Risk Scoring

With so many possible threats, Appthority MTP provides risk scoring to help sort through and prioritize them. TI Risk (also called Risk Level) is the basis for scoring the risk assigned to devices, policies, and apps.

TI Risk and Description

The MTT researchers assign each Threat Indicator a Risk, on a scale of 0-10, that reflects the potential risk of a violation. For ease of use in the MTP Mobile App, these are described as High/Med/Low.

| TI Risk Desc in MTP Mobile App | TI Risk | TI Risk Description |
| High | 10 | Malicious behaviors that affect not only mobile devices but also company networks and other components. |
| High | 9 | Malicious behaviors that directly cost money, such as ransomware, bill fraud, sending unauthorized SMSes, making unauthorized calls, or backdoor attacks. The Appthority blacklist is in this category. |
| High | 8 | Adware, spyware, stealing device and personal information (PII). |
| Med | 7 | Sending enterprise related information such as a calendar and an address book. |
| Med | 6 | Accessing information or sending identifiable information such as International Mobile Equipment Identity (IMEI). |
| Med | 5 | Vulnerable to remote exploits due to open ports and/or disabled SSL validation. |
| Med | 4 | Vulnerable to exploits due to not following best practices regarding storage encryption, rooting/jailbreaking, and enabling developer mode. |
| Low | 3 | Contains suspicious behaviors related to malware, such as running exec or using JS patching. |
| Low | 2 | Contains suspicious behaviors related to adware, such as changing a home screen icon and preventing devices from being locked. |
| Low | 1 | Contains suspicious behaviors related to data leakage, such as asking for permissions that are not currently used. |
| None | 0 | Metadata that is gathered and adds informational value, but does not necessarily indicate a threat or lack of threat. Some Information TIs are positive in nature, such as "Uses Security Framework", and are useful for identifying good app coding practices. |

Risk level 0 TIs cannot be added to policies. If an Informational TI is something that you want to track in a policy for your Organization, first change its Risk level in the Compliance > Threat Indicators tab and then add it to a policy.

TI Risk Low/Med/High color-coded descriptions are used solely in the MTP Mobile App interface. The numbers are used in various screens of the MTP Manager.

TI Risk and Policy Risk Score

Appthority MTP assesses the Risk of the TIs in a policy and assigns a Risk Score to the policy. The Risk Score for a policy is equal to the TI that has the highest Risk (not an average of the TI risk scores) in the policy.

  • A high Risk Score policy has a TI with a Risk of 8, 9, or 10.
  • A medium Risk Score policy has a TI with a Risk of 4, 5, 6, or 7.
  • A low Risk Score policy has a TI with a Risk of 1, 2, or 3.
  • A Risk of 0 indicates an informational TI. Informational TIs cannot be added to a policy unless you raise the Risk level in the Compliance > Threat Indicators tab.

Policy Risk Scores are used:

  • To help you see at a glance the Risk profiles of your set of policies.
  • To determine what policy violations appear in the Active High-Risk Threats dashlet on the Dashboard.
  • To sort the violations shown in the Threat Impact dashlet on the Dashboard.
  • On the Devices > Device ID Details > Policy Violations tab.
  • To sort the violations shown on the MTP Mobile App dashboard.

Modifying TI Risk

As you review TIs and decide how to use them for your organization, you can modify their Risk Level numbers, except for TIs that are High risk (malicious). You can change a TI Risk number at the Organizational level in the Compliance > Threat Indicators tab.

For example, your company may have reason to raise or lower the global Risk Level of a camera app threat, depending on how your end users are expected to use camera apps.

Tips:

  • In addition to the risk level, TIs can be active or inactive, except for those considered to be High risk (malicious). High risk TIs are active by default and cannot be deactivated. Med/Low/No-risk TIs are inactive by default and you can activate them. For a TI to affect a policy score it must be active.
  • Due to the large number of TIs you would not want all of them to be active, considering that your Organization probably does not encounter all of them.
  • In some cases you may want to customize a TI Risk at the policy level instead of at the global Organization level. If so, contact your Customer Support Manager for assistance.

App Risk Score

In addition to App Policy Risk Scores, Appthority MTP assigns each app an App Risk Score.

The App Risk Score is determined by what active TI behaviors the app exhibits, if any. The number of the highest Risk active TI is assigned to the app as its App Risk Score. For example, if an app exhibits three active Threat Indicators, and TI_A has a Risk of 2, TI_B is at Risk 7, and TI_C is Risk 4, then the App Risk Score is 7.

The High/Med/Low categories are the same as those for App Policy Risk Scores.

The App Risk Score displays in the Apps tab.

App Risk Scores are used:

  • To quickly see the risk profile of each app.
  • To sort apps in the Apps tab.
  • As a threshold for a filter on an App Policy.
  • To sort the violations shown on the MTP Mobile App dashboard.

Device Risk Score

In the Devices tab, the Risk is based on the highest-risk active TI in an active App Policy or active Device Policy that has been violated.

Tip: The Device Risk Score is based on active policy violations, whereas App Risk Score is based on active TI behaviors.

The Device Risk Score should match the score shown in the MTP Mobile App.

Device Risk Scores are used:

  • To quickly see device risk profiles in the MTP Manager.
  • To sort devices by risk in the Devices tab.
  • As a threshold for a filter on a Device Policy.
  • To assign High/Med/Low risk violations that display in the MTP Mobile App.
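
The following is an added sketch, not Appthority code, that models the policy, app, and device scoring rules described above and shows how an App Risk Score and a Device Risk Score can differ for the same device. The `TI` and `Policy` classes, the function names, and the sample data are hypothetical; reading the Device Risk Score as the highest Policy Risk Score among violated active policies is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TI:                       # hypothetical model of a Threat Indicator
    name: str
    risk: int                   # TI Risk, 0-10
    active: bool = True

@dataclass(frozen=True)
class Policy:                   # hypothetical model of an App or Device Policy
    name: str
    tis: tuple
    active: bool = True

def band(score):
    """High = 8-10, Med = 4-7, Low = 1-3, None = 0."""
    if score >= 8:
        return "High"
    if score >= 4:
        return "Med"
    return "Low" if score >= 1 else "None"

def highest_active(tis):
    """Highest Risk among active TIs (never an average); 0 if none is active."""
    return max((ti.risk for ti in tis if ti.active), default=0)

def policy_risk_score(policy):
    # Risk 0 (informational) TIs cannot be part of a policy.
    if any(ti.risk == 0 for ti in policy.tis):
        raise ValueError(f"{policy.name}: Risk 0 TIs cannot be added to a policy")
    return highest_active(policy.tis)

def app_risk_score(exhibited_tis):
    """Based on the active TI behaviors the app exhibits."""
    return highest_active(exhibited_tis)

def device_risk_score(violated_policies):
    """Based on violated policies; inactive policies do not count."""
    return max((policy_risk_score(p) for p in violated_policies if p.active),
               default=0)

# Constructed sample data, using the TI names from the App Risk Score example.
TI_A, TI_B, TI_C = TI("TI_A", 2), TI("TI_B", 7), TI("TI_C", 4)
APP_TIS = [TI_A, TI_B, TI_C]
VIOLATED = [Policy("constructed-active", (TI_A, TI_C)),
            Policy("constructed-inactive", (TI_B,), active=False)]
```

With this data the app scores 7 (Med) from its behaviors, while the device scores 4 (Med) because the only policy containing TI_B is inactive.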

Copyright ©Appthority, Inc. 2017-2018 All Rights Reserved.