Web security in the finance sector: Analysing the security of financial web applications: A case study
Nowadays, information security is an increasing concern in institutions and organizations. This concern is even greater in the finance sector, not only because of the financial amounts involved but also because of clients' and organizations' private and sensitive information. As a way to test security in infrastructures, networks, deployed web applications and many other assets, organizations have been performing penetration testing (pentest), which simulates an attacker's behavior in a controlled environment in order to identify vulnerabilities. This article focuses on the analysis of the results of security audits conducted on several financial web applications from one institution with the aid of automatic tools in order to assess the security level of their web applications. To help in security matters, many organizations build security frameworks for vulnerability assessment, security assessment, threat modeling, penetration testing, risk management and many more. As for penetration testing, organizations such as OWASP provide vulnerability and security information, a testing methodology, risk analysis and penetration testing tools.
My Software has a Vulnerability, should I worry?
(U.S.) Rule-based policies to mitigate software risk suggest using the CVSS score to measure the individual vulnerability risk and acting accordingly: a HIGH CVSS score according to the NVD (the U.S. National Vulnerability Database) is therefore translated into a "Yes". A key issue is whether such a rule is economically sensible, in particular whether reported vulnerabilities have actually been exploited in the wild, and whether the risk scores actually match the risk of actual exploitation.

We compare the NVD dataset with two additional datasets: the EDB for the white market of vulnerabilities (such as those present in Metasploit), and the EKITS for the exploits traded in the black market. We benchmark them against Symantec's threat explorer dataset (SYM) of actual exploits in the wild. We analyze the whole spectrum of CVSS submetrics and use these characteristics to perform a case-controlled analysis of CVSS scores (similar to those used to link lung cancer and smoking) to test its reliability as a risk factor for actual exploitation.

We conclude that (a) fixing just because of a high CVSS score in NVD yields only negligible risk reduction, (b) the additional existence of proof-of-concept exploits (e.g. in EDB) may yield some additional but not large risk reduction, and (c) fixing in response to presence in black markets yields a risk reduction equivalent to wearing a safety belt in a car (you might still die, but still..). On the negative side, our study shows that as an industry we lack a metric with high specificity (ruling out vulns for which we shouldn't worry).

In order to address the feedback from BlackHat 2013's audience, the final revision (V3) provides additional data in Appendix A detailing how the control variables in the study affect the results.

Comment: 12 pages, 4 figures
Web applications security and vulnerability analysis financial web applications security audit – a case study
Information security can no longer be neglected in any area. It is a concern to everyone and every organization. This is particularly important in the finance sector, not only because of the financial amounts involved but also because of clients' and organizations' private and sensitive information. As a way to test security in infrastructures, networks, deployed web applications and many other assets, organizations have been performing penetration testing, which simulates an attacker's behavior in a controlled environment in order to identify vulnerabilities. This article focuses on the analysis of the results of security audits conducted on several financial web applications from one institution with the aid of automatic tools in order to assess the security level of their web applications. To help in security matters, many organizations build security frameworks for vulnerability assessment, security assessment, threat modeling, penetration testing, risk management and many more. As for penetration testing, organizations such as OWASP provide vulnerability and security information, a testing methodology, risk analysis and penetration testing tools.
The Effect of Security Education and Expertise on Security Assessments: the Case of Software Vulnerabilities
In spite of the growing importance of software security and the industry demand for more cyber security expertise in the workforce, the effect of security education and experience on the ability to assess complex software security problems has only recently been investigated. As a proxy for the full range of software security skills, we considered the problem of assessing the severity of software vulnerabilities by means of a structured analysis methodology widely used in industry (i.e. the Common Vulnerability Scoring System (CVSS) v3), and designed a study to compare how accurately individuals with a background in information technology but different professional experience and education in cyber security are able to assess the severity of software vulnerabilities. Our results provide some structural insights into the complex relationship between the education or experience of assessors and the quality of their assessments. In particular, we find that individual characteristics matter more than professional experience or formal education; apparently it is the combination of skills that one possesses (including actual knowledge of the system under study), rather than the specialization or the years of experience, that most influences assessment quality. Similarly, we find that the overall advantage given by professional expertise significantly depends on the composition of the individual's security skills as well as on the available information.

