On Computing Enterprise IT Risk Metrics

Abstract: Assessing the vulnerability of large heterogeneous systems is crucial to IT operational decisions such as prioritizing the deployment of security patches and enhanced monitoring. These assessments are based on various criteria, including (i) the NIST National Vulnerability Database, which reports tens of thousands of vulnerabilities on individual components, with several thousand added every year, and (ii) the specifics of the enterprise IT infrastructure, which includes many components.

Defining and computing appropriate vulnerability metrics to support decision making remains a challenge. Currently, several IT organizations make use of the CVSS metrics that score vulnerabilities on individual components. CVSS does allow for environmental metrics, which are meant to capture the connectivity among the components; unfortunately, Section 2.3 of [1] gives no guidelines for how these should be defined and, consequently, environmental metrics are rarely defined and used.

We present a systematic approach to quantify and automatically compute the risk profile of an enterprise from information about individual vulnerabilities contained in CVSS scores. The metric we propose can be used as the CVSS environmental score. Our metric can be applied to the problem of prioritizing patches, customized to the connectivity of an enterprise. It can also be used to prioritize vulnerable components for purposes of enhanced monitoring.
Document type:
Conference paper
Jan Camenisch; Simone Fischer-Hübner; Yuko Murayama; Armand Portmann; Carlos Rieder. 26th International Information Security Conference (SEC), Jun 2011, Lucerne, Switzerland. Springer, IFIP Advances in Information and Communication Technology, AICT-354, pp.271-280, 2011, Future Challenges in Security and Privacy for Academia and Industry. 〈10.1007/978-3-642-21424-0_22〉

https://hal.inria.fr/hal-01567601
Contributor: Hal Ifip
Submitted on: Monday 24 July 2017 - 10:40:21
Last modified on: Thursday 28 December 2017 - 13:58:02

File

978-3-642-21424-0_22_Chapter.p...
Files produced by the author(s)

License

Distributed under a Creative Commons Attribution 4.0 International License

Citation

Sandeep Bhatt, William Horne, Prasad Rao. On Computing Enterprise IT Risk Metrics. Jan Camenisch; Simone Fischer-Hübner; Yuko Murayama; Armand Portmann; Carlos Rieder. 26th International Information Security Conference (SEC), Jun 2011, Lucerne, Switzerland. Springer, IFIP Advances in Information and Communication Technology, AICT-354, pp.271-280, 2011, Future Challenges in Security and Privacy for Academia and Industry. 〈10.1007/978-3-642-21424-0_22〉. 〈hal-01567601〉
