Frequently Asked Questions

  • What is SCORES?

    Seconize Contextual Risk Enumeration System (SCORES) is a simple and effective way of prioritizing vulnerabilities and misconfigurations alike.

  • When to use SCORES?

    Imagine you have ended up with thousands of issues identified while running vulnerability assessment and penetration testing tools on your IT infrastructure. Remediating them is often a daunting task. SCORES will help you prioritize these vulnerabilities using proven decision science algorithms. So each time you hear of a new CVE (log4j, follina and others), don't panic. Keep calm and SCORE.

  • Who is using SCORES?

    SCORES is developed by Risk-Score. So far it has been used in 1000+ assessments to prioritize 1000000+ identified vulnerabilities. It is used by organizations in all verticals, such as IT, ITES, EdTech, FinTech, Pharma, Healthcare and IoT, among many others.

  • What is wrong with prioritizing using CVSS?

    The Common Vulnerability Scoring System (CVSS) is predominantly static and does not consider the context of your organization or of the asset on which a vulnerability is identified. It is a vulnerability scoring system, not a risk scoring system. The mere existence of a vulnerability is not a risk on its own. Prioritizing vulnerabilities often involves many contextual parameters and tough decisions. For example, a CVSSv3 score of 9.8 is considered highly critical, but it is found on a Windows Server that has minimal customer data, whereas a CVSSv3 score of 7 is considered moderate severity, but it is found on a database server that contains most of your customer data. What if one CVE has a known exploit and the other does not? What if the Windows Server is facing the Internet, whereas the database server is behind a VPN? Also, CVSS is not applicable to application security vulnerabilities and misconfigurations such as those in the OWASP Top Ten or CIS Benchmarks.

  • What is wrong with prioritizing using EPSS?

    The Exploit Prediction Scoring System (EPSS) is the latest standard by first.org, intended predominantly to predict whether an exploit is likely to be developed in the near future. It is only one of many parameters that are needed to prioritize vulnerabilities.

  • So how does SCORES work?

    SCORES is based on simple foundational principles that are widely accepted by the risk community, i.e. risk is a function of the likelihood of a threat and its impact. A risk score is computed for each vulnerability using numerous factors. A high-level overview is given below:

    1. Each vulnerability is contextualized using threat intelligence to identify the availability of an exploit, active malware campaigns, and the industries and geographies impacted.
    2. The asset's susceptibility to a cyber attack is considered, based on whether it is reachable via the Internet or sits behind any existing security controls.
    3. The Likelihood of Threat is then computed from both the enriched vulnerability parameters and the asset's susceptibility.
    4. The Impact Factor is derived from how important that asset is in your infrastructure. Essentially, each asset is ranked.
    5. The Risk Score is then computed from both the Likelihood of Threat and the Impact. All these computations are made using a proven decision science algorithm called the Analytic Hierarchy Process.
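
    The steps above, sketched as an added example; this is not Seconize's code, and the factor names, pairwise judgments, factor values and impact ranks are all constructed assumptions. It derives factor weights with the Analytic Hierarchy Process, rejects inconsistent judgments, and scores the two servers from the CVSS question.

```python
from math import prod

# Saaty's random consistency index for matrices of size n.
RANDOM_INDEX = {3: 0.58, 4: 0.90, 5: 1.12}

def ahp_weights(matrix):
    """Return (weights, consistency_ratio) for a reciprocal pairwise matrix."""
    n = len(matrix)
    # The geometric mean of each row approximates the principal eigenvector.
    gm = [prod(row) ** (1.0 / n) for row in matrix]
    weights = [g / sum(gm) for g in gm]
    # Estimate lambda_max from A.w, then compute Saaty's consistency ratio.
    aw = [sum(a * w for a, w in zip(row, weights)) for row in matrix]
    lambda_max = sum(x / w for x, w in zip(aw, weights)) / n
    cr = ((lambda_max - n) / (n - 1)) / RANDOM_INDEX[n]
    if cr >= 0.10:
        raise ValueError(f"pairwise judgments are inconsistent (CR={cr:.2f})")
    return weights, cr

def risk_score(factors, weights, impact):
    """Likelihood = weighted sum of 0..1 factors; risk = likelihood * impact."""
    likelihood = sum(w * f for w, f in zip(weights, factors))
    return round(likelihood * impact * 100, 1)

# Hypothetical judgments on Saaty's 1-9 scale. Factor order:
# exploit available, Internet reachable, base severity (CVSS / 10).
JUDGMENTS = [
    [1.0, 3.0, 5.0],      # exploit availability vs. the other two
    [1 / 3, 1.0, 2.0],    # Internet reachability
    [1 / 5, 1 / 2, 1.0],  # base severity
]
WEIGHTS, CR = ahp_weights(JUDGMENTS)

# Constructed findings: Windows Server (CVSS 9.8, Internet-facing, no known
# exploit, low asset rank) and database server (CVSS 7, behind a VPN, known
# exploit assumed, high asset rank).
windows = risk_score([0.0, 1.0, 0.98], WEIGHTS, impact=0.2)
database = risk_score([1.0, 0.0, 0.70], WEIGHTS, impact=0.9)

if __name__ == "__main__":
    print("weights:", [round(w, 3) for w in WEIGHTS], "CR:", round(CR, 4))
    print("windows:", windows, "database:", database)
```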

  • Where can I learn more about the nuances between vulnerabilities, threats and risk?

    You can learn more about the terminology, definitions and examples here.

  • What are the information sources used?

    National Vulnerability Database (NVD), AlienVault OTX, ExploitDB, Vuls

If you have further questions, suggestions or feedback, feel free to reach us at scores@seconize.co