JP2012208863A - Vulnerability determination system, vulnerability determination method and vulnerability determination program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To determine influence of vulnerability of software in a system provided with a computer and a network apparatus.SOLUTION: A vulnerability determination system 10 determines vulnerability of software in a system to be determined provided with a computer and a network apparatus. An influenced software extraction section 31 of the vulnerability determination system 10 determines whether or not software possessed by the system to be determined is influenced by vulnerability based on a vulnerability information database 21 and a software database 24 of software of a computer. A direct pass search section 32 of the vulnerability determination system 10 determines whether or not influenced software can be attacked from an external network when the software possessed by the system to be determined is determined to be influenced by the vulnerability by the influenced software extraction section 31.

Description

  The present invention relates to a vulnerability determination system, a vulnerability determination method, and a vulnerability determination program for determining the influence of vulnerability of software included in a managed system.

  In recent years, various systems have been constructed and services are provided on intranets and the Internet. These systems include a plurality of computers, a plurality of network devices, and the like, and a plurality of software (service program, client program, operating system, etc.) operate on each computer, and these all cooperate.

  In order to operate such a system safely, it is important to take countermeasures against vulnerabilities of software operating in the system. To counter this vulnerability, the system administrator needs to apply patches as needed. However, in a large-scale system, the burden on the system administrator becomes large, and it becomes difficult to grasp which software of which computer of the system is vulnerable.

  Patent Literature 1 calculates the priority of vulnerability response from the software configuration information of the managed system, the publicly available vulnerability information, and the degree of security degradation of the target system, and realizes efficient response to the vulnerability A device has been proposed.

JP 2010-086311 A

  The invention of Patent Document 1 is effective in order for a system administrator to recognize the vulnerability of software constituting the system. However, even if a vulnerability is found in software, depending on the system configuration, it may not always be necessary to deal with the vulnerability immediately.

  For example, let us consider a case where a vulnerability is found in a Web (World Wide Web) server constituting the system. If this Web server does not provide a service to a network that is predicted to be an attack source, an attack against the vulnerability of this Web server does not arrive. Therefore, it is not always necessary to immediately take measures against the vulnerability of the Web server.

  With existing technology, if there is a vulnerability in any of the software that makes up the system, this vulnerability can be a crisis for the system if it is not addressed, or a major problem even if not addressed immediately It was not possible to determine whether it was something that was not. For this reason, there has been a problem that the system administrator is busy with dealing with a vast number of vulnerabilities.

  Therefore, an object of the present invention is to provide a vulnerability determination system, a vulnerability determination method, and a vulnerability determination program that enable determination of the influence of system vulnerability.

  In order to solve the above problems and achieve the object of the present invention, the present invention is configured as follows.

That is, the vulnerability determination system of the present invention is a vulnerability determination system that determines the vulnerability of a managed system including a computer and a network device, and is installed in the computer vulnerability information and the computer. Software that is included in the managed system by the affected software extraction unit that determines whether the software included in the managed system is affected by the vulnerability based on the information of the software that is present, and the affected software extraction unit And a direct path search unit that determines whether or not the affected software can attack directly from an external network when it is determined that the software is affected by the vulnerability.
Other means will be described in the embodiment for carrying out the invention.

  ADVANTAGE OF THE INVENTION According to this invention, it becomes possible to provide the vulnerability determination system, the vulnerability determination method, and vulnerability determination program which can determine the influence of the vulnerability of a system.

It is a schematic block diagram of the vulnerability determination system in 1st Embodiment. It is a figure which shows the connection of the vulnerability determination system and determination target system in 1st Embodiment. It is a figure which shows the structure (the 1) of the determination target system in 1st Embodiment. It is a figure which shows the structure (the 2) of the determination object system in 1st Embodiment. It is a schematic block diagram which shows each server or user terminal in 1st Embodiment. It is a schematic block diagram which shows the administrator terminal in 1st Embodiment. It is a figure which shows the vulnerability information database in 1st Embodiment. It is a figure which shows the system information database in 1st Embodiment. It is a figure which shows the computer database in 1st Embodiment. It is a figure which shows the software database in 1st Embodiment. It is a figure which shows the apparatus database in 1st Embodiment. It is a figure which shows the network connection structure database in 1st Embodiment. It is a figure which shows the service setting database in 1st Embodiment. It is a figure which shows the apparatus setting database in 1st Embodiment. It is a figure which shows the log database in 1st Embodiment. It is a figure which shows the structural example of the administrator database in 1st Embodiment. It is a flowchart which shows operation | movement of the influence software extraction part and notification part in 1st Embodiment. It is a flowchart which shows the direct path | pass search process in 1st Embodiment. It is a flowchart which shows the judgment process of the possibility of attack in 1st Embodiment. It is a flowchart which shows the indirect path | pass search process in 1st Embodiment. It is a flowchart which shows operation | movement of the notification part with respect to browser access in 1st Embodiment. It is a figure which shows the browser screen of the administrator terminal in 1st Embodiment. It is a flowchart which shows the indirect path | pass search process in 2nd Embodiment. It is a flowchart which shows the judgment process of the possibility that the computer in 2nd Embodiment may become a stepping stone for an attack. It is a flowchart which shows the judgment process of the capture possibility of the computer as a server in 2nd Embodiment. It is a flowchart which shows the judgment process of the capture possibility of the computer as a client in 2nd Embodiment.

  Hereinafter, a mode for carrying out the present invention (referred to as “the present embodiment”) will be described in detail with reference to the drawings.

(Configuration of the first embodiment)
FIG. 1 is a schematic configuration diagram of a vulnerability determination system according to the first embodiment. Hereinafter, the database may be abbreviated as “DB” in the drawings and specification.
The vulnerability determination system 10 includes a vulnerability information collection unit 11, a vulnerability information database 21, a system information collection unit 12, a system information database 22, a computer information collection unit 13, a computer database 23, and software information collection. Unit 14, software database 24, device information collection unit 15, device database 25, network connection information collection unit 16, network connection information database 26, service setting collection unit 17, service setting database 27, device A setting collection unit 18, a device setting database 28, an affected software extraction unit 31 that performs an influence software extraction process, a direct path search unit 32 that performs a direct path search process, and an indirect path search unit 33 that performs an indirect path search process , Recording unit 34, log database 36, and tube The user database 37, and a notification unit 35.

  The vulnerability determination system 10 of this embodiment is configured by a single computer (server). However, the present invention is not limited to this, and each unit constituting each function of the vulnerability determination system 10 and each database are distributed and provided in a plurality of computers (servers). It may be connected via.

  The vulnerability information collection unit 11 is connected to the network 100 and the vulnerability information database 21. The system information collection unit 12 is connected to the network 100 and the system information database 22. The computer information collection unit 13 is connected to the network 100 and the computer database 23. The software information collection unit 14 is connected to the network 100 and the software database 24. The device information collection unit 15 is connected to the network 100 and the device database 25. The network connection information collection unit 16 is connected to the network 100 and the network connection information database 26. The service setting collection unit 17 is connected to the network 100 and the service setting database 27. The device setting collection unit 18 is connected to the network 100 and the device setting database 28.

