Washington DC Security User Group

  • 1.  CCS Standard Check Risk Score

    Posted Jan 15, 2013 04:55 PM

    I need some documentation to explain how the risk score is calculated for each check. Setting C,I,A,AV,Ac and Au to maximum values does not give me value of 10 but 8.6 using the formula in the CCS manual.

    Base score = round_to_1_decimal (((0.6*Impact) + (0.4*Exploitability) – 1.5) * f(Impact))

     

    Any reference?



  • 2.  RE: CCS Standard Check Risk Score

    Posted Jan 15, 2013 05:07 PM

    Just got the links in case someone is interested:

    http://www.first.org/cvss/cvss-guide.html

     

    All explanations



  • 3.  RE: CCS Standard Check Risk Score

    Posted Jan 28, 2013 02:42 PM

    The CIA ratings on the asset are also in play. The CVSS calculation is what we use, but you also have to classify your assets.



  • 4.  RE: CCS Standard Check Risk Score

    Posted May 28, 2013 09:47 AM

    Recently I wrote a script related to a "CIS Benchmark - Word Export". If you have a little knowledge of PowerShell you'll be able to calculate the resulting risk scores for checks (based on A;A;A and C,I,A).

     
     

    #########################################################################################
    # Function for CVSS Score #
    ###########################
    #
    # Example [High Risk]: CalculateBaseCVSS -AccessVector "network accessible" -AccessComplexity "low" -Authentication "no authentication" -ConfImpact "complete" -IntegImpact "complete" -AvailImpact "complete"
    #         [Low Risk]:  CalculateBaseCVSS
    #
    # BaseScore6 = round_to_1_decimal(((0.6*Impact)+(0.4*Exploitability)–1.5)*f(Impact))
    # Impact = 10.41*(1-(1-ConfImpact)*(1-IntegImpact)*(1-AvailImpact))
    # Exploitability = 20* AccessVector*AccessComplexity*Authentication
    # f(impact)= 0 if Impact=0, 1.176 otherwise
    #
    # AccessVector = case AccessVector of
    #   not defined: 0.15    # Added for SIX and CCS Not Defined Values
    # requires local access: 0.395
    #   @CCS local accessible
    # adjacent network accessible: 0.646
    # network accessible: 1.0
    #
    # AccessComplexity = case AccessComplexity of
    #   not defined: 0.15    # Added for SIX and CCS Not Defined Values
    # high: 0.35
    # medium: 0.61
    # low: 0.71
    #
    # Authentication = case Authentication of
    #   not defined: 0.15    # Added for SIX and CCS Not Defined Values
    # requires multiple instances of authentication: 0.45
    # requires single instance of authentication: 0.56
    # requires no authentication: 0.704
    #
    # ConfImpact = case ConfidentialityImpact of
    #   not defined: 0.15    # Added for SIX and CCS Not Defined Values
    # none: 0.0
    # partial: 0.275
    # complete: 0.660
    #
    # IntegImpact = case IntegrityImpact of
    #   not defined: 0.15    # Added for SIX and CCS Not Defined Values
    # none: 0.0
    # partial: 0.275
    # complete: 0.660
    #
    # AvailImpact = case AvailabilityImpact of
    #   not defined: 0.15    # Added for SIX and CCS Not Defined Values
    # none: 0.0
    # partial: 0.275
    # complete: 0.660
    #

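    Function CalculateBaseCVSS {
        <#
        .SYNOPSIS
        Computes a CVSS v2 base score from the six base metrics.

        .DESCRIPTION
        Implements
            BaseScore = round_to_1_decimal(((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact))
            Impact = 10.41 * (1 - (1-ConfImpact)*(1-IntegImpact)*(1-AvailImpact))
            Exploitability = 20 * AccessVector * AccessComplexity * Authentication
            f(Impact) = 0 if Impact = 0, 1.176 otherwise
        Any metric value that is not recognised (including the default "undefined")
        is scored with the 0.15 "Not Defined" weight used for SIX / CCS exports.

        Metric names are matched case-insensitively and with whitespace removed, so
        both the short tokens ("NetworkAccessible", "noauthentication") and the
        CVSS-guide phrases ("network accessible", "requires no authentication") work.

        .PARAMETER AccessVector
        "localaccess" / "requires local access" (0.395), "AdjacentNetworkAccessible" (0.646),
        "NetworkAccessible" (1.0); anything else 0.15.
        .PARAMETER AccessComplexity
        "high" (0.35), "medium" (0.61), "low" (0.71); anything else 0.15.
        .PARAMETER Authentication
        "multipleinstance(s)" (0.45), "singleinstance" (0.56), "noauthentication" (0.704);
        anything else 0.15.
        .PARAMETER ConfImpact
        "none" (0.0), "partial" (0.275), "complete" (0.660); anything else 0.15.
        .PARAMETER IntegImpact
        Same scale as ConfImpact.
        .PARAMETER AvailImpact
        Same scale as ConfImpact.

        .OUTPUTS
        System.String - "<score> <code>", where <code> is one index per metric in the
        order AV, AC, Au, C, I, A (0..2 = the recognised values in the order listed
        above, 3 = not defined), e.g. "10 2#2#2#2#2#2".

        .EXAMPLE
        CalculateBaseCVSS -AccessVector "network accessible" -AccessComplexity "low" -Authentication "no authentication" -ConfImpact "complete" -IntegImpact "complete" -AvailImpact "complete"
        .EXAMPLE
        CalculateBaseCVSS   # every metric "undefined" -> lowest score
        #>
        param(
        $AccessVector="undefined",
        $AccessComplexity="undefined",
        $Authentication="undefined",
        $ConfImpact="undefined",
        $IntegImpact="undefined",
        $AvailImpact="undefined"
        )

        # Metric weights in the order AV, AC, Au, C, I, A (indices 0..5 below).
        $CVal = @()
        # Per-metric index string returned next to the score. Initialised locally so
        # a $tmpCheckVal defined in the caller's scope can never leak into the result.
        $tmpCheckVal = ""

        # Callers pass either "NetworkAccessible" or "network accessible"; strip
        # whitespace so one pattern covers both. "$x" also turns $null into "" so
        # the switch below always runs (switch over $null executes no arm at all).
        $av = "$AccessVector" -replace '\s', ''
        $au = "$Authentication" -replace '\s', ''

        # Access Vector. The adjacent arm must come before the network arm because
        # "*NetworkAccessible" would also match it; 'break' stops at the first hit.
        switch -Wildcard ($av) {
            "*AdjacentNetworkAccessible" { $CVal += 0.646; $tmpCheckVal += "1"; break }
            "*NetworkAccessible"         { $CVal += 1.0;   $tmpCheckVal += "2"; break }
            "*localaccess*"              { $CVal += 0.395; $tmpCheckVal += "0"; break }
            default                      { $CVal += 0.15;  $tmpCheckVal += "3" }
        }

        # Access Complexity
        switch ("$AccessComplexity") {
            "high"   { $CVal += 0.35; $tmpCheckVal += "#0" }
            "medium" { $CVal += 0.61; $tmpCheckVal += "#1" }
            "low"    { $CVal += 0.71; $tmpCheckVal += "#2" }
            default  { $CVal += 0.15; $tmpCheckVal += "#3" }
        }

        # Authentication. CVSS v2 weights are 0.45 / 0.56 / 0.704 (as in the header
        # comment); the Access Complexity weights must not be reused here.
        switch -Wildcard ($au) {
            "*multipleinstanc*" { $CVal += 0.45;  $tmpCheckVal += "#0"; break }
            "*singleinstance*"  { $CVal += 0.56;  $tmpCheckVal += "#1"; break }
            "*noauthentication" { $CVal += 0.704; $tmpCheckVal += "#2"; break }
            default             { $CVal += 0.15;  $tmpCheckVal += "#3" }
        }

        # Confidentiality, Integrity and Availability share one scale. Iterate the
        # values directly rather than expanding "`$ConfImpact" strings at runtime.
        foreach ($imp in @($ConfImpact, $IntegImpact, $AvailImpact)) {
            switch ("$imp") {
                "none"     { $CVal += 0.0;   $tmpCheckVal += "#0" }
                "partial"  { $CVal += 0.275; $tmpCheckVal += "#1" }
                "complete" { $CVal += 0.660; $tmpCheckVal += "#2" }
                default    { $CVal += 0.15;  $tmpCheckVal += "#3" }
            }
        }

        # Impact uses the three impact weights (indices 3-5), Exploitability the
        # three exploitability weights (indices 0-2).
        $Impact = 10.41 * (1 - (1 - $CVal[3]) * (1 - $CVal[4]) * (1 - $CVal[5]))
        $Exploitability = 20 * $CVal[0] * $CVal[1] * $CVal[2]

        # f(Impact) is 0 when there is no impact at all, so the score is exactly 0;
        # computing it explicitly avoids a "-0" from multiplying a negative by 0.
        $BaseScore = 0
        if ($Impact -ne 0) {
            $fImpact = 1.176
            # NOTE(review): [Math]::Round rounds midpoints to even (banker's
            # rounding); CVSS calculators generally round half up, so an exact
            # x.x5 intermediate may differ by 0.1 from NVD - confirm if that matters.
            $BaseScore = [System.Math]::Round((((0.6 * $Impact) + (0.4 * $Exploitability) - 1.5) * $fImpact), 1)
        }

        "$BaseScore $tmpCheckVal"
    }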