The Network Vulnerability Tool (NVT) - A System Vulnerability Visualiz .

1y ago
27 Views
3 Downloads
1.01 MB
26 Pages
Last View : 9d ago
Last Download : 6m ago
Upload by : Casen Newsome
Transcription

Type of Submission: PaperTitle or Topic:The Network Vulnerability Tool (NVT) –A System Vulnerability Visualization ArchitectureAbstract: For the past two years, Harris Corporation has been conducting research for the U.S. Air ForceResearch Laboratory under the Network Vulnerability Tool (NVT) Study. The Network VulnerabilityTool concept develops and applies a single topological system model. This model supports theinformation needs of multiple vulnerability analysis tools using an integrated knowledge solicitation andtranslation framework. As part of this effort, vulnerability tools from COTS, GOTS, and researchlaboratory sources were surveyed, and a representative sample tool collection was selected for inclusionin the NVT prototype. The prototype integrates and interactively applies multiple existing vulnerabilityassessment technologies, resulting in a cohesive, combined vulnerability/risk assessment. The combinedrisk assessment provides a readily comprehensible picture of the risk posture, assisting the analyst in thedefinition of an acceptable risk posture for an operational system or preliminary system design. The NVTprogram has defined and developed a vulnerability assessment environment, consolidating multiplevulnerability sources and tools types into a coherent vulnerability visualization architecture. This paperdescribes the Network Vulnerability Tool architecture, its components, important architecture features,benefits of the NVT approach, and potential future enhancements.Keywords: Vulnerability Assessment, Risk Management, Data Visualization, SecurityArchitecture and DesignAuthors: Ronda R. Henning and Kevin L. Fox, Ph.D.Organizational Affiliation: Harris CorporationTelephone Numbers: 407-984-6009 (voice)407-984-6353 (fax)E-mail address: rhenning@harris.comPoint of Contact: Ronda HenningU.S. Government Program Sponsor: Air Force Research Laboratory/IFGBContract Number: F30602-96-C-0289U.S. Government Publication Release Authority: Dwayne P. Allain or Peter J. Radesi

The Network Vulnerability Tool (NVT) –A System Vulnerability Visualization ArchitectureRonda R. HenningHarris CorporationP.O. Box 98000, M/S W2-7756Melbourne, FL 32902(407) 984-6009rhenning@harris.comI.IntroductionThe next generation of information systems andinfrastructures under development by theDepartment of Defense and the IntelligenceCommunity are built upon the concept ofacceptable risk. That is, the security features andsystem architecture are deemed to providesufficient protection over the life of the dataprocessed. In previous generations of systems arisk adverse vulnerability posture dictatedcustom hardware and software solutions. Today,the rapid evolution of technology andproliferation of computing power mandate theuse of commodity Commercial-Off-The-Shelf(COTS) hardware and software components forcost effective solutions. This strong dependenceon COTS implies that commercial grade securitymechanisms are sufficient for most applications.Security architectures, therefore, must bestructured to build operational, nents. Higher assurance components areplaced at community or information boundaries,forming an enclave-based security architecturethat implements a defense-in-depth approach toinformation assurance.There are few design tools available to thesystem architect to assist in maximizing theavailableprotectionmechanismswhileremaining within the development budget.Current generation risk analysis tools usually aresingle vendor solutions that address a particularaspect or aspects of risk. These tools tend to fallinto one of three categories:Kevin L. Fox, Ph.D.Harris CorporationP.O. Box 98000, M/S W3-7755Melbourne, FL 32902(407) 984-6011kfox@harris.com1. Tools that work from documentedvulnerability databases and possibly repairknown vulnerabilities. Tools of this type arevendor-dependent for database updates,either through new product versions or by asubscription service. Examples from thiscategory include ISS’ Internet Scanner,Network Associates, Inc.’s CyberCop, andHarris’ STAT.2. Monolithic tools that use various parametersto calculate a risk indicator. These tools aredifficult to maintain and hard to keep currentwith the rapidly evolving threat andtechnology environment. An example ofthis tool category is Los AlamosVulnerability Assessment (LAVA) tool.3. Tools that examine a particular aspect of thesystem, such as the operating system ordatabase management system, but ignore theother system components. SATAN, forexample, analyzes operating systemvulnerabilities but ignores infrastructurecomponents such as routers.None of these tools implement an aggregatesnapshot approach to the system, with a “drilldown” or layered approach to facilitateaddressing risk at various layers (network,platform, database, etc.) of the system. Theyprovide little assistance to system designerswhen analyzing alternatives among security risk,system performance and mission functionality.Instead, a “risk solution” is provided thataddresses the particular aspect of risk that agiven tool was designed to calculate. Todevelop a comprehensive risk assessment, a tool

