| Microsoft Entra ID Connect | Device |High| The Microsoft Entra ID Connect (formerly known as AAD Connect) server is responsible for syncing on-premises directory data and passwords to the Microsoft Entra ID tenant. | A compromised Microsoft Entra ID Connect server could result in the entire domain being compromised. An attacker might steal the credentials of synchronized users to execute lateral movements and gain unauthorized access to resources within the network. |
31
-
| ADCS | Device |High| ADCS server allows administrators to fully implement a public key infrastructure (PKI) and issue digital certificates that can be used to secure multiple resources on a network. Moreover, ADCS can be used for various security solutions, such as SSL encryption, user authentication, and secure email. | A compromised ADCS server can lead to the compromise of both domain users and servers. An attacker with access to ADCS can execute various attacks, such as manipulating misconfigured templates to impersonate highly privileged users. Mercur |
30
+
| Microsoft Entra ID Connect | Device |Medium| The Microsoft Entra ID Connect (formerly known as AAD Connect) server is responsible for syncing on-premises directory data and passwords to the Microsoft Entra ID tenant. | A compromised Microsoft Entra ID Connect server could result in the entire domain being compromised. An attacker might steal the credentials of synchronized users to execute lateral movements and gain unauthorized access to resources within the network. |
31
+
| ADCS | Device |Medium| ADCS server allows administrators to fully implement a public key infrastructure (PKI) and issue digital certificates that can be used to secure multiple resources on a network. Moreover, ADCS can be used for various security solutions, such as SSL encryption, user authentication, and secure email. | A compromised ADCS server can lead to the compromise of both domain users and servers. An attacker with access to ADCS can execute various attacks, such as manipulating misconfigured templates to impersonate highly privileged users. Mercur |
32
32
| ADFS | Device | High | ADFS server provides users with single sign-on access to systems and applications located across organizational boundaries. It uses a claims-based access control authorization model to maintain application security and implement federated identity. | A compromised ADFS server can result in credential theft and token manipulation related attacks. If an attacker gains access to the ADFS certificate's private key, they can impersonate users, thereby gaining unauthorized access to resources. |
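Review bot: the downgrade of Microsoft Entra ID Connect and ADCS from High to Medium is not reflected in the impact column, which still states that an Entra ID Connect compromise "could result in the entire domain being compromised" and that an ADCS compromise "can lead to the compromise of both domain users and servers"; either revise that text to match the new rating or add a short note on the criteria that justify Medium, otherwise the rating and the rationale contradict each other. The ADCS row also ends with the dangling fragment "Mercur" before the closing pipe in both the removed and the added line; since the line is being touched anyway, remove or complete that fragment in the same change.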
33
-
| Backup | Device |High| Backup server os responsible for safeguarding data through regular backups, ensuring data protection and disaster recovery readiness. | A compromised backup server can result in the compromise of an organization's sensitive data. An attacker with access to the backup server can access backup files of critical services to export data or even encrypt them. |
33
+
| Backup | Device |Medium| Backup server os responsible for safeguarding data through regular backups, ensuring data protection and disaster recovery readiness. | A compromised backup server can result in the compromise of an organization's sensitive data. An attacker with access to the backup server can access backup files of critical services to export data or even encrypt them. |
34
34
| Domain Admin Machines | Device | High | Domain admin machines are machines that one or more of the domain admins are frequently logged into. These devices are likely to store related files, documents, and credentials used by the domain admins. | A compromised device with domain admin privileges can lead to the compromise of the entire domain. An attacker might steal cached credentials from domain admin devices to perform lateral movement within the network. |
35
35
| Domain Controller | Device | High | Domain controller server is responsible for user authentication, authorization, and centralized management of network resources within an active directory domain. | A compromised domain controller can have severe impacts on an organization. It could potentially allow an attacker to gain control over the entire IT infrastructure and gain access to every resource within the network. |
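Review bot: the added Backup line carries forward the typo "Backup server os responsible" (should be "is responsible"); since the rating change already rewrites this line, fix the typo here rather than in a follow-up. As with the other downgrades, the impact text ("compromise of an organization's sensitive data", "export data or even encrypt them") is unchanged, so a sentence stating why this is now Medium rather than High would help readers of the table understand the scale.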
36
-
| Exchange | Device |High| Exchange server is responsible for all the mail traffic within the organization. Depending on the setup and architecture, each server might hold several mail databases that store highly sensitive organizational information. | A compromised Exchange server can lead to the theft of an organization's sensitive mail data or even result in the encryption of the entire mail system. Additionally, an Exchange server has control over active directory objects. If these are manipulated by an attacker, it could compromise the active directory. |
37
-
| SCCM | Device |High| SCCM is used for managing endpoints in a large network, including patch management, software distribution, and inventory management. | A compromised SCCM server can put the entire domain's assets at risk. An attacker with access to the SCCM server can use the SCCM agent to perform various high-privilege tasks on targeted assets within the domain. |
36
+
| Exchange | Device |Medium| Exchange server is responsible for all the mail traffic within the organization. Depending on the setup and architecture, each server might hold several mail databases that store highly sensitive organizational information. | A compromised Exchange server can lead to the theft of an organization's sensitive mail data or even result in the encryption of the entire mail system. Additionally, an Exchange server has control over active directory objects. If these are manipulated by an attacker, it could compromise the active directory. |
37
+
| SCCM | Device |Medium| SCCM is used for managing endpoints in a large network, including patch management, software distribution, and inventory management. | A compromised SCCM server can put the entire domain's assets at risk. An attacker with access to the SCCM server can use the SCCM agent to perform various high-privilege tasks on targeted assets within the domain. |
38
38
| ITAdminDevice | Device | Medium | Critical devices used to configure, manage, and monitor the assets within the organization are vital for IT administration and are at high risk of cyber threats. They require top-level security to prevent unauthorized access. | A compromised IT admin device can result in the entire domain of the organization being compromised. An attacker with access to the IT admin device can compromise the credentials of privileged users and carry out lateral movement to critical services across the domain. |
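Review bot: Exchange and SCCM move from High to Medium, but their impact columns still read like the High tier used by the unchanged Domain Controller row: the Exchange text says manipulation of the Active Directory objects it controls "could compromise the active directory", and the SCCM text says a compromised server "can put the entire domain's assets at risk". Either tone the rationale down to match Medium or document the classification criteria next to the table so the rating and the description stay consistent.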
39
-
| NetworkAdminDevice | Device |NA| Critical devices used to configure, manage, and monitor the network assets within the organization are vital for network administration and are at high risk of cyber threats. They require top-level security to prevent unauthorized access. | A compromised network admin device can result in the entire networking infrastructure of the organization being compromised. An attacker with access to the network admin device can steal credentials of network equipment and perform lateral movement. |
40
-
| VMware ESXi | Device |NA| The VMware ESXi hypervisor is essential for running and managing virtual machines within your infrastructure. As a bare-metal hypervisor, it's providing the foundation for creating and managing virtual resources. | A compromised ESXi server can result in compromising all the virtual machines it holds. Attackers often target ESXi servers to disrupt the organization's operations by modifying, encrypting, or deleting virtual machines. |
41
-
| VMware vCenter | Device |NA| The VMware vCenter Server is crucial for managing virtual environments. It provides centralized management of virtual machines and ESXi hosts. If it fails, it could disrupt the administration and control of your virtual infrastructure, including provisioning, migration, load balancing of virtual machines, and datacenter automation. However, as there are often redundant vCenter Servers and High Availability configurations, the immediate halt of all operations might not occur. Its failure could still cause significant inconvenience and potential performance issues | A compromised vCenter server can result in the entire virtual infrastructure of the organization being compromised. Attackers often target vCenter servers to disrupt the organization's operations by modifying, encrypting, or deleting virtual machines, and in some cases, even their backups. |
39
+
| NetworkAdminDevice | Device |Medium| Critical devices used to configure, manage, and monitor the network assets within the organization are vital for network administration and are at high risk of cyber threats. They require top-level security to prevent unauthorized access. | A compromised network admin device can result in the entire networking infrastructure of the organization being compromised. An attacker with access to the network admin device can steal credentials of network equipment and perform lateral movement. |
40
+
| VMware ESXi | Device |High| The VMware ESXi hypervisor is essential for running and managing virtual machines within your infrastructure. As a bare-metal hypervisor, it's providing the foundation for creating and managing virtual resources. | A compromised ESXi server can result in compromising all the virtual machines it holds. Attackers often target ESXi servers to disrupt the organization's operations by modifying, encrypting, or deleting virtual machines. |
41
+
| VMware vCenter | Device |High| The VMware vCenter Server is crucial for managing virtual environments. It provides centralized management of virtual machines and ESXi hosts. If it fails, it could disrupt the administration and control of your virtual infrastructure, including provisioning, migration, load balancing of virtual machines, and datacenter automation. However, as there are often redundant vCenter Servers and High Availability configurations, the immediate halt of all operations might not occur. Its failure could still cause significant inconvenience and potential performance issues | A compromised vCenter server can result in the entire virtual infrastructure of the organization being compromised. Attackers often target vCenter servers to disrupt the organization's operations by modifying, encrypting, or deleting virtual machines, and in some cases, even their backups. |
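Review bot: the three rows moving from NA to a rating (NetworkAdminDevice to Medium, VMware ESXi and vCenter to High) are a good addition, but two wording issues on the added lines should be fixed in the same change: the ESXi description says "it's providing the foundation" (should be "it provides the foundation"), and the vCenter description ends "potential performance issues |" with no terminating period. The vCenter description column also spends most of its text on availability impact ("If it fails, it could disrupt ... the immediate halt of all operations might not occur"), while every other row keeps the description column to what the asset does and puts impact in the last column; consider moving that material to the impact column for consistency.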