Towards Unifying Vulnerability Information for Attack Graph Construction
Size: px
Start display at page:

Download "Towards Unifying Vulnerability Information for Attack Graph Construction"

Transcription

1 Towards Unifying Vulnerability Information for Attack Graph Construction Sebastian Roschke Feng Cheng, Robert Schuppenies, Christoph Meinel ISC Internet-Technologies and -Systems Prof. Dr. Ch. Meinel

2 Outline 2 Introduction Outline Introduction Attack Graph Workflow Sources of Vulnerability Information Source Comparison CVE, CVSS, and OVAL Implementation of an Extraction Tool Data Model Architecture Proof of Concept Summary & Conclusions

3 Attack Graph Workflow 3 Attack Graph Workflow Phases Information Gathering, Attack Graph Contruction, Analysis & Visualization Introduction Attack Graph Workflow

4 Outline 4 Introduction Outline Introduction Attack Graph Workflow Sources of Vulnerability Information Source Comparison CVE, CVSS, and OVAL Implementation of an Extraction Tool Data Model Architecture Proof of Concept Summary & Conclusions

5 Vulnerabilty Information 5 Sources of Vulnerability Information

6 Sources of Vulnerabilty Information 6 Sources of Vulnerability Information Existing databases are either commercial or community-based Commercial: DragonSoft (D.Soft), Secunia, SecurityFocus (S.Focus), Securiteam, and X-Force Community-based: Cooperative Vulnerability Database (CoopVDB), the Department of Energy Cyber Incident Response Capability (DoE-CIRC), the National Vulnerability Database (NVD), the Open Source Vulnerability Database (OSVDB), and the United States Computer Emergency Readiness Team (US-CERT) Vulnerabilty standardization efforts CVE Common Vulnerabilty and Exposures CVSS - Common Vulnerability Scoring System OVAL - Open Vulnerability and Assessment Language

7 Vulnerabilty Standardization Efforts 7 Sources of Vulnerability Information Standardization CVE Common Vulnerabilty and Exposures Dictionary providing common names and references for vulnerabilites CVSS - Common Vulnerability Scoring System Metric indicates how critial a vulnerability is Metrics: base metrics, temporal metrics, and environmental metrics Base metrics: access vector and complexity information, degree of Confidentiality, Integrity, and Availability (CIA) violations, and number of required authentication steps OVAL - Open Vulnerability and Assessment Language Detailed and structured description of congurations affected by vulnerabilities Defintion Types: vulnerability definitions, compliance definitions, inventory definitions, patch definitions, miscellaneous type

8 Sources of Vulnerabilty Information 8 Comparison Sources of Vulnerability Information Comparison

9 Outline 9 Introduction Outline Introduction Attack Graph Workflow Sources of Vulnerability Information Source Comparison CVE, CVSS, and OVAL Implementation of an Extraction Tool Data Model Architecture Proof of Concept Summary & Conclusions

10 Implementation Data Model 10 Data Model Description of vulnerabilities as set of pre- and post-conditions Condition consists of system properties Extraction Tool Data Model (1/3)

11 Implementation Data Model 11 System Properties Extraction Tool Data Model (2/3)

12 Implementation Data Model 12 Description Example Extraction Tool Data Model (3/3)

13 Automatic Vulnerability Extraction 13 Architecture Extraction Tool Architecture Plugin enabled architecture of readers and writers Reader plugins parse VDBs and create internal vulnerability representation (according to introduced data model) Writer plugins use the data model to transform internal representation, e.g., to create AG creator compatible data

14 Automatic Vulnerability Extraction 14 Extraction Tool Extraction Process Proof of Concept PoC implemented in python with simple web based front end Reader plugins: NVD Reader, OVAL Reader, XML Reader, CVE Reader Writer plugins: MulVAL Writer, XML Writer Extraction Process Main source NVD Utilization of CVSS: CIA impact, access vector Utilization of OVAL: description of environment Extraction based on common patterns and phrases execute arbitrary code" Microsoft Windows 2000 SP4 or later is installed

15 Correctness 15 Evaluation of Textual Extraction NVD comparison of textual description with CVSS counterpart Extraction Tool Correctness

16 Outline 16 Introduction Outline Introduction Attack Graph Workflow Sources of Vulnerability Information Source Comparison CVE, CVSS, and OVAL Implementation of an Extraction Tool Data Model Architecture Proof of Concept Summary & Conclusions

17 Summary 17 Main contributions Comparison of vulnerability databases Data model to unify vulnerabilities Automatic extraction of vulnerability information Transformation to different attack graph tools, e.g., MulVAL (Ou et al.) Summary - Conclusion Conclusions Vulnerability information often is inconsistent, e.g., CVSS compared to textual description Extraction from textual descriptions applicable (70%-90% correctness)

18 Open Issues 18 Improve the extraction process Additional plugins to enrich functionality Reader for new VDBs, e.g.,... Writers for different Attack Graph tools Universal vulnerability database providing unified vulnerability information (extracted from multiple databases) at runtime Summary Open Issues Utilization of data model to describe system and network information Attack Graph toolkit focusing on wide range of vulnerability information