user would have to become proficient in the useof several tools, and manually correlate theresulting outputs.A key for successful risk analysis is completeand accurate data for the generation of thesystem models used by the analysis tools. Mostof the current generation of risk analysis toolsdepends on surveys filled out by users, systemoperations personnel, and analysts to acquire thedata for development of the system model usedfor the analysis. Alternatively, active networkscanning may be used to test variousvulnerabilities against system components.Textual or survey-based knowledge solicitationtechniques are labor intensive and potentiallytedious for the analyst. Many of the existingtools reuse the same information to analyzedifferent aspects of the system security. Acentralized repository of modeling data couldprovide a basis for shared inputs among existingtools. This repository could be used to generatedata sets for use by risk analysis tools, allowingmultiple tools to be run against the same systemwithout separate input activities, reducing thepossibility of operator error. The use of multiplerisk analysis reasoning engines, or backends,would allow various aspects of the system to beanalyzed without the cost of developing one toolto perform all types of analysis. Integration ofthe information and the resulting informedassessments available by applying multiple toolscould produce a more robust and accuratepicture of a system’s vulnerability posture.These results can facilitate more informedsystem design decisions, providing a frameworkfor alternative evaluation and comparison.For the past two years, Harris Corporation hasbeen conducting research for the Air ForceResearch Laboratory under the NetworkVisualization Tool (NVT) Program. The NVTconcept defines a knowledge solicitation andtranslation framework for the risk assessmentprocess.This framework incorporates agraphical description of a network topology, acentral repository of modeling data, and reportconsolidation from multiple risk/vulnerabilityassessment tools into a single vulnerabilityassessment. Results are presented to a systemuser through a comprehensible, graphicalinterface. The goal of this effort is to assess thefeasibility of developing such a framework for agraphicalriskanalysisenvironmentaccommodating both existing and new riskanalysis techniques.The result of Network Visualization Tool effortis an initial vulnerability visualization andassessment environment, consolidating multisource output into a cohesive capability withinan open, standards-based architecture. Thispaper describes the NVT system architectureand its components, features and benefits of ourapproach, future research topics, and potentialapplications.II.System OverviewUnder the Network Visualization Tool program,an innovative and unique vulnerabilityassessment framework that can accommodatechanges to threat and technology environmentand preserve the data from current risk analysistools is being developed. The goal of this effortis to research, develop, test, and demonstrate anengineering prototype for a system vulnerabilityassessment framework that helps systemarchitects identify security vulnerabilities anddevelop cost-effective countermeasures.NVT provides a flexible, extensible, andmaintainable solution. The NVT prototypeisolates factual information about a system fromthe reporting and processing capabilities ofindividual vulnerability assessment tools. Nosingle vulnerability assessment tool canadequately address all components of acomprehensive system architecture.Amonolithic assessment system is difficult toevolve with the dynamic nature of threat andtechnology. NVT allows multiple tools to sharedata, and then fuses their results to provide aconcise picture of a network’s security postureto an NVT user, as illustrated in Figure 1. Ourobjective was to develop a prototype systemsecurity engineering tool that:qFunctions as a design tool to identifyvulnerabilities in an architecture before thearchitecture is built and help enforce goodsecurity design principles