  Vulnerability information database 21, system information database 22, computer database 23, software database 24, device database 25, network connection information database 26, service setting database 27, and device setting database 28 are affected software. The extraction unit 31, the direct path search unit 32, and the indirect path search unit 33 are connected to each other.

  The influence software extraction unit 31 is connected to the recording unit 34 via the direct path search unit 32 and is connected to the recording unit 34 via the direct path search unit 32 and the indirect path search unit 33. The recording unit 34 is connected to the log database 36 and the notification unit 35. The notification unit 35 is connected to the administrator database 37 and the recording unit 34, and is connected to the network 100.

  The influence software extraction unit 31 is installed in the vulnerability information database 21 of software 60-m (FIG. 3) (m is a natural number) described later and a computer 50-n (FIG. 3) (n is a natural number) described later. A function for determining whether or not the software 60-m (FIG. 3) included in the determination target system 40 (FIG. 3), which is a management target system described later, is affected by the vulnerability, based on the software database 24 that is described later Have.

When the direct path search unit 32 determines that the software 60-m (FIG. 3) included in the determination target system 40 (FIG. 2) is affected by the vulnerability by the affected software extraction process, the affected software 60-m (FIG. 3) determines whether or not it is possible to attack directly from an external network (not shown).
The direct path search unit 32 searches for a route directly reachable to the computer 50-n (FIG. 3) equipped with the software 60-m (FIG. 3) affected by the external network, and this direct reachability is possible. The affected software 60-m is determined by determining whether or not the vulnerability of the affected software 60-m (FIG. 3) is protected by a firewall or IPS (Intrusion Prevention System) in a simple path. (FIG. 3) determines whether or not it is possible to attack directly from the external network. In the drawings and specification, the firewall may be abbreviated as “FW”.

The indirect path search unit 33 is called by the direct path search process, and determines whether the affected software 60-m (FIG. 3) can indirectly attack from the external network.
The indirect path search unit 33 searches for a route that can be indirectly reached by the computer 50-n (FIG. 3) on which the software 60-m (FIG. 3) affected by the external network is mounted, and this indirectly reachable. By determining whether the vulnerability of the affected software 60-m (FIG. 3) is protected by a firewall or an IPS (Intrusion Prevention System) in all of the important paths, the affected software 60-m -M (FIG. 3) determines whether it is possible to attack indirectly from an external network.

FIG. 2 is a diagram illustrating the connection between the vulnerability determination system and the determination target system in the first embodiment.
Vulnerability determination system 10, a plurality of determination target systems 40 (= 40-1 to 40-4), a plurality of administrator terminals 200 (= 200-1 to 200-3), and a vulnerability information providing site 300 ( = 300-1 to 300-3) are connected to each other via the network 100 so that they can communicate with each other.

  In the present embodiment, there are four determination target systems 40, and there are three administrator terminals 200 and three vulnerability information providing sites 300, respectively. However, these numbers are not limited to this embodiment, and may be any number of 1 or more.

The network 100 according to this embodiment includes both a LAN (Local Area Network) and the Internet. However, the present invention is not limited to this, and the network 100 may be configured to include both a WAN (Wide Area Network) and the Internet, or may be configured entirely by the Internet.
The vulnerability determination system 10 has a function of determining whether or not there is a vulnerability in the software 60-m of the determination target system 40 (= 40-1 to 40-4) and its influence.

The determination target system 40 (= 40-1 to 40-4) has a function of providing a service to either the determination target system 40 itself or an external network.
The administrator terminal 200 (= 200-1 to 200-3) is a computer used by an administrator of a system that manages any of the determination target systems 40 (= 40-1 to 40-4).

  Vulnerability information providing site 300 (= 300-1 to 300-3) is a website in Japan and overseas that publishes information on software vulnerabilities. The vulnerability information providing site 300-1 is, for example, JVN (Japan Vulnerability Notes) managed jointly by JPPERT / CC (Japan Computer Emergency Response Team Coordination Center) and the information processing promotion mechanism.

  The vulnerability information providing site 300-2 is, for example, an NVD (National Vulnerability Database) managed by the US NIST (National Institute of Standards and Technology).

  The vulnerability information providing site 300-3 is, for example, an OSVDB (Open Source Vulnerability Database) that is an open source vulnerability database.

FIG. 3 is a diagram showing a configuration (No. 1) of the determination target system in the first embodiment.
The determination target system 40-1 includes a firewall 41, an IPS (Intrusion Prevention System) 42, a router 43, a switch 44, and computers 50 (= 50-1 to 50-5). Yes. The firewall 41, IPS 42, router 43, and switch 44 are network devices 45 connected to the network. An identifier called System01 is assigned to the determination target system 40-1.

  The computer 50-1 is assigned an identifier of Com01 and has software 60-1 and 60-2. The computer 50-2 is assigned an identifier of Com02 and has software 60-3 and 60-4. The computer 50-3 is assigned an identifier of Com03 and has software 60-5 and 60-6. The computer 50-4 is assigned an identifier Com04 and has software 60-7 and 60-8. The computer 50-5 is assigned an identifier of Com05 and has software 60-9 and 60-10.

  In the computer 50-1, a Web server program A (= software 60-1) and an operating system D (= software 60-2) are installed, and a Web service is provided.

  In the computer 50-2, a DB (database) server program S (= software 60-3) and an operating system D (= software 60-4) are installed, and a database service is provided.

  The computer 50-3 is installed with a proxy server program F (= software 60-5) and an operating system D (= software 60-6), and relays communication from an external network to the computer 50-4 described later. A service (Proxy) is provided.

  A mail server program E (= software 60-7) and an operating system C (= software 60-8) are installed in the computer 50-4 to provide a mail service.

  In the computer 50-5, a browser B (= software 60-9) and an operating system G (= software 60-10) are installed, and function as a terminal for an operator.

The firewall 41 is connected to the network 100, and is connected to the computers 50-1 to 50-3 and the computer 50-5 via the IPS 42, the router 43, and the switch 44. The computer 50-3 is further connected to the computer 50-4.
The firewall 41 is given an identifier Dev01. The IPS 42 is given an identifier Dev02. The router 43 is assigned an identifier Dev03. The switch 44 is assigned an identifier Dev04.
The firewall 41 is an information processing apparatus in which a system for preventing intrusion from the outside into a computer network in an organization is generally incorporated.
The IPS 42 has a function of performing real-time protection such as blocking of connection when an unauthorized intrusion from an external network is detected. The IPS 42 stores characteristic patterns of packets such as worms and denial-of-service attacks. When the IPS 42 detects a corresponding connection, the IPS 42 has a function of blocking and recording the information and notifying the administrator.