19 Questions 19 Any Questions? Summary - Questions

Similar documents

BMC Client Management - SCAP Implementation Statement. Version 12.0

BMC Client Management - SCAP Implementation Statement. Version 12.0 BMC Client Management - SCAP Implementation Statement Version 12.0 BMC Client Management - SCAP Implementation Statement TOC 3 Contents SCAP Implementation Statement... 4 4 BMC Client Management - SCAP

More information

6. Exercise: Writing Security Advisories

6. Exercise: Writing Security Advisories CERT Exercises Toolset 49 49 6. Exercise: Writing Security Advisories Main Objective Targeted Audience Total Duration Time Schedule Frequency The objective of the exercise is to provide a practical overview

More information

How To Use A Policy Auditor 6.2.2 (Macafee) To Check For Security Issues

How To Use A Policy Auditor 6.2.2 (Macafee) To Check For Security Issues Vendor Provided Validation Details - McAfee Policy Auditor 6.2 The following text was provided by the vendor during testing to describe how the product implements the specific capabilities. Statement of

More information

ECS 235A Project - NVD Visualization Using TreeMaps

ECS 235A Project - NVD Visualization Using TreeMaps ECS 235A Project - NVD Visualization Using TreeMaps Kevin Griffin Email: kevgriffin@ucdavis.edu December 12, 2013 1 Introduction The National Vulnerability Database (NVD) is a continuously updated United

More information

Pentests more than just using the proper tools

Pentests more than just using the proper tools Pentests more than just using the proper tools Agenda 1. Information Security @ TÜV Rheinland 2. Security testing 3. Penetration testing Introduction Evaluation scheme Security Analyses of web applications

More information

Pentests more than just using the proper tools

Pentests more than just using the proper tools Pentests more than just using the proper tools Agenda 1. Information Security @ TÜV Rheinland 2. Penetration testing Introduction Evaluation scheme Security Analyses of web applications Internal Security

More information

An Integrated Network Scanning Tool for Attack Graph Construction

An Integrated Network Scanning Tool for Attack Graph Construction published as: Feng Cheng, Sebastian Roschke, Christoph Meinel: An Integrated Network Scanning Tool for Attack Graph Construction In Proceedings of the 6th International Conference on Advances in Grid and

More information

VRDA Vulnerability Response Decision Assistance

VRDA Vulnerability Response Decision Assistance VRDA Vulnerability Response Decision Assistance Art Manion CERT/CC Yurie Ito JPCERT/CC EC2ND 2007 2007 Carnegie Mellon University VRDA Rationale and Design 2 Problems Duplication of effort Over 8,000 vulnerability

More information

Web Application Security. Sajjad Pourali sajjad@securation.com CERT of Ferdowsi University of Mashhad

Web Application Security. Sajjad Pourali sajjad@securation.com CERT of Ferdowsi University of Mashhad Web Application Security Sajjad Pourali sajjad@securation.com CERT of Ferdowsi University of Mashhad Take away Why web application security is very important Understanding web application security How

More information

Anatomy of Cyber Threats, Vulnerabilities, and Attacks

Anatomy of Cyber Threats, Vulnerabilities, and Attacks Anatomy of Cyber Threats, Vulnerabilities, and Attacks ACTIONABLE THREAT INTELLIGENCE FROM ONTOLOGY-BASED ANALYTICS 1 Anatomy of Cyber Threats, Vulnerabilities, and Attacks Copyright 2015 Recorded Future,

More information

EFFECTIVE VULNERABILITY SCANNING DEMYSTIFYING SCANNER OUTPUT DATA

EFFECTIVE VULNERABILITY SCANNING DEMYSTIFYING SCANNER OUTPUT DATA EFFECTIVE VULNERABILITY SCANNING DEMYSTIFYING SCANNER OUTPUT DATA Paul R. Lazarr, CISSP, CISA, CIPP, CRISK Sr. Managing Consultant, IBM Cybersecurity and Biometrics January 21, 2016 PERSONAL BACKGROUND

More information

3 Web Services Threats, Vulnerabilities, and Countermeasures

3 Web Services Threats, Vulnerabilities, and Countermeasures 3 Web Services Threats, Vulnerabilities, and Countermeasures Securing a Web service requires us to protect, as far as possible, all of its basic components, shown in Figure 3.1, and their interactions

More information

A Multi-layer Tree Model for Enterprise Vulnerability Management

A Multi-layer Tree Model for Enterprise Vulnerability Management A Multi-layer Tree Model for Enterprise Vulnerability Management Bin Wu Southern Polytechnic State University Marietta, GA, USA bwu@spsu.edu Andy Ju An Wang Southern Polytechnic State University Marietta,

More information

Secunia Vulnerability Intelligence Manager

Secunia Vulnerability Intelligence Manager TECHNOLOGY AUDIT Secunia Vulnerability Intelligence Manager Secunia Reference Code: OI00070-076 Publication Date: July 2011 Author: Andy Kellett SUMMARY Catalyst Secunia Vulnerability Intelligence Manager

More information

Structuring a Vulnerability Description for Comprehensive Single System Security Analysis