Figure 1. NVT Fuses the Results of Multiple Risk Analysis Tools to providea Single, Comprehensive Network Security Posture Report.q“Snapshots” a system and its vulnerabilities,enabling comparison of how risk evolvesover the system lifecycleqApplies static vulnerability databases from avariety of sourcesqApplies legacy risk analysis tools and threatmodelsqCorrelates information from various riskmodels/tools into an understandable pictureof the system’s vulnerabilitiesqqAllows what-if analysis to facilitate trade offanalysis between security, functionality,performance, and availabilityProvides an easy to use way to specify therelevant characteristics of a system designOur vision for a system security engineering toolfacilitating system vulnerability assessmentincorporates a single, graphical representation ofa system.This system representation isprovidedtomultiplerisk/vulnerabilityassessment tools and vulnerability data orknowledge bases, resulting in a single,consolidated input to multiple tools. A FuzzyExpert System applies the unique correlationtechnology of FuzzyFusionTM to combine theunified r port.The architecture concept isThe NVT prototype is implemented on an IntelThis platform was selected as a low cost solutionpThe initial tool suite employs a number ofdqHP OpenView, for network automaticsqANSSR, a GOTS network system analysisqRAM, NSA’s risk assessment methodo ogy,pr gramming language.vulnerabi ity

DataSourcesUser EnteredInformationLegacy RiskTool Data(ANSSR)VulnerabilityTool (ISS)VulnerabilityTool (STAT)SystemPictureComplete System Object ModelPer toolanalysisIndividual Tool ReportsMulti toolanalysisSNMPDiscoveryTool Report FuzzyFusionTMTool toExpertAnalysisDPL-fReportMediaIconFactbase onfig Part of NVT PrototypeFigure 2. The NVT Vulnerability Assessment Tool Architecture Concept.With supporting compilers and displaycapabilities, NVT represents the integration of12 COTS packages into a cohesive riskassessment capability.II.1System Architecture Data EntryNVT is based on the concept of a knowledgesolicitation framework that incorporates agraphical description of a network topology.This topology is used for capture of networkattributes, and is subsequently analyzed forsecurity vulnerabilities.The knowledgesolicitation portion of NVT applies modernnetwork discovery capabilities and a graphicaluser interface. This improves the accuracy ofthe network model, provides a common networkdescription for multiple risk analysis reasoningengines, and enhances the productivity of thesystem security analyst.The NVT prototype automatically maps anexisting network, or can be used for the manualentry of a network design. The prototype usesHP OpenView to graphically depict a networktopology. As illustrated in Figure 3, once it hasbeen given the IP address of the default routerfor the network, NVT, through the use ofOpenView, can search for computers and otherdevices attached to the network. It performs anactive search, pinging possible IP addresses onthe network, and adding whatever responseinformation it receives to its network map. NVTalso provides, through OpenView, a manualmethod to draw a proposed network with agraphical user interface that supports drag anddrop. A System Security Engineer can rapidlydefine a given system architecture, including thesecurity critical information. For example:qA user can apply the manual entry capabilityto consider alternative designs as part of atrade study.qA user may edit the properties of each node,providing additional details as required toprovide complete logical network planning.qA user can also represent an entire networkon a map by using a subnetwork icon. Adetailed map of the subnetwork can belinked to this icon and displayed by doubleclicking on the icon.

Automatic Discoverynext level solutionsNVT TIM #6, #1Figure 3. HP OpenView’s Network Discovery Tools enable NVT users to Mapan Existing Network for Further Security AnalysisOnce the system description has beencompleted, the NVT prototype represents andstores the description in an object/classhierarchy.This single topological modelsupports the information needs of multiplereasoning (vulnerability/risk assessment) tools,as well as the FuzzyFusionTM of their resultsinto a cohesive vulnerability/risk assessment.NVT translates this system representation intothe appropriate format for each of theassessment tools employed.This singlerepresentation of a system simplifies the use ofmultiple tools, eliminating redundant data entry.It also provides the foundation for addressing theproblem of incomplete data for a givenvulnerability assessment tool, and for futureknowledge negotiation capabilities.II.2 Risk Analysis Tool SelectionUnder the Network Visualization Tool program,current COTS, GOTS and research vulnerabilityassessment and reasoning tools were surveyed todetermine their capabilities and availability.Tools were categorized by the types ofvulnerabilities assessed, and their functionalcharacteristics. Each tool was further evaluatedon its data acquisition and output formats todetermine how the information can be applied inthe NVT engineering prototype implementation.The primary criteria were the operating systemrequired by the tool, the capability of the tool toassess network environments, the data gatheringmethods used by the tool, and the risk typesassessed by the tool.The vulnerabilityassessment and reasoning tools have to be ableto run in the NVT prototype’s operationalenvironment (a PC with Windows NT).A primary purpose of the NVT prototype is todemonstrate a framework with the flexibility tointegrate and interactively use multiple ogies. In order to demonstrate the proofof concept of integrating and interactively usingmultiple existing vulnerability assessment andreasoningtechnologieswithinprogramrestrictions, a representative sample of tools wasselected for inclusion in NVT. As a result of thetool survey, ANSSR, RAM, and ISS InternetScanner were selected for inclusion in NVT.