A worm is a malicious program that performs computer destruction while repeating self-replication. The worm attempts to send the worm to many other computers by exploiting the mail client software of the infected computer. For this reason, the worm not only destroys the infected computer, but may cause a network congestion failure around the infected computer.
A denial-of-service attack is an attack in which a large number of computers are operated simultaneously to send IP packets or the like to a specific site. The denial-of-service attack is performed by a DoS (denial of service) attack program installed in a large number of computers connected by a network, and causes a decrease in performance of the attack target site and system paralysis.

  The router 43 is a communication device that interconnects networks, and has a function of relaying data that flows on one network to the other network. The switch 44 is, for example, a switching hub or an L3 switch, and has a line or packet switching function.

FIG. 4 is a diagram showing a configuration (No. 2) of the determination target system in the first embodiment.
The determination target system 40-2 is given an identifier of System02. The determination target system 40-2 includes a router 43, a switch 44, and a computer 50-6. The router 43 is connected to the network 100 and is connected to the computer 50-6 via the switch 44. The router 43 is assigned an identifier Dev05. The switch 44 is assigned an identifier Dev06.

  The computer 50-6 is assigned an identifier of Com06. Further, a mail server program E (= software 60-11) and an operating system C (= software 60-12) are installed in the computer 50-6 to provide a mail service.

The determination target system 40-3 is assigned an identifier of System03. The determination target system 40-3 includes a firewall 41 and a computer 50-7. The firewall 41 is connected to the network 100 and is also connected to the computer 50-7. The firewall 41 is given an identifier Dev07.
The computer 50-7 is assigned an identifier of Com07. In the computer 50-7, a Web server program A (= software 60-13) and an operating system D (= software 60-14) are installed, and a Web service is provided.

The determination target system 40-4 is given an identifier of System04. The determination target system 40-4 includes a firewall 41 and a computer 50-8. The firewall 41 is connected to the network 100 and is also connected to the computer 50-8. The firewall 41 is given an identifier Dev08.
The computer 50-8 is given an identifier of Com08. In the computer 50-8, a DB server program B (= software 60-15) and an operating system D (= software 60-16) are installed, and a database service is provided.

FIG. 5 is a schematic configuration diagram showing each server or user terminal in the first embodiment.
A computer 50-n (n is a natural number) as a server or user terminal includes a CPU (Central Processing Unit) 51, a memory 52 composed of a RAM (Random Access Memory) and a ROM (Read Only Memory), and a liquid crystal display. The display device 53 includes a display device 53, the input device 54 includes a mouse and a keyboard, the communication device 55 that transmits and receives data via the network 100, and a hard disk drive and a flash memory. Storage device 56. The storage device 56 further stores a program 60-p and an operating system 60-q (p and q are natural numbers).

FIG. 6 is a schematic configuration diagram showing an administrator terminal in the first embodiment. Elements identical to those of the computer 50-n shown in FIG.
The administrator terminal 200-r (r is a natural number) is the same as the computer 50-n, which is a server or user terminal, except that the browser 210-1 and the mail client 210-2 are stored in the storage device 56. It has a configuration.

≪Function of vulnerability information collection unit 11≫
The vulnerability information collection unit 11 has a function of collecting vulnerability information from the vulnerability information providing site 300 via the network 100 and storing it in the vulnerability information database 21. The vulnerability information providing site 300 provides vulnerability information in a format that is easy for humans to read and / or a structured format such as RSS (RDF Site Summary) that can be easily processed by a computer. The vulnerability information collection unit 11 of this embodiment automatically collects information such as RSS provided by the vulnerability information providing site 300 and converts it into a format that can be stored in the vulnerability information database 21. However, the present invention is not limited to this, and a method of manually storing information disclosed in the vulnerability information providing site 300 in the vulnerability information database 21 may be used.

≪Configuration of vulnerability information database 21≫
FIG. 7 is a diagram showing a vulnerability information database according to the first embodiment.
The vulnerability information database 21 includes items of vulnerability identifier 21a, vulnerability information release date 21b, affected software 21c, affected version 21d, vulnerability type 21e, software type 21f, patch information 21g, and avoidance method 21h. .
The item of the vulnerability identifier 21a stores an identifier for uniquely specifying the vulnerability in the vulnerability information database 21. The item of vulnerability information release date 21b stores information on the date when this vulnerability was released to the public.
In the item of the influence software 21c, the name of the software 60-m having this vulnerability is stored, and a value common to the use software 24b of the software database 24 described later is stored.
The item of the affected version 21d stores information for identifying the vulnerable version of the vulnerable software 60-m.
In the item of vulnerability type 21e, information indicating the type of problem caused by this vulnerability is stored. For example, information such as DoS (Denial of Service), arbitrary code execution, information leakage, and data alteration are stored.
The item of the software type 21f is information representing the type of the software 60-m having this vulnerability, and stores values common to the software type 24d of the software database 24 described later, such as services, client programs, and operating systems. Yes.
The item of patch information 21g is information indicating whether a patch for this vulnerability is provided. When a patch is provided, information on the patch, for example, a URL (Uniform Resource Locator) of a website where the patch is published is stored. If no patch is provided, this item is “none”. The item of the avoidance method 21h is to store the method when the software 60-m can be protected from an attack aimed at the vulnerability by a method other than applying a patch. The item is “None”.

<< Functions of System Information Collection Unit 12 >>
The system information collection unit 12 has a function of collecting information related to the determination target system and storing it in the system information database 22. In the present embodiment, the system information collection unit 12 collects system information by displaying a system information collection input screen on the administrator terminals 200-1 to 200-3.

<< Structure of System Information Database 22 >>
FIG. 8 is a diagram showing a system information database according to the first embodiment.
The system information database 22 includes items of a system identifier 22a, a summary 22b, and an administrator identifier 22c. The item of the system identifier 22a stores an identifier for uniquely specifying the determination target systems 40-1 to 40-4. The item of the outline 22b stores information representing the outline of the service of the determination target systems 40-1 to 40-4 or the outline of the system. The item of the administrator identifier 22c is an identifier representing an administrator who manages the determination target systems 40-1 to 40-4, and stores a value common to the item of the administrator identifier 37a of the administrator database 37 described later. Yes.

<< Functions of the computer information collection unit 13 >>
The computer information collection unit 13 has a function of collecting information related to the computer 50 constituting the system to be determined and storing it in the computer database 23. In the present embodiment, the computer information collection unit 13 displays a computer information collection input screen on the administrator terminals 200-1 to 200-3 and collects computer information.

<< Configuration of computer database 23 >>
FIG. 9 is a diagram showing a computer database in the first embodiment.
The computer database 23 includes items of a computer identifier 23a, a system identifier 23b, a server use flag 23c, and a client use flag 23d.
The item of the computer identifier 23a stores an identifier for uniquely identifying the computer 50-n. The item of the system identifier 23b is an identifier representing the determination target system 40 including the computer 50-n, and stores a value common to the item of the system identifier 22a of the system information database 22.

