At 02:02 PM 4/6/2006, mudyo26 CryptoMail User wrote:
Is there any Scoring system / Risk Score based on Nessus output ?
What if an organization does scanning every day and want to know how the
"security score" is increasing or decreasing based on
vulnerabilities found (not found).
I read one posting by Renaud in early 2005 in Nessus lists that it
is being worked upon.
Tenable has used CVSS to score vulnerabilities in Nessus for some
time now. We've not gone back and scored all 10k+ plugins, but the
major ones have been done. Incidentally, our passive scanning product
uses CVSS scores as well.
Tenable's console product, Security Center, also does two types of
scoring.
First, based on the types of data collected by Nessus or through passive
monitoring, it discovers your assets. If you already know what your asset
lists are, you can upload those as well. Assets can be things like "DMZ
Windows 2000 Web Servers", "Core Cisco Routers" or stuff like the
"Financial Database". You can then use those assets to report on the
discovered vulnerabilities and compare them to each other with trending.
The advantage of doing it by asset is you get a comparative trend,
for each user's view of which asset groups they are authorized to see.
In other words, small changes in vulns for your Cisco routers don't
mean much in the grand scheme of things, but might mean a lot to the
folks running your routers.
Second, the Security Center assigns point values to the low|medium|high
severity levels. Through the user interface, you can do just about any
type of query (with filters for Nessus IDs, families, ports, etc.) and
ask it to summarize all IPs or ClassA|B|C, along with a score. This way
you can do a report and see which IP is the 'most vulnerable' based on
a score.
If you're dealing with a pure Nessus solution, I would not discount
the severity level of the underlying plugin scores. Tenable puts a
great deal of thought into assigning these severity levels, but they
are a level higher than something like a CVSS score.
Ron Gula, CTO
Tenable Network Security
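An added example (not Tenable's or Security Center's code) of the scoring approach described in the reply: severity levels are mapped to point values, findings are summed per asset list and per IP, and two daily scans are compared to get a trend. The point values, asset lists and findings are all constructed for illustration; the real Security Center values are not given in the post.

```python
"""Severity-point scoring of Nessus-style findings grouped by asset list,
with a day-over-day trend. Everything below is constructed sample data."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed point values per severity level (not Security Center's real values).
SEVERITY_POINTS = {"low": 1, "medium": 3, "high": 10}

# Constructed asset lists: name -> CIDR ranges (documentation-only addresses).
ASSETS = {
    "DMZ Web Servers": ["192.0.2.0/28"],
    "Core Routers": ["198.51.100.0/29"],
}

def asset_of(ip):
    """Return the asset-list name containing ip, or 'unassigned'."""
    addr = ip_address(ip)
    for name, nets in ASSETS.items():
        if any(addr in ip_network(n) for n in nets):
            return name
    return "unassigned"

def score_by_asset(findings):
    """Sum severity points per asset list. findings: (ip, plugin_id, severity)."""
    totals = defaultdict(int)
    for ip, _plugin_id, severity in findings:
        totals[asset_of(ip)] += SEVERITY_POINTS[severity.lower()]
    return dict(totals)

def score_by_host(findings):
    """Sum severity points per IP, highest first, for a 'most vulnerable' report."""
    totals = defaultdict(int)
    for ip, _plugin_id, severity in findings:
        totals[ip] += SEVERITY_POINTS[severity.lower()]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))

def trend(yesterday, today):
    """Per-asset score delta between two daily scans (positive = worse)."""
    y, t = score_by_asset(yesterday), score_by_asset(today)
    return {a: t.get(a, 0) - y.get(a, 0) for a in set(y) | set(t)}

# Constructed findings (ip, plugin id, severity) for two consecutive days.
DAY1 = [("192.0.2.5", 11111, "high"), ("192.0.2.6", 22222, "medium"),
        ("198.51.100.1", 33333, "low"), ("203.0.113.9", 44444, "high")]
DAY2 = [("192.0.2.5", 11111, "high"), ("192.0.2.5", 55555, "high"),
        ("198.51.100.1", 33333, "low"), ("198.51.100.2", 33333, "low")]

if __name__ == "__main__":
    for asset, delta in sorted(trend(DAY1, DAY2).items()):
        print(f"{asset}: {delta:+d}")
    print(score_by_host(DAY2))
```

A host outside every asset list lands in "unassigned", so a drop there (as in the sample) may reflect a host leaving the scan scope rather than a fix.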
_______________________________________________
Nessus mailing list
http://mail.nessus.org/mailman/listinfo/nessus