• Title/Summary/Keyword: Security Scoring

Search Result 34, Processing Time 0.027 seconds

Quantitative Scoring Criteria on the Importance of Software Weaknesses (소프트웨어 보안약점의 중요도에 대한 정량 평가 기준 연구)

  • Ahn, Joonseon;Bang, Ji-Ho;Lee, Eunyoung
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.22 no.6
    • /
    • pp.1407-1417
    • /
    • 2012
  • In order to protect a software system from security attacks, it is important to remove the software security weaknesses through the entire life cycle of software development. To remove the software weaknesses more effectively, software weaknesses are prioritized and sorted continuously. In this paper, we introduce the existing scoring systems for software weakness and software vulnerability, and propose a new quantitative standard for the scoring system, which helps evaluate the importance of software weakness objectively. We also demonstrate the practicability of the proposed standard by scoring 2011 CWE/SANS Top 25 list with the proposed standard and comparing it to the original score of MITRE.

Quantitative Scoring System on the Importance of Software Vulnerabilities (보안취약점 중요도 정량 평가 체계 연구)

  • Ahn, Joonseon;Chang, Byeong-Mo;Lee, Eunyoung
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.25 no.4
    • /
    • pp.921-932
    • /
    • 2015
  • We proposed a new scoring system on software vulnerabilities, which calculates quantitatively the severity of software vulnerabilities. The proposed scoring system consists of metrics for vulnerability severity and scoring equations; the metrics are designed to measure the severity of a software vulnerability considering the prevalence of the vulnerability, the risk level of the vulnerability, the domestic market share of the software and the frequency of the software. We applied the proposed scoring system to domestically reported software vulnerabilities, and discussed the effectiveness of the scoring system, comparing it with CVSS and CWSS. We also suggested the prospective utilization areas of the proposed scoring system.

Risk Scoring System for Software Vulnerability Using Public Vulnerability Information (공개 취약점 정보를 활용한 소프트웨어 취약점 위험도 스코어링 시스템)

  • Kim, Min Cheol;Oh, Sejoon;Kang, Hyunjae;Kim, Jinsoo;Kim, Huy Kang
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.28 no.6
    • /
    • pp.1449-1461
    • /
    • 2018
  • As the number of software vulnerabilities grows year by year, attacks on software are also taking place a lot. As a result, the security administrator must identify and patch vulnerabilities in the software. However, it is important to prioritize the patches because patches for all vulnerabilities are realistically hard. In this paper, we propose a scoring system that expands the scale of risk assessment metric by taking into consideration attack patterns or weaknesses cause vulnerabilities with the vulnerability information provided by the NIST(National Institute of Standards and Technology). The proposed scoring system is expanded based on the CWSS and uses only public vulnerability information to utilize easily for any company. In this paper, we applied the automated scoring system to software vulnerabilities, and showed the expanded metrics with consideration for influence of attack pattern and weakness are meaningful.

Privacy-Preserving Credit Scoring Using Zero-Knowledge Proofs (영지식 증명을 활용한 프라이버시 보장 신용평가방법)

  • Park, Chul;Kim, Jonghyun;Lee, Dong Hoon
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.29 no.6
    • /
    • pp.1285-1303
    • /
    • 2019
  • In the current credit scoring system, the credit bureau gathers credit information from financial institutions and calculates a credit score based on it. However, because all sensitive credit information is stored in one central authority, there are possibilities of privacy violations and successful external attacks can breach large amounts of personal information. To handle this problem, we propose privacy-preserving credit scoring in which a user gathers credit information from financial institutions, calculates a credit score and proves that the score is calculated correctly using a zero-knowledge proof and a blockchain. In addition, we propose a zero-knowledge proof scheme that can efficiently prove committed inputs to check whether the inputs of a zero-knowledge proof are actually provided by financial institutions with a blockchain. This scheme provides perfect zero-knowledge unlike Agrawal et al.'s scheme, short CRSs and proofs, and fast proof and verification. We confirmed that the proposed credit scoring can be used in the real world by implementing it and experimenting with a credit score algorithm which is similar to that of the real world.

A Web application vulnerability scoring framework by categorizing vulnerabilities according to privilege acquisition (취약점의 권한 획득 정도에 따른 웹 애플리케이션 취약성 수치화 프레임워크)

  • Cho, Sung-Young;Yoo, Su-Yeon;Jeon, Sang-Hun;Lim, Chae-Ho;Kim, Se-Hun
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.22 no.3
    • /
    • pp.601-613
    • /
    • 2012
  • It is required to design and implement secure web applications to provide safe web services. For this reason, there are several scoring frameworks to measure vulnerabilities in web applications. However, these frameworks do not classify according to seriousness of vulnerability because these frameworks simply accumulate score of individual factors in a vulnerability. We rate and score vulnerabilities according to probability of privilege acquisition so that we can prioritize vulnerabilities found in web applications. Also, our proposed framework provides a method to score all web applications provided by an organization so that which web applications is the worst secure and should be treated first. Our scoring framework is applied to the data which lists vulnerabilities in web applications found by a web scanner based on crawling, and we show the importance of categorizing vulnerabilities according to privilege acquisition.

