Giakouminakis et al.

(10) Patent No.: US 9,141,805 B2
(45) Date of Patent: Sep. 22, 2015

(54) METHODS AND SYSTEMS FOR IMPROVED RISK SCORING OF VULNERABILITIES

(75) Inventors: Anastasios Giakouminakis, Allendale, NJ (US); Sheldon E. Malm, Mississauga (CA); Chad Loder, Los Angeles, CA (US); Richard D. Li, Somerville, VA (US)

(73) Assignee: RAPID7 LLC, Newton, MA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 376 days.

(21) Appl. No.: 13/298,586

(22) Filed: Nov. 17, 2011

(65) Prior Publication Data
US 2013/0074188 A1    Mar. 21, 2013

Related U.S. Application Data
(60) Provisional application No. 61/535,723, filed on Sep. 16, 2011.

(51) Int. Cl.
G06F 21/57 (2013.01)
(52) U.S. Cl.
CPC: G06F 21/577 (2013.01); G06F 21/57 (2013.01)
(58) Field of Classification Search
CPC: G06F 21/577; G06F 21/57; H04L 63/00
USPC: 726/25
See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS

2003/0056116 A1    3/2003   Bunker et al.       713/201
2003/0233438 A1*   12/2003  Hutchinson et al.   709/223
2004/0064726 A1*   4/2004   Girouard            713/201
2004/0193918 A1*   9/2004   Green et al.        713/201
2004/0250115 A1    12/2004  Gemmel et al.       713/201
2005/0086530 A1*   4/2005   Goddard             713/201
2005/0187963 A1*   8/2005   Markin              707/02
2006/0005245 A1*   1/2006   Durham et al.       726/25
2006/0136327 A1*   6/2006   You                 705/38
2006/0195905 A1*   8/2006   Fudge               726/25
2006/0259974 A1*   11/2006  Marinescu et al.    726/25
2006/0265751 A1*   11/2006  Cosquer et al.      726/25
2007/0186283 A1*   8/2007   Brumbaugh et al.    726/25
2008/0104276 A1*   5/2008   Lahoti et al.       709/245
2008/0301779 A1*   12/2008  Garg et al.         726/4
2010/0169948 A1*   7/2010   Budko et al.        726/1
2010/0332889 A1*   12/2010  Shineorson et al.   714/2
2011/0178942 A1*   7/2011   Watters et al.      705/325
2011/0191854 A1    8/2011   Giakouminakis et al.
2012/0110667 A1*   5/2012   Zubrillin et al.    726/24

OTHER PUBLICATIONS

Chiang et al., Risk and Vulnerability Assessment of Secure Autonomic Communication Networks, Aug. 2007. The 2nd International Conference on Wireless Broadband and Ultra Wideband Communications, pp. 40-45.*

(Continued)

Primary Examiner — Kenneth Chang
(74) Attorney, Agent, or Firm — MH2 Technology Law Group, LLP

(57) ABSTRACT

A security tool can identify vulnerabilities in a computing system and determine a risk level of the vulnerabilities based on base and optional CVSS vectors and additional factors that represent the evolving nature of vulnerabilities. Likewise, the security tool can determine an overall risk for vulnerabilities, an asset, and/or a collection of assets that encompasses a global view of an asset's risk and/or collection of assets' risk, business considerations of an entity that owns and controls the asset and/or the collection of assets, and the entity's associations.

28 Claims, 5 Drawing Sheets

WIZ, Inc. EXHIBIT - 1044
WIZ, Inc. v. Orca Security LTD.
`
`
`
(56) References Cited

OTHER PUBLICATIONS

Mell, Peter et al. A Complete Guide to the Common Vulnerability Scoring System Version 2.0. Common Vulnerability Scoring System (v2). Jun. 2007, pp. 1-23.

Li, Richard D. et al. System and Methods for Identifying Virtual Machines in a Network. U.S. Appl. No. 13/218,606, filed Aug. 26, 2011.

Li, Richard D. et al. Systems and Methods for Performing Vulnerability Scans on Virtual Machines. U.S. Appl. No. 13/218,705, filed Aug. 26, 2011.

* cited by examiner
`
`
`
[Drawing sheets 1 to 5 of 5; images not reproduced. Labels recoverable from each sheet:]

Sheet 1 of 5: drawing with reference numerals 102, 106 and 108.

Sheet 2 of 5: screenshot of a Rapid7 Nexpose "Vulnerability Listing" page (Home :: Vulnerabilities) with columns including Published On, Risk, CVSS Score, Exploitability, Instances, Severity and Exclude.

Sheet 3 of 5: block diagram with labels including CONSOLE MODULE and SCAN MODULE.

Sheet 4 of 5: flow diagram with the steps IDENTIFY VULNERABILITIES IN AN ASSET; DETERMINE A RISK LEVEL FOR THE IDENTIFIED VULNERABILITY; DETERMINE AN OVERALL RISK FOR AN ASSET (OPTIONAL); PROVIDE A NOTIFICATION IDENTIFYING THE VULNERABILITIES, RISK LEVEL, AND THE OVERALL RISK.

