DOCSLIB.ORG

BUGS in the SYSTEM a Primer on the Software Vulnerability Ecosystem and Its Policy Implications

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

ANDI WILSON, ROSS SCHULMAN, KEVIN BANKSTON, AND TREY HERR BUGS IN THE SYSTEM A Primer on the Software Vulnerability Ecosystem and its Policy Implications JULY 2016 About the Authors About New America New America is committed to renewing American politics, Andi Wilson is a policy analyst at New America’s Open prosperity, and purpose in the Digital Age. We generate big Technology Institute, where she researches and writes ideas, bridge the gap between technology and policy, and about the relationship between technology and policy. curate broad public conversation. We combine the best of With a specific focus on cybersecurity, Andi is currently a policy research institute, technology laboratory, public working on issues including encryption, vulnerabilities forum, media platform, and a venture capital fund for equities, surveillance, and internet freedom. ideas. We are a distinctive community of thinkers, writers, researchers, technologists, and community activists who Ross Schulman is a co-director of the Cybersecurity believe deeply in the possibility of American renewal. Initiative and senior policy counsel at New America’s Open Find out more at newamerica.org/our-story. Technology Institute, where he focuses on cybersecurity, encryption, surveillance, and Internet governance. Prior to joining OTI, Ross worked for Google in Mountain About the Cybersecurity Initiative View, California. Ross has also worked at the Computer The Internet has connected us. Yet the policies and and Communications Industry Association, the Center debates that surround the security of our networks are for Democracy and Technology, and on Capitol Hill for too often disconnected, disjointed, and stuck in an Senators Wyden and Feingold. unsuccessful status quo. This is what New America’s Cybersecurity Initiative is designed to address. Working across our International Security program and the Open Kevin Bankston is the Director of New America’s Open Technology Institute, we believe that it takes a wider Technology Institute, where he works in the public interest network to face the multitude of diverse security issues. to promote policy and regulatory reforms to strengthen We engage across organizations, issue areas, professional communities by supporting open communications fields, and business sectors. And through events, writing networks, platforms, and technologies. He previously and research, our aim is to help improve cybersecurity in served as OTI’s Policy Director. ways that work—for the countries, for companies and for individuals. is a fellow with the Belfer Center's Cyber Security Trey Herr Our work is made possible through the generous support Project at the Harvard Kennedy School. He focuses of the William and Flora Hewlett Foundation, the Arizona on trends in state developed malicious software, the State University, Microsoft Corporation, Symantec Inc., The structure of criminal markets for malware components, Home Depot, Endgame Inc., and Facebook. and the proliferation of malware. Trey is also a non- resident fellow with New America’s Cybersecurity Initiative. About the Open Technology Institute Acknowledgments The Open Technology Institute (OTI) works at the intersection of technology and policy to ensure that every The authors would like to thank Chris Riley, Joe Hall, Katie community has equitable access to digital technology Moussouris and our other external reviewers for their and its benefits. We promote universal access to input and comments on an earlier version of this paper. communications technologies that are both open and This paper does not necessarily reflect their views. We secure, using a multidisciplinary approach that brings would also like to thank Donna Wentworth for her many together advocates, researchers, organizers, and valuable contributions to the paper. As well, we appreciate innovators. the extensive help of New America’s staff and fellows, especially Ian Wallace, Jordan McCarthy, Liz Woolery, Robert Morgus, and Robyn Greene. Contents Executive Summary 2 Introduction 4 What Are Vulnerabilities? 5 Who Discovers Vulnerabilities? 7 What Are Exploits and How Are They Used? 9 How Are Vulnerabilities Disclosed So They Can Be Patched? 10 How Are Vulnerabilities Patched (or Not)? 12 Which Laws Discourage Security Research and Vulnerability Disclosure? 13 What is the Vulnerabilities Market? 