7 research outputs found
The Computer Misuse Act 1990 to support vulnerability research? Proposal for a defence for hacking as a strategy in the fight against cybercrime.
Despite the recent push towards security by design, most software and hardware on the market still include numerous vulnerabilities, i.e. flaws or weaknesses whose discovery and exploitation by criminal hackers compromise the security of network and information systems, affecting millions of users, as acknowledged by the 2016 UK Government in its Cybersecurity Strategy.
Conversely, when security researchers find and timely disclose vulnerabilities to vendors who supply the IT products or who provide a service dependent on the IT products, they increase the opportunities for vendors to remove the vulnerabilities and close the security gap. They thus significantly contribute to the fight against cybercrime and, more widely, to the management of the digital security risk.
However, in 2015, the European Network and Information Security Agency concluded that the threat of prosecution under EU and US computer misuse legislation ‘can have a chilling effect’, with security researchers ‘discentivise[d]’ to find vulnerabilities.
Taking stock of these significant, but substantially understudied, criminal law challenges that these security researchers face in the UK when working independently, without the vendors’ prior authorisation, this paper proposes a new defence to the offences under the Computer Misuse Act, an innovative solution to be built in light of both the scientific literature on vulnerability research and the exemption proposals envisaged prior to the Computer Misuse Act 1990. This paper argues that a defence would allow security researchers, if prosecuted, to demonstrate that contrary to criminal hackers, they acted in the public interest and proportionally
Evaluation of the most preferred operating systems on computers in terms of vulnerabilities
Because they are among the most fundamental programs running on a computer, operating systems are known to provide the security infrastructure for the other programs and services that run on it. Unless precautions are taken against vulnerabilities in the operating system, the system becomes open to exploitation, which paves the way for attackers to achieve their goals. Hence, remediation of vulnerabilities in the operating system is considered extremely significant. In this study, a new database was created by querying the National Vulnerability Database of the US and the CVEDETAILS database for vulnerabilities existing in the most widely used operating systems on desktop and laptop computers. For these vulnerabilities, the scores assigned under the CVSS scoring system created by FIRST were examined; the identified vulnerabilities were then re-scored, and in light of the results the security of the operating systems was analysed with quantitative methods. The fundamentals of vulnerabilities, one of the most important elements of cyber security, and their role in the exploitation of computers were explained. Recent cyber security incidents caused by vulnerabilities were also examined, and information about the vulnerabilities that enabled the attacks in these events was collected. Consequently, considering the vulnerabilities they host, the study aims to assess the availability of the operating systems in terms of security.
The global vulnerability discovery and disclosure system: a thematic system dynamics approach
Vulnerabilities within software are the fundamental issue that provides both the means and the opportunity for malicious threat actors to compromise critical IT systems (Younis et al., 2016). Consequently, the reduction of vulnerabilities within software should be of paramount importance; however, it is argued that software development practitioners have historically failed to reduce the risks associated with software vulnerabilities. This failure is illustrated by the growth of software vulnerabilities over the past 20 years. This increase, which is both unprecedented and unwelcome, has led to an acknowledgement that novel and radical approaches are needed both to understand the vulnerability discovery and disclosure system (VDDS) and to mitigate the risks associated with software vulnerabilities (Bradbury, 2015; Marconato et al., 2012).
The findings from this research show that whilst technological mitigations are vital, the social and economic features of the VDDS are of critical importance. For example, hitherto unknown systemic themes identified by this research are key and include: Perception of Punishment; Vendor Interactions; Disclosure Stance; Ethical Considerations; Economic Factors for Discovery and Disclosure; and Emergence of New Vulnerability Markets. Each theme uniquely impacts the system and, ultimately, the scale of vulnerability-based risks. Within the research, each theme within the VDDS is represented by several key variables which interact and shape the system. Specifically: Vendor Sentiment; Vulnerability Removal Rate; Time to Fix; Market Share; Participants within VDDS; Full and Coordinated Disclosure Ratio; and Participant Activity. Each variable is quantified and explored, defining both the parameter space and progression over time. These variables are utilised within a system dynamics model to simulate differing policy strategies and assess the impact of these policies upon the VDDS. Three simulated vulnerability disclosure futures are hypothesised and presented, characterised as depletion, steady and exponential, with each scenario dependent upon the parameter space within the key variables
The entangled cyberspace: an integrated approach for predicting cyber-attacks
This thesis was submitted for the award of Doctor of Philosophy and was awarded by Brunel University London.
