15 research outputs found

    Measuring the attack surfaces of two FTP daemons

    Software consumers often need to choose between different software that provide the same functionality. Today, security is a quality that many consumers, especially system administrators, care about and will use in choosing one software system over another. An attack surface metric is a security metric for comparing the relative security of similar software systems [8]. The measure of a system’s attack surface is an indicator of the system’s security: given two systems, we compare their attack surface measurements to decide whether one is more secure than another along each of the following three dimensions: methods, channels, and data. In this paper, we use the attack surface metric to measure the attack surfaces of two open source FTP daemons: ProFTPD 1.2.10 and Wu-FTPD 2.6.2. Our measurements show that ProFTPD is more secure along the method dimension, ProFTPD is as secure as Wu-FTPD along the channel dimension, and Wu-FTPD is more secure along the data dimension. We also demonstrate how software consumers can use the attack surface metric in making a choice between the two FTP daemons.

    An n-sided polygonal model to calculate the impact of cyber security events

    This paper presents a model to represent graphically the impact of cyber events (e.g., attacks, countermeasures) in a polygonal system of n sides. The approach considers information about all entities composing an information system (e.g., users, IP addresses, communication protocols, physical and logical resources, etc.). Every axis is composed of entities that contribute to the execution of the security event. Each entity has an associated weighting factor that measures its contribution using a multi-criteria methodology named CARVER. The graphical representation of cyber events is depicted as straight lines (one dimension) or polygons (two or more dimensions). Geometrical operations are used to compute the size (i.e., length, perimeter, surface area) and thus the impact of each event. As a result, it is possible to identify and compare the magnitude of cyber events. A case study with multiple security events is presented as an illustration on how the model is built and computed. Comment: 16 pages, 5 figures, 2 tables, 11th International Conference on Risks and Security of Internet and Systems, (CRiSIS 2016), Roscoff, France, September 201

    Reducing Attack Surface of a Web Application by Open Web Application Security Project Compliance

    The attack surface of a system is the amount of application area that is exposed to the adversaries. The overall vulnerability can be reduced by reducing the attack surface of a web application. In this paper, we have considered the web components of two versions of an in-house developed project management web application and the attack surface has been calculated prior and post open web application security project (OWASP) compliance based on a security audit to determine and then compare the security of this Project Management Application. OWASP is an open community to provide free tools and guidelines for application security. It was observed that the attack surface of the software reduced by 45 per cent once it was made OWASP compliant. The vulnerable surface exposed by the code even after OWASP compliance was due to the mandatory access points left in the software to ensure accessibility over a network. Defence Science Journal, 2012, 62(5), pp.324-330, DOI:http://dx.doi.org/10.14429/dsj.62.129

    A Survey of Metrics Employed to Assess Software Security

    Measuring and assessing software security is a critical concern as it is undesirable to develop risky and insecure software. Various measurement approaches and metrics have been defined to assess software security. For researchers and software developers, it is significant to have different metrics and measurement models at one place either to evaluate the existing measurement approaches, to compare between two or more metrics or to be able to find the proper metric to measure the software security at a specific software development phase. There is no existing survey of software security metrics that covers metrics available at all the software development phases. In this paper, we present a survey of metrics used to assess and measure software security, and we categorized them based on software development phases. Our findings reveal a critical lack of automated tools, and the necessity to possess detailed knowledge or experience of the measured software as the major hindrances in the use of existing software security metrics

    Searching for a Needle in a Haystack: Predicting Security Vulnerabilities for Windows Vista


    An Attack Graph-Based Probabilistic Security Metric

    Abstract. To protect critical resources in today’s networked environments, it is desirable to quantify the likelihood of potential multi-step attacks that combine multiple vulnerabilities. This now becomes feasible due to a model of causal relationships between vulnerabilities, namely, attack graph. This paper proposes an attack graph-based probabilistic metric for network security and studies its efficient computation. We first define the basic metric and provide an intuitive and meaningful interpretation to the metric. We then study the definition in more complex attack graphs with cycles and extend the definition accordingly. We show that computing the metric directly from its definition is not efficient in many cases and propose heuristics to improve the efficiency of such computation.

