6.3 Understanding Risk Scoring

Risk scores measure how exposed an endpoint is and help you identify which endpoints have the most serious exposures, based on two factors: the violations the security checks discover and the importance you assign to the endpoint. When you run a security check against an endpoint, Secure Configuration Manager evaluates the endpoint and includes a risk score in the report. When you run a policy template, Secure Configuration Manager assigns a risk score to each selected endpoint for each applicable security check in the template. Except for information-only security checks, Secure Configuration Manager assigns the risk score as expressed in the following equation, where the threat component is the total exposure score of the discovered violations and the vulnerability component is the endpoint's importance factor (Section 6.3.4 restates this as Total exposure score * Importance factor):

Risk Score = Threat * Vulnerability

You can control how Secure Configuration Manager calculates its weighted risk scores by adjusting the following settings:

  • Threat factors for each security check

  • Endpoint importance

  • Importance weighting factors

When you edit or create a security check, you can specify the way the score is determined so each check can satisfy a specific need.

6.3.1 Scoring Method

Every security check follows a specific method for reporting the number of violations found for each endpoint. The scoring method is the manner in which you want to accumulate the violations. When you create a custom check, you must assign the check to one of the following scoring methods:

Count

Counts one violation for every row returned by the check beyond the value for the Expected number of rows returned. For example, the Local - Powerful Groups security check returns three rows of groups: Administrators, Domain Admins, and Enterprise Admins. With the Expected number of rows returned left at 0, the check counts three violations.

Unique Count

Counts each unique row of returned data as a violation and ignores duplicate rows. The number of unique rows must exceed the value for the Expected number of rows returned. Secure Configuration Manager uses only the first column of the report to decide whether a returned row is unique, so rows that differ in later columns but share a first-column value count once. For example, the Port Scan security check returns four rows of data, reporting the same process on four different ports. The check counts four violations because the first column, the port number, differs in every row.

Simple Value

Counts all returned rows as a single violation, so the result is either one violation or none. For example, the Accounts With Passwords More Than 90 Days Old security check returns 50 rows of data (that is, 50 accounts with old passwords). The check counts all 50 rows as one violation. If you want no rows found to count as a violation, use this scoring method and set the Expected number of rows returned value to greater than zero; the endpoint is then penalized whenever the row count differs from that value. Simple Value scoring applies to checks written in the VQL programming language.

Single Value

Counts a single violation when the actual returned value does not match the specified Expected value. For example, the Advanced Audit Policy security check returns a result of Not Compliant when the specified policy is not set to the specified value. Single Value scoring applies to checks written in the TCL programming language. TCL checks cannot be edited.

Information only

Sets the vulnerability to zero regardless of the number of violations. This option is useful when you want to create a report showing the attributes for an object.

For more information about rows returned by the check, see Section 6.3.3, Expected Number of Rows Returned. For more information about applying the scoring method to a custom security check, see Section 6.4.3, Creating Custom Security Checks.

6.3.2 Threat Factors

Each security check measures different attributes that can put your system at risk. Secure Configuration Manager lets you assign a threat factor, or penalty, for each discovered compliance or configuration risk the checks find, based on the importance of the threat in your environment. The threat factor is the relative weight, or numeric penalty, you associate with the compliance or configuration issue.

For example, you may consider the presence of a virus signature, indicating that a system has been exploited, an extremely threatening risk. Another vulnerability, such as remote access to a floppy disk, might be considered less risky. Both examples are threats, but by increasing the penalty for the presence of a virus signature you increase the resulting risk score for systems that test positive.

By default, Secure Configuration Manager assigns a threat factor of 10 to each security check. You can change the threat factor of any security check on the Parameters window in the Policy Template wizard.

6.3.3 Expected Number of Rows Returned

Each security check tests for a specific potential vulnerability in an endpoint’s configuration. For each endpoint response that varies from the expected configuration (a discovered threat or violation), Secure Configuration Manager adds a row of data to the report. The expected number of rows returned is the number of rows of data you allow in the report before you begin penalizing the endpoint or system for the discovered violations. The resulting total exposure score indicates the system’s exposure to potential vulnerabilities or threats.

The calculation for the total exposure score varies by the scoring method of the security check:

Scoring Method     Total Exposure Score Calculation

Count              Total exposure score = Threat factor * (Number of rows returned - Expected number of rows returned)

Unique Count       Total exposure score = Threat factor * (Number of unique rows returned - Expected number of rows returned)

Simple Value       Total exposure score = Threat factor if the Number of rows returned does not match the Expected number of rows returned; otherwise 0

Single Value       Total exposure score = Threat factor if the Actual value does not match the Expected value; otherwise 0

Information only   Total exposure score = 0

For example, you create a security check to determine whether all user accounts on a specific system have a password expiration date. You specify Count scoring method and a threat factor of 10 for the security check. You expect only two accounts to return without expiration dates, so you set the expected number of rows returned to a value of 2. When you run the check, Secure Configuration Manager does not count the first two returned rows when calculating the exposure score. If the report contains seven rows of returned data, the system’s total exposure score is 50, as expressed in the following equation:

50 = 10 * (7 - 2)

The expected number of rows returned applies to security checks using the Count, Unique Count, and Simple Value scoring methods. For more information, see Section 6.3.1, Scoring Method.

6.3.4 Importance Factor

When you run a security check, Secure Configuration Manager first totals all threat factors for discovered violations on each asset. To calculate the risk score, Secure Configuration Manager multiplies the total exposure score by the importance factor associated with each asset importance rank, using the following equation:

Risk score = Total exposure score * Importance factor

Each asset importance rank corresponds to an importance factor that you can specify. By default, Secure Configuration Manager applies the following factors.

Asset Importance    Importance Factor

Very Low            25%

Low                 50%

Medium              100%

High                125%

Very High           150%

For example, you run a security check to determine whether all user accounts have a password expiration date, with the check's threat factor set to 1 and the Expected number of rows returned left at 0. An endpoint ranked Very High importance reports five accounts without an expiration date, for a total exposure score of 5 (1 * (5 - 0)). Secure Configuration Manager calculates the endpoint's risk score as 7.5 based on Total exposure score (5) * Importance factor (150%). For more information about calculating the total exposure score, see Section 6.3.3, Expected Number of Rows Returned.

You can change the importance factors on the Tools > Assign Importance menu. Factors under 100% lower the risk score and factors over 100% raise it, relative to a Medium endpoint with the same violations. For more information about ranking the importance of an endpoint, see Section 2.5.2, Assigning Importance to Endpoints.

6.3.5 Example of Risk Scoring

As an example of risk scoring, suppose you create a policy template that includes only one security check, the TCP/IP Security check. When you run the policy template on two endpoints, Secure Configuration Manager determines that neither endpoint has TCP/IP Security enabled. The threat factor, or penalty, for not having TCP/IP security enabled is 10.

However, one endpoint is rated medium importance and the other endpoint is rated very high importance. The following table displays the resulting risk score for the endpoints included in this check.

Threat Factor    Importance Factor     Risk Score

10               100% (medium)         10

10               150% (very high)      15

For the same violations, an asset with a higher importance factor always receives a proportionally higher risk score. The highest-scoring assets appear in the report summary at the top of reports, making it easy for you to identify high-exposure assets.

6.3.6 Risk Scoring Distribution

When you run a security check or policy template, the completed report displays a pie chart showing the distribution of endpoints in each risk score range. By default, Secure Configuration Manager assigns the following risk scoring distribution levels.

Risk Level      Risk Score Range

Low Risk        0 - 100

Medium Risk     101 - 200

High Risk       201 or higher

You can change the risk scoring levels on the Properties window in the Policy Template wizard.
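The following added example, which is not part of the Secure Configuration Manager product or its documentation, models the scoring rules of Sections 6.3.1 and 6.3.3 through 6.3.6 in code so the worked numbers in this section can be checked and extended: all five scoring methods, the first-column uniqueness rule, the default importance factors, and the default risk-level ranges behind the report pie chart. Function and parameter names, the sample rows, and the two commented assumptions (no negative penalty when fewer rows than expected return, and how fractional scores such as 7.5 fall into the integer ranges) are the example's own, not the product's.

```python
"""Worked model of the Secure Configuration Manager risk-scoring rules.

Added example, not SCM's own code: it reproduces the arithmetic of sections
6.3.1 and 6.3.3 to 6.3.6 so the numbers in the text can be checked. Function
and parameter names are assumptions; the defaults are the page's default values.
"""
from collections import Counter
from enum import Enum


class ScoringMethod(Enum):
    COUNT = "Count"
    UNIQUE_COUNT = "Unique Count"
    SIMPLE_VALUE = "Simple Value"
    SINGLE_VALUE = "Single Value"
    INFORMATION_ONLY = "Information only"


# Default importance factors (section 6.3.4), rank -> percent.
DEFAULT_IMPORTANCE_FACTORS = {
    "Very Low": 25, "Low": 50, "Medium": 100, "High": 125, "Very High": 150,
}

# Default risk-level ranges (section 6.3.6) as (name, lower bound).
# Assumption: a fractional score such as 100.5 belongs to the level whose lower
# bound it has reached, because the page's integer ranges leave that unstated.
DEFAULT_RISK_LEVELS = [("Low Risk", 0), ("Medium Risk", 101), ("High Risk", 201)]


def total_exposure_score(method, threat_factor=10, rows=(), expected_rows=0,
                         actual_value=None, expected_value=None):
    """Total exposure score of one check on one endpoint (section 6.3.3).

    rows: the rows the check returned, each a tuple; Unique Count uses the
    first column to decide whether a row is a duplicate (section 6.3.1).
    """
    if method is ScoringMethod.INFORMATION_ONLY:
        return 0
    if method is ScoringMethod.COUNT:
        # Assumption: the first `expected_rows` rows are simply not counted,
        # so the penalty never goes negative when fewer rows come back.
        return threat_factor * max(0, len(rows) - expected_rows)
    if method is ScoringMethod.UNIQUE_COUNT:
        unique_first_column = {row[0] for row in rows}
        return threat_factor * max(0, len(unique_first_column) - expected_rows)
    if method is ScoringMethod.SIMPLE_VALUE:
        # Setting expected_rows > 0 makes "no rows found" a violation.
        return threat_factor if len(rows) != expected_rows else 0
    if method is ScoringMethod.SINGLE_VALUE:
        return threat_factor if actual_value != expected_value else 0
    raise ValueError(f"unknown scoring method: {method}")


def risk_score(exposure, importance_rank, factors=DEFAULT_IMPORTANCE_FACTORS):
    """Risk score = Total exposure score * Importance factor (section 6.3.4)."""
    return exposure * factors[importance_rank] / 100


def risk_level(score, levels=DEFAULT_RISK_LEVELS):
    """Name of the risk-level range a score falls into (section 6.3.6)."""
    name = None
    for level_name, lower in sorted(levels, key=lambda lv: lv[1]):
        if score >= lower:
            name = level_name
    if name is None:
        raise ValueError(f"score {score} is below every risk level")
    return name


def risk_distribution(scores, levels=DEFAULT_RISK_LEVELS):
    """Endpoint count per risk level, i.e. the data behind the report pie chart."""
    counts = Counter(risk_level(s, levels) for s in scores)
    return {name: counts.get(name, 0) for name, _ in levels}


if __name__ == "__main__":
    # Section 6.3.3: Count, threat factor 10, 7 rows, 2 expected -> 50.
    # All rows below are constructed sample data, not real check output.
    no_expiry = [(f"svc{i}",) for i in range(7)]
    print(total_exposure_score(ScoringMethod.COUNT, 10, no_expiry, expected_rows=2))

    # Section 6.3.1: Port Scan, same process on four ports -> four violations.
    ports = [(135, "svchost.exe"), (139, "svchost.exe"),
             (445, "svchost.exe"), (3389, "svchost.exe")]
    print(total_exposure_score(ScoringMethod.UNIQUE_COUNT, 1, ports))

    # Section 6.3.5: TCP/IP Security check (Single Value), same finding on two endpoints.
    exposure = total_exposure_score(ScoringMethod.SINGLE_VALUE, 10,
                                    actual_value="Disabled", expected_value="Enabled")
    for rank in ("Medium", "Very High"):
        print(rank, risk_score(exposure, rank))

    # Section 6.3.6: distribute a set of endpoint scores into the default levels.
    print(risk_distribution([7.5, 10.0, 15.0, 150.0, 250.0]))
```

The `rows` argument stands in for the report rows a check returns; keeping the deciding column first mirrors the product's rule that only the first column determines uniqueness, which is why two rows for the same group with different members would count once under Unique Count but twice under Count.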