Questions

0

Standard measure for "Average asset risk score"

Good day, a client presented the following case:

"I would like your help to know which best practices or standards Rapid7/Nexpose recommends based on the 'Average asset risk score', since we are in an audit process and we see that Nexpose gives us a level of risk, but we do not know what the optimum, medium or minimum level is. For example, in a report that was made, 'Average asset risk score: 96,585', what would be the optimum level of this score recommended by the Rapid7 engineers? What standard is used for this type of score, or who defines what the optimal level is and what is not? In one of the previous reports, an objective of 30,000 was defined internally in terms of the 'Average asset risk score', but it was an internal agreement, and what we want to know is what this objective would be based on a standard, or what number we should take as a basis for this 'Average asset risk score' that we can verify in front of an audit, since instead of 30,000 we could have put maybe less or more, but we would rather base ourselves on a standard."

We investigated and found that, to measure the "Average asset risk score", the risk score report provides grades for each of your Nexpose groups, which can be organized by Sites, Tags, or Asset Groups based on how you want to organize your environment. The grading system works on the A through F range and is based on a curved scale system of your environment. In this case, the closer you are to the letter A, the better, and the further you move towards F, the more critical (information from: https://blog.rapid7.com/2014/08/13/improving-visibility-into-your-security-program-the-risk-scorecard-report/).

We want to know if you can suggest that "standard measure" to evaluate the "Average asset risk score", or if in this case it does not exist and everything depends on the evaluations carried out by other methods.

First of all, thanks. Best regards.

nexpose

Posted by Julio César Sánchez 2 months ago


0

Standard measure for "Average asset risk score"

Good day, a client raised the following topic:

"I would like your help to know which best practices or standards Rapid7/Nexpose recommends regarding an acceptable 'Average asset risk score', since we are in an audit process and we see that Nexpose gives us a level of risk, but we do not know what the optimum, medium or minimum level is. For example, a report that was run shows 'Average asset risk score: 96,585'; what would be the optimum level of this score recommended by the vendor? What standard is used for this type of score, or who defines which level is optimal and which is not? In one of the previous reports, an objective of 30,000 was defined internally for the 'Average asset risk score', but it was an internal agreement, and what we want to know is what this objective would be based on a standard, or what number we should take as a basis for this 'Average asset risk score' and be able to substantiate in an audit, since instead of 30,000 we could have set perhaps less or more, but we would rather base ourselves on a standard."

We found that, to measure the "Average asset risk score", the risk score report provides grades for each of your Nexpose groups, which can be organized by sites, tags or asset groups according to how you want to organize your environment. The grading system works on the range from A to F and is based on a curved scale system of your environment. In this case, the closer it is to the letter A the better, and the further it moves towards F the more critical (information from: https://blog.rapid7.com/2014/08/13/improving-visibility-into-your-security-program-the-risk-scorecard-report/).

We want to know whether you can suggest that "standard measure" for evaluating the Average asset risk score, or whether in this case it does not exist and everything depends on evaluations carried out by other methods.

We look forward to your comments, and thank you in advance. Kind regards.

Posted by Julio César Sánchez 2 months ago