    DrAGON: A Framework for Computing Preferred Defense Policies from Logical Attack Graphs

    Attack graphs provide formalism for modelling the vulnerabilities using a compact representation scheme. Two of the most popular attack graph representations are scenario attack graphs, and logical attack graphs. In logical attack graphs, the host machines present in the network are represented as exploit nodes, while the configurations (IDS rules, firewall policies etc.) running on them are represented as fact nodes. The actual user privileges that are possible on each of these hosts are represented as privilege nodes. Existing work provides methods to analyze logical attack graphs and compute attack paths of varying costs. In this thesis we develop a framework for analyzing the attack graph from a defender perspective. Given an acyclic logical dependency attack graph we compute defense policies that cover all known exploits that can be used by the attacker and also are preferred with respect to minimizing the impacts. In contrast to previous work on analysis of logical attack graphs where quantitative costs are assigned to the vulnerabilities (exploits), our framework allows attack graph analysis using descriptions of vulnerabilities on a qualitative scale. We develop two algorithms for computing preferred defense policies that are optimal with respect to defender preferences. Our research to the best of our knowledge is the first fully qualitative approach to analyzing these logical attack graphs and formulating defense policies based on the preferences and priorities of the defender. We provide a prototype implementation of our framework that allows logical attack graphs to be input using a simple text file (custom language), or using a GUI tool in graphical markup language (GML) format. Our implementation uses the NVD (National Vulnerability Database) as the source of CVSS impact metrics for vulnerabilities in the attack graph. Our framework generates a preferred order of defense policies using an existing preference reasoner. 
    Preliminary experiments on various attack graphs show the correctness and efficiency of our approach.

    Attack graph compression

    Attack graph has emerged as a useful tool for defending against multi-step network attacks involving correlated vulnerabilities. However, most current representations of attack graphs are not scalable [35]. Even the attack graph of a reasonably large network is usually incomprehensible to the human eyes. For realistic networks with tens of thousands of hosts and hundreds of vulnerabilities, even computing the attack graph may become infeasible. On the other hand, an attack graph of a real-world network usually has much redundancy due to the presence of hosts with similar configurations, such as those in an office or computer lab. To our best knowledge, existing work can at best hide such scalability issues through visualization techniques but cannot remove the redundant information, which does not comprise real solutions. This thesis presents a scalable representation of attack graphs for removing such redundancy. The representation is based on a well known compression technique, namely, reference encoding. More precisely, we use one host as the reference to other hosts with similar vulnerabilities and connectivity; details of the latter can then be omitted in the resultant attack graph. We introduce our compression model step by step. We start with a simple case where hosts have identical connectivity and vulnerabilities. We show that a one-host model can be used in some cases but it has limitations in representing remote exploits across different machines. We then introduce a two-node model to address the limitation and show that the one-host model is actually a special case of the two-node model. Next, we study the more realistic case where hosts may have different connectivity and vulnerabilities. We show that in some cases small differences are better hidden in textual rules while in other cases the differences are better handled by leaving the involved hosts outside the compression model.
    To evaluate the proposed compression model, we will describe a case study on a small network. We will also show experimental results based on random network topologies generated by existing tools. Both results confirm that our model can significantly reduce the complexity of attack graphs.

    Measuring network security using Bayesian Network-based attack graphs

    Given the increasing dependence of our societies on networked information systems, the overall security of such systems should be measured and improved. Recent research has explored the application of attack graphs and probabilistic security metrics to address this challenge. However, such work usually shares several limitations. First, individual vulnerabilities' scores are usually assumed to be independent. This assumption will not hold in many realistic cases where exploiting a vulnerability may change the score of other vulnerabilities. Second, the evolving nature of vulnerabilities and networks has generally been ignored. The scores of individual vulnerabilities are constantly changing due to released patches and exploits, which should be taken into account in measuring network security. To address these limitations, this thesis first proposes a Bayesian Network-based attack graph model for combining scores of individual vulnerabilities into a global measurement of network security. The application of Bayesian Networks allows us to handle dependency between scores and provides a sound theoretical foundation to network security metrics. We then extend the model using Dynamic Bayesian Networks in order to reason about the patterns and trends in changing scores of vulnerabilities. Finally, we implement and evaluate the proposed models through simulation studies