Resources

Managing Risk

When the Uleska platform runs security testing, it applies a default level of risk to each finding based on the CVSS values returned by the security tools run as part of the toolkit.

The Uleska platform can enhance that risk analysis by combining the vulnerabilities returned by the security tools with the risk information you configure within Uleska.

To configure overall risk information:

  • Go to Configuration from the left menu bar, then the Value At Risk tab.


These settings follow the FAIR Institute model for calculating cyber Value At Risk (VaR). More details can be found in the FAIR Institute documentation, or contact Uleska and we will help you set this up.

These settings define the risk configuration and inputs used to determine the overall risk of each individual vulnerability found.

You can edit:

  • Max Time

  • Response Cost Per Day - how much you would expect the organisation to spend per day responding to a vulnerability at the technical level

  • Single Response Cost - the one-off cost of responding to a vulnerability outside of its technical handling

  • Reputation Value Per User - the cost you expect to incur per affected user if sensitive information is leaked

  • Loss Event Frequency Modifiers - convert the definition of how likely an issue is to occur into a numerical value, so that the risk calculation can be performed

Refer to your organisation’s risk teams, or to the FAIR Institute documentation, for more information on this configuration.

When you click Save, the new risk values are used for any subsequent test.

If you have modified the values and want them applied retrospectively, click Save & Recalculate instead. This goes back through historical tests and vulnerabilities and recalculates their risk using the new values. It takes a few minutes to take effect.

For Application-specific risk information, click Edit on your Application.


On the right are configuration settings that give the cyber Value At Risk calculation more context about the Application.

You can specify:

  • Number of Users

  • Internal - whether the Application is exposed to the wider internet or not; marking it internal reduces the expected number of attacks against the Application

  • Authenticated

  • Down Time Cost Per Day - how much it would cost the organisation if the system were down for a day

  • Restoration Cost - how much it would cost to restore the Application if it could not be brought back to its current state and had to be restored

If you are not sure what values to use, you can apply the defaults and adjust them based on your own estimates; the closer the values are to your organisation, the more specific the risk calculation will be.

For Version-specific information, click Edit for the Version you would like to view, then select the Web Pages tab.


Here you can specify the types of asset that are affected, and which parts of the Application handle them.

Affected Assets:

  • Public Information

  • Personally Identifiable Information

  • Personal Finance Information

  • Personal Health Information

  • Intellectual Property (IP)

Path:

You can assign a Path to a particular part of the system, as a URL or a code file, or enter a Wildcard to cover all parts of the Application. In either case you manually specify the Affected Assets for that Path.


This makes it easier for the platform’s risk analysis to understand the context of the data handled by this part of the code.

When you enter more specific files or areas of the code as the Path, the data sensitivity of the listed assets is applied to any issue returned by a tool whose location matches one of those Paths.
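The organisation-level values (Max Time, response costs, Reputation Value Per User, Loss Event Frequency Modifiers), the Application-level context (Number of Users, Internal, Authenticated, down time and restoration costs) and the Version-level Path to Affected Assets mapping described above can be put together in a FAIR-shaped model. The Python below is an added example written for this page; it is not Uleska's own calculation or code. FAIR defines risk as Loss Event Frequency (LEF) multiplied by Loss Magnitude (LM), and the example assumes a simplified mapping of each field onto one of those two terms. The CVSS severity bands are the standard v3 qualitative ratings; the scaling factors for Internal and Authenticated, the treatment of Max Time as a cap on per-day costs, the choice of which asset types count as sensitive, and every sample value are assumptions.

```python
# Illustrative FAIR-style cyber Value At Risk (VaR) for one finding.
# Added example, NOT Uleska's algorithm: risk = LEF x LM, with the page's
# configuration fields mapped onto those two terms under assumed rules.
from dataclasses import dataclass
from fnmatch import fnmatch

# Asset types from the page; which ones count as "sensitive" is assumed.
SENSITIVE_ASSETS = {
    "Personally Identifiable Information",
    "Personal Finance Information",
    "Personal Health Information",
    "Intellectual Property (IP)",
}
# Assumed effect of the Internal / Authenticated flags on attack frequency.
INTERNAL_LEF_FACTOR = 0.25
AUTHENTICATED_LEF_FACTOR = 0.5


@dataclass
class OrgRiskConfig:              # Configuration -> Value At Risk tab
    max_time_days: float          # assumed: cap on days of per-day costs
    response_cost_per_day: float
    single_response_cost: float
    reputation_value_per_user: float
    lef_modifiers: dict           # severity label -> annual loss-event probability


@dataclass
class AppRiskConfig:              # Application -> Edit
    number_of_users: int
    internal: bool
    authenticated: bool
    down_time_cost_per_day: float
    restoration_cost: float
    paths: list                   # Version -> Web Pages: [(Path pattern, {assets})]


@dataclass
class Vulnerability:              # one finding returned by a tool
    cvss: float
    location: str                 # URL or code file reported by the tool
    response_days: float          # estimated days of technical response
    causes_down_time: bool
    needs_restoration: bool


def severity_from_cvss(cvss: float) -> str:
    """Map a CVSS v3 base score onto the standard qualitative bands."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def affected_assets(app: AppRiskConfig, location: str) -> set:
    """Union of asset types for every configured Path the location matches.
    '*' is the Wildcard entry covering the whole Application; fnmatch does not
    treat '/' specially, so '/api/payments/*' also matches nested paths."""
    assets = set()
    for pattern, path_assets in app.paths:
        if fnmatch(location, pattern):
            assets |= set(path_assets)
    return assets


def loss_event_frequency(org, app, severity: str) -> float:
    """LEF: the severity modifier, scaled down for internal-only and
    authenticated Applications (assumed factors)."""
    lef = org.lef_modifiers[severity]
    if app.internal:
        lef *= INTERNAL_LEF_FACTOR
    if app.authenticated:
        lef *= AUTHENTICATED_LEF_FACTOR
    return lef


def loss_magnitude(org, app, vuln, assets: set) -> float:
    """LM: sum of the cost components the page's fields describe."""
    days = min(vuln.response_days, org.max_time_days)   # Max Time caps per-day costs
    total = org.response_cost_per_day * days + org.single_response_cost
    if assets & SENSITIVE_ASSETS:        # reputation loss only when sensitive data is in scope
        total += org.reputation_value_per_user * app.number_of_users
    if vuln.causes_down_time:
        total += app.down_time_cost_per_day * days
    if vuln.needs_restoration:
        total += app.restoration_cost
    return total


def value_at_risk(org, app, vuln) -> float:
    """Annualised expected loss for one finding: LEF x LM."""
    assets = affected_assets(app, vuln.location)
    lef = loss_event_frequency(org, app, severity_from_cvss(vuln.cvss))
    return lef * loss_magnitude(org, app, vuln, assets)


# Constructed sample configuration and findings (not real data).
ORG = OrgRiskConfig(10, 2000.0, 5000.0, 50.0,
                    {"Critical": 0.9, "High": 0.5, "Medium": 0.2, "Low": 0.05})
APP = AppRiskConfig(10_000, False, True, 20_000.0, 15_000.0,
                    [("*", {"Public Information"}),
                     ("/api/payments/*", {"Personally Identifiable Information",
                                          "Personal Finance Information"})])
PAYMENT_FLAW = Vulnerability(9.8, "/api/payments/charge", 14, True, False)
STATIC_FLAW = Vulnerability(5.3, "/static/logo.png", 2, False, False)

if __name__ == "__main__":
    for v in (PAYMENT_FLAW, STATIC_FLAW):
        print(v.location, severity_from_cvss(v.cvss),
              sorted(affected_assets(APP, v.location)),
              round(value_at_risk(ORG, APP, v), 2))
```

Two things the example makes visible that the field list alone does not: the same CVSS-driven default is pushed apart by context (the payments finding inherits Personal Finance Information through its Path match, so Reputation Value Per User times Number of Users dominates its loss magnitude, while the static-asset finding only ever carries Public Information), and changing any organisation-level value changes every historical figure, which is why Save & Recalculate exists as a separate action from Save.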