15 Why Governments Do (or Don't) Disclose the Vulnerabilities They Find or Buy 19 Conclusion: What Policies Will Foster the Discovery, Disclosure, and Patching of 20 Vulnerabilities? Notes 25 EXECUTIVE SUMMARY In recent years, a seemingly endless string of fix or exploit them. These bug-hunters range from massive data breaches in both the private and independent researchers, to small academic teams public sectors have been front-page news. Whether or security firms, to large tech companies working the target is a company like Sony or a government to improve their products, or even governments— agency like OPM, such breaches are very often made including our own government, and other much less possible by a software vulnerability—a “bug” in the rights-respecting states—seeking to use these flaws system—that was unknown or left unaddressed by for law enforcement or intelligence investigations. the target or its software vendor. After finding a vulnerability, the discoverer has three basic options: not disclosing the vulnerability The existence of such vulnerabilities—or “vulns” to the public or the software vendor; fully disclosing for short—is unavoidable. Software is complex and the vuln to the public, which in some cases may humans are fallible, so vulnerabilities are bound be the best way to get it patched but in others to occur. Much of cybersecurity can be reduced to may leave users of the software dangerously a constant race between the software developers exposed; and partial or “responsible” disclosure and security experts trying to discover and patch to the vendor so that they can fix the bug before it vulnerabilities, and the attackers seeking to uncover becomes public. Partial disclosure is often preferred and exploit those vulnerabilities. The question for because it can sometimes take months for a vendor policymakers is, what can they do to help speed the to fix their product, and even longer for all the discovery and patching of vulnerabilities so that affected users to update their software to patch the our computer systems—and therefore our economic security hole. stability, our national security, and consumers’ privacy—are safer? This paper is intended to Confusing the issue of disclosure is the fact that be a primer on the vulnerability ecosystem for there is a range of laws—such as the Computer policymakers and advocates seeking to answer that Fraud and Abuse Act, the Digital Millennium question, describing what vulns are, who discovers Copyright Act, and the Electronic Communications them, who buys them, how and when they do (or Privacy Act—that by their broad and vague terms don’t) get patched, and why. arguably criminalize and create civil penalties for actions that security researchers routinely engage There is a wide range of actors seeking to discover in while conducting legitimate security research. security flaws in software, whether to fix them, Unless reformed, these laws will continue to chill exploit them, or sell them to someone else who will researchers’ disclosure of critical vulnerabilities, for 2 OPEN TECHNOLOGY INSTITUTE fear that they will be sued or even thrown in jail. use of them for a variety of purposes, from law enforcement to foreign intelligence surveillance, Another disincentive to researchers’ disclosure and the longer they are secret and unpatched, the of vulnerabilities so that they can be patched is longer they are useful. Governments have to weigh the existence of open markets for vulnerabilities, the security value of disclosure versus the benefit of where researchers can often get top dollar from stockpiling and using vulnerabilities for their own criminal networks or governments seeking to purposes. exploit those vulnerabilities, or from intermediary agents who buy from researchers and then resell to In conclusion, we offer five initial policy criminals and states. Companies have responded by recommendations to ensure that more creating innovative vulnerability reward programs vulnerabilities are discovered and patched sooner: (VRPs), including “bug bounty” programs where (1) The U.S. government should minimize its they pay rewards for bugs that are submitted. participation in the vulnerability market, since it Some of these programs also seek to reduce the is the largest buyer in a market that discourages legal chill on researchers by promising not to sue researchers from disclosing vulns to be patched; those who submit through these programs. It is (2) The U.S. government should establish strong, sometimes difficult for these programs to compete clear procedures for government disclosure of the with the much more lucrative open market, but vulnerabilities it buys or discovers, with a heavy they give researchers who want to help improve presumption toward disclosure; (3) Congress should cybersecurity—and perhaps get a little cash or establish clear rules of the road for government recognition for their discovery—a legitimate avenue hacking in order to better protect cybersecurity and to pursue. civil liberties; (4) Government and industry should support bug bounty programs as an alternative to Researchers often have a range of incentives to the vulnerabilities market and
Recommended publications
  • BUGS in the SYSTEM a Primer on the Software Vulnerability Ecosystem and Its Policy Implications

