DOCSLIB.ORG

Data-Driven Insights from Vulnerability Discovery Metrics International Workshop on Data-Driven Decisions, Experimentation and Evolution (Ddree) May 27, 2019

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Data-Driven Insights from Vulnerability Discovery Metrics International Workshop on Data-Driven Decisions, Experimentation and Evolution (Ddree) May 27, 2019 Data-driven Insights from Vulnerability Discovery Metrics International Workshop on Data-Driven Decisions, Experimentation and Evolution (DDrEE) May 27, 2019 Nuthan Munaiah Andrew Meneely PhD Candidate Associate Professor [email protected] [email protected] Department of Software Engineering Rochester Institute of Technology Rochester, NY Motivation | Security matters. | “… payouts for … exploits range from $5,000 to $1,500,000 …” [1] | Exploits as (cyber)weapons [2] | Developers must defend against innovative attacks | Security as an integral part of the development lifecycle | Leverage processes, tools, and techniques | Inculcate an attacker mindset ZERODIUM – How to Sell Your 0Day Exploit to ZERODIUM [1] S. Collins and S. McCombie. 2012. Stuxnet: The Emergence of a New Cyber Weapon and its Implications. Journal of Policing, Intelligence and Counter Terrorism [2] Motivation 3 | Metrics empirically validated using historical vulnerabilities | Metrics can ... | ... help discover vulnerabilities | ... reveal engineering failures that may have led to vulnerabilities | Numerous metrics exist [1] but their use has been limited [2] | Challenges: Granularity, effectiveness, actionability, and usability Morrison, P., Moye, D., Pandita, R., & Williams, L. 2018. Mapping the field of software life cycle security metrics. Information and Software Technology [1] Morrison, P., Herzig, K., Murphy, B., & Williams, L. (2015). Challenges with Applying Vulnerability Prediction Models. Symposium and Bootcamp on the Science of Security [2] Motivation 4 Project Vulnerable Model Metrics Measurements Neutral Motivation 5 | Interpretation | What are the metrics telling us? | What should we ask developers to do? | Example | Dependency [1]: Why does #include<foo.h> make foo.c vulnerable? | Churn [2]: Why does high churn make foo.c vulnerable? | Metrics as more than mere explanatory variables in a model | Metrics as agents of feedback Neuhaus et al. Predicting Vulnerable Software Components. CCS’07 [1] Zimmermann et al. Searching for a Needle in a Haystack: Predicting Security Vulnerabilities for Windows Vista. ICST’10 [2] Motivation 6 Project Vulnerable Model Metrics Measurements Neutral Motivation 7 Comments Project Model Metrics Measurements Reviewers Developer Feedback Security Template(s) Feedback Feedback Generation Motivation 8 Vision, Goal, and Questions Vision Assist developers in engineering secure software by providing a technique that generates scientific, interpretable, and actionable feedback on security as the software evolves Questions | When to show the feedback? | What should the feedback contain? | Where should the feedback be shown? Vision, Goal, and Questions 10 Goal Propose an approach to generate natural language feedback on security through the interpretation of vulnerability discovery metrics Research Questions | Generalizability Are vulnerability discovery metrics similarly distributed across projects? | Thresholds Are thresholds of vulnerability discovery metrics effective at classifying risk from vulnerabilities? Vision, Goal, and Questions 11 Dataset Metrics that we collected and analyzed in our study Dataset | We collected ten empirically-validated metrics in literature | Continuous-/Discrete-valued | Boolean-valued | Churn | Collaboration Centrality | Known Offender | Complexity | Contribution Centrality | Nesting | Source Lines of Code | # Inputs | # Outputs | # Paths | Implemented as docker containers to ease dissemination | Churn and Collaboration Centrality used as exemplars Dataset | Metrics 14 | Churn is a measure of amount change to a file $ git log --no-merges --no-renames --numstat --pretty=%H ... 