Information security – Monitoring or scanning of software or data including attack... – Vulnerability assessment
Reexamination Certificate
2003-04-23
2009-06-23
Moazzami, Nasser G (Department: 2436)
Information security
Monitoring or scanning of software or data including attack...
Vulnerability assessment
C726S002000, C713S150000, C380S277000
Reexamination Certificate
active
07552480
ABSTRACT:
A quantitative model combines a one-dimensional risk-assessment approach with expert knowledge to calculate the probability or likelihood that a threat to an information system asset will be exploited, without reference to actuarial information. A numerical value is assigned, on the basis of expert knowledge rather than actuarial data, to each of one or more threats of attack on the information system asset. In the same way, again on the basis of expert knowledge rather than actuarial data, a numerical value is assigned to each of one or more access and privilege components of one or more vulnerabilities to attack on the asset. A security risk level for the information system asset is then computed from the threat values and the access and privilege component values so established.
Citibank N.A.
King & Spalding LLP
Marcou George T.
Moazzami Nasser G
Okoronkwo Chinwendu C