets you'd like to update. For instance, if you've categorized Critical targets as targets with a value of 5m or more, and you've tagged your targets with that value, you could find your targets with a query of:
  - tags.name = "Value : $5m"
- Create a column preset with, at minimum, the columns:
  - Target ID
  - Criticality
- Save a Report with the above Query and the above Column Preset, set to Group By Targets.
- Download your CSV report of all targets.
- Update the CSV columns to:
  - target_id
  - criticality
- Update all Criticality values to "Critical" and save.
- Upload the file.
- Repeat as often as you need to: daily, weekly, monthly.
- Repeat for each Report you've created for managing Criticality.
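The CSV edit in the steps above can be scripted. The following is an added example, not NopSec code: it assumes the downloaded report is a CSV whose ID column is headed "Target ID" and that the upload is a CSV with a target_id,criticality header row. It goes one step beyond the steps above by merging several reports into one file and keeping the highest criticality when a target appears in more than one report, which is a policy chosen for this example; the target IDs are constructed.

```python
import csv
import io

# Criticality values named on this page, ordered highest to lowest.
LEVELS = ["Critical", "High", "Medium", "Low", "None"]


def build_upload(reports):
    """reports: (report_csv_text, criticality) pairs -> (upload_csv, conflicting_ids)."""
    chosen = {}        # target_id -> criticality that will be uploaded
    conflicts = set()  # targets seen with two different criticality values
    for text, level in reports:
        if level not in LEVELS:
            raise ValueError(f"unknown criticality: {level!r}")
        reader = csv.DictReader(io.StringIO(text))
        # Assumed export header; adjust to match your downloaded report.
        if "Target ID" not in (reader.fieldnames or []):
            raise ValueError("report has no 'Target ID' column")
        for row in reader:
            tid = (row["Target ID"] or "").strip()
            if not tid:
                continue  # skip blank rows rather than upload an empty ID
            prev = chosen.get(tid)
            if prev is not None and prev != level:
                conflicts.add(tid)
                # Keep the higher level (policy assumed for this example).
                if LEVELS.index(prev) < LEVELS.index(level):
                    continue
            chosen[tid] = level
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["target_id", "criticality"])
    for tid in sorted(chosen):
        writer.writerow([tid, chosen[tid]])
    return out.getvalue(), sorted(conflicts)


# Constructed sample exports (IDs are made up for illustration).
REVENUE_REPORT = "Target ID,Criticality\n1001,Medium\n1002,Low\n,\n1001,Medium\n"
PRINTER_REPORT = "Target ID,Criticality\n1002,None\n1003,None\n"

if __name__ == "__main__":
    upload, conflicts = build_upload([(REVENUE_REPORT, "Critical"), (PRINTER_REPORT, "Low")])
    print(upload, end="")
    print("conflicting targets:", conflicts)
```

Review the conflicting target IDs before uploading; they indicate queries that overlap.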
NopSec Auto Criticality
If you decide to allow NopSec to automatically categorize target criticality, NopSec applies the following rule set:
- NopSec attempts to categorize Scanner Plugin IDs such as QIDs to specific operating systems and functions (servers, printers, network device, databases, etc.)
- Depending on the category and function NopSec will assign a criticality to the target. For example, if the target has a category of Server and Database then it is marked Critical. If it is a Printer it is marked Low.
- NopSec attempts to analyze the known ports that are available (from the scanner's perspective) and determine whether the target has more than the average number of ports across all targets, which could indicate a more active device and increases its criticality.
- Similarly, NopSec will attempt to analyze a target's known Services (from the scanner's perspective) to determine whether it is both more utilized and risky, and whether the criticality should be set higher or lower.