9fc98e1974efa18497673aed79346e79227a84c5 1 0 chrome/test/data/webui/settings/cr_settings_browsertest.js ... | Collaboration centrality is a measure of diversity in perspective Alex baz.cc maz.hh Ahmed maz.hh Cody Dan scr.c foo.c Colin bar.c maz.hh Congyue Dataset | Metrics 15 Projects from which the metrics were collected from in our study Dataset Google Chrome Linux Apache Tomcat Mozilla Firefox OpenBSD WildFly Web Operating Application Browser System Server C/C++ Java | Large, mature, open source, and prolific history Dataset | Projects 17 Summary of the dataset used in the analysis Dataset Domain Project Language # Files SLOC* Chrome 930,265 9,054,450 Web Browser Firefox 509,221 6,977,203 C/C++ Linux 110,299 13,101,179 Operating System OpenBSD 142,337 9,147,222 Tomcat 6,038 326,748 Application Server Java WildFly 38,166 524,240 * Across all programming languages Dataset | Summary 19 Results Generalizability Are vulnerability discovery metrics similarly distributed across projects? Results Are vulnerability discovery metrics similarly distributed across projects? | Role of domain and language | Analyses | Violin Plots | Kruskal–Wallis, Mann–Whitney–Wilcoxon, and Cliff's δ | We use churn and collaboration as exemplars Results | Generalizability 22 | Churn appears similarly distributed but collaboration does not | We must, however, quantify the assessment Results | Generalizability 23 | Kruskal–Wallis: No similarly distributed metric (α = 2.78E-03) Cliff's δ (Effect) Dimension X Y Churn Collaboration Operating System 0.2148 (S) 0.1881 (S) Web Browser Domain 0.1928 (S) 0.3062 (S) Application Server Operating System 0.0667 (N) 0.3110 (S) Language C/C++ Java 0.1497 (S) 0.3078 (S) Chrome Firefox 0.0610 (N) 0.1043 (N) Project Linux OpenBSD 0.2056 (S) 0.9915 (L) Tomcat WildFly 0.1153 (N) 0.9955 (L) Effect (N) δ < 0.147 (S) 0.147 ≤ δ < 0.33 (L) δ > 0:474 Results | Generalizability 24 Generalizability Are vulnerability discovery metrics similarly distributed across projects? All metrics, except collaboration, are generalizable (i.e. have similar distributions) across the projects considered in our study irrespective of domain and language. Results | Generalizability 25 Thresholds Are thresholds of vulnerability discovery metrics effective at classifying risk from vulnerabilities? Results Are thresholds of vulnerability discovery metrics effective at classifying risk from vulnerabilities? | When does a metric foreshadow a problem (i.e. vulnerability)? | Unsupervised approach proposed by Alves et al. [1] | Delineate risk levels (low, medium, high, and critical) using thresholds | Analyses | % Historically-vulnerable Files Covered | Odds and Change in Odds Alves, T. L., Ypma, C., & Visser, J. 2010. Deriving Metric Thresholds from Benchmark Data. International Conference on Software Maintenance. [1] Results | Thresholds 27 | Deriving Metric Thresholds from Benchmark Data [1] | Unsupervised approach based solely on distribution of metric values | Six step process to determine thresholds Project File Churn Weight Chrome foo.c 8 20 Chrome bar.c 15 5 Firefox baz.cc 20 20 Firefox cat.h 8 50 Firefox maz.hh 15 3 Firefox mox.cc 25 19 Alves, T. L., Ypma, C., & Visser, J. 2010. Deriving Metric Thresholds from Benchmark Data. International Conference on Software Maintenance. [1] Results | Thresholds 28 Project File Churn Weight Total % Weight Chrome foo.c 8 20 80.00% 25 Chrome bar.c 15 5 20.00% Firefox baz.cc 20 20 21.74% Firefox cat.h 8 50 54.35% 92 Firefox maz.hh 15 3 3.26% Firefox mox.cc 25 19 20.65% Results | Thresholds 29 Project File Churn Weight Total % Weight Chrome foo.c 8 20 80.00% 25 Chrome bar.c 15 5 20.00% Firefox baz.cc 20 20 21.74% Firefox cat.h 8 50 54.35% 92 Firefox maz.hh 15 3 3.26% Firefox mox.cc 25 19 20.65% Churn % Weight Mean % Weight 8 54.35% Churn Mean % Weight Cumulative (54.35 + 80.00) / 2 % 8 80.00% 