Significant studies in cyber defence analysis have predominantly revolved around a single linear analysis of information from a single source of evidence (The Network). These studies were limited in their ability to understand the dynamics of entanglements related to cyber-incidents. This research integrates evidence beyond the network in an attempt to understand and predict phases of the kill-chain across the information space.
This research provides a multi-dimensional phased analysis of the traditional kill-chain model using structural vector autoregressive models. In the ‘Entangled Cyberspace Framework’, each phase of the kill-chain corresponds to a single dimension of the information space based on time observations of certain events. Events are represented as time signals, where each phase is characterised by multiple time signals representing multiple events on that phase. Multiple time signals are analysed using structural models for multiple time series analysis (Vector Auto-Regressive models). At each phase of the kill-chain, we perform a lagged co-integration analysis of events across the information space. This nature of analysis detects hidden entanglements that characterise events in the kill-chain beyond the network. The measured prediction accuracy and error measured at each stage of the experiment represents the usefulness of selected events in characterising the defined stage of the kill-chain.
The entangled cyberspace, in theory, is the fusion of three conceptual foundations: a) A multi-dimensional characterisation of cyberspace, b) A sequential phased model for perpetrating cyber-attacks and c) A structural model for integrating and simultaneously analysing multiple sources of evidence. It starts with the characterisation of the information space into different dimensions of interest. The framework goes further to identify evidence sources across these characterised dimensions and integrates them in the analytical context under consideration (e.g. Malware Injection).
The concrete findings show that our approach and analytical methodology are capable of detecting entanglements when applied to a set of entangled activities across the information space. The findings also prove that activities beyond the network have significant effects on the nature of the unfolding cyber-attack vector. The predictive features of events across the kill-chain were also presented in this research as opinion and emotion drivers on the social dimension, packet data details and social and cultural events on the economic layer. Finally, co-integration detected between events across and within dimensions of the information space proves the existence of both inter-dimensional and intra-dimensional entanglements that affect the nature of events unfolding during the kill-chain (from the adversary’s point of view).
The novelty of this research rests in the ability to hop across the information space for detecting evidential clues of activities that are related to cyber-incidents. This research also expands the standard multi-dimensional information space to include SPEC factors as indicators of cyber-incidents. This research improves the current information security management model, specifically in the monitoring, analysis and detection phases. This research provides a methodology that accommodates a robust evidence base for understanding the attack surface. Practically, this research provides a basis for creating applications and tools for protecting critical national infrastructure by integrating data from social platforms, real-world political, cultural and economic events and the cyber-physical
Security-related vulnerability life cycle analysis
This paper deals with the characterization of security-related vulnerabilities based on public data reported in the Open Source Vulnerability Database. We focus on the analysis of vulnerability life cycle events corresponding to the vulnerability discovery, the vulnerability disclosure, the patch release, and the exploit availability. We study the distribution of the time between these events considering different operating systems (Windows, Unix, Mobile OS), and different attributes such as the vulnerability impact on confidentiality, integrity or availability, the access vector reflecting how the vulnerability is exploited, and the complexity of the exploit. The results obtained highlight some interesting trends and behaviours, concerning, e.g. the time between the disclosure of a vulnerability and the availability of a patch or of the exploit, that are sometimes specific to the considered operating system or the vulnerability attributes. The results are also aimed at providing useful inputs to security risk assessment and modelling studies