METHODS AND SYSTEMS FOR PASSIVELY DETECTING SECURITY LEVELS IN CLIENT DEVICES

US 20140137190A1
Filed: 02/20/2013
Published: 05/15/2014
Est. Priority Date: 11/09/2012
Status: Abandoned Application

First Claim

Patent Images

1. A method for security testing, comprising:

providing, to a server via a network, a security tool operable to be embedded in a web page provided by the server and accessible by a target computing device through the server, wherein the security tool is executed by the target computing device to collect one or more security metrics of the target computing device;

receiving, from the security tool, the one or more security metrics of the target computing device;

comparing the one or more security metrics with a security vulnerability database; and

determining a security level for the target computing device based on comparing the one or more security metrics with the security vulnerability database.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present teachings relate to systems and methods for testing and analyzing the security of a target computing device. The method can include providing, to a server via a network, a security tool operable to be associated with a webpage accessible by a target computing device through the server, wherein security tool is operable to be executable by the target computing device and operable to collect one or more security metrics of the target computing device; receiving, from the server, the one or more security metrics of the target computing device; comparing the one or more security metrics with a security vulnerability database; and determining a level of security vulnerability for the target computing device based on comparing the one or more security metrics with the security vulnerability database.

Citations

30 Claims

1. A method for security testing, comprising:
- providing, to a server via a network, a security tool operable to be embedded in a web page provided by the server and accessible by a target computing device through the server, wherein the security tool is executed by the target computing device to collect one or more security metrics of the target computing device;
  
  receiving, from the security tool, the one or more security metrics of the target computing device;
  
  comparing the one or more security metrics with a security vulnerability database; and
  
  determining a security level for the target computing device based on comparing the one or more security metrics with the security vulnerability database.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein the security tool comprises a scripting language software component that can be placed anywhere on the web page without requiring other modification of the web page.
  - 3. The method of claim 1, the method further comprising:
    - providing the security level to the server.
  - 4. The method of claim 1, wherein the server includes a web server.
  - 5. The method of claim 1, the method further comprising:
    - updating the security vulnerability database;
      
      comparing the one or more security metrics with the updated security vulnerability database; and
      
      determining a new security level for the target computing device based on comparing the one or more security metrics with the updated security vulnerability database.
  - 6. The method of claim 1, wherein the one or more security metrics comprise information related to a software, a hardware, or both a software and hardware configuration of the target computer device.
  - 7. The method of claim 1, further comprising controlling access to the web page based on the security tool.
  - 8. The method of claim 1, further comprising controlling access to the web page or other web pages associated with a website based on the security level of the target computing device.
  - 9. The method of claim 8, wherein the controlling access further comprises embedding the security tool in one or more web pages associated with the website.
  - 10. The method of claim 8, wherein the controlling access further comprises embedding the security tool on a login web page associated with the website and controlling access to other web pages associated with the website based on the security tool.
  - 11. The method of claim 1, wherein output of the security tool is integrated with an access control and permission system of a web site associated with the webpage to control access to the web page or other web pages associated with the web site.
  - 12. The method of claim 1, further comprising dynamically measuring a security level of the target computing device to control access to resources.
  - 13. The method of claim 12, wherein the resources are selected from the following:
    - a web site associated with the web page, an embeddable web component of the web page, a mail server, a mail client, or combinations thereof.
  - 14. The method of claim 6, wherein the information comprises one or more of the following:
    - operating system type, operating system version, operating system version update status, browser type, browser version, browser version update status, browser plug-in type, browser plug-in version, browser plug-in version update status, and combinations thereof.
  - 15. The method of claim 6, the method further comprising:
    - comparing each item of the information with a current security database for each item of the information on the target computing device;
      
      determining a security level for the target computer device;
      
      comparing the security level with a predetermined security level threshold; and
      
      determining access ability of the target computing device to the server.
  - 16. The method of claim 15, the method further comprising:
    - restricting access to the server if the security level does not meet the predetermined security level threshold by redirecting the target computing device to another web page.
  - 17. The method of claim 15, the method further comprising:
    - restricting access to the server if the security level does not meet the predetermined security level threshold by providing an overlay on a screen of the target computing device such that the user of the target computing device cannot access the web page.