8 67.17% 67.17% 15 3.26% 15 11.63% 78.80% (3.26 + 20.00) / 2 % 15 20.00% 20 10.87% 89.67% 20 21.74% 21.74 / 2 % 25 10.33% 100.00% 25 20.65% 20.65 / 2 % Results | Thresholds 30 | Risk Levels | Low metric < 70% | Medium 70% ≤ metric < 80% | High 80% ≤ metric < 90% | Critical metric ≥ 90% Churn Cumulative Risk Range 8 67.17% Low metric < 15 15 78.80% Medium 15 ≤ metric < 20 20 89.67% High 20 ≤ metric < 25 25 100.00% Critical metric ≥ 25 Results | Thresholds 31 | Thresholds | 3,403 at 70% | 5,682 at 80% | 12,005 at 90% Results | Thresholds 32 | Known offender metric from Chrome | % Historically-vulnerable Files Covered Medium High Critical Aggregate 3,403 ≤ m < 5,682 5,682 ≤ m < 12,005 m ≥ 12,005 7.68% 8.39% 5.85% 21.92% | Odds and Change in Odds (∆) Medium High Critical Odds ∆Low Odds ∆Low ∆Medium Odds ∆Low ∆High 4.57E-02 13.9862 7.96E-02 24.3699 1.7424 1.12E-01 34.3548 1.4097 Results | Thresholds 33 Thresholds Are thresholds of vulnerability discovery metrics effective at classifying risk from vulnerabilities? On average, non-trivial risk levels delineated by thresholds of generalizable vulnerability discovery metrics captured 23.85% of the historically vulnerable files in Chrome, providing support for the effectiveness of the thresholds in classifying risk from vulnerabilities Results | Thresholds 34 Insights https://chromium-review.googlesource.com/c/chromium/src/+/1552152 We believe all files modified in this change are at a higher risk of having undiscovered vulnerabilities. These suspect files are presented below along with the evidence that was used to support to assessment. • chrome/browser/about_flags.cc - The file has been changed a lot (churn at 97th percentile) by many developers who also changed many other files (contribution at 100th percentile) with these developers belonging to disparate developer groups (collaboration at 72nd percentile) and is hard to test exhaustively (nesting at 75th percentile). • chrome/browser/android/chrome_feature_list.cc - The file has been changed by many developers who also changed
Load more

Recommended publications
  • BUGS in the SYSTEM a Primer on the Software Vulnerability Ecosystem and Its Policy Implications
    ANDI WILSON, ROSS SCHULMAN, KEVIN BANKSTON, AND TREY HERR BUGS IN THE SYSTEM A Primer on the Software Vulnerability Ecosystem and its Policy Implications JULY 2016 About the Authors About New America New America is committed to renewing American politics, Andi Wilson is a policy analyst at New America’s Open prosperity, and purpose in the Digital Age. We generate big Technology Institute, where she researches and writes ideas, bridge the gap between technology and policy, and about the relationship between technology and policy. curate broad public conversation. We combine the best of With a specific focus on cybersecurity, Andi is currently a policy research institute, technology laboratory, public working on issues including encryption, vulnerabilities forum, media platform, and a venture capital fund for equities, surveillance, and internet freedom. ideas. We are a distinctive community of thinkers, writers, researchers, technologists, and community activists who Ross Schulman is a co-director of the Cybersecurity believe deeply in the possibility of American renewal. Initiative and senior policy counsel at New America’s Open Find out more at newamerica.org/our-story. Technology Institute, where he focuses on cybersecurity, encryption, surveillance, and Internet governance. Prior to joining OTI, Ross worked for Google in Mountain About the Cybersecurity Initiative View, California. Ross has also worked at the Computer The Internet has connected us. Yet the policies and and Communications Industry Association, the Center debates that surround the security of our networks are for Democracy and Technology, and on Capitol Hill for too often disconnected, disjointed, and stuck in an Senators Wyden and Feingold. unsuccessful status quo.
