54 research outputs found
Smart cards: State-of-the-art to future directions
The evolution of smart card technology provides an interesting case study of the relationship and interactions between security and business requirements. This paper maps out the milestones for smart card technology, discussing at each step the opportunities and challenges. The paper reviews recently proposed innovative ownership/management models and the security challenges associated with them. The paper concludes with a discussion of possible future directions for the technology, and the challenges these present
Coordination in Network Security Games: a Monotone Comparative Statics Approach
Malicious softwares or malwares for short have become a major security
threat. While originating in criminal behavior, their impact are also
influenced by the decisions of legitimate end users. Getting agents in the
Internet, and in networks in general, to invest in and deploy security features
and protocols is a challenge, in particular because of economic reasons arising
from the presence of network externalities.
In this paper, we focus on the question of incentive alignment for agents of
a large network towards a better security. We start with an economic model for
a single agent, that determines the optimal amount to invest in protection. The
model takes into account the vulnerability of the agent to a security breach
and the potential loss if a security breach occurs. We derive conditions on the
quality of the protection to ensure that the optimal amount spent on security
is an increasing function of the agent's vulnerability and potential loss. We
also show that for a large class of risks, only a small fraction of the
expected loss should be invested.
Building on these results, we study a network of interconnected agents
subject to epidemic risks. We derive conditions to ensure that the incentives
of all agents are aligned towards a better security. When agents are strategic,
we show that security investments are always socially inefficient due to the
network externalities. Moreover alignment of incentives typically implies a
coordination problem, leading to an equilibrium with a very high price of
anarchy.Comment: 10 pages, to appear in IEEE JSA
Analysis of the NIST database towards the composition of vulnerabilities in attack scenarios
The composition of vulnerabilities in attack scenarios has been traditionally performed based on detailed pre- and post-conditions. Although very precise, this approach is dependent on human analysis, is time consuming, and not at all scalable. We investigate the NIST National Vulnerability Database (NVD) with three goals: (i) understand the associations among vulnerability attributes related to impact, exploitability, privilege, type of vulnerability and clues derived from plaintext descriptions, (ii) validate our initial composition model which is based on required access and resulting effect, and (iii) investigate the maturity of XML database technology for performing statistical analyses like this directly on the XML data. In this report, we analyse 27,273 vulnerability entries (CVE 1) from the NVD. Using only nominal information, we are able to e.g. identify clusters in the class of vulnerabilities with no privilege which represent 52% of the entries
Pricing and Investments in Internet Security: A Cyber-Insurance Perspective
Internet users such as individuals and organizations are subject to different
types of epidemic risks such as worms, viruses, spams, and botnets. To reduce
the probability of risk, an Internet user generally invests in traditional
security mechanisms like anti-virus and anti-spam software, sometimes also
known as self-defense mechanisms. However, such software does not completely
eliminate risk. Recent works have considered the problem of residual risk
elimination by proposing the idea of cyber-insurance. In this regard, an
important research problem is the analysis of optimal user self-defense
investments and cyber-insurance contracts under the Internet environment. In
this paper, we investigate two problems and their relationship: 1) analyzing
optimal self-defense investments in the Internet, under optimal cyber-insurance
coverage, where optimality is an insurer objective and 2) designing optimal
cyber-insurance contracts for Internet users, where a contract is a (premium,
coverage) pair
Economic Factors of Vulnerability Trade and Exploitation
Cybercrime markets support the development and diffusion of new attack
technologies, vulnerability exploits, and malware. Whereas the revenue streams
of cyber attackers have been studied multiple times in the literature, no
quantitative account currently exists on the economics of attack acquisition
and deployment. Yet, this understanding is critical to characterize the
production of (traded) exploits, the economy that drives it, and its effects on
the overall attack scenario. In this paper we provide an empirical
investigation of the economics of vulnerability exploitation, and the effects
of market factors on likelihood of exploit. Our data is collected
first-handedly from a prominent Russian cybercrime market where the trading of
the most active attack tools reported by the security industry happens. Our
findings reveal that exploits in the underground are priced similarly or above
vulnerabilities in legitimate bug-hunting programs, and that the refresh cycle
of exploits is slower than currently often assumed. On the other hand,
cybercriminals are becoming faster at introducing selected vulnerabilities, and
the market is in clear expansion both in terms of players, traded exploits, and
exploit pricing. We then evaluate the effects of these market variables on
likelihood of attack realization, and find strong evidence of the correlation
between market activity and exploit deployment. We discuss implications on
vulnerability metrics, economics, and exploit measurement.Comment: 17 pages, 11 figures, 14 table
- âŠ