Method and system for calculating risk in association with a security audit of a computer network

US 20020147803A1
Filed: 01/31/2002
Published: 10/10/2002
Est. Priority Date: 01/31/2001
Status: Abandoned Application

First Claim

Patent Images

1. A method for assessing the security of a system comprising:

selecting a vulnerability for the system;

obtaining an asset value for the system;

determining an exploit probability for the vulnerability;

obtaining a severity value for the vulnerability;

computing a risk value for the vulnerability based on at least one of the asset value, the exploit probability, and the severity value;

if there are additional vulnerabilities associated with the system, repeating the foregoing steps to compute risk values for the additional vulnerabilities; and

calculating a security score for the system based on at least one of the risk values associated with the system.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Calculating risk based on information collected during a security audit of a computing network. The computer network is surveyed to determine the significance of elements in the network and to identify vulnerabilities associated with the elements. Using this information, the security audit system calculates a risk value for each vulnerability. The risk value is a function of the asset value, the probability that the vulnerability will be exploited, and the potential severity of damage to the network if the vulnerability is exploited. The risk value can be adjusted based on the ease with which the vulnerability can be fixed. A network element may have one or more risk values associated with it based on one or more vulnerabilities. The security audit system employs a band calculation method for summing risk values and computing a single security score for the element. The band calculation method can also be used to produce a security score for a group of elements. The band calculation method produces a more accurate score for comparing elements and groups of elements throughout a network.

324 Citations

49 Claims

1. A method for assessing the security of a system comprising:
- selecting a vulnerability for the system;
  
  obtaining an asset value for the system;
  
  determining an exploit probability for the vulnerability;
  
  obtaining a severity value for the vulnerability;
  
  computing a risk value for the vulnerability based on at least one of the asset value, the exploit probability, and the severity value;
  
  if there are additional vulnerabilities associated with the system, repeating the foregoing steps to compute risk values for the additional vulnerabilities; and
  
  calculating a security score for the system based on at least one of the risk values associated with the system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising the step of calculating an adjusted risk value as a function of the risk value and a fix difficulty value.
  - 3. The method of claim 2, further comprising the step of calculating an adjusted security score for the system based on at least one adjusted risk value.
  - 4. The method of claim 1, further comprising the step of using the security score to assess the need for repair of the system.
  - 5. The method of claim 1, further comprising calculating a group security score for a group of systems based on individual security scores for each of the systems.
  - 6. The method of claim 1, wherein the asset value is obtained from at least one of an operating system, a system service, and the system vulnerabilities.
  - 7. The method of claim 1, wherein the severity value is based on the potential access available to the system from exploiting the vulnerability.
  - 8. The method of claim 1, wherein the step of calculating a risk value comprises multiplying the asset value, the probability of exploit value, and the severity value.
  - 9. The method of claim 1, wherein the step of calculating a security score comprises placing a risk value on a banded scale.
  - 10. A computer-readable medium having computer-executable instructions for performing the steps recited in claim 1.

11. A method for computing a security score associated with a host in a distributed computing network comprising:
- selecting a vulnerability for the host, the vulnerability being identified during a security scan;
  
  obtaining an asset value for the host, the asset value obtained from at least one of a host operating system, a host service, and the host vulnerabilities;
  
  determining an exploit probability for the vulnerability, the exploit probability indicating the likelihood that the vulnerability will be exploited to compromise the host;
  
  obtaining a severity value for the vulnerability, the severity value characterizing the potential damage that can be done from exploiting the vulnerability;
  
  computing a risk value for the vulnerability based on at least one of the asset value, the exploit probability, and the severity value;
  
  computing an adjusted risk value as a function of the risk value and a fix difficulty value, the fix difficulty value indicating the difficulty of remedying the vulnerability associated with the risk;
  
  if there are additional vulnerabilities associated with the system, repeating the foregoing steps to compute adjusted risk values for the additional vulnerabilities; and
  