Structuring a Vulnerability Description for Comprehensive Single System Security Analysis Structuring a Vulnerability Description for Comprehensive Single System Security Analysis Malgorzata Urbanska, Indrajit Ray, Adele E. Howe, Mark Roberts Computer Science Department Colorado State University

More information

Microsoft Patch Analysis

Microsoft Patch Analysis Microsoft Patch Analysis Patch Tuesday - Exploit Wednesday Yaniv Miron aka Lament 1 / About Me Yaniv Miron aka Lament Security Researcher and Consultant Found security vulnerabilities in IBM, Oracle, Microsoft

More information

User s Guide. Skybox Risk Control 7.0.0. Revision: 11

User s Guide. Skybox Risk Control 7.0.0. Revision: 11 User s Guide Skybox Risk Control 7.0.0 Revision: 11 Copyright 2002-2014 Skybox Security, Inc. All rights reserved. This documentation contains proprietary information belonging to Skybox Security and is

More information

CDM Vulnerability Management (VUL) Capability

CDM Vulnerability Management (VUL) Capability CDM Vulnerability Management (VUL) Capability Department of Homeland Security Office of Cybersecurity and Communications Federal Network Resilience Vulnerability Management Continuous Diagnostics and Mitigation

More information

Software Vulnerability Assessment

Software Vulnerability Assessment Software Vulnerability Assessment Setup Guide Contents: About Software Vulnerability Assessment Setting Up and Running a Vulnerability Scan Manage Ongoing Vulnerability Scans Perform Regularly Scheduled

More information

Security Content Automation Protocol for Governance, Risk, Compliance, and Audit

Security Content Automation Protocol for Governance, Risk, Compliance, and Audit UNCLASSIFIED Security Content Automation Protocol for Governance, Risk, Compliance, and Audit presented by: Tim Grance The National Institute of Standards and Technology UNCLASSIFIED Agenda NIST s IT Security

More information

Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities

Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities Sean Barnum sbarnum@mitre.org September 2011 Overview What is SCAP? Why SCAP?

More information

NIST Interagency Report 7788 Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs

NIST Interagency Report 7788 Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs NIST Interagency Report 7788 Security Risk Analysis of Enterprise Networks Using Probabilistic Attack Graphs Anoop Singhal Ximming Ou NIST Interagency Report 7788 Security Risk Analysis of Enterprise Networks

More information

Quantitative Security Risk Analysis of Enterprise Systems: Techniques and Challenges Tutorial ICISS, December 2014

Quantitative Security Risk Analysis of Enterprise Systems: Techniques and Challenges Tutorial ICISS, December 2014 Quantitative Security Risk Analysis of Enterprise Systems: Techniques and Challenges Tutorial ICISS, December 2014 Anoop Singhal Computer Security Division National Institute of Standards and Technology

More information

SCAP for VoIP Automating Configuration Compliance. 6 th Annual IT Security Automation Conference

SCAP for VoIP Automating Configuration Compliance. 6 th Annual IT Security Automation Conference SCAP for VoIP Automating Configuration Compliance 6 th Annual IT Security Automation Conference Presentation Overview 1. The Business Challenge 2. Securing Voice over IP Networks 3. The ISA VoIP Security

More information

Q: What is CVSS? Q: Who developed CVSS?

Q: What is CVSS? Q: Who developed CVSS? CVSS FAQ Q: What is CVSS? Q: Who developed CVSS? Q: What does CVSS not do? Q: What is involved in CVSS? Q: What are the details of the Base Metrics? Q: What are the details of the Temporal Metrics? Q:

More information

SSA-345442: Multiple Vulnerabilities in WinCC flexible and WinCC V11 (TIA Portal)

SSA-345442: Multiple Vulnerabilities in WinCC flexible and WinCC V11 (TIA Portal) SSA-345442: Multiple Vulnerabilities in WinCC flexible and WinCC V11 (TIA Portal) Publishing Date 2012-01-24 Last Update 2012-01-24 Current Version V1.5 CVSS Overall Score 8.7 Summary: Multiple vulnerabilities

More information

Attack Graph Techniques

Attack Graph Techniques Chapter 2 Attack Graph Techniques 2.1 An example scenario Modern attack-graph techniques can automatically discover all possible ways an attacker can compromise an enterprise network by analyzing configuration

More information

Assuria Auditor The Configuration Assurance, Vulnerability Assessment, Change Detection and Policy Compliance Reporting Solution for Enterprise

Assuria Auditor The Configuration Assurance, Vulnerability Assessment, Change Detection and Policy Compliance Reporting Solution for Enterprise Assuria Auditor The Configuration Assurance, Vulnerability Assessment, Change Detection and Policy Compliance Reporting Solution for Enterprise 1. Introduction Information security means protecting information

More information

Continuous Monitoring

Continuous Monitoring Continuous Monitoring The Evolution of FISMA Compliance Tina Kuligowski Tina.Kuligowski@Securible.com Overview Evolution of FISMA Compliance NIST Standards & Guidelines (SP 800-37r1, 800-53) OMB Memorandums

More information

Inspection of Vulnerabilities through Attack Graphs and Analyzing Security Metrics Used For Measuring Security in A Network.

