Correlating Easily and Unobtrusively Queried Computer Characteristics to Number and Severity of Vulnerabilities

Jonathan M. Mercado, Brigham Young University

Abstract

Cybersecurity has become a top-of-mind concern as the threat landscape expands and organizations continue to undergo digital transformation. As the industry confronts this growth, tools designed to evaluate the security posture of a network must improve to provide better value. Current agent-based and network scanning tools are resource intensive, expensive, and require thorough testing before implementation in order to ensure seamless integration. While surfacing specific vulnerability information is imperative to securing network assets, there are ways to predict the security status of a network without taking exact measurements. These methods may quickly, unobtrusively, and cost-effectively inform security professionals as to where the weakest points of the network lie. This thesis proposes a methodology for identifying correlations between host configuration and vulnerability, then specifically examines easily queried characteristics within the Microsoft Windows operating system that may be vulnerability predictors. After taking measurements of forty hosts, it was discovered that there is a strong (r > 0.80) correlation between several metrics and the total number of vulnerabilities as measured by the Tenable Nessus network scanner. Specifically, the total number of open TCP ports (r = 0.82), the total number of programs installed (r = 0.90), days since last restart (r = 0.97), and days since last Windows Update (r = 0.93) were found to be strong candidates for identifying high-risk machines. A significant correlation was also found when measuring the total number of logged-in users (r = 0.68). Correlations were not as strong when considering subsets of hosts in similar environments. These findings can be used in tooling which will quickly evaluate the security posture of network hosts.
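The methodology the abstract describes, as an added example that is not code from the thesis: a table of per-host metrics (the five characteristics named above) is correlated against a scanner-reported vulnerability count using Pearson's r, each metric is labelled by the same r > 0.80 "strong" threshold the abstract uses, and the strongly correlated metrics are then combined into a rough posture ranking of the hosts. The host records, the column names, the 0.50 "moderate" cutoff and the z-score ranking are all constructed for illustration and are not the thesis's measurements or its scoring method.

```python
"""Correlate cheaply queried host characteristics with vulnerability counts.

Added example; all host data below is constructed and does NOT come from the
thesis. The column "vulns" stands in for a Nessus-style total finding count.
"""
from math import sqrt

# Constructed sample: eight hosts with the five metrics the abstract names.
HOSTS = [
    {"host": "ws-01", "open_tcp_ports": 3,  "programs": 20, "days_since_restart": 2, "days_since_update": 1,  "logged_in_users": 1, "vulns": 2},
    {"host": "ws-02", "open_tcp_ports": 4,  "programs": 30, "days_since_restart": 3, "days_since_update": 3,  "logged_in_users": 2, "vulns": 4},
    {"host": "ws-03", "open_tcp_ports": 6,  "programs": 25, "days_since_restart": 4, "days_since_update": 6,  "logged_in_users": 1, "vulns": 6},
    {"host": "ws-04", "open_tcp_ports": 5,  "programs": 45, "days_since_restart": 5, "days_since_update": 8,  "logged_in_users": 2, "vulns": 8},
    {"host": "ws-05", "open_tcp_ports": 8,  "programs": 50, "days_since_restart": 6, "days_since_update": 9,  "logged_in_users": 1, "vulns": 10},
    {"host": "ws-06", "open_tcp_ports": 9,  "programs": 40, "days_since_restart": 7, "days_since_update": 13, "logged_in_users": 2, "vulns": 12},
    {"host": "ws-07", "open_tcp_ports": 11, "programs": 70, "days_since_restart": 8, "days_since_update": 14, "logged_in_users": 1, "vulns": 14},
    {"host": "ws-08", "open_tcp_ports": 10, "programs": 80, "days_since_restart": 9, "days_since_update": 18, "logged_in_users": 2, "vulns": 16},
]

METRICS = ["open_tcp_ports", "programs", "days_since_restart",
           "days_since_update", "logged_in_users"]


def pearson(xs, ys):
    """Pearson correlation coefficient; 0.0 when either series is constant."""
    n = len(xs)
    if n != len(ys) or n < 2:
        raise ValueError("need two equally long series with at least 2 points")
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:          # a constant metric cannot predict anything
        return 0.0
    return sxy / sqrt(sxx * syy)


def strength(r, strong=0.80, moderate=0.50):
    """Label |r| using the abstract's r > 0.80 'strong' cutoff (0.50 is an assumed 'moderate' cutoff)."""
    a = abs(r)
    return "strong" if a >= strong else "moderate" if a >= moderate else "weak"


def rank_metrics(hosts, target="vulns"):
    """Return [(metric, r, label)] sorted from strongest to weakest predictor."""
    ys = [h[target] for h in hosts]
    rows = [(m, pearson([h[m] for h in hosts], ys)) for m in METRICS]
    return sorted(((m, r, strength(r)) for m, r in rows), key=lambda t: -abs(t[1]))


def strong_metrics(hosts, target="vulns"):
    """Metrics that cleared the 'strong' threshold against the target."""
    return [m for m, _, label in rank_metrics(hosts, target) if label == "strong"]


def posture_rank(hosts, metrics):
    """Rank hosts by summed z-scores of the chosen metrics (assumed scoring, not the thesis's).

    Higher score = more of the characteristics that travel with vulnerability
    count, i.e. a candidate for a closer look before any scan is run.
    """
    cols = {m: [h[m] for h in hosts] for m in metrics}
    stats = {}
    for m, xs in cols.items():
        mean = sum(xs) / len(xs)
        sd = sqrt(sum((x - mean) ** 2 for x in xs) / len(xs)) or 1.0
        stats[m] = (mean, sd)
    scored = [(h["host"], sum((h[m] - stats[m][0]) / stats[m][1] for m in metrics))
              for h in hosts]
    return sorted(scored, key=lambda t: -t[1])


if __name__ == "__main__":
    for metric, r, label in rank_metrics(HOSTS):
        print(f"{metric:<20} r={r:+.3f}  {label}")
    chosen = strong_metrics(HOSTS)
    print("\nposture ranking using:", ", ".join(chosen))
    for host, score in posture_rank(HOSTS, chosen):
        print(f"{host}  score={score:+.2f}")
```

In the constructed data, days since restart is exactly linear in the vulnerability count, so it lands at r = 1.0; the update, port and program metrics come out strong, and the alternating logged-in-user count comes out weak, which is the shape of result the abstract reports. The ranking step is the cheap-triage tooling the abstract points at: it uses only the metrics that cleared the threshold and never touches the scanner output, so it can be run against inventory data before (or instead of) an expensive scan, then checked against the scanner on a sample to confirm the correlations still hold for that environment.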