Issue priority rating
Static and dynamic priority rating
Behind the scenes, each issue and asset in the system has a static priority rating: a statically assigned score for that asset or issue, split into the three categories (Confidentiality, Integrity and Availability). It also has a dynamic priority rating, the rating shown in the issue diamond and used to calculate priority scores, which is the static priority rating modified on the fly by Nanitor's intelligent risk adjustment algorithm. For instance, an issue's dynamic priority rating rises over time if the issue isn't addressed, since an issue that goes unfixed gives attackers a wider window to discover and exploit it; and an asset's dynamic priority rating is raised if the asset shares a domain, user or subnet with another asset that has a higher static priority rating, since access to this asset may then give attackers access to the more critical asset.
Static priority ratings are designed to be adjusted and overridden by Nanitor administrators to best reflect the organization’s security priorities for different assets and issues. Static priority ratings are unlikely to change except as directed by Nanitor administrators, or if an asset’s labels or benchmarks change. The dynamic priority rating, on the other hand, will be adjusted automatically on the fly by the Nanitor system, based on the assigned static priority rating and the dynamic factors affecting the rating (further details below).
Setting static asset priority ratings
For issues, the default static priority rating is set based on the issue type, and Nanitor system admins can often customize which issues are created and how important they are to the company, depending on the type:
- For misconfiguration issues, the default static priority rating in all categories is based on the criticality rating in the CIS benchmark (low = 1, medium = 3, high = 6, critical = 9). Individual benchmark rules can be removed from or added to the technical policy baseline when viewing a given benchmark from the Configurations page.
- For patch issues, the default static priority rating in all categories is 7.
- For vulnerability issues, the default static priority rating is calculated from the CVSS score vector assigned by NIST for the vulnerability in the National Vulnerability Database. Vulnerability management can be turned off (resulting in no vulnerability issues being created) under Organization Management → Settings → General in the admin settings.
- For software issues, the default static priority rating in all categories is 5. Specific software can be whitelisted or blacklisted, either on the entire system or for particular asset labels, under Inventory → Software in the top menu, and the software whitelisting policy can be changed under Organization Management → Settings → Issues in the Nanitor admin.
- For PII issues, the feature can be turned on and off for all assets or particular labels, as well as setting a priority rating for each PII type, under Organization Management → PII.
- For user and device issues, each type of possible problem detected by Nanitor can be enabled or disabled (through the "in baseline" checkbox), and a criticality rating of low/medium/high/critical can be set for each (same logic as for misconfigurations), under Organization Management → Settings → Issues. In addition, user-issue static priority ratings are higher the more assets the given user can access, as this increases the risk if the user is compromised. For instance, if a user has an expired password, and that issue is in the baseline with high severity, then the static issue priority rating for that issue will generally be 6 (in all categories). However, if the user has access to more than one asset, it is multiplied by 1.1 to become 6.6; if they have access to more than two it will be multiplied by 1.2 and become 7.2; if they have access to more than 10 it will be multiplied by 1.3 and become 7.8; and if they have access to more than 50 it will be multiplied by 1.4 and become 8.4.
Priority scaling factor
Furthermore, under Organization Management → Settings → Issues, an Issue type priority scaling factor can be applied to each issue type individually. If your company considers a certain type of issue more or less important relative to others than the default scores assigned by Nanitor suggest, you can adjust their relative weights by altering these values.
Since an issue can't get a priority score higher than 100, you may want to lower the scaling factor when you have hundreds of priority 0 issues (priority score > 81). This helps you identify the most important issues.
On the issue detail page, you can also adjust the priority scaling factor for that individual issue if desired by clicking on the pencil icon. That brings up a modal; change the selection to Custom, enter a scaling factor, then click Confirm.
Dynamic issue priority rating
The dynamic issue priority rating is dependent not only on the issue itself, but also on what assets the issue exists on. The issue may have a different dynamic priority rating on each asset.
The dynamic issue priority rating for a given issue on a given asset consists of the static issue priority rating for that issue multiplied by 1.000595^(number of hours since the issue was found on this asset), capping out at a month (720 hours). This means that as issues remain open on an asset without being addressed, their dynamic priority rating will steadily increase, up to a multiplier of ~1.53x.
The dynamic priority rating in a category for an issue as a whole, as listed on the issue detail page, is the dynamic issue priority rating on the asset where the issue has the highest overall priority score in that category. This means the priority rating is adjusted by how long it has been present on its most critical asset.
For instance, suppose that issue X, with a Confidentiality rating of 8.4, an Integrity rating of 3.8, and an Availability rating of 5.6 has been present on asset A for seven days but on asset B for 30 days. Asset A has Confidentiality 9.6, Integrity 8.6, and Availability 5.4, while asset B has Confidentiality 3, Integrity 5.3, and Availability 7.6.
On asset A, X’s dynamic priority rating will be multiplied by 1.1051 (1.000595^(7*24)), for Confidentiality 8.4 → 9.3, Integrity 3.8 → 4.2, and Availability 5.6 → 6.2. The priority scores will be:
Confidentiality: 9.3 * 9.6 = 89.28
Integrity: 4.2 * 8.6 = 36.12
Availability: 6.2 * 5.4 = 33.48
Meanwhile, on asset B, X’s dynamic priority rating will be multiplied by 1.5346 (1.000595^(30*24)). This makes X’s Confidentiality rating 8.4 → 10 (priority ratings cannot go higher than 10), the Integrity rating 3.8 → 5.8, and the Availability rating 5.6 → 8.6. The priority scores on B will be:
Confidentiality: 10 * 3 = 30
Integrity: 5.8 * 5.3 = 30.74
Availability: 8.6 * 7.6 = 65.36
The overall priority score of X will be 89.28 (the highest of all six priority scores), but its dynamic issue priority rating as listed in the issue detail will be Confidentiality 9.3 (from most critical asset A), Integrity 4.2 (from most critical asset A) and Availability 8.6 (from most critical asset B).
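The calculation above, reproduced as an added example (not Nanitor's own code): it applies the hourly age factor with the 720-hour cap, caps ratings at 10 and scores at 100, builds the per-asset score table for issue X on assets A and B, and derives the overall score and per-category issue rating from the asset with the highest score in each category. Rounding ratings to one decimal and scores to two, as the page does, is an assumption about display precision.

```python
AGE_BASE = 1.000595       # hourly growth factor from the page
AGE_CAP_HOURS = 720       # growth stops after a month (~1.53x)
CATEGORIES = ("confidentiality", "integrity", "availability")

def age_multiplier(hours_open):
    """1.000595^hours, capped at 720 hours."""
    return AGE_BASE ** min(hours_open, AGE_CAP_HOURS)

def dynamic_issue_rating(static_rating, hours_open):
    """Static rating scaled by age, capped at 10, rounded to one decimal."""
    return round(min(static_rating * age_multiplier(hours_open), 10.0), 1)

def priority_scores(issue_static, assets, scaling=1.0):
    """Per-asset, per-category score = dynamic issue rating * asset rating.

    issue_static: {category: static issue rating}
    assets: {name: {"hours_open": h, "ratings": {category: asset rating}}}
    scaling: issue-type scaling factor; scores never exceed 100.
    Returns (overall score, per-category issue rating, per-asset table);
    each table cell is (dynamic issue rating, priority score).
    """
    table = {}
    for name, asset in assets.items():
        row = {}
        for cat in CATEGORIES:
            dyn = dynamic_issue_rating(issue_static[cat], asset["hours_open"])
            score = min(dyn * asset["ratings"][cat] * scaling, 100.0)
            row[cat] = (dyn, round(score, 2))
        table[name] = row
    # The issue-level rating per category comes from the asset with the
    # highest priority score in that category (its "most critical asset").
    issue_dynamic = {}
    for cat in CATEGORIES:
        best = max(table, key=lambda n: table[n][cat][1])
        issue_dynamic[cat] = table[best][cat][0]
    overall = max(score for row in table.values() for _, score in row.values())
    return overall, issue_dynamic, table

# Constructed input: issue X on assets A and B from the worked example.
ISSUE_X = {"confidentiality": 8.4, "integrity": 3.8, "availability": 5.6}
ASSETS = {
    "A": {"hours_open": 7 * 24,
          "ratings": {"confidentiality": 9.6, "integrity": 8.6, "availability": 5.4}},
    "B": {"hours_open": 30 * 24,
          "ratings": {"confidentiality": 3.0, "integrity": 5.3, "availability": 7.6}},
}

if __name__ == "__main__":
    overall, dyn, table = priority_scores(ISSUE_X, ASSETS)
    for name, row in table.items():
        print(name, row)
    print("overall:", overall, "issue dynamic ratings:", dyn)
```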
The priority score for an issue only takes into account assets where the issue currently exists. When a priority score is displayed for an issue that has already been fully resolved on all assets, it will show the highest priority score on any asset where it previously existed. Note that the age-based elevation described here is controlled by the issue age scaling setting (see below) and is set to OFF by default.
Issue age scaling factor
The priority score of an issue can be raised with the age of the issue. This means that once an issue is detected in Nanitor, it gets a default priority rating based on the nature of the issue type (e.g. for a vulnerability, the priority rating is defined by the publisher of the vulnerability; for more information, refer to the section above about static issue priority ratings). The issue priority rating can then be elevated by age if the issue is not resolved. From version 2.3 onwards, the issue age elevator is disabled by default. It can be enabled in the Nanitor settings menu.
In Organization Management → Settings → Issues you can turn the priority issue age elevator ON or OFF by clicking the "Enable priority issue age scaling" radio button. By default, it is set to OFF.
When the issue priority elevator is enabled, this information is shown on the issue detail page. In the example below, the issue priority rating was elevated from 7.3 to 10 due to the issue's age. You have to hover over the info icon next to 7.3 to see this; even without it, you can tell that a rating of 7.3 can never produce a score of 100, since the only way to reach 100 is 10 × 10, so the rating must have been raised from 7.3 to 10 by aging.