Managing cyber risk entails dealing with sprawling networks, endpoints ranging from work PCs to personal smartphones to countless IoT sensors, and cybercriminals using increasingly sophisticated methods for launching attacks. Tackling these challenges without a systematic approach to understanding and prioritizing security vulnerabilities is overwhelming. And it can mean worrying about relatively minor issues while a potentially major flaw goes unaddressed.
Tracking a variety of metrics over time helps provide a clear picture of your risk and how it evolves as you make changes to your security posture. However, tracking the wrong metrics can be just as detrimental as not tracking any at all.
By tracking vulnerabilities using the following eight metrics, you’ll gain a clear, quantifiable understanding of your risk.
These key metrics are divided into two categories:
- Exploitability metrics, which reflect how easily, and by what means, the vulnerability can be exploited.
- Impact metrics, which reflect the consequences of an attack that exploits the vulnerability. For both categories, the higher the score, the greater the risk the vulnerability poses.
Let’s take a closer look at what each metric tracks.
Key Exploitability Metrics
1. Attack Vector
This metric scores the context in which a vulnerability can be exploited. The more remote an attacker can be from the vulnerable component, the higher the Attack Vector score. That means a vulnerability in your network that can be exploited over the internet will score higher than one that requires an employee to have physical access to a device.
2. Attack Complexity
This metric scores the conditions that must exist to exploit the vulnerability, such as information about the target or specific configurations. The more conditions that are outside of the hacker’s control, the less likely the vulnerability will be exploited, lowering the score.
3. Privileges Required
This metric scores the level of privileges an attacker must hold to exploit the vulnerability. A vulnerability that doesn’t require the attacker to hold any privileges, such as one exploited through a social-engineering attack, will have a higher score than one that requires admin control.
4. User Interaction
This metric scores whether a person other than the attacker must take part for the vulnerability to be exploited. If no other person is required, the attacker can exploit the vulnerability whenever they want. However, if another user is involved, the attacker may have to wait for that user to take an action, such as downloading a file, before the vulnerability can be exploited.
5. Scope
This metric scores whether a vulnerability in one component will impact resources in other components beyond its security scope. For example, a vulnerability in an operating system can impact many other applications and, therefore, receive a high score, whereas a vulnerability in a single database would likely be limited to just that database and represent less overall risk.
Key Impact Metrics
6. Confidentiality Impact
This metric scores the impact on your data’s confidentiality if the vulnerability is exploited. A high score means an attacker can access restricted data, while a low score means the vulnerability won’t affect data confidentiality.
7. Integrity Impact
This metric scores the impact on data integrity if the vulnerability is exploited. It measures whether an attacker can modify any or all of the files protected by the impacted component, and whether that modification has a direct, serious consequence for the component. The greater the reduction in the trustworthiness and veracity of the data, the higher the score.
8. Availability Impact
While the Confidentiality and Integrity metrics apply to data, this metric scores the impact of the loss of availability of the impacted component itself, including information resources, bandwidth, processor cycles, and disk space. A total loss of availability scores higher than reduced performance. However, even the reduced performance of a mission-critical application like email can have more of an impact than the total loss of availability for a lower-priority application.
Improve Cybersecurity Performance Using These Metrics
By using vulnerability scanning tools, you can track and quantify these metrics to gain a clear understanding of your cyber risk and track improvement in your performance as you close vulnerabilities. However, not all scanning tools are created equal. Some only conduct occasional scans, while others make it difficult to understand your risk at a glance.
Arctic Wolf™ Managed Risk combines real-time scanning and data from third-party systems to aggregate and quantify your risk indicators based on the industry-standard CVSS. This gives you a single, consolidated risk score that’s tailored to your business needs, helping you organize risks by type and priority. The result is a better sense of your risk and the ability to reduce your attack surface and ultimately prevent cybercrimes before they occur.
To learn more, download the Arctic Wolf Managed Risk datasheet.