  The item of the server use flag 23c stores a value indicating whether or not the computer 50-n is used as a server providing some service in the system specified by the system identifier 23b. If it is used as a server, “True” is stored. Otherwise, “False” is stored.

  The item of the client use flag 23d stores information indicating whether or not the computer 50-n operates as a client terminal in the system specified by the item of the system identifier 23b, similarly to the item of the server use flag 23c. Has been. “True” is stored when operating as a client terminal, and “False” is stored otherwise.

<< Functions of Software Information Collection Unit 14 >>
The software information collection unit 14 has a function of collecting information related to the software 60-m installed in each computer 50 in the determination target system 40.
In the present embodiment, a software program that outputs a list of software 60 (= 60-1,...) Installed on each computer 50 (= 50-1,. The information is transmitted from the computer 50-n to the software information collection unit 14 via the network 100. However, the present invention is not limited to this, and a method may be used in which the administrator of the determination target system 40 manually inputs information on each software 60-m installed in each computer 50-n.

<< Configuration of Software Database 24 >>
FIG. 10 is a diagram illustrating a software database according to the first embodiment.
The software database 24 includes items of a computer identifier 24a, use software 24b, version 24c, and software type 24d. The item of the computer identifier 24a is an identifier for uniquely specifying the computer 50-n, and stores a value common to the item of the computer identifier 23a of the computer database 23.
The item of the used software 24b and the item of the version 24c are respectively the name of the software 60-m introduced into the computer 50-n specified by the computer identifier 24a and the version information of the software 60-m. Stored.
In the item of software type 24d, the type of software 60-m installed in the computer 50-n specified by the computer identifier 24a is stored. If the software 60-m is an operating system, “OS” is stored as the type of the software 60-m. If the software 60-m relates to a service, “service” is stored as the type of the software 60-m. If the software 60-m is client software, “client” is stored as the type of the software 60-m.

<< Functions of Device Information Collection Unit 15 >>
The device information collection unit 15 has a function of collecting information related to the network device 45 configuring the determination target system and storing it in the device database 25. In the present embodiment, the device information collection unit 15 displays a device information collection input screen on the administrator terminals 200-1 to 200-3 and collects device information.

<< Configuration of Device Database 25 >>
FIG. 11 is a diagram showing a device database according to the first embodiment.
The device database 25 includes items of a device identifier 25a, a system identifier 25b, and a type 25c. The item of the device identifier 25a stores an identifier for uniquely identifying the network device 45.
The item of the system identifier 25b is an identifier of the system to which the network device 45 belongs, and stores a value common to the system identifier 22a of the system information database 22. The item of the type 25c is information indicating the type of the network device 45, and stores information such as “switch”, “router”, “firewall”, “IPS”, and “load distribution device”.

<< Function of Network Connection Information Collection Unit 16 >>
The network connection information collection unit 16 has a function of collecting connection states (topologies) between the computers 50 of the determination target system 40 and the network devices 45.
In this embodiment, network connection statuses are collected using SNMP (Simple Network Management Protocol). However, the present invention is not limited to this, and connection information (topology) may be collected using WMI (Windows (registered trademark) Management Instrumentation) or LLDP (Link Layer Discovery Protocol), and further, JP 2010-63058 A The technique described in the above may be used.

<< Configuration of Network Connection Information Database 26 >>
FIG. 12 is a diagram showing a network connection configuration database in the first embodiment.
The network connection information database 26 includes items of a network connection identifier 26a, a system identifier 26b, a layer 26c, and a connected device pair 26d. The network connection information database 26 is connected in which layer (layer) and how in the seven-layer model of communication functions in which the computers 50 and network devices 45 are defined by OSI (Open Systems Interconnection) in the system. It is a database that stores whether or not.
The second layer (Layer 2) in the OSI seven-layer model is a link layer, which is a signal transfer between adjacent devices. The third layer (Layer 3) in the OSI seven-layer model is a network layer, and selects a communication path by determining a partner to which data is sent.

The item of the network connection identifier 26a stores an identifier for uniquely specifying connection information in a certain layer of a pair (combination) of the computer 50 and the network device 45. The item of the system identifier 26b is an identifier indicating to which determination target system 40 this network connection belongs, and a value common to the item of the system identifier 22a of the system information database 22 is stored. In the item of the layer 26c, a value indicating which layer (layer) the network connection is stored is stored.
The item of the connected device pair 26d stores information on a combination of computers 50, a combination of network devices 45, or a combination of the computer 50 and network devices 45. The identifier of the network device 45 is a value common to the device identifier 25a of the device database 25. The identifier of the computer 50 is a value common to the computer identifier 23a of the computer database 23.
By referring to the network connection information database 26, the network topology of the determination target system 40 can be confirmed. That is, it is possible to check whether or not a communication packet can reach a specific computer 50 of the determination target system 40 from an external network, and the communication packet can reach another computer 50 from the specific computer 50 of the determination target system 40. It can be confirmed whether or not.

<< Function of Service Setting Collection Unit 17 >>
The service setting collection unit 17 has a function of collecting setting information of services operating on the computer 50 constituting the determination target system 40 and storing the setting information in the service setting database 27. In the present embodiment, the service setting collection unit 17 displays a service setting collection input screen on the administrator terminals 200-1 to 200-3 and collects service setting information.

<< Configuration of Service Setting Database 27 >>
FIG. 13 is a diagram showing a service setting database according to the first embodiment.
The service setting database 27 includes items of a computer identifier 27a, software 27b, and a service providing network 27c.
The item of the computer identifier 27a is an identifier that uniquely identifies on which computer 50-n the service is operating, and stores a value common to the computer identifier 23a of the computer database 23.
The item of software 27b stores the name of software 60-m related to this service. The item of the service providing network 27c stores information on the service providing destination. If the service providing destination is inside the determination target system 40 itself, “internal” is stored in the item of the service providing network 27c. If the service providing destination is outside the determination target system 40, “external” is stored in the item of the service providing network 27c.

<< Function of Device Setting Collection Unit 18 >>
The device setting collection unit 18 has a function of collecting setting information of the network devices 45 constituting the determination target system and storing the collected information in the device setting database 28. In the present embodiment, the device setting collection unit 18 displays a device setting collection input screen on the administrator terminals 200-1 to 200-3 and collects device setting information.

<< Configuration of Device Setting Database 28 >>
FIG. 14 is a diagram showing a device setting database according to the first embodiment.
The device setting database 28 includes items of a device identifier 28a and setting information 28b. The item of the device identifier 28a stores a value common to the device identifier 25a of the device database 25. In the item of setting information 28b, information indicating what setting is made in the network device 45 is stored.

