A Study and Implementation of Vulnerability Assessment and Misconfiguration Detection

According to a Gartner Group study, most successful attacks exploit software applications and operating systems that were not properly configured or patched. For enterprises, a compromised online service has far-reaching consequences, so hardening their systems is becoming a higher priority. In this paper, we propose a system that addresses both vulnerability and misconfiguration issues. On the vulnerability side, we focus on vulnerability assessment: we use CVSS (the Common Vulnerability Scoring System) to measure the severity of each vulnerability to the organization and to help administrators prioritize patch management. On the configuration side, we use a configuration scanner keyed to CCE (Common Configuration Enumeration) identifiers to scan the system and determine whether known misconfigurations are present. Our experiments show that the system helps administrators understand their own systems and improve their security.
