Severity computation #73
How exactly do you compute severity? For example, in the CIS Benchmarks you have only two levels: L1 and L2. So how can you add a level? Is it based on these levels, or is it only your own estimation? Also, what is the exact definition of High, Medium and Low?
Replies: 1 comment 1 reply
Level 1 and 2 are specifications from CIS; I have simply adopted them. Therefore, I will not make any adjustments or add more levels there.

The severity levels are my personal assessments if the framework does not give any guidelines. In the case of NIST/STIG, they have defined severity levels themselves. Basically, I use CVSS as a guideline, but this is not quite as easy to convert for configuration reviews, since a missing configuration setting does not directly represent a vulnerability.