Track: Cyber Security
Abstract
One of the main security risks in information technology (IT) is software vulnerability. The vulnerability when exploited by attacks, can cause catastrophic losses to the system. A lot vulnerabilities are explored and discovered in the computing system and these vulnerabilities have also increased multifold. The security vulnerabilities span across entire networks, large organisations and have to mitigated by information security engineers on a regular routine basis. One of the key challenges for Information Technology (IT) system administrators is how to tackle these vulnerabilities and more specifically which vulnerability to prioritize. All companies recognize the importance and need to prioritize these vulnerabilities. It is not only important to prioritize the vulnerabilities; it is imperative to utilize a vulnerability evaluation system. The significant role of the vulnerability evaluation system is to separate these vulnerabilities from each other through quantitative and qualitative methods. In this paper, we first review through both qualitatively and quantitatively the various vulnerabilities within an existing large global multinational company. We explore and analyze 30,000 various vulnerabilities across a 3-month time period. The 30,000 vulnerabilities are captured using an automated software from individual systems and the the network within the company. The software detects the vulnerabilities and the various characteristics associated with these vulnerabilities and assigns severity levels based on the severity of the vulnerability. The severity is assigned a score from 1 to 5, with 1 being least. The vulnerabilities captured span across 20 different lab environments, across different operating systems and these vulnerabilities are with various severity levels. The CVSS vulnerability scoring system was utilized for data from one of the biggest multinational company from within their environment. The researchers analyzed the various vulnerabilities using the various parameters of these vulnerabilities. The researchers analyzed and studied the various inherent patterns within the environment. Various variables were analyzed critically as part of the descriptive analytics. The vulnerabilities were analyzed across the labs. Then each lab was analyzed using variables like OS, various severity levels, IDs, status of vulnerabilities, CVSS scores, Access Vector, Attack Complexity, Confidentiality, Integrity, Availability, Exploitability, Systems, categories of systems, Ports, PCI,