Publication No. | Title | Date | Inventor(s) |
20010049734 | Use-limitation homepage providing system | December, 2001 | Suwabe et al. |
20130166656 | System and method for sharing digital images | June, 2013 | Taub et al. |
20130067013 | Message synchronization | March, 2013 | Dgani et al. |
20090241180 | System and method for data transport | September, 2009 | Fiatal |
20120296962 | Medical image processing system and a medical image processing server | November, 2012 | Tada |
20010047430 | Perspective-based shared scope address resolution method and apparatus | November, 2001 | Dev et al. |
20090228580 | Computing environment sensitive data synchronization | September, 2009 | Celi Jr. |
20100125421 | System and method for determining a dosage for a treatment | May, 2010 | Snortland |
20140310520 | Method for communicating data and electronic device thereof | October, 2014 | Cho et al. |
20100257223 | Method and system for changing a subscription to a tuple based on a changed state of a subscribing principal | October, 2010 | Morris |
20140304356 | Wireless aggregator | October, 2014 | Allen Sr. et al. |
[0001] The present application claims priority to provisional patent application entitled, “Method and System for Configuring and Scheduling Security Audits of a Computer Network,” filed on Jan. 31, 2001 and assigned U.S. Application Serial No. 60/265,519. The present application also references and incorporates herein a related U.S. non-provisional patent application entitled, “Method and System for Configuring and Scheduling Security Audits of a Computer Network,” filed concurrently herewith and having attorney docket number
[0002] The present invention is generally directed to managing the security of a network. More specifically, the present invention facilitates computing a security score for elements in a distributed computing network.
[0003] The security of computing networks is an increasingly important issue. With the growth of wide area networks (WANs), such as the Internet and the World Wide Web, people rely on computing networks to transfer and store an increasing amount of valuable information. This is also true of local area networks (LANs) used by companies, schools, organizations, and other enterprises. LANs typically are used by a bounded group of people in an organization to communicate and store electronic documents and information. LANs generally are coupled to or provide access to other local or wide area networks. Greater use and availability of computing networks produces a corresponding increase in the size and complexity of computing networks.
[0004] With the growth of networks and the importance of information available on the networks, there is also a need for better and more intelligent security. One approach to securing larger and more complex computer networks is to use a greater number and variety of security assessment devices. Security assessment devices can be used to evaluate elements in the network, such as desktop computers, servers, and routers, and to determine their respective vulnerability to security problems, such as an attack from hackers. Security assessment devices can also be used more frequently to monitor the activity or status of the elements in a computing network. These network elements are commonly referred to as hosts. Throughout this specification the terms “host” and “element” will be used interchangeably to refer to the various components that can be found in a distributed computing network.
[0005] However, simply increasing the number of security assessment devices and the frequency with which they are used does not solve the problems presented in conventional network security. With increased security activity, a network administrator or other user must decide which elements in the network need to be audited, how frequently they should be audited, and what checks need to be run. These decisions often involve a variety of complicated factors, and in practice they cannot be made afresh every time a security audit is conducted. Increased assessment also produces a corresponding increase in the amount of security data that must be analyzed. A network administrator who is overwhelmed with security data is unable to make intelligent decisions about which security vulnerabilities should be addressed first.
[0006] An additional difficulty associated with maintaining adequate network security is finding the time to conduct security audits. Security audits generally must be initiated by a security professional and can hinder or entirely interrupt network performance for several hours at a time. These limitations place a premium on the time available to conduct security auditing and maintenance. Conventional network security systems do not support a means to accurately quantify security vulnerabilities so that they can be easily compared and prioritized.
[0007] In view of the foregoing, there is a need in the art for a system that will support the auditing of a distributed computing network. Specifically, a need exists to be able to automatically survey a network and prioritize any security issues identified by the survey. A further need exists to be able to assess the security risk of each element in the network. The assessment should reflect the importance of the element and, for each security vulnerability that exists on the element, the ease with which the vulnerability can be exploited, and the impact of exploiting the vulnerability. Moreover, a need exists to accurately quantify the risk posed by vulnerabilities so that they can be compared in association with a particular host and so that hosts can be compared over the entire network.
[0008] The present invention satisfies the above-described needs by providing a system and quantitative method for evaluating the security of elements in a network. A security audit system can collect data concerning elements in a network. This data can include the operating system and services running on the element and any vulnerabilities associated therewith. This information can be used to calculate a risk for each vulnerability associated with an element. Certain elements may have few vulnerabilities and other elements may have many vulnerabilities. In order to give each element a meaningful security score, a banded calculation method is used. The banded calculation method prevents many low-risk vulnerabilities associated with one element from overshadowing an element with a single high-risk vulnerability. This approach provides a simple means for a user to identify and address high-risk issues in a network.
[0009] In one aspect, the present invention comprises a method for computing a security score associated with a host in a distributed computing network. A security audit system can select a vulnerability identified in a host and obtain an asset value for the host. The asset value is typically assigned to the host based on its characteristics and functions. The security audit system can also retrieve an exploit probability and a severity value for the vulnerability. Security personnel generally consider the various types of vulnerabilities and select predetermined exploit probabilities and severity values. A risk value for a vulnerability can be computed from the host asset value, the exploit probability of the vulnerability, and the vulnerability's severity value. The risk value computation can be repeated for other vulnerabilities identified in the network. Because an element typically has multiple vulnerabilities, it is also useful to be able to compute a total security score for the element. The security audit system can use a banded calculation model to compute the total security score by placing the risk values in selected bands on a risk scale. The banded calculation model prevents several low risk values from being summed and producing a disproportionately and inaccurately large security score.
[0010] In another aspect, the present invention provides a method for computing a risk value for quantifying a vulnerability identified in a network. A network security system can receive an asset value for an element on which the vulnerability is detected. The asset value can be based on information collected during a security audit of the element. The network security system can also receive a predetermined exploit probability and severity value for the vulnerability. Taking the asset value, the exploit probability, and the severity value, the network security system can compute a risk value that is useful in comparing other vulnerabilities in the network. The risk value can also be adjusted by a factor that reflects the difficulty of remedying the vulnerability.
[0011] These and other aspects of the invention will be described below in connection with the drawing set and the appended specification and claim set.
[0023] The present invention supports the assessment of the security risks of a computing network by providing a precise means to calculate and compare the risks posed by security vulnerabilities. Specifically, the present invention allows a security auditing system to identify security vulnerabilities in various elements throughout a network. The security auditing system also can collect information about the function and importance of elements in a computing network. Using this information, the invention calculates a risk value for each security vulnerability that is identified. The risk value can be prioritized based on the ease with which the vulnerability can be repaired. Prioritizing risk values for a particular network element assists a user or network administrator in deciding which vulnerabilities to address first. The invention also supports the calculation of a security score for a network element that accumulates the risk values of each vulnerability associated with the element. For example, employing a band calculation method ensures that a large number of low-risk vulnerabilities does not produce a higher security score than a smaller number of high-risk vulnerabilities. Calculating a security score for each element with the band calculation method allows for a more meaningful comparison of elements across a network.
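The risk value of paragraphs [0009], [0010] and [0023] and the banded security score of paragraphs [0009] and [0023] are illustrated below in an added example that is not part of the patent text. The patent does not give the exact formula (its equation is not present on this page), so the example assumes a product form, risk = asset value × exploit probability × severity, optionally multiplied by a remediation-difficulty factor, and assumes four equal-width bands on a 0 to 100 risk scale. Under the assumed banded model only the highest occupied band contributes to a host's score, and the band total is capped below the band ceiling, so a host with many low risks can never outscore a host with one high risk. The hosts and vulnerabilities are constructed sample data; all names and scales are the example's own.

```python
"""Risk values and banded security scores: an illustrative model of the
patent's method. The product formula, the band boundaries and the cap are
assumptions made for this example, not the patent's own numbers."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Vulnerability:
    name: str
    exploit_probability: float          # 0.0 to 1.0, predetermined by security personnel
    severity: float                     # 1 to 10, predetermined by security personnel
    remediation_difficulty: float = 1.0  # assumed: > 1.0 means harder to fix


@dataclass
class Host:
    name: str
    asset_value: float                  # 1 to 10, assigned from the host's function
    vulnerabilities: List[Vulnerability] = field(default_factory=list)


# Bands on the risk scale as (label, lower bound, upper bound). Assumed values.
BANDS: List[Tuple[str, float, float]] = [
    ("low", 0.0, 25.0),
    ("medium", 25.0, 50.0),
    ("high", 50.0, 75.0),
    ("critical", 75.0, 100.0),
]
TICK = 0.01  # a band total is capped this far below the band ceiling (assumed)


def risk_value(host: Host, vuln: Vulnerability,
               adjust_for_remediation: bool = False) -> float:
    """Risk = asset value x exploit probability x severity (product form assumed),
    optionally scaled by the remediation-difficulty factor, clamped to the scale."""
    risk = host.asset_value * vuln.exploit_probability * vuln.severity
    if adjust_for_remediation:
        risk *= vuln.remediation_difficulty
    return min(risk, BANDS[-1][2])


def band_index(risk: float) -> int:
    """Index of the band [lo, hi) that contains the risk value."""
    for i, (_, lo, hi) in enumerate(BANDS):
        if lo <= risk < hi:
            return i
    return len(BANDS) - 1  # risk sits exactly at the top of the scale


def banded_security_score(risks: List[float]) -> float:
    """Total score for one host under the assumed banded model: only risk
    values in the highest occupied band count, their excess over the band
    floor is summed, and the total never reaches the band ceiling."""
    if not risks:
        return 0.0
    top = max(band_index(r) for r in risks)
    _, lo, hi = BANDS[top]
    excess = sum(r - lo for r in risks if band_index(r) == top)
    return min(lo + excess, hi - TICK)


def host_security_score(host: Host, adjust_for_remediation: bool = False) -> float:
    return banded_security_score(
        [risk_value(host, v, adjust_for_remediation) for v in host.vulnerabilities])


def prioritized_vulnerabilities(host: Host) -> List[Vulnerability]:
    """Remediation order for one host: highest remediation-adjusted risk first."""
    return sorted(host.vulnerabilities,
                  key=lambda v: risk_value(host, v, True), reverse=True)


# Constructed sample hosts (not from the patent).
WEB = Host("web-1", asset_value=8.0, vulnerabilities=[
    Vulnerability("remote code execution in web service", 0.9, 9.0, 1.5),  # 64.8
    Vulnerability("version banner disclosure", 0.5, 2.0, 1.0),             # 8.0
])
KIOSK = Host("kiosk-1", asset_value=3.0, vulnerabilities=[
    Vulnerability(f"weak default setting #{i}", 0.6, 4.0) for i in range(10)  # 7.2 each
])

if __name__ == "__main__":
    for h in (WEB, KIOSK):
        naive = sum(risk_value(h, v) for v in h.vulnerabilities)
        print(f"{h.name}: naive sum={naive:.2f} banded score={host_security_score(h):.2f}")
    print("fix first on web-1:", prioritized_vulnerabilities(WEB)[0].name)
```

Summing risk values naively gives the kiosk (ten low risks, 72.0) a higher score than the web server (one high risk, 64.8); the banded score caps the kiosk at 24.99 while the web server keeps 64.8, which is the ordering the patent's banded calculation is meant to produce.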
[0024] Although the exemplary embodiments will be generally described in the context of software modules running in a distributed computing environment, those skilled in the art will recognize that the present invention also can be implemented in conjunction with other program modules for other types of computers. In a distributed computing environment, program modules may be physically located in different local and remote memory storage devices. Execution of the program modules may occur locally in a stand-alone manner or remotely in a client/server manner. Examples of such distributed computing environments include local area networks of an office, enterprise-wide computer networks, and the global Internet.
[0025] The detailed description that follows is represented largely in terms of processes and symbolic representations of operations in a distributed computing environment by conventional computer components, including database servers, application servers, mail servers, routers, security devices, firewalls, clients, workstations, memory storage devices, display devices, and input devices. Each of these conventional distributed computing components is accessible via a communications network, such as a wide area network or local area network.
[0026] The processes and operations performed by the computer include the manipulation of signals by a client or server and the maintenance of these signals within data structures resident in one or more of the local or remote memory storage devices. Such data structures impose a physical organization upon the collection of data stored within a memory storage device and represent specific electrical or magnetic elements. These symbolic representations are the means used by those skilled in the art of computer programming and computer construction to most effectively convey teachings and discoveries to others skilled in the art.
[0027] The present invention also includes a computer program that embodies the functions described herein and illustrated in the appended flow charts. However, it should be apparent that there could be many different ways of implementing the invention in computer programming, and the invention should not be construed as limited to any one set of computer program instructions. Further, a skilled programmer would be able to write such a computer program to implement the disclosed invention based on the flow charts and associated description in the application text, for example. Therefore, disclosure of a particular set of program code instructions is not considered necessary for an adequate understanding of how to make and use the invention. The inventive functionality of the claimed computer program will be explained in more detail in the following description in conjunction with the remaining figures illustrating the program flow.
[0028] Referring now to the drawings, in which like numerals represent like elements throughout the several figures, aspects of the present invention and the preferred operating environment will be described.
[0030] The active scan engine's
[0031] Referring to
[0033] In step
[0036] In step
[0037] Referring to
[0040] the first term, r
[0041] Referring to
[0044] In conclusion, the present invention enables and supports security auditing of a distributed computing network by providing a useful numerical value of the risk associated with a vulnerability or group of vulnerabilities. The security audit system can collect information about the elements of a network and compute a risk value for vulnerabilities detected therein. The risk value can be based on the importance of the network element, the likelihood of exploit, and the potential for damage to the network in the event the vulnerability is exploited. The risk value can also be adjusted to reflect the difficulty of remedying the vulnerability. The security audit system can also collect risk values for a particular element and compute a total security score for the element. The security audit system uses a banded calculation method to ensure that a host with several low risk values does not have a higher security score than a host with a few high risk values. Security scores are useful for comparing individual elements or groups of elements on the network.
[0045] It will be appreciated that the present invention fulfills the needs of the prior art described herein and meets the above-stated objects. While there has been shown and described the preferred embodiment of the invention, it will be evident to those skilled in the art that various modifications and changes may be made thereto without departing from the spirit and the scope of the invention as set forth in the appended claims and equivalents thereof. Although the present invention has been described as operating on a local area network, it should be understood that the invention can be applied to other types of distributed computing environments. Furthermore, it should be readily apparent that portions of the calculation can be varied in order to modify the results without departing from the scope of the invention.