riskanalysis
riskanalysis [2017/10/23 15:42] – [Factors of risk] lallodi | riskanalysis [2021/01/10 21:04] (current) – external edit 127.0.0.1 | ||
Line 1: | Line 1: | ||
- | ====== Cyber-risk Analysis ====== | + | ====== Cyber-Risk Analysis |
+ | This research line at TU/e SEC is led by [[http:// | ||
===== Vulnerability remediation ===== | ===== Vulnerability remediation ===== | ||
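Review bot: the new title "Cyber-Risk Analysis" switches to title case while the section heading directly below it ("===== Vulnerability remediation =====") stays in sentence case; pick one capitalisation style for headings. The new intro line is cut off at "[[http://" in this rendering, so the link target cannot be checked here; confirm it resolves in the saved revision.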
Line 10: | Line 11: | ||
- introduce new vulnerabilities. | - introduce new vulnerabilities. | ||
- | The IT response to that is, in general: “any severe-enough vulnerability must be fixed”. The industry standard to measure vulnerability severity is the Common Vulnerability Scoring System (CVSS) by NIST, but this is known to be uncorrelated with actual exploits [[http:// | + | The IT response to that is, in general: “any severe-enough vulnerability must be fixed”. The industry standard to measure vulnerability severity is the Common Vulnerability Scoring System (CVSS) by NIST, but this is known to be uncorrelated with actual exploits [[http:// |
- | confounding factors [[http:// | + | confounding factors [[http:// |
This led to poor vulnerability management practices whereby vulnerability patching work is overwhelmed by the huge number of patches to install, that cannot however be straightforwardly applied because of the concerns outlined above. | This led to poor vulnerability management practices whereby vulnerability patching work is overwhelmed by the huge number of patches to install, that cannot however be straightforwardly applied because of the concerns outlined above. | ||
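Review bot: "the Common Vulnerability Scoring System (CVSS) by NIST" attributes the standard to the wrong body; CVSS is maintained by FIRST, while NIST's NVD publishes CVSS scores for CVEs. The closing sentence is also a run-on; suggest "This has led to poor vulnerability management practices: patching teams are overwhelmed by the number of patches to install, yet cannot apply them straightforwardly because of the concerns outlined above."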
Line 24: | Line 25: | ||
Cyber-attacks can be roughly classified in two categories: | Cyber-attacks can be roughly classified in two categories: | ||
- | - **Targeted cyber-attacks**: | + | - **Targeted cyber-attacks**: |
- **Untargeted cyber-attacks**: | - **Untargeted cyber-attacks**: | ||
- | ==== Factors of risk ==== | + | ==== Factors of risk: attacker economics==== |
Whereas targeted attack scenarios vary on a case-by-case basis, untargeted attacks can be more generally characterized. Due to the relevance of the latter on the overall threat scenario, in the remainder we focus on this. | Whereas targeted attack scenarios vary on a case-by-case basis, untargeted attacks can be more generally characterized. Due to the relevance of the latter on the overall threat scenario, in the remainder we focus on this. | ||
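Review bot: the new heading "==== Factors of risk: attacker economics====" drops the space before the closing "====", unlike every other heading on the page; write it as "==== Factors of risk: attacker economics ====" for consistency. "Due to the relevance of the latter on the overall threat scenario" reads better as "Given the weight of the latter in the overall threat landscape".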
Line 33: | Line 34: | ||
Untargeted attacks are used to achieve a number of impacts on victim systems; for example, installing banking Trojans; stealing credentials, | Untargeted attacks are used to achieve a number of impacts on victim systems; for example, installing banking Trojans; stealing credentials, | ||
- | This lead to the commodification of cyber-attackers whereby attackers can buy attack technology and products of attacks (e.g. spam services) from other attackers. A non-technical summary of the characteristics of underground markets can be found in [[http:// | + | This lead to the commodification of cyber-attackers whereby attackers can buy attack technology and products of attacks (e.g. spam services) from other attackers. |
- | + | ||
- | The core idea of an underground market is to breakdown the phases of an attack in “atomic units” that can then be re-composed by the customer to generate the attack he/she wishes to launch. For example, an attacker may compose an attack with specific exploits (e.g. for internet explorer vulnerabilities), | + | |
While this obviously simplifies the attack process for the attacker (who does not need to be technically sophisticated to engineer all attacks from scratch), introduces limitations in the likely sources of attack as these will coincide with the market’s offering/ | While this obviously simplifies the attack process for the attacker (who does not need to be technically sophisticated to engineer all attacks from scratch), introduces limitations in the likely sources of attack as these will coincide with the market’s offering/ | ||
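Review bot: "This lead to the commodification of cyber-attackers" should read "This led to the commodification of cyber-attacks" (it is the attacks and tooling that become commodities, as the rest of the sentence says). The new revision also removes the paragraph explaining that underground markets break an attack into "atomic units" that the customer recomposes, yet the following paragraph ("While this obviously simplifies the attack process ...") still refers to that model with "this" and "the market's offering"; either keep a one-sentence version of the removed explanation or reword the follow-on paragraph. That paragraph is also missing its subject: "... from scratch), it introduces limitations ...".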
Line 44: | Line 43: | ||
The creation of objective risk estimation methods for risk assessment remains an open challenge, to adapt existent risk metrics (like [[https:// | The creation of objective risk estimation methods for risk assessment remains an open challenge, to adapt existent risk metrics (like [[https:// | ||
+ | |||
+ | ===== References ===== | ||
+ | |||
+ | * Luca Allodi and Fabio Massacci (2017), Security Events and Vulnerability Data for Cybersecurity Risk Estimation. Risk Analysis, 37: 1606–1627. doi: | ||
+ | * Luca Allodi, Fabio Massacci. Comparing vulnerability severity and exploits using case-control studies. ACM Transactions on Information and System Security (TISSEC). 17, 1, Article 1 (August 2014), 20 pages. [[http:// | ||
+ | * Luca Allodi. (2015, March). The heavy tails of vulnerability exploitation. In International Symposium on Engineering Secure Software and Systems (pp. 133-148). Springer, Cham. [[http:// | ||
+ | * Luca Allodi. Attacker economics for Internet-scale vulnerability risk assessment (Extended Abstract) Research proposal, in Proceedings of Usenix LEET 2013. [[http:// | ||
+ | * Luca Allodi, Fabio Massacci. How CVSS is DOSsing your patching policy (and wasting your money). Presentation at BlackHat USA 2013. [[http:// | ||
+ | * Luca Allodi, Woohyun Shim, Fabio Massacci. Quantitative assessment of risk reduction with cybercrime black market monitoring. Proceedings of IEEE S&P 2013 International Workshop on Cyber Crime. [[http:// | ||
+ | * Luca Allodi, Fabio Massacci. A Preliminary Analysis of Vulnerability Scores for Attacks in Wild. Proceedings of BADGERS 2012 CCS Workshop. [[http:// |
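Review bot: the reference entries mix citation styles: the first gives the year after the authors in parentheses, the third as "(2015, March)", and the rest put the year inside the venue or omit it; the first entry also ends at "doi:" with no identifier visible in this rendering. Normalise to one format (authors, year, title, venue, pages, identifier) and fill in the DOI before publishing.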
riskanalysis.txt · Last modified: 2021/01/10 21:04 by 127.0.0.1