How is the threat severity level determined?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

How is the threat severity level determined?

Not applicable

How is the threat severity level determined?

Critical, High, Medium, Low or Informational

1 accepted solution

Accepted Solutions

L4 Transporter

Great question Neil. We look at the CVSS score but also do our own analysis of the vulnerabilities based on how easy it is to exploit the vulnerability, pervasiveness of the vulnerable product, impact of the vulnerability, etc. Here's a quick summary definition of each of the severity levels for vulnerabilities.

CRITICAL vulnerabilities are those vulnerabilities that typically affect default installations of very widely deployed software, result in root compromise of servers, and the information required for exploitation (such as example exploit code) is widely available to attackers. Further, exploitation is usually straightforward, in the sense that the attacker does not need any special authentication credentials, knowledge about individual victims, and does not need to social engineer a target user into performing any special functions.

HIGH vulnerabilities are typically those that have the potential to become CRITICAL, but have one or a few mitigating factors that make exploitation less attractive to attackers. For example, vulnerabilities that have many CRITICAL characteristics but are difficult to exploit, do not result in elevated privileges, or have a minimally sized victim pool are usually rated HIGH. Note that HIGH vulnerabilities where the mitigating factor arises from a lack of technical exploit details will become CRITICAL if these details are later made available. Thus, the paranoid administrator will want to treat such HIGH vulnerabilities as CRITICAL, if it is assumed that attackers always possess the necessary exploit information.

MODERATE vulnerabilities are those where the scales are slightly tipped in favor of the potential victim. Denial of service vulnerabilities are typically rated MODERATE, since they do not result in compromise of a target. Exploits that require an attacker to reside on the same local network as a victim, only affect nonstandard configurations or obscure applications, require the attacker to social engineer individual victims, or where exploitation only provides very limited access are likely to be rated MODERATE.

LOW vulnerabilities by themselves have typically very little impact on an organization's infrastructure. These types of vulnerabilities usually require local or physical system access or may often result in client side privacy or denial of service issues and information leakage of organizational structure, system configuration and versions, or network topology.Another type of low signature may indicate traffic that is necessary for attacking a server, such as Microsoft RPC Endpoint Mapper. In order to successfully attack Microsoft RPC vulnerabilities, an attack must first query an RPC endpoint first.

INFORMATIONAL vulnerabilities may not actually be vulnerabilities, but rather suspicious events that are reported to call attention to security professionals that deeper problems could possibly exist. 

View solution in original post

1 REPLY 1

L4 Transporter

Great question Neil. We look at the CVSS score but also do our own analysis of the vulnerabilities based on how easy it is to exploit the vulnerability, pervasiveness of the vulnerable product, impact of the vulnerability, etc. Here's a quick summary definition of each of the severity levels for vulnerabilities.

CRITICAL vulnerabilities are those vulnerabilities that typically affect default installations of very widely deployed software, result in root compromise of servers, and the information required for exploitation (such as example exploit code) is widely available to attackers. Further, exploitation is usually straightforward, in the sense that the attacker does not need any special authentication credentials, knowledge about individual victims, and does not need to social engineer a target user into performing any special functions.

HIGH vulnerabilities are typically those that have the potential to become CRITICAL, but have one or a few mitigating factors that make exploitation less attractive to attackers. For example, vulnerabilities that have many CRITICAL characteristics but are difficult to exploit, do not result in elevated privileges, or have a minimally sized victim pool are usually rated HIGH. Note that HIGH vulnerabilities where the mitigating factor arises from a lack of technical exploit details will become CRITICAL if these details are later made available. Thus, the paranoid administrator will want to treat such HIGH vulnerabilities as CRITICAL, if it is assumed that attackers always possess the necessary exploit information.

MODERATE vulnerabilities are those where the scales are slightly tipped in favor of the potential victim. Denial of service vulnerabilities are typically rated MODERATE, since they do not result in compromise of a target. Exploits that require an attacker to reside on the same local network as a victim, only affect nonstandard configurations or obscure applications, require the attacker to social engineer individual victims, or where exploitation only provides very limited access are likely to be rated MODERATE.

LOW vulnerabilities by themselves have typically very little impact on an organization's infrastructure. These types of vulnerabilities usually require local or physical system access or may often result in client side privacy or denial of service issues and information leakage of organizational structure, system configuration and versions, or network topology.Another type of low signature may indicate traffic that is necessary for attacking a server, such as Microsoft RPC Endpoint Mapper. In order to successfully attack Microsoft RPC vulnerabilities, an attack must first query an RPC endpoint first.

INFORMATIONAL vulnerabilities may not actually be vulnerabilities, but rather suspicious events that are reported to call attention to security professionals that deeper problems could possibly exist. 

  • 1 accepted solution
  • 6111 Views
  • 1 replies
  • 2 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!