    BUGS in the SYSTEM a Primer on the Software Vulnerability Ecosystem and Its Policy Implications

    ANDI WILSON, ROSS SCHULMAN, KEVIN BANKSTON, AND TREY HERR BUGS IN THE SYSTEM A Primer on the Software Vulnerability Ecosystem and its Policy Implications JULY 2016 About the Authors About New America New America is committed to renewing American politics, Andi Wilson is a policy analyst at New America’s Open prosperity, and purpose in the Digital Age. We generate big Technology Institute, where she researches and writes ideas, bridge the gap between technology and policy, and about the relationship between technology and policy. curate broad public conversation. We combine the best of With a specific focus on cybersecurity, Andi is currently a policy research institute, technology laboratory, public working on issues including encryption, vulnerabilities forum, media platform, and a venture capital fund for equities, surveillance, and internet freedom. ideas. We are a distinctive community of thinkers, writers, researchers, technologists, and community activists who Ross Schulman is a co-director of the Cybersecurity believe deeply in the possibility of American renewal. Initiative and senior policy counsel at New America’s Open Find out more at newamerica.org/our-story. Technology Institute, where he focuses on cybersecurity, encryption, surveillance, and Internet governance. Prior to joining OTI, Ross worked for Google in Mountain About the Cybersecurity Initiative View, California. Ross has also worked at the Computer The Internet has connected us. Yet the policies and and Communications Industry Association, the Center debates that surround the security of our networks are for Democracy and Technology, and on Capitol Hill for too often disconnected, disjointed, and stuck in an Senators Wyden and Feingold. unsuccessful status quo.
  • The Million Dollar Dissident: NSO Group's Iphone Zero-Days Used Against a UAE Human Rights Defender

    The Million Dollar Dissident: NSO Group's Iphone Zero-Days Used Against a UAE Human Rights Defender

    Research Teaching News Lab Projects GLA2010 In the News About Publications Newsletter People Archives Events Opportunities Contact The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender August 24, 2016 Categories: Bill Marczak, John Scott-Railton, Reports and Briefings Authors: Bill Marczak and John Scott-Railton, Senior Researchers at the Citizen Lab, with the assistance of the research team at Lookout Security. Media coverage: The New York Times, Motherboard, Gizmodo, Wired, Washington Post, ZDNet. This report describes how a government targeted an internationally recognized human rights defender, Ahmed Mansoor, with the Trident, a chain of zero-day exploits designed to infect his iPhone with sophisticated commercial spyware. 1. Executive Summary Ahmed Mansoor is an internationally recognized human rights defender, based in the United Arab Emirates (UAE), and recipient of the Martin Ennals Award (sometimes referred to as a “Nobel Prize for human rights”). On August 10 and 11, 2016, Mansoor received SMS text messages on his iPhone promising “new secrets” about detainees tortured in UAE jails if he clicked on an included link. Instead of clicking, Mansoor sent the messages to Citizen Lab researchers. We recognized the links as belonging to an exploit infrastructure connected to NSO Group, an Israel-based “cyber war” company that sells Pegasus, a government- exclusive “lawful intercept” spyware product. NSO Group is reportedly owned by an American venture capital firm, Francisco Partners Management. The ensuing investigation, a collaboration between researchers from Citizen Lab and from Lookout Security, determined that the links led to a chain of zero-day exploits (“zero-days”) that would have remotely jailbroken Mansoor’s stock iPhone 6 and installed sophisticated spyware.
  • Databreaches in Healthcare the Attractiveness of Leaked Healthcare Data for Cybercriminals 2 Whitepaper: Databreaches in Healthcare

    Databreaches in Healthcare the Attractiveness of Leaked Healthcare Data for Cybercriminals 2 Whitepaper: Databreaches in Healthcare

    Databreaches in Healthcare The attractiveness of leaked healthcare data for cybercriminals 2 Whitepaper: Databreaches in healthcare Table of Contents Introduction.................................................................................................. 5 An international problem ............................................................................................................................ 6 The risk of digitization ................................................................................................................................ 6 The medical IoT ............................................................................................................................................ 7 Overview of the attack vector: What has Healthcare suffered in the past? ............................................ 8 What are the most common causes of health data compromise? ................................................................... 10 Hacking/IT incidents ................................................................................................................................. 10 Social Engineering......................................................................................................................................11 Examples ......................................................................................................................................................11 Why is the healthcare vertical such an attractive target?.......................................................................
  • Software Assurance

