
    Economic Factors of Vulnerability Trade and Exploitation

    Cybercrime markets support the development and diffusion of new attack technologies, vulnerability exploits, and malware. Whereas the revenue streams of cyber attackers have been studied multiple times in the literature, no quantitative account currently exists of the economics of attack acquisition and deployment. Yet this understanding is critical to characterize the production of (traded) exploits, the economy that drives it, and its effects on the overall attack scenario. In this paper we provide an empirical investigation of the economics of vulnerability exploitation and of the effects of market factors on the likelihood of exploit. Our data is collected first-hand from a prominent Russian cybercrime market where the most active attack tools reported by the security industry are traded. Our findings reveal that exploits in the underground are priced similarly to or above vulnerabilities in legitimate bug-hunting programs, and that the refresh cycle of exploits is slower than currently often assumed. On the other hand, cybercriminals are becoming faster at introducing selected vulnerabilities, and the market is in clear expansion in terms of players, traded exploits, and exploit pricing. We then evaluate the effects of these market variables on the likelihood of attack realization, and find strong evidence of a correlation between market activity and exploit deployment. We discuss implications for vulnerability metrics, economics, and exploit measurement.
    Comment: 17 pages, 11 figures, 14 tables

    My Software has a Vulnerability, should I worry?

    (U.S.) Rule-based policies to mitigate software risk suggest using the CVSS score to measure the individual vulnerability risk and acting accordingly: a HIGH CVSS score according to the NVD (National (U.S.) Vulnerability Database) is therefore translated into a "Yes". A key issue is whether such a rule is economically sensible, in particular whether reported vulnerabilities have actually been exploited in the wild, and whether the risk score actually matches the risk of actual exploitation. We compare the NVD dataset with two additional datasets, the EDB for the white market of vulnerabilities (such as those present in Metasploit), and the EKITS for the exploits traded in the black market. We benchmark them against Symantec's threat explorer dataset (SYM) of actual exploits in the wild. We analyze the whole spectrum of CVSS submetrics and use these characteristics to perform a case-controlled analysis of CVSS scores (similar to those used to link lung cancer and smoking) to test its reliability as a risk factor for actual exploitation. We conclude that (a) fixing just because of a high CVSS score in NVD yields only negligible risk reduction, (b) the additional existence of proof-of-concept exploits (e.g. in EDB) may yield some additional but not large risk reduction, (c) fixing in response to presence in black markets yields the equivalent risk reduction of wearing a safety belt in cars (you might also die but still..). On the negative side, our study shows that as an industry we lack a metric with high specificity (ruling out vulns for which we shouldn't worry). In order to address the feedback from BlackHat 2013's audience, the final revision (V3) provides additional data in Appendix A detailing how the control variables in the study affect the results.
    Comment: 12 pages, 4 figures

    The future of corporate reporting: a review article

    Significant changes in the corporate external reporting environment have led to proposals for fundamental changes in corporate reporting practices. Recent influential reports by major organisations have suggested that a variety of new information types be reported, in particular forward-looking, non-financial and soft information. This paper presents a review and synthesis of these reports and provides a framework for classifying and describing suggested information types. The existence of academic antecedents for certain current proposals is identified and the ambiguous relationship between research and practice is explored. The implications for future academic research are discussed and a research agenda is introduced.

    Security Risk Management - Approaches and Methodology

    In today's economic context, organizations are looking for ways to improve their business, to keep ahead of the competition and to grow revenue. To stay competitive and consolidate their position on the market, companies must use all the information they have and process it for better support of their missions. For this reason managers have to take into consideration the risks that can affect the organization and they have to minimize their impact on the organization. Risk management helps managers to better control business practices and improve the business process.
    Keywords: Risk Management, Security, Methodology

    The global vulnerability discovery and disclosure system: a thematic system dynamics approach

    Vulnerabilities within software are the fundamental issue that provides both the means and the opportunity for malicious threat actors to compromise critical IT systems (Younis et al., 2016). Consequently, the reduction of vulnerabilities within software should be of paramount importance; however, it is argued that software development practitioners have historically failed in reducing the risks associated with software vulnerabilities. This failure is illustrated in, and by, the growth of software vulnerabilities over the past 20 years. This increase, which is both unprecedented and unwelcome, has led to an acknowledgement that novel and radical approaches are needed both to understand the vulnerability discovery and disclosure system (VDDS) and to mitigate the risks associated with software vulnerabilities (Bradbury, 2015; Marconato et al., 2012). The findings from this research show that whilst technological mitigations are vital, the social and economic features of the VDDS are of critical importance. For example, hitherto unknown systemic themes identified by this research are of key importance and include: Perception of Punishment; Vendor Interactions; Disclosure Stance; Ethical Considerations; Economic Factors for Discovery and Disclosure; and Emergence of New Vulnerability Markets. Each theme uniquely impacts the system, and ultimately the scale of vulnerability-based risks. Within the research each theme within the VDDS is represented by several key variables which interact and shape the system. Specifically: Vendor Sentiment; Vulnerability Removal Rate; Time to Fix; Market Share; Participants within the VDDS; Full and Coordinated Disclosure Ratio; and Participant Activity. Each variable is quantified and explored, defining both the parameter space and its progression over time. These variables are utilised within a system dynamics model to simulate differing policy strategies and assess the impact of these policies upon the VDDS. Three simulated vulnerability disclosure futures are hypothesised and presented, characterised as depletion, steady and exponential, with each scenario dependent upon the parameter space within the key variables.

