Researchers at the National Institute of Standards and Technology have developed a new analysis technique to help IT administrators assess security risk.
The patent-pending technique was developed by computer scientist Anoop Singhal and his research colleagues at George Mason University. Though NIST researchers weren’t available this morning to comment on their findings, Singhal and his team use attack graphs and the National Vulnerability Database in their assessment of network pathways.
“We analyze all of the paths that system attackers could penetrate through a network and assign a risk to each component of the system,” Singhal said in a statement. “Decision makers can use our assigned probabilities to make wise decisions and investments to safeguard their network.”
According to NIST, once inside a network’s firewall, a hacker can take a number of routes through the network to find a treasure-trove of confidential data. NIST researchers evaluate each route and assign it a risk based on how difficult it is for the hacker. For example, NIST officials described a simple system consisting of an attacker on a computer, a firewall, a router, an FTP server and a database server. The attacker’s goal is to find the simplest path into the database server. Using attack graph analysis, NIST identifies three potential attack paths and assigns an attack probability to each path in the graph based on the vulnerability score recorded in the NVD.
Because it takes multiple steps to reach the goal, the probabilities of each component are multiplied to determine the overall risk, NIST officials said. The next step is for the researchers to expand their research to handle large-scale enterprise networks, officials added.
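As an added illustration (not NIST's code or the researchers' tool), the following applies the multiplication rule to a constructed version of the firewall/router/FTP/database example: every path from the attacker to the database server is enumerated, each step's probability is multiplied in, and the paths are ranked. The topology, the CVSS-style scores on each edge and the mapping of score/10 to a step probability are all assumptions made for the example, as is the `rescore_node` helper used to show how rescoring one component after a fix changes the ranking.

```python
from typing import Dict, List, Tuple

# Constructed attack graph: each edge is (next_host, cvss_score) where the score
# stands for the vulnerability that lets the attacker move along that edge.
# The scores are made up for this example, not values from the NVD.
EDGES: Dict[str, List[Tuple[str, float]]] = {
    "attacker": [("firewall", 5.0)],
    "firewall": [("router", 4.3), ("ftp_server", 7.5)],
    "router": [("ftp_server", 6.5), ("db_server", 3.0)],
    "ftp_server": [("db_server", 9.3)],
    "db_server": [],
}

def step_probability(cvss: float) -> float:
    # Assumption for the example: a 0-10 score becomes a 0-1 success probability.
    return cvss / 10.0

def enumerate_paths(edges, start, goal, path=None):
    """Return every simple (cycle-free) path from start to goal with the
    product of its per-step probabilities, i.e. the article's multiplication rule."""
    path = (path or []) + [start]
    if start == goal:
        return [(path, 1.0)]
    results = []
    for nxt, cvss in edges.get(start, []):
        if nxt in path:  # skip cycles so the enumeration terminates
            continue
        for sub_path, prob in enumerate_paths(edges, nxt, goal, path):
            results.append((sub_path, step_probability(cvss) * prob))
    return results

def rank_paths(edges, start, goal):
    """Paths ordered from most to least likely; the top entry is the
    'simplest path' the attacker would prefer and the defender should fix first."""
    return sorted(enumerate_paths(edges, start, goal), key=lambda r: r[1], reverse=True)

def rescore_node(edges, node, new_cvss):
    """Copy of the graph with every edge INTO node rescored, e.g. to 0.0 after
    the vulnerability on that host has been patched (hypothetical helper)."""
    return {src: [(dst, new_cvss if dst == node else cvss) for dst, cvss in outs]
            for src, outs in edges.items()}

if __name__ == "__main__":
    for hosts, prob in rank_paths(EDGES, "attacker", "db_server"):
        print(f"{prob:.4f}  {' -> '.join(hosts)}")
    hardened = rescore_node(EDGES, "ftp_server", 0.0)
    print("after fixing ftp_server:", rank_paths(hardened, "attacker", "db_server")[0])
```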