    Software Assurance

    Information Assurance State-of-the-Art Report Technology Analysis Center (IATAC) SOAR (SOAR) July 31, 2007 Data and Analysis Center for Software (DACS) Joint endeavor by IATAC with DACS Software Security Assurance Distribution Statement A E X C E E C L I L V E R N E Approved for public release; C S E I N N I IO DoD Data & Analysis Center for Software NF OR MAT distribution is unlimited. Information Assurance Technology Analysis Center (IATAC) Data and Analysis Center for Software (DACS) Joint endeavor by IATAC with DACS Software Security Assurance State-of-the-Art Report (SOAR) July 31, 2007 IATAC Authors: Karen Mercedes Goertzel Theodore Winograd Holly Lynne McKinley Lyndon Oh Michael Colon DACS Authors: Thomas McGibbon Elaine Fedchak Robert Vienneau Coordinating Editor: Karen Mercedes Goertzel Copy Editors: Margo Goldman Linda Billard Carolyn Quinn Creative Directors: Christina P. McNemar K. Ahnie Jenkins Art Director, Cover, and Book Design: Don Rowe Production: Brad Whitford Illustrations: Dustin Hurt Brad Whitford About the Authors Karen Mercedes Goertzel Information Assurance Technology Analysis Center (IATAC) Karen Mercedes Goertzel is a subject matter expert in software security assurance and information assurance, particularly multilevel secure systems and cross-domain information sharing. She supports the Department of Homeland Security Software Assurance Program and the National Security Agency’s Center for Assured Software, and was lead technologist for 3 years on the Defense Information Systems Agency (DISA) Application Security Program. Ms. Goertzel is currently lead author of a report on the state-of-the-art in software security assurance, and has also led in the creation of state-of-the-art reports for the Department of Defense (DoD) on information assurance and computer network defense technologies and research.
  • Reforming Vulnerability Disclosure Programs in the Private Sector

    Reforming Vulnerability Disclosure Programs in the Private Sector

    Debugging the System: Reforming Vulnerability Disclosure Programs in the Private Sector Jasmine Arooni* TABLE OF CONTENTS I. INTRODUCTION ..................................................................................... 445 II. VULNERABILITY DISCLOSURE PROGRAMS IN PRACTICE: HOW DO THEY WORK? .............................................................................................. 448 III. THE CURRENT LEGAL LANDSCAPE: LEGAL RISKS FACED BY VDP SECURITY RESEARCHERS .................................................................. 450 A. The Computer Fraud and Abuse Act and Its Impact on Security Research ..................................................................................... 451 B. The DMCA and Its Impact on Security Research ....................... 453 C. Safe Harbor Language: A Superficial Fix, Not a Complete Solution ....................................................................................... 454 IV. THE DOJ’S DISCRETIONARY GUIDANCE FOR PRIVATE VDPS ............. 455 V. THE U.S. GOVERNMENT’S INFLUENTIAL ROLE IN VDP GOVERNANCE .................................................................................................... 456 A. The U.S. Government as a “Crowdsourcer”: Validating the Importance of Public Engagement to Cybersecurity ................. 457 B. The U.S. Government as a “Rule Maker”: The DHS’ Compulsory Authority over Government VDPs .............................................. 458 C. The Government as an “Example”: The Impact of Government VDPs on the Private Sector, as Evidenced Through
  • How to Analyze the Cyber Threat from Drones

    How to Analyze the Cyber Threat from Drones

    C O R P O R A T I O N KATHARINA LEY BEST, JON SCHMID, SHANE TIERNEY, JALAL AWAN, NAHOM M. BEYENE, MAYNARD A. HOLLIDAY, RAZA KHAN, KAREN LEE How to Analyze the Cyber Threat from Drones Background, Analysis Frameworks, and Analysis Tools For more information on this publication, visit www.rand.org/t/RR2972 Library of Congress Cataloging-in-Publication Data is available for this publication. ISBN: 978-1-9774-0287-5 Published by the RAND Corporation, Santa Monica, Calif. © Copyright 2020 RAND Corporation R® is a registered trademark. Cover design by Rick Penn-Kraus Cover images: drone, Kadmy - stock.adobe.com; data, Getty Images. Limited Print and Electronic Distribution Rights This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited. Permission is given to duplicate this document for personal use only, as long as it is unaltered and complete. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial use. For information on reprint and linking permissions, please visit www.rand.org/pubs/permissions. The RAND Corporation is a research organization that develops solutions to public policy challenges to help make communities throughout the world safer and more secure, healthier and more prosperous. RAND is nonprofit, nonpartisan, and committed to the public interest. RAND’s publications do not necessarily reflect the opinions of its research clients and sponsors. Support RAND Make a tax-deductible charitable contribution at www.rand.org/giving/contribute www.rand.org Preface This report explores the security implications of the rapid growth in unmanned aerial systems (UAS), focusing specifically on current and future vulnerabilities.
  • The CLASP Application Security Process

