METHODS AND APPARATUS FOR RATING DEVICE SECURITY AND AUTOMATICALLY ASSESSING SECURITY COMPLIANCE

US 20100333168A1
Filed: 08/31/2009
Published: 12/30/2010
Est. Priority Date: 06/26/2009
Status: Active Grant

First Claim

Patent Images

1. An Automatic Security Compliance Assessment (ASCA) method, the method comprising the steps of:

generating, at a control server, a plurality of Settings Objects, wherein each of the plurality of Settings Objects corresponds to a particular Settings Class of a plurality of different Settings Classes for a wireless computing device and is designed to configure a particular subsystem of a plurality of subsystems of the wireless computing device, wherein the plurality of Settings Objects have an expected overall device security rating (ODSR);

generating, at the control server in response to the plurality of Settings Objects, a security interaction template (SIT) corresponding to the plurality of Settings Objects; and

a security test script comprising overall security test cases corresponding to the plurality of Settings Objects and the security interaction template (SIT);

applying at least some of the plurality of Settings Objects to corresponding ones of the plurality of subsystems at the wireless computing device to configure the corresponding ones of the plurality of subsystems;

sending a request to the subsystems for actual Settings Objects currently applied to the subsystems, and determining if the subsystems are configured as specified by the plurality of Settings Objects by comparing actual Settings Objects currently applied to the subsystems to the plurality of Settings Objects;

when the subsystems are determined to be configured as specified by the plurality of Settings Objects, determining an Actual ODSR for the wireless computing device based on the SIT and the actual Settings Objects currently applied to the subsystems; and

determining, based on the actual Settings Objects currently applied to the subsystems, relevant ones of the overall security test cases that are to be executed, and executing the relevant ones of the overall security test cases on the subsystems to compute a verified ODSR for the wireless computing device.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Automatic Security Compliance Assessment (ASCA) systems and methods are provided. The disclosed systems and methods can automatically determine whether all of the devices in an enterprise network comply with security policies or standards, and can automatically take remedial or corrective action to bring those devices into compliance with security policies or standards if they are determined not to be in compliance. The disclosed systems and methods can automatically ensure that all of the devices in an enterprise network remain in compliance with the security policies or standards, and automatically create records that establish whether each of the devices are in compliance and regularly update those records over time so that the enterprise can quickly and easily provide evidence of compliance and/or corrective actions taken to bring devices into compliance if required to do so.

83 Citations

View as Search Results

23 Claims

1. An Automatic Security Compliance Assessment (ASCA) method, the method comprising the steps of:
- generating, at a control server, a plurality of Settings Objects, wherein each of the plurality of Settings Objects corresponds to a particular Settings Class of a plurality of different Settings Classes for a wireless computing device and is designed to configure a particular subsystem of a plurality of subsystems of the wireless computing device, wherein the plurality of Settings Objects have an expected overall device security rating (ODSR);
  
  generating, at the control server in response to the plurality of Settings Objects, a security interaction template (SIT) corresponding to the plurality of Settings Objects; and
  
  a security test script comprising overall security test cases corresponding to the plurality of Settings Objects and the security interaction template (SIT);
  
  applying at least some of the plurality of Settings Objects to corresponding ones of the plurality of subsystems at the wireless computing device to configure the corresponding ones of the plurality of subsystems;
  
  sending a request to the subsystems for actual Settings Objects currently applied to the subsystems, and determining if the subsystems are configured as specified by the plurality of Settings Objects by comparing actual Settings Objects currently applied to the subsystems to the plurality of Settings Objects;
  
  when the subsystems are determined to be configured as specified by the plurality of Settings Objects, determining an Actual ODSR for the wireless computing device based on the SIT and the actual Settings Objects currently applied to the subsystems; and
  
