Bandolier Severity Ratings
From SCADApedia
Nessus categorizes compliance check results as compliant, non-compliant, or inconclusive. Non-compliant results do not always represent a vulnerability but they do indicate that the system is not configured according to the security best practice. The Bandolier compliance checks go a step further and provide a severity rating to help asset owners understand the impact of being "non-compliant" with a specific check. This impact reflected in the severity rating is the impact to the workstation or server under test, not the impact to the control system or process being monitored and controlled.
The internal severity rating is listed in each test result, and each security test result also links to a Digital Bond subscriber page containing additional information.
Severity Ratings
Severe
This category represents the most serious potential impact to the workstation or server under test. A check that is non-compliant and has an internal rating of severe generally indicates that the workstation or server under test is at risk unless other specific mitigation measures are in place. Poorly configured directory permissions or network services, for example, can lead to system compromise and would have the severe rating.
Example
- Incorrectly configured permissions on critical system files or directories, such as /etc/passwd
- Web server or FTP server with improper user restrictions
Moderate
This category represents a variety of checks with potential control system security impact. They may not cause a compromise of the workstation or server under test, but could aid an attacker or become a more serious problem in the event of some other failure or compromise. Included in this category are items such as unnecessary services, inadequate password strength, insufficient logging, etc.
Example
- Network share that exposes sensitive information
- Incorrectly configured security event log settings
- Weak password requirements such as inadequate length or complexity requirements
Informational
This category represents checks that may not pose a threat to the workstation or server under test, or that are simply informational in nature. These are typically identification checks that indicate the role or version of a particular control system application.
Example
- Configuration file indicates that the system is serving in a particular role (e.g. historian, real time, etc.)
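The three-way result (compliant, non-compliant, inconclusive) and the severity tag described above, shown as a small added example that is not Bandolier's own audit code: a file-permission check in the style of the Severe example, with missing or unreadable files reported as inconclusive rather than as a pass. The file names and the per-check severities are constructed for the demonstration.

```python
import os
import stat
import tempfile
from dataclasses import dataclass

SEVERE, MODERATE, INFORMATIONAL = "Severe", "Moderate", "Informational"


@dataclass
class CheckResult:
    name: str
    status: str      # "compliant", "non-compliant" or "inconclusive"
    severity: str    # Bandolier-style impact to the host under test
    detail: str


def check_file_mode(name, path, max_mode, severity):
    """Non-compliant if any permission bit outside max_mode is set.
    A file that cannot be examined is 'inconclusive', never a pass."""
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except OSError as exc:
        return CheckResult(name, "inconclusive", severity, str(exc))
    if mode & ~max_mode:
        return CheckResult(name, "non-compliant", severity,
                           f"mode {mode:04o} exceeds {max_mode:04o}")
    return CheckResult(name, "compliant", severity, f"mode {mode:04o}")


def summarize(results):
    """Count non-compliant findings per severity so Severe ones surface first."""
    counts = {SEVERE: 0, MODERATE: 0, INFORMATIONAL: 0}
    for r in results:
        if r.status == "non-compliant":
            counts[r.severity] += 1
    return counts


def demo():
    # Constructed stand-ins for system files, created in a temp directory.
    with tempfile.TemporaryDirectory() as d:
        passwd = os.path.join(d, "passwd")
        open(passwd, "w").close()
        os.chmod(passwd, 0o666)          # world-writable: the Severe condition
        logcfg = os.path.join(d, "audit.conf")
        open(logcfg, "w").close()
        os.chmod(logcfg, 0o640)          # within the allowed mode
        results = [
            check_file_mode("passwd-perms", passwd, 0o644, SEVERE),
            check_file_mode("audit-config-perms", logcfg, 0o640, MODERATE),
            check_file_mode("role-file", os.path.join(d, "role.cfg"), 0o644, INFORMATIONAL),
        ]
        return results, summarize(results)
```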
See Also
Bandolier Compliance Check Categories
