18,137 research outputs found
Dynamic real-time risk analytics of uncontrollable states in complex internet of things systems, cyber risk at the edge
The Internet of Things (IoT) triggers new types of cyber risks. Therefore,
the integration of new IoT devices and services requires a self-assessment of
IoT cyber security posture. By security posture this article refers to the
cybersecurity strength of an organisation to predict, prevent and respond to
cyberthreats. At present, there is a gap in the state of the art, because there
are no self-assessment methods for quantifying IoT cyber risk posture. To
address this gap, an empirical analysis is performed of 12 cyber risk
assessment approaches. The results and the main findings from the analysis is
presented as the current and a target risk state for IoT systems, followed by
conclusions and recommendations on a transformation roadmap, describing how IoT
systems can achieve the target state with a new goal-oriented dependency model.
By target state, we refer to the cyber security target that matches the generic
security requirements of an organisation. The research paper studies and adapts
four alternatives for IoT risk assessment and identifies the goal-oriented
dependency modelling as a dominant approach among the risk assessment models
studied. The new goal-oriented dependency model in this article enables the
assessment of uncontrollable risk states in complex IoT systems and can be used
for a quantitative self-assessment of IoT cyber risk posture
Mining Threat Intelligence about Open-Source Projects and Libraries from Code Repository Issues and Bug Reports
Open-Source Projects and Libraries are being used in software development
while also bearing multiple security vulnerabilities. This use of third party
ecosystem creates a new kind of attack surface for a product in development. An
intelligent attacker can attack a product by exploiting one of the
vulnerabilities present in linked projects and libraries.
In this paper, we mine threat intelligence about open source projects and
libraries from bugs and issues reported on public code repositories. We also
track library and project dependencies for installed software on a client
machine. We represent and store this threat intelligence, along with the
software dependencies in a security knowledge graph. Security analysts and
developers can then query and receive alerts from the knowledge graph if any
threat intelligence is found about linked libraries and projects, utilized in
their products
- …