« PreviousContinue »
METHOD AND SYSTEM FOR QUANTITATIVELY ASSESSING COMPUTER NETWORK VULNERABILITY
FIELD OF THE INVENTION
 The present invention relates generally to quantitative assessment of security vulnerabilities. More particularly, the present invention relates to automated assessment and quantification of, or security risks associated with, the vulnerabilities of computer networks.
BACKGROUND OF THE INVENTION
 Computer networks are a collection of interconnected computers, linked together for the purposes of sharing resources such as printers, storage space and processing power, and allowing interaction between computers both within and without the network. Each computer on a network is also referred to as either a node or a host. Typically each computer can interact with other computers on the network. In many cases a computer network is connected to other computer networks to form an internet. This is the typical manner in which the Internet is designed. Allowing computers in a corporate network access to the Internet, or other such public networks, results in allowing other computers attached to the public network to have a degree of access to the various nodes on the corporate network. Clearly, allowing a large number of unknown users access to the data stored on a corporate network exposes the corporate network to the risk of data corruption, theft, or system unavailability all of which are highly undesirable. As a result, it is essential to secure a computer network from external users who should not have access to the network. Securing a computer network from external attack is a tradeoff between allowing a system to be accessible to valid users and inaccessible to malicious attackers. A system can easily be made secure from attack by eliminating the network's ability to communicate with other networks, however, this is clearly not an acceptable solution in most cases.
 The security of a computer network can only be guaranteed if all potential interaction with users is prevented, i.e. malicious users will not have a chance while there is no opportunity for inadvertent security violation by authorized users. As mentioned above, to fully secure the network from interaction with malicious users connection to the external network must be eliminated, which severely limits the value of the network itself. Thus, for a system to be useable and functional a certain degree of vulnerability to attack is likely. The goal of network security is to minimize the vulnerability of a network, while maintaining access needed to meet legitimate use of the network.
 The degree to which a network is vulnerable is related to the number of possible attacks against which it has not been secured. It should be noted that so long as the computer network is accessible, it cannot be completely secure. At best it will be secure against all known attack methodologies, but may be vulnerable to an as yet unidentified means of malicious penetration. Due to the interest in keeping critical systems running, and the requirement of these systems to have connections available to users, and possibly to a broader network, it is crucial to be able to evaluate a computer network on the basis of its vulnerability to attack, in a quantitative manner.
 In a typical network, such as the Internet, a transport layer transmits data as packets, or more generally data units, also generically known as transport protocol data units (TPDU). The receiving transport entity receives the TPDU from the network layer, which handles the routing of the data. In a network such as the Internet, various processes or application programs can be configured to receive data from the transport entity. To facilitate the receipt of data for multiple processes or applications, it is common to employ data ports in the transport layer, so that TPDUs, intended for a particular service, can be identified by a port number. If a service or application program receives data on a particular port, the application or service is considered to be bound to the port. The availability of ports indicates the availability of a service, and in many cases individual ports have become associated with given services (e.g. port '80' is typically reserved for hyper-text transfer protocol (http) servers).
 Typically, attacks on a network prey on known flaws in services bound to available ports. For example, a malicious party can scan a network to determine ports that are open, and then attempt to attack the services on the open ports to gain access to the network using known exploits associated with the service. Alternatively, a malicious party, with access to a network, can scan ports associated with services, such as file transfer protocol (FTP) or telnet servers, and then attempt to employ a "packet sniffer" to discern userid and password information transmitted as plain text; these services transmit data in the clear, i.e. their data is NOT encrypted A third method of network attack is to covertly introduce a backdoor to a system through such methods as getting help of an inside party, or through malicious email scripting. These backdoors are typically assume port numbers that minimize the risk of interfering with an existing service and makes it hard to detect them. Typically, these backdoors could exist for a long time without system administrators being aware of their existence.
 When a port is open, the application bound to it responds to all traffic directed to the port. This is considered to be the most dangerous state for a network, as traffic from any source is allowed to interact with the application. If no application is using a given port, any traffic destined for that port is dropped, making the system secure to attacks on that port. Such a port is considered closed. An intermediate port condition is a filtered port. A filtered port responds only to requests from an address recognized as emanating from a trusted party. This is considered to be a safe practice, but it should be noted that if a number of computers running different services all employ filtering, a web of trust is created, allowing users inside this trusted circle access to other computers. This web of trust is only as secure as its least secure member, since a malicious attacker can gain access to all of the computers in the trusted circle by accessing the least secure member.
