Assessing computer security vulnerability

Abstract

The lack of a standard gauge for quantifying computer system vulnerability is a hindrance to communicating information about vulnerabilities, and is thus a hindrance to reducing those vulnerabilities. The inability to address this issue through uniform semantics often leads to uncoordinated efforts at combating exposure to common avenues of exploitation. The de-facto standard for evaluating computer security is the government's Trusted Computer Evaluation Criteria, also known as the Orange Book. However, it is a generally accepted fact that the majority of non-government multi-user computer systems are classified into one of its two lower classes. The link between the higher classes and government classified data, makes the measure unsuitable for commercial use.This project presents a feasible approach for resolving this problem by introducing a standardized assessment. It introduces a method, termed the System Vulnerability Index (SVI), that analyzes a number of factors that affect security. These factors are evaluated and combined, through the use of special rules, to provide a measure of vulnerability. The strength of this method is in its abstraction of the problem, which makes it applicable to various operating systems and hardware implementations. User and superuser actions, as well as clues to a potentially breached state of security, serve as the basis for the security relevant factors. Facts for assessment are presented in a form suitable for implementation in a rule-based expert system.