    [Show full text]
  • The Million Dollar Dissident: NSO Group's Iphone Zero-Days Used Against a UAE Human Rights Defender
    Research Teaching News Lab Projects GLA2010 In the News About Publications Newsletter People Archives Events Opportunities Contact The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender August 24, 2016 Categories: Bill Marczak, John Scott-Railton, Reports and Briefings Authors: Bill Marczak and John Scott-Railton, Senior Researchers at the Citizen Lab, with the assistance of the research team at Lookout Security. Media coverage: The New York Times, Motherboard, Gizmodo, Wired, Washington Post, ZDNet. This report describes how a government targeted an internationally recognized human rights defender, Ahmed Mansoor, with the Trident, a chain of zero-day exploits designed to infect his iPhone with sophisticated commercial spyware. 1. Executive Summary Ahmed Mansoor is an internationally recognized human rights defender, based in the United Arab Emirates (UAE), and recipient of the Martin Ennals Award (sometimes referred to as a “Nobel Prize for human rights”). On August 10 and 11, 2016, Mansoor received SMS text messages on his iPhone promising “new secrets” about detainees tortured in UAE jails if he clicked on an included link. Instead of clicking, Mansoor sent the messages to Citizen Lab researchers. We recognized the links as belonging to an exploit infrastructure connected to NSO Group, an Israel-based “cyber war” company that sells Pegasus, a government- exclusive “lawful intercept” spyware product. NSO Group is reportedly owned by an American venture capital firm, Francisco Partners Management. The ensuing investigation, a collaboration between researchers from Citizen Lab and from Lookout Security, determined that the links led to a chain of zero-day exploits (“zero-days”) that would have remotely jailbroken Mansoor’s stock iPhone 6 and installed sophisticated spyware.
    [Show full text]
  • BUGS in the SYSTEM a Primer on the Software Vulnerability Ecosystem and Its Policy Implications
    ANDI WILSON, ROSS SCHULMAN, KEVIN BANKSTON, AND TREY HERR BUGS IN THE SYSTEM A Primer on the Software Vulnerability Ecosystem and its Policy Implications JULY 2016 About the Authors About New America New America is committed to renewing American politics, Andi Wilson is a policy analyst at New America’s Open prosperity, and purpose in the Digital Age. We generate big Technology Institute, where she researches and writes ideas, bridge the gap between technology and policy, and about the relationship between technology and policy. curate broad public conversation. We combine the best of With a specific focus on cybersecurity, Andi is currently a policy research institute, technology laboratory, public working on issues including encryption, vulnerabilities forum, media platform, and a venture capital fund for equities, surveillance, and internet freedom. ideas. We are a distinctive community of thinkers, writers, researchers, technologists, and community activists who Ross Schulman is a co-director of the Cybersecurity believe deeply in the possibility of American renewal. Initiative and senior policy counsel at New America’s Open Find out more at newamerica.org/our-story. Technology Institute, where he focuses on cybersecurity, encryption, surveillance, and Internet governance. Prior to joining OTI, Ross worked for Google in Mountain About the Cybersecurity Initiative View, California. Ross has also worked at the Computer The Internet has connected us. Yet the policies and and Communications Industry Association, the Center debates that surround the security of our networks are for Democracy and Technology, and on Capitol Hill for too often disconnected, disjointed, and stuck in an Senators Wyden and Feingold. unsuccessful status quo.
    [Show full text]
  • Malware Trends
    NCCIC National Cybersecurity and Communications Integration Center Malware Trends Industrial Control Systems Emergency Response Team (ICS-CERT) Advanced Analytical Laboratory (AAL) October 2016 This product is provided subject only to the Notification Section as indicated here:http://www.us-cert.gov/privacy/ SUMMARY This white paper will explore the changes in malware throughout the past several years, with a focus on what the security industry is most likely to see today, how asset owners can harden existing networks against these attacks, and the expected direction of developments and targets in the com- ing years. ii CONTENTS SUMMARY .................................................................................................................................................ii ACRONYMS .............................................................................................................................................. iv 1.INTRODUCTION .................................................................................................................................... 1 1.1 State of the Battlefield ..................................................................................................................... 1 2.ATTACKER TACTIC CHANGES ........................................................................................................... 2 2.1 Malware as a Service ...................................................................................................................... 2 2.2 Destructive Malware ......................................................................................................................