  calculating an adjusted security score for the host based on at least one of the adjusted risk values associated with the host.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 30, 31, 32, 33, 34, 35, 36, 37, 39, 40, 41, 42)
- - 12. The method of claim 11, further comprising the step of using the adjusted security score to decide when to fix a host.
  - 13. The method of claim 11, further comprising calculating a group adjusted security score for a group of hosts based on individual adjusted security scores.
  - 14. The method of claim 11, wherein the severity value is based on the potential access available to the network from exploiting the vulnerability.
  - 15. The method of claim 11, wherein the step of computing a risk value comprises multiplying the asset value, the probability value, and the severity value.
  - 16. The method of claim 11, wherein the step of calculating a security score comprises placing a risk value on a banded scale.
  - 17. A computer-implemented medium having computer-executable instructions for performing the steps recited in claim 11.
  - 19. The method of claim 18, further comprising the step of computing a risk value for additional vulnerabilities associated with the element by repeating the foregoing steps.
  - 20. The method of claim 18, further comprising the step of calculating a security score from at least one of the risk values associated with the element.
  - 21. The method of claim 18, further comprising the step of computing an adjusted risk value as a function of the risk value and a fix difficulty value.
  - 22. The method of claim 21, further comprising the step of calculating an adjusted security score from at least one adjusted risk value.
  - 23. The method of claim 20, further comprising the step of calculating a group security score for a group of elements based on individual security scores.
  - 24. The method of claim 18, wherein the asset value is based on at least one of a host operating system, a host service, and the host vulnerabilities.
  - 25. The method of claim 18, wherein the severity value is based on the potential access available to the network from exploiting the vulnerability.
  - 26. The method of claim 18, wherein the step of calculating a risk value comprises multiplying the asset value, the probability of exploit value, and the severity value.
  - 27. The method of claim 18, wherein the step of calculating a security score comprises placing a risk value on a banded scale.
  - 28. A computer-readable medium having computer-executable instructions for performing the steps recited in claim 18.
  - 30. The method of claim 29, further comprising the step of computing a risk value for additional vulnerabilities associated with the element by repeating the foregoing steps.
  - 31. The method of claim 30, further comprising the step of calculating a security score from at least one of the risk values associated with the element.
  - 32. The method of claim 29, further comprising the step of computing an adjusted risk value as a function of the risk value and a fix difficulty value.
  - 33. The method of claim 32, further comprising the step of calculating an adjusted security score from at least one adjusted risk value.
  - 34. The method of claim 31, further comprising the step of calculating a group security score for a group of elements based on individual security scores.
  - 35. The method of claim 29, wherein the step of calculating a risk value comprises multiplying the asset value, the probability of exploit value, and the severity value.
  - 36. The method of claim 29, wherein the step of calculating a security score comprises placing a risk value on a banded scale.
  - 37. A computer-readable medium having computer-executable instructions for performing the steps recited in claim 29.
  - 39. The computer-readable medium of claim 38, having further computer-executable instructions for performing the step of using the adjusted security score to decide when to fix a host.
  - 40. The computer-readable medium of claim 38, having further computer-executable instructions for performing the step of calculating a group adjusted security score for a group of hosts based on individual adjusted security scores.
  - 41. The computer-readable medium of claim 38, having further computer-executable instructions for performing the step of computing a risk value by multiplying the asset value, the probability value, and the severity value.
  - 42. The computer-readable medium of claim 38, having further computer-executable instructions for performing the step of calculating a security score by placing a risk value on a banded scale.

18. A method for determining a risk value for a vulnerability detected by a security audit system in a network comprising:
- receiving an asset value from the security audit system for an element with which the vulnerability is associated;
  
  receiving an exploit probability value for the vulnerability from the security audit system;
  
  receiving a severity value from the security audit system; and
  
  computing a risk value for the vulnerability, the computation comprising at least one of the asset value, the exploit probability value, and the severity value.

29. A method for computing a risk value associated with an element in a network comprising:
- receiving a vulnerability for the element, the vulnerability being identified by a security audit system;
  
  receiving an asset value for the element from the security audit system, wherein the asset value is based on at least one of an operating system, an element service, and the element vulnerabilities;
  
  receiving an exploit probability value for the vulnerability from the security audit system;
  
  receiving a severity value from the security audit system; and
  
  computing a risk value for the vulnerability, the computation comprising at least one of the asset value, the exploit probability value, and the severity value.

38. A computer-readable medium having computer-executable instructions for performing steps comprising:
- receiving a vulnerability for a host, the vulnerability being identified during a security scan;
  
  obtaining an asset value for the host, the asset value based on at least one of a host operating system, a host service, and the host vulnerability;
  
  determining an exploit probability for the vulnerability;
  
  obtaining a severity value for the vulnerability;
  
  computing a risk value for the vulnerability based on at least one of the asset value, the exploit probability, and the severity value;
  
  computing an adjusted risk value as a function of the risk value and a fix difficulty value;
  
  if there are additional vulnerabilities associated with the system, repeating the foregoing steps to compute adjusted risk values for the additional vulnerabilities; and
  
  calculating an adjusted security score for the host based on at least one of the adjusted risk values associated with the host.

43. A system for computing a security score associated with a security audit of a distributed computing system comprising:
- an manager software module operable for selecting a vulnerability for a host;
  
  a storage module operable for storing an asset value for the host, an exploit probability for the vulnerability, and a severity value for the vulnerability; and
  
  a computation module operable for computing a risk value.
- View Dependent Claims (44, 45, 46, 47, 48, 49)
- - 44. The system of claim 43, wherein the asset value for the host is based on at least one of the host'"'"'s operating system, the host'"'"'s services, and the host'"'"'s vulnerabilities.
  - 45. The system of claim 43, wherein computing the risk value is based on at least one of the asset value, the exploit probability, and the severity value.
  - 46. The system of claim 43, wherein the computation module is further operable for computing risk values for multiple vulnerabilities.
  - 47. The system of claim 46, wherein the computation module is further operable for computing a security score from multiple vulnerabilities.
  - 48. The system of claim 46, wherein the computation module computes a security score by placing multiple risk values on a banded risk scale.
  - 49. The system of claim 47, wherein the computation module is further operable for computing a group security score from multiple security scores.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Accenture SPA (Accenture PLC), International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Dodd, Timothy David, Heinrich, Nicolas

Application Number

US10/066,461
Publication Number

US 20020147803A1
Time in Patent Office

Days
Field of Search
US Class Current

709/223
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1433   Vulnerability analysis

Method and system for calculating risk in association with a security audit of a computer network

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

324 Citations

49 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for calculating risk in association with a security audit of a computer network

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

324 Citations

49 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links