Mohammed Noraden Alsaleh
Ehab Al-Shaer
ABSTRACT
The risk of cyberattacks have become increasingly daunting as most of our socioeconomic activities have gone cyber-based. Comprehensive automated risk management is becoming necessity in today's dynamic networks. In this paper, we present an objective metric to assess the risk of cyberattacks on organizations' networks based on the security compliance reports. Our model considers various risk factors, including vulnerabilities distribution, dependency between them, and network configuration. We take advantage of Security Content Automation Protocol (SCAP) languages and measurement and scoring systems to study vulnerabilities and compute the system exposure. We also describe an evaluation plan to validate the presented metric.
- NIST Special Publication 800-30, Guide for Conducting Risk Assessments. http://csrc.nist.gov/publications/PubsSPs.html#800--30, 2012.Google Scholar
- G. Elahi, E. Yu, and N. Zannone. Security risk management by qualitative vulnerability analysis. In Security Measurements and Metrics (Metrisec), pages 1--10, Sept 2011. Google ScholarDigital Library
- S. H. Houmb, V. N. Franqueira, and E. A. Engum. Quantifying security risk level from CVSS estimates of frequency and impact. Journal of Systems and Software, 83(9):1622--1634, 2010. Google ScholarDigital Library
- H. Joh and Y. K. Malaiya. Defining and assessing quantitative security risk measures using vulnerability lifecycle and cvss metrics. In The 2011 international conference on security and management (sam), 2011.Google Scholar
- NIST. The security content automation protocol (SCAP). http://scap.nist.gov/.Google Scholar
- X. Ou and A. Singhal. Security risk analysis of enterprise networks using attack graphs. In Quantitative Security Risk Assessment of Enterprise Networks, pages 13--23. Springer, 2011.Google Scholar
- N. Poolsappasit, R. Dewri, and I. Ray. Dynamic security risk management using bayesian attack graphs. IEEE Transactions on Dependable and Secure Computing, 9(1):61--74, Jan 2012. Google ScholarDigital Library
- K. Scarfone and P. Mell. The common configuration scoring system (CCSS): Metrics for software security configuration vulnerabilities. http://csrc.nist.gov/publications/nistir/ir7502/nistir-7502_CCSS.pdf, December 2010.Google Scholar
- D. Waltermire, C. Schmidt, K. Scarfone, and N. Ziring. Specification for the extensible configuration checklist description format (XCCDF) v1.2. http://csrc.nist.gov/publications/nistir/ir7275-rev4/NISTIR-7275r4.pdf.Google Scholar
- X. Yin, Y. Fang, and Y. Liu. Real-time risk assessment of network security based on attack graphs. In 2013 International Conference on Information Science and Computer Applications (ISCA 2013). Atlantis Press, 2013.Google ScholarCross Ref
Index Terms
- Enterprise Risk Assessment Based on Compliance Reports and Vulnerability Scoring Systems
Recommendations
Identifying Relevant Information Cues for Vulnerability Assessment Using CVSS
CODASPY '18: Proceedings of the Eighth ACM Conference on Data and Application Security and PrivacyThe assessment of new vulnerabilities is an activity that accounts for information from several data sources and produces a 'severity' score for the vulnerability. The Common Vulnerability Scoring System (CVSS) is the reference standard for this ...
Organizational Risk Assessment Based on Attacks Repetition
ARES '12: Proceedings of the 2012 Seventh International Conference on Availability, Reliability and SecurityRisk assessment is a very critical and important process to protect the organization assets and reputation against security threats and risks. It provides a clear picture of the current threats that the organization is facing and helps the top ...
Vulnerability scoring for security configuration settings
QoP '08: Proceedings of the 4th ACM workshop on Quality of protectionThe best-known vulnerability scoring standard, the Common Vulnerability Scoring System (CVSS), is designed to quantify the severity of security-related software flaw vulnerabilities. This paper describes our efforts to determine if CVSS could be adapted ...
Comments