Determining test severity
Considerations for determining and altering the severity of Vulnerability Assessment tests.
Guardium® Vulnerability Assessment lets you alter the severity of each vulnerability assessment (VA) test, including tests that belong to different security assessments.
Defining test severity
The Guardium Vulnerability Assessment research and development team determines the severity of tests derived from specific benchmarks, such as Security Technical Implementation Guides (STIG) or Center for Internet Security (CIS) benchmarks, by considering the following references, along with Common Vulnerability Scoring System (CVSS) scoring for each specific Common Vulnerabilities and Exposures (CVE) test.
- Type of Vulnerability (CVEs)
- Configuration
- Privileges
- Authentication
- Database vendor’s security guide (in collaboration with database vendor teams)
- Extensive industry research and expertise
- Compliance Benchmarks (STIGs and CIS)
A VA test can reference multiple benchmarks, vendors, and other security references in parallel.
Determining the severity of CRITICAL and MAJOR tests
- Password default and password hardening policies are typically assigned a CRITICAL severity because they are deemed important in making sure that database account authentication cannot be easily hacked.
- Default database ports can be vulnerable to a variety of security risks, including brute-force attacks, exposure of sensitive information, malware distribution, and DDoS attacks.
- Tests of encryption protocols, encryption strengths, encryption at rest, and various database defaults that can negatively affect production databases.
- The largest concentration of configuration tests falls in the MAJOR and CRITICAL (highest security impact) severities; the remaining levels are CAUTION, MINOR, and INFO. Severity is assigned based on the individual configuration and the database type.
- PUBLIC grants on objects are assigned the CRITICAL severity level, based on the CRITICAL system-level roles, privileges, and authorities of the respective database types.
- Most privilege tests are assigned a CRITICAL or MAJOR severity. Some object types or privileges are more sensitive than others and are assigned different severity levels (CRITICAL, MAJOR, MINOR, and CAUTION).
Guardium VA patch tests recommend that the DBA patch the database server to the latest patch level, as determined by comparing the server against metadata derived from the quarterly DPS upload.
Beginning with the 2019 Q3 DPS (15 August 2019), the severity of each new CVE test is defined from the CVE's CVSS 3.0 score, so that CVE test severity stays in sync with CVSS 3.0 scoring.
For more information on optimizing tests, see Tuning a test.