Inspection of Vulnerabilities through Attack Graphs and Analyzing Security Metrics Used For Measuring Security in A Network. Inspection of Vulnerabilities through Attack Graphs and Analyzing Security Metrics Used For Measuring Security in A Network. R.Dhaya 1 D.Deepika 2 Associate Professor, Department of CSE, Velammal Engineering

More information

Manage Vulnerabilities (VULN) Capability Data Sheet

Manage Vulnerabilities (VULN) Capability Data Sheet Manage Vulnerabilities (VULN) Capability Data Sheet Desired State: - Software products installed on all devices are free of known vulnerabilities 1 - The list of known vulnerabilities is up-to-date Desired

More information

ON ATTACK GRAPH MODEL OF NETWORK SECURITY. Hasmik Sahakyan, Daryoush Alipour

ON ATTACK GRAPH MODEL OF NETWORK SECURITY. Hasmik Sahakyan, Daryoush Alipour 26 ON ATTACK GRAPH MODEL OF NETWORK SECURITY Hasmik Sahakyan, Daryoush Alipour Abstract: All types of network systems are subject to computer attacks. The overall security of a network cannot be determined

More information

Secunia Vulnerability Intelligence Manager (VIM) 4.0

Secunia Vulnerability Intelligence Manager (VIM) 4.0 Secunia Vulnerability Intelligence Manager (VIM) 4.0 In depth Real-time vulnerability intelligence brought to you on time, every time, by Secunia s renowned research team Introduction Secunia is the world-leading

More information

Tracking known security vulnerabilities in third-party components

Tracking known security vulnerabilities in third-party components Tracking known security vulnerabilities in third-party components Master s Thesis Mircea Cadariu Tracking known security vulnerabilities in third-party components THESIS submitted in partial fulfillment

More information

Federal Desktop Core Configuration (FDCC)

Federal Desktop Core Configuration (FDCC) Federal Desktop Core Configuration (FDCC) Presented by: Saji Ranasinghe Date: October, 2007 FDCC Federal Desktop Core Configuration (FDCC) Standardized Configuration with Hardened Security Settings to

More information

Copyright (2004) Purdue Research Foundation. All rights reserved.

Copyright (2004) Purdue Research Foundation. All rights reserved. CS390S, Week 1: Introduction to Secure Programming Pascal Meunier, Ph.D., M.Sc., CISSP January 10, 2007 Developed thanks to support and contributions from Symantec Corporation, support from the NSF SFS

More information

Statistical Analysis of Computer Network Security. Goran Kap and Dana Ali

Statistical Analysis of Computer Network Security. Goran Kap and Dana Ali Statistical Analysis of Computer Network Security Goran Kap and Dana Ali October 7, 2013 Abstract In this thesis it is shown how to measure the annual loss expectancy of computer networks due to the risk

More information

Enterprise Software Management Systems by Using Security Metrics

Enterprise Software Management Systems by Using Security Metrics Enterprise Software Management Systems by Using Security Metrics Bhanudas S. Panchabhai 1, A. N. Patil 2 1 Department of Computer Science, R. C. Patel Arts, Commerce and Science College, Shirpur, Maharashtra,

More information

State of Minnesota. Office of Enterprise Technology (OET) Enterprise Vulnerability Management Security Standard

State of Minnesota. Office of Enterprise Technology (OET) Enterprise Vulnerability Management Security Standard State of Minnesota Office of Enterprise Technology (OET) Enterprise Vulnerability Management Security Standard Approval: Enterprise Security Office (ESO) Standard Version 1.00 Gopal Khanna

More information

PASTA Abstract. Process for Attack S imulation & Threat Assessment Abstract. VerSprite, LLC Copyright 2013

PASTA Abstract. Process for Attack S imulation & Threat Assessment Abstract. VerSprite, LLC Copyright 2013 2013 PASTA Abstract Process for Attack S imulation & Threat Assessment Abstract VerSprite, LLC Copyright 2013 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

More information

Metrics Suite for Enterprise-Level Attack Graph Analysis

Metrics Suite for Enterprise-Level Attack Graph Analysis Metrics Suite for Enterprise-Level Attack Graph Analysis Cyber Security Division 2012 Principal Investigators Meeting October 11, 2012 Sushil Jajodia (PI), Steven Noel (co-pi) Metrics Suite for Enterprise-Level

More information

REPORT. 2015 State of Vulnerability Risk Management

REPORT. 2015 State of Vulnerability Risk Management REPORT 2015 State of Vulnerability Risk Management Table of Contents Introduction: A Very Vulnerable Landscape... 3 Security Vulnerabilities by Industry... 4 Remediation Trends: A Cross-Industry Perspective...

