European Patent Office

(12) EUROPEAN PATENT SPECIFICATION

(11) EP 3 360 071 B1
`
(45) Date of publication and mention of the grant of the patent:
30.12.2020 Bulletin 2020/53

(51) Int Cl.:
G06F 21/57 (2013.01)    G06F 21/60 (2013.01)
H04L 29/06 (2006.01)    G06F 21/56 (2013.01)
`
(21) Application number: 16854157.1

(22) Date of filing: 04.10.2016

(86) International application number: PCT/US2016/055273

(87) International publication number: WO 2017/062338 (13.04.2017 Gazette 2017/15)
`
`
`
`(54) METHOD AND SYSTEM FOR IDENTIFICATION OF SECURITY VULNERABILITIES
`
`VERFAHREN UND SYSTEM ZUR ERKENNUNG VON SICHERHEITSSCHWACHSTELLEN
`
`PROCEDE ET SYSTEME D’IDENTIFICATION DE VULNERABILITES DE SECURITE
`
`
`
(84) Designated Contracting States:
AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR
`
`(74) Representative: Barker Brettell LLP
`100 Hagley Road
`Edgbaston
`Birmingham B16 8QQ (GB)
`
`(30) Priority: 06.10.2015 US 201514876592
`
`(43) Date of publication of application:
`15.08.2018
`Bulletin 2018/33
`
`(73) Proprietor: Assured Enterprises, Inc.
`Reston, Virginia 20190 (US)
`
`(72) Inventor: LI, David
`Reston, Virginia 20190 (US)
`
(56) References cited:
WO-A2-2011/068967
US-A1-2008 244 691
US-A1-2012 222 123
US-A1-2014 123 279
US-B1-7 845 007
US-A1-2004 064 726
US-A1-2011 321 164
US-A1-2013 333 032
`
`
`
`
`
`Note: Within nine months of the publication of the mention of the grant of the European patent in the European Patent
`Bulletin, any person may give notice to the European Patent Office of opposition to that patent, in accordance with the
`Implementing Regulations. Notice of opposition shall not be deemed to have been filed until the opposition fee has been
`paid. (Art. 99(1) European Patent Convention).
`
`
`
`WIZ, Inc. EXHIBIT - 1032
`Printed by Jouve, 75001 PARIS (FR)
`WIZ, Inc. v. Orca Security LTD. - IPR2024-00220
`
`
`Description
`
`TECHNICAL FIELD OF THE INVENTION
`
[0001] Embodiments of the present invention relate generally to security of electronic devices and systems and, more particularly, to identification of security vulnerabilities.
`
`BACKGROUND
`
[0002] Computer systems may include many elements communicatively coupled to one another via a network. Networking and sharing of elements adds a level of complexity that is not present with a single element that stands alone. Network and system administrators may manage network elements using various software tools, which may include a graphical user interface.

[0003] Application code may run on computer systems. One application may have code running on various elements of a computer system. The application itself may be managed by network or system administrators using various software tools.

[0004] Malware may attack computer systems. Malware may include spyware, rootkits, password stealers, spam, sources of phishing attacks, sources of denial-of-service attacks, viruses, loggers, Trojans, adware, or any other digital content that produces malicious activities. Furthermore, an application may be vulnerable to malware or other exploitative attacks.

[0005] Application WO2011068967 discloses a malware analysis method, performing code scans based on analyses of import tables to identify called application code functions/components.
`
`SUMMARY
`
[0006] In one embodiment, a system for securing an electronic device includes a processor and a memory. The memory may be communicatively coupled to the processor and include instructions. The instructions, when loaded and executed by the processor, cause the processor to scan data including one or more application components to uniquely identify elements therein, determine from a given application component additional components to be accessed by the given application component, scan the additional components to uniquely identify elements therein, determine whether the additional components include any known vulnerabilities, associate one or more known vulnerabilities of the additional components with the given application component, and record the known vulnerabilities and the given application component. The given application component may be uniquely identified.

[0007] In another embodiment, a machine readable storage medium may include computer-executable instructions that are readable by a processor. The instructions, when read and executed, may be for causing the processor to scan data including one or more application components to uniquely identify elements therein, determine from a given application component additional components to be accessed by the given application component, scan the additional components to uniquely identify elements therein, determine whether the additional components include any known vulnerabilities, associate one or more known vulnerabilities of the additional components with the given application component, and record the known vulnerabilities and the given application component. The given application component may be uniquely identified.

[0008] In yet another embodiment, a method of securing an electronic device may include scanning data including application components to uniquely identify elements therein, determining from a given application component additional components to be accessed by the given application component, scanning the additional components to uniquely identify elements therein, determining whether the additional components include any known vulnerabilities, associating one or more known vulnerabilities of the additional components with the given application component, and recording the known vulnerabilities and the given application component. The given application component may be uniquely identified.
[0009] In one embodiment, a system may include a processor and a memory. The memory may be communicatively coupled to the processor and include instructions. The instructions, when loaded and executed by the processor, cause the processor to identify one or more uniquely identified application components and determine vulnerabilities associated with a given application component. The vulnerabilities may include vulnerabilities of additional components to be accessed by the given application component. The processor may be caused to adjust characterizations of the vulnerabilities associated with the given application component based upon contextual information from the system in which the given application component resides. The contextual information may include security information.

[0010] In another embodiment, a machine readable storage medium may include computer-executable instructions that are readable by a processor. The instructions, when read and executed, may be for causing the processor to identify one or more uniquely identified application components and determine vulnerabilities associated with a given application component. The vulnerabilities may include vulnerabilities of additional components to be accessed by the given application component. The processor may be caused to adjust characterizations of the vulnerabilities associated with the given application component based upon contextual information from the system in which the given application component resides. The contextual information may include security information.

[0011] In yet another embodiment, a method may include identifying one or more uniquely identified application components and determining vulnerabilities associated with a given application component. The vulnerabilities may include vulnerabilities of one or more additional components to be accessed by the given application component. The method may include adjusting characterizations of the vulnerabilities associated with the given application component based upon contextual information from the system in which the given application component resides. The contextual information may include security information.
`
BRIEF DESCRIPTION OF THE FIGURES

[0012] For a more complete understanding of the configurations of the present disclosure, needs satisfied thereby, and the objects, features, and advantages thereof, reference now is made to the following description taken in connection with the accompanying drawings.

FIGURE 1 is a block diagram of an example system for identifying security vulnerabilities, in accordance with the teachings of the present disclosure;
FIGURE 2 is an illustration of example operation and further configuration of the system for identifying security vulnerabilities, in accordance with the teachings of the present disclosure;
FIGURE 3 is an illustration of further example operation of the system for identifying security vulnerabilities, in accordance with the teachings of the present disclosure; and
FIGURE 4 is a flow chart of an example method for identifying security vulnerabilities, in accordance with the teachings of the present disclosure.

DETAILED DESCRIPTION

[0013] FIGURE 1 is an illustration of an example embodiment of a system 100 for identifying security vulnerabilities, in accordance with the teachings of the present disclosure. System 100 may include any suitable number and kind of elements. For example, system 100 may include one or more devices that can identify security vulnerabilities by scanning electronic devices, file systems, Java applications, .NET applications, or other sources of electronic data. Such scanning may be performed locally to the source of electronic data or remotely on another electronic device communicatively coupled through a network to the source of electronic data. For example, system 100 may include one or more agents 102 configured to scan sources of electronic data for vulnerabilities. In another example, system 100 may include a server 104 configured to coordinate scanning of sources of electronic data for vulnerabilities. System 100 may include any suitable number and kind of sources of electronic data, such as files or file system 114, that may be scanned for vulnerabilities. Although file system 114 is shown separate from any clients or servers, file system 114 may be resident on the same device as client 102 or server 104.

[0014] Server 104 may be configured to coordinate scanning of various sources of information by agents 102. Server 104 may be implemented in any suitable manner, including by one or more applications, scripts, libraries, modules, code, drivers, or other entities on an electronic device. These may include software or instructions resident on a memory 124 for execution by a processor 122. Although server 104 is illustrated in FIGURE 1 as including example elements, server 104 may include more or fewer elements. Moreover, the function of some elements of server 104 as discussed herein may be performed in various embodiments by other elements of server 104. Also, the function of some elements of server 104 as discussed herein may be performed in various embodiments by elements of client 102. For example, server 104 may include a communication application 120, security enterprise manager 126, update manager 134, scan scheduler 128, policy manager 130, or a central repository 132.
[0015] Client 102 may be configured to scan various sources of information such as file system 114. Client 102 may be implemented in any suitable manner, including by one or more applications, scripts, libraries, modules, code, drivers, or other entities on an electronic device. These may include software or instructions resident on a memory 118 for execution by a processor 116. Although client 102 is illustrated in FIGURE 1 as including example elements, client 102 may include more or fewer elements. Moreover, the function of some elements of client 102 as discussed herein may be performed in various embodiments by other elements of client 102. For example, client 102 may include a communication application 110, scan application 108, and local repository 112. Client 102 may communicate with server 104 through network 106.
[0016] Client 102 and server 104 may communicate with sources of information about vulnerability of software. Any suitable sources of information may be utilized by client 102 and server 104. For example, server 104 may communicate with one or more vulnerability databases 138, 140. Database 138 may be a publicly accessible vulnerability database, while database 140 may be a proprietary vulnerability database. Although a single such database 138, 140 is shown and described, multiple public or proprietary databases may be accessed. Database 138 may include the National Vulnerability Database (NVD). Database 138 may include a repository of standards-based vulnerability management data. The database may further include databases of security checklists, security related software flaws, misconfigurations, product names, product versions, exploitability metrics, impact metrics, temporal metrics, environmental metrics, and others. Server 104 may communicate with a system evaluation database 136, which may include information about the overall health of a system in which file system 114 (or other data under evaluation) resides. Each of these databases may be implemented in any suitable manner, such as by a relational database, navigational database, or other organization of data and data structures. Server 104 may integrate the contents from these databases to provide comprehensive coverage of known vulnerabilities.
[0017] Communication application 120 and communication application 110 may be configured to handle inbound and outbound communications to other entities for server 104 and client 102. For example, communication application 120 and communication application 110 may handle communications with file system 114, databases 138, 140, 136, and between server 104 and client 102. Communication application 120 and communication application 110 may be implemented by any suitable mechanism, such as an application, function, library, application programming interface, script, executable, code, software, or instructions. These may in turn be implemented by instructions resident in memory for execution by a processor that, when loaded into the processor, cause the functionality described in this disclosure to be performed.
[0018] Security enterprise manager 126 may be configured to organize scanning operations in system 100. Security enterprise manager 126 may determine, for example, what agents 102 need to scan their respective sources of data, how agents 102 will scan, how information will be reported from agents 102, what remedial action might be taken or recommended, when agents 102 will be updated, and other such configurations and operations of system 100. Security enterprise manager 126 may utilize a scan scheduler 128 to determine or dictate how often and under what conditions scans of data will be made and repeated. Furthermore, security enterprise manager 126 may utilize an update manager 134 to determine or dictate how often and under what conditions information to be used by scan application 108 will be updated. Update manager 134 may be configured to gather information from one or more sources about how to scan data, such as databases 138, 140, 136. Update manager 134 may be configured to store relevant information to be used by agents 102 in central repository 132. Contents from central repository 132 may be selectively provided to agents 102 by update manager 134. Security enterprise manager 126 may utilize a policy manager 130 configured to analyze the overall health of a system under evaluation. Policy manager 130 may be configured to access information from, for example, system evaluation database 136. Security enterprise manager 126, update manager 134, scan scheduler 128, and policy manager 130 may be implemented by any suitable mechanism, such as an application, function, library, application programming interface, script, executable, code, software, or instructions. These may in turn be implemented by instructions resident in memory for execution by a processor that, when loaded into the processor, cause the functionality described in this disclosure to be performed.
[0019] Scan application 108 may be configured to scan data under evaluation in system 100. The data may be located on the same electronic device as scan application 108 or on an electronic device communicatively coupled to scan application 108. Scan application 108 may analyze the data under evaluation to determine whether the data indicates any vulnerabilities to users of the data. Scan application 108 may utilize a local repository 112 to hold rules, guidelines, settings, or other data collected by server 104. Local repository 112 may be implemented by any suitable manner of implementing databases or other data structures. Scan application 108 may be configured to scan data, such as the files in file system 114, at any appropriate time. Scan application 108 may be implemented by any suitable mechanism, such as an application, function, library, application programming interface, script, executable, code, software, or instructions. These may in turn be implemented by instructions resident in memory for execution by a processor that, when loaded into the processor, cause the functionality described in this disclosure to be performed.
[0020] In operation, scan application 108 may search for holes, vulnerabilities, or other possible exploitations in software. Such software may include files in file system 114. Scan application 108 may look for signatures of software binaries that are defined in local repository 112. Such signatures may be imported from original sources, such as databases 138, 140. Scan application 108 may search and scan software located on a given computer, desktop, smartphone, tablet, or other suitable electronic device. In some embodiments, scan application 108 may search and scan a defined installation image that is to be installed on multiple clients. Scan application 108 may identify files or subcomponents of files in file system 114 that have been identified as having a vulnerability. In some embodiments, such a file might not be malicious itself, but may be exploitable by malware.
[0021] The memories may be in the form of physical memory or pages of virtualized memory. The processors may comprise, for example, a microprocessor, microcontroller, digital signal processor (DSP), application specific integrated circuit (ASIC), or any other digital or analog circuitry configured to interpret and/or execute program instructions and/or process data. In some embodiments, the processor may interpret and/or execute program instructions and/or process data stored in memory. Memory may be configured in part or whole as application memory, system memory, or both. Memory may include any system, device, or apparatus configured to hold and/or house one or more memory modules. Each memory module may include any system, device or apparatus configured to retain program instructions and/or data for a period of time (e.g., computer-readable storage media). Instructions, logic, or data for configuring the operation of the system may reside in memory for execution by the processor. Program instructions may be used to cause a general-purpose or special-purpose processing system that is programmed with the instructions to perform the operations described above. The operations may be performed by specific hardware components that contain hardwired logic for performing the operations, or by any combination of programmed computer components and custom hardware components.
[0022] FIGURE 2 is an illustration of operation of system 100 and of further configuration thereof, in accordance with embodiments of the present disclosure. Scan application 108 may be scanning a sequence of files on file system 114. Scan application 108 may encounter a given file, such as XYZ.exe 202. Scan application 108 may determine a unique identification of the file. In one embodiment, scan application 108 may determine the actual contents of XYZ.exe 202 by determining a signature, hash, or other unique digital identifier of XYZ.exe 202. The unique identification may precisely identify the version, build, or other particular instance of XYZ.exe, of which there may be many versions or completely different sources.
[0023] Scan application 108 may check whether the signature of XYZ.exe 202 matches any known software elements populated in local repository 112. If there are any known vulnerabilities of XYZ.exe 202 noted in local repository 112, they may be noted. The entries of local repository 112 may be marked or indexed according to a hash, signature, or other identifier. Moreover, the vulnerabilities may be categorized or defined by a unique identifier, so that consumers of the results from scan application 108 may efficiently apply its results.
[0024] Many files might not be known to be safe or vulnerable, as myriad different software creators create myriad different pieces of software. Accordingly, in one embodiment scan application 108 might not find an indication of XYZ.exe 202 in local repository 112. Existing binary signatures and the scanning of top-level applications alone may therefore be of little use. As shown in FIGURE 1, there might not be an entry for XYZ.exe 202 therein. Alternatively, there may be an entry denoting that XYZ.exe has no known vulnerabilities. In either such case, in one embodiment scan application 108 might determine that XYZ.exe 202 itself has no known vulnerabilities.
[0025] However, in some embodiments a file might make use of still other files. For example, a file might access other files by calling external functions. These external functions might be executed in, for example, a shared library. The compiled binaries of the shared library may be statically or dynamically linked, included, or otherwise associated with the binaries of the original file. For example, XYZ.exe 202 may be dynamically linked to a DLL such as ABC.dll 204. Many applications might be linked to, share, and use such a file.
[0026] In one embodiment, scan application 108 may determine the set of libraries or other external code that are to be accessed by a given file. Scan application 108 may analyze the software and application file structure to identify such components. An application executable may be in a portable executable format. The format may include a data structure that contains the information needed for the operating system loader to manage the wrapped executable code. The file format may begin with a header that specifies information about the code in the file, the type of application, required library headers, and space requirements. The header may further specify an import table that identifies functions used by the file to access external components and the locations of such functions. Scan application 108 may parse this information to determine what external components, libraries, or other entities XYZ.exe 202 executes, such as ABC.dll 204. Any suitable file format or structure may be parsed and analyzed by scan application 108 to determine the wrappings or packaging and so identify external components used by the file.
[0027] In some cases, required components such as shared libraries may be stored as separate files in the file system. In other cases, required components may be embedded in the executables themselves. When additional required components are stored as separate files, some file-based scanners cannot associate the identified vulnerabilities with the correct executables that ultimately use the required components. When required components are embedded in the executables themselves, some file-based scanners will miss the executables incorporating the required components, because no binary signatures exist for the executable files in the form they take while incorporating these required components. However, in either case scan application 108 may identify the types of applications or executables based on a specific operating system, file extensions, other file attributes, and the file signatures. The file signatures may include hex codes around the beginning of the files, known as "magic numbers". Based on the types of applications, the executable file structures can be known, as well as the required components. From these, potentially vulnerable system calls may be identified. For example, an application .EXE file (an executable application with file extension "exe" on Windows™ Operating Systems) may use the Portable Executable (PE) file format. The PE file format is a data structure that contains the information necessary for the Windows™ Operating System loader to manage the wrapped executable code. The PE file format begins with a header that includes information about the code, the type of application, required library functions, and space requirements. Furthermore, the import table, located through the data directory in the PE file header, contains the information about specific functions used by this executable and the locations of these functions. For Linux/Unix-based executables, scan application 108 may use the dynamic loader of the system to examine the dynamic section of an executable to identify all needed components, such as shared libraries used by given dynamically-linked executables.
[0028] Scan application 108 may in turn scan these libraries based upon the determination. For example, scan application 108 may scan ABC.dll 204 after finding that it is linked to XYZ.exe 202. Moreover, in another embodiment the scan results of the linked library may be ascribed to the original file. For example, even if XYZ.exe itself was determined to have no vulnerabilities in local repository 112, the vulnerabilities of ABC.dll 204 denoted in local repository 112 may be subsequently associated with XYZ.exe.
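The following Python is an added worked example and is not code from the patent or from Assured Enterprises; it shows the mechanism of paragraphs [0022] to [0028] end to end: hash a file to identify it, walk the PE import directory (DOS header, PE signature, COFF header, optional-header data directory, section table for RVA-to-offset mapping) to learn which DLLs the file links, hash those, and ascribe the libraries' known vulnerabilities to the importing executable. The sample PE is constructed in memory with only the fields the parser reads populated, the DLL contents are stand-in bytes, the VULN-* identifiers are placeholders rather than CVE numbers, and the repository keyed by SHA-256 is an assumption standing in for local repository 112. The Linux analogue the paragraph mentions would read DT_NEEDED entries from the ELF dynamic section instead.

```python
"""Added example, not code from the patent or from Assured Enterprises.

Hash-identify an executable, parse its PE import table to find the DLLs it
links, hash those, and attribute the libraries' known vulnerabilities to the
executable. Sample PE, DLL bytes and repository entries are all constructed;
VULN-* identifiers are placeholders, not CVE numbers.
"""
import hashlib
import struct


def build_sample_pe(dll_names):
    """Construct a minimal PE32 image whose single section holds an import
    directory naming dll_names. Constructed test input, not a real binary."""
    sect_rva, sect_off, sect_size = 0x1000, 0x200, 0x200
    names_off = (len(dll_names) + 1) * 20       # descriptors precede the name strings
    descriptors, names = b"", b""
    for name in dll_names:
        name_rva = sect_rva + names_off + len(names)
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        descriptors += struct.pack("<IIIII", 0, 0, 0, name_rva, 0)
        names += name.encode("ascii") + b"\0"
    descriptors += b"\0" * 20                   # all-zero descriptor terminates the table
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)  # e_lfanew -> "PE\0\0"
    # COFF header: Machine=i386, 1 section, SizeOfOptionalHeader=224 (PE32), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, sect_rva, len(descriptors))  # import dir = index 1
    section = struct.pack("<8sIIIIIIHHI", b".idata", sect_size, sect_rva,
                          sect_size, sect_off, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + section
    return headers.ljust(sect_off, b"\0") + (descriptors + names).ljust(sect_size, b"\0")


def pe_imported_dlls(data):
    """Return the DLL names listed in a PE file's import directory (PE32 or PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ magic number")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    n_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    dd_base = opt + (96 if magic == 0x10B else 112)   # data directories: PE32 vs PE32+
    n_dirs, = struct.unpack_from("<I", data, dd_base - 4)
    if n_dirs < 2:
        return []
    import_rva, = struct.unpack_from("<I", data, dd_base + 8)
    if import_rva == 0:
        return []
    sections = []
    for i in range(n_sections):
        _, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((vaddr, max(vsize, rawsize), rawptr))

    def rva_to_offset(rva):
        for vaddr, size, rawptr in sections:
            if vaddr <= rva < vaddr + size:
                return rawptr + (rva - vaddr)
        raise ValueError(f"RVA {rva:#x} is not inside any section")

    dlls, desc = [], rva_to_offset(import_rva)
    while True:
        name_rva, = struct.unpack_from("<I", data, desc + 12)   # Name field of the descriptor
        if name_rva == 0:
            break
        off = rva_to_offset(name_rva)
        dlls.append(data[off:data.index(b"\0", off)].decode("ascii"))
        desc += 20
    return dlls


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def scan_executable(exe_bytes, resolve_library, repository):
    """Hash the executable and each imported DLL, look both up in the hash-indexed
    repository, and ascribe library vulnerabilities to the executable.
    resolve_library(name) returns the DLL bytes found on the scanned system, or None."""
    exe_hash = sha256_hex(exe_bytes)
    report = {"hash": exe_hash, "direct": list(repository.get(exe_hash, [])), "inherited": {}}
    for dll in pe_imported_dlls(exe_bytes):
        lib_bytes = resolve_library(dll)
        if lib_bytes is None:
            report["inherited"][dll] = ["library not found on scanned system"]
            continue
        vulns = repository.get(sha256_hex(lib_bytes), [])
        if vulns:
            report["inherited"][dll] = list(vulns)
    return report


# Constructed sample: XYZ.exe links ABC.dll (the names used in FIGURE 2) and a system DLL.
SAMPLE_EXE = build_sample_pe(["ABC.dll", "KERNEL32.dll"])
SAMPLE_LIBS = {"ABC.dll": b"stand-in bytes for ABC.dll build 1.2.3",
               "KERNEL32.dll": b"stand-in bytes for KERNEL32.dll"}
REPOSITORY = {sha256_hex(SAMPLE_LIBS["ABC.dll"]): ["VULN-0001 (network-based exploit)"]}

if __name__ == "__main__":
    print(scan_executable(SAMPLE_EXE, SAMPLE_LIBS.get, REPOSITORY))
```

The executable's own hash has no repository entry, so a signature-only scanner would report XYZ.exe as clean; the import walk is what lets the ABC.dll finding be recorded against it. Replacing `SAMPLE_LIBS.get` with a function that reads the named DLL from the scanned file system turns this into the separate-files case of paragraph [0027]; the embedded-component case needs the section contents themselves to be signatured, which this example does not attempt.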
[0029] Furthermore, as shown in FIGURE 2, local repository 112 may have entries that are specific to individual versions of files. The vulnerabilities of different versions of the same file may be different. The vulnerabilities, directly or indirectly attributed to XYZ.exe, may be reported by scan application 108.
[0030] FIGURE 3 illustrates further example operation of system 100, in accordance with embodiments of the present disclosure. Upon completion of all or some of the scan of file system 114, scan application 108 may report vulnerabilities to other parts of system 100 for corrective action or reporting. In one embodiment, system 100 may utilize policy manager 130 to determine what corrective action or reporting is to be performed.
[0031] System 100 may handle different determined vulnerabilities in different ways. In one embodiment, system 100 may identify that a component has a vulnerability that is of a qualitatively or quantitatively higher or lower priority based upon the degree of malicious behavior available to malware. Such a component may include a file. In another embodiment, system 100 may identify that a component has a particular vulnerability, but that vulnerability is enhanced or lessened by other aspects of the system in which the file resides.
[0032] System evaluation database 136 may include a complete diagnostic evaluation of the system in which the file resides. For example, system evaluation database 136 may include information about the candidate system, including whether it has firewalls, where such firewalls are located, what kind of firewalls exist, and how they are configured. In one embodiment, the interplay of the vulnerabilities of the files as determined by scan application 108 and the candidate system conditions from system evaluation database 136 may yield whether or not corrective action is necessary. In another embodiment, a prioritization of the corrective action or vulnerabilities may be produced. System evaluation database 136 may include information about the candidate system with any suitable number of permutations and combinations of security software, hardware, or settings thereof resident on the candidate system.
`
[0033] For example, if the particular instance of ABC.dll is known to be vulnerable to a particular network-based exploit, the vulnerability may be added to an evaluation of XYZ.exe 202. Security enterprise manager 126 may receive the vulnerability list. Security enterprise manager 126 may consult system evaluation database 136 to evaluate the system that included XYZ.exe 202 with respect to its configuration. Policy manager 130 may interpret an entry in system evaluation database 136 indicating that the candidate system (for example, DEF) has a particular firewall installed with given settings. The settings of the particular firewall may be tuned to defeat the particular vulnerability identified in XYZ.exe 202 through its use of ABC.dll. Consequently, security enterprise manager 126 may rank the known vulnerability of XYZ.exe 202 qualitatively or quantitatively lower than other vulnerabilities.
[0034] In some embodiments, security enterprise manager 126 may produce or infer a composite vulnerability measurement. The composite vulnerability measurement may be inferred from the vulnerability of identified individual components. For example, the composite vulnerability severity measurement may be a weighted aggregate of individual severity measurements. For example, base, temporal, and environmental factors may be used. The weights associated with vulnerabilities of each factor may be customized, or industry-standard weights may be used. Each of these factors may include a subgroup of related factors. Furthermore, each group may produce a composite quantitative score with a vector used to illustrate the components used to derive the score.
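The following Python is an added illustration and is not code from the patent or from Assured Enterprises. It shows one concrete shape the contextual re-ranking of paragraphs [0033] and [0034] can take, together with the critical-asset boost mentioned in paragraph [0035]: a composite score is a weighted aggregate of base, temporal and environmental sub-scores, and the environmental sub-score is driven by a constructed system-evaluation record (whether the candidate system's firewall closes the inbound ports the exploit needs, and whether the affected application backs a critical enterprise asset). The weights, the sub-score rules, the 0 to 10 scales and every record below are illustrative assumptions, not CVSS or any other industry standard; the VULN-* identifiers and the DEF, XYZ.exe, ABC.dll, GHI.dll and LMN.exe names are placeholders (the first three taken from the patent's own example).

```python
"""Added example, not code from the patent or from Assured Enterprises.

Contextual re-ranking: composite = weighted aggregate of base, temporal and
environmental sub-scores, with the environmental sub-score derived from the
candidate system's configuration. Weights, rules and records are illustrative
assumptions, not an industry scoring standard; VULN-* ids are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str             # placeholder identifier
    component: str           # file in which the flaw was found, e.g. ABC.dll
    attributed_to: str       # executable that uses the component, e.g. XYZ.exe
    base: float              # base severity, 0..10
    attack_vector: str       # "network" or "local"
    exploit_maturity: float  # temporal factor, 0..1 (1 = weaponized exploit in the wild)
    ports: tuple = ()        # inbound ports a network exploit needs, if any


@dataclass(frozen=True)
class SystemContext:
    """One candidate-system record of the kind system evaluation database 136 holds."""
    name: str
    firewall_present: bool
    blocked_inbound_ports: frozenset = frozenset()
    critical_assets: frozenset = frozenset()   # applications tied to critical enterprise assets


WEIGHTS = {"base": 0.6, "temporal": 0.2, "environmental": 0.2}   # customizable; illustrative values


def environmental_subscore(v, ctx):
    """Neutral 5.0; lowered when the firewall defeats the exploit path ([0033]),
    raised when the affected application is tied to a critical asset ([0035])."""
    score = 5.0
    if (v.attack_vector == "network" and ctx.firewall_present
            and v.ports and set(v.ports) <= ctx.blocked_inbound_ports):
        score -= 4.0
    if v.attributed_to in ctx.critical_assets:
        score += 3.0
    return max(0.0, min(10.0, score))


def composite_score(v, ctx):
    """Weighted aggregate of the three factor groups ([0034]); also returns the
    vector of sub-scores the composite was derived from."""
    subs = {"base": v.base, "temporal": v.exploit_maturity * 10.0,
            "environmental": environmental_subscore(v, ctx)}
    total = round(sum(WEIGHTS[k] * subs[k] for k in WEIGHTS), 2)
    return total, subs


def rank(vulns, ctx):
    """Vulnerabilities ordered for corrective action, highest composite first."""
    scored = [(v.vuln_id, composite_score(v, ctx)[0]) for v in vulns]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed records: ABC.dll's network-exploitable flaw is attributed to XYZ.exe.
VULNS = [
    Vulnerability("VULN-0001", "ABC.dll", "XYZ.exe", 9.0, "network", 0.8, ports=(445,)),
    Vulnerability("VULN-0002", "GHI.dll", "LMN.exe", 6.5, "local", 0.5),
]
# Candidate system DEF with a firewall blocking inbound 445, and a second record for
# the same system without that firewall but with XYZ.exe backing a critical asset.
DEF_FIREWALLED = SystemContext("DEF", True, frozenset({445}))
DEF_OPEN_CRITICAL = SystemContext("DEF", False, frozenset(), frozenset({"XYZ.exe"}))

if __name__ == "__main__":
    for ctx in (DEF_FIREWALLED, DEF_OPEN_CRITICAL):
        print(ctx.name, "firewall" if ctx.firewall_present else "no firewall", rank(VULNS, ctx))
```

With the firewall record in place the ABC.dll finding attributed to XYZ.exe scores 7.2 instead of the 8.0 it would receive in a neutral environment, which is the downgrade paragraph [0033] describes; in the second record the same finding rises to 8.6 because the application is tied to a critical asset. The returned sub-score vector is what a reviewer would keep beside the composite to explain how the number was derived.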
[0035] In one embodiment, through policy manager 130 and system evaluation database 136, security enterprise manager 126 may contextualize standard metrics received from databases 138, 140 based upon specific characteristics of the candidate system. For example, as discussed above, the firewall used in the candidate system may be considered. In another embodiment, policy manager 130 may characterize the security operating environment of the candidate system using a three-dimensional mathematical model. In various embodiments, the three dimensions may include threat vector, threat impact, and enterprise maturity of cyber defense. A threat vector may refer to the path or mechanism that potential attackers employ to gain access to a computer, a system, or an enterprise. Identification of the vectors provides insight into how the attackers (or other threat agents) exploit the associated vulnerabilities. The threat impact may refer to the impact when those vulnerabilities are successfully exploited. There is a wide range of different impacts that may be categorized or quantified, including but not limited to data loss, confidentiality compromise, loss of revenue, damage to the systems, etc. In some embodiments, the ranking of a specific vulnerability will be boosted if it is associated with an application that in turn is associated with any critical enterprise asset. The enterprise maturity may refer to a wide range of enterprise assessments, including organization architecture, networks software/application, computing infrastructure wireless, intrusion detection/prevention, access control, securit