riskanalysis

Differences

Previous revision: riskanalysis [2017/10/24 15:23] by lallodi, section [Vulnerability remediation]
Newer revision: riskanalysis [2017/10/24 15:24] by lallodi, section [Attack types]
Line 11: Line 11:
   - introduce new vulnerabilities.   - introduce new vulnerabilities.
  
-The IT response to that is, in general: “any severe-enough vulnerability must be fixed”. The industry standard to measure vulnerability severity is the Common Vulnerability Scoring System (CVSS) by NIST, but this is known to be uncorrelated with actual exploits [[http://​www.win.tue.nl/​~lallodi/​allodi-tissec-14.pdf|(Allodi TISSEC 2014)]]. The Figure on the side {{ :​imgs:​riskanalysis:​vulnvens.png?​nolink&​280|}} depicts a Venn Diagram distribution of vulnerabilities (NVD), vulnerabilities with a Proof-of-Concept exploit (EDB), vulnerabilities in the black markets (EKITS), and vulnerabilities exploited at scale (SYM). Areas are proportional to number of vulnerabilities,​ and color mappings match High (red), Medium (yellow), Low (blue) CVSS severities [[http://​nvd.nist.gov|(NVD)]]. As one can see, CVSS severities do not appear to be good predictors for probability of inclusion in SYM, an insight that remains valid also after more formally controlling for possible  +The IT response to that is, in general: “any severe-enough vulnerability must be fixed”. The industry standard to measure vulnerability severity is the Common Vulnerability Scoring System (CVSS) by NIST, but this is known to be uncorrelated with actual exploits [[http://​www.win.tue.nl/​~lallodi/​allodi-tissec-14.pdf|(Allodi ​et al. TISSEC 2014)]]. The Figure on the side {{ :​imgs:​riskanalysis:​vulnvens.png?​nolink&​280|}} depicts a Venn Diagram distribution of vulnerabilities (NVD), vulnerabilities with a Proof-of-Concept exploit (EDB), vulnerabilities in the black markets (EKITS), and vulnerabilities exploited at scale (SYM). Areas are proportional to number of vulnerabilities,​ and color mappings match High (red), Medium (yellow), Low (blue) CVSS severities [[http://​nvd.nist.gov|(NVD)]]. As one can see, CVSS severities do not appear to be good predictors for probability of inclusion in SYM, an insight that remains valid also after more formally controlling for possible  
-confounding factors [[http://​www.win.tue.nl/​~lallodi/​allodi-tissec-14.pdf|(Allodi TISSEC 2014)]].+confounding factors [[http://​www.win.tue.nl/​~lallodi/​allodi-tissec-14.pdf|(Allodi ​et al. TISSEC 2014)]].
  
 This led to poor vulnerability management practices whereby vulnerability patching work is overwhelmed by the huge number of patches to install, that cannot however be straightforwardly applied because of the concerns outlined above. ​ This led to poor vulnerability management practices whereby vulnerability patching work is overwhelmed by the huge number of patches to install, that cannot however be straightforwardly applied because of the concerns outlined above. ​
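Review bot: the changed lines still open with "known to be uncorrelated with actual exploits", which is stronger than the conclusion the same paragraph then draws from the Venn diagram ("CVSS severities do not appear to be good predictors for probability of inclusion in SYM"); since this hunk already touches both citations to Allodi et al. TISSEC 2014, align the two statements, e.g. "known to be a poor predictor of actual exploitation". Two smaller points on the same lines: "by NIST" attributes CVSS to NIST, whereas the reference that follows points at NVD, which is NIST's scoring database (the CVSS specification itself is maintained by FIRST), so "as scored in NIST's NVD" would match the citation; and the sentence is split mid-clause across two lines ("controlling for possible" / "confounding factors"), which reads as a paragraph break once rendered.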
Line 25: Line 25:
 Cyber-attacks can be roughly classified in two categories: Cyber-attacks can be roughly classified in two categories:
  
-  - **Targeted cyber-attacks**:​ these attacks target specific systems and organizations and are typically carried by sophisticated,​ technically advanced attackers. These may be nation-state agencies as well as resourceful enterprises (e.g. for espionage purposes). These attack may be carried by means of the so-called “0-day” attacks, i.e. exploits that attack a vulnerability that is unknown to the defender (e.g. because the attacker discovered it). These attacks are very rare. A 2012 study revealed that only a small fraction of overall attacks involve 0-days [[https://​users.ece.cmu.edu/​~tdumitra/​public_documents/​bilge12_zero_day.pdf| (Bilge CCS 2012)]].+  - **Targeted cyber-attacks**:​ these attacks target specific systems and organizations and are typically carried by sophisticated,​ technically advanced attackers. These may be nation-state agencies as well as resourceful enterprises (e.g. for espionage purposes). These attack may be carried by means of the so-called “0-day” attacks, i.e. exploits that attack a vulnerability that is unknown to the defender (e.g. because the attacker discovered it). These attacks are very rare. A 2012 study revealed that only a small fraction of overall attacks involve 0-days [[https://​users.ece.cmu.edu/​~tdumitra/​public_documents/​bilge12_zero_day.pdf| (Bilge ​et al. CCS 2012)]].
   - **Untargeted cyber-attacks**:​ these attacks are launched against the population of Internet users at large. Vulnerable targets end up being infected, whereas non-vulnerable targets remain unaffected. The attacker does not target specific systems or users, but rather a class of users with certain characteristics . These attacks are by far the most common and exploit well-known vulnerabilities. For example, the recent WannaCry malware exploited a long-patched vulnerability and affected millions of users worldwide without targeting any specific organization (for example, the UK NHS has been a victim of the malware not because of attacker interest in its systems, but because of its reliance to old software configurations.   - **Untargeted cyber-attacks**:​ these attacks are launched against the population of Internet users at large. Vulnerable targets end up being infected, whereas non-vulnerable targets remain unaffected. The attacker does not target specific systems or users, but rather a class of users with certain characteristics . These attacks are by far the most common and exploit well-known vulnerabilities. For example, the recent WannaCry malware exploited a long-patched vulnerability and affected millions of users worldwide without targeting any specific organization (for example, the UK NHS has been a victim of the malware not because of attacker interest in its systems, but because of its reliance to old software configurations.
  
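Review bot: the edited Targeted bullet still reads "These attack may be carried" (should be "These attacks may be carried"), and the unchanged Untargeted bullet has an unclosed parenthesis starting at "(for example, the UK NHS has been a victim" as well as "reliance to old software configurations" where "reliance on" is meant; since this hunk already modifies the Bilge et al. CCS 2012 citation in the first bullet, fix the plural there and close the parenthesis and the preposition in the second in the same edit. The stray space before the full stop in "certain characteristics ." is in the same line.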
riskanalysis.txt · Last modified: 2017/10/24 15:24 by lallodi