More information

Continuous security audit automation with Spacewalk, Puppet, Mcollective and SCAP

Continuous security audit automation with Spacewalk, Puppet, Mcollective and SCAP Continuous security audit automation with Spacewalk, Puppet, Mcollective and SCAP Vasileios A. Baousis (Ph.D) Network Applications Team Slide 1 Agenda Introduction Background - SCAP - Puppet &Mcollective

More information

Enhancing Security for Next Generation Networks and Cloud Computing

Enhancing Security for Next Generation Networks and Cloud Computing V1.0 Enhancing Security for Next Generation Networks and Cloud Computing Tony Rutkowski Yaana Technologies Georgia Tech ITU-T Q.4/17 Rapporteur ETSI Workshop 19-20 January 2011 Sophia Antipolis, France

More information

VEA-bility Security Metric: A Network Security Analysis Tool

VEA-bility Security Metric: A Network Security Analysis Tool VEA-bility Security Metric: A Network Security Analysis Tool Melanie Tupper Dalhousie University tupper@cs.dal.ca A. Nur Zincir-Heywood Dalhousie University zincir@cs.dal.ca Abstract In this work, we propose

More information

Information Security and Continuity Management Information Sharing Portal. Category: Risk Management Initiatives

Information Security and Continuity Management Information Sharing Portal. Category: Risk Management Initiatives Information Security and Continuity Management Information Sharing Portal Category: Risk Management Initiatives Contact: Chip Moore, CISO State of North Carolina Office of Information Technology Services

More information

Vulnerability Control Product Tour

Vulnerability Control Product Tour Skybox Trial Vulnerability Control Product Tour 7.5.300 Revision 11 Copyright 2002-2015 Skybox Security, Inc. All rights reserved. This documentation contains proprietary information belonging to Skybox

More information

Risk Analytics for Cyber Security

Risk Analytics for Cyber Security Risk Analytics for Cyber Security Justin Coker, VP EMEA, Skybox Security IT Challenges 2015, Belgium 2nd October 2014 www.skyboxsecurity.com justin.coker@skyboxsecurity.com +44 (0) 7831 691498 Risk Analytics

More information

Cloud Infrastructure Security Management

Cloud Infrastructure Security Management www.netconsulting.co.uk Cloud Infrastructure Security Management Visualise your cloud network, identify security gaps and reduce the risks of cyber attacks. Being able to see, understand and control your

More information

Is Penetration Testing recommended for Industrial Control Systems?

Is Penetration Testing recommended for Industrial Control Systems? Is Penetration Testing recommended for Industrial Control Systems? By Ngai Chee Ban, CISSP, Honeywell Process Solutions, Asia Pacific Cyber Security Assessment for Industrial Automation Conducting a cyber-security

More information

Cybersecurity Awareness. Part 2

Cybersecurity Awareness. Part 2 Part 2 Objectives Discuss the Evolution of Data Security Define and Discuss Cybersecurity Review Threat Environment Part 1 Discuss Information Security Programs s Enhancements for Cybersecurity Risks Threat

More information

Challenges of Security Risks in Service-Oriented Architectures

Challenges of Security Risks in Service-Oriented Architectures UMR 5205 Challenges of Security Risks in Service-Oriented Architectures Youakim Badr 1, Frederique Biennier 1, Pascal Bou Nassar 3, Soumya Banerjee 2!! 1 LIRIS Lab, INSA-Lyon, France! 2 Agence Universitaire

More information

Faculty of Information & Communication Technologies Swinburne University of Technology TR-001

Faculty of Information & Communication Technologies Swinburne University of Technology TR-001 Faculty of Information & Communication Technologies Swinburne University of Technology TECHNICAL REPORT TR-001 Collaboration Based Cloud Computing Security Management Framework Galactic Case Study Prepared

More information

Vulnerability Management Nirvana: A Study in Predicting Exploitability

Vulnerability Management Nirvana: A Study in Predicting Exploitability SESSION ID: TECH-F01 Vulnerability Management Nirvana: A Study in Predicting Exploitability Kymberlee Price Senior Director of Operations Bugcrowd @Kym_Possible Michael Roytman Senior Data Scientist Risk

More information

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

THREAT VISIBILITY & VULNERABILITY ASSESSMENT THREAT VISIBILITY & VULNERABILITY ASSESSMENT Date: April 15, 2015 IKANOW Analysts: Casey Pence IKANOW Platform Build: 1.34 11921 Freedom Drive, Reston, VA 20190 IKANOW.com TABLE OF CONTENTS 1 Key Findings

More information

The Importance of Patching Non-Microsoft Applications

The Importance of Patching Non-Microsoft Applications The Importance of Patching Non-Microsoft Applications Technical WHITE PAPER The Importance of Patching Non-Microsoft Applications In the past, organizations patched only Microsoft operating systems. As

More information

AN XML-BASED DATA MODEL FOR VULNERABILITY ASSESSMENT REPORTS

AN XML-BASED DATA MODEL FOR VULNERABILITY ASSESSMENT REPORTS AN XML-BASED DATA MODEL FOR VULNERABILITY ASSESSMENT REPORTS George Valvisland Despina polemi2 ' University of Pireaus, Informatics Department, Karaoli & Dimitriou 80 Pireaus 18534, Greece gvr~lvi,si@honko/kreece.gt~;