  determining, based on the actual Settings Objects currently applied to the subsystems, relevant ones of the overall security test cases that are to be executed, and executing the relevant ones of the overall security test cases on the subsystems to compute a verified ODSR for the wireless computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 22, 23)
- - 2. The method according to claim 1, further comprising the step of:
    - comparing, at the control server, the Actual ODSR to the expected ODSR to determine whether actual security of the wireless computing device matches expected security of the wireless computing device.
  - 3. The method according to claim 1, further comprising the steps of:
    - generating a security assessment results record, comprising;
      
      the Actual ODSR, the verified ODSR, an indication of when the assessment took place, and an indication for each of the subsystems of whether that particular subsystem passed corresponding ones of the overall security test cases that were executed with respect to that particular subsystem; and
      
      storing the security assessment results record in a security assessment log.
  - 4. The method according to claim 2, further comprising the step of:
    - generating, when the wireless computing device fails security assessment and does not meet security policies, a security failure notification and a rejection indicator.
  - 5. The method according to claim 4, wherein the wireless computing device fails security assessment and does not meet the security policies when:
    - one or more of the subsystems fails one of the overall security test cases;
      
      or the Actual ODSR for the wireless computing device is less than the expected ODSR.
  - 6. The method according to claim 1, wherein each Settings Class defines a plurality of Configurable Attributes that are used to configure a particular subsystem of the wireless computing device, wherein each Settings Object comprises Configurable Attributes and corresponding Values for each of the Configurable Attributes that are used to configure a particular one of the subsystems, wherein the actual Settings Objects currently applied to the subsystems include current actual Configurable Attributes and corresponding Values for each of the current actual Configurable Attributes that are actually set on the subsystems, andwherein the step of comparing the actual Settings Objects currently applied to the subsystems to the plurality of Settings Objects, comprises:
    - comparing the current actual Configurable Attributes and the corresponding Values for each of the current actual Configurable Attributes that are actually set on the subsystems to the Configurable Attributes and the corresponding Values for each of the Configurable Attributes that are specified by the plurality of Settings Objects to determine if the subsystems are configured as specified by the plurality of Settings Objects.
  - 7. The method according to claim 6, wherein the subsystems are determined to be configured as specified by the plurality of Settings Objects when the current actual Configurable Attributes and the corresponding Values for each of the current actual Configurable Attributes that are actually set on the subsystems match the Configurable Attributes and the corresponding Values for each of the Configurable Attributes that are specified by the plurality of Settings Objects.
  - 8. The method according to claim 6, further comprising the steps of:
    - re-comparing, in response to receiving the rejection indicator, the current actual Configurable Attributes and the corresponding Values for each of the current actual Configurable Attributes that are actually set on the subsystems to the Configurable Attributes and the corresponding Values for each of the Configurable Attributes that are specified by the plurality of Settings Objects to determine if the subsystems are configured as specified by the plurality of Settings Objects; and
      
      when the subsystems are not configured as specified by the plurality of Settings Objects, reapplying the plurality of Settings Objects to the subsystems to make sure that the actual Configurable Attributes and corresponding Values that are set on each of the subsystems match those specified by the plurality of Settings Objects; and
      
      generating a new security assessment results record to be stored in the security assessment log.
  - 9. The method according to claim 1, further comprising the steps of:
    - generating an application record that specifies, for each of the plurality of Settings Objects, an identifier and version number for the particular Settings Object;
      
      an identifier for a particular one of the platform and application subsystems that corresponds to the particular Settings Object;
      
      an indicator that indicates whether application of that particular Settings Object to the particular one of the platform and application subsystems was successful; and
      
      a time which indicates when that particular Settings Object was applied to the particular one of the platform and application subsystems if application of that particular Settings Object was successful; and
      
      storing the application record in a settings log to create a historical record of current Setting Objects that are applied to the platform and application subsystems and when they were applied to the platform and application subsystems.
  - 10. The method according to claim 9, further comprising the steps of:
    - generating a configuration verification results record comprising;
      
      an indicator of whether the platform and application subsystems are configured as specified by the plurality of Settings Objects; and
      
