31,079 research outputs found

    Economic Factors of Vulnerability Trade and Exploitation

    Cybercrime markets support the development and diffusion of new attack technologies, vulnerability exploits, and malware. Whereas the revenue streams of cyber attackers have been studied multiple times in the literature, no quantitative account currently exists on the economics of attack acquisition and deployment. Yet, this understanding is critical to characterize the production of (traded) exploits, the economy that drives it, and its effects on the overall attack scenario. In this paper we provide an empirical investigation of the economics of vulnerability exploitation, and the effects of market factors on likelihood of exploit. Our data is collected first-handedly from a prominent Russian cybercrime market where the trading of the most active attack tools reported by the security industry happens. Our findings reveal that exploits in the underground are priced similarly or above vulnerabilities in legitimate bug-hunting programs, and that the refresh cycle of exploits is slower than currently often assumed. On the other hand, cybercriminals are becoming faster at introducing selected vulnerabilities, and the market is in clear expansion both in terms of players, traded exploits, and exploit pricing. We then evaluate the effects of these market variables on likelihood of attack realization, and find strong evidence of the correlation between market activity and exploit deployment. We discuss implications on vulnerability metrics, economics, and exploit measurement.
    Comment: 17 pages, 11 figures, 14 tables

    Transforming Uncertainties into Risks and Poverty Alleviation: Lessons Learnt from the Successful Rescuing of Miners in Chile

    Abstract: The objective of this paper is to suggest how the Chilean model used to rescue the 33 miners trapped underground, can be used to accelerate the development of new means for poverty alleviation mainly in developing economies. For that, the Chilean model is described and analyzed within the framework of uncertainty and risk with emphasis on the success of all operations, under time constraints. The attained results underline that this “point in time” process can be used to extract poor individuals and households and sustain their inclusion in normal economic and social activities. But, this is conditioned on the development of further participative research-actions, innovations and monitoring processes applied to multiple small scales, well localized and targeted poverty alleviation projects.
    Keywords: Uncertainty, risks, miners, Chili, poverty alleviation

    Spatial modelling of adaptation strategies for urban built infrastructures exposed to flood hazards

    The recent 2010/2011 floods in the central and southern Queensland (Australia) prompted this research to investigate the application of geographical information system (GIS) and remote sensing in modelling the current flood risk, adaptation/coping capacity, and adaptation strategies. Identified Brisbane City as the study area, the study aimed to develop a new approach of formulating adaptation/coping strategies that will aid in addressing flood risk management issues of an urban area with intensive residential and commercial uses. Fuzzy logic was the spatial analytical tool used in the integration of flood risk components (hazard, vulnerability, and exposure) and in the generation of flood risk and adaptation capacity indices. The research shows that 875 ha, 566 ha, and 828 ha were described as areas with relatively low, relatively moderate, and relatively high risk to flooding, respectively. Identified adaptation strategies for areas classified as having relatively low (RL), relatively moderate (RM), relatively high (RH), and likely very high (LVH) adaptation/coping capacity were mitigation to recovery phases, mitigation to response phases, mitigation to preparedness phases, and mitigation phase, respectively. Integrating the results from the flood risk assessment, quantitative description of adaptation capacity, and identification of adaptation strategies, a new analytical technique identified as flood risk-adaptation capacity index-adaptation strategies (FRACIAS) linkage model was developed for this study.

    Adversarial behaviours knowledge area

    The technological advancements witnessed by our society in recent decades have brought improvements in our quality of life, but they have also created a number of opportunities for attackers to cause harm. Before the Internet revolution, most crime and malicious activity generally required a victim and a perpetrator to come into physical contact, and this limited the reach that malicious parties had. Technology has removed the need for physical contact to perform many types of crime, and now attackers can reach victims anywhere in the world, as long as they are connected to the Internet. This has revolutionised the characteristics of crime and warfare, allowing operations that would not have been possible before. In this document, we provide an overview of the malicious operations that are happening on the Internet today. We first provide a taxonomy of malicious activities based on the attacker’s motivations and capabilities, and then move on to the technological and human elements that adversaries require to run a successful operation. We then discuss a number of frameworks that have been proposed to model malicious operations. Since adversarial behaviours are not a purely technical topic, we draw from research in a number of fields (computer science, criminology, war studies). While doing this, we discuss how these frameworks can be used by researchers and practitioners to develop effective mitigations against malicious online operations.
    Published version

