Skip to main content

Prioritize Security Findings

Mondoo scores and ranks security findings to help you prioritize fixes to your infrastructure. Our unique algorithms calculate risk score, blast radius, and rank based on a combination of contextual risk factors in your environment. You can spend more time closing security gaps and less time sifting through irrelevant or low-priority findings.

Security findings are potential issues that can make your infrastructure vulnerable to attack. The Mondoo Console reveals security findings in all the assets you integrate with Mondoo. Findings include:

  • Misconfigurations that can expose your infrastructure to attackers

  • Known vulnerabilities (or CVEs, common vulnerabilities and exposures) in the software installed on your assets

  • Advisories published by software makers to alert the public about gaps in their products

Mondoo scans your assets and discovers any of these issues that exist on each asset, assigns each one a risk score and blast radius unique to your environment, and ranks them compared to other findings. This rank helps you decide which findings are most important to fix.

Risk score

Mondoo assigns a risk score of Low, Medium, High, or Critical to each finding. The risk score is calculated using a base score and contextual risks.

Begin with a base score

Each finding has a base score associated with it, which Mondoo uses as a foundation for calculating the risk score.

For misconfigurations exposed by Mondoo's security policies, the base score comes from the policy. Each finding is the result of a check in a policy. The base score is based on the impact score of a check. For example, if an asset fails the check "Ensure / and /home are encrypted" in the Linux Workstation Security policy, that finding has a high base score because of its high impact score in the policy. To learn about policies and checks, read Policy as Code.

For CVEs and advisories, the base score is the CVSS score.

Factor contextual risk

Base scores essentially evaluate in a vacuum the threat of a finding. They don't take into consideration any properties of the asset or environment. For example, they don't consider whether an asset is internet-facing or has enhanced security measures in place. These are called contextual risk factors, and they're Mondoo's second consideration when calculating a finding's risk score.

These are the contextual risk factors that Mondoo uses when calculating risk:

Risk factorDescriptionAffect on risk score
Accessible keysKey or credential information is exposed on the asset.Raise
End-of-life (EOL)The asset is running an operating system version that is approaching or has reached EOL (no longer supported).Raise
DatabaseThe asset hosts a running database (MySQL or PostgreSQL).Raise
In useThe asset has a running service or is in active use. Examples are assets running sshd, OpenSSH, NGINX, or Apache, or assets with open or listening ports.Raise
DefensiveThe asset has defensive countermeasures in place (SELinux or AppArmor).Lower

Contextual risk factors allow Mondoo to more accurately assess the risk of a finding because they consider the asset, the environment in which the finding exists.

You can customize the degree of impact that different risk factors have on asset security scores. To learn how, read Customize How Risk Factors Affect Asset Scores.

Blast radius

The blast radius of a finding is the impact that the finding has on a space. Mondoo can expose the same finding on multiple assets in a space. It calculates blast radius of the finding using the risk scores of all of the assets in the space that have that finding.

If Mondoo discovers a finding on many assets in a space and the risk scores of that finding on those assets is high, then the blast radius is high. If Mondoo discovers a finding on fewer assets or the risk score of the finding on assets is low, then the blast radius is lower.

Rank

Even with contextual risks considered, there can be many findings scored as Critical—enough to be overwhelming. Mondoo addresses this by ranking the highest-priority findings in a space. You can find lists of the top-ranked security findings and vulnerabilities on the Space Dashboard and Security Overview.

Space dashboard in the Mondoo Console

Mondoo ranks findings based on a combination of their risk scores and blast radii. The highest-ranked findings for a space have both high risks scores and high blast radii. By considering the ideal calculation of CVSS score, priority, contextual risks on affected assets, and number of affected assets, Mondoo is able to provide lists of the top important issues to resolve in your infrastructure.

See also