      storing the configuration verification results record in the settings log to indicate whether the Attributes and corresponding Values specified by the plurality of Settings Objects match the actual Configurable Attributes and corresponding Values that are actually configured on the platform and application subsystems.
  - 22. The system according to claim 1, wherein the Settings Objects application module is further designed to create an application record that specifies for each of the plurality of Settings Objects:
    - an identifier and version number for the particular Settings Object;
      
      an identifier for a particular one of the platform and application subsystems that corresponds to the particular Settings Object;
      
      an indicator that indicates whether application of that particular Settings Object to the particular one of the platform and application subsystems was successful; and
      
      if application of that particular Settings Object was successful, a time which indicates when that particular Settings Object was applied to the particular one of the platform and application subsystems, andwherein the control server further comprises;
      
      a settings log designed to receive and store the application record generated by the Settings Objects application module to create a historical record of current Setting Objects that are applied to the platform and application subsystems and when they were applied to the platform and application subsystems.
  - 23. The system according to claim 22, wherein the Settings Objects verification module is designed to generate a configuration verification results record comprising:
    - an indicator of whether the platform and application subsystems are configured as specified by the plurality of Settings Objects, andwherein the settings log designed to store the configuration verification results record generated by the Settings Objects verification module to indicate the plurality of Settings Objects and whether the Attributes and corresponding Values specified by the plurality of Settings Objects match the actual Configurable Attributes and corresponding Values that are actually configured on the platform and application subsystems.

11. An Automatic Security Compliance Assessment (ASCA) system, comprising:
- a computer;
  
  a wireless computing device comprising a plurality of subsystems, wherein each particular subsystem is configurable by applying a Settings Object corresponding to that particular subsystem; and
  
  a control server communicatively coupled to the computer and the wireless computing device, the control server being designed to generate, in response to Values input at the computer for a plurality of Configurable Attributes of the wireless computing device;
  
  a plurality of Settings Objects each corresponding to a particular Settings Class of a plurality of different Settings Classes for the wireless computing device, wherein the plurality of Settings Objects have an expected overall device security rating (ODSR);
  
  a security interaction template (SIT) corresponding to the plurality of Settings Objects; and
  
  a security test script comprising overall security test cases corresponding to the plurality of Settings Objects and the security interaction template (SIT);
  
  wherein the wireless computing device further comprises;
  
  a Settings Objects application module designed to;
  
  receive the plurality of Settings Objects from the control server, and apply at least some of the plurality of Settings Objects to corresponding ones of the plurality of subsystems to configure the corresponding ones of the plurality of subsystems;
  
  a Settings Objects verification module designed to;
  
  receive the plurality of Settings Objects from the control server;
  
  send a request to the subsystems for actual Settings Objects currently applied to the subsystems;
  
  compare the actual Settings Objects currently applied to the subsystems to the plurality of Settings Objects to determine if the subsystems are configured as specified by the plurality of Settings Objects; and
  
  generate a begin security assessment command when the subsystems are determined to be configured as specified by the plurality of Settings Objects; and
  
  an automated security assessment module designed to;
  
  determine, in response to the begin security assessment command, an Actual ODSR for the wireless computing device based on the SIT and the actual Settings Objects currently applied to the subsystems; and
  
