1 An Empirical Analysis of Vendor Response to Vulnerability Disclosure Ashish Arora, Ramayya Krishnan, Rahul Telang, Yubao Yang Carnegie Mellon University.
2 Motivation
Information security breaches: a significant and increasing threat.
Lack of systematic policy for how vulnerability information should be disclosed.
Self-reported security incidents.

3 Motivation
While theoretical models are useful for understanding the issues surrounding vulnerability disclosure, we need empirical estimates for policy making.
One of the key factors is understanding how vendors respond to disclosure and disclosure policies.
An empirical estimate of vendor response to the disclosure window would be very useful in calibrating current policies. However, data collection is non-trivial.

4 Research goals
Whether (and by how much) early disclosure induces vendors to patch faster.
What other key factors condition patching time?

5 Literature
Arora, Telang, and Xu (2003) outline a model for the optimal policy for software vulnerability disclosure.
Telang and Wattal (2004) show that disclosure is costly to vendors and hence provides incentives to vendors to improve the quality of their software.
Market-based mechanisms
–Camp and Wolfram (2004) describe a means for creating a market for vulnerabilities in order to increase the security of systems
–Kannan and Telang (2004) show that markets always perform worse than CERT because of poor disclosure rules
–Schechter (2002) argues that vendors should create and exploit a market for testers
–Ozment (2004) proposes an auction-based market mechanism

6 Predictions of Analytical Model (Arora, Telang and Xu [2003])
Vendors face a cost of patching. The more time they have for patching, the less it costs them.
Vendors' customers incur losses when they are breached. Depending on the market structure, vendors "internalize" some of the customer loss. The more loss they internalize, the more cost they incur and the earlier the patch.
Disclosure of a vulnerability is potentially hurtful to customers because disclosure makes it easier for hackers to find the information too. Thus the disclosure threat supposedly forces vendors to patch faster, because disclosure increases their costs.
However, there is little (if any) empirical evidence that vendors indeed patch faster, and by how much.

7 Model Prediction
Besides understanding the role of disclosure, we also investigate other factors that have a bearing on vendor response. Some of the factors are:
–Severity of the vulnerability
–Vendor characteristics
–Open source / closed source
–Disclosure source
–Publicly traded firm
–Effect of September 11

8 Data
Vulnerabilities published by SecurityFocus or CERT/CC.
Information on the key time variables (Patching time = Date of patch – Date of notification). CERT provided us with information on when they notified the vendors, the date on which vendors delivered a patch to them, etc.
Vendor information from Hoover's online business information database and vendors' websites.
Vulnerability information from the NIST ICAT database.
Time period from 9/26/2000 to 8/11/ observations, related to 255 unique vendors and 303 unique vulnerabilities documented in the ICAT database.

9 CERT/CC vs. SecurityFocus
Two major vulnerability disclosure sources.
CERT/CC (a federally supported R&D center)
–Typically a 45-day secret period after notifying vendors
–No exploit code disclosed
SecurityFocus (an online open forum)
–Policy of instant disclosure (many times individuals may give vendors some time before disclosure)
–Discloses full information
We discard all vulnerabilities that are reported first by vendors.

10 Early disclosure
Any time a vulnerability is disclosed within the disclosure window (mostly 45 days) and the vendor has not patched, early disclosure happens. However, in our sample, most of the time disclosure happens quite early.
–Instant disclosure is the case when disclosure happens before or at the same time the vendor is notified of the vulnerability.
"Not early" case on SecurityFocus
–Identifiers tend to be careful in using this powerful instant disclosure tool. They inform the vendor first and wait for the vendor's patch before posting on the SecurityFocus website.
–30% in our sample
"Early" case on CERT/CC
–Disclosure by others in the CERT/CC secret time period
–Already publicly known when CERT/CC picked it up
–A vendor was missed when CERT/CC notified other vendors
–Disclosure before 45 days if 80% of the vendors are ready

11 Impact of instant disclosure
                      | Without instant disclosure | With instant disclosure
Patching Time (days)  | 58.08 (78.30)              | 44.37 (80.01)
Severity Metric       | 29.97 (22.68)              | 23.44 (21.34)
Obs / vuls            |                            |

Impact of publication source
                      | Published by CERT/CC | Published by SecurityFocus
Patching              | 48.41 (78.13)        | 63.91 (94.79)
Severity Metric       | 27.38 (22.37)        | 8.76 (4.48)
Obs / vuls            | 1181 /               | / 43

12 Impact of disclosure source (for instantly disclosed vuls)
                | CERT/CC       | SecurityFocus | Others
Patching Time   | 24.46 (36.96) | 42.95 (78.59) | 59.42 (97.71)
Metric          | 38.41 (23.79) | 21.60 (21.63) | 16.97 (13.33)
Obs / vuls      |               |               |
Disclosure by CERT/CC has a significantly larger impact on vendors' patching speed than disclosure by SecurityFocus or by other sources.

13 Vendor Characteristics
                 | Mean | Std Dev
No. of Employees |      |
Open Source      |      |
Public Firms     |      |
There are a total of 255 unique vendors. The above statistics are based on the 121 vendors for which we have reliable information.
Vulnerability Characteristics
There are a total of 301 unique vulnerabilities. Average Severity Score was . Each vulnerability affected on average 11 vendors.

14 Analysis
Two sets of analysis:
–Impact of disclosure on patching time. Conditional on not having patched until time t-1, how will disclosure at time t affect the vendor's patching speed? We choose different values of t.
–Impact of the expected "disclosure window" on patching time. How will a change in the disclosure window affect vendors' patching behavior?
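To make the variable definitions on slides 8, 10 and 14 concrete, the following Python example (added here; not the authors' code) classifies constructed vulnerability records as instant / early / not early, computes patching time, builds the "disclosed by day t, still unpatched at t-1" regressor, and converts a regression coefficient into a percentage speed-up. The record layout, the 45-day default window, and the log(patching time) functional form behind percent_faster are assumptions, not facts stated on the page.

```python
from dataclasses import dataclass
from datetime import date
from math import exp
from typing import Callable, Optional

# Hypothetical record layout; the paper's real dataset schema is not on the page.
@dataclass
class VulnRecord:
    vuln_id: str
    vendor: str
    notified: date            # date the vendor was notified (slide 8)
    disclosed: date           # date the vulnerability became public
    patched: Optional[date]   # None if no patch has shipped yet
    source: str               # "CERT", "SecurityFocus" or "Other"

def patching_time(r: VulnRecord) -> Optional[int]:
    """Patching time = date of patch - date of notification (slide 8)."""
    return None if r.patched is None else (r.patched - r.notified).days

def disclosure_class(r: VulnRecord, window: int = 45) -> str:
    """Slide 10: 'instant' if public on/before notification, 'early' if public inside the window while unpatched, else 'not_early'."""
    lag = (r.disclosed - r.notified).days
    if lag <= 0:
        return "instant"
    unpatched_at_disclosure = r.patched is None or r.disclosed < r.patched
    return "early" if lag <= window and unpatched_at_disclosure else "not_early"

def disclosed_by(r: VulnRecord, t: int) -> Optional[int]:
    """Slide 14 regressor: for vendors still unpatched at day t-1, 1 if disclosed by day t else 0; None if not at risk."""
    pt = patching_time(r)
    if pt is not None and pt <= t - 1:
        return None
    return int((r.disclosed - r.notified).days <= t)

def percent_faster(beta: float) -> float:
    """Proportional cut in patching time implied by coefficient beta, assuming the regressand is log(patching time): 1 - exp(beta)."""
    return 1.0 - exp(beta)

def summarize(records, key: Callable[[VulnRecord], str]) -> dict:
    """Mean patching time (days) per group, over patched records, like the slide 11/12 tables."""
    groups: dict = {}
    for r in records:
        pt = patching_time(r)
        if pt is not None:
            groups.setdefault(key(r), []).append(pt)
    return {k: sum(v) / len(v) for k, v in groups.items()}

# Constructed sample records, not data from the paper.
SAMPLE = [
    VulnRecord("V1", "A", date(2001, 3, 1), date(2001, 3, 1), date(2001, 3, 20), "SecurityFocus"),
    VulnRecord("V2", "B", date(2001, 3, 1), date(2001, 3, 31), date(2001, 5, 15), "CERT"),
    VulnRecord("V3", "C", date(2001, 3, 1), date(2001, 3, 11), date(2001, 3, 6), "SecurityFocus"),
    VulnRecord("V4", "D", date(2001, 3, 1), date(2001, 4, 25), None, "Other"),
]
```

Under the log functional form, the slide 21 coefficient of -0.83 on Disclosure gives percent_faster(-0.83) ≈ 0.56, the 56% figure quoted on slide 22.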

15
                   | Te = 0 days: (1.1) Vendor fixed effect | (1.2) Vendor characteristics | Te = days: (2.1) Vendor fixed effect | (2.2) Vendor characteristics
CERT               | (0.18)       | (0.17)       | 0.27 (0.21)  | 0.30 (0.18)
Disclosure         | (0.10)       | (0.10)       | (0.20)       | (0.20)
Firm Size          |              | 0.00 (0.01)  |              | 0.00 (0.02)
Public firm        |              | (0.13)       |              | 0.08 (0.14)
Open source        | (0.35)       | (0.12)       | (0.40)       | (0.15)
Severity metric    | (0.04)       | (0.04)       | (0.06)       | (0.05)
Post September 11  | (0.11)       | (0.10)       | 0.08 (0.15)  | 0.08 (0.14)
Constant           | 4.44 (0.23)  | 4.37 (0.22)  | 3.81 (0.27)  | (0.25)
R2                 |              |              |              |
N                  |              |              |              |
Where the transcript lost a coefficient, only its parenthesized value remains.
Notes: * indicates significant at 10% level, ** indicates significant at 5% level and *** indicates significant at 1% level.

16 Results
Disclosure accelerates patch delivery significantly. For vulnerabilities that are disclosed instantly, the patch comes 55% faster than otherwise.
When disclosure happens later, the patch still comes significantly faster, but the difference in patching speed with and without disclosure seems to shrink.
Open source vendors tend to patch faster; almost 44% faster.
Significant impact of 9/11: patches come faster post 9/11.

17 Impact of Disclosure Source
Te = 0 days            | (1.1) Vendor fixed effect | (1.2) Vendor characteristics
C_C                    | -1.02** (0.23) | -0.95** (0.21)
C_S                    | -1.01** (0.20) | -1.06** (0.18)
C_O                    | -0.63** (0.21) | -0.60** (0.19)
C_None                 | -0.04 (0.20)   | 0.04 (0.18)
Firm Size              |                | 0.00 (0.01)
Public firm            |                | (0.13)
Open source            | -0.55* (0.35)  | -0.52** (0.12)
Severity metric (log)  | -0.07* (0.04)  | -0.07* (0.04)
Post September 11      | ** (0.11)      | -0.38** (0.11)
Constant               | 3.92** (0.22)  | 3.88** (0.21)
R2                     |                |
N                      |                | 1280
Notes: * indicates significant at 10% level, ** indicates significant at 5% level

18
                       | Te = 0 days: (1.1) Vendor fixed effect | (1.2) Vendor characteristics | Te = 4-7 days: (2.1) Vendor fixed effect | (2.2) Vendor characteristics
C_C                    | -1.02*** (0.23) | -0.95*** (0.21) | -0.69* (0.36)   | -0.65* (0.37)
C_S                    | -1.01*** (0.20) | -1.06*** (0.18) | -0.54 (0.46)    | -0.38 (0.46)
C_O                    | -0.63*** (0.21) | -0.60*** (0.19) | 2.04*** (0.74)  | 1.64** (0.70)
C_None                 | -0.04 (0.20)    | 0.04 (0.18)     | 0.52*** (0.19)  | 0.47*** (0.17)
Firm Size              |                 | 0.00 (0.01)     |                 | -0.01 (0.02)
Public firm            |                 | -0.06 (0.13)    |                 | 0.07 (0.13)
Open source            | -0.55* (0.35)   | -0.52*** (0.12) | -1.05*** (0.39) | -0.17 (0.15)
Severity metric (log)  | -0.07* (0.04)   | -0.07* (0.04)   | -0.05 (0.05)    | -0.06 (0.05)
Post September 11      | *** (0.11)      | -0.38*** (0.11) | 0.12 (0.15)     | 0.09 (0.14)
Constant               | 3.92*** (0.22)  | 3.88*** (0.21)  | 3.56*** (0.25)  | 3.56*** (0.24)
R2                     |                 |                 |                 |
N                      |                 |                 |                 |
Notes: * indicates significant at 10% level, ** indicates significant at 5% level and *** indicates significant at 1% level.

19 Impact of Disclosure Window "T"
We now want to understand the impact of the disclosure window on patching time. This is the information a policy maker like CERT needs: before deciding how much time should be given to vendors, they need to know the impact of giving one additional day.
CERT provides approximately 45 days. However, it is clear that most of the time disclosure happens much earlier. This means that the expected disclosure window "T" is much smaller and is unobservable to the econometrician.
But we know that for all vulnerabilities that are disclosed instantly, T = 0. For all others, T > 0. Thus these two samples should provide us with the directional effect of "T" on patching time.

20 Impact of disclosure window "T"
We use only CERT data to analyze this because CERT has a more well-defined policy.
We test whether there is a significant difference between patching times for vulns instantly disclosed and otherwise in the CERT sample.

21
                   | With disclosure source: (1.1) Vendor fixed effect | (1.2) Vendor characteristics | Without disclosure source: (2.1) Vendor fixed effect | (2.2) Vendor characteristics
Disclosure         |                |                | -0.83** (0.11) | -0.93** (0.10)
Disclosed_by_C     | -0.97** (0.17) | -0.99** (0.15) |                |
Disclosed_by_S     | -0.94** (0.13) | -1.09** (0.12) |                |
Disclosed_by_O     | -0.56** (0.14) | -0.63** (0.14) |                |
Firm Size          |                | 0.00 (0.02)    |                | 0.00 (0.02)
Public firm        |                | (0.14)         |                | (0.14)
Open source        | -0.55* (0.36)  | -0.56** (0.13) | -0.60* (0.36)  | -0.55** (0.13)
Severity metric    | (0.04)         | (0.04)         | -0.07* (0.04)  | -0.06* (0.04)
Post 9/11          | ** (0.12)      | -0.40** (0.11) | -0.48** (0.12) | -0.43** (0.11)
Constant           | 3.86** (0.19)  | 3.92** (0.19)  | 3.94** (0.18)  | 3.97** (0.19)
R2                 |                |                |                |
N                  |                |                |                | 1181
Notes: * indicates significant at 10% level, ** indicates significant at 5% level and

22 Results
Vendors are 56% faster when T = 0 compared to when T > 0.
On average, disclosure happens in our sample in 20 days. If we believe that the effect is linear, then on average a one-day decrease in the disclosure window increases the patching speed by 2.8%.

23 Conclusions
We find that disclosure has a significant effect on vendors' patching behavior, in the expected direction.
There is a significant CERT effect: involvement of CERT leads to faster patching irrespective of disclosure.
Open source vendors patch faster; more severe vulnerabilities are patched faster; and there is a significant post-9/11 effect.