AFRODITA: A Flexible Vulnerability Risk Scoring Database of Information Technology Security

Chien-Ting Kuo (1), He-Ming Ruan (2), Chin-Laung Lei (3), Shih-Jen Chen (4)

(1,2,3) Department of Electrical Engineering, National Taiwan University, No. 1, Sec. 4, Roosevelt Rd., 106 Taipei, Taiwan
(1,4) Smart Network System Institute, Institute for Information Industry, 105 Taipei, Taiwan

{protools1, tannhauser2}@fractal.ee.ntu.edu.tw, [email protected], [email protected]

Abstract. Information security auditing has become more and more important to organizations, and risk analysis has become a popular research issue. In this paper, we propose a flexible vulnerability risk scoring scheme to help information security auditors realize the risk level with the technology adoption lifecycle. A practical implementation demonstrates that the proposed scheme is both useful and effective.

Keywords: vulnerability, risk analysis, security risk scoring

1 Introduction

In recent years, a lot of vulnerabilities have been discovered. Traditional technologies used in information communication, operating systems, storage databases, and web application services usually contain defects introduced by human developers through logic or operational blind spots. Those vulnerabilities may cause sensitive personal data, such as credit card numbers, social ID numbers, and private phone numbers, to be stolen by crackers. For organizations and companies, those vulnerabilities may cause large financial losses and damage to business reputation. To avoid these situations, an organization's internal information security audit has to be strengthened in a more systematic way. Accordingly, vulnerability risk analysis has become a popular research issue in information security and management in recent years. Some researchers focus on building and analyzing the risk matrix of the organization's information infrastructure, and on designing and implementing the information disaster recovery process to help organizations and companies resume normal operation quickly [1][2]. Other researchers focus on analyzing and rating the vulnerabilities that have been discovered. They investigate the vulnerabilities in different products and information technology software and, based on common features such as access type or authentication level, give those vulnerabilities scores. With this scoring mechanism, common users and other information security researchers can quickly understand the vulnerabilities discovered by an information security audit. The most famous vulnerability scoring system is the Common Vulnerability Scoring System (CVSS), which uses simple parameters and equations to score vulnerabilities. The Open Source Vulnerability Database (OSVDB) is a database which includes many kinds of vulnerabilities found in products and information technology around the world.

In this paper, we aim to propose a flexible scoring scheme for threat level analysis of information technology vulnerabilities. Besides, we also implement a flexible database as our storage medium. The proposed vulnerability risk scoring scheme not only associates the CVSS and the OSVDB, but also extends the concept of flexible weighting from the technology adoption lifecycle. In section 2, we introduce the OSVDB, the CVSS, and the technology adoption lifecycle. In section 3, the proposed scheme is described. Finally, the implementation is presented in section 4 and conclusions are given in section 5.

2 Background

In this section, we introduce the Open Source Vulnerability Database (OSVDB) in section 2.1, the Common Vulnerability Scoring System (CVSS) in section 2.2, and the technology adoption lifecycle in section 2.3. These technologies and theories are the cornerstones of the flexible vulnerability risk scoring scheme proposed in this paper.

2.1 The Open Source Vulnerability Database (OSVDB)

The Open Source Vulnerability Database (OSVDB) [3] is an independent open source project currently sponsored by GFI LANguard, Tenable Network Security, and Layered Technologies. The OSVDB currently includes 73302 vulnerabilities that exist in 34540 products used in our information technology life, and it has been maintained by 4735 security researchers around the world. The project was founded at the Defcon and Black Hat conferences in August 2002 and aims to provide more accurate and clear information about security vulnerabilities. The project provides a lot of useful tools, not only for researchers but also for ordinary users. One can use either the OSVDB main web page to perform a detailed query on current vulnerabilities, or the various browser plugins to query the database conveniently and efficiently. Moreover, the database is fully available to anyone. The OSVDB project provides the database in several storage formats, including CSV, MySQL database file, SQLite database file, and XML.

Fig. 1. The quantity of discovered vulnerabilities of each type by quarter (source: [3])

Fig. 2. The ratio of each vulnerability type to the total quantity in each quarter (source: [3])

With the help of the OSVDB, we can quantify the threats of recent vulnerabilities easily. The OSVDB project offers the current quantity of the threats of various vulnerabilities. Fig. 1 shows the quantity of discovered vulnerabilities of each type by quarter in recent years, and Fig. 2 shows the ratio of each vulnerability type to the total quantity in each quarter. Besides, the OWASP Top 10 is also an important reference from the aspect of web security. Thus, in this work, we also focus on certain types of vulnerabilities that have been visible for many years in the OWASP Top 10.

2.2 The Common Vulnerability Scoring System (CVSS)

The Common Vulnerability Scoring System (CVSS) was proposed by the National Infrastructure Advisory Council (NIAC) in 2004 [4]. Nowadays, it is maintained by the Forum of Incident Response and Security Teams (FIRST) and the CVSS Special Interest Group (CVSS-SIG). Unlike other security risk analysis mechanisms, which focus on the information infrastructure and the enterprise and on improving the performance of risk assessment and assurance metrics [5][6][7][8][9], the CVSS provides a scoring mechanism for information technology vulnerabilities. With this scoring mechanism, researchers and ordinary users can realize the risk level of the current information technology environment. Table 1 shows the parameters and their associated item values. After a vulnerability is discovered, experts select an item for every parameter and use the equations shown in Fig. 3 to calculate the risk score, the so-called BaseScore. The BaseScore is normalized to a specific range, zero to ten. The higher the risk score, the greater the risk.

Table 1. CVSS parameters and associated values

Parameter          Selection item                   Associated value
AccessVector       Requires local access            0.395
                   Adjacent network accessible      0.646
                   Network accessible               1.0
AccessComplexity   High                             0.35
                   Medium                           0.61
                   Low                              0.71
Authentication     Requires multiple instances      0.45
                   Requires single instance         0.56
                   No authentication                0.704
ConfImpact         None                             0.0
                   Partial                          0.275
                   Complete                         0.660
IntegImpact        None                             0.0
                   Partial                          0.275
                   Complete                         0.660
AvailImpact        None                             0.0
                   Partial                          0.275
                   Complete                         0.660

Fig. 3. The BaseScore equations of the CVSS vulnerability scoring system

2.3 Technology Adoption Lifecycle

The technology adoption lifecycle [10] was proposed by Everett Rogers in the book “Diffusion of Innovations” in 1962. The technology adoption lifecycle model is presented as a bell curve. It separates a technology lifecycle into five phases: the innovators, the early adopters, the early majority, the late majority, and the laggards. Fig. 4 shows the distribution of the five phases in the technology adoption lifecycle. For example, when a new technology has just been created, the innovators using it are about 2.5% of all customers. Gradually, over time, the number of customers using the new technology increases. The customers between 2.5%~16% and between 16%~50% are called the early adopters and the early majority, respectively. If the new technology is useful and even becomes a major popular technology in the community, just like Facebook, more and more users will enjoy it, and it enters the late majority state. Finally, a few users eventually want to use this mature technology, and they are called the laggards. After those five phases, the technology is replaced by a new one and becomes legacy. However, if the new technology is not good enough, it is eliminated between the early adopters phase and the early majority phase. Although there are various kinds of products and technologies, most of them follow this technology adoption lifecycle.

Fig. 4. The five phases of the technology adoption lifecycle (source: [10])


3 Flexible Vulnerability Risk Scoring Scheme

According to Fig. 1 and Fig. 2, the distributions of the statistical results for every type of vulnerability are also similar to the technology adoption lifecycle. The phenomenon is especially obvious on the curve of Cross-Site Scripting, whose peak is located in 2006 Q2. According to the report from OWASP [11], the Cross-Site Scripting attack was ranked fourth in 2004 and became the top one in 2007. This report shows a trend in the risk of a vulnerability: the risk level is related to the historical quantity of the vulnerability. When a new technology becomes more and more popular, the number of users increases quickly. As the population of users grows, the new technology draws more and more attention from researchers and crackers. Thus, it leads to growth not only in the number of discovered vulnerabilities, but also in the number of exploitations of the same kind of vulnerability. Therefore, we can associate the threat level with the technology adoption lifecycle.

The main idea of AFRODITA is to use the past statistical information from the OSVDB to weight the CVSS BaseScore. Besides, we construct a new database to store each of the CVSS parameters, the relation values, the modified score, and the weights corresponding to each of the vulnerabilities. With the proposed scheme, we can periodically obtain up-to-date data from the OSVDB and flexibly update the implemented database at the same time.

Fig. 5. The equations of type ratio and volume ratio calculated with the BaseScore of vulnerabilities on the OSVDB.

Fig. 6. The equations of modified score calculated with type ratio and volume ratio.

The equations to calculate the type ratio and the volume ratio are shown in Fig. 5. In Fig. 5, α and β are used to adjust the ratio of the statistical data. In the equations, current_value is the number of vulnerabilities of a specific type newly discovered in the current quarter, and past_Max_value is the maximum number of vulnerabilities of the same type as current_value that were discovered in a single quarter in past years. Besides, quarter_total_value is the total number of vulnerabilities discovered in the current quarter. To avoid overflowing the risk level of the BaseScore, we define the maximum value of the quotient of current_value and past_Max_value as 1. The modified score is shown in Fig. 6. After fine tuning, the modified score value presents not only the same risk level as the CVSS BaseScore, but also the threat of each vulnerability.
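A worked instance of the scoring described in sections 2.2 and 3, as an added example that is not the paper's code or the AFRODITA implementation. The CVSS v2 BaseScore uses the parameter values of Table 1 and the published CVSS v2 base equations (the equations that Fig. 3 refers to). The type ratio and volume ratio follow the definitions given in the text (current_value, past_Max_value with the quotient capped at 1, quarter_total_value), but because the Fig. 5 and Fig. 6 equations are not reproduced here, the placement of α and β as plain multipliers and the way the two ratios scale the BaseScore are assumptions of this example; the quarterly counts are constructed, not OSVDB data.

```python
# Added example (not the paper's code): CVSS v2 BaseScore from Table 1 plus the
# OSVDB trend ratios of Section 3. The Fig. 5/Fig. 6 equations are not available
# here, so how alpha, beta and the two ratios enter the modified score is an
# ASSUMPTION of this example, not the paper's formula.
import math

# CVSS v2 parameter values exactly as listed in Table 1.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}


def round_half_up_1(x):
    """Round to one decimal, half away from zero (CVSS rounds 9.995 up to 10.0)."""
    return math.floor(x * 10 + 0.5) / 10


def cvss2_base_score(vector):
    """BaseScore of a CVSS v2 base vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P',
    using the published CVSS v2 base equations."""
    m = dict(part.split(":") for part in vector.split("/"))
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176
    return round_half_up_1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


# Constructed sample of OSVDB-style quarterly discovery counts per vulnerability
# type (made up for this example, not real OSVDB statistics). Quarter labels
# are "YYYYQn", so plain string comparison orders them chronologically.
QUARTERLY_COUNTS = {
    "2005Q4": {"XSS": 300, "SQLi": 200, "Overflow": 400},
    "2006Q1": {"XSS": 450, "SQLi": 250, "Overflow": 380},
    "2006Q2": {"XSS": 600, "SQLi": 300, "Overflow": 350},
    "2006Q3": {"XSS": 500, "SQLi": 320, "Overflow": 330},
}


def type_ratio(counts, quarter, vtype, alpha=1.0):
    """current_value / past_Max_value, with the quotient capped at 1 as the paper
    requires. alpha is applied as a plain multiplier (assumed placement)."""
    current = counts[quarter].get(vtype, 0)
    past_max = max((counts[q].get(vtype, 0) for q in counts if q < quarter), default=0)
    if past_max == 0:                      # no history for this type yet
        quotient = 1.0 if current > 0 else 0.0
    else:
        quotient = min(1.0, current / past_max)
    return alpha * quotient


def volume_ratio(counts, quarter, vtype, beta=1.0):
    """current_value / quarter_total_value: the type's share of everything
    discovered in the quarter. beta is applied as a plain multiplier (assumed)."""
    quarter_total = sum(counts[quarter].values())
    if quarter_total == 0:
        return 0.0
    return beta * counts[quarter].get(vtype, 0) / quarter_total


def modified_score(vector, counts, quarter, vtype, alpha=1.0, beta=1.0):
    """Assumed combination: scale the BaseScore by the mean of the two ratios and
    clamp to the CVSS range 0..10, so a type at its historical peak that dominates
    the quarter is pushed up, while a dormant type keeps roughly its BaseScore."""
    base = cvss2_base_score(vector)
    weight = 1.0 + (type_ratio(counts, quarter, vtype, alpha)
                    + volume_ratio(counts, quarter, vtype, beta)) / 2
    return round_half_up_1(min(10.0, base * weight))


if __name__ == "__main__":
    xss = "AV:N/AC:M/Au:N/C:N/I:P/A:N"   # a typical reflected-XSS base vector (4.3)
    for q in QUARTERLY_COUNTS:
        print(q, cvss2_base_score(xss), "->", modified_score(xss, QUARTERLY_COUNTS, q, "XSS"))
```

Capping the quotient at 1 is what keeps the weight bounded when a type explodes past its previous peak, and the final clamp keeps the modified score inside the CVSS range, so it can still be read on the same zero-to-ten scale as the BaseScore; with α = β = 0 the modified score collapses back to the plain BaseScore.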

4 Implementation

We use PHP to parse the records in the OSVDB. PHP is a powerful and cross-platform tool for performing query and management functionalities on a database. After parsing the data from the OSVDB, PHP is also used to calculate the results and store them in the proposed database, AFRODITA. Considering the efficiency of queries, we choose SQLite as our database. Moreover, with a web interface built from PHP and other web development tools such as AJAX and jQuery, we can easily present the proposed mechanism as a SaaS service with cloud computing. By using AFRODITA, one can learn about not only the current situation of IT threats, but also the trend in vulnerability quantity.

5 Conclusion

Nowadays, most organizations audit the vulnerabilities of their internal information devices, and use risk analysis models to present the information security risk level. Therefore, we propose a flexible scoring scheme for automatically calculating and modifying the information security risk score with the technology adoption lifecycle, and we use a lightweight database to implement this system. The implemented flexible database shows that the proposed scheme is useful and effective.

Acknowledgments. This study was conducted under the “III Innovative and Prospective Technologies Project” of the Institute for Information Industry, which is subsidized by the Ministry of Economic Affairs of the Republic of China.

References

1. Y.P. Fu, K.J. Farn, C.H. Yang, "CORAS for the Research of ISAC," 2008 International Conference on Convergence and Hybrid Information Technology (ICHIT '08), pp. 250-256, 28-30 Aug. 2008.
2. J.O. Aagedal, F. den Braber, T. Dimitrakos, B.A. Gran, D. Raptis, and K. Stolen, "Model-based risk assessment to improve enterprise security," 2002 Sixth International Conference on Enterprise Distributed Object Computing (EDOC '02), pp. 51-62, 2002.
3. The Open Source Vulnerability Database, https://osvdb.org
4. The Common Vulnerability Scoring System, http://www.first.org/cvss/
5. M. Ouedraogo, H. Mouratidis, D. Khadraoui, and E. Dubois, "Security Assurance Metrics and Aggregation Techniques for IT Systems," 2009 Fourth International Conference on Internet Monitoring and Protection (ICIMC '09), pp. 98-102, 24-28 May 2009.
6. D.S. Bhilare, A.K. Ramani, and S. Tanwani, "Information Security Risk Assessment and Pointed Reporting: Scalable Approach," 2009 International Conference on Computer Engineering and Technology (ICCET '09), vol. 1, pp. 365-370, 22-24 Jan. 2009.
7. J.J.C. Ryan and D.J. Ryan, "Performance Metrics for Information Security Risk Management," IEEE Security & Privacy, vol. 6, no. 5, pp. 38-44, Sept.-Oct. 2008.
8. W. Qu and D.Z. Zhang, "Security Metrics Models and Application with SVM in Information Security Management," 2007 International Conference on Machine Learning and Cybernetics, vol. 6, pp. 3234-3238, 19-22 Aug. 2007.
9. G. Peterson, "Introduction to identity management risk metrics," IEEE Security & Privacy, vol. 4, no. 4, pp. 88-91, July-Aug. 2006.
10. Diffusion of Innovations, http://upload.wikimedia.org/wikipedia/en/archive/4/45/20110714211709%21DiffusionOfInnovation.png
11. The Open Web Application Security Project, https://www.owasp.org/index.php/Main_Page