    The CLASP Application Security Process

    The CLASP Application Security Process Secure Software, Inc. Copyright (c) 2005, Secure Software, Inc. The CLASP Application Security Process The CLASP Application Security Process TABLE OF CONTENTS CHAPTER 1 Introduction 1 CLASP Status 4 An Activity-Centric Approach 4 The CLASP Implementation Guide 5 The Root-Cause Database 6 Supporting Material 7 CHAPTER 2 Implementation Guide 9 The CLASP Activities 11 Institute security awareness program 11 Monitor security metrics 12 Specify operational environment 13 Identify global security policy 14 Identify resources and trust boundaries 15 Identify user roles and resource capabilities 16 Document security-relevant requirements 17 Detail misuse cases 18 Identify attack surface 19 Apply security principles to design 20 Research and assess security posture of technology solutions 21 Annotate class designs with security properties 22 Specify database security configuration 23 Perform security analysis of system requirements and design (threat modeling) 24 Integrate security analysis into source management process 25 Implement interface contracts 26 Implement and elaborate resource policies and security technologies 27 Address reported security issues 28 Perform source-level security review 29 Identify, implement and perform security tests 30 The CLASP Application Security Process i Verify security attributes of resources 31 Perform code signing 32 Build operational security guide 33 Manage security issue disclosure process 34 Developing a Process Engineering Plan 35 Business objectives 35 Process
  • The Economic Functioning of Online Drugs Markets

    The Economic Functioning of Online Drugs Markets

    ISSN 2042-2695 CEP Discussion Paper No 1490 Revised August 2017 (Replaced July 2017 version) The Economic Functioning of Online Drugs Markets V. Bhaskar Robin Linacre Stephen Machin Abstract The economic functioning of online drug markets using data scraped from online platforms is studied. Analysis of over 1.5 million online drugs sales shows online drugs markets tend to function without the significant moral hazard problems that, a priori, one might think would plague them. Only a small proportion of online drugs deals receive bad ratings from buyers, and online markets suffer less from problems of adulteration and low quality that are a common feature of street sales of illegal drugs. Furthermore, as with legal online markets, the market penalizes bad ratings, which subsequently lead to significant sales reductions and to market exit. The impact of the well-known seizure by law enforcement of the original Silk Road and the shutdown of Silk Road 2.0 are also studied, together with the exit scam of the market leader at the time, Evolution. There is no evidence that these exits deterred buyers or sellers from online drugs trading, as new platforms rapidly replaced those taken down, with the online market for drugs continuing to grow. Keywords: dark web, drugs JEL codes:K42 This paper was produced as part of the Centre’s Communities Programme. The Centre for Economic Performance is financed by the Economic and Social Research Council. Acknowledgements Robin Linacre contributed to this paper in a personal capacity and in his own time. The research is not linked to any of his work for either the Sentencing Council or the Ministry of Justice.
  • A Dropbox Whitepaper Dropbox for Business Security

    A Dropbox Whitepaper Dropbox for Business Security

    Dropbox for Business security A Dropbox whitepaper Dropbox for Business security Contents Introduction 3 Product features (security, control, and visibility) 3 Under the hood 7 Application security 10 Apps for Dropbox 12 Network security 13 Vulnerability management 14 Dropbox information security 16 Physical security 17 Compliance 17 Privacy 19 Dropbox Trust Program 20 Summary 21 Dropbox for Business security Millions of users trust Dropbox to easily and reliably store, sync, and share photos, videos, docs, and other files across devices. Dropbox for Business brings that same simplicity to the workplace, with advanced features that help teams share instantly across their organizations and give admins the visibility and control they need. But more than just an easy-to-use tool for storage and sharing, Dropbox for Business is designed to keep important work files secure. To do this, we’ve created a sophisticated infrastructure onto which account administrators can layer and customize policies of their own. In this paper, we’ll detail the back-end policies, as well as options available to admins, that make Dropbox the secure tool for getting work done. Product features (security, control, and visibility) Dropbox provides the administrative control and visibility features that empower both IT and end users to effectively manage their businesses and data. Below is a sampling of features available to team admins and users, as well as third-party integrations for managing core IT processes. Admin management features No two organizations are exactly alike, so we’ve developed a number of tools that empower admins to customize Dropbox for Business to their teams’ particular needs.
  • Threats and Vulnerabilities in Federation Protocols and Products

