NIST Model Predicts Network Security

August 18, 2008 // Published as a news service by IHS

Data breaches are a recurring problem for IT managers responsible for securing their company’s confidential data, as well as sensitive information belonging to their clients.

To help managers safeguard valuable information most efficiently and guide their network security efforts, scientists at the National Institute of Standards and Technology (NIST) developed Attack Graph Analysis, applying security metrics to computer network pathways to assign a probable risk of attack.

"We analyze all of the paths that system attackers could penetrate through a network and assign a risk to each component of the system," said NIST computer scientist Anoop Singhal.

"Decision-makers can use our assigned probabilities to make wise decisions and investments to safeguard their network."

The research was presented at the July 2008 Conference on Data and Application Security in London.

Computer networks are made up of components ranging from individual computers to servers and routers. Once inside a network's firewall, a hacker can travel through the network using a variety of routes. In addition to hardware, the hacker can break in through software on the computers, especially file-sharing applications that have recently been blamed for some major data breaches.

NIST researchers evaluate each route and assign it a risk based on how challenging it is to the hacker. The paths are determined using a technique called "attack graphs." A new analysis technique based on attack graphs was jointly developed by Singhal and research colleagues at George Mason University. A patent is pending on the technique.

Singhal and his team determine risk by using these attack graphs together with NIST's National Vulnerability Database (NVD). This government repository catalogs security-related software weaknesses that hackers can exploit. NVD data is collected from software vendors, and experts assign each weakness a security score, ranked from highest to lowest.

For example, in a simple system there is an attacker on a computer, a firewall, router, a file transfer protocol (FTP) server and a database server. The goal for the attacker is to find the simplest path into the jackpot - the database server. Attack Graph Analysis determines three potential attack paths. For each path in the graph, NIST researchers assign an attack probability based on the score in the NVD database.

Because it takes multiple steps to reach the goal, the probabilities of the individual steps are multiplied to determine the overall risk of a path. One path takes only three steps. The first step has an 80% chance of being hacked, the second a 90% chance. The final step requires great expertise, so there is only a 10% probability it can be breached. Multiplying the three probabilities together shows that this path is fairly secure, with less than a 10% chance of being hacked.
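The path-risk arithmetic described above, written out as an added example; this is not NIST's tool or the patented technique, just a small illustration of the idea. The graph uses the components the article names (attacker, firewall, router, FTP server, database server), but the article only gives the step probabilities for one three-step path (0.8, 0.9, 0.1); every other edge probability here is a constructed assumption, and the `cvss_to_probability` mapping (NVD score divided by 10) is likewise an assumed simplification, since the article says only that probabilities are "based on the score in the NVD database".

```python
from math import prod

# Constructed example graph. The article names these components and gives
# probabilities for only one three-step path (0.8, 0.9, 0.1); every other edge
# probability is an assumption made for this illustration, not NIST or NVD data.
# An edge (u -> v, p) means an attacker who controls u can reach v in one
# exploit step with success probability p.
ATTACK_GRAPH = {
    "attacker":   [("firewall", 0.8)],
    "firewall":   [("router", 0.9), ("ftp_server", 0.6)],
    "router":     [("database", 0.1)],
    "ftp_server": [("router", 0.5), ("database", 0.3)],
    "database":   [],
}


def cvss_to_probability(score):
    """Assumed mapping from an NVD CVSS base score (0-10) to a per-step
    success probability: score / 10. The article only says the probability is
    'based on the score in the NVD database'; this linear scaling is a guess."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS base scores range from 0.0 to 10.0")
    return score / 10.0


def path_probability(step_probabilities):
    """Overall chance a multi-step path succeeds: the product of its step
    probabilities, as the article describes (0.8 * 0.9 * 0.1 = 0.072)."""
    return prod(step_probabilities)


def enumerate_paths(graph, source, target):
    """Depth-first enumeration of every simple path from source to target.
    Returns a list of (node_list, step_probability_list). The visited set
    keeps a node reachable from two places (the router here) from looping."""
    results = []

    def walk(node, visited, nodes, probs):
        if node == target:
            results.append((list(nodes), list(probs)))
            return
        for nxt, p in graph.get(node, []):
            if nxt in visited:
                continue
            visited.add(nxt)
            nodes.append(nxt)
            probs.append(p)
            walk(nxt, visited, nodes, probs)
            probs.pop()
            nodes.pop()
            visited.discard(nxt)

    walk(source, {source}, [source], [])
    return results


def rank_paths(graph, source, target):
    """Rank attack paths by success probability, most likely first. The top
    entry is the path a defender gets the most benefit from hardening."""
    ranked = [(path_probability(probs), nodes)
              for nodes, probs in enumerate_paths(graph, source, target)]
    return sorted(ranked, key=lambda item: item[0], reverse=True)


if __name__ == "__main__":
    for p, nodes in rank_paths(ATTACK_GRAPH, "attacker", "database"):
        print(f"{p:6.3f}  {' -> '.join(nodes)}")
```

On this constructed graph the three-step path through the router comes out at 0.072, matching the article's "less than 10%", while the shorter route through the FTP server is the most likely one, which is the kind of ranking a decision-maker would use to choose where to spend hardening effort first.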

The next step is for the researchers to expand their research to handle large-scale enterprise networks.

For more information, go to http://nvd.nist.gov/.

Source: National Institute of Standards and Technology (NIST).