Indian American scientist plugs loopholes in computer safety
Washington, July 24, 2008 (IANS)

A technique developed by Indian American computer scientist Anoop Singhal will minimise chances of hackers stealing confidential corporate data, including health and financial records. Singhal and his colleagues at George Mason University, who developed the analysis technique based on 'attack graphs', have applied for a patent.

“We analyse all of the paths that attackers could penetrate through a network and assign a risk to each component of the system,” said Singhal. “Decision makers can use our assigned probabilities to make wise decisions and investments to safeguard their network.” Scientists at the National Institute of Standards and Technology (NIST) are addressing these concerns by applying security metrics to computer network pathways.

Once inside a network's firewall, for a seemingly mild-mannered purpose as posting an image to a file transfer protocol (FTP) site, a hacker can travel through the network through a variety of routes to hit the jackpot of valuable data. Besides hardware, the hacker can break in through software on the computers, especially file-sharing applications that have been blamed for some major data breaches recently.

Singhal and his team determine risk by using these attack graphs and NIST's National Vulnerability Database (NVD). This official repository includes a collection of security-related software weaknesses that hackers can exploit. NVD data was collected from software vendors and experts assigned scores from most to least insecure.

For example, in a simple system there is an attacker on a computer, a firewall, router, an FTP server and a database server. The goal for the attacker is to find the simplest path into the jackpot - the database server.

Attack graph analysis determines three potential attack paths. For each path in the graph, the NIST researchers assign an attack probability based on the score in the NVD database.

Because it takes multiple steps to reach the goal, the probabilities of each component are multiplied to determine the overall risk.

One path takes only three steps. The first step has an 80 percent chance of being hacked, the second, a 90 percent chance. The final step requires great expertise, so there is only a 10 percent probability it can be breached.

By multiplying the three probabilities together, that path is pretty secure with a less than 10 percent chance of being hacked.