  determine, based on the actual Settings Objects currently applied to the subsystems, relevant ones of the overall security test cases that are to be executed, and execute the relevant ones of the overall security test cases on the subsystems to compute a verified ODSR for the wireless computing device.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 12. The system according to claim 11, wherein the control server is designed to compare the Actual ODSR to the expected ODSR to determine whether actual security of the wireless computing device matches expected security of the wireless computing device.
  - 13. The system according to claim 11, wherein the automated security assessment module is further designed to generate a security assessment results record, the security assessment results record comprising:
    - the Actual ODSR,the verified ODSR,an indication of when the assessment took place, andan indication for each of the subsystems of whether that particular subsystem passed corresponding ones of the overall security test cases that were executed with respect to that particular subsystem.
  - 14. The system according to claim 12, wherein the Actual ODSR for the wireless computing device is different than the expected ODSR when some of the plurality of Settings Objects are currently applied to the subsystems, and wherein the Actual ODSR for the wireless computing device is equal to the expected ODSR when all of the plurality of Settings Objects are currently applied to the subsystems.
  - 15. The system according to claim 12, wherein the SIT includes rules for determining the actual ODSR when only a subset of the plurality of Settings Objects are currently applied to the subsystems and other ones of the plurality of Settings Objects are not currently applied to the subsystems.
  - 16. The system according to claim 12, wherein the control server 110 further comprises:
    - a security assessment log designed to store the security assessment results record.
  - 17. The system according to claim 12, wherein the automated security assessment module is further designed to generate:
    - a security failure notification when the wireless computing device fails security assessment and does not meet the requisite security to indicate that the actual Configurable Attributes and corresponding Values being applied to the subsystems do not meet security policies.
  - 18. The system according to claim 12, wherein the automated security assessment module is further designed to generate:
    - a rejection indicator when the wireless computing device fails security assessment and does not meet the security policies.
  - 19. The system according to claim 18, wherein the wireless computing device fails security assessment and does not meet the security policies when:
    - one or more of the subsystems fails one of the overall security test cases;
      
      orthe Actual ODSR for the wireless computing device is less than the expected ODSR.
  - 20. The system according to claim 11, wherein each Settings Class defines a plurality of Configurable Attributes that are used to configure a particular subsystem of the wireless computing device, wherein each Settings Object comprises Configurable Attributes and corresponding Values for each of the Configurable Attributes that are used to configure a particular one of the subsystems, wherein the actual Settings Objects currently applied to the subsystems include current actual Configurable Attributes and corresponding Values for each of the current actual Configurable Attributes that are actually set on the subsystems, and wherein the Settings Objects verification module is designed to:
    - compare the current actual Configurable Attributes and the corresponding Values for each of the current actual Configurable Attributes that are actually set on the subsystems to the Configurable Attributes and the corresponding Values for each of the Configurable Attributes that are specified by the plurality of Settings Objects to determine if the subsystems are configured as specified by the plurality of Settings Objects,wherein the subsystems are determined to be configured as specified by the plurality of Settings Objects when the current actual Configurable Attributes and the corresponding Values for each of the current actual Configurable Attributes that are actually set on the subsystems match the Configurable Attributes and the corresponding Values for each of the Configurable Attributes that are specified by the plurality of Settings Objects.
  - 21. The system according to claim 20, wherein the Settings Objects verification module is further designed to:
    - re-compare, in response to receiving the rejection indicator, the current actual Configurable Attributes and the corresponding Values for each of the current actual Configurable Attributes that are actually set on the subsystems to the Configurable Attributes and the corresponding Values for each of the Configurable Attributes that are specified by the plurality of Settings Objects to determine if the subsystems are configured as specified by the plurality of Settings Objects; and
      
      send, when the subsystems are not configured as specified by the plurality of Settings Objects, a reapply command to the Settings Objects application module to reapply the plurality of Settings Objects to the subsystems to make sure that the actual Configurable Attributes and corresponding Values that are set on each of the subsystems match those specified by the plurality of Settings Objects; and
      
      generate a new a security assessment results record to be stored in the security assessment log.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Symbol Technologies, LLC (Zebra Technologies Corporation)
Original Assignee
Symbol Technologies, Inc. (Zebra Technologies Corporation)
Inventors
Herrod, Allan

Granted Patent

US 8,353,001 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 41/0813   characterised by the condit...

H04L 41/0843   based on generic templates

H04L 41/28   Restricting access to netwo...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

H04W 12/00   Security arrangements; Auth...

H04W 12/37   Managing security policies ...

METHODS AND APPARATUS FOR RATING DEVICE SECURITY AND AUTOMATICALLY ASSESSING SECURITY COMPLIANCE

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

83 Citations

23 Claims

Specification

Use Cases

Quick Links

Others

METHODS AND APPARATUS FOR RATING DEVICE SECURITY AND AUTOMATICALLY ASSESSING SECURITY COMPLIANCE

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

83 Citations

23 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others