Quantitative Cyber Security Scoring System Based on Risk Assessment Model (위험 평가 모델 기반의 정량적 사이버 보안 평가 체계)

  • Kim, Inkyung;Park, Namje
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.29 no.5
    • /
    • pp.1179-1189
    • /
    • 2019
  • Cyber security evaluation is a series of processes that estimate the level of risk of assets and systems through asset analysis, threat analysis and vulnerability analysis and apply appropriate security measures. In order to prepare for increasing cyber attacks, systematic cyber security evaluation is required. Various indicators for measuring cyber security level such as CWSS and CVSS have been developed, but the quantitative method to apply appropriate security measures according to the risk priority through the standardized security evaluation result is insufficient. It is needed that an Scoring system taking into consideration the characteristics of the target assets, the applied environment, and the impact on the assets. In this paper, we propose a quantitative risk assessment model based on the analysis of existing cyber security scoring system and a method for quantification of assessment factors to apply to the established model. The level of qualitative attribute elements required for cyber security evaluation is expressed as a value through security requirement weight by AHP, threat influence, and vulnerability element applying probability. It is expected that the standardized cyber security evaluation system will be established by supplementing the limitations of the quantitative method of applying the statistical data through the proposed method.

3-Step Security Vulnerability Risk Scoring considering CVE Trends (CVE 동향을 반영한 3-Step 보안 취약점 위험도 스코어링)

  • Jihye, Lim;Jaewoo, Lee
    • Journal of the Korea Institute of Information and Communication Engineering
    • /
    • v.27 no.1
    • /
    • pp.87-96
    • /
    • 2023
  • As the number of security vulnerabilities increases yearly, security threats continue to occur, and the vulnerability risk is also important. We devise a security threat score calculation reflecting trends to determine the risk of security vulnerabilities. The three stages considered key elements such as attack type, supplier, vulnerability trend, and current attack methods and techniques. First, it reflects the results of checking the relevance of the attack type, supplier, and CVE. Secondly, it considers the characteristics of the topic group and CVE identified through the LDA algorithm by the Jaccard similarity technique. Third, the latest version of the MITER ATT&CK framework attack method, technology trend, and relevance between CVE are considered. We used the data within overseas sites provide reliable security information to review the usability of the proposed final formula CTRS. The scoring formula makes it possible to fast patch and respond to related information by identifying vulnerabilities with high relevance and risk only with some particular phrase.

An APT Attack Scoring Method Using MITRE ATT&CK (MITRE ATT&CK을 이용한 APT 공격 스코어링 방법 연구)

  • Cho, Sungyoung;Park, Yongwoo;Lee, Kunho;Choi, Changhee;Shin, Chanho;Lee, Kyeongsik
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.32 no.4
    • /
    • pp.673-689
    • /
    • 2022
  • We propose an APT attack scoring method as a part of the process for detecting and responding to APT attacks. First, unlike previous work that considered inconsistent and subjective factors determined by cyber security experts in the process of scoring cyber attacks, we identify quantifiable factors from components of MITRE ATT&CK techniques and propose a method of quantifying each identified factor. Then, we propose a method of calculating the score of the unit attack technique from the quantified factors, and the score of the entire APT attack composed of one or more multiple attack techniques. We present the possibility of quantification to determine the threat level and urgency of cyber attacks by applying the proposed scoring method to the APT attack reports, which contains the hundreds of APT attack cases occurred worldwide. Using our work, it will be possible to determine whether actual cyber attacks have occurred in the process of detecting APT attacks, and respond to more urgent and important cyber attacks by estimating the priority of APT attacks.

A Study On Advanced Model of Web Vulnerability Scoring Technique (웹 취약점 스코어링 기법의 advanced 모델 연구)

  • Byeon, Autumn;Lim, Jong In;Lee, Kyong-Ho
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.25 no.5
    • /
    • pp.1217-1224
    • /
    • 2015
  • Web application security problems are addressed by the web vulnerability analysis which in turn supports companies to understand those problems and to establish their own solutions. Ministry of Science, ICT and Future Planning (MSIP) has released its guidelines for analysis and assessment of the web vulnerability. Although it is possible to distinguish vulnerability items in a manner suggested in the MSIP's guidelines, MSIP's factors and criteria proposed in the guidelines are neither sufficient nor efficient in analyzing specific vulnerability entries' risks. This study discusses analysis of the domestic and international Vulnerability Scoring system and proposes an appropriate evaluating method for web vulnerability analysis.

Designing of The Enterprise Insider-Threats Management System Based on Tasks and Activity Patterns (사용자 직무와 활동패턴 기반의 내부자위협통합관리체계 설계)

  • Hong, Byoung Jin;Lee, Soo Jin
    • Convergence Security Journal
    • /
    • v.15 no.6_2
    • /
    • pp.3-10
    • /
    • 2015
  • Recent massive data breaches or major security incidents show that threats posed by insiders have greatly increased over time. Especially, authorized insiders can cause more serious problems than external hackers can. Therefore there is a growing need to introduce a system that can monitor the insider threats in real time and prevent data breaches or security incidents in early-stage. In this paper, we propose a EITMS(Enterprise Insider-Threats Management System). EITMS detects the abnormal behaviors of authorized insiders based on the normal patterns made from their roles, duties and private activities. And, in order to prevent breaches and incidents in early-stage, a scoring system that can visualize the insider threats is also included.