Why Cooperate? Ethical Analysis of InfoSec Vulnerability Disclosure

Vendors, security consultants and information security researchers seek guidance on if and when to disclose information about specific software or hardware security vulnerabilities. We apply Kantianism to argue that vendors and third parties (InfoSec researchers, consultants, and other interested parties) have an ethical obligation to inform customers and business partners (such as channel partners or providers of complementary products and services) about specific software vulnerabilities (thus addressing if disclosure should occur). We apply Utilitarianism to address the question of when disclosure should occur. By applying these two philosophical perspectives we conclude that to maximize social welfare, vendors should release software fixes as soon as possible, and third parties should adopt a coordinated disclosure policy to avoid placing customers and business partners at unnecessary risk

Networks of Cybercrime Prevention: A Process Study of the Credit Card

This research-in-progress paper reports on a project that seeks to develop a new process perspective on incentive mechanisms in cybercrime prevention networks. Adopting such a view is of great importance given the continuous innovations in cybercrime that makes fighting it a constant endeavour, involving actors from multiple networks. To this end, we zoom in on specific prevention encounters occurring throughout the process of producing prevention measures, to identify incentive mechanisms needed to bring heterogeneous actors together in cybercrime prevention networks. Our longitudinal case study of credit card fraud and how it has developed over time resulted in identifying eleven prevention encounters that are critical in the fraud prevention lifecycle. Upon completion of this re-search, we anticipate to contribute to current literature on security networks in three ways. First, offer a new understanding on incentive mechanisms that accounts for the role of contextual conditions in shaping these incentives. Second, add diversity to research methods used to study incentives by adopting a qualitative case study approach. Third, we shed more light on the role of technology in building incentive mechanisms in cybercrime prevention networks

Are Markets for Vulnerabilities Effective?

Security vulnerabilities are inextricably linked to information systems. Unable to eliminate these vulnerabilities, the security community is left to minimize their impact. Unfortunately, current reward structures may be skewed towards benefiting nefarious usage of vulnerability information rather than responsible disclosure. Recently suggested market-based mechanisms offer some hope by providing incentives to responsible security researchers. However, concerns exist that any benefits gained through increased incentives may be more than lost through information leakage. Using two years of security alert data, we examine the effectiveness of market-based mechanisms. While market-mechanisms do not reduce the likelihood that a vulnerability will be exploited, we find evidence that markets increase the time to vulnerability exploit and decrease the overall volume of alerts

Assessing the Value of Network Security Technologies

Proper configuration of security technologies is critical to balance the access and protection requirements of information. The common practice of using a layered security architecture that has multiple technologies amplifies the need for proper configuration because the configuration decision about one security technology has ramifications for the configuration decisions about others. We study the impact of configuration on the value obtained from a firewall and an Intrusion Detection System (IDS). We also study how a firewall and an IDS interact with each other in terms of value contribution. We show that the firm may be worse off when it deploys a technology if the technology (either the firewall or the IDS) is improperly configured. A more serious consequence for the firm is that even if each of these (improperly configured) technologies offers a positive value when deployed alone, deploying both may be detrimental to the firm. Configuring the IDS and the firewall optimally eliminates the conflict between them, resulting in a non-negative value to the firm. When optimally configured, we find that these technologies may complement or substitute each other. Further, we find that while the optimal configuration of an IDS is the same whether it is deployed alone or together with a firewall, the optimal configuration of a firewall has a lower detection rate (i.e., allow more access) when it is deployed with an IDS than when deployed alone. Our results highlight the complex interactions between firewall and IDS technologies when they are used together in a security architecture, and, hence, the need for proper configuration in order to benefit from these technologies

Assessing the Value of Network Security Technologies

Proper configuration of security technologies is critical to balance the access and protection requirements of information. The common practice of using a layered security architecture that has multiple technologies amplifies the need for proper configuration because the configuration decision about one security technology has ramifications for the configuration decisions about others. We study the impact of configuration on the value obtained from a firewall and an Intrusion Detection System (IDS). We also study how a firewall and an IDS interact with each other in terms of value contribution. We show that the firm may be worse off when it deploys a technology if the technology (either the firewall or the IDS) is improperly configured. A more serious consequence for the firm is that even if each of these (improperly configured) technologies offers a positive value when deployed alone, deploying both may be detrimental to the firm. Configuring the IDS and the firewall optimally eliminates the conflict between them, resulting in a non-negative value to the firm. When optimally configured, we find that these technologies may complement or substitute each other. Further, we find that while the optimal configuration of an IDS is the same whether it is deployed alone or together with a firewall, the optimal configuration of a firewall has a lower detection rate (i.e., allow more access) when it is deployed with an IDS than when deployed alone. Our results highlight the complex interactions between firewall and IDS technologies when they are used together in a security architecture, and, hence, the need for proper configuration in order to benefit from these technologies

