The speed of (in)security Analysis of the speed of security vs insecurity

Similar documents
0-Day Patch Exposing Vendors (In)security Performance

THE SECURITY EXPOSURE

Vulnerabilità e Attacchi alle Infrastrutture IT Simone Riccetti. Sr. IT Security Architect

AN EMPIRICAL ANALYSIS OF VULNERABILITY DISCLOSURE POLICIES. Research in Progress Submission to WISE 2010 Total Word Count: 3409

Towards Unifying Vulnerability Information for Attack Graph Construction

Five ways to simplify the vulnerability management lifecycle. Scott Sidel, CISSP, CEH, ETC May 2005

6. Exercise: Writing Security Advisories

Secunia Vulnerability Intelligence Manager

GENERIC FIRE RISK ASSESSMENT FOR

INSIDE. Management Process. Symantec Corporation TM. Best Practices Roles & Responsibilities. Vulnerabilities versus Exposures.

CDM Vulnerability Management (VUL) Capability

Analysis of update delays in Signature-based Network Intrusion Detection Systems

Defining and Assessing Quantitative Security Risk Measures Using Vulnerability Lifecycle and CVSS Metrics

Beyond Heuristics: Learning to Classify Vulnerabilities and Predict Exploits

Automated Firewall Rules Generation Based on Value-Centric Threat Modeling

Spooks in the Machine

Top 10 Security Trends

76% Secunia Vulnerability Review. Key figures and facts from a global IT-Security perspective. Published February 26, secunia.

Vulnerability Intelligence & 3 rd party patch management

QRadar SIEM and FireEye MPS Integration

An Empirical Analysis of Exploitation Attempts based on Vulnerabilities in Open Source Software

The Value of Vulnerability Management*

Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme

Optimizing Network Vulnerability

Extreme Networks Security Analytics G2 Vulnerability Manager

WhiteHat Security White Paper. Top 11 PCI DSS 3.0 Changes That Will Affect Your Application Security Program

Proactive Vulnerability Management Using Rapid7 NeXpose

Cloud Infrastructure Security Management

Understanding ZDI: Separating Fact from Fiction WHITE PAPER

MWR InfoSecurity Security Advisory. Symantec s Altiris Deployment Solution File Transfer Race Condition. 7 th January 2010

IBM Security QRadar Vulnerability Manager

Using Vulnerable Hosts to Assess Cyber Security Risk in Critical Infrastructures

Standard: Vulnerability Management and Assessment

Copyright (2004) Purdue Research Foundation. All rights reserved.

BUILDING AN EFFECTIVE VULNERABILITY MANAGEMENT PROGRAM. Henrik Åkerstrand Account Executive Nordics

APPLICATION SECURITY RESPONSE: WHEN HACKERS COME A-KNOCKING

An Empirical Analysis of Software Vendors Patching Behavior: Impact of Vulnerability Disclosure 1

NEXT GENERATION APPLICATION SECURITY

Risk Analytics for Cyber Security

A SECURITY COMPARISON OF OPEN-SOURCE AND CLOSED- SOURCE OPERATING SYSTEMS

Cyber Adversary Characterization. Know thy enemy!

PASTA Abstract. Process for Attack S imulation & Threat Assessment Abstract. VerSprite, LLC Copyright 2013

CPNI TECHNICAL NOTE 04/2008 VULNERABILITY ASSESSMENT TOOLS

Vulnerability Management

Panel: SwA Practices - Getting to Effectiveness in Implementation

Data Driven Assessment of Cyber Risk:

Best Practices in ICS Security for Device Manufacturers. A Wurldtech White Paper

IT Risk Management: Guide to Software Risk Assessments and Audits

Accelerate Patching Progress in the Enterprise. Wolfgang Kandek CTO Qualys, Inc.

PATCH MANAGEMENT. February The Government of the Hong Kong Special Administrative Region

Value Driven Security Threat Modeling Based on Attack Path Analysis

Vulnerability Management in Software: Before Patch Tuesday KYMBERLEE PRICE BUGCROWD

Is Penetration Testing recommended for Industrial Control Systems?