More information

strategic white paper

strategic white paper strategic white paper AUTOMATED PLANNING FOR REMOTE PENETRATION TESTING Lloyd Greenwald and Robert Shanley LGS Innovations / Bell Labs Florham Park, NJ US In this work we consider the problem of automatically

More information

The Importance of Patching Non-Microsoft Applications

The Importance of Patching Non-Microsoft Applications The Importance of Patching Non-Microsoft Applications Technical WHITE PAPER The Importance of Patching Non-Microsoft Applications In the past, organizations patched only Microsoft operating systems. As

More information

Focus on Security Xerox and the P2600 Hardcopy Device and System Security Working Group

Focus on Security Xerox and the P2600 Hardcopy Device and System Security Working Group Focus on Security Xerox and the P2600 Hardcopy Device and System Security Working Group Table of Contents 3 Introduction 3 What The Working Group Provides 4 The Xerox Role 4 What This Means To Xerox Customers

More information

The Emergence of Security Business Intelligence: Risk

The Emergence of Security Business Intelligence: Risk The Emergence of Security Business Intelligence: Risk Management through Deep Analytics & Automation Mike Curtis Vice President of Technology Strategy December, 2011 Introduction As an industry we are

More information

Value Driven Security Threat Modeling Based on Attack Path Analysis

Value Driven Security Threat Modeling Based on Attack Path Analysis Value Driven Security Threat Modeling Based on Attack Path Analysis Yue Chen, Barry Boehm Center for Software Engineering Abstract University of Southern California Los Angeles, CA, 90089-0781, USA {yuec,

More information

PAKITI Patching Status System

PAKITI Patching Status System PAKITI Patching Status System EGI-InSPIRE A Race for Security: Identifying Vulnerabilities on 50 000 Hosts Faster then Attackers Michal Procházka 1, Daniel Kouřil 1, Romain Wartel 2, Christos Kanellopoulos

More information

Vulnerability Management

Vulnerability Management Vulnerability Management Buyer s Guide Buyer s Guide 01 Introduction 02 Key Components 03 Other Considerations About Rapid7 01 INTRODUCTION Exploiting weaknesses in browsers, operating systems and other

More information

Security compliance automation with Red Hat Satellite

Security compliance automation with Red Hat Satellite Security compliance automation with Red Hat Satellite Matt Micene Solution Architect, DLT Solutions @cleverbeard @nzwulfin Created with http://wordle.net Compliance is a major problem About half of the

More information

Technical Report. The KNIME Text Processing Feature:

Technical Report. The KNIME Text Processing Feature: Technical Report The KNIME Text Processing Feature: An Introduction Dr. Killian Thiel Dr. Michael Berthold Killian.Thiel@uni-konstanz.de Michael.Berthold@uni-konstanz.de Copyright 2012 by KNIME.com AG

More information

Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme

Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme NIST Special Publication 800-51 Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme Recommendations of the National Institute of Standards and Technology Peter Mell Tim Grance

More information

How To Build A Vulnerability Chain

How To Build A Vulnerability Chain Acta Universitatis Sapientiae Electrical and Mechanical Engineering, 6 (2014) xx-yy Identifying Chains of Software Vulnerabilities: A Passive Non-Intrusive Methodology Béla GENGE 1, Călin ENĂCHESCU 1 1

More information

Best Practices for Threat & Vulnerability Management. Don t let vulnerabilities monopolize your organization.

Best Practices for Threat & Vulnerability Management. Don t let vulnerabilities monopolize your organization. Best Practices for Threat & Vulnerability Management Don t let vulnerabilities monopolize your organization. Table of Contents 1. Are You in the Lead? 2. A Winning Vulnerability Management Program 3. Vulnerability

More information

Metasploit The Elixir of Network Security

Metasploit The Elixir of Network Security Metasploit The Elixir of Network Security Harish Chowdhary Software Quality Engineer, Aricent Technologies Shubham Mittal Penetration Testing Engineer, Iviz Security And Your Situation Would Be Main Goal

More information

How To Monitor Your Entire It Environment

How To Monitor Your Entire It Environment Preparing for FISMA 2.0 and Continuous Monitoring Requirements Symantec's Continuous Monitoring Solution White Paper: Preparing for FISMA 2.0 and Continuous Monitoring Requirements Contents Introduction............................................................................................

More information

Advances in Topological Vulnerability Analysis

Advances in Topological Vulnerability Analysis Advances in Topological Vulnerability Analysis Steven Noel 1, Matthew Elder 2, Sushil Jajodia 1, Pramod Kalapa 1, Scott O Hare 3, Kenneth Prole 3 1 Center for Secure Information Systems, George Mason University,

More information

Penetration Testing Guidelines For the Financial Industry in Singapore. 31 July 2015

Penetration Testing Guidelines For the Financial Industry in Singapore. 31 July 2015 For the Financial Industry in Singapore 31 July 2015 TABLE OF CONTENT 1. EXECUTIVE SUMMARY 3 2. INTRODUCTION 4 2.1 Audience 4 2.2 Purpose and Scope 4 2.3 Definitions 4 3. REQUIREMENTS 6 3.1 Overview 6

More information

Models for Cyber Security Analysis

Models for Cyber Security Analysis Enterprise Architecture t Models for Cyber Security Analysis Teodor Sommestad Royal Institute of Technology KTH Stockholm, Sweden 1 Consequences of Cyber Security Incidents (?) CIA senior analyst Tom Donahue:

More information

EXTENSIVE FEATURE DESCRIPTION SECUNIA CORPORATE SOFTWARE INSPECTOR. Non-intrusive, authenticated scanning for OT & IT environments. secunia.