    Threats and Vulnerabilities in Federation Protocols and Products

    Threats and Vulnerabilities in Federation Protocols and Products Teemu Kääriäinen, CSSLP / Nixu Corporation OWASP Helsinki Chapter Meeting #30 October 11, 2016 Contents • Federation Protocols: OpenID Connect and SAML 2.0 – Basic flows, comparison between the protocols • OAuth 2.0 and OpenID Connect Vulnerabilities and Best Practices – Background for OAuth 2.0 security criticism, vulnerabilities related discussion and publicly disclosed vulnerabilities, best practices, JWT, authorization bypass vulnerabilities, mobile application integration. • SAML 2.0 Vulnerabilities and Best Practices – Best practices, publicly disclosed vulnerabilities • OWASP Top Ten in Access management solutions – Focus on Java deserialization vulnerabilites in different commercial and open source access management products • Forgerock OpenAM, Gluu, CAS, PingFederate 7.3.0 Admin UI, Oracle ADF (Oracle Identity Manager) Federation Protocols: OpenID Connect and SAML 2.0 • OpenID Connect is an emerging technology built on OAuth 2.0 that enables relying parties to verify the identity of an end-user in an interoperable and REST-like manner. • OpenID Connect is not just about authentication. It is also about authorization, delegation and API access management. • Reasons for services to start using OpenID Connect: – Ease of integration. – Ability to integrate client applications running on different platforms: single-page app, web, backend, mobile, IoT. – Allowing 3rd party integrations in a secure, interoperable and scalable manner. • OpenID Connect is proven to be secure and mature technology: – Solves many of the security issues that have been an issue with OAuth 2.0. • OpenID Connect and OAuth 2.0 are used frequently in social login scenarios: – E.g. Google and Microsoft Account are OpenID Connect Identity Providers. Facebook is an OAuth 2.0 authorization server.
  • Fuzzing with Code Fragments

    Fuzzing with Code Fragments

    Fuzzing with Code Fragments Christian Holler Kim Herzig Andreas Zeller Mozilla Corporation∗ Saarland University Saarland University [email protected] [email protected] [email protected] Abstract JavaScript interpreter must follow the syntactic rules of JavaScript. Otherwise, the JavaScript interpreter will re- Fuzz testing is an automated technique providing random ject the input as invalid, and effectively restrict the test- data as input to a software system in the hope to expose ing to its lexical and syntactic analysis, never reaching a vulnerability. In order to be effective, the fuzzed input areas like code transformation, in-time compilation, or must be common enough to pass elementary consistency actual execution. To address this issue, fuzzing frame- checks; a JavaScript interpreter, for instance, would only works include strategies to model the structure of the de- accept a semantically valid program. On the other hand, sired input data; for fuzz testing a JavaScript interpreter, the fuzzed input must be uncommon enough to trigger this would require a built-in JavaScript grammar. exceptional behavior, such as a crash of the interpreter. Surprisingly, the number of fuzzing frameworks that The LangFuzz approach resolves this conflict by using generate test inputs on grammar basis is very limited [7, a grammar to randomly generate valid programs; the 17, 22]. For JavaScript, jsfunfuzz [17] is amongst the code fragments, however, partially stem from programs most popular fuzzing tools, having discovered more that known to have caused invalid behavior before. LangFuzz 1,000 defects in the Mozilla JavaScript engine. jsfunfuzz is an effective tool for security testing: Applied on the is effective because it is hardcoded to target a specific Mozilla JavaScript interpreter, it discovered a total of interpreter making use of specific knowledge about past 105 new severe vulnerabilities within three months of and common vulnerabilities.
  • Malware Trends

    Malware Trends

    NCCIC National Cybersecurity and Communications Integration Center Malware Trends Industrial Control Systems Emergency Response Team (ICS-CERT) Advanced Analytical Laboratory (AAL) October 2016 This product is provided subject only to the Notification Section as indicated here:http://www.us-cert.gov/privacy/ SUMMARY This white paper will explore the changes in malware throughout the past several years, with a focus on what the security industry is most likely to see today, how asset owners can harden existing networks against these attacks, and the expected direction of developments and targets in the com- ing years. ii CONTENTS SUMMARY .................................................................................................................................................ii ACRONYMS .............................................................................................................................................. iv 1.INTRODUCTION .................................................................................................................................... 1 1.1 State of the Battlefield ..................................................................................................................... 1 2.ATTACKER TACTIC CHANGES ........................................................................................................... 2 2.1 Malware as a Service ...................................................................................................................... 2 2.2 Destructive Malware ......................................................................................................................