Impact of Juniper Training and Certification on Network Management Activities

Dedicated and Distributed Vulnerability Management

A patch management discussion

A Novel Quantitative Approach For Measuring Network Security

Patch Management Best Practices

Cisco Security IntelliShield Alert Manager Service

Manage Vulnerabilities (VULN) Capability Data Sheet

Safeguarding Company IT Assets through Vulnerability Management

We conducted a systematic study on data available through Symantec s

OPEN SOURCE SECURITY

VoIP: The Evolving Solution and the Evolving Threat. Copyright 2004 Internet Security Systems, Inc. All rights reserved worldwide

Virtual Patching: a Proven Cost Savings Strategy

REDUCE YOUR OPEN SOURCE SECURITY RISK: STRATEGIES, TACTICS, AND TOOLS

Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities

Application Security in the Software Development Lifecycle

How to start a software security initiative within your organization: a maturity based and metrics driven approach OWASP

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

How to Prepare for a Data Breach

Software Vulnerability Assessment

Addressing FISMA Assessment Requirements

Secunia Corporate Software Inspector (Secunia CSI) ver.5.0

State of Oregon. State of Oregon 1

Data Center Security in a World Without Perimeters

Memorandum. Vulnerability Assessment of FAA's Operational Air Traffic Control System Report Number QC JA-20

Continuous Network Monitoring

FEELING VULNERABLE? YOU SHOULD BE.

Overview. Introduction. Conclusions WINE TRIAGE. Zero day analysis. Symantec Research Labs (SRL)

Patch Management Policy

Role Comparison Security Report Database Server Role

Gold study sponsor: Is cyber security now too hard for enterprises? Cyber security trends in the UK. Executive Summary

Insecurity in Security Software

Managing non-microsoft updates

FY 2007 E GOVERNMENT ACT REPORT FINAL SEPTEMBER 2007

Best Practices for Vulnerability Management

Guidelines for Security Vulnerability Reporting and Response Organization for Internet Safety Version September 2004

FERPA: Data & Transport Security Best Practices

ISSECO Syllabus Public Version v1.0

Vulnerability Assessment in Autonomic Networks and Services: A Survey

Microsoft Patch Analysis

CMS REPORTING PROCEDURE FOR INFORMATION SECURITY (IS) ASSESSMENTS

Industrial Cyber Security Risk Manager. Proactively Monitor, Measure and Manage Industrial Cyber Security Risk

IOActive Security Advisory

Security Content Automation Protocol for Governance, Risk, Compliance, and Audit

TECHNICAL NOTE 08/04 IINTRODUCTION TO VULNERABILITY ASSESSMENT TOOLS

Closing the Vulnerability Gap of Third- Party Patching

Information Security: A Perspective for Higher Education

Transcription:

The speed of (in)security Analysis of the speed of security vs insecurity BlackHat 2006 USA Las Vegas Stefan Frei + Martin May Communication Systems Group ETH Zurich Switzerland http://www.csg.ethz.ch http://www.techzoom.net/risk 1

Abstract To understand the security risks inherent with the use and operation of today's information and communication systems, analysis of the vulnerabilities' technical details is not sufficient. Defending against attacks requires a quantitative understanding of the vulnerability lifecycle (e.g. the discovery-, disclosure-, exploit- and patch-date). Specifically, one has to understand how exploitation and remediation of vulnerabilities, as well as the distribution of information thereof is handled by the industry. While the explanation of the discovery-, exploit-, and patch-date is rather intuitive, we propose a new defnition for the disclosure-date of a vulnerability. In our research, we examine how vulnerabilities are handled in large-scale, analyzing more than 80,000 security advisories published since 1996. Based on this information, we quantify and discuss the gap between the time of exploit- and patch-availability: the dynamics of (in)security. 2

Motivation Large scale risk assessment for risk assessment, the knowledge of technical details of vulnerabilities is not sufficient timing is essential (patch- vs exploit-availability) vulnerability disclosure-date not yet suitably defined Contributions we propose a concise definition for the disclosure-date we present an analysis of 14,000+ vulnerabilities 1996.. we propose a methodology to measure security risk 3

Outline Revisiting the vulnerability disclosure-date Comparing Security Information Providers (SIP) Analysis of the relation between discovery-, exploit-, and patch-dates Distribution functions and trends Conclusion 4

What is the disclosure-date? first discussion of a potential vulnerability in a security list? vage information from vendor (e.g. with patch)? rumors?.. these do not qualify as disclosure-date! Our requirements: vulnerability information is freely available to public disclosed by a trusted and independent source vulnerability is analyzed and rated by experts 5

Definition of the disclosure-date To ensure the quality and availability of relevant security information, we propose the following definition of the disclosure-date: The time of disclosure is the first date a vulnerability is described on a channel where the disclosed information on the vulnerability fullfills the following requirements: The vulnerability information.. 1. is freely available to the public. 2. is published by trusted and independent channel. 3. was analyzed by experts that risk rating information is included in the disclosure. 6

