
    SecRush – New Generation Vulnerability Management Framework

    Master's thesis, Information Security, 2022, Universidade de Lisboa, Faculdade de Ciências. Vulnerabilities have been increasing over the years without signs of decreasing soon. With this exponential growth, it is important for organizations to define a vulnerability management plan that states what should be done when they encounter a vulnerability. However, existing plans and metrics do not fit the current reality. Existing plans are not independent of vulnerability detection tools. The classification systems currently used (the most common is CVSS) fail to provide information on the variation of the risk that a particular vulnerability entails for the organization. This risk is not constant: it is exceptionally high when there is active exploitation, and it also depends on the vulnerability's location in the network and on business needs. SecRush presents itself as a new vulnerability management framework with a new risk-based vulnerability management process. It has a set of procedures inspired by agile methodologies to mitigate vulnerabilities and a new classification system, SecScore, able to provide a prioritization in the context of the organization. SecScore varies its ranking through temporal factors (a specific risk index depending on the organization's risk appetite and the availability of an exploit) and environmental factors (asset visibility to the external network and importance of the asset to the organization's mission). This project intends not only to contribute a set of procedures independent of the security tools used, but also to improve the currently existing classification systems for prioritization, which cannot adapt to the different contexts in which they are found.

    Cyber Security and Critical Infrastructures 2nd Volume

    The second volume of the book contains the manuscripts that were accepted for publication in the MDPI Special Topic "Cyber Security and Critical Infrastructure" after a rigorous peer-review process. Authors from academia, government and industry contributed their innovative solutions, consistent with the interdisciplinary nature of cybersecurity. The book contains 16 articles, including an editorial that explains the current challenges, innovative solutions and real-world experiences that include critical infrastructure, and 15 original papers that present state-of-the-art innovative solutions to attacks on critical systems.

    A Relevance Model for Threat-Centric Ranking of Cybersecurity Vulnerabilities

    The relentless and often haphazard process of tracking and remediating vulnerabilities is a top concern for cybersecurity professionals. The key challenge they face is trying to identify a remediation scheme specific to in-house, organizational objectives. Without a strategy, the result is a patchwork of fixes applied to a tide of vulnerabilities, any one of which could be the single point of failure in an otherwise formidable defense. This means one of the biggest challenges in vulnerability management relates to prioritization. Given that so few vulnerabilities are a focus of real-world attacks, a practical remediation strategy is to identify vulnerabilities likely to be exploited and focus efforts towards remediating those vulnerabilities first. The goal of this research is to demonstrate that aggregating and synthesizing readily accessible, public data sources to provide personalized, automated recommendations that an organization can use to prioritize its vulnerability management strategy will offer significant improvements over what is currently realized using the Common Vulnerability Scoring System (CVSS). We provide a framework for vulnerability management specifically focused on mitigating threats using adversary criteria derived from MITRE ATT&CK. We identify the data mining steps needed to acquire, standardize, and integrate publicly available cyber intelligence data sets into a robust knowledge graph from which stakeholders can infer business logic related to known threats. We tested our approach by identifying vulnerabilities in academic and common software associated with six universities and four government facilities. Ranking policy performance was measured using the Normalized Discounted Cumulative Gain (nDCG). Our results show an average 71.5% to 91.3% improvement towards the identification of vulnerabilities likely to be targeted and exploited by cyber threat actors. The ROI of patching using our policies resulted in a savings in the range of 23.3% to 25.5% in annualized unit costs. Our results demonstrate the efficiency of creating knowledge graphs to link large data sets to facilitate semantic queries and create data-driven, flexible ranking policies. Additionally, our framework uses only open standards, making implementation and improvement feasible for cyber practitioners and academia.

