
Rule severity

AQtive Guard (AQG) assigns a severity level to each identified cryptographic vulnerability and compliance issue, as specified in its associated rule. This severity helps you prioritize remediation efforts by indicating the potential risk and impact of a detected issue.

AQG severity ratings are calibrated to provide a realistic assessment of threats, balancing immediate exploitability with long-term security posture.

How AQtive Guard determines severity

AQG assigns severity according to a set of guiding principles and a well-defined classification system, so that findings are consistent and actionable. These principles include:

  • Minimizing false positives. For issues classified as Critical, AQG prioritizes minimizing false positives. This ensures that high-priority alerts genuinely indicate the most urgent potential threats.
  • Actionability vs. severity. Your ability to act on an issue doesn’t directly influence whether AQG categorizes it as Critical. Instead, actionability primarily guides prioritization within the High, Medium, and Low tiers.
  • CVEs are not inherently critical. A Common Vulnerabilities and Exposures (CVE) identifier doesn’t automatically classify an issue as Critical. Severity is assessed based on the reasonable risk an issue poses.
  • Contextual assessment. When issue severity depends on the specific context (for example, whether SHA-1 is used for a signature in a certificate), AQG assumes the context is acceptable unless definitive data proves otherwise.

Severity level criteria

This section explains the security criteria AQtive Guard uses to determine severity levels.

Critical

A Critical severity indicates an immediate and severe security risk. These vulnerabilities are typically:

  • Exploitable by a network attacker. Attackers can exploit them remotely, potentially through Machine-in-the-Middle (MITM) attacks or precise timing attacks.
  • Likely to cause an outage. Issues that could lead to service disruption.
  • Data leakage. Cryptographic protections that are easily breakable (for example, weakly encrypted data with known feasible attacks).
  • Certificates (on the fly):
    • Certificates with only 10-20% of their validity period remaining and less than one month until expiry.
    • Certificates that are no longer valid (already expired).
  • Certificates (on disk). Certificates close to their validity end date on either side: expiring within weeks, or expired within the last few days.

Note

AQtive Guard doesn’t classify unencrypted data as Critical.

High

High severity issues represent known vulnerabilities that are harder to exploit than Critical issues but still pose a significant risk. These include:

  • Vulnerabilities difficult to exploit:
    • Attacks requiring specific environmental conditions, such as VM-to-VM (VM2VM) attacks (for example, CPU hammering attacks).
    • Timing attacks proven only in laboratory settings.
    • Attacks requiring root access, such as unencrypted credentials on a compromised system.
  • NIST disallowed primitives. Use of cryptographic primitives that the National Institute of Standards and Technology (NIST) no longer permits for cryptographic protection.
  • Certificates with a wider window. Certificates approaching or past their validity end date, but outside the narrower windows that make them Critical.
  • Unknown certificates with long validity. Untrusted certificates that have an extended validity period.
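The certificate criteria under Critical (on the fly vs. on disk) and under High (the wider window, untrusted certificates with long validity) can be turned into a small triage function. The following Python is an added example, not AQtive Guard's code or its actual thresholds: the page only gives rough windows ("less than one month", "days after", "weeks before", "a wider window", "long validity"), so the concrete numbers (30 days, 20%, 14 and 7 days, 90 days, 398 days), the `Source`/`CertObservation` types, the fixed clock `NOW`, and the sample observations in `triage_examples()` are all assumptions made for illustration.

```python
"""Certificate-validity triage modelled on the severity windows on this page.

Constructed example, not AQtive Guard code; every concrete threshold is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional


class Source(Enum):
    ON_THE_FLY = "on the fly"  # certificate presented in a live connection
    ON_DISK = "on disk"        # certificate found in a file on a scanned host


@dataclass(frozen=True)
class CertObservation:
    not_before: datetime
    not_after: datetime
    source: Source
    trusted: bool = True  # False when the chain reaches no known trust anchor


# Assumed thresholds; the page gives only rough windows.
FLY_CRITICAL_REMAINING = timedelta(days=30)   # "less than one month until expiry"
FLY_CRITICAL_FRACTION = 0.20                  # "10-20% remaining valid period"
DISK_CRITICAL_BEFORE = timedelta(days=14)     # "weeks before" expiry, taken as two
DISK_CRITICAL_AFTER = timedelta(days=7)       # "days after" expiry, taken as seven
HIGH_WINDOW = timedelta(days=90)              # the "wider window" for High
LONG_VALIDITY = timedelta(days=398)           # assumed cut-off for "long validity"


def certificate_severity(cert: CertObservation, now: datetime) -> Optional[str]:
    """Return "Critical", "High", or None when no validity-window rule applies."""
    if cert.not_after <= cert.not_before:
        raise ValueError("notAfter must be later than notBefore")
    lifetime = cert.not_after - cert.not_before
    remaining = cert.not_after - now          # negative once the certificate has expired
    fraction_left = remaining / lifetime      # timedelta / timedelta gives a float
    expired = remaining <= timedelta(0)

    if cert.source is Source.ON_THE_FLY:
        # Still presented on the wire after expiry: Critical outright. Otherwise the
        # fraction test keeps short-lived (e.g. 90-day) certificates with a few weeks
        # left out of Critical, while a one-year certificate with the same days left is in.
        if expired:
            return "Critical"
        if remaining < FLY_CRITICAL_REMAINING and fraction_left <= FLY_CRITICAL_FRACTION:
            return "Critical"
        if remaining < HIGH_WINDOW:
            return "High"
    else:
        # On disk the Critical band is narrow on both sides of notAfter; a file that
        # expired longer ago, or one expiring within the wider window, is High.
        if expired and -remaining <= DISK_CRITICAL_AFTER:
            return "Critical"
        if not expired and remaining < DISK_CRITICAL_BEFORE:
            return "Critical"
        if expired or remaining < HIGH_WINDOW:
            return "High"

    # Independent of the expiry window: an untrusted certificate with a long validity is High.
    if not cert.trusted and lifetime > LONG_VALIDITY:
        return "High"
    return None


NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock so the examples are reproducible


def make_observation(days_since_not_before: int, days_until_not_after: int,
                     source: Source, trusted: bool = True) -> CertObservation:
    """Build a constructed observation relative to NOW (negative days_until_not_after = expired)."""
    return CertObservation(
        not_before=NOW - timedelta(days=days_since_not_before),
        not_after=NOW + timedelta(days=days_until_not_after),
        source=source,
        trusted=trusted,
    )


def triage_examples() -> Dict[str, Optional[str]]:
    """Constructed sample inventory; each entry exercises one branch of the triage."""
    samples = {
        "fly, 1y cert, 25d left":      make_observation(340, 25, Source.ON_THE_FLY),
        "fly, 90d cert, 25d left":     make_observation(65, 25, Source.ON_THE_FLY),
        "fly, expired yesterday":      make_observation(366, -1, Source.ON_THE_FLY),
        "disk, expired 3d ago":        make_observation(368, -3, Source.ON_DISK),
        "disk, expired 60d ago":       make_observation(425, -60, Source.ON_DISK),
        "disk, 10d left":              make_observation(355, 10, Source.ON_DISK),
        "disk, 60d left":              make_observation(305, 60, Source.ON_DISK),
        "disk, 200d left, trusted":    make_observation(165, 200, Source.ON_DISK),
        "disk, 900d left, untrusted":  make_observation(100, 900, Source.ON_DISK, trusted=False),
    }
    return {label: certificate_severity(obs, NOW) for label, obs in samples.items()}


if __name__ == "__main__":
    for label, severity in triage_examples().items():
        print(f"{label:30} -> {severity}")
```

The two "25 days left" cases show why the fraction test matters: a one-year certificate with 25 days remaining is Critical, whereas a 90-day certificate with the same 25 days still has more than a quarter of its lifetime left and only lands in High. The on-disk branch also shows the asymmetry the page describes: a file that expired three days ago is Critical, one that expired two months ago is merely High.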

Medium

Medium severity issues indicate configurations that reflect bad practices, or that use cryptographic elements which are deprecated or approaching deprecation. These are:

  • NIST upcoming deprecation: Use of cryptographic primitives that NIST has designated for deprecation in a future timeframe.
  • NIST deprecated: Use of cryptographic primitives that NIST has already deprecated.
  • Bad practices on unknown cryptography: Poor cryptographic practices applied to implementations not specifically recognized or categorized by AQG.

Low

Low severity issues are generally minor concerns or configurations that could become problematic in the distant future. These include:

  • NIST upcoming deprecation: Use of cryptographic primitives that NIST will deprecate in a more distant future timeframe.
  • Bad practices on known cryptography: Minor poor practices applied to known cryptographic elements.

Info

Info level findings indicate issues that AQG has identified but deems to pose minimal to no practical risk. AQG retains these for full transparency and to show that the issue wasn’t overlooked.

By default, Info level findings are hidden in the AQG user interface.

Tip

Issue severity can be downgraded to Info level using the Data enrichment feature.