System and method for determining security vulnerabilities

US 20040006704A1
Filed: 07/02/2002
Published: 01/08/2004
Est. Priority Date: 07/02/2002
Status: Abandoned Application

First Claim

Patent Images

1. A method for determining security vulnerabilities, the method comprising:

receiving an organization profile of one or more products used by an organization, the organization profile including characteristics of each of the one or more products;

comparing the characteristics of each of the one or more products to a plurality of product records, each product record identifying one or more security vulnerabilities associated with the product record and one or more fixes associated with the one or more security vulnerabilities; and

determining the presence of at least one of the one or more security vulnerabilities for at least one of the one or more products in response to comparing the characteristics of the at least one of the one or more products to the plurality of product records.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for determining security vulnerabilities includes receiving a profile of one or more products used by an organization, the profile including characteristics of each product. The method further includes comparing the characteristics of each product to a plurality of product records, each product record including one or more security vulnerabilities associated with the product record and one or more fixes associated with each security vulnerability. The method further includes determining at least one of the one or more security vulnerabilities for at least one of the one or more products in response to comparing the characteristics of the at least one of the one or more products to the product record.

206 Citations

40 Claims

1. A method for determining security vulnerabilities, the method comprising:
- receiving an organization profile of one or more products used by an organization, the organization profile including characteristics of each of the one or more products;
  
  comparing the characteristics of each of the one or more products to a plurality of product records, each product record identifying one or more security vulnerabilities associated with the product record and one or more fixes associated with the one or more security vulnerabilities; and
  
  determining the presence of at least one of the one or more security vulnerabilities for at least one of the one or more products in response to comparing the characteristics of the at least one of the one or more products to the plurality of product records.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, and further comprising populating the organization profile using a device scanner.
  - 3. The method of claim 1, and further comprising populating the organization profile using a network mapper.
  - 4. The method of claim 1, and further comprising updating the organization profile in response to the determined at least one security vulnerability.
  - 5. The method of claim 1, and further comprising updating the organization profile in response to the determined at least one security vulnerability by supplementing the characteristics of at least one of the one or more products with the identity of the determined at least one security vulnerability.
  - 6. The method of claim 1, and further comprising updating the organization profile in response to the determined at least one security vulnerability by supplementing the characteristics of at least one of the one or more products with a fix associated with the determined at least one security vulnerability.
  - 7. The method of claim 1, and further comprising updating the organization profile in response to the determined at least one security vulnerability by supplementing the characteristics of at least one of the products with a risk rating associated with the determined at least one security vulnerability.
  - 8. The method of claim 1, and further comprising updating the organization profile in response to the determined at least one security vulnerability by supplementing the characteristics of at least one of the products with a determination date associated with the determined at least one security vulnerability.
  - 9. The method of claim 1, wherein determining at least one security vulnerability includes identifying a fix associated with the determined at least one security vulnerability.
  - 10. The method of claim 9, wherein identifying a fix associated with the determined at least one security vulnerability includes discarding a fix already indicated as completed within the organization profile.
  - 11. The method of claim 9, wherein identifying a fix associated with the determined at least one security vulnerability includes discarding a fix that is determined to be unnecessary in response to at least one other product identified by the organization profile as being used by the organization.
  - 12. The method of claim 1, wherein determining at least one security vulnerability includes identifying a security vulnerability in response to more than one product being identified in the organization profile.
  - 13. The method of claim 1, and further comprising determining a risk rating in response the determined at least one security vulnerability.
  - 14. The method of claim 1, wherein determining the at least one security vulnerability further comprises filtering security vulnerabilities included in at least one of the plurality of product records.

15. A system for tracking vulnerabilities in an organization, the system comprising:
- an organization profile, the organization profile being associated with a particular organization and identifying one or more products used by the particular organization, the organization profile including characteristics of each of the one or more products;
  
  a security vulnerabilities database, the securities vulnerability database having one or more product records, each of the one or more product records being associated with at least one product and including information on one or more security vulnerabilities associated with the at least one product; and
  
  a search engine in communication with the organization profile and the security vulnerability database, the search engine operable to determine at least one security vulnerability of the organization in response to comparing the characteristics of at least one of the one or more products to at least one of the one or more product records.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, and further comprising a tracking system in communication with the organization profile and operable to track the status of security vulnerabilities across the organization.
  - 17. The system of claim 16, wherein the tracking system includes statistical software operable to calculate statistical data in response to receiving a list of at least one of the one or more products that is associated with a particular individual within the organization and tracking information associated with the at least one product.
  - 18. The system of claim 16, wherein the tracking system includes statistical software operable to update the organization profile with statistical data in response to receiving a list of at least one product associated with a particular individual within the organization and tracking information associated with the listed at least one product.
  - 19. The system of claim 16, wherein the organization profile includes product tracking information operable to be updated by the search engine in response to the at least one security vulnerability being determined, the product tracking information operable to be accessed by the tracking system to track the performance of one or more individuals responsible for addressing the determined at least one security vulnerability within the organization.
  - 20. The system of claim 16, wherein the organization profile includes product tracking information associated with the determined at least one security vulnerability, the product tracking information including a risk rating and a fix.