    Climate change adaptation in industry and business

    This report delivers a best practice framework to integrate financial risk assessment, governance and disclosure with existing governance principles around climate change adaptation.

    Abstract

    The Australian business community has long been aware of the risks and opportunities associated with greenhouse gas mitigation and climate change policies. Some businesses have taken initial steps to adapt to the expected effects of climate change; however, most enterprises are only vaguely aware of the breadth of adaptation that may be required. Associated with strategic adaptation are the principles of financial/operational risk management and governance, as well as financial impact disclosure to investors and regulators. We develop a consolidated framework in which boards and executive managers can develop a robust approach to climate change adaptation governance, climate change risk assessment and financial disclosure. The project outlines a matrix of disclosures required for investors to enable them to evaluate corporate exposure to climate change risk.

    The project initially comprised a set of workshops with members of the Australian business community, industry representatives, regulatory authorities and academics with expertise in business risk and disclosure effects. Each workshop focused on a separate theme that built upon the work of previous workshops. A set of follow-up discussions was held with some of the key members who contributed to the project, including the Australian Stock Exchange (ASX), the Investor Group on Climate Change (IGCC), the Australian Accounting Standards Board (AASB) and the Australian Institute of Company Directors. This discussion permitted each body to comment on the final report, advise on the mechanics of the costing, reporting and disclosure approaches of climate change adaptation, and lend their expertise to the formulation of an appropriate framework.

    The scope of the research is constrained to firm behaviour and the requirements for investor disclosure and governance of adaptation activities. The project therefore focuses on financial analyses, including real options, undertaken by firms with regard to investing in climate change adaptation activities and projects. While the economic costs and benefits are important to organisational adaptation activities, they represent a secondary level of analysis that may need to be carried out on either an independent or cumulative scale by governments or other bodies to measure the wider effects.

    As the degree of sophistication in climate change adaptation activities, modelling and cost estimation increases, along with the anticipated growth in interest of both company boards and managers, it is expected that accounting standards, ASX listing rules and disclosures required under the Corporations Act would need to explicitly reflect these corporate actions. The asset allocation of banks, mutual funds, superannuation funds and other investments is also likely to adapt as companies quantify their exposure to climate change. The makeup of assets in investment portfolios may therefore markedly shift, and thus indirectly adjust to the climate change adaptation activities of companies in the broader market.

    Automated Dynamic Firmware Analysis at Scale: A Case Study on Embedded Web Interfaces

    Embedded devices are becoming more widespread, interconnected, and web-enabled than ever. However, recent studies have shown that these devices are far from secure. Moreover, many embedded systems rely on web interfaces for user interaction or administration. Unfortunately, web security is known to be difficult, and therefore the web interfaces of embedded systems represent a considerable attack surface. In this paper, we present the first fully automated framework that applies dynamic firmware analysis techniques to achieve, in a scalable manner, automated vulnerability discovery within embedded firmware images. We apply our framework to study the security of embedded web interfaces running in Commercial Off-The-Shelf (COTS) embedded devices, such as routers, DSL/cable modems, VoIP phones, and IP/CCTV cameras. We introduce a methodology and implement a scalable framework for the discovery of vulnerabilities in embedded web interfaces regardless of the vendor, device, or architecture. To achieve this goal, our framework performs full-system emulation to execute firmware images in a software-only environment, i.e., without involving any physical embedded devices. Then, we analyze the web interfaces within the firmware using both static and dynamic tools. We also present some interesting case studies, and discuss the main challenges associated with the dynamic analysis of firmware images and their web interfaces and network services. The observations we make in this paper shed light on an important aspect of embedded devices that was not previously studied at a large scale. We validate our framework by testing it on 1925 firmware images from 54 different vendors. We discover important vulnerabilities in 185 firmware images, affecting nearly a quarter of the vendors in our dataset. These experimental results demonstrate the effectiveness of our approach.