Risk scoring in a penetration test report involves evaluating and prioritizing vulnerabilities discovered during the penetration testing process based on their potential impact and likelihood of exploitation. The goal of risk scoring is to provide a clear understanding of the most critical security issues that need to be addressed to enhance the security posture of the system or network. Here’s an explanation of how risk scoring is typically conducted and its components:
- Identification of vulnerabilities: During a penetration test, various vulnerabilities are identified through manual testing and automated tools. These vulnerabilities can range from minor misconfigurations to severe security flaws that could be exploited by attackers.
- Risk factors: Each vulnerability is assessed based on several risk factors:
  - Impact: The potential damage or consequences if the vulnerability is exploited. This includes data loss, unauthorized access, service disruption, financial loss, and damage to reputation.
  - Likelihood: The probability that the vulnerability will be exploited. This is influenced by factors such as the complexity of the exploit, the presence of known exploits, and the level of access required.
- Scoring methodology: A common approach to risk scoring is using a numerical or qualitative scale to rate the impact and likelihood of each vulnerability. The Common Vulnerability Scoring System (CVSS) is one widely used methodology that provides a standardized way to score vulnerabilities.
- Prioritization: Vulnerabilities are ranked based on their risk scores, with higher scores indicating more critical issues that need immediate attention. This prioritization helps organizations allocate resources effectively to address the most significant security risks first.
- Reporting: The penetration test report includes detailed information about each vulnerability, its risk score, and recommendations for mitigation or remediation. This enables stakeholders to understand the security posture of their systems and take informed actions to improve it.
Investigating CVE and CWE
Identifying and mitigating vulnerabilities is at the heart of a structured PenTest. As vulnerabilities are identified, they are first rated according to severity using the Common Vulnerability Scoring System (CVSS). The score is derived from a set of metrics, which helps in prioritizing vulnerabilities. You can learn more by visiting https://www.first.org/cvss/. The information from the CVSS is then fed into the Common Vulnerabilities and Exposures (CVE).
The CVE is a listing of all publicly disclosed vulnerabilities. Each entry refers to a specific vulnerability in a particular product and is cataloged with the following information:
- Name of the vulnerability using the following format: CVE-[YEAR]-[NUMBER].
- Description of the vulnerability, for example: An SQL injection vulnerability exists (with user privileges) in the pets console of Kiddikatz chip records system.
To learn more about the vulnerability, click on the name, which is a hyperlink to the record in the National Vulnerability Database (NVD). Once there, you can read more details about the vulnerability.
The Common Weakness Enumeration (CWE) is a database of software-related vulnerabilities maintained by the MITRE Corporation. Once on the site, you will see a detailed list of weaknesses in hardware and software. For example, if we select Software Development, this will take us to the Software Development page. Once there, you will see a list of common software issues where you can select a topic.
For example, if you select Data Validation Issues, that will take you to a new page with more detailed information on the weakness, such as affected platforms and the possible consequences of exploiting this weakness.