Issues

What are issues?

Within the Nanitor system, an issue is a possible problem with your system’s security posture. Once the Nanitor agent has been installed on an asset or a Nanitor collector has been configured to monitor it, the Nanitor system will automatically detect issues on your assets and collect them on the Nanitor server.

An issue can be detected on one or multiple assets but will be only listed once in the Nanitor issue list.

The assets an issue has been found on can be seen on the issue detail page.

The Issue Diamond

Navigating to the Issues menu will reveal the Nanitor Issue diamond.

The tilted table on the issue prioritization page is the Nanitor Issue Prioritization Diamond. It shows an overview of the criticality of issues found in your system. Issues have a score (priority score) between 0 and 100 with 100 indicating the highest possible priority. The priority groups on the right-hand side of the issue diamond are P0 (for issues with a priority score of 81-100), P1 (for issues with a priority score of 64-80), and P2 (for issues with a priority score of 49-63). Ensure that your operations teams are actively monitoring the prioritized list of issues identified by Nanitor. They should be actively addressing ALL critical (P0) issues and striving to keep issues in P1 (imminent) and P2 (project) to a low number.

The two dimensions of the diamond are labeled Dynamic asset priority rating and Dynamic issue priority rating, meaning the diamond visualizes how the criticality of the asset combined with the criticality of the issue determines the overall criticality of the actions needed.

Priority rating

A priority rating can be fractional but is rounded to the nearest integer for display in the diamond. For instance, if an issue has a dynamic issue priority rating of 9.8, and the issue exists on assets with a dynamic asset priority rating of 9.4, then it will be counted towards the square corresponding to issue priority rating 10 and asset priority rating 9 - the one just to the right side of the top square.

The priority ratings are Nanitor’s assessment of how critical an asset or issue is for the overall security posture of the system, expressed as a number from 1 to 10.

Each integer (rounded priority rating) is represented by a square in the diamond from 1 to 10.

When you start with Nanitor, your issue diamond may well look similar to the screenshot below, where all reported issues have a dynamic asset rating of 5. By default, assets get a priority rating of 5 unless a label with a different rating is applied to them or the asset rating is set on the asset itself.

If we take a closer look at the reddest squares at the top of the diamond, we can for example see the number 24 in the square corresponding to the issue priority rating of 10 and asset priority rating of 10, and the number 12 in the square corresponding to issue priority rating 8 and asset priority rating 10. This means that there are 24 issues that should be addressed right away.

Each issue is counted in the square corresponding to the highest asset priority rating of any asset the issue exists on, so that for instance if an issue exists only on one single asset with a priority rating of 10, one with a priority rating of 8 and one with priority rating 5, it will still only appear in the square corresponding to asset priority 9. If we click on the number 24 on top of the diamond, it will take us to the list of the top 24 issues with an issue priority score between 81 and 100.

The "Assets" row shows how many assets the issue is present on (4 in the example above). Clicking on the number "4" will bring up a list of the assets that are affected by the discovered issue.

Now we see that the issue is only rated with a priority score of 84 on three assets out of 4. But that is enough to rate the issue itself with a score of 84 and therefore treat it as a high-priority issue. The reason for a different score between the assets is a different asset rating.

Since these are critical issues (high issue priority rating) that exist on important assets (high asset priority rating), these issues are likely to be particularly urgent and should be prioritized ahead of other issues that are less critical or occur on less important assets.

Issue Types

Issues are split into several issue types, representing different kinds of problems:

  • Misconfiguration issues are known insecure asset configurations, as identified by benchmarks issued by the Center for Internet Security (CIS).
  • Patch issues are patches that are missing on particular assets.
  • Vulnerability issues are known vulnerabilities in an asset’s operating system or software installed on the asset, as identified by the National Cybersecurity Federally Funded Research and Development Center and collected from the National Vulnerability Database (NVD). Vulnerabilities are often caused by missing software updates or patches.
  • Software issues are blacklisted (or not whitelisted, if the ‘strict’ software policy has been enabled) software found on the organization’s assets, or software missing from assets where that software has been set as mandatory.
  • PII issues are personally identifiable information such as credit card numbers or social security numbers that have been discovered on an asset’s file system (if the PII feature is enabled).
  • Device issues are problems with the presence of assets on the network. These may be assets that have been officially decommissioned but are still checking into the Nanitor system (indicating an asset may not have been properly reformatted and may still contain company data), assets discovered on the network that do not have a Nanitor agent installed and are not monitored by a Nanitor collector (if the network discovery feature has been enabled), or assets with blacklisted ports open (or non-whitelisted, if the ‘strict’ port whitelisting policy has been enabled).
  • User issues are problems with users that can access assets within the system, such as users with expired passwords, domain admins that can access non-domain controller assets, or users that are local admins on multiple different assets.

Issue Opened age vs Issue Published age

Issue published age: This is our best estimate of when the issue was first reported; for vulnerabilities, it’s when they were published, while for patches it’s when our system first detected them. Issue types other than patches and vulnerabilities don’t have a published age.

Issue opened age: This is just when the issue in question was last opened - if the issue is closed and then opened again at some point, that timer resets.

Priority categories

Priority ratings are actually split into three categories, Confidentiality, Integrity, and Availability, which you can see when you view a single issue or asset. Within the Nanitor system, the highest of these three values is generally treated as the issue or asset’s overall priority rating. Confidentiality refers to the risk of confidential information being leaked, Integrity refers to the risk of data being corrupted or manipulated, and Availability refers to the risk of critical systems becoming unavailable.

Priority Score

A priority score for an issue on a given asset is calculated by multiplying together the priority ratings of the issue and asset. A priority score is calculated independently for each of the three categories (Confidentiality, Integrity, and Availability), with the highest of the resulting scores treated as the overall priority score for the issue on the asset. This allows the priority score to take into account how different issues might not have the same impact on every asset.

For example, imagine asset A has a Confidentiality rating of 9.6, an Integrity rating of 8.6, and an Availability rating of 5.4. This might for instance be a database that stores sensitive data. Meanwhile, issue X, an exploit that enables unauthorized read access to data and can disrupt other access, has a Confidentiality rating of 8.4, an Integrity rating of 3.8, and an Availability rating of 5.6. If issue X is found on asset A, then its priority score on that asset will be

Confidentiality: 9.6 * 8.4 = 80.64

Integrity: 8.6 * 3.8 = 32.68

Availability: 5.4 * 5.6 = 30.24

This issue has a very high impact on this asset - this is a database of sensitive data, and this issue means the data could be leaked to attackers. This is reflected in the Confidentiality priority score, which is very high because the Confidentiality rating is high on both the asset and the issue. Since the overall priority score on the asset is the highest of the three, the overall priority score for X on asset A will be 80.64, showing this is a critical, high-priority issue that should be fixed as soon as possible.

Meanwhile, another issue Y has a Confidentiality rating of 1 and an Integrity rating of 2.4, but a high Availability rating of 9.8 - perhaps a vulnerability that enables a critical denial-of-service attack vector, but leaks no data to the attacker. If this issue is found on asset A, then the resulting priority scores will be

Confidentiality: 9.6 * 1 = 9.6

Integrity: 8.6 * 2.4 = 20.64

Availability: 5.4 * 9.8 = 52.92

Since availability, what this issue targets, isn’t nearly as important on this asset, the overall priority score for issue Y on this asset is only 52.92, even though issue Y’s overall priority rating is higher than issue X’s.

The overall priority score shown for a given issue in the Nanitor issue lists is the highest priority score that this issue has on any asset where the issue exists. Thus, if A is the only asset issue Y is found on, then 52.92 will be issue Y’s overall priority score, and it will be ranked as less important than issue X because its potential impact on this asset is lower. If issue Y came up on another asset B with a higher Availability rating, on the other hand, asset B would have a higher priority score for issue Y, and that would become issue Y’s overall priority score.
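The scoring rules above, together with the rounding used for the diamond squares, as an added Python example (not Nanitor's own code). The ratings for asset A and issues X and Y are the ones on this page; asset B is constructed, and both the round-half-up rule and the rounding of a fractional score before it is compared with the P0/P1/P2 ranges are assumptions.

```python
import math

CATEGORIES = ("confidentiality", "integrity", "availability")

def half_up(x):
    # Assumption: "nearest integer" means round half up (round() rounds half to even).
    return math.floor(x + 0.5)

def score_on_asset(issue, asset):
    """Per-category issue x asset products; the highest one is the score on that asset."""
    per_cat = {c: round(issue[c] * asset[c], 2) for c in CATEGORIES}
    return max(per_cat.values()), per_cat

def overall_score(issue, assets):
    """Score shown in the issue list: the highest score on any asset the issue exists on."""
    return max(score_on_asset(issue, a)[0] for a in assets)

def priority_group(score):
    # Assumption: a fractional score is rounded before it is compared with the
    # integer ranges given on the page (P0 81-100, P1 64-80, P2 49-63).
    s = half_up(score)
    if s >= 81:
        return "P0"
    if s >= 64:
        return "P1"
    if s >= 49:
        return "P2"
    return None  # below the three groups listed beside the diamond

def diamond_square(issue, assets):
    """(issue rating, asset rating) square: the overall rating is the highest
    category, and the highest-rated asset the issue exists on decides the square."""
    issue_rating = max(issue[c] for c in CATEGORIES)
    asset_rating = max(max(a[c] for c in CATEGORIES) for a in assets)
    return half_up(issue_rating), half_up(asset_rating)

ASSET_A = {"confidentiality": 9.6, "integrity": 8.6, "availability": 5.4}
ASSET_B = {"confidentiality": 3.0, "integrity": 4.0, "availability": 9.0}  # constructed
ISSUE_X = {"confidentiality": 8.4, "integrity": 3.8, "availability": 5.6}
ISSUE_Y = {"confidentiality": 1.0, "integrity": 2.4, "availability": 9.8}

if __name__ == "__main__":
    cases = (("X on A", ISSUE_X, [ASSET_A]), ("Y on A", ISSUE_Y, [ASSET_A]),
             ("Y on A+B", ISSUE_Y, [ASSET_A, ASSET_B]))
    for name, issue, assets in cases:
        s = overall_score(issue, assets)
        print(name, s, priority_group(s), diamond_square(issue, assets))
```

Issue Y lands in the lowest listed group while asset A is the only affected asset, and moves to the top group once it also appears on the availability-critical asset B.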

Static and Dynamic priority

Behind the scenes, each issue and asset in the system has two ratings, each split into the three categories. The static priority rating is a static assigned score for this asset or issue. The dynamic priority rating is the rating shown in the issue diamond and used to calculate priority scores; it is calculated as the static priority rating modified on the fly by Nanitor’s intelligent risk adjustment algorithm. For instance, an issue’s dynamic priority rating will rise over time if the issue isn’t addressed, since an issue going unfixed for some time gives attackers a wider window to discover the issue and exploit it. Likewise, an asset’s dynamic priority rating will be raised if the asset shares a domain, user or subnet with another asset that has a higher static priority rating, as access to this asset may then provide attackers with access to the more critical asset.

Static priority ratings are designed to be adjusted and overridden by Nanitor administrators to best reflect the organization’s security priorities for different assets and issues. Static priority ratings are unlikely to change except as directed by Nanitor administrators, or if an asset’s labels or benchmarks change. The dynamic priority rating, on the other hand, will be adjusted automatically on the fly by the Nanitor system, based on the assigned static priority rating and the dynamic factors affecting the rating.