<< Configuration of Log Database 36 >>
FIG. 15 is a diagram illustrating a log database according to the first embodiment.
The log database 36 includes items of a log identifier 36a, a system identifier 36b, a time 36c, a log type 36d, a computer identifier 36e, a software identifier 36f, a version identifier 36g, a vulnerability identifier 36h, a log content 36i, and a countermeasure 36j. .
The item of the log identifier 36a stores an identifier for uniquely specifying a log related to each record.
The item of the system identifier 36b is an identifier indicating to which determination target system 40 this log has been output, and a value common to the item of the system identifier 22a of the system information database 22 is stored.
In the item of time 36c, the date and time when each record was recorded is recorded.
In the log type 36d item, any one of urgent / warning / information is recorded and indicates the urgency related to the vulnerability. “Emergency” has the highest urgency level, and the urgency level decreases in the order of “warning” and “information”.
The item of the computer identifier 36e is a value for identifying the computer related to this vulnerability, and stores a value common to the computer identifier 23a of the computer database 23.
The item of the software identifier 36f is the name of the software 60-m related to this vulnerability, and stores a value common to the used software 24b of the software database 24. In FIG. 15, “software” is simply described in the software identifier 36 f column.
The item of the version identifier 36g is a value for identifying the version of the software 60-m related to this vulnerability, and stores a value common to the version 24c of the software database 24. In FIG. 15, “version” is simply written in the column of the version identifier 36g.
The item of the vulnerability identifier 36h is a value for identifying this vulnerability, and a value common to the vulnerability identifier 21a of the vulnerability information database 21 is stored.
In the item of the log content 36i, text relating to this vulnerability is recorded.
In the item of countermeasure 36j, text relating to countermeasures against this vulnerability is recorded.

<< Configuration of administrator database 37 >>
FIG. 16 is a diagram illustrating a configuration example of an administrator database according to the first embodiment.
The administrator database 37 has items of an administrator identifier 37a, a name 37b, and a mail address 37c. The item of the manager identifier 37a stores an identifier for uniquely identifying the manager. The name of the administrator is stored in the item of the name 37b. The e-mail address of this administrator is stored in the mail address 37c item.
The above is a description of each collection unit that collects information and each database that stores the collected information. The following describes how to determine the impact of the vulnerability on the system based on this information.

(Operation of the first embodiment)
FIG. 17 is a flowchart showing the operations of the affected software extraction unit and the notification unit in the first embodiment.

The influence software extraction unit 31 is activated once a day, for example, and performs the processing of FIG.
When the process starts, in step S10, the vulnerability information collection unit 11 acquires vulnerability information of the software 60-m from the vulnerability information providing site 300 (= 300-1 to 300-3).

  In steps S <b> 11 to S <b> 16, the affected software extraction unit 31 refers to the software database 24 and repeats the process for all the used software 24 b.

  In step S12, the affected software extraction unit 31 determines whether or not the version of the software 60-m related to the vulnerability information exists. If the version of the software 60-m related to this vulnerability information exists (Yes), the process of step S13 is performed. If the version of the software 60-m related to the vulnerability information does not exist (No), the process of step S16 is performed.

In step S13, the influence software extraction unit 31 refers to the service setting database 27 and extracts the computer identifier 27a of the computer 50-n on which the software 60-m is installed.
In step S14, the influence software extraction unit 31 refers to the computer database 23 and extracts the system identifier 23b corresponding to the computer identifier 27a of the computer 50-n.
In step S15, the affected software extraction unit 31 performs a direct path search process (FIG. 18) of the computer 50-n based on the vulnerability identifier 21a of the vulnerability information.

  In step S16, the affected software extraction unit 31 refers to the software database 24 and returns to the process of step S11 if any of the used software 24b is not processed.

  In step S <b> 17, the notification unit 35 refers to the administrator database 37 to obtain an administrator mail address, transmits vulnerability information to the administrator's mail address by e-mail, and ends the process of FIG. 17.

FIG. 18 is a flowchart showing a direct path search process in the first embodiment.
When the process starts, in step S21, the direct path search unit 32 refers to the item of the service providing network 27c in the service setting database 27 and determines whether or not this service is an external service. If it is an external service (Yes), the process of step S22 is performed. If it is not an external service (No), the process of step S25 is performed.

  In step S22, the direct path search unit 32 calls an attack possibility determination process (FIG. 19) for the computer 50-n that uses an external network (NW: Network) as an attack source. In this attack possibility determination process, a route that can be directly reached by the computer 50-n equipped with the software 60-m that is affected by the external network is searched, and the route that is directly reachable is affected. It is determined whether the vulnerability of the software 60-m is protected by a firewall or an IPS (Intrusion Prevention System).

In step S23, if the direct path search unit 32 determines that the computer 50-n can be attacked from the external network (NW) (Yes), it performs the process of step S24. If it is determined from the external network that the computer 50-n cannot be attacked (No), the process of step S25 is performed.
In step S24, the recording unit 34 generates an emergency vulnerability point information record in the log database 36, and ends the process of FIG.

  In step S25, the direct path search unit 32 calls an indirect path search process (FIG. 20). In this indirect path search process, a route that is indirectly reachable to the computer 50-n equipped with the software 60-m that is affected by the external network is searched, and the software 60 that is affected by the indirectly reachable route. -Determine whether the vulnerability of m is protected by a firewall or IPS (Intrusion Prevention System). When the indirect path search process ends, the process of FIG. 18 ends.

FIG. 19 is a flowchart showing an attack possibility determination process in the first embodiment.
When the process starts, in step S30, the network connection information database 26 is referred to, and the network connection information of the determination target system 40 is acquired.
In step S31, based on the network connection information, it is determined whether or not the attack source can reach the computer 50-n in the third layer (Layer 3) in the seven layers of OSI. If reachable (Yes), the process of step S32 is performed. If unreachable (No), the process of step S37 is performed.
Here, reachable in the third layer (Layer 3) in the seven layers of OSI means that the attack source can connect via the network device 45 or the computer 50 connected in the third layer (Layer 3) of the network connection information. The computer 50-n is reachable.

In step S32, based on the network connection information, it is determined whether or not there is a firewall 41 (FW) in the route of the second layer (Layer 2) in the seven layers of OSI from the attack source to the computer 50-n. To do. If there is a firewall 41 (FW) (Yes), the process of step S33 is performed. If there is no firewall 41 (FW) (No), the process of step S34 is performed.
Here, the path of the third layer (Layer 2) in the seven layers of OSI refers to the path from the attack source via the network device 45 or the computer 50 connected in the second layer (Layer 2) of the network connection information. This is a route that can reach the computer 50-n.

  In step S33, the firewall 41 (FW) determines whether the setting is to block the computer 50-n. If it is the setting which blocks the said computer 50-n (Yes), the process of step S37 will be performed. If it is not the setting which blocks the said computer 50-n (No), the process of step S34 will be performed.

In step S34, based on the network connection information, it is determined whether or not the IPS 42 exists in the route of the second layer (Layer 2) in the seven layers of OSI from the attack source to the computer 50-n. If the IPS 42 is present (Yes), the process of step S35 is performed. If there is no IPS 42 (No), the process of step S36 is performed.
In step S35, the IPS 42 determines whether or not the setting is to block attacks against this vulnerability. If the setting is to block the attack on the vulnerability (Yes), the process of step S37 is performed. If it is not the setting which blocks the attack to a vulnerability (No), the process of step S36 is performed.
In step S36, it is determined that the computer 50-n can be attacked from the attack source, and the processing of FIG.
In step S37, it is determined that the attack from the attack source to the computer 50-n is impossible, and the processing of FIG.

