Post on 02-Apr-2018
Type of Submission: Paper
Title or Topic: The Network Vulnerability Tool (NVT) – A System Vulnerability Visualization Architecture
Abstract: For the past two years, Harris Corporation has been conducting research for the U.S. Air Force Research Laboratory under the Network Vulnerability Tool (NVT) Study. The Network Vulnerability Tool concept develops and applies a single topological system model. This model supports the information needs of multiple vulnerability analysis tools using an integrated knowledge solicitation and translation framework. As part of this effort, vulnerability tools from COTS, GOTS, and research laboratory sources were surveyed, and a representative sample tool collection was selected for inclusion in the NVT prototype. The prototype integrates and interactively applies multiple existing vulnerability assessment technologies, resulting in a cohesive, combined vulnerability/risk assessment. The combined risk assessment provides a readily comprehensible picture of the risk posture, assisting the analyst in the definition of an acceptable risk posture for an operational system or preliminary system design. The NVT program has defined and developed a vulnerability assessment environment, consolidating multiple vulnerability sources and tool types into a coherent vulnerability visualization architecture. This paper describes the Network Vulnerability Tool architecture, its components, important architecture features, benefits of the NVT approach, and potential future enhancements.
Keywords: Vulnerability Assessment, Risk Management, Data Visualization, Security Architecture and Design
Authors: Ronda R. Henning and Kevin L. Fox, Ph.D.
Organizational Affiliation: Harris Corporation
Telephone Numbers: 407-984-6009 (voice) 407-984-6353 (fax)
E-mail address: rhenning@harris.com
Point of Contact: Ronda Henning
U.S. Government Program Sponsor: Air Force Research Laboratory/IFGB
Contract Number: F30602-96-C-0289
U.S. Government Publication Release Authority: Dwayne P. Allain or Peter J. Radesi
The Network Vulnerability Tool (NVT) – A System Vulnerability Visualization Architecture
Ronda R. Henning, Harris Corporation
P.O. Box 98000, M/S W2-7756, Melbourne, FL 32902
(407) 984-6009, rhenning@harris.com
Kevin L. Fox, Ph.D., Harris Corporation
P.O. Box 98000, M/S W3-7755, Melbourne, FL 32902
(407) 984-6011, kfox@harris.com
I. Introduction
The next generation of information systems and infrastructures under development by the Department of Defense and the Intelligence Community are built upon the concept of acceptable risk. That is, the security features and system architecture are deemed to provide sufficient protection over the life of the data processed. In previous generations of systems a risk-averse vulnerability posture dictated custom hardware and software solutions. Today, the rapid evolution of technology and proliferation of computing power mandate the use of commodity Commercial-Off-The-Shelf (COTS) hardware and software components for cost effective solutions. This strong dependence on COTS implies that commercial grade security mechanisms are sufficient for most applications. Security architectures, therefore, must be structured to build operational, mission-critical systems with relatively weak COTS components. Higher assurance components are placed at community or information boundaries, forming an enclave-based security architecture that implements a defense-in-depth approach to information assurance.
There are few design tools available to the system architect to assist in maximizing the available protection mechanisms while remaining within the development budget. Current generation risk analysis tools usually are single vendor solutions that address a particular aspect or aspects of risk. These tools tend to fall into one of three categories:
1. Tools that work from documented vulnerability databases and possibly repair known vulnerabilities. Tools of this type are vendor-dependent for database updates, either through new product versions or by a subscription service. Examples from this category include ISS’ Internet Scanner, Network Associates, Inc.’s CyberCop, and Harris’ STAT.
2. Monolithic tools that use various parameters to calculate a risk indicator. These tools are difficult to maintain and hard to keep current with the rapidly evolving threat and technology environment. An example of this tool category is the Los Alamos Vulnerability Assessment (LAVA) tool.
3. Tools that examine a particular aspect of the system, such as the operating system or database management system, but ignore the other system components. SATAN, for example, analyzes operating system vulnerabilities but ignores infrastructure components such as routers.
None of these tools implement an aggregate snapshot approach to the system, with a “drill down” or layered approach to facilitate addressing risk at various layers (network, platform, database, etc.) of the system. They provide little assistance to system designers when analyzing alternatives among security risk, system performance and mission functionality. Instead, a “risk solution” is provided that addresses the particular aspect of risk that a given tool was designed to calculate. To develop a comprehensive risk assessment, a tool user would have to become proficient in the use of several tools, and manually correlate the resulting outputs.
A key for successful risk analysis is complete and accurate data for the generation of the system models used by the analysis tools. Most of the current generation of risk analysis tools depend on surveys filled out by users, system operations personnel, and analysts to acquire the data for development of the system model used for the analysis. Alternatively, active network scanning may be used to test various vulnerabilities against system components. Textual or survey-based knowledge solicitation techniques are labor intensive and potentially tedious for the analyst. Many of the existing tools reuse the same information to analyze different aspects of the system security. A centralized repository of modeling data could provide a basis for shared inputs among existing tools. This repository could be used to generate data sets for use by risk analysis tools, allowing multiple tools to be run against the same system without separate input activities, reducing the possibility of operator error. The use of multiple risk analysis reasoning engines, or backends, would allow various aspects of the system to be analyzed without the cost of developing one tool to perform all types of analysis. Integration of the information and the resulting informed assessments available by applying multiple tools could produce a more robust and accurate picture of a system’s vulnerability posture. These results can facilitate more informed system design decisions, providing a framework for alternative evaluation and comparison.
For the past two years, Harris Corporation has been conducting research for the Air Force Research Laboratory under the Network Visualization Tool (NVT) Program. The NVT concept defines a knowledge solicitation and translation framework for the risk assessment process. This framework incorporates a graphical description of a network topology, a central repository of modeling data, and report consolidation from multiple risk/vulnerability assessment tools into a single vulnerability assessment. Results are presented to a system user through a comprehensible, graphical interface. The goal of this effort is to assess the feasibility of developing such a framework for a graphical risk analysis environment accommodating both existing and new risk analysis techniques.
The result of the Network Visualization Tool effort is an initial vulnerability visualization and assessment environment, consolidating multi-source output into a cohesive capability within an open, standards-based architecture. This paper describes the NVT system architecture and its components, features and benefits of our approach, future research topics, and potential applications.
II. System Overview
Under the Network Visualization Tool program, an innovative and unique vulnerability assessment framework that can accommodate changes to the threat and technology environment and preserve the data from current risk analysis tools is being developed. The goal of this effort is to research, develop, test, and demonstrate an engineering prototype for a system vulnerability assessment framework that helps system architects identify security vulnerabilities and develop cost-effective countermeasures.
NVT provides a flexible, extensible, and maintainable solution. The NVT prototype isolates factual information about a system from the reporting and processing capabilities of individual vulnerability assessment tools. No single vulnerability assessment tool can adequately address all components of a comprehensive system architecture. A monolithic assessment system is difficult to evolve with the dynamic nature of threat and technology. NVT allows multiple tools to share data, and then fuses their results to provide a concise picture of a network’s security posture to an NVT user, as illustrated in Figure 1. Our objective was to develop a prototype system security engineering tool that:
• Functions as a design tool to identify vulnerabilities in an architecture before the architecture is built and help enforce good security design principles
• “Snapshots” a system and its vulnerabilities, enabling comparison of how risk evolves over the system lifecycle
• Applies static vulnerability databases from a variety of sources
• Applies legacy risk analysis tools and threat models
• Correlates information from various risk models/tools into an understandable picture of the system’s vulnerabilities
• Allows what-if analysis to facilitate trade off analysis between security, functionality, performance, and availability
• Provides an easy to use way to specify the relevant characteristics of a system design
Figure 1. NVT Fuses the Results of Multiple Risk Analysis Tools to provide a Single, Comprehensive Network Security Posture Report.
Our vision for a system security engineering tool facilitating system vulnerability assessment incorporates a single, graphical representation of a system. This system representation is provided to multiple risk/vulnerability assessment tools and vulnerability data or knowledge bases, resulting in a single, consolidated input to multiple tools. A Fuzzy Expert System applies the unique correlation technology of FuzzyFusionTM to combine the
unified report. The architecture concept is
The NVT prototype is implemented on an Intel
This platform was selected as a low cost solution
The initial tool suite employs a number of
• HP OpenView, for network automatic
• ANSSR, a GOTS network system analysis
• RAM, NSA’s risk assessment methodology,
programming language.
vulnerability
[Figure 2 diagram: Data Sources (User Entered Information, Vulnerability Tool (STAT), SNMP Discovery, Legacy Risk Tool Data (ANSSR), Vulnerability Tool (ISS)) feed the Complete System Object Model / System Picture. Per tool analysis produces Individual Tool Reports; multi tool analysis applies FuzzyFusionTM over a Factbase; tool to expert analysis uses DPL-f, CERT Notes and an Expert System. Report Media: Icon, Text, Excel, Access, Config. Legend: “= Part of NVT Prototype”.]
Figure 2. The NVT Vulnerability Assessment Tool Architecture Concept.
With supporting compilers and display capabilities, NVT represents the integration of 12 COTS packages into a cohesive risk assessment capability.
II.1 System Architecture Data Entry
NVT is based on the concept of a knowledge solicitation framework that incorporates a graphical description of a network topology. This topology is used for capture of network attributes, and is subsequently analyzed for security vulnerabilities. The knowledge solicitation portion of NVT applies modern network discovery capabilities and a graphical user interface. This improves the accuracy of the network model, provides a common network description for multiple risk analysis reasoning engines, and enhances the productivity of the system security analyst.
The NVT prototype automatically maps an existing network, or can be used for the manual entry of a network design. The prototype uses HP OpenView to graphically depict a network topology. As illustrated in Figure 3, once it has been given the IP address of the default router for the network, NVT, through the use of OpenView, can search for computers and other devices attached to the network. It performs an active search, pinging possible IP addresses on the network, and adding whatever response information it receives to its network map. NVT also provides, through OpenView, a manual method to draw a proposed network with a graphical user interface that supports drag and drop. A System Security Engineer can rapidly define a given system architecture, including the security critical information. For example:
• A user can apply the manual entry capability to consider alternative designs as part of a trade study.
• A user may edit the properties of each node, providing additional details as required to provide complete logical network planning.
• A user can also represent an entire network on a map by using a subnetwork icon. A detailed map of the subnetwork can be linked to this icon and displayed by double clicking on the icon.
[Figure 3 screenshot: Automatic Discovery]
Figure 3. HP OpenView’s Network Discovery Tools enable NVT users to Map an Existing Network for Further Security Analysis
Once the system description has been completed, the NVT prototype represents and stores the description in an object/class hierarchy. This single topological model supports the information needs of multiple reasoning (vulnerability/risk assessment) tools, as well as the FuzzyFusionTM of their results into a cohesive vulnerability/risk assessment. NVT translates this system representation into the appropriate format for each of the assessment tools employed. This single representation of a system simplifies the use of multiple tools, eliminating redundant data entry. It also provides the foundation for addressing the problem of incomplete data for a given vulnerability assessment tool, and for future knowledge negotiation capabilities.
II.2 Risk Analysis Tool Selection
Under the Network Visualization Tool program, current COTS, GOTS and research vulnerability assessment and reasoning tools were surveyed to determine their capabilities and availability. Tools were categorized by the types of vulnerabilities assessed, and their functional characteristics. Each tool was further evaluated on its data acquisition and output formats to determine how the information can be applied in the NVT engineering prototype implementation. The primary criteria were the operating system required by the tool, the capability of the tool to assess network environments, the data gathering methods used by the tool, and the risk types assessed by the tool. The vulnerability assessment and reasoning tools have to be able to run in the NVT prototype’s operational environment (a PC with Windows NT).
A primary purpose of the NVT prototype is to demonstrate a framework with the flexibility to integrate and interactively use multiple existing vulnerability assessment and reasoning technologies. In order to demonstrate the proof of concept of integrating and interactively using multiple existing vulnerability assessment and reasoning technologies within program restrictions, a representative sample of tools was selected for inclusion in NVT. As a result of the tool survey, ANSSR, RAM, and ISS Internet Scanner were selected for inclusion in NVT.
Table 1. Capabilities Summary for the NVT prototype’s Initial Set of Analysis Tools
Selected Tool: ANSSR (Analysis of Networked Systems Security Risks), Mitre Corporation
  Functional Capabilities: Passive data gathering – model structure; survey based data gathering; network aware
  Risk Type: Single occurrence of loss
Selected Tool: RAM (Risk Assessment Model), NSA
  Functional Capabilities: Passive data gathering – event tree; prioritized attack list
  Risk Type: Mathematical model; multiple risks/services; event based over time
  Extensible to Risk Type: Comparison of effectiveness of different designs; not limited to computers/networks; optimization of system/cost benefit analysis
Selected Tool: ISS Internet Scanner, Internet Security Systems (ISS) Corporation
  Functional Capabilities: Active data gathering – scans network for hosts, servers, firewalls, and routers; assesses security and policy compliance of networks, operating systems, and software applications
  Risk Type: Computer network compliance report (snapshot in time)
These three tools met the requirements and provided the greatest diversity of functional capabilities, as shown in Table 1. The selected tools represent the greatest diversity of characteristics with the fewest expected integration risks.
The RAM model has been incorporated into a COTS tool, the DPL-f programming language for decision support, developed by Applied Decision Analysis, Inc., a subsidiary of PriceWaterhouseCoopers, LLC. This provides RAM with additional capabilities for rapid fault tree construction, libraries of embedded fault trees, an expert opinion generation system, enumeration and ordering of cut sets, and graphical portrayal of risk over time.
II.3 Output Report Correlation and Generation
None of the above tools take an aggregate snapshot approach to the system, with a “drill down” or layered approach to address risk at various layers (network, platform, database, etc.) of the system. Using multiple risk analysis tools would allow various aspects of the system to be analyzed for vulnerabilities without the cost of developing one tool to perform all types of analysis. To provide a more comprehensive vulnerability assessment of a system than any one tool could provide, the outputs of the various tools must be integrated and fused into a single, concise report. This would provide greater assistance to system designers analyzing alternatives among security risk, system performance, and mission functionality.
Under the Network Visualization Tool effort, we investigated technologies that would support our goal of integrating and fusing the results from multiple vulnerability analysis applications. By examining the variety of current COTS and GOTS products, and the variety of inputs and outputs those products require, it became apparent that fuzzy decision technology offered the most flexible solution to our problem. Our focus on fuzzy decision methodologies as our technology foundation was based on an analysis of a variety of technologies, including Expert Systems, Database Systems, Data Fusion, Neural Networks, Fuzzy Logic, and Fuzzy Expert Systems. The latter is based on the premise that multi-criteria, multi-expert decision making can lead to a best-fit answer. The primary benefit of a fuzzy reasoning system is its ability to use and assimilate knowledge from multiple sources. We believe that fuzzy expert system technology is applicable because:
• An expert exists for each tool that we wish to include in the system
• The problem itself is fuzzy; it has ambiguities and often partial information
• We can incrementally learn and apply new technologies as the system grows
• We believe we can identify valid membership functions for the mapping of data to concept and concept to knowledge
Figure 4. NVT leverages Existing Vulnerability Assessment Tools to present a Single, Cohesive Risk Picture.
As a result of our research of existing technologies, Harris has developed FuzzyFusionTM technology to combine the results of multiple vulnerability assessment/risk analysis tools into a unified report. FuzzyFusionTM combines the techniques of fuzzy logic, fuzzy expert systems and data fusion. FuzzyFusionTM incorporates Level 2 data fusion, since our data is already aligned. We have an established network model and operator environment, and need to establish the relationship between the network model and the findings of the risk analysis tools. Real world measurements are captured in fuzzy logic. The reasoning concepts from data fusion are used to establish relationships among the network model, vulnerability findings from the various tools, and the knowledge of network security experts. FuzzyFusionTM is accomplished through the use of a fuzzy expert system, which combines the outputs of the various tools, user concerns about system risks and vulnerabilities, and expert understanding of the results of each tool and how these fit into the larger information system security picture.
Output of the concise assessment can be provided to the NVT user through multiple means and in various degrees of detail, as illustrated in Figure 4. The graphical network map of a system can be color-coded to provide a visual indication of where the greatest risks are located. In Figure 4, the node with the greatest associated risk is colored red. Less severe risks are colored yellow. A pop-up slider window can also be utilized to indicate the top N risks, and their severity. Further details, such as text reports and spreadsheet analyses, can be accessed by drilling down through the layers of information.
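The fusion and reporting steps above, as an added illustration (this is not Harris’ FuzzyFusionTM code): findings from several tools that all refer to nodes of one shared system model are mapped to fuzzy severity memberships by a per-tool expert rule, combined with expert confidence weights, defuzzified to one risk value per node, then colour-coded and ranked for a top-N display. The tool names, native scales, weights, colour cut-offs and sample findings are all constructed assumptions.

```python
"""Added illustration of fuzzy fusion of multi-tool findings (constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    tool: str     # assessment tool that produced the finding
    node: str     # node identifier in the shared system model
    score: float  # the tool's native score; its scale differs per tool


# Per-tool "expert" (constructed): how to map the native score onto a unit
# scale [0, 1], and how much weight that tool's opinion is given.
EXPERTS = {
    "scanner": (lambda s: min(s, 4.0) / 4.0, 1.0),  # count of high findings, saturates at 4
    "survey": (lambda s: (s - 1.0) / 4.0, 0.6),     # analyst rating 1..5
    "model": (lambda s: float(s), 0.8),             # modelled probability of loss 0..1
}

# Representative risk value of each fuzzy severity set, used to defuzzify.
CENTROIDS = {"low": 0.15, "medium": 0.5, "high": 0.85}


def fuzzify(tool: str, score: float) -> dict:
    """Degree of membership of a tool's native score in low/medium/high severity."""
    to_unit, _weight = EXPERTS[tool]
    u = max(0.0, min(1.0, to_unit(score)))
    return {
        "low": max(0.0, (0.5 - u) / 0.5),              # 1 at u=0, fades out by 0.5
        "medium": max(0.0, 1.0 - abs(u - 0.5) / 0.3),  # peaks at 0.5, zero at 0.2 and 0.8
        "high": max(0.0, (u - 0.5) / 0.5),             # starts at 0.5, 1 at u=1
    }


def fuse(findings) -> dict:
    """Fuse every tool's memberships per node into one risk value in [0, 1].
    Weights are normalised over the tools that actually reported on a node, so a
    node missing one tool's data (incomplete input) still gets the best answer
    the remaining tools can give."""
    per_node = {}
    for f in findings:
        per_node.setdefault(f.node, []).append(f)
    risks = {}
    for node, fs in per_node.items():
        total_w = sum(EXPERTS[f.tool][1] for f in fs)
        fused = {sev: 0.0 for sev in CENTROIDS}
        for f in fs:
            w = EXPERTS[f.tool][1] / total_w
            for sev, m in fuzzify(f.tool, f.score).items():
                fused[sev] += w * m
        mass = sum(fused.values())
        risks[node] = sum(CENTROIDS[s] * fused[s] for s in fused) / mass if mass else 0.0
    return risks


def colour(risk: float) -> str:
    """Map colour for the network map; the cut-offs are constructed."""
    if risk >= 0.65:
        return "red"
    if risk >= 0.35:
        return "yellow"
    return "green"


def top_n(risks: dict, n: int):
    """Highest-risk nodes first, as a pop-up top-N window would list them."""
    return sorted(risks.items(), key=lambda kv: kv[1], reverse=True)[:n]


# Constructed sample findings for three nodes; note fw1 has no "model" data.
SAMPLE = [
    Finding("scanner", "fw1", 0), Finding("scanner", "web1", 3), Finding("scanner", "db1", 1),
    Finding("survey", "fw1", 2), Finding("survey", "web1", 4), Finding("survey", "db1", 5),
    Finding("model", "web1", 0.6), Finding("model", "db1", 0.9),
]

if __name__ == "__main__":
    risks = fuse(SAMPLE)
    for node, r in top_n(risks, 3):
        print(f"{node:5s} risk={r:.2f} colour={colour(r)}")
```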
[Figure 5 screenshot: ANSSR Manual Entry]
Figure 5. Entering System Information into the Interface for ANSSR is a Manually Intensive Process.
III. Features & Benefits of NVT
The result of the NVT Program is a prototype demonstrating a comprehensive vulnerability profile based on the user defined acceptable risk of compromise to a given system. End users have a simple expression of the vulnerability posture of a given system or system design, and are capable of performing “what if” analysis for functionality, performance, and countermeasure trades.
The primary advantage of the NVT prototype is that it provides a flexible, modular, extensible approach to vulnerability assessment. This innovative design accommodates multiple risk assessment techniques, but only requires single entry of the system description (through auto discovery or manual entry of a model), which is a significant benefit to the System Security Engineer. Figure 5 illustrates the interface to ANSSR, which supports a character based GUI when it is used as a stand-alone tool. As the number of windows and menus suggests, entry of information into the tool is a manually intensive exercise. One of the benefits of NVT is that it automates providing the required system information to the various vulnerability assessment tools, allowing each tool to use only the input data it requires. NVT eliminates the manually intensive operations associated with legacy assessment tools, and preserves existing user investment in legacy methodologies. NVT also provides a mechanism to correlate information among tools. Information solicited from the user for any single tool is shared among all tools. Legacy vulnerability assessment tools and databases can be reused, and their results used in conjunction with alternate risk models.
NVT was designed to be an affordable vulnerability assessment environment. Many monolithic risk assessment tools require high performance Unix platforms and cost over $40,000 per copy of each tool. The NVT prototype is being developed on a Windows NT-based Pentium platform. Our initial tool suite reflects a desire to be economical and pragmatic in tool selection. Three COTS/GOTS vulnerability assessment tools are incorporated into the framework: ANSSR, DPL-f, and ISS Internet Scanner. Costs for the runtime licenses of COTS products currently employed within the NVT prototype along with a suitable NT workstation are approximately $30,000.
The modular, extensible system design for NVT ensures ease of technology transition and integration as new vulnerability tools and technology vulnerabilities come to market. This modularity also preserves user legacy models, and allows each user to select the tools most appropriate for his environment and needs. This model also allows a user to preserve his corporate investment. For example, if an organization already employs active scanning technology, the tool can be integrated into the NVT framework with little difficulty. This provides a new source of input (the existing tool), and makes new processing elements (additional risk assessment tools) available to the enterprise.
IV. Future Research
The basic foundation of NVT provided valuable experience in risk analysis tool integration and correlation technologies. Future research and development efforts would benefit from feedback from System Security Engineers using the NVT prototype as a tool to:
• Identify vulnerabilities and enforce good security design principles
• “Snapshot” a system and its vulnerabilities, and compare how risk evolves over the system lifecycle
• Correlate information from various risk tools in an understandable graphical vulnerability analysis
• Support hypothetical analysis, facilitating architecture choices among security, functionality, performance, and availability
• Provide rapid specification of the relevant characteristics of a system design
Beyond the efforts conducted under the initial NVT Program, further research is needed to improve the FuzzyFusionTM used to combine outputs from various risk analysis tools into a unified report. In addition, we have identified new functionality to incorporate into result analysis, including:
• Temporal based reasoning – accounts for the time required to exploit a known vulnerability as part of the system assessment process. It enables a user to perform a vulnerability assessment that takes into account the time required to exercise a given vulnerability. For example, if the time required to penetrate/compromise a node exceeds the timeline for a mission, then the threat is minimal.
• Vulnerability thresholding – minimizes continued computation when an aggregate vulnerability level in a given system or segment exceeds a user defined limit, allowing the user to define his own vulnerability tolerance. It eliminates possibly computationally intensive search trees when a sufficiently lethal vulnerability is located, or when a large number of vulnerabilities are identified. It allows the user to define his vulnerability tolerance level, and supports tailorable definitions of acceptable levels of vulnerability.
• Reasoning with uncertainty or incomplete data information – provides the user with some answer, the best that is available with the information available.
• Vulnerability trade-off visualization techniques – allow the user to easily perform what-if analysis and experimentation among performance, functionality, and countermeasures. It enables the user to readily understand the trade-offs among desired capabilities.
This functionality will allow NVT to more accurately reflect the human decision making process. Further, it will support a more robust, systems orientation towards vulnerabilities, accommodating consideration of application and platform vulnerabilities as well as network vulnerabilities.
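The temporal reasoning and vulnerability thresholding items in the list above, as an added illustration that is not NVT project code: each node carries vulnerabilities with an estimated time-to-exploit, a vulnerability that outlasts the mission timeline is discounted to a minimal residual threat, and a segment’s nodes are folded into an aggregate one at a time with evaluation stopping as soon as the aggregate exceeds the user’s tolerance. Severities, exploit times, the residual factor, the segment layout and the tolerance are constructed sample values.

```python
"""Added illustration of temporal reasoning and vulnerability thresholding (constructed)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vuln:
    severity: float          # likelihood/impact of a successful exploit, 0..1
    hours_to_exploit: float  # expert estimate of the time needed to exercise it


RESIDUAL = 0.1  # constructed: what remains of a threat that outlasts the mission


def effective_severity(v: Vuln, mission_hours) -> float:
    """Temporal reasoning: a vulnerability that cannot be exploited within the
    mission timeline is treated as a minimal threat. mission_hours=None disables it."""
    if mission_hours is None or v.hours_to_exploit <= mission_hours:
        return v.severity
    return v.severity * RESIDUAL


def combine(values) -> float:
    """Aggregate independent risks as 1 - prod(1 - r): 'any one of them succeeds'."""
    p_safe = 1.0
    for r in values:
        p_safe *= 1.0 - r
    return 1.0 - p_safe


def node_risk(vulns, mission_hours) -> float:
    """Aggregate risk of one node after temporal discounting of each vulnerability."""
    return combine(effective_severity(v, mission_hours) for v in vulns)


@dataclass
class SegmentResult:
    risk: float
    evaluated: list = field(default_factory=list)  # nodes actually processed
    stopped_early: bool = False                    # threshold cut the search short


def assess_segment(segment: dict, tolerance: float, mission_hours) -> SegmentResult:
    """Vulnerability thresholding: stop folding nodes into the segment aggregate as
    soon as it exceeds the user-defined tolerance; remaining nodes are not evaluated."""
    result = SegmentResult(risk=0.0)
    for node, vulns in segment.items():
        result.risk = combine([result.risk, node_risk(vulns, mission_hours)])
        result.evaluated.append(node)
        if result.risk > tolerance:
            result.stopped_early = len(result.evaluated) < len(segment)
            break
    return result


# Constructed sample system: two segments, to be assessed against a 48 hour mission.
SYSTEM = {
    "dmz": {
        "web1": [Vuln(0.8, 2), Vuln(0.5, 6)],
        "mail1": [Vuln(0.6, 1), Vuln(0.7, 4)],
        "dns1": [Vuln(0.4, 3)],
    },
    "internal": {
        "db1": [Vuln(0.9, 200)],  # serious, but far slower to exploit than the mission
        "fw1": [Vuln(0.3, 24)],
    },
}


def assess(system=SYSTEM, tolerance=0.95, mission_hours=48) -> dict:
    """Per-segment results; pass mission_hours=None to see the undiscounted picture."""
    return {name: assess_segment(seg, tolerance, mission_hours) for name, seg in system.items()}


if __name__ == "__main__":
    for name, res in assess().items():
        print(f"{name}: risk={res.risk:.3f} evaluated={res.evaluated} "
              f"stopped_early={res.stopped_early}")
```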
V. Potential Applications
The NVT program has developed foundation technology that can be applied to three distinct related problem domains: security risk assessment, security modeling, and security administration. Our initial research, as well as this paper, was directed at the security risk assessment problem domain. NVT could also be integrated with existing network modeling tools to provide a security perspective to network modeling environments. As a security administrator’s toolset, NVT could be an integration platform for administrative tools such as password dictionaries, to provide an operationally oriented security assessment capability.
This research was funded under the Network Visualization Tool (NVT) program for U.S. AFRL/IFGB, contract #F30602-96-C-0289. U.S. Government Publication Release Authority: Dwayne P. Allain or Peter J. Radesi.
NVT, #1 next level solutions 4-Aug-99
The Network Vulnerability Tool -- A System Vulnerability Visualization Architecture
Ronda R. Henning, 407-984-6009, rhenning@harris.com
Kevin L. Fox, Ph.D., 407-984-6011, kfox@harris.com
Network Visualization Tool Program
• AFRL-funded research program with 2 goals:
1. Investigate:
• The feasibility of a common risk assessment and vulnerability detection architecture
• Enhanced usability, productivity, and system coverage
2. Define techniques to promote:
• enhanced knowledge solicitation
• normalized, shared system representation
• application of data fusion techniques to risk and vulnerability reporting
• comprehensible reporting mechanisms for results interpretation
User’s Perspective
• “I don’t know what’s on my network”
• “The last risk assessment was done 15 years ago”
• “I don’t know if I can connect my legacy systems in transition”
• “How do I know if I’ve fixed all the systems”
• “What is an acceptable risk?”
The Risk Tool Landscape
• Monolithic, proprietary environments
• Difficult to incorporate new threats or technologies
• Multiple tools with multiple system representations
• from users and scanning technology
• no reuse or information sharing
• Diverse, single solution tools
• vulnerability scanners
• systemic risk assessment
• paper risk assessments
• legacy tool suites
[Diagram: Network Management Tools, Vulnerability Scanners, Systemic Assessment Tools, Legacy Risk Tools → RISK?]
Concept of Operations
Security Officers:
• Deployed systems: determine system risk posture; determine how risk evolves over the system life cycle
• Legacy systems: measure associated risk; key to infrastructure modernization; understand and accept the implications of connectivity
• Use during the life cycle to “snapshot” a system’s risk posture.
System Designers:
• Mitigate/define security architecture
• Architecture options analysis
• Stop problems before they become problems
• Fulfill requirement for a system risk analysis
• Use as a design tool during system development
Risk Analysis Tools
• Three distinct risk/vulnerability analysis tools were integrated in a proof-of-concept prototype
– ANSSR was selected as a prime example of a legacy reasoning engine
– ISS Internet Scanner was selected as an example of a “live” vulnerability tool
– Risk Assessment Methodology (RAM) was selected for large scale, highly complex problems
• Replaced by DPL-f
• HP Open View used for SNMP Network Management Mapping Environment
NVT Architecture
[Diagram: The FuzzyFusionTM Process. Data Sources (User Entered Information, Legacy Risk Tool Data (ANSSR), Vulnerability Tool (ISS), Vulnerability Tool (STAT), SNMP Discovery, Other Tools) feed the Complete System Object Model / System Picture and a Fact Base. Analysis and Integration stages: Single Tool Analysis (individual tool processing); Multi-Tool Correlation (combination of tool outputs); Expert Correlation (addition of databases such as AFCERTS; Expert System; DPL-f). Report Options: Icon, Text, Excel, Access, Config. Legend: incorporated into NVT prototype vs. future enhancements.]
NVT Program Conclusions
• Demonstrated an initial proof-of-concept
– Can combine multiple assessment tools with different modes of operation to provide a more complete picture
– Fuzzy Logic and Data Fusion concepts/technologies are viable for use in result integration
– Use multiple tools to fill in or resolve missing data required by other tools
• Primary advantages of NVT prototype
– Provides a flexible, modular, extensible approach to vulnerability assessment
– Accommodates multiple assessment techniques, BUT only requires single entry of network description
– Preserves investment in legacy methodologies/tools, but reduces associated labor
Conclusions - Continued
• The NVT prototype was designed to be an affordable vulnerability assessment environment
– Developed on Windows NT, Pentium platform
– Costs for runtime licenses of COTS products currently employed along with a suitable workstation ~ $30K
– Design facilitates incorporation of other vulnerability assessment technologies
• Incorporation of new tools into NVT environment < 1 mm
• Time then required to modify FuzzyFusionTM
• Select tools most appropriate for a given environment
• Preserves investment already in place
Future Research Topics
• Temporal-Based Reasoning
– Enables analyst to perform an assessment that accounts for time required to exploit a known vulnerability
• Vulnerability Thresholds
– Minimizes continued computation when an aggregate vulnerability level in a given system exceeds a user-defined limit
– Eliminates possibly computationally intensive search trees when a sufficiently lethal vulnerability is located
– Allows a user to define a vulnerability tolerance level
• Vulnerability Trade-off Visualization Techniques
– Allow the user to perform what-if analysis among performance, functionality and countermeasures
• Incorporate Static Vulnerability Database(s)
Possible Directions
• Security Officer Toolbox: Active Scanning tools; Password Dictionaries; Account Administration
• Assessment Tool Box: more COTS capabilities (RISKWATCH, BUDDY SYSTEM, STAT Security Modeling Tool)
• Integrate with Network Design Tools; Security Configuration Determination
• NVT Results: use of Data Fusion Techniques possible; multiple tools can yield one integrated model; more complete and coherent picture