Table 1. Capabilities Summary for the NVT prototype’s Initial Set of Analysis ToolsSelected ToolFunctional CapabilitiesANSSR(Analysis of Networked SystemsSecurity Risks)Mitre CorporationRAM(Risk Assessment Model)NSAISS Internet ScannerInternet Security Systems (ISS)CorporationPassive data gathering- Model structure- Survey based data gathering- Network awarePassive data gathering- Event tree- Prioritized attack listRisk Type- Mathematical model- Multiple risks/services- Event based over timeActive data gathering- Scans network for hosts, servers,firewalls, and routers- Assesses security and policycompliance of networks, operatingsystems, and software applicationsThese three tools met the requirements andprovided the greatest diversity of functionalcapabilities, as shown in Table 1. The selectedtools represent the greatest diversity ofcharacteristics with the fewest expectedintegration risks.The RAM model has been incorporated into aCOTS tool, the DPL-f programming languagefor decision support, developed by AppliedDecision Analysis, Inc., a subsidiary ofPriceWaterhouseCoopers, LLC. This providesRAM with additional capabilities for rapid faulttree construction, libraries of embedded faulttrees, an expert opinion generation system,enumeration and ordering of cut sets, andgraphical portrayal of risk over time.II.3 Output Report Correlation andGenerationNone of the above tools take an aggregatesnapshot approach to the system, with a “drilldown” or layered approach to address risk atvarious layers (network, platform, database, etc.)of the system. Using multiple risk analysis toolswould allow various aspects of the system to beanalyzed for vulnerabilities without the cost ofdeveloping one tool to perform all types ofanalysis. To provide a more comprehensivevulnerability assessment of a system than anyone tool could provide, the outputs of thevarious tools must be integrated and fused into aRisk Type- Single Occurrence of LossExtensible to Risk Type- Comparison of effectiveness ofdifferent designs- Not limited to computers/networks- Optimization of system/cost benefitanalysisRisk Type- Computer Network ComplianceReport (snapshot in time)single, concise report. This would providegreater assistance to system designers analyzingalternatives among security risk, systemperformance, and mission functionality.Under the Network Visualization Tool effort, weinvestigated technologies that would support ourgoal of integrating and fusing the results frommultiple vulnerability analysis applications. Byexamining the variety of current COTS andGOTS products, and the variety of inputs andoutputs those products require, it becameapparent that fuzzy decision technology offeredthe most flexible solution to our problem. Ourfocus on fuzzy decision methodologies as ourtechnology foundation was based on an analysisof a variety of technologies, including ExpertSystems, Databases Systems, Data Fusion,Neural Networks, Fuzzy Logic, and FuzzyExpert Systems. The later is based on thepremise that multi-criteria, multi-expert decisionmaking can lead to a best-fit answer. Primarybenefit of a fuzzy reasoning system is its abilityto use and assimilate knowledge from multiplesources. We believe that fuzzy expert systemtechnology is applicable because:qAn expert exists for each tool that we wishto include in the systemqThe problem itself is fuzzy; it hasambiguities and often partial information

