I have been working on a talk this week for ShmooCon Epilogue.
For the people who missed the talk, I will have the slides and, if possible, the video posted on the media blog soon.
Epilogue: Jason Oliver - Risk Reporting Metrics, from Georgia Weidman on Vimeo.
In the talk I go over some ideas I have been playing with to answer a few key questions all of us techs get on risk assessments:
- What are the X worst machines?
- What is the overall risk level of my network?
- Which fix would have the greatest risk reduction effect?
The first script, XMLVulnStats.java, works from one or more .nessus files and gives you the summary data below. It relies on Excel for some of the front-end math; because the figures end up in a spreadsheet, the host criticality / impact levels can be adjusted after the fact to get more accurate results.
The command-line works as follows:
java XMLVulnStats Output.xls *.nessus
The output is a table with the following columns:
Total CVSS Count - the sum of the CVSS scores of all vulns on the host
Host Criticality - an adjustable figure between 100 and 1000 ranking the importance of the host
Risk Score - Total CVSS * Host Criticality
Total Vuln - the count of Critical, High, Medium and Low vulns on the host
You also get an Average System Risk Level, calculated from the averages across all hosts.
Note that you will need to set the Host Criticality for each host after the script has run, based on your knowledge of the system. In the Federal / NIST space I have been using a spread based on the FIPS 199 level (e.g. if it's a moderate system, hosts are ranked between 400 and 600 based on impact: workstations 400, domain controllers 600, etc.).
The second script, XMLTableStats.java, is a simple edit of one of my older scripts that adds a column for Host Count.
The overall value of this is that it lets you rank fix / repair order by vulnerability rather than by host.
Simply run the script:
java -Xms32m -Xmx1024m XMLTableStats *.nessus > Output.xls
Then in Excel sort by Risk Factor, then CVSS Score, then Host Count, all descending.
This gives you a fix list ordered by the highest severity of vulnerability and then by the number of hosts affected, which gives you the biggest bang for your buck if you fix by patch / issue.
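To make the two reports concrete (the per-host Risk Score table from XMLVulnStats and the per-vulnerability fix list from XMLTableStats), here is an added Python re-implementation of the calculations described above. It is example code written for this page, not the author's Java scripts, and it embeds a small constructed NessusClientData_v2 scan rather than a real one. The plugin IDs, names, hosts, the default criticality of 400 (a moderate-system workstation) and the reading of "Average System Risk Level" as the mean of the per-host Risk Scores are all assumptions; the informational items (risk_factor None) are dropped so that Total Vuln only counts Critical, High, Medium and Low findings.

```python
"""Per-host risk scores and a per-vulnerability fix list from .nessus XML.

Added example (not the XMLVulnStats / XMLTableStats Java code); prints
tab-separated tables that paste straight into Excel.
"""
import sys
import xml.etree.ElementTree as ET

# Nessus risk_factor values, highest first. Informational ("None") is excluded.
RISK_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# Constructed sample in NessusClientData_v2 layout; NOT a real scan result.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
<Report name="sample">
<ReportHost name="10.0.0.10">
 <ReportItem port="445" protocol="tcp" severity="4" pluginID="1001" pluginName="Example SMB RCE">
  <risk_factor>Critical</risk_factor><cvss_base_score>10.0</cvss_base_score></ReportItem>
 <ReportItem port="443" protocol="tcp" severity="2" pluginID="1002" pluginName="Example weak TLS ciphers">
  <risk_factor>Medium</risk_factor><cvss_base_score>5.0</cvss_base_score></ReportItem>
 <ReportItem port="0" protocol="tcp" severity="0" pluginID="1003" pluginName="Example host info">
  <risk_factor>None</risk_factor></ReportItem>
</ReportHost>
<ReportHost name="10.0.0.20">
 <ReportItem port="443" protocol="tcp" severity="2" pluginID="1002" pluginName="Example weak TLS ciphers">
  <risk_factor>Medium</risk_factor><cvss_base_score>5.0</cvss_base_score></ReportItem>
 <ReportItem port="22" protocol="tcp" severity="2" pluginID="1005" pluginName="Example outdated SSH">
  <risk_factor>Medium</risk_factor><cvss_base_score>6.5</cvss_base_score></ReportItem>
 <ReportItem port="80" protocol="tcp" severity="1" pluginID="1004" pluginName="Example banner disclosure">
  <risk_factor>Low</risk_factor><cvss_base_score>2.6</cvss_base_score></ReportItem>
</ReportHost>
<ReportHost name="10.0.0.30">
 <ReportItem port="445" protocol="tcp" severity="4" pluginID="1001" pluginName="Example SMB RCE">
  <risk_factor>Critical</risk_factor><cvss_base_score>10.0</cvss_base_score></ReportItem>
</ReportHost>
</Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Return {host: {pluginID: (pluginName, risk_factor, cvss)}}.
    Informational items are dropped; keying by pluginID means a plugin that
    fires on several ports of one host is counted once for that host."""
    hosts = {}
    for rh in ET.fromstring(xml_text).iter("ReportHost"):
        items = hosts.setdefault(rh.get("name"), {})
        for item in rh.iter("ReportItem"):
            rf = item.findtext("risk_factor", "None")
            if rf not in RISK_RANK:
                continue
            cvss = float(item.findtext("cvss_base_score", "0") or 0)
            items[item.get("pluginID")] = (item.get("pluginName"), rf, cvss)
    return hosts


def merge(*scans):
    """Combine several parsed scans (i.e. several .nessus files) into one."""
    out = {}
    for scan in scans:
        for host, items in scan.items():
            out.setdefault(host, {}).update(items)
    return out


def host_stats(findings, criticality, default_criticality=400):
    """Per-host table: Total CVSS, Host Criticality, Risk Score, Total Vuln.
    criticality maps host -> 100..1000 figure set from system knowledge;
    the default of 400 is an assumed FIPS 199 moderate-system workstation."""
    rows = {}
    for host, items in findings.items():
        total_cvss = sum(cvss for _, _, cvss in items.values())
        crit = criticality.get(host, default_criticality)
        rows[host] = {"total_cvss": total_cvss, "host_criticality": crit,
                      "risk_score": total_cvss * crit, "total_vuln": len(items)}
    return rows


def average_system_risk(rows):
    """Assumed reading of 'Average System Risk Level': mean per-host Risk Score."""
    return sum(r["risk_score"] for r in rows.values()) / len(rows) if rows else 0.0


def fix_list(findings):
    """Per-vulnerability table sorted by Risk Factor, CVSS, Host Count (descending)."""
    by_plugin = {}
    for host, items in findings.items():
        for pid, (name, rf, cvss) in items.items():
            row = by_plugin.setdefault(pid, {"plugin_id": pid, "name": name,
                                             "risk_factor": rf, "cvss": cvss, "hosts": set()})
            row["hosts"].add(host)
    rows = []
    for r in by_plugin.values():
        affected = r.pop("hosts")
        rows.append(dict(r, host_count=len(affected)))
    rows.sort(key=lambda r: (RISK_RANK[r["risk_factor"]], r["cvss"], r["host_count"]), reverse=True)
    return rows


def main(argv):
    # usage: python nessus_risk.py [file.nessus ...]   (no args: built-in sample)
    scans = [parse_nessus(open(p, encoding="utf-8").read()) for p in argv[1:]] or [parse_nessus(SAMPLE_NESSUS)]
    findings = merge(*scans)
    rows = host_stats(findings, {"10.0.0.10": 600})  # assumed: the domain controller
    print("Host\tTotal CVSS\tHost Criticality\tRisk Score\tTotal Vuln")
    for host, r in sorted(rows.items(), key=lambda kv: kv[1]["risk_score"], reverse=True):
        print(f"{host}\t{r['total_cvss']:.1f}\t{r['host_criticality']}\t{r['risk_score']:.1f}\t{r['total_vuln']}")
    print(f"Average System Risk Level: {average_system_risk(rows):.1f}")
    print("\nPlugin\tRisk Factor\tCVSS\tHost Count\tName")
    for r in fix_list(findings):
        print(f"{r['plugin_id']}\t{r['risk_factor']}\t{r['cvss']:.1f}\t{r['host_count']}\t{r['name']}")


if __name__ == "__main__":
    main(sys.argv)
```

On the sample, the domain controller 10.0.0.10 comes out with the highest Risk Score (15.0 * 600 = 9000) even though 10.0.0.20 has more findings, which is the point of the criticality weighting; and the fix list puts the Critical SMB plugin first, then the two Medium plugins ordered by CVSS rather than by how many hosts they touch.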
Hope this helps. I hope to extend the research a bit and refine the theory; I have only been playing with the numbers for a month or two, so any feedback would be appreciated.
Keep in mind what a measurement really is: for the most part it is anything that helps you understand a figure better than before. This is not designed to be a perfect, definitive number; it is designed to give you a quantifiable baseline to work from that is certainly better than what you had before.
Update: the talk has been posted on the media blog if you are interested.