Sheet 5 of 5: block diagram with labels including PROCESSOR, MAIN MEMORY, HARD DISK DRIVE, REMOVABLE STORAGE DRIVE, REMOVABLE STORAGE, DISPLAY ADAPTER, KEYBOARD and NETWORK INTERFACE.
`
METHODS AND SYSTEMS FOR IMPROVED RISK SCORING OF VULNERABILITIES

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims priority to U.S. Provisional Patent Application Ser. No. 61/535,723 filed on Sep. 16, 2011, the disclosure of which is incorporated in its entirety by reference herein.

FIELD

Aspects of the disclosure relate generally to computer security.

DESCRIPTION OF THE RELATED ART

In today's distributed computing environments, security is of the utmost importance. Due to the rise of wide-area public networks, users have unlimited access to content, e.g. data, files, applications, programs, etc., from a variety of sources. Additionally, the users' connection to the public networks provides a window for malicious entities to attack the users' computing systems. Malicious entities utilize this ease of accessibility and anonymity to attack the users. For example, the malicious entities can plant viruses, Trojans, or other malicious agents in publicly available content in order to attack the users' computing systems and steal sensitive information from the users and can attack the users' systems remotely across the public networks.

To attack a user's computing system, a malicious entity will utilize a vulnerability in a user's computing system. A vulnerability can be any type of weakness, bug, and/or glitch in the software and hardware of a computing system. Accordingly, users can desire to identify any vulnerabilities in their computing systems and the risk that the vulnerabilities pose.

Risk that a vulnerability poses is traditionally described as the product of likelihood of a loss event and the impact of a loss event. In Information Risk and Vulnerability Assessment, these factors are understood as six vectors that form the basis of the Common Vulnerability Scoring System (CVSS). The CVSS also defines additional "optional" vectors that can assess the context-sensitivity of the impact of a loss event in a particular environment and the fact that likelihood of successful attack via a particular vulnerability changes over time.

The CVSS does afford the ability to rank one vulnerability against another, but nuanced organizational analysis has proved problematic, partly due to the ordinal nature of the scoring system, and partly due to large gaps in the underlying metrics. Further, the CVSS does not scale: it is meant to perform analysis at the vulnerability level, but does not scale to asset level or asset group level analysis. Nor does the CVSS facilitate any sense of indirect impact or likelihood involving integrated or adjacent organizations.

Most importantly, it does not account for numerous factors that increase or mitigate risk that must be taken into consideration to truly understand an organization's risk posture—factors that have proven to play a role just as strong as the base, environmental, and temporal vectors that comprise the CVSS. In fact, as the threat landscape continues to evolve, one can argue that the original base vectors have become less important in assessing likelihood of attack than new vulnerability metrics that recent research has yielded.

BRIEF DESCRIPTION OF THE DRAWINGS

Various features of the embodiments can be more fully appreciated, as the same become better understood with reference to the following detailed description of the embodiments when considered in connection with the accompanying figures, in which:

FIG. 1 is a block diagram of an exemplary environment in which a security tool can test and analyze assets, according to various embodiments.

FIG. 2 is exemplary diagrams of interfaces generated by the security tool for providing reports, according to various embodiments.

FIG. 3 is a block diagram of an exemplary configuration of the security tool, according to various embodiments.

FIG. 4 is a flow diagram of exemplary processes performed by the security tool, according to various embodiments.

FIG. 5 is a block diagram of an exemplary computing system, according to various embodiments.
`
DETAILED DESCRIPTION

For simplicity and illustrative purposes, the principles of the present teachings are described by referring mainly to exemplary embodiments thereof. However, one of ordinary skill in the art would readily recognize that the same principles are equally applicable to, and can be implemented in, all types of information and systems, and that any such variations do not depart from the true spirit and scope of the present teachings. Moreover, in the following detailed description, references are made to the accompanying figures, which illustrate specific exemplary embodiments. Electrical, mechanical, logical and structural changes may be made to the exemplary embodiments without departing from the spirit and scope of the present teachings. The following detailed description is, therefore, not to be taken in a limiting sense and the scope of the present teachings is defined by the appended claims and their equivalents.

Embodiments of the present teachings relate to systems and methods for determining the risk for vulnerabilities and overall risk for vulnerabilities, assets, and collections of assets. In particular, a security tool can identify vulnerabilities in a computing system and determine a risk level of the vulnerabilities based on base and optional CVSS vectors and additional factors that represent the evolving nature of vulnerabilities. Likewise, the security tool can determine an overall risk for vulnerabilities, an asset, and/or a collection of assets that encompasses a global view of an asset's risk and/or a collection of assets' risk, business considerations of an entity that owns and controls the asset and/or collection of assets, and the entity's associations. Accordingly, the security tool can, in real time, identify and analyze security threats to a computing system and provide details of vulnerabilities that accurately represent the threats to a user.