Comment: Presented at the Workshop on the Economics of Information Security (WEIS 2018), Innsbruck, Austria, June 2018
Economic Factors of Vulnerability Trade and Exploitation
Cybercrime markets support the development and diffusion of new attack technologies, vulnerability exploits, and malware. Whereas the revenue streams of cyber attackers have been studied multiple times in the literature, no quantitative account currently exists of the economics of attack acquisition and deployment. Yet this understanding is critical to characterize the production of (traded) exploits, the economy that drives it, and its effects on the overall attack scenario. In this paper we provide an empirical investigation of the economics of vulnerability exploitation, and of the effects of market factors on the likelihood of exploitation. Our data is collected first-hand from a prominent Russian cybercrime market where the most active attack tools reported by the security industry are traded. Our findings reveal that exploits in the underground are priced similarly to or above vulnerabilities in legitimate bug-hunting programs, and that the refresh cycle of exploits is slower than currently often assumed. On the other hand, cybercriminals are becoming faster at introducing selected vulnerabilities, and the market is in clear expansion in terms of players, traded exploits, and exploit pricing. We then evaluate the effects of these market variables on the likelihood of attack realization, and find strong evidence of a correlation between market activity and exploit deployment. We discuss implications for vulnerability metrics, economics, and exploit measurement.

Comment: 17 pages, 11 figures, 14 tables
Selecting Countermeasures for ICT systems Before They are Attacked
A countermeasure is any change to a system that reduces the probability of it being successfully attacked. We propose a model-based approach that selects countermeasures through multiple simulations of the behaviors of an ICT system and of intelligent attackers that implement sequences of attacks. The simulations return information on the attacker sequences and the goals they reach, which we use to compute the statistics that drive the selection. Since attackers change their sequences as countermeasures are deployed, we have defined an iterative strategy where each iteration selects some countermeasures, updates the system models and runs the simulations to discover any new attacker sequence. The discovery of new sequences starts a new iteration. The Haruspex suite automates the proposed approach. Some of its tools acquire information on the target system and on the attackers and build the corresponding models. Another tool simulates the attacks through the models of the system and of the attackers. The tool that selects countermeasures invokes the other ones to discover how countermeasures influence the attackers. We apply the whole suite to three systems and discuss how the connection topology influences the countermeasures to adopt.
A Software Vulnerability Rating Approach Based on the Vulnerability Database
CVSS is a specification for measuring the relative severity of software vulnerabilities. The metric values of CVSS given by the CVSS-SIG cannot describe the reasons for the software vulnerabilities, so this approach fails to distinguish between software vulnerabilities that have the same score but different levels of severity. In this paper, a software vulnerability rating approach (SVRA) is proposed. SVRA uses the vulnerability database to analyze the frequencies of CVSS's metrics at different times. Then, the equations for both the exploitability and impact subscores are given in terms of these frequencies. SVRA performs a weighted average of these two subscores to create an SVRA score. The score of a vulnerability is dynamically calculated at different times using the vulnerability database. Experiments were performed to validate the efficiency of SVRA.
Design of methodology for vulnerability assessment
The thesis deals with the assessment of security vulnerabilities. Its aim is to create a new vulnerability assessment method that better prioritizes critical vulnerabilities and reflects parameters that are not used in the methods currently in use. It first describes the current methods used for vulnerability assessment and the parameters used in each of them. The first method described is the Common Vulnerability Scoring System, for which all three types of score that the method uses are described. The second method analysed is the OWASP Risk Rating Methodology. The second part is devoted to the design of the author's own method, which aims to assess vulnerabilities in such a way that those with high priority are easier to identify. The method is based on three groups of parameters. The first group describes the technical assessment of the vulnerability, the second is based on the requirements for ensuring the confidentiality, integrity and availability of the asset, and the third group of parameters evaluates the implemented countermeasures. All three groups of parameters are important for prioritization. The parameters describing the vulnerability are divided into permanent and current ones, where the current ones consist mainly of information from Threat Intelligence services and the ease of exploitation. The parameters of the impact on confidentiality, integrity and availability are linked with the requirements for ensuring these properties, i.e. with the priority of the asset, and further with the evaluation of the countermeasures, which in turn increase the protection of confidentiality, integrity and availability. The priority of the asset and the quality of the countermeasures are assessed on the basis of questionnaires submitted to the owners of the examined assets as part of the vulnerability assessment. In the third part of the thesis, the proposed method is compared with the currently widely used Common Vulnerability Scoring System. Several examples show the strengths of the proposed method: the effectiveness of prioritization is visible when the requirements for ensuring confidentiality, integrity and availability, and the increased protection of these properties provided by the implemented countermeasures, are taken into account. The method was tested in practice in a laboratory environment, where vulnerabilities were simulated on several different assets. These vulnerabilities were assessed with the proposed method, the priority of the asset and the quality of the countermeasures were taken into account, and everything was included in the resulting priority of the vulnerabilities. This testing confirmed that the proposed method more effectively prioritizes vulnerabilities that are easily exploitable, have recently been frequently exploited, and are present on assets with minimal protection and higher priority.