Figure 4. NVT leverages Existing Vulnerability Assessment Tools to presenta Single, Cohesive Risk Picture.qWe can incrementally learn and apply newtechnologies as the system growsqWe believe we can identify validmembership functions for the mapping ofdata to concept and concept to knowledgeAs a result of our research of TM technology to combine theresults of multiple vulnerability assessment/riskanalysis tools into a unified report.FuzzyFusionTM combines the techniques offuzzy logic, fuzzy expert systems and datafusion. FuzzyFusionTM incorporates Level 2data fusion, since our data is already aligned.We have an established network model andoperator environment, and need to establish therelationship between the network model and thefindings of the risk analysis tools. Real worldmeasurements are captured in fuzzy logic. Thereasoning concepts from data fusion are used toestablish relationships among the networkmodel, vulnerability findings from the varioustools, and the knowledge of network securityexperts. FuzzyFusionTM is accomplishedthrough the use of a fuzzy expert system, whichcombines the outputs of the various tools, userconcerns about system risks and vulnerabilities,and expert understanding of the results of eachtool and how these fit into the larger informationsystem security picture.Output of the concise assessment can beprovided to the NVT user through multiplemeans and in various degrees of detail, asillustrated in Figure 4. The graphical networkmap of a system can be color-coded to provide avisual indication of where the greatest risks arelocated. In Figure 4, the node with the greatestassociated risk is colored red. Less severe risksare colored yellow. A pop-up slider window canalso be utilized to indicate the top N risks, andtheir severity. Further details, such as textreports and spreadsheet analyses, can beaccessed by drilling down through the layers ofinformation.

ANSSR Manual Entrynext level solutionsNVT TIM #6, #1Figure 5. Entering System Information into the Interface for ANSSR isa Manually Intensive Process.III.Features & Benefits of NVTThe result of the NVT Program is a prototypedemonstrating a comprehensive vulnerabilityprofile based on the user defined acceptable riskof compromise to a given system. End usershave a simple expression of the vulnerabilityposture of a given system or system design, andare capable of performing “what if” analysis forfunctionality, performance, and countermeasuretrades.The primary advantage of the NVT prototype isthat it provides a flexible, modular, extensibleapproach to vulnerability assessment. Thisinnovative design accommodates multiple riskassessment techniques, but only requires singleentry of the system description (through autodiscovery or manual entry of a model), which isa significant benefit to the System SecurityEngineer. Figure 5 illustrates the interface toANSSR, which supports a character based GUIwhen it is used as a stand-alone tool. As thenumber of windows and menus suggests, entryof information into the tool is a manuallyintensive exercise. One of the benefits of NVTis that it automates providing the requiredsystem information to the various vulnerabilityassessment tools, allowing each tool to use onlythe input data it requires. NVT eliminates themanually intensive operations associated withlegacy assessment tools, and preserves existinguser investment in legacy methodologies. NVTalso provides a mechanism to correlateinformation among tools. Information solicitedfrom the user for any single tool is shared amongall tools. Legacy vulnerability assessment toolsand databases can be reused, and their resultsused in conjunction with alternate risk models.NVT was designed to be an affordablevulnerability assessment environment. Manymonolithic risk assessment tools require highperformance Unix platforms and cost over 40,000 per copy of each tool. The NVTprototype is being developed on a Windows NTbased Pentium platform. Our initial tool suitereflects a desire to be economical and pragmaticin tool selection. Three COTS/GOTSvulnerability assessment tools, are incorporatedinto the framework: ANSSR, DPL-f, and ISSInternet Scanner. Costs for the runtime licenses

