Identifying unauthorized privilege escalations
First Claim
1. A method of determining potential privilege escalations in a network comprising one or more hosts, comprising:
performing configuration scanning in a first time period;
conducting vulnerability scanning in said first time period;
determining transitive closure of all security attacks on the network;
providing a user interface that renders said potential privilege escalations;
storing a first set of results of said network configuration process in said central server for said first time period;
authenticating said first set of results for said first time period by said security administrator;
performing said network configuration process and said vulnerability analysis for a second time period to generate a second set of results comprising a second configuration scanning result and a second vulnerability scanning result; and
comparing said second set of results with the first set of results and identifying new potential privilege escalations, wherein said new potential privilege escalations potentially compromise security.
Abstract
Disclosed herein is a method and system of determining and/or managing potential privilege escalation attacks in a system or network comprising one or more potentially heterogeneous hosts. The step of configuration scanning optionally includes making a list of the operating system specific protection mechanisms on each host. Vulnerability scanning optionally includes the step of identifying the vulnerability position of each identified program. The transitive closure of all security attacks on the network, and thus the potential privilege escalations, can be determined. A user interface optionally renders the potential privilege escalations in an appropriate representation. The method may include none, one, or more of several pre-emptive mechanisms and reactive mechanisms. Further, the method may optionally include a mechanism for a periodic safety check on the system, ensuring continued security of the network.
181 Citations
54 Claims
1. A method of determining potential privilege escalations in a network comprising one or more hosts (independent claim; full text as given under First Claim above). - View Dependent Claims (2-48)
49. A method of determining potential privilege escalations in a network comprising one or more hosts, comprising the steps of:
performing configuration scanning; conducting vulnerability scanning; determining transitive closure of all privilege escalations on said network; providing a user interface output that renders said privilege escalations; and presenting said user interface output to said cyber security managers.
50. A system for determining potential privilege escalations in a network comprising a plurality of hosts and operating systems managed by one or more administrators, comprising:
a configuration scanning module for performing a configuration scan on said network at predetermined time periods; a vulnerability scanning module for conducting a vulnerability scan on the result of said configuration scan at said predetermined time periods; a timing module for scheduling the predetermined time periods; a database for storing the configuration scan results of the configuration scanning module and the vulnerability scan results of the vulnerability scanning module; a user interface module to present the results in a suitable interface to one or more administrators and help them understand the results; a state differential module for comparing the states of two subsequent configuration scans of the configuration scanning module and the vulnerability scanning module; said administrator providing administrative privileges for the configuration scanning module and providing a security policy, wherein said security policy specifies the data each principal can access; and a graphical user interface for rendering potential privilege escalations derived from the configuration scan results and vulnerability scan results. - View Dependent Claims (51, 52, 53)
54. A computer program product comprising computer executable instructions embodied in a computer-readable medium, in a network of hosts comprising a server and a plurality of hosts in the domain of an administrator, said computer program product including:
a first computer parsable program code for performing a configuration scan on said network at predetermined time periods; a second computer parsable program code for conducting a vulnerability scan on the result of said configuration scan at said predetermined time periods; a third computer parsable program code for scheduling the predetermined time periods; a fourth computer parsable program code for storing the configuration scan results and the vulnerability scan results; a fifth computer parsable program code for comparing the states of two subsequent configuration scans and the vulnerability scans; and a sixth computer parsable program code for rendering potential privilege escalations derived from the configuration scan results and vulnerability scan results.
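The two steps that carry the technical weight of claims 1, 49, 50 and 54 are the transitive closure over individual escalation findings (a chain of single-step escalations is itself an escalation) and the state differential between an authenticated earlier scan and a later one. The following is an added illustration of those two steps, written for this page and not the patent's own code or implementation. It assumes the scanners have already reduced configuration and vulnerability data to direct findings of the form (attacker principal, gained principal, evidence); the two snapshots, the principal names and the evidence strings are constructed for the example.

```python
"""Added example: closure of direct escalation findings and state differential.

Not the patent's own code. A snapshot is a set of (attacker, gained, evidence)
triples that a configuration scan plus vulnerability scan produced for one
time period. Principals are named "user@host" (constructed).
"""
from collections import deque

# Constructed first-period snapshot, assumed authenticated by the administrator.
SNAPSHOT_T1 = {
    ("www@web1", "root@web1", "setuid binary exploitable per vulnerability scan"),
    ("root@web1", "deploy@db1", "root@web1 holds the ssh key of deploy@db1"),
}

# Constructed second-period snapshot: one new direct finding on db1.
SNAPSHOT_T2 = SNAPSHOT_T1 | {
    ("deploy@db1", "postgres@db1", "sudoers grants deploy NOPASSWD as postgres"),
}


def closure(findings):
    """Transitive closure of the escalation graph.

    Returns {(attacker, gained): chain}, one entry for every pair of distinct
    principals linked by a chain of direct findings, with one such chain kept
    so the user interface can explain the escalation.
    """
    adjacency = {}
    for attacker, gained, _evidence in findings:
        adjacency.setdefault(attacker, []).append(gained)
        adjacency.setdefault(gained, [])

    reachable = {}
    for start in adjacency:
        # Breadth-first search from each principal; parent links give the chain.
        parent = {start: None}
        queue = deque([start])
        while queue:
            node = queue.popleft()
            for nxt in adjacency[node]:
                if nxt not in parent:
                    parent[nxt] = node
                    queue.append(nxt)
        for end in parent:
            if end == start:
                continue
            chain, cur = [], end
            while cur is not None:
                chain.append(cur)
                cur = parent[cur]
            reachable[(start, end)] = chain[::-1]
    return reachable


def new_escalations(previous, current):
    """State differential: escalations in the closure of the later scan that
    were absent from the closure of the earlier, authenticated scan."""
    before = closure(previous)
    after = closure(current)
    return {pair: chain for pair, chain in after.items() if pair not in before}


def render(escalations):
    """Plain-text rendering of escalation chains for the administrator."""
    lines = []
    for (attacker, gained), chain in sorted(escalations.items()):
        lines.append(f"{attacker} -> {gained}: " + " => ".join(chain))
    return "\n".join(lines)


if __name__ == "__main__":
    print("Escalations at T1:")
    print(render(closure(SNAPSHOT_T1)))
    print("\nNew escalations at T2:")
    print(render(new_escalations(SNAPSHOT_T1, SNAPSHOT_T2)))
```

Note that a single new direct finding on db1 surfaces three new escalations, because the closure propagates it back along the existing chain from www@web1 through root@web1. Diffing the closures, rather than the raw findings, is what makes the differential report the escalations that actually changed rather than only the configuration line that changed.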
Specification