    Managing Risk in Agriculture under Drought Situation in Uttar Pradesh: A Case Study

    From a case study under the village level study (VLS), it has been found that in the drought agriculture year 2002-03, the farmers of Uttar Pradesh followed their best choice and own outlook for risk aversion and invariably preferred those crops and techniques which involved damage control and low investment and provided insurance against loss. The water harvesting for irrigation, intercropping, growing of low-value crops, high concentration for fodder and grain rather than grain alone, and preferential low-use of monetary inputs are some of the means commonly used by the farmers during droughts. It has been concluded that rainfall probability analyses would be a component of agricultural managing/reducing risk while large area of the Indo-Gangetic plains is falling in the state. The major weakness in generating this type of information and analysis is that it provides no specific information about the upcoming season with which the farmer must deal. Some suggestions have been given to mitigate risk in agriculture. Need has been pointed out for preparing a drought vulnerability index for different districts. It has been realized that the IMD’s monsoon forecast methodology needs some serious re-thinking. The intensive climate information/farmer interface, intensification of watershed programme, tighter agriculture risk management, and sustained crop diversification will have to be considered. It has been suggested that the preparedness measures can be taken by two different agencies: the assisting agency, and the drought-prone areas themselves. Drawing on field information assembled from drought relief performance, state government may develop a way of drawing inference from experience. A particular activity in drought situation should be analyzed and assessed by degree of success, with the region given for the results. These judgments may be recorded and filed in a retrieval system called ‘lessons learnt’, which could be used as a useful reference source in deciding such question as what quantities are required to care for a particular number of people under a particular kind of environment or situation. The contingency plan for drinking water, irrigation water, food security, cropping system, drought warning system and research on drought-resistant varieties of crops may be updated.
    Keywords: Agricultural and Food Policy,

    Towards Realistic Threat Modeling: Attack Commodification, Irrelevant Vulnerabilities, and Unrealistic Assumptions

    Current threat models typically consider all possible ways an attacker can penetrate a system and assign probabilities to each path according to some metric (e.g. time-to-compromise). In this paper we discuss how this view hinders the realness of both technical (e.g. attack graphs) and strategic (e.g. game theory) approaches of current threat modeling, and propose to steer away by looking more carefully at attack characteristics and attacker environment. We use a toy threat model for ICS attacks to show how a realistic view of attack instances can emerge from a simple analysis of attack phases and attacker limitations.
    Comment: Proceedings of the 2017 Workshop on Automated Decision Making for Active Cyber Defense

    My Software has a Vulnerability, should I worry?

    (U.S.) Rule-based policies to mitigate software risk suggest to use the CVSS score to measure the individual vulnerability risk and act accordingly: a HIGH CVSS score according to the NVD (National (U.S.) Vulnerability Database) is therefore translated into a "Yes". A key issue is whether such a rule is economically sensible, in particular if reported vulnerabilities have been actually exploited in the wild, and whether the risk scores do actually match the risk of actual exploitation. We compare the NVD dataset with two additional datasets, the EDB for the white market of vulnerabilities (such as those present in Metasploit), and the EKITS for the exploits traded in the black market. We benchmark them against Symantec's threat explorer dataset (SYM) of actual exploits in the wild. We analyze the whole spectrum of CVSS submetrics and use these characteristics to perform a case-controlled analysis of CVSS scores (similar to those used to link lung cancer and smoking) to test its reliability as a risk factor for actual exploitation. We conclude that (a) fixing just because of a high CVSS score in NVD only yields negligible risk reduction, (b) the additional existence of proof-of-concept exploits (e.g. in EDB) may yield some additional but not large risk reduction, (c) fixing in response to presence in black markets yields the equivalent risk reduction of wearing a safety belt in cars (you might also die but still..). On the negative side, our study shows that as an industry we miss a metric with high specificity (ruling out vulns for which we shouldn't worry). In order to address the feedback from BlackHat 2013's audience, the final revision (V3) provides additional data in Appendix A detailing how the control variables in the study affect the results.
    Comment: 12 pages, 4 figures

    Comparative study of the scientific publication of UPC and the Escola de Camins vs. other international universities (2009-2018)

    The report focuses on scientific publication specialised in the subject area specific to the Escola de Camins: civil engineering. Bibliometric indicators for UPC and the Escola de Camins are compared with those of other international universities with notable research activity in the field of civil engineering.
    Postprint (published version)