1. Field of the Invention
This invention relates in general to network security, and more particularly to a method, apparatus and program storage device for providing automated tracking of security vulnerabilities.
2. Description of Related Art
Security is a primary concern for companies of all sizes. This is especially true for information security. Any business involved in e-commerce, database management, e-mail communication and anything else requiring the Internet or networks needs to be concerned with protecting critical information. Hundreds of new vulnerabilities are being discovered annually, and dozens of new security patches are being released monthly. Compounding matters, when opening the company network perimeter for consumers and business partners, system-level security becomes even more critical as it forces an increase in exposure points. Every hole must be patched because an attacker needs to find only one hole to compromise the entire environment. A firewall alone is not sufficient for network security.
Information security has evolved over the years due to the increasing reliance on public networks to disclose personal, financial, and other restricted information. The popularity of the Internet was one of the most important developments that prompted an intensified effort in data security. An ever-growing number of people are using their personal computers to gain access to the resources that the Internet has to offer, ranging from research and information retrieval to electronic mail and commerce transactions. However, the Internet and its earlier protocols were developed as a trust-based system. That is, the Internet Protocol was not designed to be secure in itself. There are no approved security standards built into the TCP/IP communications stack, leaving it open to potentially malicious users and processes across the network. Modern developments have made Internet communication more secure, but there are still several incidents that gain national attention and alert us to the fact that nothing is completely safe.
Enterprises in every industry rely on regulations and rules that are set by standards-making bodies such as the American Medical Association (AMA) or the Institute of Electrical and Electronics Engineers (IEEE). The same ideals hold true for information security. Many security consultants and vendors agree upon the standard security model known as CIA, or Confidentiality, Integrity, and Availability. This three-tiered model is a generally accepted component of assessing risks to sensitive information and establishing security policy.
Confidentiality refers to the fact that sensitive information must be available only to a set of pre-defined individuals. Unauthorized transmission and usage of information should be restricted. For example, confidentiality of information ensures that an unauthorized individual does not obtain a customer's personal or financial information for malicious purposes such as identity theft or credit fraud.
Integrity means that information should not be altered in ways that render it incomplete or incorrect. Unauthorized users should be restricted from the ability to modify or destroy sensitive information.
Availability refers to the concept that information should be accessible to authorized users any time that it is needed. Availability is a warranty that information can be obtained with an agreed-upon frequency and timeliness. This is often measured in terms of percentages and agreed to formally in Service Level Agreements (SLAs) used by network service providers and their enterprise clients.
The widely accepted paradigm of the CIA triad discussed above is a basic framework for a secure environment. There are tools that individually provide network security according to the CIA triad; however, these tools are generally specific to only one discipline. Most organizations today conduct some form of security technical testing for their IT infrastructures. There are tools to assist in performing vulnerability reviews, such as a vulnerability scanner run against their critical devices to determine if they have vulnerabilities that could lead to a loss of confidentiality, integrity, or availability of information. Examples of such tools for providing vulnerability review include Nessus, security products from Internet Security Systems (ISS), Network Security Assessment (NSA), and Retina®, just to name a few. Another tool for performing security audits is Nmap (“Network Mapper”). Nmap is a free open source utility that was designed to determine what hosts are available on the network, what services (application name and version) they are offering, what operating system (and OS version) they are running, and dozens of other characteristics.
These programs will generally create text or HTML files that list each vulnerability found. Although most organizations have little to no trouble in running such applications against their environments and hence uncovering security issues, these same organizations often struggle with tracking these problems to closure. In other words, they find it easy to uncover the problems, but find it more difficult to track and fix the problems.
Problem tracking tools provided by companies such as Remedy Corporation and Peregrine Systems have attempted to solve this issue. Remedy Corporation provides Remedy IT Service Management applications and Remedy's Action Request System®. These applications provide escalation, alerting, and reporting features for ensuring that critical issues do not fall through the cracks by providing a detailed audit trail that allows review and refinement of workflow responses. Peregrine Systems provides ServiceCenter® for tracking and prioritizing incidents as well as trend analysis. However, these tools are limited in a number of ways. For one, they do not allow for automated validation that a problem ticket has actually been fixed. It is left to human judgment and integrity whether an issue is fixed. However, in the security field this is unacceptable. Second, these tools do not necessarily provide for the ability to set timelines for fixing an issue based on multiple factors such as the criticality of the system, the frequency of this vulnerability across the organization, and the severity rating of the vulnerability itself.
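As an added illustration (not part of the patent text), the following Python sketches the two capabilities this passage says existing ticketing tools lack: a remediation deadline computed from the vulnerability's severity, the host's criticality and how widespread the finding is across the organization, and ticket closure that is verified by a re-scan rather than by human assertion. The host names, vulnerability ids, criticality ratings and day counts are constructed assumptions.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample scanner reports, one finding per line: host,vuln_id,severity
# (vulnerability ids are placeholders, not real identifiers).
SCAN_DAY0 = """db01,VULN-A,high
web01,VULN-A,high
test01,VULN-A,high
web01,VULN-B,medium"""
RESCAN_DAY10 = """test01,VULN-A,high
web01,VULN-B,medium"""
# Assumed asset criticality and base remediation window (days) per severity.
CRITICALITY = {"db01": "high", "web01": "medium", "test01": "low"}
SEVERITY_DAYS = {"high": 7, "medium": 30, "low": 90}

def parse_scan(text):
    """Turn the scanner's text report into (host, vuln_id, severity) tuples."""
    return [tuple(p.strip() for p in ln.split(",")) for ln in text.strip().splitlines()]

def remediation_days(severity, criticality, prevalence):
    """Deadline from severity, host criticality and how widespread the finding is."""
    days = SEVERITY_DAYS[severity]
    if criticality == "high":
        days //= 2
    elif criticality == "low":
        days *= 2
    if prevalence >= 3:  # seen on three or more hosts: tighten the window further
        days = max(1, days // 2)
    return days

def open_tickets(findings, today):
    """One ticket per (host, vulnerability) with a computed due date and open status."""
    prevalence = Counter(vid for _, vid, _ in findings)
    tickets = {}
    for host, vid, sev in findings:
        days = remediation_days(sev, CRITICALITY.get(host, "medium"), prevalence[vid])
        tickets[(host, vid)] = {"due": today + timedelta(days=days), "status": "open"}
    return tickets

def validate_closure(tickets, rescan, today):
    """Close a ticket only when a re-scan no longer reports it; flag overdue ones."""
    present = {(h, v) for h, v, _ in rescan}
    for key, t in tickets.items():
        if t["status"] != "open":
            continue
        if key not in present:
            t["status"] = "verified_closed"
        elif today > t["due"]:
            t["status"] = "overdue"
    return tickets
```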
It can be seen then that there is a need for a method, apparatus and program storage device for providing automated tracking of security vulnerabilities.