WO2020055230A1 - System and method for performing vulnerability assessment of a computer network - Google Patents


Info

Publication number
WO2020055230A1
Authority
WO
WIPO (PCT)
Prior art keywords
vulnerability
detected
scanning task
data
computer
Application number
PCT/MY2019/050054
Other languages
French (fr)
Inventor
Nor Izyani Daud
Khairul Azmi ABU BAKAR
Galoh Rashidah Haron
Dharmadharshni MANIAM
Original Assignee
Mimos Berhad
Application filed by Mimos Berhad
Publication of WO2020055230A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Definitions

  • the invention provides a system and method for performing vulnerability assessment of a distributed computing network, in which the vulnerability assessment may be configured to operate in an automated setting.
  • Figure 2 is a general architecture of a system for performing vulnerability assessment of a computing network which may belong to an enterprise or an entity, according to a preferred embodiment of the invention.
  • the computing network as shown in Figure 1 may be monitored and managed by a network administrator or several authorised personnel.
  • the computing network may comprise a plurality of computer workstations or applications for providing services or resources to public users through their electronic devices, such as personal computers, laptop computers, tablet computers, etc.
  • since the workstations or applications may contain vulnerabilities that may affect operations of the enterprise, it is essential to assess, track and maintain these applications through a system (101) that is able to perform a series of operations as described in the following.
  • the system (101) may also be configured to communicate with a database (209) that may be a separate component to or an integral part of the system (101).
  • the system (101) may perform vulnerability assessment of a network comprising a plurality of computer workstations connected and accessible to the network.
  • the system (101) may also be provided with various components, for example an extraction module (201), a verifying module (203), a rectifying module (205) and a scheduling module (207), as shown in Figure 2.
  • the extraction module (201) may be configured to process scan results obtained from each computer accessible to the network, so as to extract a plurality of vulnerability data (where each data is associated with a vulnerability) and then decide if each vulnerability data that is being extracted is a new data. More specifically, the extraction module (201) may be configured to receive a plurality of scan results generated from scanning tasks that are executed on each of the computers accessible to the network, and to extract desired vulnerability data from the scan results.
  • each of the extracted vulnerability data may comprise information which may include type of vulnerability, computer workstation where the vulnerability is found (such as its IP address), contact details (such as email address) of personnel in charge of the computer workstation where the vulnerability is found, etc.
  • the extraction module (201) may determine if each of the extracted vulnerability data is “new” data. For example, if the vulnerability data A has not previously been detected by the system (101), the vulnerability data A is new data, and the extraction module (201) may compute a time to resolve such vulnerability.
  • the extraction module (201) may also be configured to create and send a notification to the computer workstation where the vulnerability is found, to notify the person or personnel in charge of the workstation that the vulnerability is found on his or her workstation and that it should be resolved within the computed time.
  • the extraction module (201) may communicate with the database (209) to retrieve all historical data relevant to such vulnerability data; it should be appreciated that the historical data referred to herein are data collected from one or more preceding scanning tasks (or more specifically, the scanning tasks that are executed before the current scanning task). Based on the historical vulnerability data retrieved from the database (209), the extraction module (201) can identify if the same vulnerability data is detected in a “repeated” scanning task. In other words, the extraction module (201) may proceed to identify if the current scanning task is a repeated scanning task, which may be a second, third or any scanning task subsequent to the preceding scanning tasks. In certain embodiments, an indication may be produced by the extraction module (201), indicating whether the vulnerability data is detected in a repeated scanning task or not.
  • the extraction module (201) may identify that the vulnerability is not detected in a repeated scanning task. As such, the extraction module (201) may compute a time to resolve such vulnerability. The extraction module (201) may also be configured to create and send a notification to the computer workstation where the vulnerability is found, to notify the person or personnel in charge of the workstation that the vulnerability is found on his or her workstation and that it should be resolved within the computed time.
  • the extraction module (201) may identify that the vulnerability data is detected in a repeated scanning task. Such identification result or indication may then be transferred to the verifying module (203) for performing further analyses.
  • the verifying module (203) may be configured to be in communication with the extraction module (201). In some embodiments, the verifying module (203) may either be a separate component or an integral part of the extraction module (201). In certain preferred embodiments, the verifying module (203) may also be configured to perform the analyses as described in the following.
  • the verifying module (203) may analyse the same data to determine if the vulnerability still remains unresolved on the computer workstation. For instance, if the vulnerability B no longer exists or has been resolved, the verifying module (203) may update the data relating to vulnerability B to reflect or show that the vulnerability B is now resolved, before the updated data is stored on the database (209). In contrast, if the vulnerability B still exists or remains unresolved on the computer workstation, the verifying module (203) may be configured to assign a penalty to such vulnerability.
  • the penalty may be assigned by the verifying module (203) to a vulnerability and executed according to a decision matrix table which is built upon a relationship between penalty values, vulnerability severity levels and penalty types.
  • a penalty value and a severity level may preferably be assigned to the vulnerability or to the computer workstation, before assigning the penalty type.
  • the verifying module (203) may be further configured to create and send a notification to the computer workstation where the vulnerability is found, for notifying the person in charge of the workstation that the vulnerability is still found on his or her workstation and that it should be resolved immediately.
  • the system (101) may also comprise the rectifying module (205), which is configured to trigger and execute a new scanning task on the computer workstation upon receipt of a notification from such workstation informing that the vulnerability is resolved.
  • the rectifying module (205) may be configured to trigger and execute a new scanning task on each of the computer workstations, rather than a single computer workstation.
  • the system (101) may also comprise the scheduling module (207), as depicted in the preceding description.
  • the scheduling module (207) may be configured in some embodiments to trigger and execute periodic scanning tasks on the computer workstations.
  • the scheduling module (207) may also be configured in some embodiments to trigger and execute new scanning tasks on the computer workstations after the computed time to resolve the respective vulnerability has lapsed. In some other embodiments, the scheduling module (207) may also be configured to check if a scanning task has been executed on a particular computer workstation.
  • the database (209) used in this invention may also be configured to communicate with each of the modules provided to the system (101), so that the information can be transmitted from the respective modules and stored in the database (209).
  • the database (209) may store the vulnerability data that are extracted from the extraction module (201).
  • the database (209) may also store the outcomes (such as time for resolving the vulnerability, penalty values, penalty types, etc.).
  • the database (209) may also store the indications generated by the extraction module (201), verifying module (203), rectifying module (205) or scheduling module (207).
  • the indications to be stored onto the database (209) may include indications generated by the extraction module (201) for indicating if the vulnerability is detected in a repeated scanning task or it is not.
  • the database (209) may also store the scan results from the computer workstations. Consequently, records on the database (209) may be updated periodically.
  • Figure 3 is a general flow chart of the method for performing vulnerability assessment of a computer network, according to the further embodiment of the invention.
  • it may be preferred to execute a scanning task on each of the computer workstations accessible to the network, thereby generating a plurality of scan results, each of which may be in the form of a report or in another suitable format.
  • the generated scan results may be transmitted and uploaded to a server or alternatively a database (209), before being processed further.
  • the scan results uploaded to the server or database (209) may preferably be unprocessed. It may also be required in certain embodiments to identify sources of the scan results (such as Nessus) at Step 303.
  • Vulnerability data may also be extracted from each of the scan results.
  • the extracted vulnerability data may comprise information which may include the type of vulnerability identified in a scan result, the computer workstation where the vulnerability is found (such as its IP address), contact details (such as email address) of the personnel in charge of the workstation where the vulnerability is found, etc. Accordingly, it may be required in certain embodiments to register all of the computer workstations that are accessible to the network through the extraction module (201), or through another component in some embodiments. For example, contact details (e.g. email address) of the personnel in charge of a computer workstation may be inputted when registering the workstation through the extraction module (201). Other suitable information may also be inputted or requested by the network administrator in some preferred embodiments. With this information, the personnel in charge of a particular computer workstation can be notified (such as by an email notification) when a vulnerability is found on that computer workstation.
  • the extracted data may subsequently be transferred to the database (209) for storing thereon, as shown in Step 305 of Figure 3.
  • each of the vulnerability data may be subjected to the extraction module (201) which may determine if it is “new” data. For example, if the vulnerability data A is not previously detected, such data is new, and a time to resolve such vulnerability may be computed, as shown in Step 309.
  • a notification may be created and sent (such as by email) to the computer workstation where the vulnerability is found, in order to notify the personnel in charge of the workstation that the vulnerability is found on this workstation and that it should be resolved within the computed time.
  • if the vulnerability data A has previously been detected, it is not new.
  • historical data relevant to such vulnerability data may be retrieved from the database (209), as shown in Step 313.
  • the historical data referred herein are data collected from one or more preceding scanning tasks (or specifically, the scanning tasks executed before the current scanning tasks).
  • the retrieved historical data may facilitate the identification process at Step 315, more particularly in identifying if the same vulnerability data is detected in a “repeated” scanning task. For instance, when a computer workstation is scanned for the first time (i.e. first scanning task) and a vulnerability is found on this workstation, it may be scanned again (i.e. second scanning task) after a period of time or in other circumstances.
  • the vulnerability data from the first scanning task can be used as historical data to identify if the same vulnerability data is detected in the second scanning task.
  • the computer workstation may also be scanned for a further time (i.e. third scanning task) to identify if the same vulnerability data is detected in the third scanning task.
  • the subsequent scanning tasks (such as the second and third scanning tasks) may be referred to as “repeated scanning tasks”, where the same vulnerability data have been repeatedly detected in these later scanning tasks.
  • Indications may also be generated in some embodiments, indicating whether or not the vulnerability data is detected in a repeated scanning task. If it is identified that the vulnerability data is not detected in a repeated scanning task, a time to resolve such vulnerability may be computed, and a notification may be sent to the computer workstation in which the vulnerability is found, as illustrated in Steps 309 and 311.
  • the identification result from Step 315 may then be transmitted to the verifying module (203) for further analyses, as illustrated in Figure 4.
  • the vulnerability data may be analysed to determine if the vulnerability still remains unresolved on the computer workstation. For instance, if the vulnerability B no longer exists or has been resolved, the data relating to vulnerability B may be updated and stored on the database (209), as shown in Step 403, in order to reflect or show that the vulnerability B is now resolved. In some preferred embodiments, the data relating to vulnerability B may be updated and stored on the database (209) before proceeding to the subsequent scanning task.
  • a penalty may be assigned to such vulnerability.
  • a penalty value may be assigned first in Step 405, to the workstation in which the vulnerability is found.
  • a severity level may subsequently be assigned after evaluating the vulnerability found.
  • the penalty value may also be assigned after evaluating the severity level of the vulnerability found.
  • the penalty type may be assigned and executed according to the decision matrix table as shown in Table 1 below.
  • a notification or a reminder may be sent by email to the workstation where the vulnerability is found, for notifying the person in charge of the workstation that the vulnerability is still found on his or her workstation and that it should be resolved immediately.
  • the computer workstation may also be disconnected from the network, for example when the penalty value assigned is 4 or higher and also when the severity level is high.
  • Figure 5 is a general flow chart showing the steps to be performed when a notification is received from the workstation where the vulnerability is found.
  • a notification is sent, preferably automatically, from a computer workstation to the system administrator or the network administrator, informing that the vulnerability found at this workstation is resolved.
  • a new scanning task may be triggered and executed on the computer workstation, as illustrated in Step 503. After completing the scanning task, the process in Figure 3 will be repeated.
  • Figure 6 is a general flow chart showing the steps to be performed after completing a periodic scanning task on a computer workstation.
  • at Step 601 it may be checked if a scanning task has been executed on a particular computer workstation. If the computer workstation has been scanned, then no further action is required. On the other hand, if the computer workstation has not been scanned, a scanning task may be triggered and executed on the workstation, as shown in Step 603. After completing the scanning task, the process illustrated in Figure 3 will be repeated.
  • the method described in the foregoing may be converted to a series of computer-executable program instructions stored on a non-transitory computer-readable storage medium.
  • when executed by a processing module, the program instructions may cause the processing module to perform the steps illustrated in Figures 3, 4, 5 and 6, thereby allowing the vulnerability assessment to be performed in an automated setting.
  • the disclosure includes all that is contained in the appended claims, as well as that of the foregoing description.
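The extraction and verifying flow described in the items above (new data and the time to resolve at Step 309, repeated detection through the historical data at Steps 313 and 315, the resolution update at Step 403, and the penalty value, severity level and decision matrix of Figure 4), worked through as an added Python example; this is not the patent's or MIMOS Berhad's code. The scan findings, the `RESOLVE_DAYS` rule, the one-point-per-repeat penalty value and the cells of `DECISION_MATRIX` are all constructed assumptions, since the page does not reproduce Table 1; the only cell the text fixes is that a penalty value of 4 or higher with high severity disconnects the workstation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed rule for the "time to resolve" computed at Step 309 (the patent
# gives no formula): days allowed per severity level.
RESOLVE_DAYS = {"high": 7, "medium": 14, "low": 30}

# Constructed stand-in for the patent's Table 1 (not reproduced on this page).
# Rows are severity levels, columns are penalty values 1..4, cells are the
# penalty type. The only cell fixed by the text is "value 4 or higher with
# high severity disconnects the workstation".
DECISION_MATRIX = {
    "low":    {1: "reminder", 2: "reminder", 3: "escalate", 4: "escalate"},
    "medium": {1: "reminder", 2: "escalate", 3: "escalate", 4: "escalate"},
    "high":   {1: "reminder", 2: "escalate", 3: "escalate", 4: "disconnect"},
}


@dataclass
class VulnRecord:
    """One row of the history database (209): a vulnerability on a host."""
    host: str
    vuln_id: str
    severity: str
    contact: str
    first_seen: datetime
    times_detected: int = 1
    resolved: bool = False
    due: Optional[datetime] = None
    penalty_value: int = 0
    penalty_type: Optional[str] = None


History = Dict[Tuple[str, str], VulnRecord]
Action = Tuple[str, str, str, object]   # (kind, host, vuln_id, detail)


def penalty_type_for(value: int, severity: str) -> str:
    """Look up the penalty type; values above 4 use the last column."""
    return DECISION_MATRIX[severity][min(max(value, 1), 4)]


def assess_scan(findings: List[dict], scanned_hosts: set,
                history: History, now: datetime) -> List[Action]:
    """Run the Figure 3 / Figure 4 flow over one scanning task.

    `findings` is the vulnerability data already extracted from the scan
    results (host, vuln_id, severity, contact: the fields the text lists).
    `history` plays the role of the database and is updated in place.
    Returns the notifications and actions produced, in order.
    """
    actions: List[Action] = []
    seen = set()
    for f in findings:
        key = (f["host"], f["vuln_id"])
        seen.add(key)
        rec = history.get(key)
        if rec is None:
            # Not previously detected: new data, compute the time to resolve
            # (Step 309) and notify the person in charge (Step 311).
            due = now + timedelta(days=RESOLVE_DAYS[f["severity"]])
            history[key] = VulnRecord(f["host"], f["vuln_id"], f["severity"],
                                      f["contact"], first_seen=now, due=due)
            actions.append(("notify_due", f["host"], f["vuln_id"], due))
            continue
        # Previously detected, so this is a repeated scanning task and the
        # vulnerability is still present: it remains unresolved (Figure 4).
        rec.times_detected += 1
        rec.resolved = False
        # Constructed rule: the penalty value grows by one for every repeated
        # scan in which the vulnerability is still found.
        rec.penalty_value = rec.times_detected - 1
        rec.penalty_type = penalty_type_for(rec.penalty_value, rec.severity)
        actions.append(("notify_unresolved", rec.host, rec.vuln_id, rec.penalty_type))
        if rec.penalty_type == "disconnect":
            actions.append(("disconnect", rec.host, rec.vuln_id, None))
    # A recorded vulnerability that no longer appears on a host that was
    # scanned has been resolved: update the record (Step 403).
    for key, rec in history.items():
        if rec.host in scanned_hosts and key not in seen and not rec.resolved:
            rec.resolved = True
            rec.penalty_value = 0
            rec.penalty_type = None
            actions.append(("mark_resolved", rec.host, rec.vuln_id, None))
    return actions


def demo() -> Tuple[History, List[List[Action]]]:
    """Five weekly scans of one constructed workstation."""
    history: History = {}
    t0 = datetime(2019, 1, 7)
    weak_cipher = {"host": "10.0.0.5", "vuln_id": "SSL-WEAK-CIPHER",
                   "severity": "high", "contact": "owner@example.test"}
    old_browser = {"host": "10.0.0.5", "vuln_id": "OUTDATED-BROWSER",
                   "severity": "medium", "contact": "owner@example.test"}
    # The browser is patched after the second scan; the cipher never is.
    scans = [[weak_cipher, old_browser], [weak_cipher, old_browser],
             [weak_cipher], [weak_cipher], [weak_cipher]]
    runs = [assess_scan(s, {"10.0.0.5"}, history, t0 + timedelta(weeks=i))
            for i, s in enumerate(scans)]
    return history, runs


if __name__ == "__main__":
    hist, runs = demo()
    for i, run in enumerate(runs, 1):
        print(f"scan {i}: {run}")
```

Running the block prints the actions for five weekly scans of one workstation: the outdated browser is marked resolved at the third scan, while the weak cipher climbs from a reminder to escalation and, at the fifth scan, to a disconnect action. Keying the history on (host, vulnerability id) is what lets the verifying module tell a repeated finding from a new one without re-running the whole assessment, which is the point of keeping the historical data.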

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a system and method for performing vulnerability assessment of a distributed computing network. The system and method may involve extracting vulnerability data from scan results generated by each computer accessible via the network, and then using the extracted vulnerability data to determine if each vulnerability is previously detected. If a vulnerability is previously detected, historical data relating to such vulnerability are retrieved from a database (209), in which the historical data are used to identify whether the vulnerability is detected in a repeated scanning task. The vulnerability data is also analysed if the vulnerability detected in the repeated scanning task still remains unresolved. A penalty will be assigned to the vulnerability that remains unresolved in the repeated scanning task. On the contrary, a time for resolving the vulnerability is computed if it is not previously detected or if it is not detected in the repeated scanning task.

Description

SYSTEM AND METHOD FOR PERFORMING VULNERABILITY ASSESSMENT OF A COMPUTER NETWORK
Field of Invention
The invention relates to network security. More particularly, the invention pertains to automated vulnerability management in computer networks.
Background of the Invention
There has been increasing reliance on public networks to gain access to resources that are of interest to users, ranging from information retrieval to electronic mail and commerce transactions. As the resources are obtained from various information technology assets located and spread over a wide geographical area, it may be challenging for a network administrator to perform security scanning in order to keep a public network (or several networks) safe from potential internal and external threats. It may also become more difficult and time consuming if critical vulnerabilities are to be tracked manually for remediation, or if each discovery has to be escalated to the respective owners of the information technology assets.
To mitigate the above issues, various methods and systems are available in the art for assessing network security. For example, PCT Publication No. WO 2014/182738 A1 discloses a system for automatically managing vulnerabilities which may determine vulnerability data describing vulnerabilities in an information technology environment and subsequently assign each of the vulnerabilities to a stakeholder for remediation. The system may receive a remediation proposal from the stakeholder, obtain approval for the remediation proposal and then facilitate remediation of the vulnerability based on the proposal.
U.S. Patent No. US 7,712,138 B2 also discloses a system and method to schedule and perform security audits in a distributed computing network. The computing network is surveyed by a security audit system to identify various elements in the network and their function and relative importance. Based on the element’s function and priority, a more thorough type of security audit is selected to run against each of the network elements by the security audit system. The security audit may also be scheduled to be run at an appropriate time based on the information gathered from the survey. Further, the same information from the security audit may be used to calculate a security score for each element in the network, wherein the security score is useful in assessing the security of the network and prioritising issues that need to be remedied.
Although numerous systems and methods have been provided in the art for assessing the network security, they are however not able to automatically monitor and track the vulnerability status and provide a solution to the computing network (or the network administrator) if it is repeatedly detected that the vulnerability remains unresolved for a long period of time. As such, there exists a need to provide an improved method and system for assessing the network security.
Summary of the Invention
One of the objects of the invention is to provide an automated system and method that use historical vulnerability data in performing vulnerability assessment of a computer network, so that a vulnerability located on a computer connected to the network can be detected more rapidly, and the procedures involved in the vulnerability assessment also become less complicated. In addition, it will not be required to perform a complete cycle of the vulnerability assessment if the same vulnerability is detected repeatedly.
Another object of the invention is to provide an automated system and method for performing vulnerability assessment of a computer network and then assigning an appropriate penalty to a vulnerability located on a computer connected to the network.
At least one of the preceding objects is met, in whole or in part, by the invention, in which one of the embodiments of the invention describes a method for performing vulnerability assessment of a computer network. The method may comprise the steps of extracting vulnerability data from results generated after executing scanning tasks on each computer that is accessible via the network; determining if each vulnerability is previously detected, based on the extracted vulnerability data; retrieving historical data relating to the vulnerability that is previously detected from a database, wherein the historical data may be collected from one or more preceding scanning tasks; identifying if the vulnerability is detected in a repeated scanning task, based on the historical data; analysing if the vulnerability that is detected in the repeated scanning task still remains unresolved; assigning a penalty to the vulnerability that remains unresolved in the repeated scanning task, wherein the penalty is assigned based on a decision matrix table which is built upon a relationship between penalty values, vulnerability severity levels and penalty types; and computing a time for resolving the vulnerability if it is not previously detected.
The method may also comprise the step of creating and sending a notification to the computer after the computing step.
The method may further comprise the steps of executing a new scanning task upon receipt of a notification informing that the vulnerability is resolved; and repeating the extracting and determining steps.
The method may further comprise the steps of executing a new scanning task after the computed time for resolving the vulnerability has lapsed; and repeating the extracting and determining steps.
A further embodiment of the invention is a system for performing vulnerability assessment of a computer network, comprising an extraction module configured to extract vulnerability data from results generated from scanning tasks that are executed on each computer accessible via the network; determine if each vulnerability is previously detected, based on the extracted vulnerability data; retrieve historical data relating to the vulnerability that is previously detected from a database, wherein the historical data are data collected from one or more preceding scanning tasks; identify if the vulnerability is detected in a repeated scanning task, based on the retrieved historical data; and compute a time for resolving the vulnerability if it is not previously detected; and a verifying module in communication with the extraction module, wherein the verifying module is configured to analyse the vulnerability that is detected in the repeated scanning task if it still remains unresolved; and assign a penalty to the vulnerability that remains unresolved in the repeated scanning task, wherein the penalty is assigned based on a decision matrix table which is built upon a relationship between penalty values, vulnerability severity levels and penalty types.
In some further embodiments, the extraction module or verifying module may further be configured to create and send a notification to the computer.
The system may further comprise a rectifying module for triggering and executing a new scanning task after a notification is received from the computer, informing that the vulnerability is resolved.
The system may further comprise a scheduling module for triggering and executing a new scanning task periodically or after the computed time for resolving the vulnerability has lapsed.
One skilled in the art will readily appreciate that the invention is well adapted to carry out the aspects and obtain the ends and advantages mentioned, as well as those inherent therein. The embodiments described herein are not intended as limitations on the scope of the invention.
Brief Description of Drawings
For the purpose of facilitating an understanding of the invention, there is illustrated in the accompanying drawings the preferred embodiments from an inspection of which when considered in connection with the following description, the invention, its construction and operation and many of its advantages would be readily understood and appreciated.
Figure 1 is a computer network, in accordance with one embodiment of the invention.
Figure 2 is a system for performing vulnerability assessment of a computer network, in accordance with one embodiment of the invention.
Figure 3 is a general flow chart of a method for performing vulnerability assessment of a computer network, in accordance with another embodiment of the invention.
Figure 4 is a general flow chart detailing steps to be performed if it is identified that the vulnerability data is detected in a repeated scanning task, in accordance with one embodiment of the invention.
Figure 5 is a general flow chart detailing steps to be performed when a notification is received from a computer workstation, according to one embodiment of the invention.
Figure 6 is a general flow chart detailing steps to be performed after a scanning task is completed on a computer workstation, according to one embodiment of the invention.
Detailed Description of the Invention
Hereinafter, the invention shall be described according to the preferred embodiments of the invention and by referring to the accompanying description and drawings. However, it is to be understood that limiting the description to the preferred embodiments of the invention and to the drawings is merely to facilitate discussion of the invention and it is envisioned that those skilled in the art may devise various modifications without departing from the scope of the appended claim.
The invention provides a system and method for performing vulnerability assessment of a distributed computing network, in which the vulnerability assessment may be configured to operate in an automated setting.
Figure 2 is a general architecture of a system for performing vulnerability assessment of a computing network which may belong to an enterprise or an entity, according to a preferred embodiment of the invention. The computing network as shown in Figure 1 may be monitored and managed by a network administrator or several authorised personnel. In some embodiments, the computing network may comprise a plurality of computer workstations or applications for providing services or resources to public users through their electronic devices, such as personal computers, laptop computers, tablet computers, etc. As the workstations or applications may contain vulnerabilities that may affect operations of the enterprise, it is essential to assess, track and maintain these applications through a system (101) that is able to perform a series of operations as described in the following. In some embodiments, the system (101) may also be configured to communicate with a database (209) that may be a separate component to or an integral part of the system (101).
In some embodiments, the system (101) may perform vulnerability assessment of a network comprising a plurality of computer workstations connected and accessible to the network. In some preferred embodiments, the system (101) may also be provided with various components, for example an extraction module (201), a verifying module (203), a rectifying module (205) and a scheduling module (207), as shown in Figure 2.
The extraction module (201) may be configured to process scan results obtained from each computer accessible to the network, so as to extract a plurality of vulnerability data (where each data item is associated with a vulnerability) and then decide if each vulnerability data item being extracted is new data. More specifically, the extraction module (201) may be configured to receive a plurality of scan results generated from scanning tasks that are executed on each of the computers accessible to the network, and to extract the desired vulnerability data from the scan results. In certain embodiments, each of the extracted vulnerability data may comprise information which may include the type of vulnerability, the computer workstation where the vulnerability is found (such as its IP address), contact details (such as email address) of the personnel in charge of the computer workstation where the vulnerability is found, etc. Based on the extracted vulnerability data, the extraction module (201) may determine if each of the extracted vulnerability data is "new" data. For example, if the vulnerability data A has not previously been detected by the system (101), the vulnerability data A is new data, and the extraction module (201) may compute a time to resolve such vulnerability. The extraction module (201) may also be configured to create and send a notification to the computer workstation where the vulnerability is found, to notify the person or personnel in charge of the workstation that the vulnerability is found on his or her workstation and that it should be resolved within the computed time.
In contrast, if the vulnerability data A has previously been detected by the system (101), it is not new. Under this circumstance, the extraction module (201) may communicate with the database (209) to retrieve all historical data relevant to such vulnerability data, where the historical data referred to herein are data collected from one or more preceding scanning tasks (or more specifically, the scanning tasks that were executed before the current scanning tasks). The historical vulnerability data retrieved from the database (209) enable the extraction module (201) to identify if the same vulnerability data is detected in a "repeated" scanning task. In other words, the extraction module (201) may proceed to identify if the current scanning task is a repeated scanning task, which may be a second, third or later scanning task subsequent to the preceding scanning tasks. In certain embodiments, an indication may be produced by the extraction module (201), indicating whether or not the vulnerability data is detected in a repeated scanning task.
In some embodiments, the extraction module (201) may identify that the vulnerability is not detected in a repeated scanning task. As such, the extraction module (201) may compute a time to resolve such vulnerability. The extraction module (201) may also be configured to create and send a notification to the computer workstation where the vulnerability is found, to notify the person or personnel in charge of the workstation that the vulnerability is found on his or her workstation and that it should be resolved within the computed time.
In some embodiments, the extraction module (201) may identify that the vulnerability data is detected in a repeated scanning task. Such identification result or indication may then be transferred to the verifying module (203) for performing further analyses. In certain embodiments, the verifying module (203) may be configured to be in communication with the extraction module (201). In some embodiments, the verifying module (203) may either be a separate component or an integral part of the extraction module (201). In certain preferred embodiments, the verifying module (203) may also be configured to perform the analyses as described in the following.
If the extraction module (201) identifies that a vulnerability data item is indeed detected in a repeated scanning task, the verifying module (203) may analyse the same data to determine whether the vulnerability still remains unresolved on the computer workstation. For instance, if vulnerability B no longer exists or has been resolved, the verifying module (203) may update the data relating to vulnerability B to reflect or show that vulnerability B is now resolved, before the updated data is stored on the database (209). In contrast, if vulnerability B still exists or remains unresolved on the computer workstation, the verifying module (203) may be configured to assign a penalty to such vulnerability. In certain embodiments, the penalty may be assigned by the verifying module (203) to a vulnerability and executed according to a decision matrix table which is built upon a relationship between penalty values, vulnerability severity levels and penalty types. In these embodiments, a penalty value and a severity level may preferably be assigned to the vulnerability or to the computer workstation, before assigning the penalty type.
Depending on the penalty type, the verifying module (203) may be further configured to create and send a notification to the computer workstation where the vulnerability is found, for notifying the person in charge of the workstation that the vulnerability is still found on his or her workstation and that it should be resolved immediately.
As depicted in the preceding description, the system (101) may also comprise the rectifying module (205), which is configured to trigger and execute a new scanning task on the computer workstation upon receipt of a notification from such workstation informing that the vulnerability is resolved. In certain embodiments, the rectifying module (205) may be configured to trigger and execute a new scanning task on each of the computer workstations, rather than on a single computer workstation. In some embodiments, the system (101) may also comprise the scheduling module (207), as depicted in the preceding description. Preferably, the scheduling module (207) may be configured in some embodiments to trigger and execute periodic scanning tasks on the computer workstations. The scheduling module (207) may also be configured in some embodiments to trigger and execute new scanning tasks on the computer workstations after the computed time to resolve the respective vulnerabilities has lapsed. In some other embodiments, the scheduling module (207) may also be configured to check if a scanning task has been executed on a particular computer workstation.
In some preferred embodiments, the database (209) used in this invention may also be configured to communicate with each of the modules provided to the system (101), so that the information can be transmitted from the respective modules and stored in the database (209). For example, the database (209) may store the vulnerability data that are extracted from the extraction module (201). The database (209) may also store the outcomes (such as time for resolving the vulnerability, penalty values, penalty types, etc.). The database (209) may also store the indications generated by the extraction module (201), verifying module (203), rectifying module (205) or scheduling module (207). For example, the indications to be stored onto the database (209) may include indications generated by the extraction module (201) for indicating if the vulnerability is detected in a repeated scanning task or it is not. In some embodiments, the database (209) may also store the scan results from the computer workstations. Consequently, records on the database (209) may be updated periodically.
In further embodiments, it may also be preferred to provide a method for performing vulnerability assessment of a computer network by using the system (101) described in the foregoing.
Figure 3 is a general flow chart of the method for performing vulnerability assessment of a computer network, according to the further embodiment of the invention. In some embodiments, it may be preferred to execute a scanning task on each of the computer workstations accessible to the network, thereby generating a plurality of scan results, each of which may be in a form of report or in other suitable format. At Step 301, the generated scan results may be transmitted and uploaded to a server or alternatively a database (209), before being processed further. In some embodiments, the scan results uploaded to the server or database (209) may preferably be unprocessed. It may also be required in certain embodiments to identify sources of the scan results (such as Nessus) at Step 303.
Vulnerability data may also be extracted from each of the scan results. For instance, the extracted vulnerability data may comprise information which may include the type of vulnerability identified in a scan result, the computer workstation where the vulnerability is found (such as its IP address), contact details (such as email address) of the personnel in charge of the workstation where the vulnerability is found, etc. Accordingly, it may be required in certain embodiments to register all of the computer workstations that are accessible to the network through the extraction module (201), or through another component in some embodiments. For example, contact details (e.g. email address) of the personnel in charge of a computer workstation may be input when registering the workstation through the extraction module (201). Other suitable information may also be input or requested by the network administrator in some preferred embodiments. This information allows the personnel of a particular computer workstation to be notified (such as by an email notification) when a vulnerability is found on that computer workstation.
Upon extraction of the vulnerability data from the scan results, the extracted data may subsequently be transferred to the database (209) for storing thereon, as shown in Step 305 of Figure 3.
At Step 307, each of the vulnerability data may be subjected to the extraction module (201), which may determine if it is "new" data. For example, if the vulnerability data A has not previously been detected, such data is new, and a time to resolve such vulnerability may be computed, as shown in Step 309. At Step 311, a notification may be created and sent (such as by email) to the computer workstation where the vulnerability is found, in order to notify the personnel in charge of the workstation that the vulnerability is found on this workstation and that it should be resolved within the computed time.
In contrast, if the vulnerability data A is previously detected, it is not new. Under such circumstance, historical data relevant to such vulnerability data may be retrieved from the database (209), as shown in Step 313. However, it should be appreciated that the historical data referred herein are data collected from one or more preceding scanning tasks (or specifically, the scanning tasks executed before the current scanning tasks).
The historical data facilitate the identification process at Step 315, more particularly in identifying if the same vulnerability data is detected in a "repeated" scanning task. For instance, when a computer workstation is scanned for the first time (i.e. the first scanning task) and a vulnerability is found on this workstation, it may be scanned again (i.e. a second scanning task) after a period of time or in other circumstances. The vulnerability data from the first scanning task can be used as historical data to identify if the same vulnerability data is detected in the second scanning task. The computer workstation may also be scanned a further time (i.e. a third scanning task) to identify if the same vulnerability data is detected in the third scanning task. It should therefore be appreciated that the subsequent scanning tasks (such as the second and third scanning tasks) may be referred to as "repeated scanning tasks", where the same vulnerability data have been repeatedly detected in these later scanning tasks.
Indications may also be generated in some embodiments, indicating whether or not the vulnerability data is detected in a repeated scanning task. If it is identified that the vulnerability data is not detected in a repeated scanning task, a time to resolve such vulnerability may be computed, and a notification may be sent to the computer workstation in which the vulnerability is found, as illustrated in Steps 309 and 311.
On the other hand, if it is identified that the vulnerability data is detected in a repeated scanning task, the results or indications from Step 315 may then be transmitted to the verifying module (203) for further analyses as illustrated in Figure 4.
In Step 401, the vulnerability data may be analysed if the vulnerability still remains unresolved in the computer workstation. For instance, if the vulnerability B no longer exists or has been resolved, the data relating to vulnerability B may be updated and stored on the database (209), as shown in Step 403, in order to reflect or show that the vulnerability B is now resolved. In some preferred embodiments, the data relating to vulnerability B may be updated and stored on the database (209), before proceeding to the subsequent scanning task.
If it is analysed in Step 401 that the vulnerability B still exists or remains unresolved in the computer workstation, a penalty may be assigned to such vulnerability. In some embodiments, a penalty value may be assigned first in Step 405, to the workstation in which the vulnerability is found. A severity level may subsequently be assigned after evaluating the vulnerability found. In some embodiments, the penalty value may also be assigned after evaluating the severity level of the vulnerability found. Later, in Step 407, the penalty type may be assigned and executed according to the decision matrix table as shown in Table 1 below.
Table 1 (decision matrix table relating penalty values, vulnerability severity levels and penalty types; reproduced only as images in the original and not recoverable here)
Depending on the penalty type, a notification or a reminder may be sent by email to the workstation where the vulnerability is found, for notifying the person in charge of the workstation that the vulnerability is still found on his or her workstation and that it should be resolved immediately. The computer workstation may also be disconnected from the network, for example when the penalty value assigned is 4 or higher and also when the severity level is high.
Figure 5 is a general flow chart showing the steps to be performed when a notification is received from the workstation where the vulnerability is found. In particular, at Step 501, a notification is sent, preferably automatically, from a computer workstation to the system administrator or the network administrator, informing that the vulnerability found at this workstation is resolved. Upon receipt of the notification, a new scanning task may be triggered and executed on the computer workstation, as illustrated in Step 503. After completing the scanning task, the process in Figure 3 will be repeated.
Figure 6 is a general flow chart showing the steps to be performed after completing a periodic scanning task on a computer workstation. In particular, in Step 601, it may be checked if a scanning task has been executed on a particular computer workstation. If the computer workstation has been scanned, then no further action is required. On the other hand, if the computer workstation has not been scanned, a scanning task may be triggered and executed on the workstation, as shown in Step 603. After completing the scanning task, the process illustrated in Figure 3 will be repeated.
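As an added example (not code from the patent or from Mimos Berhad), the following Python model walks through the loop described in the system description and in the Figure 3 to Figure 6 steps above: extraction and history check, repeated-scan verification, penalty assignment from a decision matrix, the computed time to resolve, the rescan queued on a resolved notification, and the scheduling check for lapsed deadlines. Table 1 is not reproduced on the page, so everything except the disconnect rule (penalty value 4 or higher with high severity) is assumed: the matrix rows, the resolution windows, the penalty value counting repeated detections, and the sample host, finding and contact are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed assumption: time allowed to resolve a newly found vulnerability, by severity.
RESOLVE_WINDOW = {"high": timedelta(days=7), "medium": timedelta(days=14),
                  "low": timedelta(days=30)}
DISCONNECT_PENALTY = 4  # from the page: penalty value 4 or higher with high severity


def penalty_type(penalty_value: int, severity: str) -> str:
    """Stand-in for the Table 1 decision matrix: (penalty value, severity) -> penalty type.
    Only the disconnect row follows the page; the other rows are constructed."""
    if penalty_value >= DISCONNECT_PENALTY and severity == "high":
        return "disconnect"
    if penalty_value >= 2:
        return "reminder"
    return "notification"


@dataclass
class Record:
    """Historical data for one (workstation, vulnerability) pair, as database (209) holds it."""
    first_seen: str                                  # scanning task that first found it
    scans: List[str] = field(default_factory=list)   # every scanning task that found it
    severity: str = "low"
    contact: str = ""                                # person in charge of the workstation
    resolved: bool = False
    penalty_value: int = 0                           # raised on each repeated detection
    due: Optional[datetime] = None                   # computed time to resolve


class Assessor:
    def __init__(self) -> None:
        self.db: Dict[Tuple[str, str], Record] = {}  # plays the role of database (209)
        self.rescan_queue: List[str] = []

    def process_scan(self, scan_id: str, now: datetime, host: str,
                     findings: List[dict]) -> List[tuple]:
        """Extraction and verifying modules for one workstation's scan result (Figures 3, 4).
        findings: dicts with 'vuln', 'severity' and 'contact'. Returns (action, host, vuln,
        detail) tuples: 'notify' with its due time, a penalty type with its value, or 'resolved'."""
        actions: List[tuple] = []
        seen = set()
        for f in findings:
            key = (host, f["vuln"])
            seen.add(key)
            rec = self.db.get(key)
            if rec is None or rec.resolved:
                # Not previously detected (or back after being resolved): new data,
                # so compute the time to resolve and notify the person in charge.
                due = now + RESOLVE_WINDOW[f["severity"]]
                self.db[key] = Record(scan_id, [scan_id], f["severity"], f["contact"], due=due)
                actions.append(("notify", host, f["vuln"], due))
                continue
            # Previously detected and found again: repeated scanning task, still unresolved,
            # so raise the penalty value and pick the penalty type from the matrix.
            rec.scans.append(scan_id)
            rec.penalty_value += 1
            actions.append((penalty_type(rec.penalty_value, rec.severity),
                            host, f["vuln"], rec.penalty_value))
        # Anything recorded for this host that the rescan no longer reports is resolved (Step 403).
        for key, rec in self.db.items():
            if key[0] == host and key not in seen and not rec.resolved:
                rec.resolved = True
                actions.append(("resolved", host, key[1], None))
        return actions

    def on_resolved_notification(self, host: str) -> None:
        """Rectifying module (Figure 5): the workstation reports a fix, so queue a rescan."""
        self.rescan_queue.append(host)

    def overdue_hosts(self, now: datetime) -> List[str]:
        """Scheduling module (Figure 6): workstations whose time to resolve has lapsed."""
        return sorted({h for (h, _), r in self.db.items()
                       if not r.resolved and r.due is not None and r.due <= now})


def run_demo() -> dict:
    """Constructed scenario: one workstation with one high-severity finding is rescanned
    daily until disconnected, then reports a fix and rescans clean."""
    a = Assessor()
    t0 = datetime(2019, 9, 12)
    host = "10.0.0.5"  # constructed address
    finding = [{"vuln": "outdated-ssh-server", "severity": "high",
                "contact": "owner@example.test"}]  # constructed finding
    types = []
    for i in range(1, 6):
        types.append(a.process_scan(f"scan{i}", t0 + timedelta(days=i - 1), host, finding)[0][0])
    overdue = a.overdue_hosts(t0 + timedelta(days=8))
    a.on_resolved_notification(host)
    after_fix = a.process_scan("scan6", t0 + timedelta(days=9), host, [])[0][0]
    return {"types": types, "overdue": overdue, "queued": list(a.rescan_queue),
            "after_fix": after_fix, "still_overdue": a.overdue_hosts(t0 + timedelta(days=9))}
```

`run_demo()` shows the escalation the page describes: a first notification with a deadline, then penalty types climbing through the matrix on each repeated detection until the disconnect row is reached, and the record closing once a rescan no longer reports the finding.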
In another further embodiment of the invention, the method described in the foregoing may be converted to a series of computer-executable program instructions stored on a non-transitory computer-readable storage medium. When the program instructions are executed by a processing module, they may cause the processing module to perform the steps illustrated in Figures 3, 4, 5 and 6, thereby allowing the vulnerability assessment to be performed in an automated setting. The disclosure includes what is contained in the appended claims, as well as that of the foregoing description. Although this invention has been described in its preferred form with a degree of particularity, it is understood that the disclosure of the preferred form has been made only by way of example and that numerous changes in the details of construction and the combination and arrangements of parts may be resorted to without departing from the scope of the invention.

Claims
1. A method for performing vulnerability assessment of a computer network, comprising the steps of:
extracting vulnerability data from results generated after executing scanning tasks on each computer that is accessible via the network;
determining if each vulnerability is previously detected, based on the extracted vulnerability data;
retrieving historical data relating to the previously detected vulnerability from a database (209), wherein the historical data are collected from one or more preceding scanning tasks;
identifying if the vulnerability is detected in a repeated scanning task, based on the historical data;
analysing if the vulnerability that is detected in the repeated scanning task still remains unresolved;
assigning a penalty to the vulnerability that remains unresolved in the repeated scanning task, wherein the penalty is assigned based on a decision matrix table which is built upon a relationship between penalty values, vulnerability severity levels and penalty types; and
computing a time for resolving the vulnerability if it is not previously detected or if it is not detected in the repeated scanning task.
2. The method according to claim 1 further comprising the step of creating and sending a notification to the computer after the computing step.
3. The method according to claim 1 further comprising the steps of:
executing a new scanning task upon receipt of a notification informing that the vulnerability is resolved; and
repeating the extracting and determining steps.
4. The method according to claim 1 further comprising the steps of:
executing a new scanning task after the computed time for resolving the vulnerability has lapsed; and
repeating the extracting and determining steps.
5. A system (101) for performing vulnerability assessment of a computer network, comprising:
an extraction module (201) configured to:
extract vulnerability data from results generated from scanning tasks that are executed on each computer accessible via the network;
determine if each vulnerability is previously detected, based on the extracted vulnerability data;
retrieve historical data relating to the vulnerability that is previously detected from a database (209), wherein the historical data are data collected from one or more preceding scanning tasks;
identify if the vulnerability is detected in a repeated scanning task, based on the retrieved historical data; and
compute a time for resolving the vulnerability if it is not previously detected or if it is not detected in the repeated scanning task; and
a verifying module (203) in communication with the extraction module (201), wherein the verifying module (203) is configured to:
analyse the vulnerability that is detected in the repeated scanning task if it still remains unresolved; and
assign a penalty to the vulnerability that remains unresolved in the repeated scanning task, wherein the penalty is assigned based on a decision matrix table which is built upon a relationship between penalty values, vulnerability severity levels and penalty types.
6. The system (101) according to claim 5, wherein the extraction module (201) or verifying module (203) is further configured to create and send a notification to the computer.
7. The system (101) according to claim 6 further comprising a rectifying module (205) for triggering and executing a new scanning task after a notification is received from the computer, informing that the vulnerability is resolved.
8. The system (101) according to claim 5 further comprising a scheduling module (207) for triggering and executing a new scanning task periodically or after the computed time for resolving the vulnerability has lapsed.
PCT/MY2019/050054 2018-09-13 2019-09-12 System and method for performing vulnerability assessment of a computer network WO2020055230A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
MYPI2018001552A MY191638A (en) 2018-09-13 2018-09-13 System and method for performing vulnerability assessment of a computer network
MYPI2018001552 2018-09-13

Publications (1)

Publication Number Publication Date
WO2020055230A1 true WO2020055230A1 (en) 2020-03-19

Family

ID=69778224

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/MY2019/050054 WO2020055230A1 (en) 2018-09-13 2019-09-12 System and method for performing vulnerability assessment of a computer network

Country Status (2)

Country Link
MY (1) MY191638A (en)
WO (1) WO2020055230A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050010821A1 (en) * 2003-04-29 2005-01-13 Geoffrey Cooper Policy-based vulnerability assessment
JP2009237807A (en) * 2008-03-26 2009-10-15 Nippon Telegr & Teleph Corp <Ntt> Vulnerability diagnosis conducting apparatus and diagnostic schedule generating program
US20130167238A1 (en) * 2011-12-23 2013-06-27 Mcafee, Inc. System and method for scanning for computer vulnerabilities in a network environment
US9507943B1 (en) * 2013-02-19 2016-11-29 Amazon Technologies, Inc. Analysis tool for data security
US20180253558A1 (en) * 2015-10-06 2018-09-06 Assured Enterprises, Inc. Method and system for identification of security vulnerabilities

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113609491A (en) * 2021-08-02 2021-11-05 中通服咨询设计研究院有限公司 Plug-in vulnerability automatic scanning method based on message queue
CN113609491B (en) * 2021-08-02 2024-01-26 中通服咨询设计研究院有限公司 Plug-in vulnerability automatic scanning method based on message queue

Also Published As

Publication number Publication date
MY191638A (en) 2022-07-05

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19859191; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 19859191; Country of ref document: EP; Kind code of ref document: A1)