Identifying Potentially-Impacted Area by Vulnerabilities in Networked Systems Using CVSS

Author

Harada, Toshiki ; Kanaoka, Akira ; Okamoto, Eiji ; Kato, Masahiko

Author_Institution

Grad. Sch. of Syst. Inf. Eng. Dept., Univ. of Tsukuba, Tsukuba, Japan

fYear

2010

fDate

19-23 July 2010

Firstpage

367

Lastpage

370

Abstract

CVSS (Common Vulnerability Scoring System) is a framework scoring IT vulnerabilities. CVSS is composed of three metric groups: Base, Temporal, and Environmental. Although, the environmental score which gives risk of vulnerabilities in network environment of each user should be used for prioritizing actions, only base score is currently used. One of the reason for unused of environmental score is hard to score uniquely, because the criterion for determining ”Target Distribution (TD),” which is a parameter indicating impacted proportion, is vague. We propose a method for identifying the potentially-impacted area enabling TD measurement in networked systems in terms of three security objectives: confidentiality, integrity and availability. We also apply the method to some model cases of networked systems, and assess their TD. The results correspond to a popular wisdom that trilayer structure is more secure.

Keywords

authorisation; computer network security; data integrity; CVSS; common vulnerability scoring system; environmental score; networked system; potentially impacted area; target distribution; trilayer structure; Availability; Computational modeling; Computers; Databases; Internet; Measurement; Security; CVSS; cloud computing; environmental score; network model;

fLanguage

English

Publisher

ieee

Conference_Titel

Applications and the Internet (SAINT), 2010 10th IEEE/IPSJ International Symposium on

Conference_Location

Seoul

Print_ISBN

978-1-4244-7526-1

Electronic_ISBN

978-0-7695-4107-5

Type

conf

DOI

10.1109/SAINT.2010.105

Filename

5598039