FIG. 1 illustrates an exemplary environment 100 in which a security tool 102 can identify and analyze vulnerabilities in assets and can determine the risk of the vulnerabilities to the assets. While FIG. 1 illustrates various systems contained in the environment 100, one skilled in the art will realize that these systems are exemplary and that the environment 100 can include any number and type of systems.

As illustrated in FIG. 1, the environment 100 can represent the systems of public or private entities, such as governmental agencies, individuals, businesses, partnerships, companies, corporations, etc., utilized to support the entities. The environment 100 can include a number of assets, such as the computing systems 104 that are owned and operated by the entities. The computing systems 104 can be any type of conventional computing systems, such as desktops, laptops, servers, etc. The computing systems 104 can include hardware resources, such as processors, memory, network hardware, storage devices, and the like, and software resources, such as operating systems (OS), application programs, and the like.

In addition to the physical computing systems, the assets can include one or more virtual machines (VMs) 114 that are hosted by one or more of the computing systems 104. In particular, the VMs 114 can be any software implementation of a machine or computer that can execute a program or application using underlying hardware of the computer systems 104. In embodiments, the VMs 114 can be system VMs capable of executing a complete operating system (OS) or process VMs capable of executing one or more programs or applications. It should be appreciated that the number, type, functionality, and extent of each of the VMs 114 can vary based on the computer systems 104, any requirements, or other factors. To operate on the computer systems 104, the VMs 114 can be configured to communicate with a hypervisor or other logic to access resources of the computer systems 104.

The computing systems 104 in the environment 100 can be located at any location, whether located at a single geographic location or remotely located from each other. For example, the computing systems 104 can represent the computing systems of a company that is located in multiple geographic locations. As such, one or more of the computing systems 104 can be located at one location (e.g. one office of the company) and one or more of the computing systems 104 can be located at one or more different locations (e.g. satellite offices of the company). In order to communicate and share data, the computing systems 104 can be coupled to one or more networks 106. The one or more networks 106 can be any type of communications networks, whether wired or wireless, to allow the computing systems to communicate, such as wide-area networks or local-area networks.

In embodiments, the owners, administrators, and users of the computing systems 104 can desire to test and analyze the security of the computing systems 104. To achieve this, the security tool 102 can be utilized to test and analyze the security of the computing systems 104 and/or the VMs 114. The security tool 102 can be configured to run on one or more of the computing systems 104. The security tool 102 can be configured to identify vulnerabilities in the computing system 104 and/or the VMs 114 and to analyze the vulnerabilities in the computing systems 104 and/or the VMs 114 in order to determine a risk level the vulnerabilities pose to the computing systems 104 and/or the VMs 114. A vulnerability can be any type of weakness, bug, and/or glitch in the software resources and/or hardware resources of the computing system 104 and/or the software resources of the VMs 114 that can allow the security of the computing system 104 and/or the VMs 114 to be compromised. For example, a vulnerability in the software resources can include software that is out of date, software that has known security weaknesses, configurations of software that have known security weaknesses, known bugs of software, etc. Likewise, a vulnerability in the hardware resources can include, for example, known bugs in hardware, configurations of hardware that have known security weaknesses, etc.

In embodiments, in order to identify a vulnerability, the security tool 102 can be configured to examine a computing system 104 to identify the software resources and the hardware resources of the computing system 104. Likewise, the security tool 102 can be configured to examine the VMs 114 to identify the resources of the VMs 114. For example, the security tool 102 can be configured to scan the computing systems 104 in order to identify the details of the software resources of the computing systems (type of software installed, e.g. OS and application programs, version of the software installed, configuration of the software installed, etc.) and the details of the hardware resources (type of hardware, configuration of the hardware, etc.). Additionally, the security tool 102 can be configured to communicate with a vulnerability scanner, which can operate on the computer systems 104, to identify the vulnerabilities. Likewise, the security tool 102 can be configured to scan the VMs 114 in order to identify the details of the VMs 114. Examples of scanning and identifying vulnerabilities in VMs can be found in: Systems and Methods for Identifying Virtual Machines in a Network, U.S. patent application Ser. No. 13/218,606, U.S. Patent Application Publication No. 2013-0055246, invented by Richard Li, Jeffrey Berger, and Anastasios Giakouminakis, assigned to Rapid7, LLC; and Systems and Methods for Performing Vulnerability Scans on Virtual Machines, U.S. patent application Ser. No. 13/218,705, U.S. Patent Application Publication No. 2013-0055398, invented by Richard Li, Jeffrey Berger, and Anastasios Giakouminakis, assigned to Rapid7, LLC, the disclosures of which are incorporated herein, in their entirety, by reference.

In embodiments, once the software and hardware resources are identified, the security tool 102 can be configured to compare the details of the software resources and the details of the hardware resources to a vulnerability database 108. The