Enhancing Trust –A Unified Meta-Model for Software Security Vulnerability Analysis

Over the last decade, a globalization of the software industry has taken place which has facilitated the sharing and reuse of code across existing project boundaries. At the same time, such global reuse also introduces new challenges to the Software Engineering community, with not only code implementation being shared across systems but also any vulnerabilities it is exposed to as well. Hence, vulnerabilities found in APIs no longer affect only individual projects but instead might spread across projects and even global software ecosystem borders. Tracing such vulnerabilities on a global scale becomes an inherently difficult task, with many of the resources required for the analysis not only growing at unprecedented rates but also being spread across heterogeneous resources. Software developers are struggling to identify and locate the required data to take full advantage of these resources. The Semantic Web and its supporting technology stack have been widely promoted to model, integrate, and support interoperability among heterogeneous data sources. This dissertation introduces four major contributions to address these challenges: (1) It provides a literature review of the use of software vulnerabilities databases (SVDBs) in the Software Engineering community. (2) Based on findings from this literature review, we present SEVONT, a Semantic Web based modeling approach to support a formal and semi-automated approach for unifying vulnerability information resources. SEVONT introduces a multi-layer knowledge model which not only provides a unified knowledge representation, but also captures software vulnerability information at different abstract levels to allow for seamless integration, analysis, and reuse of the modeled knowledge. The modeling approach takes advantage of Formal Concept Analysis (FCA) to guide knowledge engineers in identifying reusable knowledge concepts and modeling them. (3) A Security Vulnerability Analysis Framework (SV-AF) is introduced, which is an instantiation of the SEVONT knowledge model to support evidence-based vulnerability detection. The framework integrates vulnerability ontologies (and data) with existing Software Engineering ontologies allowing for the use of Semantic Web reasoning services to trace and assess the impact of security vulnerabilities across project boundaries. Several case studies are presented to illustrate the applicability and flexibility of our modelling approach, demonstrating that the presented knowledge modeling approach cannot only unify heterogeneous vulnerability data sources but also enables new types of vulnerability analysis

Essays on exploitation and exploration in software development

Software development includes two types of activities: software improvement activities by correcting faults and software enhancement activities by adding new features. Based on organizational theory, we propose that these activities can be classified as implementation-oriented (exploitation) and innovation-oriented (exploration). In the context of open source software (OSS) development, developing a patch would be an example of an exploitation activity. Requesting a new software feature would be an example of an exploration activity. This dissertation consists of three essays which examine exploitation and exploration in software development. The first essay analyzes software patch development (exploitation) in the context of software vulnerabilities which could be exploited by hackers. There is a need for software vendors to make software patches available in a timely manner for vulnerabilities in their products. We develop a survival analysis model of the patch release behavior of software vendors based on a cost-based framework of software vendors. We test this model using a data set compiled from the National Vulnerability Database (NVD), United States Computer Emergency Readiness Team (US-CERT), and vendor web sites. Our results indicate that vulnerabilities with high confidentiality impact or high integrity impact are patched faster than vulnerabilities with high availability impact. Interesting differences in the patch release behavior of software vendors based on software type (new release vs. update) and type of vendor (open source vs. proprietary) are found. The second essay studies exploitation and exploration in the content of OSS development. We empirically examine the differences between exploitation (patch development) and exploration (feature request) networks of developers in OSS projects in terms of their social network structure, using a data set collected from the SourceForge database. We identify a new category of developers (ambidextrous developers) in OSS projects who contribute to patch development as well as feature request activities. Our results indicate that a patch development network has greater internal cohesion and network centrality than a feature request network. In contrast, a feature request network has greater external connectivity than a patch development network. The third essay explores ambidexterity and ambidextrous developers in the context of OSS project performance. Recent research on OSS development has studied the social network structure of software developers as a determinant of project success. However, this stream of research has focused on the project level, and has not recognized the fact that software projects could consist of different types of activities, each of which could require different types of expertise and network structures. We develop a theoretical construct for ambidexterity based on the concept of ambidextrous developers. We empirically illustrate the effects of ambidexterity and network characteristics on OSS project performance. Our results indicate that a moderate level of ambidexterity, external cohesion, and technological diversity are desirable for project success. Project success is also positively related to internal cohesion and network centrality. We illustrate the roles of ambidextrous developers on project performance and their differences compared to other developers

The global vulnerability discovery and disclosure system: a thematic system dynamics approach