FIG. 20 is a flowchart showing indirect path search processing in the first embodiment.
When the process starts, in step S40, the indirect path search unit 33 determines whether there is a proxy server for the service in the system. If there is a proxy server for the service in the system (Yes), the process of step S41 is performed. If there is no proxy server for the service in the system (No), the process of step S46 is performed.
In step S41, the indirect path search unit 33 calls an attack possibility determination process (FIG. 19) for the Proxy having the external network (NW) as an attack source.

In step S42, the indirect path search unit 33 determines whether or not the proxy can be attacked from the external network (NW). If the proxy can be attacked from the external network (NW) (Yes), the process of step S43 is performed. If the proxy cannot be attacked from the external network (NW) (No), the process of step S46 is performed.
In step S43, the indirect path search unit 33 calls an attack possibility determination process (FIG. 19) for the service using the proxy as an attack source.
In step S44, the indirect path search unit 33 determines whether or not it is possible to attack the service from the Proxy. If the proxy can attack the service (Yes), the process of step S45 is performed. If the proxy cannot attack the service (No), the process of step S46 is performed.
In step S45, the recording unit 34 generates a record of warning vulnerable point information in the log database 36, and ends the process of FIG.
In step S46, the recording unit 34 generates a record of vulnerable point information in the log database 36, and ends the process of FIG.

In the processing of FIG. 20, the indirect path search unit 33 searches for a route that can be indirectly reached by the computer 50-n on which the software 60-m affected by the external network (NW) is installed. The indirect path search unit 33 determines whether or not the vulnerability of the affected software 60-m is protected by a firewall or IPS (Intrusion Prevention System) in all of the indirectly reachable routes. The affected software 60-m determines whether or not it is possible to indirectly attack from the external network (NW).
The indirectly reachable route is a route that can reach the computer 50-n from the external network (NW) through the proxy server.

FIG. 21 is a flowchart showing the operation of the notification unit for browser access in the first embodiment.
When the process starts, in step S50, the notification unit 35 waits until an HTTP request is received from any terminal.
In step S51 to S54, the notification unit 35 refers to the system information database 22 and repeats the process for all systems.
In step S52, the notification unit 35 reads the vulnerability log for a predetermined period from the log database 36.
In step S53, the notification unit 35 converts the read vulnerability log into an HTTP format, and transmits an HTTP response to the terminal.

In step S54, the notification unit 35 refers to the system information database 22, and returns to the process of step S51 if the process has not been repeated for all the systems. If the process has been repeated for all systems, the process returns to step S50.
In the process of FIG. 21, the notification unit 35 provides the latest vulnerability information in response to a request from the administrator terminal 200 or the like.

FIG. 22 is a diagram showing a browser screen of the administrator terminal in the first embodiment.
By starting the browser 210-1 from the administrator terminal 200 and inputting a predetermined URL (for example, http://1.2.3.4/), a vulnerability log for a predetermined period stored in the log database 36 is displayed. It is possible. In the present embodiment, this predetermined URL is the URL of the server on which the vulnerability determination system 10 is installed. When the vulnerability determination system 10 is distributed and implemented on a plurality of servers, the predetermined URL is the URL of the server on which the notification unit 35 of the vulnerability determination system 10 is mounted.
On the screen of the browser 210-1, vulnerability logs relating to Systems 01 to System 04 that are the determination target systems 40-1 to 40-4 are displayed.

(Effects of the first embodiment)
The first embodiment described above has the following effects (A) to (D).
(A) When the vulnerability of the software 60-m (service) is detected, it is determined whether or not it is possible to attack the computer providing the service from the external network (NW), and the attack from the external network (NW) is impossible. In some cases, the urgency of measures has been lowered. This makes it possible to distinguish between vulnerabilities that should be addressed immediately and vulnerabilities that do not become a major issue if not addressed immediately, thus reducing the system administrator's vulnerability response workload. Is possible.

(B) From the external network (NW), not only determine whether or not it is possible to attack the computer 50-n that provides the service directly, but also determine whether or not it is possible to attack indirectly via the Proxy server. Yes. Thereby, it is possible to deal with a case where an attack is indirectly made from an external network (NW) via a proxy server.

(C) The warning level in the case of being able to attack indirectly via the proxy server is lowered, compared to the case where the computer 50-n providing the service can be attacked directly from the external network (NW). As a result, it is possible to prioritize the response to the attack via the proxy server having a low attack potential and the direct attack having a high attack potential.

(D) Vulnerability warning even when a mail is sent from the vulnerability determination system 10 to the administrator's e-mail address and the vulnerability determination system 10 is accessed from any of the administrator terminals 200 by the browser 210-1. The screen is displayed. As a result, the administrator can always obtain the latest vulnerability information even in an unforeseen situation where the vulnerability information e-mail is not distributed.

(Configuration of Second Embodiment)
The configuration of the vulnerability determination system 10 in the second embodiment has the same configuration as the vulnerability determination system 10 in the first embodiment shown in FIG.
(Operation of Second Embodiment)

The operations of the affected software extraction unit 31 and the notification unit 35 in the second embodiment are the same as the operations of the affected software extraction unit 31 and the notification unit 35 in the first embodiment shown in FIG.
The direct path search process in the second embodiment is the same as the direct path search process in the first embodiment shown in FIG.
The attack possibility determination process in the second embodiment is the same as the attack possibility determination process in the first embodiment shown in FIG.

FIG. 23 is a flowchart showing indirect path search processing in the second embodiment. This process is different from the indirect path search process in the first embodiment shown in FIG.
When the process is started, in step S60 to S66, the computer database 23 is referred to, and a determination process of the capture possibility is performed among all the computers other than the computer 50-n of the same system as the computer 50-n. Repeat for the missing one (second computer).
In step S61, the second computer calls up a determination process (FIG. 24) for the possibility of becoming a stepping stone for the attack.
In step S62, it is determined whether or not the second computer can serve as a stepping stone for the attack. If the second computer can be a step for an attack (Yes), the process of step S63 is performed. If the second computer cannot be a step for an attack (No), the process of step S66 is performed.

In step S63, an attack possibility determination process (FIG. 19) is performed using the second computer as an attack source.
In step S64, it is determined whether or not it is possible to attack the service from the second computer. If the attack is possible (Yes), the process of step S65 is performed. If the attack is impossible (No), the process of step S66 is performed.