EXTENSIVE FEATURE DESCRIPTION SECUNIA CORPORATE SOFTWARE INSPECTOR. Non-intrusive, authenticated scanning for OT & IT environments. secunia. Non-intrusive, authenticated scanning for OT & IT environments The situation: convenience vs. security Interconnectivity between organizations and corporate networks, the internet and the cloud and thus

More information

Increase In Vulnerabilities Of Mobile Broadband Network Infrastructure

Increase In Vulnerabilities Of Mobile Broadband Network Infrastructure THE AVALANCHE OF VULNERABILITIES A PERSPECTIVE Mike Ahmadi Global Director of Critical Systems Security, Codenomicon Ltd @codenomicon UNKNOWN VULNERABILITIES ARE BAD KNOWN VULNERABILITIES ARE A HUGE PROBLEM

More information

Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains (DRAFT)

Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains (DRAFT) NIST Interagency Report 7800 (Draft) Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains (DRAFT) David Waltermire, Adam Halbardier,

More information

Data Driven Assessment of Cyber Risk:

Data Driven Assessment of Cyber Risk: Data Driven Assessment of Cyber Risk: Challenges in Assessing and Mitigating Cyber Risk Mustaque Ahamad, Saby Mitra and Paul Royal Georgia Tech InformationSecurity Center Georgia Tech Research Institute

More information

CPNI TECHNICAL NOTE 04/2008 VULNERABILITY ASSESSMENT TOOLS

CPNI TECHNICAL NOTE 04/2008 VULNERABILITY ASSESSMENT TOOLS CPNI TECHNICAL NOTE 04/2008 VULNERABILITY ASSESSMENT TOOLS DECEMBER 2008 CPNI would like to acknowledge and thank NCC for their help in the preparation of this report. Disclaimer: Reference to any specific

More information

Vulnerability Management with the Splunk App for Enterprise Security

Vulnerability Management with the Splunk App for Enterprise Security Copyright 2014 Splunk Inc. Vulnerability Management with the Splunk App for Enterprise Security Randal T. Rioux Principal Security Strategist and Minister of Offense Splunk Inc. Disclaimer During the course

More information

Review: McAfee Vulnerability Manager

Review: McAfee Vulnerability Manager Review: McAfee Vulnerability Manager S3KUR3, Inc. Communicating Complex Concepts in Simple Terms Tony Bradley, CISSP, Microsoft MVP September 2010 Threats and vulnerabilities are a way of life for IT admins.

More information

Secure Remote Substation Access Interest Group Part 3: Review of Top Challenges, CIPv5 mapping, and looking forward to 2014!

Secure Remote Substation Access Interest Group Part 3: Review of Top Challenges, CIPv5 mapping, and looking forward to 2014! Secure Remote Substation Access Interest Group Part 3: Review of Top Challenges, CIPv5 mapping, and looking forward to 2014! October 3, 2013 Scott Sternfeld, Project Manager Smart Grid Substation & Cyber

More information

The Importance of Patching Non-Microsoft Applications

The Importance of Patching Non-Microsoft Applications The Importance of Patching Non-Microsoft Applications Technical WHITE PAPER The Importance of Patching Non-Microsoft Applications In the past, organizations patched only Microsoft operating systems. As

More information

76% Secunia Vulnerability Review. Key figures and facts from a global IT-Security perspective. Published February 26, 2014. secunia.

76% Secunia Vulnerability Review. Key figures and facts from a global IT-Security perspective. Published February 26, 2014. secunia. Secunia Vulnerability Review 2014 Key figures and facts from a global IT-Security perspective Published February 26, 2014 76% Browser Vulnerabilities 7540 893 7540 731 7540 727 7540 441 7540 208 7540 207

More information

Evaluation of Computer Network Security based on Attack Graphs and Security Event Processing

Evaluation of Computer Network Security based on Attack Graphs and Security Event Processing based on Attack Graphs and Security Event Processing Igor Kotenko 1,2 and Elena Doynikova 1 1 Laboratory of Computer Security Problems St. Petersburg Institute for Informatics and Automation (SPIIRAS)

More information

Massively Scaled Security Solutions for Massively Scaled IT

Massively Scaled Security Solutions for Massively Scaled IT Massively Scaled Security Solutions for Massively Scaled IT Michael Smith, SecTor 2009 Who is Michael Smith? 8 years active duty army Graduate of Russian basic course, Defense Language Institute, Monterey,

More information

Analysis of the 3S CoDeSys Security Vulnerabilities for Industrial Control System Professionals

Analysis of the 3S CoDeSys Security Vulnerabilities for Industrial Control System Professionals Tofino Security SCADAhacker.com White Paper Version 1.1 Published November 20, 2012 Analysis of the 3S CoDeSys Security Vulnerabilities for Industrial Control System Professionals Contents Executive Summary...