Vulnerabilities within software are the fundamental issue that provide both the means, and opportunity for malicious threat actors to compromise critical IT systems (Younis et al., 2016). Consequentially, the reduction of vulnerabilities within software should be of paramount importance, however, it is argued that software development practitioners have historically failed in reducing the risks associated with software vulnerabilities. This failure is illustrated in, and by the growth of software vulnerabilities over the past 20 years. This increase which is both unprecedented and unwelcome has led to an acknowledgement that novel and radical approaches to both understand the vulnerability discovery and disclosure system (VDDS) and to mitigate the risks associate with software vulnerability centred risk is needed (Bradbury, 2015; Marconato et al., 2012). The findings from this research show that whilst technological mitigations are vital, the social and economic features of the VDDS are of critical importance. For example, hitherto unknown systemic themes identified by this research are of key and include; Perception of Punishment; Vendor Interactions; Disclosure Stance; Ethical Considerations; Economic factors for Discovery and Disclosure and Emergence of New Vulnerability Markets. Each theme uniquely impacts the system, and ultimately the scale of vulnerability based risks. Within the research each theme within the VDDS is represented by several key variables which interact and shape the system. Specifically: Vender Sentiment; Vulnerability Removal Rate; Time to fix; Market Share; Participants within VDDS, Full and Coordinated Disclosure Ratio and Participant Activity. Each variable is quantified and explored, defining both the parameter space and progression over time. These variables are utilised within a system dynamic model to simulate differing policy strategies and assess the impact of these policies upon the VDDS. Three simulated vulnerability disclosure futures are hypothesised and are presented, characterised as depletion, steady and exponential with each scenario dependent upon the parameter space within the key variables

Pro-active visualization of cyber security on a National Level : a South African case study

The need for increased national cyber security situational awareness is evident from the growing number of published national cyber security strategies. Governments are progressively seen as responsible for cyber security, but at the same time increasingly constrained by legal, privacy and resource considerations. Infrastructure and services that form part of the national cyber domain are often not under the control of government, necessitating the need for information sharing between governments and commercial partners. While sharing of security information is necessary, it typically requires considerable time to be implemented effectively. In an effort to decrease the time and effort required for cyber security situational awareness, this study considered commercially available data sources relating to a national cyber domain. Open source information is typically used by attackers to gather information with great success. An understanding of the data provided by these sources can also afford decision makers the opportunity to set priorities more effectively. Through the use of an adapted Joint Directors of Laboratories (JDL) fusion model, an experimental system was implemented that visualized the potential that open source intelligence could have on cyber situational awareness. Datasets used in the validation of the model contained information obtained from eight different data sources over a two year period with a focus on the South African .co.za sub domain. Over a million infrastructure devices were examined in this study along with information pertaining to a potential 88 million vulnerabilities on these devices. During the examination of data sources, a severe lack of information regarding the human aspect in cyber security was identified that led to the creation of a novel Personally Identifiable Information detection sensor (PII). The resultant two million records pertaining to PII in the South African domain were incorporated into the data fusion experiment for processing. The results of this processing are discussed in the three case studies. The results offered in this study aim to highlight how data fusion and effective visualization can serve to move national cyber security from a primarily reactive undertaking to a more pro-active model

IS security networks in credit card fraud prevention.

In our increasingly connected world, maintaining the security of information systems is challenging. Today’s interconnected business environment calls for a change in how IS security is achieved to include thinking about the entire networks of relationships involved in preventing threats rather than just focusing on individual organizational security processes. Despite acknowledging the role of distributed and heterogeneous actors in achieving a secure environment, there is a lack of knowledge of how these actors actually prevent security threats. Moreover, the heterogeneity of actors involved gives rise to the issue of incentives needed to align their interests to ensure successful collective security efforts. This PhD thesis addresses these issues by zooming in on security networks, defined as collective efforts pursued by distributed actors to develop and adopt prevention measures to achieve security, to explain how these networks prevent security threats and identify the incentive mechanisms for converging the network’s heterogeneous actors. I challenge equilibrium and linearity assumptions identified in the current literature and argue for the need to adopt different theoretical and methodological approaches to uncover the dynamics in these networks. Through a historical case study of credit card fraud and how its prevention measures evolved over the last 55 years, I develop a process model of prevention encounters in security networks. The model depicts the dynamic and interactive nature of the prevention process and shows how the three proposed prevention mechanisms, namely, proposing solutions, resolving dissonance, and paving the way, interact to achieve prevention. The thesis further proposes three new forms of incentive mechanisms (transformative, preparatory, and captive) that are crucial for the survival of collective security efforts and show how they interact with the three prevention mechanisms. By this, this research complements the current security networks literature by offering a process model that explains how security networks achieve prevention. In addition, the interplay between the three incentive mechanisms reveals that incentives are not only ready-made structures or one-time event as depicted in the current literature but that they should also be seen as a socially dynamic process