Published by Chloe Stewart. Modified over 9 years ago
1
Cyber vulnerabilities and the threat of attack: Making things better:
Michael Siegel, James Houghton, MIT Sloan School of Management
2
Vulnerabilities and Cybersecurity
3
Vulnerabilities
4
Creating a Vulnerability Typology
Vulnerability Characteristics
  Quantity of Vulnerabilities: Scarce - Numerous
  Ease of Vulnerability Discovery: Easy - Difficult to Find
  Likelihood of Vulnerability Rediscovery: Low - High
Patching Dynamics
  Technical Difficulty of Remediation: Easy - Hard to Fix
  Logistical Difficulty of Remediation: Easy - Hard to Access
  Average Life of a Vulnerability: Short - Long
Market Dynamics
  Third Party Market for Vulnerability: Offensive, Defensive, Mixed, Etc.
  Market Size: Small - Large
  Bug Bounty Program: Yes, No
Human Dynamics
  Attackers: Criminals, States, Patriots, Etc.
  Researcher Pool
We need to know the characteristics of the software products/environments that we’re dealing with.
5
System Dynamics Modeling
Models Human Systems
Simulates Dynamic Behavior
Process Improvement, Market Crises, Government Stability, Software Development
Hopes, Fears
Used for over 50 years
Eliminate limitations of linear logics and over-simplicity
Based on system structure, behavior patterns, interconnections of positive & negative feedback loops
SDM helps to uncover ‘hidden’ dynamics in system
Helps understand ‘unfolding’ of situations
Helps anticipate & predict new modes
Explore range of unintended consequences
Time
Formalizes connection, causality, and feedback
Gives Structure to Data
6
Undiscovered Vulnerabilities Patching
There are only so many ways an attacker can interact with the system, and so there is a large, but finite number of vulnerabilities. As we don’t know exactly what they are, we’ll call them ‘Undiscovered Vulnerabilities’. In system dynamics, when we want to show that we’re tracking a stock of something, we put it in a box. <Advance> Now, software vendors do their best to minimize this stock, and actively search for and patch vulnerabilities both before and after the software is released. Perhaps surprisingly, they are helped by a whole group of white-hat hackers who may have other jobs, but who find vulnerabilities and report them to vendors to be patched. We’ll track the flow of vulnerabilities out of this stock and call it ‘Patching’.
7
Diagram labels: Undiscovered Vulnerabilities, Offensive Stockpile, Discovery, Patching, Deployment
Other actors are also looking for vulnerabilities. Black-hat hackers find these vulnerabilities and stockpile them for use in zero-day exploits. This stock decreases as vulnerabilities get patched, <Advance> or as they are deployed in attacks. <Advance> This is the stock that has the largest impact on cyber risk - not the total number of vulnerabilities, but the availability of those vulnerabilities for use in exploits by offensive actors. <Add a case study? Something with a human face and a name?>
8
Diagram labels: Black Hat Capability (Learning, Recruiting; Leaving, Erosion), Undiscovered Vulnerabilities, Offensive Stockpile, Discovery, Patching, Deployment
Let's look at how this discovery takes place. Black hat hackers have some level of capability, which depends on their numbers and their average skill. Over time, their capability erodes as technology changes and people leave the group. <Advance> Black hats also have some level of motivation, which depends on the perceived reward for finding vulnerabilities, in terms of money, reputation, or pride. <Advance> Together, these factors influence the rate at which vulnerabilities are discovered and stockpiled.
9
Diagram labels: Black Hat Capability (Learning, Recruiting; Leaving, Erosion), White Hat Capability (Learning, Recruiting; Leaving, Erosion), Undiscovered Vulnerabilities, Offensive Stockpile, Discovery, Patching, Deployment
Remember that army of white hat hackers that we discussed before? Well, they behave in similar ways, and respond to similar pressures. Growth in their capacity influences the rate of patching. Now we have a highly simplified model of the human components of the vulnerability system. As fun as this was, we didn’t build it just to look at. We want to know how we can change the behavior of the system. What can we do - what inputs can we change - to make the system behave the way we want? Well, let's think like a hacker. What could we change? <Poll audience>
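An added example, not part of the original slides or the authors' model: a minimal Euler simulation of the stock-and-flow structure described in the notes above. Every rate constant, the initial stocks, and the `correlation` parameter (the share of white-hat effort that rediscovers stockpiled vulnerabilities) are constructed assumptions.

```python
# Added example: Euler integration of the stock-and-flow structure in the notes.
# All rate constants and initial values are constructed for illustration.

def simulate(white_recruiting=2.0, correlation=0.0, years=20.0, dt=0.01):
    """Return one (undiscovered, stockpile, patched, deployed) tuple per step."""
    undiscovered, stockpile = 1000.0, 0.0   # vulnerability stocks
    black, white = 10.0, 10.0               # capability stocks
    patched = deployed = 0.0                # cumulative outflows
    history = []
    for _ in range(int(round(years / dt))):
        # Flows per year, computed from the stocks at the start of the step.
        # Discovery and patching scale with capability and with how many
        # vulnerabilities are left to find.
        discovery = 0.002 * black * undiscovered
        patch_undiscovered = 0.002 * white * undiscovered
        # White hats only patch stockpiled bugs they rediscover themselves.
        patch_stockpile = correlation * 0.002 * white * stockpile
        deployment = 0.1 * stockpile
        # Capability: learning/recruiting inflow, leaving/erosion outflow.
        black += dt * (2.0 - 0.2 * black)
        white += dt * (white_recruiting - 0.2 * white)
        undiscovered -= dt * (discovery + patch_undiscovered)
        stockpile += dt * (discovery - patch_stockpile - deployment)
        patched += dt * (patch_undiscovered + patch_stockpile)
        deployed += dt * deployment
        history.append((undiscovered, stockpile, patched, deployed))
    return history

def peak_stockpile(**kwargs):
    """Largest offensive stockpile reached during the run."""
    return max(step[1] for step in simulate(**kwargs))

if __name__ == "__main__":
    print("base case:            ", round(peak_stockpile(), 1))
    print("more white-hat hiring:", round(peak_stockpile(white_recruiting=6.0), 1))
    print("discovery correlation:", round(peak_stockpile(correlation=0.5), 1))
```

The three printed cases correspond to the inputs the notes ask the audience about: growing white hat capability and the degree to which white hats rediscover what black hats already hold.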
10
Let's jump over for a second and look at the data. This chart shows the
11
Discovery Correlation
Diagram labels: Undiscovered Vulnerabilities, Offensive Stockpile, Discovery, Patching, Deployment, White Hat Capability, Discovery Correlation
12
No Correlation White Hat Black Hat
13
Some Correlation White Hat Black Hat
14
In Simulation
15
How does discovery correlation arise?
Fixed code base
Heterogeneous vulnerabilities
Common techniques between research groups
16
For a young piece of software
With our model parameters, 9% overlap
17
For a hardened piece of software
With our model parameters, 0.8% overlap
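An added example, not from the original slides: an expected-value calculation of discovery overlap under the three conditions listed on slide 15, for a young and a hardened code base. The per-vulnerability discovery probabilities are constructed assumptions, so the output does not reproduce the 9% and 0.8% figures obtained with the authors' parameters.

```python
# Added example: expected white-hat / black-hat discovery overlap.
# Probabilities are constructed; they do not reproduce the slides' figures.

def overlap(discovery_probs, age_years):
    """Expected share of this year's black-hat finds that white hats also find.

    discovery_probs: per-vulnerability chance that one research group finds
    that vulnerability in a year. Both groups share the same values because
    they use common techniques. The code base is fixed: nothing new is added,
    and a vulnerability leaves only when white hats found it in an earlier
    year and it was patched.
    """
    found_by_black = found_by_both = 0.0
    for p in discovery_probs:
        still_open = (1.0 - p) ** age_years   # survived white-hat search so far
        found_by_black += still_open * p
        found_by_both += still_open * p * p   # independent finds by both groups
    return found_by_both / found_by_black

# Heterogeneous code base: a few shallow bugs, many deep ones (constructed).
HETEROGENEOUS = [0.5] * 50 + [0.1] * 150 + [0.005] * 800
# Homogeneous control: every vulnerability equally hard to find (constructed).
HOMOGENEOUS = [0.05] * 1000

def report():
    """Overlap for young (age 0) and hardened (age 15) software."""
    return {
        "young_heterogeneous": overlap(HETEROGENEOUS, 0),
        "hardened_heterogeneous": overlap(HETEROGENEOUS, 15),
        "young_homogeneous": overlap(HOMOGENEOUS, 0),
        "hardened_homogeneous": overlap(HOMOGENEOUS, 15),
    }

if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value:.1%}")
```

With uniform discovery probabilities the overlap stays the same as the software ages; the drop only appears when vulnerabilities differ in how hard they are to find, because the shallow ones that both groups tend to hit are patched first.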
18
Dynamics of Threats and Resilience (using System Dynamics modeling)
67% were aided by significant errors (of the victim)
How did breaches (threats) occur? *
  64% resulted from hacking
  38% utilized malware
How are security and threat processes (resilience) managed? *
  Over 80% of the breaches had patches available for more than 1 year
  75% of cases go undiscovered or uncontained for weeks or months
* Verizon Data Breach Report
19
Senior Management (CIO)
Making the Case
Blue is base case; red case is patching with configuration standards; green is current case
[Charts, x-axis Time (Year): Technical - Not Compromised, Attack Vectors, Infected; Managers - “Upstream Costs”, “Downstream Costs”; Senior Management (CIO) - Total Costs]
20
Summary
Models can explain the dynamics of vulnerabilities and researcher motivation and exploits
Understanding the tools and techniques of finding vulnerabilities helps to improve security
Models help understand the security issues in patching and software release dynamics
Solving security problems “upstream” is more effective than fixing them “downstream.”
These analyses and modeling techniques can apply to any type of organization