More information

A Framework for Analysis A Network Vulnerability

A Framework for Analysis A Network Vulnerability A Framework for Analysis A Tito Waluyo Purboyo 1, Kuspriyanto 2 1,2 School of Electrical Engineering & Informatics, Institut Teknologi Bandung Jl. Ganesha 10 Bandung 40132, Indonesia Abstract: administrators

More information

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK

WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK WHITE PAPER ON SECURITY TESTING IN TELECOM NETWORK DATE OF RELEASE: 27 th July 2012 Table of Contents 1. Introduction... 2 2. Need for securing Telecom Networks... 3 3. Security Assessment Techniques...

More information

Copyright 2005-2010 Soleran, Inc. esalestrack On-Demand CRM. Trademarks and all rights reserved. esalestrack is a Soleran product Privacy Statement

Copyright 2005-2010 Soleran, Inc. esalestrack On-Demand CRM. Trademarks and all rights reserved. esalestrack is a Soleran product Privacy Statement

More information

Security Orchestration with IF-MAP

Security Orchestration with IF-MAP Security Orchestration with IF-MAP Gary Holland, Lumeta/IMRI 2 November 2011 Copyright 2010 Trusted Computing Group Agenda Threat Landscape and Federal Networks Trusted Network Connect Explanation of IF-MAP

More information

Network Security and Risk Analysis Using Attack Graphs

Network Security and Risk Analysis Using Attack Graphs Network Security and Risk Analysis Using Attack Graphs Anoop Singhal National Institute of Standards and Technology Coauthors: Lingyu Wang and Sushil Jajodia Concordia University George Mason University

More information

Relationship between Attack Surface and Vulnerability Density: A Case Study on Apache HTTP Server

Relationship between Attack Surface and Vulnerability Density: A Case Study on Apache HTTP Server Int'l Conf. Internet Computing ICOMP'12 197 Relationship between Attack Surface and Vulnerability Density: A Case Study on Apache HTTP Server 1 Awad A. Younis and 1 Yashwant K. Malaiya 1 Computer Science

More information

INFORMATION SUPPLEMENT. Migrating from SSL and Early TLS. Version 1.0 Date: April 2015 Author: PCI Security Standards Council

INFORMATION SUPPLEMENT. Migrating from SSL and Early TLS. Version 1.0 Date: April 2015 Author: PCI Security Standards Council Version 1.0 Date: Author: PCI Security Standards Council Executive Summary The time to migrate is now. For over 20 years Secure Sockets Layer (SSL) has been in the market as one of the most widely-used

More information

AtlSecCon 2012, 01 March 2012. 2012 Intru-Shun.ca Inc.

AtlSecCon 2012, 01 March 2012. 2012 Intru-Shun.ca Inc. OSSAMS -Security Testing Automation and Reporting penetration testing efficiently. Adrien de Beaupré Intru-Shun.ca Inc. SANS Internet Storm Center Handler AtlSecCon 2012, 01 March 2012 About me 32+, 22+,

More information

A Complete Guide to the Common Vulnerability Scoring System Version 2.0

A Complete Guide to the Common Vulnerability Scoring System Version 2.0 A Complete Guide to the Common Vulnerability Scoring System Version 2.0 June, 2007 Peter Mell, Karen Scarfone National Institute of Standards Sasha Romanosky Carnegie Mellon University and Technology Acknowledgements:

More information

Analytics and Continuous monitoring Engine (ACE) for Enterprise Risk and Compliance Management

Analytics and Continuous monitoring Engine (ACE) for Enterprise Risk and Compliance Management WHITE PAPER Analytics and Continuous monitoring Engine (ACE) for Enterprise Risk and Compliance Management Threat of Cyber Security is 24/7. New attack vectors are being designed daily and the bad actors

More information

Using Vulnerable Hosts to Assess Cyber Security Risk in Critical Infrastructures

Using Vulnerable Hosts to Assess Cyber Security Risk in Critical Infrastructures Workshop on Novel Approaches to Risk and Security Management for Utility Providers and Critical Infrastructures Using Vulnerable Hosts to Assess Cyber Security Risk in Critical Infrastructures Xiaobing

More information

Date: 9/19/2013 Windows Server 2003 EndoWorks 7 Windows Updates Description Tested Pass/Fail Date

Date: 9/19/2013 Windows Server 2003 EndoWorks 7 Windows Updates Description Tested Pass/Fail Date Date: 9/19/2013 The following list of Microsoft Windows Server 2003 updates have been tested and approved for EndoWorks 7 compatibility. Prior to applying Server Updates, make sure your system is current

More information

Active Defense and Prevention

Active Defense and Prevention Active Defense and Prevention Coleman Kane Coleman.Kane@ge.com October 15, 2014 Cyber Defense Overview Active Defense 1 / 11 Active Defense and Prevention are the strategies employed to prevent, obstruct,

More information
2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback | Do Not Sell My Personal Information