Abstract
Assessing the vulnerability of large heterogeneous systems is crucial to IT operational decisions such as prioritizing the deployment of security patches and enhanced monitoring. These assessments draw on several sources, including (i) the NIST National Vulnerability Database, which reports tens of thousands of vulnerabilities in individual components, with several thousand added every year, and (ii) the specifics of the enterprise IT infrastructure, which comprises many interconnected components.
Defining and computing vulnerability metrics that actually support decision making remains a challenge. Currently, many IT organizations rely on the CVSS metrics, which score vulnerabilities in individual components in isolation. CVSS does allow for environmental metrics, which are meant to adjust a component's score to its deployment context, including its connectivity to other components; unfortunately, Section 2.3 of [1] gives no guidance on how these should be computed, and consequently environmental metrics are rarely defined or used in practice.
We present a systematic approach to quantifying, and automatically computing, the risk profile of an enterprise from the per-component vulnerability information in CVSS scores combined with the connectivity of the enterprise. The resulting metric can serve as the CVSS environmental score. It can be applied to prioritizing patches in a way that is customized to the connectivity of a given enterprise, and it can also be used to prioritize vulnerable components for enhanced monitoring.
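The following is an added worked example, not the metric defined by Bhatt, Horne and Rao and not code from the paper. It illustrates the kind of computation the abstract describes: per-component CVSS base scores are combined with a connectivity graph of the enterprise to rank patches by how much of the attacker's reach they remove, rather than by base score alone. The host names, scores, edges, exploitability threshold and the "patch gain" scoring rule are all assumptions of this example.

```python
"""
Connectivity-aware patch prioritisation over a constructed enterprise graph.

Added illustration: the reachability model and the "hosts removed if patched"
scoring rule are assumptions of this example, not the paper's metric.
"""
from collections import deque

# Constructed sample enterprise (values invented for illustration).
# EDGES[u] lists the hosts that u can open a network connection to.
# CVSS_BASE[h] is the base score of the worst unpatched vulnerability on h.
EDGES = {
    "internet": ["web", "vpn"],
    "web": ["app"],
    "vpn": ["app"],
    "app": ["db", "ldap"],
    "ldap": ["app"],
    "db": [],
    "admin": ["app", "db", "ldap"],   # internal only: nothing reaches it from outside
}
CVSS_BASE = {"web": 6.8, "vpn": 5.5, "app": 9.3, "db": 7.5, "ldap": 5.0, "admin": 4.3}
ENTRY = "internet"
EXPLOITABLE = 4.0   # assumption: a base score at or above this is treated as exploitable


def compromised_set(edges, cvss, entry, patched=frozenset(), threshold=EXPLOITABLE):
    """Hosts an attacker starting at `entry` can compromise.

    Breadth-first search in which a host is added only if (a) an already
    compromised host can connect to it, (b) it is not patched, and (c) its
    base score reaches the exploitability threshold. Patched hosts are never
    expanded, so the attacker cannot pivot through them.
    """
    seen = {entry}
    queue = deque([entry])
    while queue:
        u = queue.popleft()
        for v in edges.get(u, ()):
            if v in seen or v in patched or cvss.get(v, 0.0) < threshold:
                continue
            seen.add(v)
            queue.append(v)
    seen.discard(entry)
    return seen


def patch_gain(edges, cvss, entry, host, patched=frozenset()):
    """Number of hosts removed from the compromised set by patching `host`."""
    before = compromised_set(edges, cvss, entry, patched)
    after = compromised_set(edges, cvss, entry, patched | {host})
    return len(before) - len(after)


def rank_patches(edges, cvss, entry, patched=frozenset()):
    """Rank currently compromisable hosts by connectivity-aware gain.

    Hosts whose patch removes the most compromised hosts come first; ties are
    broken by CVSS base score, then by name so the order is deterministic.
    Returns a list of (host, gain, base_score) tuples.
    """
    at_risk = compromised_set(edges, cvss, entry, patched)
    rows = [(h, patch_gain(edges, cvss, entry, h, patched), cvss[h]) for h in at_risk]
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))


def greedy_patch_order(edges, cvss, entry):
    """Greedy deployment order: repeatedly patch the top-ranked host until the
    attacker can compromise nothing from `entry`."""
    patched = set()
    order = []
    while True:
        ranking = rank_patches(edges, cvss, entry, frozenset(patched))
        if not ranking:
            return order
        best, _, _ = ranking[0]
        patched.add(best)
        order.append(best)


if __name__ == "__main__":
    print("compromisable from", ENTRY, ":", sorted(compromised_set(EDGES, CVSS_BASE, ENTRY)))
    for host, gain, base in rank_patches(EDGES, CVSS_BASE, ENTRY):
        print(f"{host:5s} base={base:4.1f} hosts_removed_if_patched={gain}")
    print("greedy patch order:", greedy_patch_order(EDGES, CVSS_BASE, ENTRY))
```

On this constructed graph the `app` host ranks first both because it has the highest base score and because it is the only pivot to `db` and `ldap`; `admin` never appears in the ranking despite carrying a vulnerability, since no path from the entry point reaches it. The two entry-facing hosts `web` and `vpn` are each worth only one removed host on their own because the other still provides a route to `app`, which is exactly the kind of information an isolated base score cannot express.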
References
[1] Common Vulnerability Scoring System. http://www.first.org/cvss/cvss-guide.html
[2] Bandhakavi, S., Bhatt, S., Okita, C., Rao, P.: End-to-end network access analysis. HP Laboratories Technical Report HPL-2008-28R1. HP Labs (2008)
[3] Forbath, T., Kalaher, P., O'Grady, T.: The total cost of security patch management. Technical report, Wipro Technologies (2005). http://wipro.com/webpages/insights/security_patch_mgmt.htm
[4] Ingols, K., Chu, M., Lippmann, R., Webster, S., Boyer, S.: Modeling modern network attacks and countermeasures using attack graphs. In: ACSAC 2009: Proceedings of the 25th Annual Computer Security Applications Conference. IEEE Computer Society, Washington, DC, USA (2009)
[5] Ingols, K., Lippmann, R., Piwowarski, K.: Practical attack graph generation for network defense. In: ACSAC 2006: Proceedings of the 22nd Annual Computer Security Applications Conference, pp. 121–130. IEEE Computer Society, Washington, DC, USA (2006)
[6] Noel, S., Jajodia, S.: Optimal IDS sensor placement and alert prioritization using attack graphs. Journal of Network and Systems Management 16 (2008)
[7] Ou, X., Boyer, W.F., McQueen, M.A.: A scalable approach to attack graph generation. In: CCS 2006: Proceedings of the 13th ACM Conference on Computer and Communications Security, pp. 336–345. ACM, New York (2006)
[8] Pamula, J., Jajodia, S., Ammann, P., Swarup, V.: A weakest-adversary security metric for network configuration security analysis. In: 2nd ACM Workshop on Quality of Protection. ACM Press, New York (2006)
[9] Sawilla, R.E., Ou, X.: Identifying critical attack assets in dependency attack graphs. In: Jajodia, S., Lopez, J. (eds.) ESORICS 2008. LNCS, vol. 5283, pp. 18–34. Springer, Heidelberg (2008)
[10] Singhal, A., Ou, X.: Techniques for enterprise network security metrics. In: Cyber Security and Information Intelligence Research Workshop. ACM, New York (2009)
Copyright information
© 2011 IFIP International Federation for Information Processing
About this paper
Cite this paper
Bhatt, S., Horne, W., Rao, P. (2011). On Computing Enterprise IT Risk Metrics. In: Camenisch, J., Fischer-Hübner, S., Murayama, Y., Portmann, A., Rieder, C. (eds) Future Challenges in Security and Privacy for Academia and Industry. SEC 2011. IFIP Advances in Information and Communication Technology, vol 354. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-21424-0_22
DOI: https://doi.org/10.1007/978-3-642-21424-0_22
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-21423-3
Online ISBN: 978-3-642-21424-0
eBook Packages: Computer Science (R0)