The researchers evaluated each path along which a hacker could access a network, and assigned it a risk level based on how challenging it is to the hacker.
The paths and risks involved were determined using a newly-developed technique called “attack graphs” and the National Vulnerability Database (NVD), which is a U.S. government security repository.
“We analyse all of the paths that system attackers could penetrate through a network, and assign a risk to each component of the system,” explained Anoop Singhal, a computer scientist at the National Institute of Standards and Technology (NIST).
“Decision makers can use our assigned probabilities to make wise decisions and investments to safeguard their network.”
The researchers use a simple system in which there is an attacker on a computer, a firewall, router, an FTP server and a database server. The goal for the attacker is to find the simplest path into the database server.
Attack Graph Analysis determines three potential attack paths. For each path in the graph, the NIST researchers assign an attack probability based on the score in the NVD.
One path takes only three steps. The first step has an 80 percent chance of being hacked, the second, a 90 percent chance. The final step requires great expertise, so there is only a 10 percent probability it can be breached.
Because it takes multiple steps to reach the goal, the probabilities of each component are multiplied to determine the overall risk. The example path therefore is found to be reasonably secure, with a less than 10 percent chance of being hacked.
The next step is for the researchers to expand their research to handle large-scale enterprise networks.