of COTS products currently employed withinthe NVT prototype along with a suitable NTworkstation are approximately 30,000.The modular, extensible system design for NVTensures ease of technology transition andintegration as new vulnerability tools andtechnology vulnerabilities come to market. Thismodularity also preserves user legacy models,and allows each user to select the tools mostappropriate for his environment and needs. Thismodel also allows a user to preserve hiscorporate investment.For example, if anorganization already employs active scanningtechnology, the tool can be integrated into theNVT framework with little difficulty. Thisprovides a new source of input (the existingtool), and makes new processing elements(additional risk assessment tools) available tothe enterprise.new functionality to incorporate into resultanalysis, including:qTemporal based reasoning – accounts forthe time required to exploit a knownvulnerability as part of the systemassessment process. It enables a user toperform a vulnerability assessment thattakes into account the time required toexercise a given vulnerability. For example,if time required to penetrate/compromise anode exceeds the timeline for a mission,then the threat is minimal.qVulnerability thresholding – minimizescontinued computation when an aggregatevulnerability level in a given system orsegment exceeds a user defined limit,allowing the user to define his ownvulnerability tolerance. It eliminatespossibly computationally intensive searchtrees when a sufficiently lethal vulnerabilityis located, or when a large number ofvulnerabilities are identified. It allows theuser to define his vulnerability tolerancelevel, and supports tailorable definitions ofacceptable levels of vulnerability.qReasoning with uncertainty or incompletedata information – provides the user withsome answer, the best that is available withthe information niques – allow the user to gperformance,functionality, and countermeasures.Itenables the user to readily understand thetrade-offs among desired capabilities.IV. Future ResearchThe basic foundation of NVT provided valuableexperience in risk analysis tool integration andcorrelation technologies. Future research anddevelopment efforts would benefit fromfeedback from System Security Engineers usingthe NVT prototype as a tool to:qIdentify vulnerabilities and enforce goodsecurity design principlesq“Snapshot” a system and its vulnerabilities,and compares how risk evolves over thesystem lifecycleqCorrelate information from various risktools in an understandable graphicalvulnerability analysisqSupport hypothetical analysis, facilitatingarchitecture choices among security,functionality, performance, and availabilityqProvide rapid specification of the relevantcharacteristics of a system designBeyond the efforts conducted under the initialNVT Program, further research is need toimprove the FuzzyFusionTM used to combineoutputs from various risk analysis tools into aunified report. In addition, we have identifiedThis functionality will allow NVT to moreaccurately reflect the human decision makingprocess. Further, it will support a more robust,systems orientation towards vulnerabilities,accommodating consideration of application andplatform vulnerabilities as well as networkvulnerabilities.V.Potential ApplicationsThe NVT program has developed foundationtechnology that can be applied to three distinct

related problem domains: security riskassessment, security modeling, and securityadministration. Our initial research, as well asthis paper, was directed at the security riskassessment problem domain. NVT could also beintegrated with existing network modeling toolsto provide a security perspective to networkmodeling environments.As a securityadministrator’s toolset, NVT could be anintegration platform for administrative toolssuch as password dictionaries, to provide anoperationally oriented security assessmentcapability.This research was funded under the NetworkVisualization Tool (NVT) program for U.S.AFRL/IFGB, contract #F30602-96-C-0289. U.S.Government Publication Release Authority: DwayneP. Allain or Peter J. Radesi.References1. Computers in Security. Charles P. Pfleeger.Prentice Hall PTR. Upper Saddle River, NJ.1997.4. “ANSSR: A Tool for Risk Analysis ofNetworked Systems”. D. J. Bodeau, F. N.Chase, and S. G. Kass. Proceedings of the13thNationalComputerSecurityConference. October 1990.5. “A Practitioner’s View of CRAMM”.Norman Truman. Gamma Secure t5.html. September 1997.6. DPL-f User Manual.Analysis LLC. 1999.Applied Decision7. ISS Internet Scanner User Guide forWindows NT. Internet Security Systems(ISS). Atlanta, GA. 1997.8. HP OpenView for Windows: WorkgroupNode Manager User’s Guide. HewlettPackard. Cupertino, CA. 1998.9. HP OpenView: Professional Suite GettingStarted Guide. Hewlett Packard. Cupertino,CA. 1998.2. “Sniffing Out Network Holes”. LeslieO’Neil and Joe Scambray. INFOWORLD.February 8, 1999. Pp. 74-82.10. “L-3 Network Security Expert 3.0”. Productreview, SC Magazine (Information l.3. Analysis of Networked Systems SecurityRisks (ANSSR) Assessment Tool, Version2.2, User’s Manual. D. J. Bodeau and F. N.Chase. The MITRE Corporation. Bedford,MA.11. Network Visualization Tool Program –Final Scientific & Technical Report. R. R.Henning, K. L. Fox, J. T. Farrell, C. C.Miller, E. P. Meijer. Harris Corporation.Melbourne, FL. June 1999.