In step S65, the recording unit 34 generates warning vulnerability point information in the log DB.
In step S66, the computer database 23 is referred to, and all the computers other than the computer 50-n in the same system as the computer 50-n have not been subjected to the determination process of the capture possibility (second computer ), The process returns to the process of step S60. If all the determination processes have been completed, the process of FIG. 23 is terminated.
The indirect path search unit 33 searches for a route that can be indirectly reached by the computer 50-n equipped with the software 600-m affected by the external network (NW). In the present embodiment, the indirectly reachable route is the computer 50 via the vulnerability that can execute arbitrary code in the software 60-m of the second computer included in the determination target system 40 from the external network (NW). It is a route that can reach -n.

  FIG. 24 is a flowchart showing a process for determining the possibility that the computer according to the second embodiment becomes a stepping stone for an attack. The computer in this processing refers to the second computer in FIG.

When the process starts, in step S70, the computer database 23 is referred to, and the server usage flag 23c and the client usage flag 23d of the computer are acquired.
In step S71, it is determined whether or not the server use flag 23c is “True”. If “True” (Yes), the process of step S72 is performed. If it is “False” (No), the process of step S76 is performed.
In step S72, a determination process (FIG. 25) of the capture possibility of the computer as a server is called.

In step S73, it is determined whether or not there is a possibility of capture of the computer as a server. If it is determined that there is a possibility of capture, the process of step S74 is performed. If it is determined that there is no possibility of capture, the process of step S76 is performed.
In step S74, it is determined whether or not there are vulnerabilities that can be exploited that allow arbitrary code execution. If there is any code that can be executed, the process of step S75 is performed. If there is no code that can be executed arbitrarily, the process of step S79 is performed.

In step S75, it is determined that there is a possibility that the computer becomes a stepping stone for the attack, and the processing of FIG.
In step S76, it is determined whether or not the client use flag 23d is “True”. If “True” (Yes), the process of step S77 is performed. If it is “False” (No), the process of step S79 is performed.
In step S77, a determination process (FIG. 26) of the capture possibility of the computer as a client is called.
In step S78, it is determined whether or not there is a possibility of capture of the computer as a client. If it is determined that there is a possibility of capture, the process of step S74 is performed. If it is determined that there is no capture possibility, the process of step S79 is performed.
In step S79, it is determined that there is no possibility that the computer becomes a stepping stone for the attack, and the processing in FIG. 24 is terminated.

FIG. 25 is a flowchart showing processing for determining the capture possibility of a computer as a server in the second embodiment. The said computer in the process of this figure means the said computer in the process of FIG. 24, and means the 2nd computer in the process of FIG.
When the process starts, the software database 24 is referred to in steps S80 to S91, and the process is repeated for all software 60-m installed in the computer.

In step S81, the software database 24 is referenced to determine whether the software type 24d of the software 60-m is a service. If the software type 24d is a service (Yes), the process of step S82 is performed. If the software type 24d is not a service (No), the process of step S91 is performed.
In steps S82 to S90, the vulnerability information database 21 is referred to, and the process is repeated for all vulnerabilities.

In step S83, it is determined whether or not the software 60-m is affected by the vulnerability. If it is affected by the vulnerability (Yes), the process of step S84 is performed. If not affected by the vulnerability (No), the process of step S90 is performed.
In step S84, referring to the log database 36, it is confirmed whether or not a log related to the vulnerability of the software 60-m of the computer is recorded.
If the log is recorded in step S85 (Yes), the process of step S86 is performed. If the log is not recorded (No), the process of step S88 is performed.

In step S86, the type of the log is determined. If the log type is “information”, the process of step S90 is performed. If the log type is “emergency” or “warning”, the process of step S87 is performed.
In step S87, it is determined that there is a possibility of capture, and the information on the vulnerability and the software 60-m is held.
In step S88, the direct path search process (FIG. 18) to the computer due to the vulnerability is recursively called.

In step S89, it is determined whether or not there is a possibility of attack on the computer. If there is a possibility of attacking the computer (Yes), the process of step S87 is performed. If there is no possibility of attacking the computer (No), the process of step S90 is performed.
In step S90, the vulnerability information database 21 is referred to. If all the vulnerabilities have not been repeated, the process returns to step S82.

In step S91, with reference to the software database 24, if all the software 60-m installed in the computer has not been repeated, the process returns to step S80.
In step S92, whether or not there is a possibility of capture, and information on the vulnerability and software 60-m that are held are returned to the caller, and the processing in FIG. 25 is terminated.
In the processing of FIG. 25, when the second computer included in the determination target system 40 is used as a server, the investigation is limited to vulnerabilities that can execute arbitrary codes of service software. As a result, when the second computer is used as a server, it is possible to exclude client software vulnerabilities that are not likely to attack.

  FIG. 26 is a flowchart illustrating processing for determining the capture possibility of a computer as a client according to the second embodiment. The said computer in the process of this figure means the said computer in the process of FIG. 24, and means the 2nd computer in the process of FIG.

When the process starts, the software database 24 is referred to in steps S100 to S106, and the process is repeated for all software 60-m installed in the computer. In step S101, the software type 24d of the software 60-m is: Determine if it is an operating system or client software. Here, the client software refers to software 60-m that provides a service only to an operator when the computer is used as a client, such as a Web browser or mail client software. If it is an operating system or client software (Yes), the process of step S102 is performed. If it is not an operating system (No), the process of step S106 is performed.

In steps S102 to S105, the vulnerability information database 21 is referred to, and the process is repeated for all vulnerabilities.
In step S103, it is determined whether or not the software 60-m is affected by the vulnerability. If it is affected by the vulnerability (Yes), the process of step S104 is performed. If not affected by the vulnerability (No), the process of step S105 is performed.
In step S104, the vulnerability and the information of the software 60-m are held with the possibility of capture.

In step S105, the vulnerability information database 21 is referred to, and if all the vulnerabilities are not repeated, the process returns to step S102.
In step S106, the software database 24 is referred to, and if all the software 60-m installed in the computer has not been repeated, the process returns to step S100.
In step S107, the presence / absence of capture possibility, the vulnerability held, and the information of the software 60-m are returned to the caller, and the processing of FIG.
In the processing of FIG. 26, when the second computer included in the determination target system 40 is used as a client, investigation is limited to vulnerabilities that can execute arbitrary codes of the operating system or client software. Thereby, when the second computer is used as a client, it is possible to exclude vulnerabilities of the service software without the possibility of attack.

(Effect of 2nd Embodiment)
The second embodiment described above has the following effects (E) to (G).
(E) The second computer included in the determination target system 40 includes software 60-m having a vulnerability capable of executing arbitrary code, and an indirect attack is performed on the computer using this vulnerability as a stepping stone. A case can be detected and alerted.

(F) When the second computer is used as a server, the investigation is limited to the influence of the vulnerability of the software 60-m related to the service. When the second computer 50 is used by the client, the investigation is limited to the influence of the vulnerability of the software 60-m related to the OS or the client. Thereby, it is possible to exclude the software 60-m that is not executed and has no possibility of attacking the vulnerability among the software 60-m having the vulnerability.

(G) It is determined whether or not a vulnerability log is described in the vulnerability information database 21. Only when the vulnerability log is not recorded, the direct path search process is recursively called. As a result, it is possible to reduce the processing load by suppressing the direct path search process of the computer 50-n that has already been found to be vulnerable.