Requirement details Requirement 1 From the security perspective, only a free and public disclosure can ensure that all interested parties get the relevant information. Security through obscurity is a concept that never worked. Requirement 2 Only a channel independent of a vendor or a government is unbiased and enables a fair dissemination of security critical information. A channel is considered trusted when it is a widely accepted source of security information in the industry (e.g by having reliably delivered security information over a long period of time). Requirement 3 Analysis and risk rating ensures the quality of the disclosed information. The mere discussion on a potential flaw in a mailing list or vage information from a vendor do therefore not qualify. 7

Security Information Providers Potential providers for the disclosure-date CERT (Computer Emergency Response Team, USA) www.cert.org, started before 1996 Secunia (Secunia, Denmark) www.secunia.com, since 2002 FrSirt (French Security Incident Response Team, France) www.frsirt.com, since 2004 ISS X-Force (Internet Security Systems, USA) www.iss.net, since 1996 Securityfocus (Symantec, USA) www.securityfocus.com, since 1996 8

Candidates to provide the disclosure-date Number of vulnerabilities disclosed per day from 1996-2006 Cert Secunia FrSirt ISS x-force Securityfocus ISS+Securityfocus: - well established - long history - largest dataset Secunia+FrSirt good for recent vulnerabilities 9

Data and analysis Data used for this analysis Disclosure-date - taken from ISS X-Force or Securityfocus, whichever is earlier - well known sources, data available since 1996, they differ only slightly - two data providers. potential bias for own products neutralized Vulnerabilities from NVD 1 and OSVDB 2-14,000+ vulnerabilites with a CVE entry and risk metric information - correlated with information from 80,000+ security advisories Relation between disclosure-date and - discovery-date available for some vulnerabilities, usually after disclosure - exploit-date from known exploit sites (milw0rm, frsirt, metasploit,..) - patch-date from vendor, originator of the software 1) www.nvd.nist.gov, 2) www.osvdb.org 10

Discovery-date Analysis Discovery-date vs disclosure-date increase in number of discovered vulnerabilities Y-Axis: days between discoveryand disclosure-date in days X-Axis: disclosure-date Data - 9733 discovery dates - 42% before disclosure - 58% at disclosure 11

Exploit Availability Exploit availability date vs disclosure-date higher concentration near disclosure-date: 0-day exploits Y-Axis: days between exploitand disclosure-date in days X-Axis: disclosure-date Data - 3428 exploits - 23% before disclosure - 58% at disclosure - 19 % after disclosure 12

Patch Availability Patch availability date vs disclosure-date many patches available only well after disclosure Y-Axis: days between patch- and disclosure-date in days X-Axis: disclosure-date Data -1551 patches - 15% before disclosure - 54% at disclosure - 31% after disclosure 13

Exploits per year exploits get analysed faster by security industry Y-Axis: cumulated probability for exploit dates 2001-2005 X-Axis: days from disclosuredate Increasing number of exploits available at (or short after) the disclosure-date 14

Patches per year unpatched after 100 days Y-Axis: cumulated probability for patch-dates 2001-2005 X-Axis: days from disclosuredate 15

The Speed of (In)security The dynamics of security vs insecurity gap between available security vs insecurity Y-Axis: cumulated probability for exploit- and patchavailability dates X-Axis: days from disclosuredate Data: - 3416 exploits - 1477 patches - from 1996-2006 16

Interpretation Risk Metric We see that the exploit-cdf remains above the patch-cdf over the full range of 300 days after disclosure. This gap, which quantifies the difference between exploit- and patch-availability, indicats the risk exposure and its development over time. This metric enables us to empirically measure and assess the state of the security industry. CDF Cummulated Distribution Function 17

Conclusion first analysis of relation between patch- and exploitdates on this scale large dataset (14,000+ vulnerabilites, 80,000+ advisories) measured gap between patch- and exploit-availability Future continued monitoring and database updates online risk analysis tool at www.techzoom.net/risk 18

Thank you Thank you All plots are online at www.techzoom.net/risk Research sponsored by Swiss Federal Institute of Technology, Zurich www.csg.ethz.ch 19

References Security Information Providers www.cert.org CERT www.secunia.com Secunia www.frsirt.com FrSirt www.iss.net ISS Internet Security Systems www.securityfocus.com SecurityFocus Vulnerability Databases www.nvd.nist.gov National Vulnerability Database www.osvdb.org Open Source Vulnerability Database Misc www.csg.ethz.ch Swiss Federal Institute of Technology, ComSys Group www.techzoom.net/risk Dynamics of Insecurity online en.wikipedia.org/wiki/cumulative_distribution_function Statistics 20

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information