    [Show full text]
  • Threatpost | the First Stop for Security News
    Threatpost | The first stop for security news Categories Category List Cloud Security Critical Infrastructure Cryptography Government Category List Hacks Malware Mobile Security Privacy Category List SAS Vulnerabilities Web Security Authors Michael Mimoso Christopher Brook Additional Categories Slideshows The Kaspersky Lab News Service Featured Authors Michael Mimoso Christopher Brook The Kaspersky Lab News Service Featured Posts All Wireless ‘BlueBorne’ Attacks Target Billions of… Apache Foundation Refutes Involvement in Equifax… Popular D-Link Router Riddled with Vulnerabilities Many Questions, Few Answers For Equifax… Equifax Says Breach Affects 143 Million… New Dridex Phishing Campaign Delivers Fake… Podcasts Latest Podcasts All Threatpost News Wrap, September 1, 2017 Threatpost News Wrap, August 25, 2017 Threatpost News Wrap, August 18, 2017 Threatpost News Wrap, August 11, 2017 Threatpost News Wrap, August 4, 2017 Black Hat USA 2017 Preview Recommended The Kaspersky Lab Security News Service Videos Latest Videos All Mark Dowd on Exploit Mitigation Development iOS 10 Passcode Bypass Can Access… BASHLITE Family Of Malware Infects 1… How to Leak Data From Air-Gapped… Bruce Schneier on the Integration of… Chris Valasek Talks Car Hacking, IoT,… Recommended The Kaspersky Lab Security News Service Search Twitter Facebook Google LinkedIn YouTube RSS Welcome > Blog Home>Vulnerabilities > Zerodium Offering $1M for Tor Browser Zero Days 0 0 22 0 Zerodium Offering $1M for Tor Browser Zero Days by Chris Brook September 13, 2017 , 12:54 pm The exploit acquisition vendor Zerodium is doubling down again. Weeks after the company said it would pay $500,000 for zero days in private messaging apps such as Signal and WhatsApp, Zerodium said Wednesday it will pay twice that for a zero day in Tor Browser.
    [Show full text]
  • Ethical Hacking
    Ethical Hacking Alana Maurushat University of Ottawa Press ETHICAL HACKING ETHICAL HACKING Alana Maurushat University of Ottawa Press 2019 The University of Ottawa Press (UOP) is proud to be the oldest of the francophone university presses in Canada and the only bilingual university publisher in North America. Since 1936, UOP has been “enriching intellectual and cultural discourse” by producing peer-reviewed and award-winning books in the humanities and social sciences, in French or in English. Library and Archives Canada Cataloguing in Publication Title: Ethical hacking / Alana Maurushat. Names: Maurushat, Alana, author. Description: Includes bibliographical references. Identifiers: Canadiana (print) 20190087447 | Canadiana (ebook) 2019008748X | ISBN 9780776627915 (softcover) | ISBN 9780776627922 (PDF) | ISBN 9780776627939 (EPUB) | ISBN 9780776627946 (Kindle) Subjects: LCSH: Hacking—Moral and ethical aspects—Case studies. | LCGFT: Case studies. Classification: LCC HV6773 .M38 2019 | DDC 364.16/8—dc23 Legal Deposit: First Quarter 2019 Library and Archives Canada © Alana Maurushat, 2019, under Creative Commons License Attribution— NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0) https://creativecommons.org/licenses/by-nc-sa/4.0/ Printed and bound in Canada by Gauvin Press Copy editing Robbie McCaw Proofreading Robert Ferguson Typesetting CS Cover design Édiscript enr. and Elizabeth Schwaiger Cover image Fragmented Memory by Phillip David Stearns, n.d., Personal Data, Software, Jacquard Woven Cotton. Image © Phillip David Stearns, reproduced with kind permission from the artist. The University of Ottawa Press gratefully acknowledges the support extended to its publishing list by Canadian Heritage through the Canada Book Fund, by the Canada Council for the Arts, by the Ontario Arts Council, by the Federation for the Humanities and Social Sciences through the Awards to Scholarly Publications Program, and by the University of Ottawa.
