| Graduate student: | 陳志豪 Chen, Chih-Hao |
|---|---|
| Thesis title: | 弱點評估及不良設定檢測之研究與實作 A Study and Implementation of Vulnerability Assessment and Misconfiguration Detection |
| Advisor: | 賴溪松 Laih, Chi-Sung |
| Degree: | 碩士 Master |
| Department: | 電機資訊學院 - 電腦與通信工程研究所 Institute of Computer & Communication Engineering |
| Year of publication: | 2008 |
| Academic year of graduation: | 96 (ROC calendar, i.e. 2007-08) |
| Language: | English |
| Pages: | 121 |
| Chinese keywords: | 系統安全 (system security), 不良設定檢測 (misconfiguration detection), 系統設定 (system configuration), 弱點評估 (vulnerability assessment) |
| English keywords: | Misconfiguration Detection, Vulnerability Assessment, System Security, System Configuration |
| Usage statistics: | Views: 79, Downloads: 3 |
Abstract (translated from the Chinese): The spread of the Internet and the ever-growing capability of system software bring users many benefits, but they also bring attacks from the network. The online world is full of attack techniques, and these attacks can cause a system's data to be leaked or destroyed, or even paralyse the whole system. According to the Gartner Group, roughly ninety percent of network attacks exploit misconfigurations and unpatched vulnerabilities in systems or applications. For an enterprise or organization whose online service is taken down by an attack, the loss is not only money but also customers' trust in it, which is a heavy blow; how to raise system security effectively and avoid being infected or intruded upon by these threats has therefore received increasing emphasis in recent years. This thesis proposes an effective assessment and detection system for the misconfigurations and vulnerabilities described above. For misconfigurations, a CCE-based checking tool detects whether the system contains misconfigurations, helping administrators quickly see whether the system's configuration complies with policy and correct the places where it does not. For vulnerabilities, since many vulnerability scanners already exist, we concentrate on vulnerability assessment: using the CVSS vulnerability scoring system, we quantify each vulnerability's impact on the organization so that administrators can understand the severity of each vulnerability and decide the order in which to patch. In addition, because CVSS does not consider scoring the same vulnerability across several computers at once, a vulnerability can receive the same score on a server as on an ordinary computer, or even a lower one. We therefore improve CVSS with respect to this problem so that it is better suited to enterprise and organizational use. Experiments show that the proposed system runs effectively and correctly, helping administrators gain a fuller understanding of all the systems under their control and raise their security.
Abstract (English): The rising popularity of the Internet and the growing capability of systems bring users many advantages. Along with those benefits, the open nature of the Internet also allows a darker element to exist: a wide range of Internet-based attacks. These attacks can force target systems to leak or destroy sensitive information, or even crash the entire system. According to the Gartner Group, most successful attacks exploit software applications and operating systems that were not properly configured or patched. For enterprises, there are far-reaching consequences if their online services are attacked and compromised. What they lose is not only money, but also reputation and client trust. As a result, making their online systems safer is becoming a higher priority. In this thesis, we propose a system to address the misconfiguration and vulnerability issues discussed above. For the configuration part, we use a CCE scanner to scan the system and determine whether misconfigurations are present. From the CCE scanner report, administrators can verify whether a system's configuration corresponds with enterprise policy and, if not, correct the misconfiguration. For the vulnerability part, many vulnerability scanning tools already exist, so we focus on vulnerability assessment. We use the CVSS scoring system to measure the severity of each vulnerability to the organization and to help administrators with patch management. However, CVSS does not account for assessing vulnerabilities across more than one computer, and it does not weight vulnerabilities by the role of the computer. We improve the CVSS scoring system by factoring the severity of a vulnerability by the host's role within the organization or enterprise. Our system helps administrators understand their own systems and enhance system security.
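The scoring the abstract refers to, and the kind of gap between a server and a workstation that the thesis says plain CVSS hides, as a worked example added by the editor (it is not code from the thesis and it is not the thesis's own CVSS modification). The metric weights and the base, temporal and environmental equations are those of the CVSS v2.0 guide (FIRST, 2007); CVE-2002-0392 with vector AV:N/AC:L/Au:N/C:N/I:N/A:C is the guide's own Apache chunked-encoding example (base score 7.8). `ROLE_PROFILES`, the host names, the "finding-B" label and the findings list are constructed assumptions for illustration: each role fixes the environmental security requirements (CR/IR/AR) and collateral damage potential (CDP) for hosts of that role, which is one way to express a host's role within the existing CVSS v2 metrics.

```python
"""CVSS v2.0 base/temporal/environmental scoring with per-host-role
security requirements. Added example, not the thesis's own code."""
from decimal import Decimal, ROUND_HALF_UP

D = Decimal

# Metric weights from the CVSS v2.0 guide (FIRST, June 2007).
AV  = {"L": D("0.395"), "A": D("0.646"), "N": D("1.0")}            # Access Vector
AC  = {"H": D("0.35"), "M": D("0.61"), "L": D("0.71")}              # Access Complexity
AU  = {"M": D("0.45"), "S": D("0.56"), "N": D("0.704")}             # Authentication
CIA = {"N": D("0"), "P": D("0.275"), "C": D("0.660")}               # C/I/A impact
E   = {"U": D("0.85"), "POC": D("0.9"), "F": D("0.95"), "H": D("1.0"), "ND": D("1.0")}
RL  = {"OF": D("0.87"), "TF": D("0.90"), "W": D("0.95"), "U": D("1.0"), "ND": D("1.0")}
RC  = {"UC": D("0.90"), "UR": D("0.95"), "C": D("1.0"), "ND": D("1.0")}
CDP = {"N": D("0"), "L": D("0.1"), "LM": D("0.3"), "MH": D("0.4"), "H": D("0.5"), "ND": D("0")}
TD  = {"N": D("0"), "L": D("0.25"), "M": D("0.75"), "H": D("1.0"), "ND": D("1.0")}
REQ = {"L": D("0.5"), "M": D("1.0"), "H": D("1.51"), "ND": D("1.0")}  # CR / IR / AR

# Hypothetical host-role profiles (an assumption for illustration, not the
# thesis's weighting): the environmental metrics a host inherits from its role.
ROLE_PROFILES = {
    "public web server": {"CR": "M", "IR": "H", "AR": "H", "CDP": "MH"},
    "workstation":       {"CR": "L", "IR": "L", "AR": "L", "CDP": "L"},
}


def _r1(x):
    """Round to one decimal place, half up, as the guide's worked examples do."""
    return x.quantize(D("0.1"), rounding=ROUND_HALF_UP)


def parse_vector(vector):
    """'AV:N/AC:L/Au:N/C:N/I:N/A:C[/E:F/RL:OF/.../CR:M/...]' -> {'AV': 'N', ...}."""
    metrics = dict(part.split(":", 1) for part in vector.split("/"))
    for required in ("AV", "AC", "Au", "C", "I", "A"):
        if required not in metrics:
            raise ValueError(f"base metric {required} missing from {vector!r}")
    return metrics


def _impact(m, cr=D(1), ir=D(1), ar=D(1), cap=False):
    """Impact sub-equation; with requirement weights and cap=True it is AdjustedImpact."""
    raw = D("10.41") * (1 - (1 - CIA[m["C"]] * cr) * (1 - CIA[m["I"]] * ir) * (1 - CIA[m["A"]] * ar))
    return min(D(10), raw) if cap else raw


def _combine(impact, exploitability):
    """Base equation: f(Impact) is 0 when there is no impact, 1.176 otherwise."""
    f_impact = D("1.176") if impact != 0 else D(0)
    return _r1((D("0.6") * impact + D("0.4") * exploitability - D("1.5")) * f_impact)


def cvss2_scores(vector):
    """Base, temporal and environmental scores (floats) for a CVSS v2 vector.
    Temporal/environmental metrics that are omitted default to Not Defined."""
    m = parse_vector(vector)
    exploitability = D(20) * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    base = _combine(_impact(m), exploitability)
    temporal_factor = E[m.get("E", "ND")] * RL[m.get("RL", "ND")] * RC[m.get("RC", "ND")]
    temporal = _r1(base * temporal_factor)
    # Environmental: re-run base and temporal with the requirement-weighted impact.
    adjusted_impact = _impact(m, REQ[m.get("CR", "ND")], REQ[m.get("IR", "ND")],
                              REQ[m.get("AR", "ND")], cap=True)
    adjusted_temporal = _r1(_combine(adjusted_impact, exploitability) * temporal_factor)
    environmental = _r1((adjusted_temporal + (D(10) - adjusted_temporal) * CDP[m.get("CDP", "ND")])
                        * TD[m.get("TD", "ND")])
    return {"base": float(base), "temporal": float(temporal), "environmental": float(environmental)}


def score_for_role(vector, role):
    """Environmental score of `vector` on a host whose role profile supplies CR/IR/AR/CDP."""
    env = "/".join(f"{k}:{v}" for k, v in ROLE_PROFILES[role].items())
    return cvss2_scores(f"{vector}/{env}")["environmental"]


def prioritise(findings):
    """findings: [(host, role, label, base_vector)] -> (score, host, role, label), highest first."""
    scored = [(score_for_role(vec, role), host, role, label) for host, role, label, vec in findings]
    return sorted(scored, key=lambda t: t[0], reverse=True)


if __name__ == "__main__":
    # Constructed sample scan output: the same DoS flaw on hosts of different roles.
    sample = [
        ("ws-17",  "workstation",       "CVE-2002-0392", "AV:N/AC:L/Au:N/C:N/I:N/A:C"),
        ("web-01", "public web server", "CVE-2002-0392", "AV:N/AC:L/Au:N/C:N/I:N/A:C"),
        ("ws-03",  "workstation",       "finding-B",     "AV:L/AC:L/Au:N/C:P/I:P/A:P"),
    ]
    for score, host, role, label in prioritise(sample):
        print(f"{score:4.1f}  {host:7}  {role:18}  {label}")
```

Both hosts carry the same base score of 7.8 for CVE-2002-0392; only the role profiles separate them (10.0 on the web server, 5.9 on the workstation), which is the kind of distinction the abstract says plain CVSS does not make on its own. The caveat is that CVSS v2 defines the environmental metrics once per organization, not per host; mapping them onto host roles, as done here, is the editor's illustration of the idea rather than the thesis's method, and the per-role requirement choices would need to come from the organization's own asset classification.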