Vulnerability Evaluation and Prioritization for Cyber Resilient Systems
ABSTRACT
Vulnerability management, a vital activity for improving the resiliency of cyber systems, is a process that requires extensive resources: time and personnel. For effective and efficient vulnerability management, vulnerabilities should be prioritized based on their criticality. The Common Vulnerability Scoring System (CVSS) is utilized by the National Institute of Standards and Technology (NIST) to rank severity. However, in its severity score, NIST provides only the base metric values, exploitability and impact, for known vulnerabilities, while acknowledging that time-dependent factors and the characteristics of the affected organization are needed for more accurate vulnerability rankings. Although NIST emphasizes the integration of temporal and environmental metrics, there is no established approach for conducting this integration.
In this research project, we created a method to prioritize the criticality of vulnerabilities by integrating environmental factors in two steps: (i) connecting the network topology by analyzing asset-based dependencies and (ii) analyzing the dependency of the organization's business processes on vulnerable assets. For the first step, we use Bayesian-Belief-Network-enhanced attack graphs to identify the most critical vulnerabilities in a given network topology. In the second step, extending the graph-theory-based functional dependency network analysis method, we map the assets to the business processes according to their functional dependencies. Based on the impact on the affected business processes, environmental impact subscores of vulnerabilities are identified. The experiment and simulation results revealed that our method produces different and more accurate vulnerability rankings than the CVSS base metrics provided in the National Vulnerability Database.
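To make the two-step idea concrete, the following is an added toy illustration, not code from the research project: it assumes a constructed three-host network, treats CVSS exploitability/10 as an exploit success probability, combines multiple attack paths with a noisy-OR rule in the attack graph, and uses a simplified max-weight dependency as a stand-in for the full functional dependency network analysis.

```python
# Constructed toy input (not from the paper): three hosts, one vulnerability each.
# exploitability/impact are CVSS-style base subscores on a 0-10 scale.
VULNS = {
    "web-vuln": {"host": "web", "exploitability": 8.6, "impact": 5.9},
    "app-vuln": {"host": "app", "exploitability": 3.9, "impact": 5.9},
    "db-vuln":  {"host": "db",  "exploitability": 2.8, "impact": 5.9},
}
# Attack-graph edges (attacker position -> vulnerability reachable from it); acyclic.
EDGES = [("internet", "web-vuln"), ("web-vuln", "app-vuln"),
         ("app-vuln", "db-vuln"), ("web-vuln", "db-vuln")]
# Business processes: weight = importance to the organization,
# depends = asset -> dependency strength (0-1). Constructed values.
PROCESSES = {
    "order-fulfilment": {"weight": 1.0, "depends": {"web": 0.5, "app": 0.8, "db": 1.0}},
    "reporting":        {"weight": 0.4, "depends": {"db": 1.0}},
}

def compromise_probability(vulns, edges):
    """Step (i): propagate attacker likelihood through the attack graph.
    Assumption: exploitability/10 ~ exploit success; noisy-OR over parents."""
    parents = {v: [] for v in vulns}
    for src, dst in edges:
        parents[dst].append(src)
    prob = {"internet": 1.0}  # the attacker always holds the internet position

    def p(node):
        if node not in prob:
            success = vulns[node]["exploitability"] / 10.0
            not_compromised = 1.0  # probability that no parent path succeeds
            for parent in parents[node]:
                not_compromised *= 1.0 - p(parent) * success
            prob[node] = 1.0 - not_compromised
        return prob[node]
    return {v: p(v) for v in vulns}

def asset_criticality(processes):
    """Step (ii), simplified: strongest weighted business-process dependency on each asset."""
    criticality = {}
    for proc in processes.values():
        for asset, strength in proc["depends"].items():
            criticality[asset] = max(criticality.get(asset, 0.0), proc["weight"] * strength)
    return criticality

def prioritize(vulns, edges, processes):
    """Rank vulnerabilities by compromise likelihood x environmental impact subscore."""
    likelihood = compromise_probability(vulns, edges)
    criticality = asset_criticality(processes)
    scores = {}
    for name, v in vulns.items():
        env_impact = v["impact"] * criticality.get(v["host"], 0.0)  # environmental impact subscore
        scores[name] = round(likelihood[name] * env_impact, 3)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
```

With these inputs the base metrics alone would rank app-vuln above db-vuln (higher exploitability, equal impact), whereas the topology and business-process dependencies move db-vuln ahead of it.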
This material is based upon work supported by the National Science Foundation under Award #1948261.
BIO
Omer F. Keskin is a Ph.D. candidate in Engineering Management and Systems Engineering at Old Dominion University and an MS student in Digital Forensics and Cybersecurity at the University at Albany. He holds an MS degree in engineering management and a BS degree in systems engineering. His research focuses on organizational cybersecurity risk management, supply chain cybersecurity, and critical infrastructure cybersecurity risks.