Custom Risk Classification
Use custom risk scores in JSA Vulnerability Manager to classify vulnerabilities that pose the most risk to your organization. Custom risk classification allows you to override a vulnerability's risk with your own risk classification.
Based on your individual requirements, you might want to override a vulnerability's risk with your own risk classification. A vulnerability that JSA Vulnerability Manager classifies with a high CVSS score might not pose a serious risk to your organization because of mitigating factors. For example, if a CVSS 9.5 IPv6 vulnerability is published and an enterprise has no IPv6 infrastructure, the high CVSS score is not justified.
Configuring Custom Risk Scores for Vulnerabilities
In JSA Vulnerability Manager, you can add an internal custom risk score to vulnerabilities that reflects the real risk to your organization. Assigned vulnerabilities have an associated remediation ticket with a due date that can be changed by adding a custom risk.
A nightly auto update job runs to update all the custom risk fields, so for reporting and saved search purposes your custom risk changes do not take effect right away. To populate the custom risk information that you entered without waiting for the nightly job, run the auto update manually by clicking the Auto Update icon on the Admin tab.
1. Click the Vulnerabilities tab.
2. In the navigation pane, click Research > Vulnerabilities or Manage > Vulnerabilities.
3. To assign a custom risk score to a vulnerability, use the following steps:
   1. Select a vulnerability and click Edit/Triage.
   2. Choose a custom risk type from the Custom Risk Assignment window.
      Removing the custom risk for assigned vulnerabilities reverts the vulnerability due date to the PCI severity value.
      Tip: If you set the custom risk type to CVSS, the custom risk value is based on the CVSS environmental score.
   3. To reflect the vulnerability assignment, you can add a note by using the RTF text box. For example, you can add a note to explain why you are changing the classification.
   4. Click Save.
   When a custom risk is created on any vulnerability, a new column that is called Custom Risk is displayed in the Research Vulnerabilities or Manage Vulnerabilities screen.
4. To view the custom risk details and the note related to a custom risk assignment, double-click the vulnerability.
5. To calculate the due date for an assigned vulnerability's remediation ticket, use the Calculate Assigned Vulnerability Due Date setting.
   1. On the Admin tab, click QVM Configuration.
   2. In the QVM Configuration window, set the Calculate Assigned Vulnerability Due Date option to True.
      This setting is enabled by default. When it is enabled, the assigned vulnerability due date is recalculated when a custom risk is applied, so that it corresponds to the due days set for that risk value in Vulnerability Assignment > Remediation Settings.
The following table outlines sample scenarios where the custom risk might change the due date of a remediation ticket.

| Scenario | Custom Risk | Existing Due Date | Updated Due Date |
|---|---|---|---|
| Custom risk used to increase ticket priority. | Increased from existing value | Later than the custom risk due date | Vulnerability takes the custom risk due date. |
| Custom risk used to decrease ticket priority. | Decreased from existing value | Earlier than the custom risk due date | Vulnerability takes the custom risk due date. |
| Custom risk used to increase ticket priority. | Increased from existing value | Earlier than or equal to the custom risk due date | Vulnerability keeps the existing due date. |

JSA Vulnerability Manager adds the following note to the vulnerability details if any of these scenarios occur:

Vulnerability Details Note: Custom risk set to ___. Due date has been changed from xxxxxx to xxxxxx.

Tip: If you disable Calculate Assigned Vulnerability Due Date, the due date is not recalculated.
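The following Python is an added illustration of the due-date rules in the scenario table; it is not JSA Vulnerability Manager code and does not reflect how the product stores its data. The function names, the `REMEDIATION_DUE_DAYS` numbers (which in the product come from Vulnerability Assignment > Remediation Settings) and the `RISK_RANK` ordering are assumptions made for the example. The three documented scenarios are implemented as written; for combinations the table does not list (a lowered priority whose existing due date is already later than the custom risk due date, or a custom risk equal to the existing value) the example keeps the existing due date, which is an assumption.

```python
# Added example, not JSA Vulnerability Manager code: a model of the
# "Calculate Assigned Vulnerability Due Date" behaviour described above.
from datetime import date, timedelta
from typing import Optional, Tuple

# Constructed sample of the due days per risk value. In the product these
# come from Vulnerability Assignment > Remediation Settings; the numbers
# below are assumptions for this example only.
REMEDIATION_DUE_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Assumed ordering used to decide whether a custom risk raises or lowers
# the ticket priority relative to the existing risk value.
RISK_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def custom_risk_due_date(applied_on: str, custom_risk: str) -> str:
    """Due date implied by a custom risk: the date it was applied plus the
    configured due days for that risk value. Dates are ISO-8601 strings."""
    due = date.fromisoformat(applied_on) + timedelta(days=REMEDIATION_DUE_DAYS[custom_risk])
    return due.isoformat()


def recalculate_due_date(existing_due: str, existing_risk: str, custom_risk: str,
                         applied_on: str, calculate_enabled: bool = True
                         ) -> Tuple[str, Optional[str]]:
    """Return (updated due date, vulnerability details note or None).

    Implements the three documented scenarios:
      1. priority increased and the existing due date is later than the
         custom risk due date            -> take the custom risk due date
      2. priority decreased and the existing due date is earlier than the
         custom risk due date            -> take the custom risk due date
      3. priority increased and the existing due date is earlier than or
         equal to the custom risk due date -> keep the existing due date
    Any other combination keeps the existing due date (an assumption; the
    documentation does not list those cases).
    """
    if not calculate_enabled:
        # Setting disabled: the due date is never recalculated.
        return existing_due, None

    existing = date.fromisoformat(existing_due)
    candidate = date.fromisoformat(custom_risk_due_date(applied_on, custom_risk))
    increased = RISK_RANK[custom_risk] > RISK_RANK[existing_risk]
    decreased = RISK_RANK[custom_risk] < RISK_RANK[existing_risk]

    if increased and existing > candidate:
        updated = candidate        # scenario 1
    elif decreased and existing < candidate:
        updated = candidate        # scenario 2
    else:
        updated = existing         # scenario 3 and undocumented combinations

    if updated == existing:
        return existing_due, None
    # Mirrors the wording of the Vulnerability Details note on the page.
    note = (f"Custom risk set to {custom_risk}. Due date has been changed "
            f"from {existing_due} to {updated.isoformat()}.")
    return updated.isoformat(), note


if __name__ == "__main__":
    # Constructed sample: a medium ticket due 2024-03-01 is re-triaged as
    # critical on 2024-01-01, so it moves to the earlier critical due date.
    print(recalculate_due_date("2024-03-01", "medium", "critical", "2024-01-01"))
```

Feeding the function a ticket whose priority was raised but whose existing due date is already earlier than the custom risk due date returns the existing date unchanged and no note, matching the third scenario in the table.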
To search for vulnerabilities that are not yet triaged, use the following steps:
1. In the navigation pane, click Research > Vulnerabilities.
2. Click Search > New Search.
3. In the Custom Risk Level section, select one of the following parameters to search:

   Table 1: Custom Risk Search Parameters

   | Custom Risk Search Type | Description |
   |---|---|
   | All Vulnerabilities | Returns all vulnerabilities regardless of whether a custom risk is assigned. |
   | All triaged vulnerabilities | Returns all vulnerabilities with a custom risk assigned. |
   | All not yet triaged vulnerabilities | Returns all vulnerabilities that do not have an assigned custom risk. |
   | All vulnerabilities with the specific custom risk level | Returns vulnerabilities that are filtered on the selected custom risk type, for example, critical, high, or medium. |

4. Click Search.
To export a list of vulnerabilities from the Vulnerability List screen for audit or compliance purposes, use the following steps:
1. In the navigation pane, click Research > Vulnerabilities.
2. Select the CSV or XML export option.