18. A method for security testing a target computing system using a security tool from a security server, comprising:
- receiving, at a web server from the security server via a network, the security tool operable to be executable by the target computing device and operable to collect one or more security metrics of the target computer device;
  
  embedding the security tool into a web page that is operable to be accessible by the target computing device;
  
  providing the web page with the security tool to the target computing device; and
  
  controlling access to the web page based on a security level as determined based on the one or more security metrics.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26)
- - 19. The method of claim 18, the method further comprising:
    - receiving the security level from the security server; and
      
      providing the security level to the target computing device.
  - 20. The method of claim 18, wherein the security tool is operable to collect one or more security metrics from the target computing device, wherein the one or more security metrics comprise information related to a software, a hardware, or both a software and hardware configuration of the target computing device.
  - 21. The method of claim 18, wherein the embedded security tool is provided by the web server and which is accessible by the target computing device and activated if the web page is accessed by the target computing device.
  - 22. The method of claim 18, wherein the one or more security metrics includes information comprises one or more of the following:
    - operating system type, operating system version, operating system version update status, browser type, browser version, browser version update status, browser plug-in type, browser plug-in version, browser plug-in version update status, and combinations thereof.
  - 23. The method of claim 18, the method further comprising:
    - receiving, from the security server, the security level for the target computing device;
      
      providing access ability of the target computing device based on the security level.
  - 24. The method of claim 23, the method further comprising:
    - restricting access to resources provided by the web server if the security level does not meet the predetermined security level threshold by redirecting the target computing device to another web page.
  - 25. The method of claim 23, the method further comprising:
    - restricting access to resources provided by the web server if the security level does not meet the predetermined security level threshold by providing an overlay on a screen of the target computing device such that the user of the target computing device cannot access the resources.
  - 26. The method of claim 18, the method further comprising:
    - determining if the security tool is installed on the target computing device; and
      
      restricting access to the resources provided by the web server if the security tool is not found to be on the target computing device

27. A device comprising:
- one or more processors; and
  
  a computer readable medium comprising instructions that cause the one or more processors to perform a method comprising;
  
  providing, to a server via a network, a security tool operable to be embedded in a web page accessible by a target computing device through the server, wherein security tool is operable to be executable by the target computing device and operable to collect one or more security metrics of the target computing device;
  
  receiving, from the server, the one or more security metrics of the target computing device;
  
  comparing the one or more security metrics with a security vulnerability database;
  
  determining a security level for the target computing device based on comparing the one or more security metrics with the security vulnerability database; and
  
  controlling access to the web page based on the security level.

28. A device operable to provide security testing of a target computing system using a security tool from a security server, comprising:
- one or more processors; and
  
  a computer readable medium comprising instructions that cause the one or more processors to perform a method comprising;
  
  receiving, at a web server from the security server via a network, the security tool operable to be executable by the target computing device and operable to collect one or more security metrics of the target computing device;
  
  embedding the security tool in a web page that is operable to be accessible by the target computing device;
  
  providing the web page with the security tool to the target computing device; and
  
  controlling access to the web page based on a security level as determined based on the one or more security metrics.

29. A method for security testing, comprising:
- providing a security tool to a target computing device associated with a web page accessible by the target computing device, wherein security tool is executed by the target computing device to collect one or more security metrics of the target computer device;
  
  receiving the one or more security metrics of the target computing device;
  
  comparing the one or more security metrics with a security vulnerability database;
  
  determining a security level for the target computing device based on comparing the one or more security metrics with the security vulnerability database; and
  
  controlling an access capability of the target computing device based on the security level.
- View Dependent Claims (30)
- - 30. The method of claim 29, wherein the security tool is embedded into a web page provided to the target computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Rapid7, Inc.
Original Assignee
Rapid7, Inc.
Inventors
Carey, Marcus J., Kirsch, Johann Christian Felix, Moore, HD

Application Number

US13/771,943
Publication Number

US 20140137190A1
Time in Patent Office

Days
Field of Search
US Class Current

726/3
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/034   Test or assess a computer o...

H04L 63/1433   Vulnerability analysis

METHODS AND SYSTEMS FOR PASSIVELY DETECTING SECURITY LEVELS IN CLIENT DEVICES

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS AND SYSTEMS FOR PASSIVELY DETECTING SECURITY LEVELS IN CLIENT DEVICES

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links