21. A method of assessing the vulnerability of an organization, the method comprising:
- identifying at least one security vulnerability associated with one or more products used by the organization; and
  
  determining a risk rating for the security vulnerability in response to characteristics of the security vulnerability.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The method of claim 21, wherein the method further comprises determining the risk rating in response to a simplicity rating of the security vulnerability.
  - 23. The method of claim 21, wherein the method further comprises determining the risk rating in response to a probability rating of the security vulnerability.
  - 24. The method of claim 21, wherein the method further comprises determining the risk rating in response to an impact rating of the security vulnerability.
  - 25. The method of claim 21, wherein the method further comprises determining the risk rating in response to the level of access exposed by the security vulnerability.
  - 26. The method of claim 21, wherein determining the risk rating includes calculating a numerical risk rating.
  - 27. The method of claim 21, wherein determining the risk rating includes calculating a numerical risk rating in response to receiving a numerical simplicity rating, a numerical probability rating, and a numerical impact rating.
  - 28. The method of claim 21, wherein determining the risk rating includes assigning a numerical risk rating in response to calculating an average of a numerical simplicity rating, a numerical probability rating, and a numerical impact rating.
  - 29. The method of claim 21, wherein determining the risk rating includes assigning a numerical risk rating in response to calculating a weighted average of a numerical simplicity rating, a numerical probability rating, and a numerical impact rating.
  - 30. The method of claim 21, and further comprising displaying a graphical representation of the risk rating.

31. A method of tracking security vulnerabilities across an organization, the method comprising:
- assigning one or more security vulnerabilities to a particular individual within the organization, each of the one or more assigned security vulnerabilities being associated with one or more products used by the organization;
  
  assigning a pending designation to a status for each of the one or more assigned security vulnerabilities; and
  
  changing the status of one of the one or more security vulnerabilities from a pending designation to a complete designation in response to the one of the one or more security vulnerabilities being addressed by the individual.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 32. The method of claim 31, and further comprising assigning a risk rating to each of the assigned one or more security vulnerabilities.
  - 33. The method of claim 31, and further comprising assigning a determination date to each of the assigned one or more security vulnerabilities.
  - 34. The method of claim 31, and further comprising assigning a fix date to at least one of the assigned one or more security vulnerabilities in response to changing the status of the one of the assigned one or more security vulnerabilities from the pending designation to the complete designation.
  - 35. The method of claim 31, and further comprising creating a report for tracking the assigned one or more security vulnerabilities, the report including a designation of the total number of the one or more security vulnerabilities assigned to the individual.
  - 36. The method of claim 31, and further comprising displaying a designation of the total number of the assigned one or more security vulnerabilities associated with each of a plurality of risk ratings.
  - 37. The method of claim 31, and further comprising calculating the total number of pending designations and complete designations associated with the one or more security vulnerabilities assigned to the particular individual.
  - 38. The method of claim 37, wherein calculating the total number of pending designations and complete designations further includes calculating the total number of pending designations and complete designations for each of a plurality of risk ratings.
  - 39. The method of claim 31, and further comprising calculating an average fix delay for the one or more security vulnerabilities assigned to the particular individual in response to a determination date and a fix date associated with each of the assigned one or more security vulnerabilities.
  - 40. The method of claim 31, and further comprising calculating statistical data for an organization in response to combining statistical data for the particular individual with statistical data associated with other individuals within the organization.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SecureInfo Corp. (Kratos Defense & Security Solutions Incorporated)
Original Assignee
Silicon Valley Bank (SVB Financial Group)
Inventors
Dahlstrom, Dale A., Frederick, Keith P.

Application Number

US10/189,164
Publication Number

US 20040006704A1
Time in Patent Office

Days
Field of Search
US Class Current

713/200
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

System and method for determining security vulnerabilities

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

206 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for determining security vulnerabilities

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

206 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links