
Page 1: The Network Vulnerability Tool (NVT) - A System Vulnerability

Type of Submission: Paper

Title or Topic: The Network Vulnerability Tool (NVT) – A System Vulnerability Visualization Architecture

Abstract: For the past two years, Harris Corporation has been conducting research for the U.S. Air Force Research Laboratory under the Network Vulnerability Tool (NVT) Study. The Network Vulnerability Tool concept develops and applies a single topological system model. This model supports the information needs of multiple vulnerability analysis tools using an integrated knowledge solicitation and translation framework. As part of this effort, vulnerability tools from COTS, GOTS, and research laboratory sources were surveyed, and a representative sample tool collection was selected for inclusion in the NVT prototype. The prototype integrates and interactively applies multiple existing vulnerability assessment technologies, resulting in a cohesive, combined vulnerability/risk assessment. The combined risk assessment provides a readily comprehensible picture of the risk posture, assisting the analyst in the definition of an acceptable risk posture for an operational system or preliminary system design. The NVT program has defined and developed a vulnerability assessment environment, consolidating multiple vulnerability sources and tool types into a coherent vulnerability visualization architecture. This paper describes the Network Vulnerability Tool architecture, its components, important architecture features, benefits of the NVT approach, and potential future enhancements.

Keywords: Vulnerability Assessment, Risk Management, Data Visualization, Security Architecture and Design

Authors: Ronda R. Henning and Kevin L. Fox, Ph.D.

Organizational Affiliation: Harris Corporation

Telephone Numbers: 407-984-6009 (voice) 407-984-6353 (fax)

E-mail address: [email protected]

Point of Contact: Ronda Henning

U.S. Government Program Sponsor: Air Force Research Laboratory/IFGB

Contract Number: F30602-96-C-0289

U.S. Government Publication Release Authority: Dwayne P. Allain or Peter J. Radesi


The Network Vulnerability Tool (NVT) – A System Vulnerability Visualization Architecture

Ronda R. Henning, Harris Corporation

P.O. Box 98000, M/S W2-7756, Melbourne, FL 32902

(407) [email protected]

Kevin L. Fox, Ph.D., Harris Corporation

P.O. Box 98000, M/S W3-7755, Melbourne, FL 32902

(407) [email protected]

I. Introduction

The next generation of information systems and infrastructures under development by the Department of Defense and the Intelligence Community are built upon the concept of acceptable risk. That is, the security features and system architecture are deemed to provide sufficient protection over the life of the data processed. In previous generations of systems, a risk-averse vulnerability posture dictated custom hardware and software solutions. Today, the rapid evolution of technology and proliferation of computing power mandate the use of commodity Commercial-Off-The-Shelf (COTS) hardware and software components for cost-effective solutions. This strong dependence on COTS implies that commercial grade security mechanisms are sufficient for most applications. Security architectures, therefore, must be structured to build operational, mission-critical systems with relatively weak COTS components. Higher assurance components are placed at community or information boundaries, forming an enclave-based security architecture that implements a defense-in-depth approach to information assurance.

There are few design tools available to the system architect to assist in maximizing the available protection mechanisms while remaining within the development budget. Current generation risk analysis tools usually are single vendor solutions that address a particular aspect or aspects of risk. These tools tend to fall into one of three categories:

1. Tools that work from documented vulnerability databases and possibly repair known vulnerabilities. Tools of this type are vendor-dependent for database updates, either through new product versions or by a subscription service. Examples from this category include ISS’ Internet Scanner, Network Associates, Inc.’s CyberCop, and Harris’ STAT.

2. Monolithic tools that use various parameters to calculate a risk indicator. These tools are difficult to maintain and hard to keep current with the rapidly evolving threat and technology environment. An example of this tool category is the Los Alamos Vulnerability Assessment (LAVA) tool.

3. Tools that examine a particular aspect of the system, such as the operating system or database management system, but ignore the other system components. SATAN, for example, analyzes operating system vulnerabilities but ignores infrastructure components such as routers.

None of these tools implement an aggregate snapshot approach to the system, with a “drill down” or layered approach to facilitate addressing risk at various layers (network, platform, database, etc.) of the system. They provide little assistance to system designers when analyzing alternatives among security risk, system performance and mission functionality. Instead, a “risk solution” is provided that addresses the particular aspect of risk that a given tool was designed to calculate. To develop a comprehensive risk assessment, a tool user would have to become proficient in the use of several tools, and manually correlate the resulting outputs.

A key for successful risk analysis is complete and accurate data for the generation of the system models used by the analysis tools. Most of the current generation of risk analysis tools depend on surveys filled out by users, system operations personnel, and analysts to acquire the data for development of the system model used for the analysis. Alternatively, active network scanning may be used to test various vulnerabilities against system components. Textual or survey-based knowledge solicitation techniques are labor intensive and potentially tedious for the analyst. Many of the existing tools reuse the same information to analyze different aspects of the system security. A centralized repository of modeling data could provide a basis for shared inputs among existing tools. This repository could be used to generate data sets for use by risk analysis tools, allowing multiple tools to be run against the same system without separate input activities, reducing the possibility of operator error. The use of multiple risk analysis reasoning engines, or backends, would allow various aspects of the system to be analyzed without the cost of developing one tool to perform all types of analysis. Integration of the information and the resulting informed assessments available by applying multiple tools could produce a more robust and accurate picture of a system’s vulnerability posture. These results can facilitate more informed system design decisions, providing a framework for alternative evaluation and comparison.

For the past two years, Harris Corporation has been conducting research for the Air Force Research Laboratory under the Network Visualization Tool (NVT) Program. The NVT concept defines a knowledge solicitation and translation framework for the risk assessment process. This framework incorporates a graphical description of a network topology, a central repository of modeling data, and report consolidation from multiple risk/vulnerability assessment tools into a single vulnerability assessment. Results are presented to a system user through a comprehensible, graphical interface. The goal of this effort is to assess the feasibility of developing such a framework for a graphical risk analysis environment accommodating both existing and new risk analysis techniques.

The result of the Network Visualization Tool effort is an initial vulnerability visualization and assessment environment, consolidating multi-source output into a cohesive capability within an open, standards-based architecture. This paper describes the NVT system architecture and its components, features and benefits of our approach, future research topics, and potential applications.

II. System Overview

Under the Network Visualization Tool program, an innovative and unique vulnerability assessment framework that can accommodate changes to the threat and technology environment and preserve the data from current risk analysis tools is being developed. The goal of this effort is to research, develop, test, and demonstrate an engineering prototype for a system vulnerability assessment framework that helps system architects identify security vulnerabilities and develop cost-effective countermeasures.

NVT provides a flexible, extensible, and maintainable solution. The NVT prototype isolates factual information about a system from the reporting and processing capabilities of individual vulnerability assessment tools. No single vulnerability assessment tool can adequately address all components of a comprehensive system architecture. A monolithic assessment system is difficult to evolve with the dynamic nature of threat and technology. NVT allows multiple tools to share data, and then fuses their results to provide a concise picture of a network’s security posture to an NVT user, as illustrated in Figure 1. Our objective was to develop a prototype system security engineering tool that:

• Functions as a design tool to identify vulnerabilities in an architecture before the architecture is built and helps enforce good security design principles

• “Snapshots” a system and its vulnerabilities, enabling comparison of how risk evolves over the system lifecycle

• Applies static vulnerability databases from a variety of sources

• Applies legacy risk analysis tools and threat models

• Correlates information from various risk models/tools into an understandable picture of the system’s vulnerabilities

• Allows what-if analysis to facilitate trade-off analysis between security, functionality, performance, and availability

• Provides an easy to use way to specify the relevant characteristics of a system design

Figure 1. NVT Fuses the Results of Multiple Risk Analysis Tools to provide a Single, Comprehensive Network Security Posture Report.

Our vision for a system security engineering tool facilitating system vulnerability assessment incorporates a single, graphical representation of a system. This system representation is provided to multiple risk/vulnerability assessment tools and vulnerability data or knowledge bases, resulting in a single, consolidated input to multiple tools. A Fuzzy Expert System applies the unique correlation technology of FuzzyFusionTM to combine the

unified report. The architecture concept is

The NVT prototype is implemented on an Intel

This platform was selected as a low cost solution

The initial tool suite employs a number of

• HP OpenView, for network automatics

• ANSSR, a GOTS network system analysis

• RAM, NSA’s risk assessment methodology,

programming language.

vulnerability


Figure 2 diagram labels: Data Sources (User Entered Information, SNMP Discovery, Vulnerability Tool (STAT), Vulnerability Tool (ISS), Legacy Risk Tool Data (ANSSR)); Complete System Object Model / System Picture; Individual Tool Reports; Tool Report FuzzyFusionTM (Per tool analysis, Multi tool analysis, Tool to Expert Analysis; DPL-f, CERT, NOTES Expert System, Factbase FuzzyFusionTM); Report Media (Icon, Text, Excel, Access, Config); legend: = Part of NVT Prototype.

Figure 2. The NVT Vulnerability Assessment Tool Architecture Concept.

With supporting compilers and display capabilities, NVT represents the integration of 12 COTS packages into a cohesive risk assessment capability.

II.1 System Architecture Data Entry

NVT is based on the concept of a knowledge solicitation framework that incorporates a graphical description of a network topology. This topology is used for capture of network attributes, and is subsequently analyzed for security vulnerabilities. The knowledge solicitation portion of NVT applies modern network discovery capabilities and a graphical user interface. This improves the accuracy of the network model, provides a common network description for multiple risk analysis reasoning engines, and enhances the productivity of the system security analyst.

The NVT prototype automatically maps an existing network, or can be used for the manual entry of a network design. The prototype uses HP OpenView to graphically depict a network topology. As illustrated in Figure 3, once it has been given the IP address of the default router for the network, NVT, through the use of OpenView, can search for computers and other devices attached to the network. It performs an active search, pinging possible IP addresses on the network, and adding whatever response information it receives to its network map. NVT also provides, through OpenView, a manual method to draw a proposed network with a graphical user interface that supports drag and drop. A System Security Engineer can rapidly define a given system architecture, including the security critical information. For example:

• A user can apply the manual entry capability to consider alternative designs as part of a trade study.

• A user may edit the properties of each node, providing additional details as required to provide complete logical network planning.

• A user can also represent an entire network on a map by using a subnetwork icon. A detailed map of the subnetwork can be linked to this icon and displayed by double clicking on the icon.

Figure 3 panel title: Automatic Discovery

Figure 3. HP OpenView’s Network Discovery Tools enable NVT users to Map an Existing Network for Further Security Analysis

Once the system description has been completed, the NVT prototype represents and stores the description in an object/class hierarchy. This single topological model supports the information needs of multiple reasoning (vulnerability/risk assessment) tools, as well as the FuzzyFusionTM of their results into a cohesive vulnerability/risk assessment. NVT translates this system representation into the appropriate format for each of the assessment tools employed. This single representation of a system simplifies the use of multiple tools, eliminating redundant data entry. It also provides the foundation for addressing the problem of incomplete data for a given vulnerability assessment tool, and for future knowledge negotiation capabilities.

II.2 Risk Analysis Tool Selection

Under the Network Visualization Tool program, current COTS, GOTS and research vulnerability assessment and reasoning tools were surveyed to determine their capabilities and availability. Tools were categorized by the types of vulnerabilities assessed, and their functional characteristics. Each tool was further evaluated on its data acquisition and output formats to determine how the information can be applied in the NVT engineering prototype implementation. The primary criteria were the operating system required by the tool, the capability of the tool to assess network environments, the data gathering methods used by the tool, and the risk types assessed by the tool. The vulnerability assessment and reasoning tools have to be able to run in the NVT prototype’s operational environment (a PC with Windows NT).

A primary purpose of the NVT prototype is to demonstrate a framework with the flexibility to integrate and interactively use multiple existing vulnerability assessment and reasoning technologies. In order to demonstrate the proof of concept of integrating and interactively using multiple existing vulnerability assessment and reasoning technologies within program restrictions, a representative sample of tools was selected for inclusion in NVT. As a result of the tool survey, ANSSR, RAM, and ISS Internet Scanner were selected for inclusion in NVT.


Table 1. Capabilities Summary for the NVT prototype’s Initial Set of Analysis Tools

Selected Tool: ANSSR (Analysis of Networked Systems Security Risks), Mitre Corporation
Functional Capabilities: Passive data gathering
- Model structure
- Survey based data gathering
- Network aware
Risk Type
- Single Occurrence of Loss

Selected Tool: RAM (Risk Assessment Model), NSA
Functional Capabilities: Passive data gathering
- Event tree
- Prioritized attack list
Risk Type
- Mathematical model
- Multiple risks/services
- Event based over time
Extensible to Risk Type
- Comparison of effectiveness of different designs
- Not limited to computers/networks
- Optimization of system/cost benefit analysis

Selected Tool: ISS Internet Scanner, Internet Security Systems (ISS) Corporation
Functional Capabilities: Active data gathering
- Scans network for hosts, servers, firewalls, and routers
- Assesses security and policy compliance of networks, operating systems, and software applications
Risk Type
- Computer Network Compliance Report (snapshot in time)

These three tools met the requirements and provided the greatest diversity of functional capabilities, as shown in Table 1. The selected tools represent the greatest diversity of characteristics with the fewest expected integration risks.

The RAM model has been incorporated into a COTS tool, the DPL-f programming language for decision support, developed by Applied Decision Analysis, Inc., a subsidiary of PriceWaterhouseCoopers, LLC. This provides RAM with additional capabilities for rapid fault tree construction, libraries of embedded fault trees, an expert opinion generation system, enumeration and ordering of cut sets, and graphical portrayal of risk over time.

II.3 Output Report Correlation and Generation

None of the above tools take an aggregate snapshot approach to the system, with a “drill down” or layered approach to address risk at various layers (network, platform, database, etc.) of the system. Using multiple risk analysis tools would allow various aspects of the system to be analyzed for vulnerabilities without the cost of developing one tool to perform all types of analysis. To provide a more comprehensive vulnerability assessment of a system than any one tool could provide, the outputs of the various tools must be integrated and fused into a single, concise report. This would provide greater assistance to system designers analyzing alternatives among security risk, system performance, and mission functionality.

Under the Network Visualization Tool effort, we investigated technologies that would support our goal of integrating and fusing the results from multiple vulnerability analysis applications. By examining the variety of current COTS and GOTS products, and the variety of inputs and outputs those products require, it became apparent that fuzzy decision technology offered the most flexible solution to our problem. Our focus on fuzzy decision methodologies as our technology foundation was based on an analysis of a variety of technologies, including Expert Systems, Database Systems, Data Fusion, Neural Networks, Fuzzy Logic, and Fuzzy Expert Systems. The latter is based on the premise that multi-criteria, multi-expert decision making can lead to a best-fit answer. The primary benefit of a fuzzy reasoning system is its ability to use and assimilate knowledge from multiple sources. We believe that fuzzy expert system technology is applicable because:

• An expert exists for each tool that we wish to include in the system

• The problem itself is fuzzy; it has ambiguities and often partial information

• We can incrementally learn and apply new technologies as the system grows

• We believe we can identify valid membership functions for the mapping of data to concept and concept to knowledge

Figure 4. NVT leverages Existing Vulnerability Assessment Tools to present a Single, Cohesive Risk Picture.

As a result of our research of existing technologies, Harris has developed FuzzyFusionTM technology to combine the results of multiple vulnerability assessment/risk analysis tools into a unified report. FuzzyFusionTM combines the techniques of fuzzy logic, fuzzy expert systems and data fusion. FuzzyFusionTM incorporates Level 2 data fusion, since our data is already aligned. We have an established network model and operator environment, and need to establish the relationship between the network model and the findings of the risk analysis tools. Real world measurements are captured in fuzzy logic. The reasoning concepts from data fusion are used to establish relationships among the network model, vulnerability findings from the various tools, and the knowledge of network security experts. FuzzyFusionTM is accomplished through the use of a fuzzy expert system, which combines the outputs of the various tools, user concerns about system risks and vulnerabilities, and expert understanding of the results of each tool and how these fit into the larger information system security picture.

Output of the concise assessment can be provided to the NVT user through multiple means and in various degrees of detail, as illustrated in Figure 4. The graphical network map of a system can be color-coded to provide a visual indication of where the greatest risks are located. In Figure 4, the node with the greatest associated risk is colored red. Less severe risks are colored yellow. A pop-up slider window can also be utilized to indicate the top N risks, and their severity. Further details, such as text reports and spreadsheet analyses, can be accessed by drilling down through the layers of information.
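As an added illustration of the single system representation of II.1 and of the correlation step just described (example code written for this page, not NVT’s code and not the FuzzyFusionTM implementation): one constructed network model hands each tool only the fields it needs, the three tools’ findings in their own native scales are mapped to fuzzy degrees, weighted by assumed expert weights, and fused into per-node risk, a top-N list and the red/yellow colouring described above. The report formats, the weights, the membership functions and a green “below the yellow cut-off” colour are all assumptions.

```python
"""Added illustration (not NVT's own code): one shared network model feeds
several assessment tools, whose findings are fused into a per-node risk
picture with top-N ranking and red/yellow colouring. Tool names come from
the paper; their report formats, scales and weights are constructed."""
from dataclasses import dataclass


# --- single topological model (the role of NVT's system object model) ---
@dataclass
class Node:
    name: str
    ip: str
    os: str
    services: list
    mission_critical: bool = False


NETWORK = [  # constructed sample topology
    Node("router-1", "10.0.0.1", "IOS", ["snmp"]),
    Node("db-srv", "10.0.0.10", "NT4", ["mssql", "smb"], mission_critical=True),
    Node("web-srv", "10.0.0.20", "NT4", ["http", "ftp"]),
    Node("ws-07", "10.0.0.57", "Win95", ["smb"]),
]


# --- translation: each tool receives only the fields it requires ---
def to_scanner_input(net):
    """An active scanner (ISS-style) only needs the address list."""
    return [n.ip for n in net]


def to_survey_input(net):
    """A survey-based tool (ANSSR/RAM-style) needs host attributes."""
    return {n.name: {"os": n.os, "services": n.services,
                     "critical": n.mission_critical} for n in net}


# --- constructed per-tool reports, each in its own native scale ---
SCANNER_FINDINGS = {          # ip -> severities reported by the scanner
    "10.0.0.10": ["high", "medium"],
    "10.0.0.20": ["medium", "low", "low"],
    "10.0.0.57": ["low"],
}
SINGLE_LOSS_DOLLARS = {"db-srv": 250_000, "web-srv": 40_000}  # one loss event
ATTACK_PRIORITY = ["db-srv", "router-1", "web-srv"]           # ranked list


# --- fuzzification: map each native scale to a degree of "risky" in [0, 1] ---
SEVERITY_DEGREE = {"high": 0.9, "medium": 0.5, "low": 0.2}


def scanner_degree(ip):
    """Fuzzy OR (max) over findings, nudged up a little for volume."""
    sev = SCANNER_FINDINGS.get(ip, [])
    worst = max((SEVERITY_DEGREE[s] for s in sev), default=0.0)
    return min(1.0, worst + 0.05 * max(len(sev) - 1, 0))


def loss_degree(name, ceiling=200_000):
    """Ramp membership: $0 -> 0.0, at or above `ceiling` -> 1.0."""
    return min(1.0, SINGLE_LOSS_DOLLARS.get(name, 0) / ceiling)


def attack_degree(name):
    """Rank membership: head of the attack list -> 1.0, decaying down it."""
    if name not in ATTACK_PRIORITY:
        return 0.0
    return 1.0 - ATTACK_PRIORITY.index(name) / len(ATTACK_PRIORITY)


# assumed expert weights: how much each tool's opinion counts
WEIGHTS = {"scanner": 0.4, "loss": 0.35, "attack": 0.25}


def fuse_node(node):
    """Weighted fuzzy aggregation plus one expert rule."""
    degrees = {"scanner": scanner_degree(node.ip),
               "loss": loss_degree(node.name),
               "attack": attack_degree(node.name)}
    score = sum(WEIGHTS[k] * d for k, d in degrees.items())
    if node.mission_critical:      # expert rule: critical nodes never rate "low"
        score = max(score, 0.5)
    return round(score, 3)


def fuse_network(net, top_n=3):
    """Return (per-node scores, top-N list, colour per node).
    Red marks the node with the greatest risk, yellow lesser risks; green
    (an assumption, not in the paper) marks nodes below the yellow cut-off."""
    scores = {n.name: fuse_node(n) for n in net}
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)[:top_n]
    worst = ranked[0][1] if ranked else 0.0
    colours = {}
    for name, s in scores.items():
        if s == worst and s > 0:
            colours[name] = "red"
        elif s >= 0.3:
            colours[name] = "yellow"
        else:
            colours[name] = "green"
    return scores, ranked, colours
```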

Figure 5 panel title: ANSSR Manual Entry

Figure 5. Entering System Information into the Interface for ANSSR is a Manually Intensive Process.

III. Features & Benefits of NVT

The result of the NVT Program is a prototype demonstrating a comprehensive vulnerability profile based on the user defined acceptable risk of compromise to a given system. End users have a simple expression of the vulnerability posture of a given system or system design, and are capable of performing “what if” analysis for functionality, performance, and countermeasure trades.

The primary advantage of the NVT prototype is that it provides a flexible, modular, extensible approach to vulnerability assessment. This innovative design accommodates multiple risk assessment techniques, but only requires single entry of the system description (through auto discovery or manual entry of a model), which is a significant benefit to the System Security Engineer. Figure 5 illustrates the interface to ANSSR, which supports a character based GUI when it is used as a stand-alone tool. As the number of windows and menus suggests, entry of information into the tool is a manually intensive exercise. One of the benefits of NVT is that it automates providing the required system information to the various vulnerability assessment tools, allowing each tool to use only the input data it requires. NVT eliminates the manually intensive operations associated with legacy assessment tools, and preserves existing user investment in legacy methodologies. NVT also provides a mechanism to correlate information among tools. Information solicited from the user for any single tool is shared among all tools. Legacy vulnerability assessment tools and databases can be reused, and their results used in conjunction with alternate risk models.

NVT was designed to be an affordable vulnerability assessment environment. Many monolithic risk assessment tools require high performance Unix platforms and cost over $40,000 per copy of each tool. The NVT prototype is being developed on a Windows NT-based Pentium platform. Our initial tool suite reflects a desire to be economical and pragmatic in tool selection. Three COTS/GOTS vulnerability assessment tools are incorporated into the framework: ANSSR, DPL-f, and ISS Internet Scanner. Costs for the runtime licenses of COTS products currently employed within the NVT prototype along with a suitable NT workstation are approximately $30,000.

The modular, extensible system design for NVT ensures ease of technology transition and integration as new vulnerability tools and technology vulnerabilities come to market. This modularity also preserves user legacy models, and allows each user to select the tools most appropriate for his environment and needs. This model also allows a user to preserve his corporate investment. For example, if an organization already employs active scanning technology, the tool can be integrated into the NVT framework with little difficulty. This provides a new source of input (the existing tool), and makes new processing elements (additional risk assessment tools) available to the enterprise.

IV. Future Research

The basic foundation of NVT provided valuable experience in risk analysis tool integration and correlation technologies. Future research and development efforts would benefit from feedback from System Security Engineers using the NVT prototype as a tool to:

• Identify vulnerabilities and enforce good security design principles

• “Snapshot” a system and its vulnerabilities, and compare how risk evolves over the system lifecycle

• Correlate information from various risk tools in an understandable graphical vulnerability analysis

• Support hypothetical analysis, facilitating architecture choices among security, functionality, performance, and availability

• Provide rapid specification of the relevant characteristics of a system design

Beyond the efforts conducted under the initial NVT Program, further research is needed to improve the FuzzyFusionTM used to combine outputs from various risk analysis tools into a unified report. In addition, we have identified new functionality to incorporate into result analysis, including:

• Temporal based reasoning – accounts for the time required to exploit a known vulnerability as part of the system assessment process. It enables a user to perform a vulnerability assessment that takes into account the time required to exercise a given vulnerability. For example, if the time required to penetrate/compromise a node exceeds the timeline for a mission, then the threat is minimal.

• Vulnerability thresholding – minimizes continued computation when an aggregate vulnerability level in a given system or segment exceeds a user defined limit, allowing the user to define his own vulnerability tolerance. It eliminates possibly computationally intensive search trees when a sufficiently lethal vulnerability is located, or when a large number of vulnerabilities are identified. It allows the user to define his vulnerability tolerance level, and supports tailorable definitions of acceptable levels of vulnerability.

• Reasoning with uncertainty or incomplete data information – provides the user with some answer, the best that is available with the information available.

• Vulnerability trade-off visualization techniques – allow the user to easily perform what-if analysis and experimentation among performance, functionality, and countermeasures. It enables the user to readily understand the trade-offs among desired capabilities.

This functionality will allow NVT to more accurately reflect the human decision making process. Further, it will support a more robust, systems orientation towards vulnerabilities, accommodating consideration of application and platform vulnerabilities as well as network vulnerabilities.
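As an added illustration of the first two proposed extensions, temporal based reasoning and vulnerability thresholding (example code written for this page, not NVT’s code): a finding is discounted when its estimated exploitation time exceeds the mission timeline, and per-node aggregation stops as soon as the system’s aggregate level reaches the user’s tolerance. The findings, the hours-to-exploit figures, the severity scale and the aggregation rule are constructed assumptions.

```python
"""Added illustration (not NVT's own code) of two proposed result-analysis
extensions: temporal reasoning (a finding counts less when exploiting it
would take longer than the mission) and vulnerability thresholding (stop
aggregating once the system's level crosses a user-defined tolerance).
Findings, time estimates and scales below are constructed."""

# constructed findings: (node, severity in [0, 1], estimated hours to exploit)
FINDINGS = [
    ("db-srv", 0.9, 2),
    ("db-srv", 0.4, 48),
    ("web-srv", 0.6, 12),
    ("ws-07", 0.3, 200),
    ("router-1", 0.7, 30),
]


def temporal_adjust(severity, hours_to_exploit, mission_hours):
    """Keep full severity when the exploit fits inside the mission window;
    otherwise scale it by the fraction of the exploit time that fits, so a
    slow exploit against a short mission shrinks toward (not to) zero."""
    if hours_to_exploit <= mission_hours:
        return severity
    return round(severity * mission_hours / hours_to_exploit, 3)


def aggregate_with_threshold(findings, mission_hours, tolerance):
    """Accumulate per-node risk and stop early once the system aggregate
    (the worst node) reaches `tolerance`, the user's vulnerability tolerance.
    Returns (per_node, aggregate, stopped_early, findings_examined)."""
    per_node = {}
    examined = 0
    # most severe first, so one sufficiently lethal finding trips the
    # threshold before the long tail of minor findings is processed
    for node, sev, hours in sorted(findings, key=lambda f: f[1], reverse=True):
        examined += 1
        adj = temporal_adjust(sev, hours, mission_hours)
        prev = per_node.get(node, 0.0)
        # fuzzy OR (max) with a small bump for each additional finding
        per_node[node] = round(min(1.0, max(prev, adj) + (0.05 if prev else 0.0)), 3)
        aggregate = round(max(per_node.values()), 3)
        if aggregate >= tolerance:
            return per_node, aggregate, True, examined
    aggregate = round(max(per_node.values()), 3) if per_node else 0.0
    return per_node, aggregate, False, examined
```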

V. Potential Applications

The NVT program has developed foundation technology that can be applied to three distinct related problem domains: security risk assessment, security modeling, and security administration. Our initial research, as well as this paper, was directed at the security risk assessment problem domain. NVT could also be integrated with existing network modeling tools to provide a security perspective to network modeling environments. As a security administrator’s toolset, NVT could be an integration platform for administrative tools such as password dictionaries, to provide an operationally oriented security assessment capability.

This research was funded under the Network Visualization Tool (NVT) program for U.S. AFRL/IFGB, contract #F30602-96-C-0289. U.S. Government Publication Release Authority: Dwayne P. Allain or Peter J. Radesi.



NVT, #1 next level solutions 4-Aug-99

The Network Vulnerability Tool - A System Vulnerability Visualization Architecture

Ronda R. Henning, [email protected]

Kevin L. Fox, Ph.D., [email protected]


Network Visualization Tool Program

• AFRL-funded research program with 2 goals:
  1. Investigate:
     • The feasibility of a common risk assessment and vulnerability detection architecture
     • Enhanced usability, productivity, and system coverage
  2. Define techniques to promote:
     • enhanced knowledge solicitation
     • normalized, shared system representation
     • application of data fusion techniques to risk and vulnerability reporting
     • comprehensible reporting mechanisms for results interpretation


User’s Perspective

• “I don’t know what’s on my network”
• “The last risk assessment was done 15 years ago”
• “I don’t know if I can connect my legacy systems in transition”
• “How do I know if I’ve fixed all the systems”
• “What is an acceptable risk?”


The Risk Tool Landscape

• Monolithic, proprietary environments
• Difficult to incorporate new threats or technologies
• Multiple tools with multiple system representations
  • from users and scanning technology
  • no reuse or information sharing
• Diverse, single solution tools
  • vulnerability scanners
  • systemic risk assessment
  • paper risk assessments
  • legacy tool suites

[Figure: Network Management Tools, Vulnerability Scanners, Systemic Assessment Tools and Legacy Risk Tools shown as separate boxes, each pointing at the same unanswered question: “RISK?”]


Concept of Operations

Security Officers
• Deployed systems
  • Determine system risk posture
  • Determine how risk evolves over the system life cycle
• Legacy systems
  • Measure associated risk
  • Key to infrastructure modernization
  • Understand and accept the implications of connectivity
• Use during the life cycle to “snapshot” a system’s risk posture.

System Designers
• Mitigate/define security architecture
• Architecture options analysis
• Stop problems before they become problems
• Fulfill requirement for a system risk analysis
• Use as a design tool during system development


Risk Analysis Tools

• Three distinct risk/vulnerability analysis tools were integrated in a proof-of-concept prototype
  – ANSSR was selected as a prime example of a legacy reasoning engine
  – ISS Internet Scanner was selected as an example of a “live” vulnerability tool
  – Risk Assessment Methodology (RAM) was selected for large scale, highly complex problems
    • Replaced by DPL-f
• HP OpenView used for SNMP Network Management Mapping Environment


NVT Architecture

[Architecture diagram, recovered as text; data flows from the sources through the system picture into the analysis stages and out to the report options]

Data Sources
• User Entered Information
• Legacy Risk Tool Data (ANSSR)
• Vulnerability Tool (ISS)
• Vulnerability Tool (STAT)
• SNMP Discovery
• Other Tools

System Picture
• Complete System Object Model
• Fact Base

Analysis and Integration (the FuzzyFusion™ Process)
• Single Tool Analysis: Individual Tool Processing
• Multi-Tool Correlation: Combination of Tool Outputs
• Expert Correlation: Addition of Databases (AFCERTS, etc.); Expert System; DPL-f

Report Options
• Icon, Text, Excel, Access, Config

Legend: the diagram distinguishes items incorporated into the NVT prototype from future enhancements; that colour coding does not survive in the extracted text.


Automatic Discovery


Manual Network Diagram


NVT Reporting Options


NVT Program Conclusions

• Demonstrated an initial proof-of-concept
  – Can combine multiple assessment tools with different modes of operation to provide a more complete picture
  – Fuzzy Logic and Data Fusion concepts/technologies are viable for use in result integration
  – Use multiple tools to fill in or resolve missing data required by other tools

• Primary advantages of NVT prototype
  – Provides a flexible, modular, extensible approach to vulnerability assessment
  – Accommodates multiple assessment techniques, BUT only requires single entry of network description
  – Preserves investment in legacy methodologies/tools, but reduces associated labor


Conclusions - Continued

• The NVT prototype was designed to be an affordable vulnerability assessment environment
  – Developed on Windows NT, Pentium platform
  – Costs for runtime licenses of COTS products currently employed along with a suitable workstation ~ $30K
  – Design facilitates incorporation of other vulnerability assessment technologies
    • Incorporation of new tools into NVT environment < 1 man-month
    • Time then required to modify FuzzyFusion™
  – Select tools most appropriate for a given environment
  – Preserves investment already in place


Future Research Topics

• Temporal-Based Reasoning
  – Enables analyst to perform an assessment that accounts for time required to exploit a known vulnerability

• Vulnerability Thresholds
  – Minimizes continued computation when an aggregate vulnerability level in a given system exceeds a user-defined limit
  – Eliminates possibly computationally intensive search trees when a sufficiently lethal vulnerability is located
  – Allows a user to define a vulnerability tolerance level

• Vulnerability Trade-off Visualization Techniques
  – Allow the user to perform what-if analysis among performance, functionality and countermeasures

• Incorporate Static Vulnerability Database(s)
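The NVT Architecture slide (several tools feeding one Complete System Object Model, then a Multi-Tool Correlation stage) and the Vulnerability Thresholds topic above (stop computing once the aggregate exceeds a user-defined limit) describe one procedure end to end. The following is an added example written for this page, not software from the NVT program or Harris Corporation. The tool output formats, host addresses, findings and source weights are constructed for illustration, and the scoring rule (a probabilistic OR of weighted findings) is an assumption standing in for the FuzzyFusion™ process, whose internals the page does not give.

```python
"""Added example: one system model fed by several tools, fused with a cut-off.

Illustrative code written for this page, not NVT software. The tool output
formats, addresses and findings below are constructed, and the scoring rule
(probabilistic OR of weighted scores) is an assumption that stands in for the
FuzzyFusion(TM) process, whose internals the page does not describe.
"""
from dataclasses import dataclass, field

# Constructed output of a "live" scanner: host, check name, severity 1..5
SCANNER_OUTPUT = """\
10.0.0.5 ftp-anonymous-login 2
10.0.0.5 smtp-open-relay 3
10.0.0.7 snmp-default-community 4
"""

# Constructed output of a legacy reasoning engine: host, weakness, risk 0..1
LEGACY_OUTPUT = """\
10.0.0.5 weak-authentication 0.6
10.0.0.9 no-audit-trail 0.4
"""

# Constructed SNMP discovery result: everything actually seen on the wire
DISCOVERED_HOSTS = ["10.0.0.5", "10.0.0.7", "10.0.0.9", "10.0.0.12"]

# Assumed confidence per source: a live scan is trusted more than a
# paper-style assessment of the same host.
SOURCE_WEIGHTS = {"scanner": 1.0, "legacy": 0.8}


@dataclass
class Host:
    address: str
    # source name -> list of (finding, normalised score in [0, 1])
    findings: dict = field(default_factory=dict)


def ip_key(address):
    """Sort helper so 10.0.0.12 follows 10.0.0.9 rather than 10.0.0.1."""
    return tuple(int(part) for part in address.split("."))


def build_model(discovered, scanner_text, legacy_text):
    """Single entry of the network: every tool attaches to the same Host objects."""
    model = {addr: Host(addr) for addr in discovered}
    for line in scanner_text.splitlines():
        addr, name, severity = line.split()
        host = model.setdefault(addr, Host(addr))
        host.findings.setdefault("scanner", []).append((name, int(severity) / 5.0))
    for line in legacy_text.splitlines():
        addr, name, risk = line.split()
        host = model.setdefault(addr, Host(addr))
        host.findings.setdefault("legacy", []).append((name, float(risk)))
    return model


def fuse_host(host, weights=SOURCE_WEIGHTS):
    """Per-host aggregate: 1 - product(1 - w_i * s_i) over all findings.

    Each weighted finding is treated as an independent chance of compromise,
    so two medium findings score higher than either alone but never exceed 1.
    """
    safe = 1.0
    for source, items in host.findings.items():
        weight = weights.get(source, 0.5)  # unknown sources get a neutral weight
        for _, score in items:
            safe *= 1.0 - weight * score
    return 1.0 - safe


def assess(model, threshold=None):
    """Walk hosts in address order, fusing as we go.

    With a threshold, stop as soon as the system-level aggregate reaches it:
    the analyst already knows the system is over tolerance, so the remaining
    per-host work is skipped. Hosts that no tool reported on are listed as
    coverage gaps that another tool would need to fill in.
    """
    host_scores = {}
    system_safe = 1.0
    stopped_at = None
    for addr in sorted(model, key=ip_key):
        score = fuse_host(model[addr])
        host_scores[addr] = score
        system_safe *= 1.0 - score
        if threshold is not None and 1.0 - system_safe >= threshold:
            stopped_at = addr
            break
    uncovered = sorted((a for a, h in model.items() if not h.findings), key=ip_key)
    return {
        "hosts": host_scores,
        "system": 1.0 - system_safe,
        "stopped_at": stopped_at,
        "uncovered": uncovered,
    }


if __name__ == "__main__":
    m = build_model(DISCOVERED_HOSTS, SCANNER_OUTPUT, LEGACY_OUTPUT)
    full = assess(m)
    print("system aggregate %.3f" % full["system"], full["hosts"])
    print("no tool covered:", full["uncovered"])
    cut = assess(m, threshold=0.85)
    print("stopped at", cut["stopped_at"], "after", len(cut["hosts"]), "host(s)")
```

Run as written, the full pass scores all four discovered hosts and reports 10.0.0.12 as uncovered (SNMP discovery saw it, no assessment tool did), which is the “fill in missing data” case from the conclusions; with a tolerance of 0.85 the walk stops after the first host, since that host alone already puts the system over the limit.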


Possible Directions

Security Officer Toolbox
• Active Scanning tools
• Password Dictionaries
• Account Administration

Assessment Tool Box
• More COTS capabilities
  • RISKWATCH
  • BUDDY SYSTEM
  • STAT Security Modeling Tool
• Integrate with Network Design Tools
• Security Configuration Determination

NVT Results
• Use of Data Fusion Techniques Possible
• Multiple Tools can yield one integrated model
• More complete and coherent picture


Questions?