The Network Vulnerability Tool -A System Vulnerability Visualization ArchitectureKevin L. Fox, Ph.D.407-984-6011kfox@harris.comNVT, #1Ronda R. Henning407-984-6009rhenning@harris.comnext level solutions4-Aug-99

Network Visualization Tool Program AFRL-funded research program with 2 goals:1. Investigate: The feasibility of a common risk assessment andvulnerability detection architecture Enhanced usability, productivity, and system coverage2. Define techniques to promote: enhanced knowledge solicitation normalized, shared system representation application of data fusion techniques to riskand vulnerability reporting comprehensible reporting mechanisms for resultsinterpretationNVT, #2next level solutions4-Aug-99

User’s Perspective “I don’t know what’s on my network” “The last risk assessment was done15 years ago” “I don’t know if I can connect mylegacy systems in transition” “How do I know if I’ve fixed all thesystems” “What is an acceptable risk?”NVT, #3next level solutions4-Aug-99

The Risk Tool Landscape Monolithic, proprietary environments Difficult to incorporate new threats or technologies Multiple tools with multiple system representations from users and scanning technology no reuse or information sharing Diverse, single solution toolsSystemic vulnerability scannersVulnerabilityAssessment systemic risk assessment ToolsScanners

facilitating system vulnerability assessment incorporates a single, graphical representation of a system. This system representation is provided to multiple risk/vulnerability assessment tools and vulnerability data or knowledge bases, resulting in a single, consolidated input to multiple tools. A Fuzzy E xpert System applies the unique correlation

Related Documents:

May 02, 2018 · D. Program Evaluation ͟The organization has provided a description of the framework for how each program will be evaluated. The framework should include all the elements below: ͟The evaluation methods are cost-effective for the organization ͟Quantitative and qualitative data is being collected (at Basics tier, data collection must have begun)

Silat is a combative art of self-defense and survival rooted from Matay archipelago. It was traced at thé early of Langkasuka Kingdom (2nd century CE) till thé reign of Melaka (Malaysia) Sultanate era (13th century). Silat has now evolved to become part of social culture and tradition with thé appearance of a fine physical and spiritual .

On an exceptional basis, Member States may request UNESCO to provide thé candidates with access to thé platform so they can complète thé form by themselves. Thèse requests must be addressed to esd rize unesco. or by 15 A ril 2021 UNESCO will provide thé nomineewith accessto thé platform via their émail address.

̶The leading indicator of employee engagement is based on the quality of the relationship between employee and supervisor Empower your managers! ̶Help them understand the impact on the organization ̶Share important changes, plan options, tasks, and deadlines ̶Provide key messages and talking points ̶Prepare them to answer employee questions

Dr. Sunita Bharatwal** Dr. Pawan Garga*** Abstract Customer satisfaction is derived from thè functionalities and values, a product or Service can provide. The current study aims to segregate thè dimensions of ordine Service quality and gather insights on its impact on web shopping. The trends of purchases have

Chính Văn.- Còn đức Thế tôn thì tuệ giác cực kỳ trong sạch 8: hiện hành bất nhị 9, đạt đến vô tướng 10, đứng vào chỗ đứng của các đức Thế tôn 11, thể hiện tính bình đẳng của các Ngài, đến chỗ không còn chướng ngại 12, giáo pháp không thể khuynh đảo, tâm thức không bị cản trở, cái được

Kandy. The highest vulnerability (0.45: moderate vulnerability) to dengue was indicated from CMC and the lowest indicated from Galaha MOH (0.15; very low vulnerability) in Kandy. Interestingly the KMC MOH area had a notable vulnerability of 0.41 (moderate vulnerability), which was the highes

America’s criminal justice system. Racial and ethnic disparity foster public mistrust of the criminal jus-tice system and this impedes our ability to promote public safety. Many people working within the criminal justice system are acutely aware of the problem of racial disparity and would like to counteract it. The pur-pose of this manual is to present information on the causes of disparity .