    WOPR: A Dynamic Cybersecurity Detection and Response Framework

    Malware authors develop software to exploit the flaws in any platform and application that suffers a vulnerability in its defenses, be it through unpatched known attack vectors or zero-day attacks for which there is no current solution. It is the responsibility of cybersecurity personnel to monitor, detect, respond to and protect against such incidents that could affect their organization. Unfortunately, the low number of skilled, available cybersecurity professionals in the job market means that many positions go unfilled and cybersecurity threats are unknowingly allowed to negatively affect many enterprises. The demand for a greater cybersecurity posture has led several organizations to develop automated threat analysis tools which can be operated by less-skilled information security analysts and response teams. However, the diverse needs and organizational factors of most businesses present a challenge for a "one size fits all" cybersecurity solution. Organizations in different industries may not have the same regulatory and standards compliance concerns because they process different forms and classifications of data. As a result, many common security solutions are ill equipped to accurately model cybersecurity threats as they relate to each unique organization. We propose WOPR, a framework for automated static and dynamic analysis of software to identify malware threats, classify the nature of those threats, and deliver an appropriate automated incident response. Additionally, WOPR provides the end user the ability to adjust threat models to fit the risks relevant to an organization, allowing for bespoke automated cybersecurity threat management. Finally, WOPR presents a departure from traditional signature-based detection found in anti-virus and intrusion detection systems by learning system-level behavior and matching system calls with malicious behavior.

    Visualizing Contextual Information for Network Vulnerability Management

    The threat of data breach rises every day, and many organizations lack the resources to patch every vulnerability they might have. Yet these organizations do not prioritize which vulnerabilities to patch in an optimal way, in part due to a lack of the context needed to make these decisions. Our team proposes the Vulnerability Visualization (VV) tool, a web visualization dashboard for increasing analyst prioritization capabilities through visualization of context for network scans. Evaluations demonstrate that the VV tool enhances the vulnerability management (VM) process by augmenting the discovery and prioritization of vulnerabilities. We show that adding context to the VM process through visualization allows people to make better decisions for vulnerability remediation.

    Cybersecurity Paradigm Shift: The Risks of Net Neutrality Repeal to Energy Reliability, Public Safety, and Climate Change Solutions

    This Article contends that the Federal Communications Commission's (FCC) January 2018 repeal of net neutrality rules created a "zero-day" cybersecurity vulnerability for the energy sector and other critical infrastructure. "A zero-day cybersecurity vulnerability is a previously unknown flaw in a computer program that exposes the program to external manipulation." The flaw may also reside in compromised hardware that creates a "back door" into the internet-connected device. This Article argues that cybersecurity has been primarily viewed from a "hacker paradigm" that obscures systemic threats an Internet Service Provider (ISP) can create to energy reliability and cybersecurity through paid priority and other ISP practices… This Article contends that federal regulators, responsible entities under the FPA, and state energy sector regulators must act to identify and mitigate risks triggered by the FCC's repeal of net neutrality rules. The energy sector's state and federal legal duties do not allow it to rely on the market and unenforceable ISP promises to protect reliability, cybersecurity, and public safety. An open and neutral internet—the goal of net neutrality—is necessary to protect energy reliability crucial to America's economy, public safety, national security, and deployment of climate change solutions. Following this introduction, section two of this Article discusses the ISP's gatekeeper position on the internet and introduces the "hacker paradigm" and "cat video paradigm" that pervade internet and cybersecurity regulation. Section three provides an overview of federal energy sector reliability standards, highlighting the states' role in energy reliability for the distribution segment of the energy grid. Section four discusses models for energy sector and critical infrastructure cybersecurity governance. Section five provides an overview of mandatory federal cybersecurity standards for the energy sector's BPS. Section six explores the "hacker-focused" paradigm of many cybersecurity standards, including the NERC standards FERC enforces for the energy sector. Section seven examines the Energy-Internet nexus, emphasizing the internet's increasing integration into the energy sector. Section eight discusses simulations that test the electric grid for communications-induced faults and cascading failures. Section nine analyzes the consequences of FERC's net neutrality repeal on energy sector reliability, cybersecurity, renewable energy deployment, and public safety. Finally, section ten recommends that FERC and state public utility commissions conduct grid simulations to test the effect of ISP-induced communications delays on grid reliability and renewable integration. It recommends that state energy regulators initiate proceedings to examine cybersecurity requirements for distribution-level energy resources. Those proceedings should request data from energy sector jurisdictional entities about ISP contracts and conduct, and then consider whether to limit contracts with such entities to ISPs that observe net neutrality. FERC should examine net neutrality repeal as a cybersecurity, reliability and resiliency risk in its Grid Resiliency and Reliability docket. Federal and state law require energy sector participants and regulators to ensure ISPs do not degrade Energy-Internet traffic or violate market manipulation rules and thereby compromise reliability, public safety, just and reasonable rates, the environment, and realization of climate change solutions.