(Modification)
The present invention is not limited to the above embodiment, and can be modified without departing from the spirit of the present invention. For example, there are the following forms (a) and (b) as usage forms and modifications.

(A) In 1st Embodiment and 2nd Embodiment, it implement | achieves as the vulnerability determination system 10 and the vulnerability determination method on the system. However, the present invention is not limited to this, and may be realized as a vulnerability determination software program installed in the vulnerability determination server, and further realized as a vulnerability determination software program installed in each computer 50-n. Also good.
(B) In the first embodiment and the second embodiment, the vulnerability determination system 10 and the administrator terminal 200 are independent computers, and are connected to each other via the network 100 so that they can communicate with each other. However, the present invention is not limited to this, and the vulnerability determination system 10 and the administrator terminal 200 may be configured on the same computer.

10 Vulnerability determination system (vulnerability determination device)
11 Vulnerability Information Collection Unit 12 System Information Collection Unit 13 Computer Information Collection Unit 14 Software Information Collection Unit 15 Device Information Collection Unit 16 Network Connection Information Collection Unit 17 Service Setting Collection Unit 18 Device Setting Collection Unit 21 Vulnerability Information Database (Vulnerability information)
22 system information database 23 computer database 24 software database 25 device database 26 network connection information database 27 service setting database 28 device setting database 31 affected software extraction unit 32 direct path search unit 33 indirect path search unit 34 recording unit 35 notification unit 36 log database 37 Administrator database 40 (= 40-1 to 40-4) Determination target system (system to be managed)
41 Firewall (network equipment)
42 IPS (Network Equipment)
43 router (network equipment)
44 switches (network equipment)
45 Network device 50 (= 50-1,...) Computer 60 (= 60-1,...) Software 100 Network 200 (= 200-1 to 200-3) Administrator terminal 300 (= 300-1 to 300-3) Vulnerability information website

Claims (19)

A vulnerability determination system for determining the vulnerability of a managed system including a computer and a network device,
An affected software extraction unit that determines whether software included in the managed system is affected by vulnerability based on software vulnerability information and software information installed in the computer;
When the affected software extraction unit determines that the software of the managed system is affected by the vulnerability, it determines whether the affected software can be attacked directly from an external network. A direct path search unit;
A vulnerability determination system characterized by comprising: The direct path search unit includes:
If the affected software provided a service to the external network, a search is made for a route that can be directly reached from the external network to the computer equipped with the affected software. The affected software can attack directly from the external network by determining whether the affected software's vulnerability is protected by a firewall or IPS (Intrusion Prevention System) in a possible route The vulnerability determination system according to claim 1, wherein it is determined whether or not. The vulnerability determination system according to claim 1 or 2, further includes:
When the affected software extraction unit determines that the software included in the managed system is affected by the vulnerability, the affected software determines whether the affected software can be indirectly attacked from the external network. An indirect path search unit,
A vulnerability determination system characterized by comprising: The indirect path search unit searches for a route that is indirectly reachable from the external network to the computer equipped with the affected software, and the affected software is in all of the indirectly reachable routes. It is determined whether the affected software can indirectly attack from the external network by determining whether or not the vulnerability is protected by a firewall or IPS (Intrusion Prevention System) The vulnerability determination system according to claim 3. The vulnerability determination system according to claim 4, wherein the indirectly reachable path is a path that can reach the computer from the external network via a proxy server. The indirectly reachable path is a path that can reach the computer from the external network via a vulnerability that allows execution of arbitrary code in the software of the second computer included in the managed system. 5. The vulnerability determination system according to claim 4, wherein When the second computer of the managed system is used as a server,
The indirectly reachable path is a path that can reach the computer via the arbitrary code executable vulnerability in the service software of the second computer,
The vulnerability determination system according to claim 6. When the second computer of the managed system is used as a client,
The indirectly reachable path is a path that can reach the computer via the arbitrary code executable vulnerability in the client software or operating system of the second computer. 6. The vulnerability determination system according to 6. The vulnerability determination system according to any one of claims 4 to 8, further comprising:
Based on the determination results of the direct path search unit and the indirect path search unit, a recording unit for recording the urgency level of vulnerability countermeasures and a countermeasure plan,
A notification section for notifying the urgency of the countermeasure and the countermeasure proposal;
A vulnerability determination system characterized by comprising: A vulnerability determination method for determining the vulnerability of a managed system including a computer and a network device,
Vulnerability determination device
An affected software extraction process for determining whether software included in the managed system is affected by the vulnerability, based on software vulnerability information and software information installed in the computer;
When the affected software extraction process determines that the software of the managed system is affected by the vulnerability, the affected software determines whether the affected software can be attacked directly from an external network. Direct path search processing,
Vulnerability determination method characterized by performing. The direct path search process includes:
If the affected software provided a service to the external network, a search is made for a route that can be directly reached from the external network to the computer equipped with the affected software. By determining whether the affected software's vulnerabilities are protected by a firewall or IPS (Intrusion Prevention System) in a possible path, the affected software can attack directly from the external network It is judged whether it is. The vulnerability determination method of Claim 10 characterized by the above-mentioned. The vulnerability determination method according to claim 10 or claim 11 further includes:
Vulnerability determination device
When it is determined by the affected software extraction process that the software of the managed system is affected by the vulnerability, it is determined whether or not the affected software can be indirectly attacked from the external network. A vulnerability determination method characterized by performing indirect path search processing. The indirect path search process searches for a route that can be indirectly reached from the external network to the computer equipped with the affected software, and the affected software in all of the indirectly reachable routes. It is determined whether the affected software can indirectly attack from the external network by determining whether or not the vulnerability is protected by a firewall or IPS (Intrusion Prevention System) The vulnerability determination method according to claim 12. The vulnerability determination method according to claim 13, wherein the indirectly reachable route is a route that can reach the computer from the external network via a proxy server. The indirectly reachable path is a path that can reach the computer from the external network via a vulnerability that allows execution of arbitrary code in the software of the second computer included in the managed system. The vulnerability determination method according to claim 13, wherein When the second computer is used as a server,
The indirectly reachable path is a path that can reach the computer via the arbitrary code executable vulnerability in the service software of the second computer. Vulnerability assessment method. When the second computer is used as a client,
The indirectly reachable path is a path that can reach the computer via the arbitrary code executable vulnerability in the client software or operating system of the second computer. 15. The vulnerability determination method according to 15. The vulnerability determination method according to any one of claims 12 to 17, further includes:
Vulnerability determination device
Based on the determination result of the direct path search process and the indirect path search process, a recording process for recording the urgency level of vulnerability countermeasures and a countermeasure plan;
Notification processing for notifying the urgency of countermeasures and countermeasure proposals to the outside;
Vulnerability determination method characterized by performing.   A vulnerability determination program for causing a computer to perform the vulnerability determination method according to any one of claims 10 to 18.

Images