 Despite the fact that it is generally considered to be safer to close ports attached to unneeded services than to leave those services available, many computer networks are vulnerable to attack because unused services are still active, and have not been secured. In many cases services are installed by either applications or operating systems in a default installation, and they remain unused, unmaintained, and open to attack. In other cases, services cannot be removed without compromising the utility of a system. In
many of these cases replacing an insecure service with a secure service, such as secure FTP (SFTP) instead of FTP, can reduce the vulnerability of the network to external attack.
 Another common method of securing a network is to employ a gateway, so that only one computer on the network is directly accessible to the external network. This system typically acts as a firewall, and prevents malicious access to the other computers in the network. Firewalls typically allow only legitimate business-related services into an internal network. Additionally, firewalls are known to interrupt certain services, such as peer-to-peer network sharing between computers on either side of the firewall. Allowing such communication through a firewall is like "punching a hole" in a wall and hence introduces a degree of exposure to exploitation.
 In a practical computing environment, every network has a degree of vulnerability. If a system is designed to serve users, and to communicate with outside services it can only be protected from known attacks. It will be readily apparent that the existence of an open port is in itself a liability, but the degree of vulnerability depends also on the security of the application running on the open port. Simply closing all ports may eliminate vulnerability, but it is the equivalent of unhooking the computer from the network, which provides security at the expense of utility.
 The United States Federal Bureau of Investigation (FBI) and the System Administration Networking and Security (SANS) Institute are viewed as the pre-eminent sources of information regarding the top identified threats to networks. In general, most attacks on a computer network rely upon well known "exploits" that allow malicious parties to gain access to a node on a network, either by using scripted tools or manually exploiting the known vulnerability. Because most attacks are based on known exploits, the FBI and the SANS Institute are able to inform network administrators of possible attacks and ports that should be secured by maintaining a list of known security problems. Typically, the list of dangerous ports published by the two organization are arrived via industry consensus on the danger associated with the ports.
 Currently, assessment of the vulnerability of a network to attack is provided by a system administrator utilizing a port scanner, such as nmap, and then cross checking the open ports deemed most dangerous, e.g. those listed on the SANS or FBI lists. After determining which ports on each computer are potentially vulnerable, the application bound to the port must be checked to see if it is vulnerable to the attack. In a standard TCP based network, each computer has 65,535 potential ports, each of which can be bound to a service. An open port that is not on the SANS or FBI lists is still a potential vulnerability, as there may be associated exploits that are not deemed to be as dangerous as those of the ports on the lists. It could also be used by a "Trojan horse" application designed to give access to the system to malicious parties. Thus an accounting for each of the 65,535 ports must be made. This is a time consuming task, and must be repeated on each computer in the network. The same service can be also provided by different applications, for example two different web server applications. The choice of web server application affects the vulnerability of a system, as each application has its own vulnerabili
ties. A list of open ports which does not include information about the type of service running on the port is not a sufficient tool with which to fully secure a network.
 There are no known software applications, such that map all of a computer's applications to the ports to which they are bound. This would allow an administrator to identify open ports and services available on a network and allow investigation of the potential extent of exposure from the services available. Further, there are few tools that allow for the quantification of vulnerabilities present in a network and hence the associated quantification of the security risks within the network.
 Typically, system administrators have to live with a degree of vulnerability in order to provide utility of the systems they manage. As mentioned earlier, it is not possible to secure systems against all attacks. At the present time there is no standard method for assessing the vulnerability of a system to attack based on services available other than the exhaustive port listing and risk list comparison. This time consuming method does not result in a quantitative result, but instead relies upon a qualitative assessment made by the administrator. Alternatively, so-called "white hat hackers", who attack a system on behalf of its administrator are employed to test the system against typical attacks. Neither of these approaches provide a repeatable method of assessment that can be performed across an entire wide area network to allow a corporation or other such entity to enforce an overall quantitative security policy, nor can quantitative security assessments be made between networks.
 It is, therefore, desirable to provide a method and system for quantitative analysis of the vulnerability of a computer network to attack. This method would quantify risk associated within open ports within an network, being an aggregation of risks associated with individual systems or nodes in the network.
SUMMARY OF THE INVENTION
 It is an object of the present invention to obviate or mitigate at least one disadvantage of previous methods for assessing the vulnerability of computer networks to malicious access. It is a particular object of the present invention, to provide a method for providing a quantitative assessment of the vulnerability of the computer network.
 In a first aspect, the present invention provides a method of quantitatively assessing the vulnerability of an elementary network unit, which includes at least one host, in which the state of each port, and application bound thereto, is known. This method comprises the steps of first classifying each port on each host in the elementary network unit and subsequently determining a quantitative vulnerability rating for the elementary network unit in accordance with the classification of each port on each host in the elementary network unit.
