AN EMPIRICAL ANALYSIS OF VULNERABILITY DISCLOSURE POLICIES. Research in Progress Submission to WISE 2010 Total Word Count: 3409
Sabyasachi Mitra, College of Management, Georgia Institute of Technology, Atlanta, Georgia
Sam Ransbotham, Carroll School of Management, Boston College, Chestnut Hill, Massachusetts
September 2010
INTRODUCTION

The importance of information security in the current business environment can hardly be overstated. Recent research indicates that security concerns are major impediments to the widespread adoption of electronic commerce and that equity markets penalize the announcement of software vulnerabilities (Telang and Wattal 2007). Furthermore, recent legislation such as Sarbanes-Oxley mandates penalties for inadequate security. Clearly, information security is no longer a purely technical issue, and effective economic frameworks and incentives are becoming as important as technical design in protecting systems (Anderson and Moore 2006, p. 610).

Attackers often compromise computer systems by exploiting vulnerabilities present in the software running on these systems (Cavusoglu et al. 2007, Cavusoglu et al. 2008). The impact of a software vulnerability depends on whether the software vendor and security professionals have the opportunity to eliminate the vulnerability or otherwise protect systems before they are attacked. Consequently, the discovery and disclosure process for vulnerabilities plays a vital role in information security. There is considerable debate on the design of effective disclosure processes that advantage security professionals and disadvantage attackers, but there is no consensus on the optimal design.

When a vulnerability is discovered by attackers, they either exploit it or sell it to other attackers on the black market. In both cases, the vulnerability is exploited before it is observed in the wild by security professionals. Security professionals, on the other hand, use two primary methods to disclose vulnerabilities. First, they may choose Immediate Disclosure: they publicly disclose the vulnerability immediately through security mailing lists such as Bugtraq. With immediate disclosure, the vulnerability information is immediately disseminated to a wide audience of security professionals who can install countermeasures, to vendors who can develop patches, and to potential attackers who can exploit the information to their advantage. Second, they may choose Non-public Disclosure: they report the vulnerability to organizations like CERT (Computer Emergency Response Team). CERT, for example, immediately notifies the software vendor and discloses the vulnerability to the public when a patch is available from the vendor, or after a specific period (typically 45 days after notifying the vendor). In non-public disclosure, security service providers and potential attackers receive notification at the time of public disclosure, while vendors are notified in advance.

A current and significant debate in the security industry revolves around the benefits and drawbacks of immediate disclosure. The dominant viewpoint, termed Responsible Disclosure, encourages disclosure through CERT and similar mechanisms that give the vendor a reasonable time to develop patches. The basic motivation behind responsible disclosure, which is supported by many software companies, security vendors and security organizations such as CERT, is that the alternative, immediate disclosure, creates an unsafe period during which the vulnerability may be exploited before the patch is developed and deployed. Proponents of responsible disclosure therefore argue that it will lead to lower attack volume, more protected systems, and a safer security environment. On the other hand, immediate disclosure is often motivated by the need to force unresponsive vendors to address a vulnerability and to create incentives for developing secure software (Arora et al. 2006, Arora et al. 2008). Its proponents argue that immediate disclosure will lead to more responsive software vendors and more alert security service providers, and consequently a safer information security environment.

In this paper, we shed light on this debate through a large-scale empirical study that compares vulnerabilities disclosed through the immediate and non-public disclosure mechanisms. Specifically, we gauge the impact of immediate disclosure by analyzing over 2.4 billion information security alerts for 960 clients of a US-based security service provider. We examine two measures of impact: (a) attack diffusion: does immediate disclosure accelerate the diffusion of attacks corresponding to the vulnerability through the population of target systems and increase the number of affected systems, and (b) attack volume: does immediate disclosure increase the volume of attacks that are based on the vulnerability? Diffusion speed is important because the time it takes attacks to spread determines whether vendors can release a patch and security service providers can protect systems before they are attacked, while attack volume measures the amount of malicious activity (Park et al. 2007).

Our research makes two primary contributions to the literature on optimal policies and methods for securing information systems. First, while several analytical models in the literature examine optimal vulnerability disclosure and patching policies (Arora et al. 2006, Arora et al. 2008, August and Tunca 2006, August and Tunca 2008, Cavusoglu et al. 2007), this research is one of few that empirically evaluates a contemporary vulnerability disclosure phenomenon through the examination of intrusion detection system (IDS) data, providing needed diversity in research methods. Second, while economic models based on rational choice form the basis of the published research in this area (Arora et al. 2008, Cavusoglu et al. 2007, Kannan and Telang 2005), we develop our hypotheses through a review of the innovation diffusion literature (Rogers 2003), providing additional diversity in the theoretical lenses used to study the phenomenon. Finally, we empirically evaluate a research question of significant practical importance: whether immediate disclosure has a detrimental effect on security. We believe that our findings are of significant practical interest to policy makers and vendors.

MODELING THE DIFFUSION OF ATTACKS

We model the diffusion of attacks through the population of target systems using the familiar s-curve that has been used extensively to model the diffusion of innovations (Rogers 2003). Let N(t) be the cumulative number of target systems affected at time t, where t is measured from the time the vulnerability is disclosed. Let P be the height of the s-curve, i.e., the maximum number of target systems in the population affected by the vulnerability (referred to as the penetration of the diffusion process). D is the time at which P/2 systems are affected by the vulnerability (the s-curve reaches half of its ultimate penetration level) and captures the delay associated with the diffusion process. R is the slope of the s-curve, which depends on factors such as the type of vulnerability, the complexity of developing exploits, and the impact of the vulnerability on systems. N(t) is modeled using the following familiar form of the s-curve:

(1)

IMMEDIATE DISCLOSURE: A CONTRARIAN VIEW

The dominant view in the information security community is that immediate disclosure will lead to a less secure environment because public disclosure of the vulnerability can lead to systems being attacked before the vendor provides a patch. We provide a contrarian view of immediate disclosure that focuses on the role of security service providers and the race between attackers who exploit vulnerabilities and security service providers who install countermeasures. When a patch is not available or not installed, specific countermeasures can provide partial protection against attacks. For example, Ransbotham and Mitra (2009) describe three types of countermeasures that limit the impact of a vulnerability: (a) access control methods that limit access to the affected software to specific groups, (b) feature control methods that disable functionality and features in the affected software and devices, and (c) traffic control methods that filter suspicious traffic based on signature-based attack detection. Countermeasures are easier to implement than patches, but they provide only temporary and imperfect protection until the core vulnerability is removed through patching or a software upgrade.
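The s-curve of the modeling section, carried through in code as an added example (this is not code from the paper or its authors). Because equation (1) is not reproduced on the page, the example assumes the standard logistic form N(t) = P / (1 + exp(-R (t - D))), which has the properties the text states: ceiling P, N(D) = P/2, and slope governed by R. It fits P, R and D to constructed daily counts by nonlinear least squares (Gauss-Newton with step halving is my choice of algorithm; the paper only says nonlinear least squares) and then compares two constructed populations on delay and penetration, which is the comparison the paper's hypotheses make between immediate and non-public disclosure. All parameter values in it are made up.

```python
import math


def s_curve(t, P, R, D):
    """Cumulative affected systems N(t), t in days since disclosure.

    Assumed logistic form with ceiling P (penetration), midpoint D (delay: N(D) = P/2)
    and slope R; equation (1) of the paper is not reproduced on the page.
    """
    x = max(-500.0, min(500.0, -R * (t - D)))  # clamp so exp() cannot overflow mid-fit
    return P / (1.0 + math.exp(x))


def simulate_diffusion(P, R, D, days):
    """Constructed noise-free observations (t, N(t)) for one vulnerability."""
    return [(float(t), s_curve(t, P, R, D)) for t in range(days)]


def _solve3(A, b):
    """Solve the 3x3 system A x = b by Gauss-Jordan elimination with partial pivoting."""
    M = [A[i][:] + [b[i]] for i in range(3)]
    for c in range(3):
        p = max(range(c, 3), key=lambda r: abs(M[r][c]))
        M[c], M[p] = M[p], M[c]
        if abs(M[c][c]) < 1e-300:
            raise ValueError("singular normal equations")
        for r in range(3):
            if r != c:
                f = M[r][c] / M[c][c]
                for k in range(c, 4):
                    M[r][k] -= f * M[c][k]
    return [M[i][3] / M[i][i] for i in range(3)]


def _sse(obs, P, R, D):
    return sum((y - s_curve(t, P, R, D)) ** 2 for t, y in obs)


def fit_s_curve(obs, init, max_iter=500, tol=1e-12):
    """Nonlinear least squares for (P, R, D): Gauss-Newton steps with step halving."""
    P, R, D = (float(v) for v in init)
    sse = _sse(obs, P, R, D)
    for _ in range(max_iter):
        JTJ = [[0.0] * 3 for _ in range(3)]
        JTr = [0.0] * 3
        for t, y in obs:
            e = math.exp(max(-500.0, min(500.0, -R * (t - D))))
            g = 1.0 / (1.0 + e)
            resid = y - P * g
            # dN/dP, dN/dR, dN/dD for the logistic form above
            J = (g, P * g * g * e * (t - D), -P * g * g * e * R)
            for i in range(3):
                JTr[i] += J[i] * resid
                for j in range(3):
                    JTJ[i][j] += J[i] * J[j]
        step = _solve3(JTJ, JTr)
        lam, improved = 1.0, False
        while lam > 1e-8:  # halve the step until the fit improves
            cand = (P + lam * step[0], R + lam * step[1], D + lam * step[2])
            cand_sse = _sse(obs, *cand)
            if cand_sse < sse:
                improved = True
                break
            lam /= 2.0
        if not improved:
            break
        converged = sse - cand_sse < tol
        (P, R, D), sse = cand, cand_sse
        if converged:
            break
    return P, R, D


def compare_disclosure(obs_immediate, obs_nonpublic, init):
    """Fit both populations and report whether delay (D) and penetration (P) are lower
    for the immediately disclosed vulnerability, as the paper's H1 and H2 state."""
    Pi, Ri, Di = fit_s_curve(obs_immediate, init)
    Pn, Rn, Dn = fit_s_curve(obs_nonpublic, init)
    return {"immediate": (Pi, Ri, Di), "nonpublic": (Pn, Rn, Dn),
            "H1_less_delay": Di < Dn, "H2_less_penetration": Pi < Pn}


if __name__ == "__main__":
    # Constructed populations: the immediately disclosed one spreads fast but saturates low.
    imm = simulate_diffusion(P=120, R=0.3, D=12, days=120)
    non = simulate_diffusion(P=300, R=0.2, D=30, days=120)
    print(compare_disclosure(imm, non, init=(200, 0.15, 20)))
```

The paper lets P, R and D be linear functions of the control variables; the block fits a single triple per series, which is the building block that extended estimation repeats with the covariates folded into each parameter.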
Our basic argument is that immediate disclosure induces a race between attackers who attack systems and security service providers who develop and install countermeasures to protect systems. This race, similar in concept to a patent race in the economics literature (Denicolo 2000), accelerates the diffusion of attacks because attackers are aware of the vulnerability at the time of disclosure. However, as in a patent race, the race also raises urgency among security service providers and accelerates the development and deployment of countermeasures. Consequently, the time window for successful exploitation by attackers before countermeasures are installed is small, and the vulnerability has a short life span. This leads to a lower penetration level of attacks among the population of target systems, since many target systems have countermeasures installed and the population of vulnerable systems decreases rapidly. The short life span of the vulnerability and its lower penetration among target systems reduce the overall volume of attacks as attackers divert their attention to more profitable opportunities. This forms the basis of the following three primary hypotheses:

H1: The diffusion of attacks through the population of target systems will have less delay for vulnerabilities reported through immediate disclosure than for those reported through non-public disclosure.

H2: The diffusion of attacks through the population of target systems will have lower penetration for vulnerabilities reported through immediate disclosure than for those reported through non-public disclosure.

H3: The volume of attacks will be lower for vulnerabilities reported through immediate disclosure than for those reported through non-public disclosure.

DATA

Our primary data source is a proprietary database of alerts generated by intrusion detection systems (IDS) installed at client firms of a security service provider. Each time the IDS detects a signature in an incoming data stream, it generates an alert for further analysis. The dataset provides a unique research opportunity because it contains real alert data (as opposed to data from a research setting) from a large number of clients with varied infrastructure across many industries. The alert database contained over four hundred million alerts generated during 2006 and
Our analysis is based on a panel dataset of the number of alerts generated every day during the two-year period of our analysis, summarized by target firm and specific vulnerability.
Our second main data source is the National Vulnerability Database (NVD 2008), which combines several other public vulnerability data sources such as CERT, Bugtraq, X-Force and Secunia. We believe that ours is the first study to combine NVD data with actual intrusion detection data from a large number of firms to empirically evaluate a contemporary information security issue. We match the signatures for each unique vulnerability in our intrusion alert database with the detailed information available through the NVD. The matching is done through a CERT-assigned unique ID that links the two databases. It is important for our analysis to ensure that the effects we see are due to immediate disclosure and not to characteristics of the vulnerability itself. Thus, we use the following variables from the NVD data as controls in our empirical analysis. Once the attacker has access, vulnerabilities require varying degrees of complexity to exploit and are categorized by experts as Low or High Complexity. We also include an indicator variable (Sig) that is set to 1 if a signature was available at the time the vulnerability was disclosed, and 0 otherwise. Because disclosure through Bugtraq is immediate, we include an additional variable (Immediate) to capture the effects of immediate disclosure. The impact of a vulnerability is categorized by experts into one or more categories, and we use an indicator variable for each impact category that is set to 1 if the potential for that impact is present, and 0 otherwise. The NVD classifies vulnerabilities into seven types based on the specific software flaw that the vulnerability represents, and we use indicator variables to control for vulnerability type. We also include an indicator variable (Patch) that is set to 1 if a patch was available on the focal day of analysis, and 0 otherwise.
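An added example, not the paper's own code, of the panel construction the DATA section describes: constructed IDS alert lines are matched to constructed NVD-style records through an ID lookup (a stand-in for the CERT-assigned ID the paper matches on, which is not given on the page), aggregated to daily counts per client firm and vulnerability, and given the control indicators of this section (High Complexity, Sig, Immediate, Patch) together with the log-transformed Age. Days with no alerts stay in the panel with a zero count so that firm/vulnerability pairs that are never attacked remain available as censored observations. Every ID, date and flag is made up, the alert line format is invented for the example, and using log1p rather than log for Age is an assumption made so that day-0 rows stay finite.

```python
import math
from collections import Counter
from datetime import date, timedelta

# Constructed NVD-style records; every ID, date and flag is made up for this example.
NVD = {
    "EX-2006-0001": {"reported": date(2006, 3, 1), "immediate": True,
                     "sig_at_disclosure": False, "patch_date": date(2006, 3, 3),
                     "complexity": "Low"},
    "EX-2006-0002": {"reported": date(2006, 2, 10), "immediate": False,
                     "sig_at_disclosure": True, "patch_date": None,
                     "complexity": "High"},
}

# Constructed map from IDS signature ID to vulnerability ID; it stands in for the
# CERT-assigned ID the paper matches on, which is not given on the page.
SIG_TO_VULN = {"SID-1001": "EX-2006-0001", "SID-1002": "EX-2006-0002"}

# Constructed IDS alert lines in the invented form "<date> firm=<client> sig=<signature id>".
ALERTS = """\
2006-03-02 firm=F1 sig=SID-1001
2006-03-02 firm=F1 sig=SID-1001
2006-03-02 firm=F2 sig=SID-1001
2006-03-03 firm=F2 sig=SID-1001
2006-03-02 firm=F1 sig=SID-1002
2006-03-02 firm=F1 sig=SID-9999
"""


def parse_alert(line):
    """Split one constructed alert line into (day, firm, signature id)."""
    day, firm, sig = line.split()
    return date.fromisoformat(day), firm.split("=", 1)[1], sig.split("=", 1)[1]


def count_alerts(alert_text, sig_map):
    """Daily alert counts keyed by (firm, vulnerability id, ISO day).

    Alerts whose signature maps to no vulnerability ID are dropped and counted as unmatched.
    """
    counts, unmatched = Counter(), 0
    for line in alert_text.splitlines():
        if not line.strip():
            continue
        day, firm, sig = parse_alert(line)
        vid = sig_map.get(sig)
        if vid is None:
            unmatched += 1
            continue
        counts[(firm, vid, day.isoformat())] += 1
    return counts, unmatched


def build_panel(alert_text, sig_map, nvd, firms, start, end):
    """Full firm x vulnerability x day panel with the DATA section's control variables.

    Days without alerts stay in the panel with alerts=0, so firm/vulnerability pairs that
    are never attacked remain available as censored observations.
    """
    counts, unmatched = count_alerts(alert_text, sig_map)
    panel = {}
    day, last = date.fromisoformat(start), date.fromisoformat(end)
    while day <= last:
        key_day = day.isoformat()
        for firm in firms:
            for vid, meta in nvd.items():
                n = counts.get((firm, vid, key_day), 0)
                age_days = max((day - meta["reported"]).days, 0)
                panel[(firm, vid, key_day)] = {
                    "alerts": n,
                    "log_alerts": math.log(n) if n > 0 else None,  # dependent variable
                    "immediate": int(meta["immediate"]),
                    "sig": int(meta["sig_at_disclosure"]),
                    "patch": int(meta["patch_date"] is not None and meta["patch_date"] <= day),
                    "high_complexity": int(meta["complexity"] == "High"),
                    # log1p rather than log is an assumption so day-0 rows stay finite
                    "log_age": math.log1p(age_days),
                }
        day += timedelta(days=1)
    return panel, unmatched


if __name__ == "__main__":
    rows, dropped = build_panel(ALERTS, SIG_TO_VULN, NVD, ["F1", "F2"],
                                "2006-03-01", "2006-03-03")
    print(len(rows), "panel rows;", dropped, "unmatched alerts")
    for key in sorted(rows):
        if rows[key]["alerts"]:
            print(key, rows[key])
```

The unmatched count is worth logging in a real pipeline: a signature with no vulnerability ID silently disappears from the analysis otherwise, and a large unmatched share would bias any volume comparison.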
We also include the Age of the vulnerability (log transformed) at the time of our analysis, measured as the number of days since the vulnerability was reported.

RESULTS

To evaluate H1 and H2, we estimate equation (1) through non-linear least squares estimation of its parameters. In (1), the parameters P, R and D are allowed to vary as functions of the focal variable (Immediate) and the control variables. The results are reported in Table 1. Based on the estimated parameters, we find that immediate disclosure reduces the delay (D) of diffusion (i.e., accelerates the diffusion process) and decreases the penetration (P) of attacks based on the vulnerability. Thus, we find support for H1 and H2.

The results of our evaluation of H3 are reported in Table 2. The dependent variable is the number of attacks (log transformed) on a specific date for a specific client and a specific vulnerability. Table 2 reports results from a two-stage Heckman selection model that accounts for selection bias in the data, since many vulnerabilities in the NVD data are never exploited in our sample. The coefficient of the Immediate variable is negative and significant, indicating that immediate disclosure reduces the volume of attacks. Thus, we find support for H3.

Interestingly, we also find that public availability of an attack signature increases the penetration of attacks and the number of attacks, indicating that the signature contains information that attackers can use to build tools and exploit the vulnerability. Contrary to expectations, the public availability of a signature also increases the delay associated with the attack diffusion process, and more research is needed to understand the reasons behind this coefficient estimate. Some of the other variables in the models also provide interesting insights. For example, vulnerabilities that require complex execution methods (e.g., social engineering) have delayed diffusion processes and lower attack volumes.

SUMMARY AND IMPLICATIONS

Contrary to the dominant view in the security industry and the practitioner literature, we find that immediate disclosure of vulnerabilities reduces the delay in the attack diffusion process (as expected), but also reduces the penetration of attacks in the population of target systems and reduces the volume of attacks.
Our results can be explained by viewing the attack process as a race between attackers who attack systems and security service providers who develop countermeasures, similar to the patent race examined in the economics literature (Denicolo 2000). This race accelerates the attack diffusion process, but it also increases awareness, forces security service providers to be more vigilant, accelerates the deployment of countermeasures, and reduces the window of opportunity for attackers before countermeasures are installed.

Our results have two important implications for policy makers, security organizations such as CERT, and software vendors. First, limited public disclosure of vulnerability information can combine the benefits of non-public and immediate disclosure to skew the race towards securing systems. For example, organizations such as CERT can immediately disclose the vulnerability to security service providers (as well as to the software vendor) so that they can develop countermeasures to protect systems until a patch is made available by the software vendor. This would give security service providers an advantage in the attack and countermeasures race without publicly disclosing the signature and other attack details. Such limited disclosure to security service providers is particularly important since our results indicate that public disclosure of signatures increases attack penetration and attack volume. Second, while immediate disclosure causes security service providers to be more vigilant and limits the penetration level and volume of attacks based on the vulnerability, it is possible (and perhaps even likely) that the effect on those who are not protected through such services is in the opposite direction, as attackers focus their attention on such targets in the absence of others. A similar diversion-based argument applies to vulnerabilities not disclosed through immediate disclosure: the attack and countermeasures race for immediately disclosed vulnerabilities may cause security service providers to focus less on other (perhaps more critical) vulnerabilities. Overall, our analysis and results indicate that the effects of different disclosure methods are complex and nuanced, and represent a fruitful area for further research with important practical implications.

FUTURE RESEARCH

We intend to provide a more complete analysis of the effect of immediate disclosure through additional empirical evaluation. We envision two immediate directions for further analysis: (a) is immediate disclosure and the consequent race more effective for certain types of vulnerabilities, and (b) is there a diversionary and negative effect of immediate disclosure and the consequent race on other vulnerabilities? Both analyses can be performed with the intrusion detection data available to us, for instance by interacting the Immediate variable with other focal and control variables, and by evaluating changes in the attack volume of other vulnerabilities after the date of immediate disclosure of the focal vulnerabilities examined here. In addition, the intrusion detection data can be used to empirically evaluate the findings of various analytical models in this area. For example, Ransbotham et al. (2008) evaluate the impact of disclosure through market-based mechanisms such as iDefense and TippingPoint (Kannan and Telang 2005). The data set can be used to evaluate the antecedents of attacks on a firm (Ransbotham and Mitra 2009), or whether different patching policies affect the number of attacks (August and Tunca 2008). Additionally, the data set can be used to evaluate the impact of social, political and other events on attack activity. Space limitations do not allow us to describe many of our findings here. In summary, linking the intrusion detection data with the NVD provides a rich data source for evaluating various information security debates of significant practical importance.

REFERENCES

Anderson, R., T. Moore. 2006. The Economics of Information Security. Science 314(5799).
Arora, A., J.P. Caulkins, R. Telang. 2006. Sell First, Fix Later: Impact of Patching on Software Quality. Management Science 52(3).
Arora, A., R. Telang, X. Hao. 2008. Optimal Policy for Software Vulnerability Disclosure. Management Science 54(4).
August, T., T.I. Tunca. 2006. Network Software Security and User Incentives. Management Science 52(11).
August, T., T.I. Tunca. 2008. Let the Pirates Patch? An Economic Analysis of Software Security Patch Restrictions. Information Systems Research 19(1).
Cavusoglu, H., H. Cavusoglu, S. Raghunathan. 2007. Efficiency of Vulnerability Disclosure Mechanisms to Disseminate Vulnerability Knowledge. IEEE Transactions on Software Engineering 33(3).
Cavusoglu, H., H. Cavusoglu, J. Zhang. 2008. Security Patch Management: Share the Burden or Share the Damage? Management Science 54(4).
Denicolo, V. 2000. Two-Stage Patent Races and Patent Policy. RAND Journal of Economics 31(3).
Kannan, K., R. Telang. 2005. Market for Software Vulnerabilities? Think Again. Management Science 51(5).
NVD. 2008. National Vulnerability Database.
Park, I., R. Sharman, H.R. Rao, S. Upadhyaya. 2007. Short Term and Total Life Impact Analysis of Worms in Computer Systems. Decision Support Systems.
Ransbotham, S., S. Mitra. 2009. Choice and Chance: A Conceptual Model of Paths to Information Security Compromise. Information Systems Research 20(1).
Ransbotham, S., S. Mitra, J. Ramsey. 2008. Are Markets for Vulnerabilities Effective? Proceedings of the Twenty-Ninth International Conference on Information Systems.
Rogers, E.M. 2003. Diffusion of Innovations. The Free Press, New York, NY.
Telang, R., S. Wattal. 2007. An Empirical Analysis of the Impact of Software Vulnerability Announcements on Firm Stock Price. IEEE Transactions on Software Engineering 33(8).
TABLE 1: Diffusion Analysis of Attacks Based on Immediate and Non-Public Disclosure

                        P (Penetration)    R (Rate)        D (Delay)
Constant                (3.5941)***        (0.0008)***     (0.2565)***
Patch Available         (0.9488)           (0.0003)*       (0.0915)***
High Complexity         (1.2958)***        (0.0004)***     (0.0928)***
Signature Available     (3.4006)***        (0.0014)***     (0.1442)***
Immediate               (0.9367)***        (0.0003)***     (0.0942)***
Impact Indicators       Included           Included        Included
Type Indicators         Included           Included        Included
No. of Observations     132,768
Adjusted R² (%)

132,768 daily observations of 333 vulnerabilities from
Robust standard errors in parentheses; two-tailed significance: * p<.05; ** p<.01; *** p<.001.
Nonlinear regression on the number of firms affected, where the cumulative penetration (P), the rate of diffusion (R) and the delay (D) are linear functions of the variables shown in the table.

TABLE 2: Volume of Alerts per Client Firm per Vulnerability

Dependent variable: Number of Alerts (log)
                                   Model 0 (Controls)    Model 1 (Full Model)
Constant                           (0.101)***            (0.101)***
Age of Vulnerability (ln)          (0.002)***            (0.002)***
Patch Available                    (0.002)***            (0.003)***
High Complexity                                          (0.003)***
Signature Available                                      (0.003)***
Immediate                                                (0.002)***
Vulnerability Impact               Indicators            Indicators
Vulnerability Type                 Indicators            Indicators
Alert Month                        Indicators            Indicators

Selection Stage
Constant                           (0.008)**             (0.008)***
Patch Available                    (0.003)***            (0.003)***
High Complexity                                          (0.004)***
Signature Available                                      (0.004)***
Immediate                                                (0.003)***
Vulnerability Impact               Indicators            Indicators
Vulnerability Type                 Indicators            Indicators
Publication Month                  Indicators            Indicators
Wald χ² (×10⁶)                     1.20***               1.18***

Heckman two-stage regression; n = 1,302,931; 709,090 uncensored; 333 vulnerabilities; standard errors in parentheses. Two-tailed significance: * p<0.05; ** p<0.01; *** p<0.001.
More informationSITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA
SITA Information Security SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA September, 2012 Contents 1. Introduction... 3 1.1 Overview...
More informationApplying LT Auditor+ to Address Regulatory Compliance Issues
Applying LT Auditor+ to Address Regulatory Compliance Issues An Executive White Paper By BLUE LANCE, Inc. BLUE LANCE INC. www.bluelance.com 713.255.4800 info@bluelance.com In today s business environments,
More informationAHS Flaw Remediation Standard
AGENCY OF HUMAN SERVICES AHS Flaw Remediation Standard Jack Green 10/14/2013 The purpose of this procedure is to facilitate the implementation of the Vermont Health Connect s security control requirements
More informationPROACTIVE PROTECTION MADE EASY
PROACTIVE PROTECTION AUTHOR: ANDREW NIKISHIN KASPERSKY LAB Heuristic Analyzer Policy-Based Security Intrusion Prevention System (IPS) Protection against Buffer Overruns Behaviour Blockers Different Approaches
More informationPerformance Evaluation of Intrusion Detection Systems
Performance Evaluation of Intrusion Detection Systems Waleed Farag & Sanwar Ali Department of Computer Science at Indiana University of Pennsylvania ABIT 2006 Outline Introduction: Intrusion Detection
More informationNetwork Instruments white paper
Network Instruments white paper USING A NETWORK ANALYZER AS A SECURITY TOOL Network Analyzers are designed to watch the network, identify issues and alert administrators of problem scenarios. These features
More informationTHE SECURITY EXPOSURE
Secunia Whitepaper - February 2010 THE SECURITY EXPOSURE OF SOFTWARE PORTFOLIOS An empirical analysis of the patching challenge faced by the average private user In this paper, we examine the software
More informationA Decision Maker s Guide to Securing an IT Infrastructure
A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose
More informationPCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com
Policy/Procedure Description PCI DSS Policies Install and Maintain a Firewall Configuration to Protect Cardholder Data Establish Firewall and Router Configuration Standards Build a Firewall Configuration
More informationIntegrating Security into Your Corporate Infrastructure
Integrating Security into Your Corporate Infrastructure December 13, 2001 Matthew K. Miller, CISSP, GIAC Manager, Security Services RedSiren Technologies 1 Who is RedSiren? We are a MSSP Managed Security
More informationIBM Managed Security Services (Cloud Computing) hosted e-mail and Web security - express managed Web security
IBM Managed Security Services (Cloud Computing) hosted e-mail and Web security - express managed Web security INTC-8608-01 CE 12-2010 Page 1 of 8 Table of Contents 1. Scope of Services...3 2. Definitions...3
More informationData Breach Notifications. Submission by the Australian Communications Consumer Action Network to the Attorney General s Department
Data Breach Notifications Submission by the Australian Communications Consumer Action Network to the Attorney General s Department November 2012 About ACCAN The Australian Communications Consumer Action
More informationAnalysis of update delays in Signature-based Network Intrusion Detection Systems
Analysis of update delays in Signature-based Network Intrusion Detection Systems Hugo Gascon, Agustin Orfila, Jorge Blasco Carlos III University of Madrid Madrid, Spain Abstract Network Intrusion Detection
More informationFIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 4 Finding Network Vulnerabilities Learning Objectives Name the common categories of vulnerabilities Discuss common system
More informationResponsible Vulnerability Disclosure: Guidance for Researchers, Vendors and End Users
Research Publication Date: 17 October 2006 ID Number: G00144061 Responsible Vulnerability Disclosure: Guidance for Researchers, Vendors and End Users Amrit T. Williams, John Pescatore, Paul E. Proctor
More informationSecurity Information Management (SIM)
1. A few general security slides 2. What is a SIM and why is it needed 3. What are the features and functions of a SIM 4. SIM evaluation criteria 5. First Q&A 6. SIM Case Studies 7. Final Q&A Brian T.
More informationVULNERABILITY MANAGEMENT
Vulnerability Management (VM) software differ in the richness of reporting, and the capabilities for application and security configuration assessment. Companies must consider how a VM technology will
More informationThe 2014 Next Generation Firewall Challenge
Network World and Robin Layland present The 2014 Next Generation Firewall Challenge Guide to Understanding and Choosing a Next Generation Firewall to Combat Today's Threats 2014 The 2014 Next Generation
More informationCORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT
CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT How advancements in automated security testing software empower organizations to continuously measure information
More informationCYBER SECURITY INFORMATION SHARING & COLLABORATION
Corporate Information Security CYBER SECURITY INFORMATION SHARING & COLLABORATION David N. Saul Senior Vice President & Chief Scientist 28 June 2013 Discussion Flow The Evolving Threat Environment Drivers
More informationSecurity Frameworks. An Enterprise Approach to Security. Robert Belka Frazier, CISSP belka@att.net
Security Frameworks An Enterprise Approach to Security Robert Belka Frazier, CISSP belka@att.net Security Security is recognized as essential to protect vital processes and the systems that provide those
More informationHONEYPOT SECURITY. February 2008. The Government of the Hong Kong Special Administrative Region
HONEYPOT SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without
More informationBig Data Integration: A Buyer's Guide
SEPTEMBER 2013 Buyer s Guide to Big Data Integration Sponsored by Contents Introduction 1 Challenges of Big Data Integration: New and Old 1 What You Need for Big Data Integration 3 Preferred Technology
More informationRethinking Information Security for Advanced Threats. CEB Information Risk Leadership Council
Rethinking Information Security for Advanced Threats CEB Information Risk Leadership Council Advanced threats differ from conventional security threats along many dimensions, making them much more difficult
More informationThe Dirty Secret Behind the UTM: What Security Vendors Don t Want You to Know
The Dirty Secret Behind the UTM: What Security Vendors Don t Want You to Know I n t r o d u c t i o n Until the late 1990s, network security threats were predominantly written by programmers seeking notoriety,
More informationA Database Security Management White Paper: Securing the Information Business Relies On. November 2004
A Database Security Management White Paper: Securing the Information Business Relies On November 2004 IPLocks, Inc. 441-A W. Trimble Road, San Jose, CA 95131 USA A Database Security Management White Paper:
More informationCHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC
: INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS 1 FIVE KEY RECOMMENDATIONS During 2014, NTT Group supported response efforts for a variety of incidents. Review of these engagements revealed some observations
More informationUnderstanding SCADA System Security Vulnerabilities
Understanding SCADA System Security Vulnerabilities Talking Points Executive Summary Common Misconceptions about SCADA System Security Common Vulnerabilities Affecting SCADA Networks Tactics to Strengthen
More informationCopyright (2004) Purdue Research Foundation. All rights reserved.
CS390S, Week 1: Introduction to Secure Programming Pascal Meunier, Ph.D., M.Sc., CISSP January 10, 2007 Developed thanks to support and contributions from Symantec Corporation, support from the NSF SFS
More informationDETECT AND RESPOND TO THREATS FROM THE DATA CENTER TO THE CLOUD
SOLUTION OVERVIEW: ALERT LOGIC THREAT MANAGER WITH ACTIVEWATCH DETECT AND RESPOND TO THREATS FROM THE DATA CENTER TO THE CLOUD Protecting your infrastructure requires you to detect threats, identify suspicious
More informationUNDERSTANDING THE COST ASSOCIATED WITH DATA SECURITY BREACHES
UNDERSTANDING THE COST ASSOCIATED WITH DATA SECURITY BREACHES Kholekile L. Gwebu, Associate Professor of Decision Sciences, Peter T. Paul College of Business and Economics, University of New Hampshire,
More informationKEY STEPS FOLLOWING A DATA BREACH
KEY STEPS FOLLOWING A DATA BREACH Introduction This document provides key recommended steps to be taken following the discovery of a data breach. The document does not constitute an exhaustive guideline,
More informationWhite Paper. Automating Your Code Review: Moving to a SaaS Model for Application Security
White Paper Automating Your Code Review: Moving to a SaaS Model for Application Security Contents Overview... 3 Executive Summary... 3 Code Review and Security Analysis Methods... 5 Source Code Review
More informationTaking a Proactive Approach to Linux Server Patch Management Linux server patching
Taking a Proactive Approach to Linux Server Patch Management Linux server patching In years past, Linux server patch management was often thought of in terms of we don t patch our servers unless there
More informationCyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.
Cyber Security Automation of energy systems provides attack surfaces that previously did not exist Cyber attacks have matured from teenage hackers to organized crime to nation states Centralized control
More informationNational Institute of Standards and Technology
1 Title: Author: Affiliation: Postal Address: Network Security Testing Using Mobile Agents T. Karygiannis National Institute of Standards and Technology NIST Information Technology Laboratory Building
More informationFull-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform
Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform Solution Brief Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform Finding
More informationCORE Security and the Payment Card Industry Data Security Standard (PCI DSS)
CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) Addressing the PCI DSS with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com
More informationTitle: Designing User Incentives for Cybersecurity
Title: Designing User Incentives for Cybersecurity Authors: Terrence August 1, Robert August 2, Hyoduk Shin 3 ACM, (2014). This is the author's version of the work. It is posted here by permission of ACM
More informationADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT
ADDING NETWORK INTELLIGENCE INTRODUCTION Vulnerability management is crucial to network security. Not only are known vulnerabilities propagating dramatically, but so is their severity and complexity. Organizations
More informationManaging Vulnerabilities For PCI Compliance
Managing Vulnerabilities For PCI Compliance Christopher S. Harper Vice President of Technical Services, Secure Enterprise Computing, Inc. June 2012 NOTE CONCERNING INTELLECTUAL PROPERTY AND SOLUTIONS OF
More informationLAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable
More informationOpen Source Voting Systems
Presented to: 2015 State Certification Testing of Voting Systems National Conference Paul W. Craft Kathleen A. McGregor May, 19, 2015 Introduction One concern raised in the aftermath of Election 2000 was
More informationSECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES
REQUIREMENT 6.1 TO 6.2 SECURITY PATCH MANAGEMENT INSTALLATION POLICY AND PROCEDURES 6.1 TO 6.2 OVERVIEW In accordance with Payment Card Industry Data Security Standards (PCI DSS) requirements, [company
More informationHow To Audit The Mint'S Information Technology
Audit Report OIG-05-040 INFORMATION TECHNOLOGY: Mint s Computer Security Incident Response Capability Needs Improvement July 13, 2005 Office of Inspector General Department of the Treasury Contents Audit
More informationPCI DSS Requirements - Security Controls and Processes
1. Build and maintain a secure network 1.1 Establish firewall and router configuration standards that formalize testing whenever configurations change; that identify all connections to cardholder data
More informationI D C E X E C U T I V E B R I E F
Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com I D C E X E C U T I V E B R I E F P e netration Testing: Taking the Guesswork Out of Vulnerability
More informationIntrusion Detections Systems
Intrusion Detections Systems 2009-03-04 Secure Computer Systems Poia Samoudi Asli Davor Sutic Contents Intrusion Detections Systems... 1 Contents... 2 Abstract... 2 Introduction... 3 IDS importance...
More informationEnterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006
Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,
More informationPassing PCI Compliance How to Address the Application Security Mandates
Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These
More informationEffective Threat Management. Building a complete lifecycle to manage enterprise threats.
Effective Threat Management Building a complete lifecycle to manage enterprise threats. Threat Management Lifecycle Assimilation of Operational Security Disciplines into an Interdependent System of Proactive
More informationCOMPLIANCE ALERT 10-12
HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment
More informationMANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE
WHITE PAPER MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE 1. OVERVIEW Do you want to design a file transfer process that is secure? Or one that is compliant? Of course, the answer is both. But it s
More informationA Channel Company White Paper. Online Security. Beyond Malware and Antivirus. Brought to You By:
A Channel Company White Paper Online Security Beyond Malware and Antivirus Brought to You By: Abstract Security has always encompassed physical and logical components. But in the face of Bring Your Own
More informationExploring the Drivers of E-Commerce through the Application of Structural Equation Modeling
Exploring the Drivers of E-Commerce through the Application of Structural Equation Modeling Andre F.G. Castro, Raquel F.Ch. Meneses and Maria R.A. Moreira Faculty of Economics, Universidade do Porto R.Dr.
More informationA BRAINSTORMING ON SECURITY FIRE DRILLS
A BRAINSTORMING ON SECURITY FIRE DRILLS Classification, Feasibility, Usefulness and Implications Maurizio Molina, DANTE Nino Jogun, CARNET on behalf of GÉANT3 project, SA2/T4 TF-CSIRT, Tallin, 25 th Sep.
More informationIs there Information Content in Insider Trades in the Singapore Exchange?
Is there Information Content in Insider Trades in the Singapore Exchange? Wong Kie Ann a, John M. Sequeira a and Michael McAleer b a Department of Finance and Accounting, National University of Singapore
More informationIBM Global Technology Services Statement of Work. for. IBM Infrastructure Security Services - Penetration Testing - Express Penetration Testing
IBM Global Technology Services Statement of Work for IBM Infrastructure Security Services - Penetration Testing - Express Penetration Testing The information in this Statement of Work may not be disclosed
More informationEffective Practice: Integrating Vulnerability Scanning with Web Authentication
Effective Practice: Integrating Vulnerability Scanning with Web Authentication Submitting Institution: University of California, Davis Date Submitted: 8/2/2004 Category: Vulnerability Assessment Subject
More informationCurrent IBAT Endorsed Services
Current IBAT Endorsed Services Managed Network Intrusion Prevention and Detection Service SecureWorks provides proactive management and real-time security event monitoring and analysis across your network
More informationFAIR TRADE IN INSURANCE INDUSTRY: PREMIUM DETERMINATION OF TAIWAN AUTOMOBILE INSURANCE. Emilio Venezian Venezian Associate, Taiwan
FAIR TRADE IN INSURANCE INDUSTRY: PREMIUM DETERMINATION OF TAIWAN AUTOMOBILE INSURANCE Emilio Venezian Venezian Associate, Taiwan Chu-Shiu Li Department of Economics, Feng Chia University, Taiwan 100 Wen
More informationProtecting Your Organisation from Targeted Cyber Intrusion
Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology
More information0days: How hacking really works. V 1.0 Jan 29, 2005 Dave Aitel dave@immunitysec.com
0days: How hacking really works V 1.0 Jan 29, 2005 Dave Aitel dave@immunitysec.com Who am I? NSA->@stake->Immunity CEO of Immunity, Inc. Consulting (product assessments) Immunity CANVAS Immunity Partner's
More information