Predicting Exploitation of Disclosed Software Vulnerabilities Using Open-source Data

Each year, thousands of software vulnerabilities are discovered and reported to the public. Unpatched known vulnerabilities are a significant security risk. It is imperative that software vendors quickly provide patches once vulnerabilities are known and users quickly install those patches as soon as they are available. However, most vulnerabilities are never actually exploited. Since writing, testing, and installing software patches can involve considerable resources, it would be desirable to prioritize the remediation of vulnerabilities that are likely to be exploited. Several published research studies have reported moderate success in applying machine learning techniques to the task of predicting whether a vulnerability will be exploited. These approaches typically use features derived from vulnerability databases (such as the summary text describing the vulnerability) or social media posts that mention the vulnerability by name. However, these prior studies share multiple methodological shortcomings that inflate predictive power of these approaches. We replicate key portions of the prior work, compare their approaches, and show how selection of training and test data critically affect the estimated performance of predictive models. The results of this study point to important methodological considerations that should be taken into account so that results reflect real-world utility

Risk mitigation decisions for it security

Enterprises must manage their information risk as part of their larger operational risk management program. Managers must choose how to control for such information risk. This article defines the flow risk reduction problem and presents a formal model using a workflow framework. Three different control placement methods are introduced to solve the problem, and a comparative analysis is presented using a robust test set of 162 simulations. One year of simulated attacks is used to validate the quality of the solutions. We find that the math programming control placement method yields substantial improvements in terms of risk reduction and risk reduction on investment when compared to heuristics that would typically be used by managers to solve the problem. The contribution of this research is to provide managers with methods to substantially reduce information and security risks, while obtaining significantly better returns on their security investments. By using a workflow approach to control placement, which guides the manager to examine the entire infrastructure in a holistic manner, this research is unique in that it enables information risk to be examined strategically. © 2014 ACM

A Survey on Wireless Security: Technical Challenges, Recent Advances and Future Trends

This paper examines the security vulnerabilities and threats imposed by the inherent open nature of wireless communications and to devise efficient defense mechanisms for improving the wireless network security. We first summarize the security requirements of wireless networks, including their authenticity, confidentiality, integrity and availability issues. Next, a comprehensive overview of security attacks encountered in wireless networks is presented in view of the network protocol architecture, where the potential security threats are discussed at each protocol layer. We also provide a survey of the existing security protocols and algorithms that are adopted in the existing wireless network standards, such as the Bluetooth, Wi-Fi, WiMAX, and the long-term evolution (LTE) systems. Then, we discuss the state-of-the-art in physical-layer security, which is an emerging technique of securing the open communications environment against eavesdropping attacks at the physical layer. We also introduce the family of various jamming attacks and their counter-measures, including the constant jammer, intermittent jammer, reactive jammer, adaptive jammer and intelligent jammer. Additionally, we discuss the integration of physical-layer security into existing authentication and cryptography mechanisms for further securing wireless networks. Finally, some technical challenges which remain unresolved at the time of writing are summarized and the future trends in wireless security are discussed.Comment: 36 pages. Accepted to Appear in Proceedings of the IEEE, 201

Subnational Environmental Constitutionalism and Reform in New York State

The State of New York’s constitution was perhaps the first in the world to embody environmental constitutionalism, most directly in what is known as its “Forever Wild” mandate from 1894. In contrast to many subnational environmental provisions, courts in New York have regularly enforced Forever Wild. New York’s Constitution also contains a remarkable mandate that every twenty years voters decide whether to hold elections for delegates to convene a convention to amend the state’s constitution, with the next such opportunity on November 7, 2017. This article explores how subnational constitutionalism from around the world informs discussions about whether and how to amend the charter, and has three parts. Part I provides a primer to the field of subnational environmental constitutionalism. Part II explores the opportunities and challenges in enforcing existing subnational environmental provisions. Part III then examines a case study involving language to consider at a constitutional convention for the State of New York

A framework for cost-sensitive automated selection of intrusion response

In recent years, cost-sensitive intrusion response has gained significant interest due to its emphasis on the balance between potential damage incurred by the intrusion and cost of the response. However, one of the challenges in applying this approach is defining a consistent and adaptable measurement framework to evaluate the expected benefit of a response. In this thesis we present a model and framework for the cost-sensitive assessment and selection of intrusion response. Specifically, we introduce a set of measurements that characterize the potential costs associated with the intrusion handling process, and propose an intrusion response evaluation method with respect to the risk of potential intrusion damage, the effectiveness of the response action and the response cost for a system. The proposed framework has the important quality of abstracting the system security policy from the response selection mechanism, permitting policy adjustments to be made without changes to the model. We provide an implementation of the proposed solution as an IDS-independent plugin tool, and demonstrate its advantages over traditional static response systems and an existing dynamic response system

The Impact of Persuasive Response Sequence and Consistency when IT Service Providers Address Auditor-Identified Issues in SOC2 Reports

We examine how an IT service provider’s persuasive communication related to SOC2 report findings influences management’s (i.e., user-entities’) perceptions of the outsourced services. Within SOC2 reports, service providers can attempt to influence management’s impressions of auditor-identified issues and, due to the report’s limited audience, also follow-up with management about these issues. Using dual-process theories of persuasion, we predict the type of persuasion used by a service provider in a SOC2 report (contend or concede), and its consistency with follow-up persuasive appeals (contend or concede), will influence management’s perceptions of the services provided. In an experiment, only when the service provider first contends the auditor’s findings does a follow-up concession (rather than contention) result in more favorable perceptions. Persuasion tactics also influence management’s processing of risk factors, which impact their trust in the service. Thus, IT service providers’ initial and follow-up persuasive communications influence management’s assessment of SOC2 auditor-identified issues

Security Limitations with Cloud Computing: Well-defined Security Measures Using Cloud Computing

Due to the ever-growing threat of security breaches that information technology (IT) organizations continually face, protecting customer information stored in the cloud is critical to ensure data integrity. Research shows that new categories of data breaches frequently emerge; thus, security strategies that build trust in consumers and improve system performance are crucial. The purpose of this qualitative multiple case study was to explore and analyze the strategies used by database administrators (DBAs) to secure data in a private infrastructure as a service (IaaS) cloud environment. The participants comprised of six DBAs from two IT companies in Baltimore, Maryland, with experience and knowledge of security strategies to secure data in private IaaS clouds. The disruptive innovation theory was the foundational framework for this study. Data were collected using semistructured interviews and a review of seven organizational documents. A thematic analysis was used to analyze the data. Two key themes are addressed in this article: importance of well-defined security measures in cloud computing and limitations of existing security controls in cloud computing. The findings of well-defined security strategies may benefit DBAs and IT organizations by providing strategies that may prevent future data breaches. Well-defined security strategies may protect an individual’s data which, in turn, may promote individual well-being and build strong communities. Keywords: cloud computing, security strategies, data breaches DOI: 10.7176/JIEA/11-2-05 Publication date: June 30th 202