Cyber vulnerabilities and the threat of attack: Making things better:

Presentation transcript:

Cyber vulnerabilities and the threat of attack: Making things better: Michael Siegel James Houghton MIT Sloan School of Management http://ic3.mit.edu

Vulnerabilities and Cybersecurity

Vulnerabilities

Creating a Vulnerability Typology

Vulnerability Characteristics
- Quantity of Vulnerabilities: Scarce - Numerous
- Ease of Vulnerability Discovery: Easy - Difficult to Find
- Likelihood of Vulnerability Rediscovery: Low - High

Patching Dynamics
- Technical Difficulty of Remediation: Easy - Hard to Fix
- Logistical Difficulty of Remediation: Easy - Hard to Access
- Average Life of a Vulnerability: Short - Long

Market Dynamics
- Third Party Market for Vulnerability: Offensive, Defensive, Mixed, Etc.
- Market Size: Small - Large
- Bug Bounty Program: Yes, No

Human Dynamics
- Attackers: Criminals, States, Patriots, Etc.
- Researcher Pool

We need to know the characteristics of the software products/environments that we’re dealing with.

System Dynamics Modeling
- Models Human Systems
- Simulates Dynamic Behavior: Process Improvement, Market Crises, Government Stability, Software Development, Hopes, Fears
- Used for over 50 years
- Eliminates limitations of linear logics and over-simplicity
- Based on system structure, behavior patterns, interconnections of positive & negative feedback loops
- SDM helps to uncover ‘hidden’ dynamics in a system
- Helps understand the ‘unfolding’ of situations; helps anticipate & predict new modes
- Explores the range of unintended consequences
- Formalizes connection, causality, and feedback
- Gives structure to data
(chart: behavior over Time)

[Diagram: Undiscovered Vulnerabilities -> Patching]

There are only so many ways an attacker can interact with the system, and so there is a large, but finite, number of vulnerabilities. As we don’t know exactly what they are, we’ll call them ‘Undiscovered Vulnerabilities’. In system dynamics, when we want to show that we’re tracking a stock of something, we put it in a box. <Advance> Now, software vendors do their best to minimize this stock, and actively search for and patch vulnerabilities both before and after the software is released. Perhaps surprisingly, they are helped by a whole group of white-hat hackers who may have other jobs, but who find vulnerabilities and report them to vendors to be patched. We’ll track the flow of vulnerabilities out of this stock and call it ‘Patching’.

[Diagram: Undiscovered Vulnerabilities -> Discovery -> Offensive Stockpile; outflows Patching and Deployment]

Other actors are also looking for vulnerabilities. Black-hat hackers find these vulnerabilities and stockpile them for use in zero-day exploits. This stock decreases as vulnerabilities get patched, <Advance> or as they are deployed in attacks. <Advance> This is the stock that has the largest impact on cyber risk - not the total number of vulnerabilities, but the availability of those vulnerabilities for use in exploits by offensive actors. <Add a case study? Something with a human face and a name?>

[Diagram adds: Black Hat Capability, with inflow Learning, Recruiting and outflow Leaving, Erosion, driving the Discovery flow from Undiscovered Vulnerabilities into the Offensive Stockpile; Patching and Deployment remain]

Let’s look at how this discovery takes place. Black hat hackers have some level of capability which depends on their numbers and their average skill. Over time, their capability erodes as technology changes and people leave the group. <Advance> Black hats also have some level of motivation which is dependent on the perceived reward for finding vulnerabilities, in terms of money, reputation, or pride. <Advance> Together, these factors influence the rate at which vulnerabilities are discovered and stockpiled.

[Diagram adds: White Hat Capability, with its own Learning, Recruiting inflow and Leaving, Erosion outflow, driving the Patching flows]

Remember that army of white hat hackers that we discussed before? Well, they behave in similar ways, and respond to similar pressures. Growth in their capacity influences the rate of patching. Now we have a highly simplified model of the human components of the vulnerability system. As fun as this was, we didn’t build it just to look at. We want to know how we can change the behavior of the system. What can we do - what inputs can we change - to make the system behave the way we want? Well, let’s think like a hacker. What could we change? <Poll audience>
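To make the stock-and-flow structure described above concrete, here is an added simulation of the same stocks (Undiscovered Vulnerabilities, Offensive Stockpile, Black Hat and White Hat Capability) and flows (Discovery, Patching, Deployment, Learning/Recruiting, Leaving/Erosion). It is example code, not the MIT model, and every parameter value, the initial state and the reward function are assumptions chosen for illustration.

```python
"""Stock-and-flow simulation of the vulnerability model sketched in the slides.
Added example, not the MIT model itself; every parameter value is an assumption."""
from dataclasses import dataclass

@dataclass
class State:
    undiscovered: float  # stock: vulnerabilities nobody has found yet
    stockpile: float     # stock: found by black hats, held for zero-day use
    patched: float       # cumulative outflow: Patching
    deployed: float      # cumulative outflow: Deployment in attacks
    black_cap: float     # Black Hat Capability (numbers x average skill)
    white_cap: float     # White Hat Capability (vendor plus volunteer researchers)

def flows(s, find_per_cap, patch_per_cap, deploy_frac, erosion, learn_gain):
    """Yearly flow rates. Discovery and patching scale with the relevant capability
    and with the stock they drain; capability grows with perceived reward
    (Learning, Recruiting) and decays at a fixed rate (Leaving, Erosion)."""
    discovery = find_per_cap * s.black_cap * s.undiscovered
    patch_undiscovered = patch_per_cap * s.white_cap * s.undiscovered
    patch_stockpile = patch_per_cap * s.white_cap * s.stockpile  # defenders independently fix a stockpiled bug
    deployment = deploy_frac * s.stockpile
    reward = s.undiscovered / (s.undiscovered + 100.0)  # assumed: saturating in what is left to find
    black_growth = learn_gain * reward - erosion * s.black_cap
    white_growth = learn_gain * reward - erosion * s.white_cap
    return discovery, patch_undiscovered, patch_stockpile, deployment, black_growth, white_growth

def simulate(years=10.0, dt=0.05, patch_per_cap=0.02, find_per_cap=0.01,
             deploy_frac=0.10, erosion=0.20, learn_gain=2.0):
    """Explicit Euler integration from an assumed initial state; returns the final State."""
    s = State(undiscovered=1000.0, stockpile=0.0, patched=0.0, deployed=0.0,
              black_cap=10.0, white_cap=10.0)
    for _ in range(int(years / dt)):
        d, pu, ps, dep, bg, wg = flows(s, find_per_cap, patch_per_cap,
                                       deploy_frac, erosion, learn_gain)
        s = State(
            undiscovered=s.undiscovered + dt * (-d - pu),
            stockpile=s.stockpile + dt * (d - ps - dep),
            patched=s.patched + dt * (pu + ps),
            deployed=s.deployed + dt * dep,
            black_cap=max(0.0, s.black_cap + dt * bg),
            white_cap=max(0.0, s.white_cap + dt * wg),
        )
    return s

def total(s):
    """Conservation check: every vulnerability sits in exactly one of the four bins."""
    return s.undiscovered + s.stockpile + s.patched + s.deployed

if __name__ == "__main__":
    base, strong = simulate(), simulate(patch_per_cap=0.05)
    print(f"offensive stockpile after 10y: base {base.stockpile:.1f}, stronger patching {strong.stockpile:.1f}")
```

Comparing runs with different inputs (here, white-hat patching effectiveness) is the "what inputs can we change" question the slide poses: the lever that matters is whatever shrinks the Offensive Stockpile, not the raw count of bugs.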

Let’s jump over for a second and look at the data. This chart shows the

Discovery Correlation

[Diagram: the same model, with a Discovery Correlation link between the Discovery and Patching flows (Undiscovered Vulnerabilities, Offensive Stockpile, Discovery, Patching, Deployment, White Hat Capability)]

No Correlation (chart: White Hat vs. Black Hat)

Some Correlation (chart: White Hat vs. Black Hat)

In Simulation

How does discovery correlation arise?
- Fixed code base
- Heterogeneous vulnerabilities
- Common techniques between research groups

For a young piece of software: with our model parameters, 9% overlap

For a hardened piece of software: with our model parameters, 0.8% overlap
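The three causes listed above (a fixed code base, heterogeneous vulnerabilities, shared techniques) can be illustrated with a small Monte Carlo: two independent groups each sample a fixed pool of bugs, and bugs that are easier to find get picked more often by both. This is an added example with assumed pool sizes, sample sizes and findability weights; it is not the authors' model, so its overlap figures are not the 9% and 0.8% quoted on the slides, only the same qualitative ordering.

```python
"""Monte Carlo illustration of discovery correlation: how often two independent
research groups find the same vulnerabilities in a fixed code base.
Added example; the pool size, sample size and findability weights are assumptions."""
import random

def weighted_sample(weights, k, rng):
    """k distinct indices, drawn without replacement with probability proportional
    to weight (Efraimidis-Spirakis: rank items by u ** (1 / w) and keep the top k)."""
    ranked = sorted(range(len(weights)),
                    key=lambda i: rng.random() ** (1.0 / weights[i]), reverse=True)
    return set(ranked[:k])

def mean_overlap(weights, k=50, trials=200, seed=1):
    """Average fraction of group A's finds that an independent group B also found."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        a = weighted_sample(weights, k, rng)  # e.g. white hats
        b = weighted_sample(weights, k, rng)  # e.g. black hats, same pool, same techniques
        total += len(a & b) / k
    return total / trials

# Three assumed findability profiles over a fixed code base of 1000 bugs (constructed)
N = 1000
UNIFORM = [1.0] * N                              # every bug equally easy: overlap ~ k / N
YOUNG = [1.0 / (i + 1) for i in range(N)]        # heterogeneous: a few very easy bugs dominate
HARDENED = [1.0 / (i + 201) for i in range(N)]   # easy bugs already patched out; what remains is uniformly hard

def overlaps():
    """Mean overlap for each profile, keyed by name."""
    return {name: mean_overlap(w)
            for name, w in (("uniform", UNIFORM), ("young", YOUNG), ("hardened", HARDENED))}

if __name__ == "__main__":
    for name, value in overlaps().items():
        print(f"{name:9s} overlap = {value:.1%}")
```

With a uniform pool the overlap is just the sampling fraction; heterogeneity raises it sharply because both groups converge on the easy bugs, and hardening (removing those easy bugs) brings it back down, which is the young-versus-hardened contrast the slides report.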

Dynamics of Threats and Resilience (using System Dynamics modeling)

How did breaches (threats) occur? *
- 67% were aided by significant errors (of the victim)
- 64% resulted from hacking
- 38% utilized Malware

How are security and threat processes (resilience) managed? *
- Over 80% of the breaches had patches available for more than 1 year
- 75% of cases go undiscovered or uncontained for weeks or months

* Verizon Data Breach Report

Making the Case

Blue is base case; red case is patching with configuration standards; green is current case.

[Three simulation charts over Time (Year): Technical - Not Compromised, Attack Vectors, Infected; Managers - “Upstream Costs”, “Downstream Costs”; Senior Management (CIO) - Total Costs]

Summary
- Models can explain the dynamics of vulnerabilities, researcher motivation and exploits
- Understanding the tools and techniques of finding vulnerabilities helps to improve security
- Models help understand the security issues in patching and software release dynamics
- Solving security problems “upstream” is more effective than fixing them “downstream.”
- These analyses and modeling techniques can apply to any type of organization