Issues Severity Definitions and Examples
ASM Issue Severity Definitions and Examples | Docs
This document describes how Attack Surface Management (ASM) determines the severity ratings for Issues.
Confidence Level of Issues
ASM uses triage categories to determine whether an Issue needs further investigation or is ready for review.
- Confirmed: ASM has high confidence in the finding.
- Potential: There is a known vulnerability related to this Entity, but ASM cannot confirm that this is true in this case.
Google Threat Intelligence recommends prioritizing Confirmed Issues.
Prioritization of Issues
Google TI recommends giving priority to the resolution of Critical and High severity Issues in order to strengthen the Entities associated with these Issues. As a customer, you iterate on the ASM program. You and other team members discuss how you can effectively triage Medium and Low severity Issues over time. Discussions could be about a ticketing system or whether channels of communication are open to infrastructure or technology owners.
The following table, Issue Severity Definitions, outlines a common understanding of the risks of vulnerability, misconfiguration, and exposure.
Issue Severity | Definitions | Examples |
---|---|---|
Critical | The asset has an increased risk of exploitation based on activity observed in the wild, or the potential exposure and data leakage will negatively affect the organization. Successful exploitation could allow a threat actor to achieve persistence, lateral movement, account compromise, or data exfiltration. A CVE CVSS 9.0-10.0 and a Critical Risk Rating from Mandiant validate the issue severity. Suggested Usage: - Investigate within 24 Hours - Remediate within 7 Days | - Gitlab - Account Takeover via SCIM (CVE-2022-1680) - Atlassian Confluence Server - Arbitrary Code Execution (CVE-2022-26134) - vBulletin Unauthenticated Remote Code Execution (CVE-2019-16759) - Log4j aka Log4Shell Unauthenticated Remote Code Execution (CVE-2021-44228) |
High | The asset has a vulnerability, misconfiguration, or exposure that, when exploited or leveraged by a threat actor, can enable them to achieve persistence or lateral movement or perform unauthenticated actions. CVEs with a CVSS of 7.0-8.9 or a High Risk Rating from Mandiant Threat Intelligence generate high severity Issues. Suggested Usage: - Investigate within 48 Hours - Remediate within 14 Days | - Exposed RDP or SMB - Command and Control (C2) Server Identified - World Writeable AWS S3 Bucket |
Medium | The asset is vulnerable; however, the affect of exploitation is offset by hardening methods such as MFA or additional access requirements that hinder a threat actor from achieving their mission. Suggested Usage: - Investigate within 72 Hours - Remediate within 21 Days | - Exposed VPN Service - Exposed Databases - A 2FA which can be bypassed |
Low | The asset has a vulnerability, misconfiguration, or exposure that can further a threat actor's reconnaissance effort, but does not pose an immediate risk. In some organizations, low severity Issues are considered acceptable. Suggested Usage: - Investigate within 4 Days - Remediate within 28 Days | - World Readable AWS S3 Buckets - Wildcard Certificates - Security Headers Missing from URL |
Informational | Security hygiene insights that do not require immediate attention but should be addressed during ongoing efforts to improve security posture. You may choose to delegate informational Issues to the appropriate team. Suggested Usage: - Investigate within 1 Month - Remediate within 3 Months | - Self-signed Certificates - Deprecated SSL/TLS Protocols - Insecure Cookies |
Numeric Severity
A numeric severity system is used when configuring some ASM outbound integrations. The following table outlines the numbers associated with each Issue Severity level in ASM.
Issue Severity | Numeric representation |
---|---|
Critical | 1 |
High | 2 |
Medium | 3 |
Low | 4 |
Informational | 5 |
Updated 17 days ago