 In an embodiment of the present invention the step of classifying each port includes the determining, for each port, a network vulnerability rating, an application vulnerability rating and a port status rating. The step of determining a quantitative vulnerability rating for the elementary network unit includes determining, for each port, a port vulnerability rating as a function of the network vulnerability rating, the application vulnerability rating and the port status rating, and determining, for each host in the elementary network unit, a host vulnerability rating as a function of the determined port vulnerability rating for each port associated with the host, and finally determining the quantitative vulnerability rating for the elementary network unit as a function of the determined host vulnerability ratings for each host in the elementary network unit. In another embodiment of the first aspect of the present invention, the network vulnerability rating is determined by network protocol conventions regarding the assignment of ports. In alternate embodiments the application vulnerability rating is determined by a combination of the application, and version of the application, bound to the port, and the operating system associated with the application. In further embodiments the port status rating is determined by the state of each port, which is selected from open, closed and filtered.
 In a further aspect, the present invention provides an application program for quantitatively assessing the vulnerability of a computer network based on the state of, and application bound to, each port received from a network scanning application, the computer network being logically grouped into at least one elementary network unit having at least one host. The application program has classification means for classifying each port on each host in the elementary network unit as well as means for determining a quantitative vulnerability rating for the elementary network unit in accordance with the classification of each port on each host in the elementary network unit.
 In embodiments of the application program of the present invention, the classification means includes means for determining a network vulnerability rating for each port, means for determining an application vulnerability rating for each port and means for determining a port status rating for each port. In other embodiments of the present aspect of the invention, the means for determining a quantitative vulnerability rating for the elementary network unit includes means for determining, for each port, a port vulnerability rating as a function of the network vulnerability rating, the application vulnerability rating and the port status rating, means for determining, for each host in the elementary network unit, a host vulnerability rating as a function of the determined port vulnerability rating for each port associated with the host and means for determining the quantitative vulnerability rating for the elementary network unit as a function of the determined host vulnerability ratings for each host in the elementary network unit.
 Another aspect of the present invention provides a graphical representation for displaying computer network vulnerability. The graphical represetation provides a plot of the computer network divided into elementary network units, each elementary network unit having a quantitative vulnerability rating.
 A further aspect of the present invention provides a method for evaluating risk in a computer network, the computer network having at least one elementary network unit. This method consists of the steps of determining a quantitative vulnerability rating for each elementary network unit and determining a risk associated with the computer network by in accordance with the determined quantitative vulnerability ratings. The step of determining the risk can include aggregating each determined quantitative vul
nerability rating, and the step of determining the risk can include comparing the determined quantitative vulnerability ratings to benchmarks.
 Other aspects and features of the present invention will become apparent to those ordinarily skilled in the art upon review of the following description of specific embodiments of the invention in conjunction with the accompanying figures.
BRIEF DESCRIPTION OF THE DRAWINGS
 Embodiments of the present invention will now be described, by way of example only, with reference to the attached Figures, wherein:
 FIG. 1 is a flow chart of a method of the present invention;
 FIG. 2 is a flowchart of a method of the present invention;
 FIG. 3 is a graphical risk map of an exemplary network generated in accordance with the present invention;
 FIG. 4 is an Open Services Map of an exemplary network generated in accordance with the present invention; and
 FIG. 5 is an Open Port Count Map of an exemplary network generated in accordance with the present invention.
 Generally, the present invention provides a method and system for quantitatively assessing the degree of vulnerability of a computer network to attack. It is common in the art to design computer networks so that the overall network is divided into a number of groups based on trust relationships, herein referred to as elementary network units (ENU). Each computer in a network has a set of trust rules that define how the computer will share its resources. Typically, a number of networked computers have similar rules of trust so that all the computers are able to share their resources freely. This interconnected trust relationship defines the ENU. Because of the trust relationship between computers in the ENU, gaining access to one of the computers can compromise the entire ENU. The size of an ENU can vary, depending upon the trust rules established. In some instances a single computer may be an ENU, while in others entire addressing subnets may form an ENU. The method of the present invention will be described in an embodiment where only a single ENU is evaluated. To evaluate the entire network, a series of ENUs would be scanned, in series or in parallel, and the associated vulnerabilities aggregated. Alternatively, it is possible to treat the entire network as an ENU and scan the entire network.
 In general, the method of vulnerability assessment according to the present invention is illustrated in the flowchart of FIG. 1. Prior to commencing the process of evaluation of the vulnerability of the network each of the nodes in the ENU is scanned to determine the status of its ports and the applications or services bound thereto. In a network operating with a standard TCP stack, there are 61,535 ports per network node. The status of each port, as determined by the scan, is then used to classify each open port in step 100. This classification can be performed in a number of ways, as will be elaborated below. In step 102 a