Assessing Risk From a Nessus Vulnerability Scan

Nessus is a very popular vulnerability scanner used by thousands of organizations to test their networks for vulnerabilities.  Nessus can find the latest vulnerabilities and exposures on a variety of operating systems.  These findings range from minor, such as an inconsequential information disclosure like the version banner of a service running on the system, to major, such as a remotely exploitable application that allows a full system compromise.  Nessus can detect thousands of problems, and it classifies each as one of four "risk severities": Critical, High, Medium, and Low (findings with no score are reported separately as informational).  These severities are determined by the Common Vulnerability Scoring System (CVSS) score associated with the vulnerability: roughly 9.0 and above is Critical, 7.0 to 8.9 is High, 4.0 to 6.9 is Medium, and anything below 4.0 is Low.

I want to discuss the difference between Nessus "risk severities" and what we mean by risk at HealthGuard.  Nessus "risk severities" are based on CVSS, which is a scoring system for the exploitability and impact of software vulnerabilities and exposures.  That is, it only tells you how easily a vulnerability can be exploited by an attacker, given the opportunity, and what the vulnerability allows an attacker to do to the specific system.  It does not measure the probability that an attack against your environment actually succeeds, nor the monetary loss that attack would cause, and it knows nothing about the business value of the host the finding sits on or how reachable that host is.  Vulnerability ratings on a Critical to Low scale are qualitative measurements.  To make clear decisions about true vulnerability risk, we must convert these ratings into quantitative measurements: an estimate of how likely a successful attack is in a given period, multiplied by the loss we would expect if it happened.
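The following is an added example, not code or data from the original post or from Tenable.  It reads a constructed CSV in the shape of a Nessus export (a subset of columns; the hosts and plugin names are made up) and re-ranks the findings by annualized loss expectancy instead of by the Risk label.  The per-host exposure factors, loss figures and per-severity likelihoods in `ASSETS` and `LIKELIHOOD_BY_SEVERITY` are assumptions standing in for an organization's own estimates; swap in real ones.  The point it demonstrates is that a "Medium" on a reachable, high-value host can carry more risk than a "Critical" on an isolated lab box.

```python
"""Rank Nessus findings by estimated annualized loss rather than by severity label.

Added example: the asset values, exposure factors and per-severity likelihoods
below are assumptions for illustration, not data from the original page.
"""
import csv
import io

# Constructed sample in the shape of a Nessus CSV export (subset of columns);
# hosts and plugin names are made up for the example.
SAMPLE_NESSUS_CSV = """Risk,CVSS v3.0 Base Score,Host,Protocol,Port,Name
Critical,9.8,10.0.5.20,tcp,445,Remote code execution in legacy file service
Medium,5.3,10.0.1.10,tcp,443,Outdated TLS library on web front end
Low,3.1,10.0.1.10,tcp,22,SSH version disclosure
None,0.0,10.0.1.10,tcp,80,HTTP server type detected
"""

# Assumed asset profile per host: exposure factor (how reachable the host is to
# an attacker, 0..1) and estimated loss in USD if it is fully compromised.
ASSETS = {
    "10.0.1.10": {"exposure": 1.0, "loss_if_compromised": 500_000.0},  # internet-facing portal (assumed)
    "10.0.5.20": {"exposure": 0.2, "loss_if_compromised": 50_000.0},   # isolated lab host (assumed)
}

# Assumed annual probability that an attacker who can reach the host succeeds
# in exploiting a finding of this severity. Stand-ins for the organization's
# own estimates, not values from Nessus or CVSS.
LIKELIHOOD_BY_SEVERITY = {
    "Critical": 0.9,
    "High": 0.6,
    "Medium": 0.3,
    "Low": 0.01,
    "None": 0.0,
}


def severity_from_cvss(score: float) -> str:
    """Qualitative rating for a CVSS v3 base score (the CVSS v3 severity bands)."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def parse_nessus_csv(text: str) -> list:
    """Read the CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def annualized_loss(finding: dict, assets: dict) -> float:
    """Annualized loss expectancy: P(successful attack per year) x loss if compromised."""
    asset = assets[finding["Host"]]
    likelihood = LIKELIHOOD_BY_SEVERITY.get(finding["Risk"], 0.0) * asset["exposure"]
    return likelihood * asset["loss_if_compromised"]


def rank_findings(csv_text: str, assets: dict) -> list:
    """Return (host, severity, name, ALE) tuples, highest estimated loss first."""
    rows = parse_nessus_csv(csv_text)
    ranked = [
        (r["Host"], r["Risk"], r["Name"], annualized_loss(r, assets)) for r in rows
    ]
    ranked.sort(key=lambda item: item[3], reverse=True)
    return ranked


if __name__ == "__main__":
    for host, severity, name, ale in rank_findings(SAMPLE_NESSUS_CSV, ASSETS):
        print(f"{host:12} {severity:9} ${ale:>10,.0f}  {name}")
```

With the assumed inputs the Medium TLS finding on the portal ranks first at an expected loss of $150,000 a year, while the Critical on the lab host comes in at $9,000, because the lab host is rarely reachable and worth little if lost.  The severity label still matters (it drives the likelihood term), but it is only one input to the number you actually prioritize on.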

This is not to say the Nessus ratings are useless.  They are a great indicator of which patches are missing on specific systems, as well as which services are running and other informational items.  That is valuable from a network visibility standpoint.  It also provides a general baseline for how well an organization maintains its individual systems.

As an aside, the problem with the term "risk" here is one of semantics, but it highlights a common problem in the IT security industry.  In this case, Nessus uses "risk" for a qualitative rating, while we use "risk" for a quantitative measurement.  As an industry, we do not have common and widely accepted definitions for even simple terms like "risk".  However, many industry leaders are beginning to recognize this and push for a higher degree of consistency.