    [Show full text]
  • Computer Security
    CS155 Computer Security Course overview Dan Boneh Admin • Course web site: https://cs155.Stanford.edu • Profs: Dan Boneh and Zakir Durumeric • Three programming projects (pairs) and two written homeworks • Project #1 posted on Thu. Please attend section this Friday! • Use EdDiscussions and Gradescope • Automatic 72 hour extension Dan Boneh Live lectures on Zoom Lectures are recorded … posted on canvas ask questions Dan Boneh The computer security problem • Lots of buggy software • Social engineering is very effective • Money can be made from finding and exploiting vulns. 1. MarketpLace for expLoits (gaining a foothoLd) 2. MarketpLace for maLware (post compromise) 3. Strong economic and poLiticaL motivation for using both current state of computer security Dan Boneh Top 10 products by totaL number of “distinct” vuLnerabiLities in 2019 source: https://www.cvedetails.com/top-50-products.php?year=2019 Dan Boneh Vulnerable applications being exploited Java Android Browser Office Source: Kaspersky Security Bulletin 2020 Dan Boneh A global problem Top 10 countries by share of attacked users: Source: Kaspersky Security Bulletin 2020 Dan Boneh Goals for this course • Understand expLoit techniques – Learn to defend and prevent common expLoits • Understand the avaiLabLe security tooLs • Learn to architect secure systems Dan Boneh This course Part 1: basics (architecting for security) • Securing apps, OS, and Legacy code: sandboxing, access controL, and security testing Part 2: Web security (defending against a web attacker) • BuiLding robust web sites, understand the browser security modeL Part 3: network security (defending against a network attacker) • Monitoring and architecting secure networks. Part 4: securing mobile applications Dan Boneh Don’t try this at home ! Dan Boneh Introduction What motivates attackers? … economics Dan Boneh Why compromise end user machines? 1.
    [Show full text]
  • Security Now! #705 - 03-12-19 Spoiler
    Security Now! #705 - 03-12-19 Spoiler This week on Security Now! This week we look at the 0-day exploit bidding war that's underway, the NSA's release of Ghidra, Firefox's addition of privacy enhancements which were first developed for the Tor version of Firefox, a pair of 0-days that were biting people in the wild, news of a worrisome breach at Citrix, the risk of claiming to be an unhackable aftermarket car alarm, a new and interesting "windows developers chatting with users" idea at Microsoft, a semi-solution to Windows updates crashing systems, detailed news of the Marriott/Starwood breach, a bit of miscellany from Elaine, a SpinRite question answered, and then we finish with SPOILER, the latest research exploiting yet another new and different consequence of speculation on Intel machines. See next page for the picture of the week... Happy 30th Birthday to the World Wide Web! http://info.cern.ch/Proposal.html 1 Security News Zerodium: $500,000 for a Hypervisor 0-Day Last week's topic was "Careers in Bug Hunting." While we were delivering that podcast, and although we were primarily talking about HackerOne, I mentioned Zerodium as a admitted alternative cash-out source if someone found a particularly tasty and important 0-day flaw. As it happens, while we were delivering that podcast Zerodium was upping the ante! They tweeted: We're paying up to $500,000 for #0day exploits targeting VMware ESXi (vSphere) or Microsoft Hyper-V, and allowing Guest-to-Host escapes. The exploits must work with default configs, be reliable, and lead to full access to the host.
    [Show full text]
  • Android Exploits Commanding Higher Price Than Ever Before
    Memo 10/09/2019 - TLP:WHITE Android exploits commanding higher price than ever before Reference: Memo [190910-1] – Version: 1.0 Keywords: Android, iOS, exploit, vulnerability Sources: Zerodium, Google, Wired Key Points The price of android exploits exceeds the price of iOS exploits for the first time This is possibly because Android security is improving over iOS The release of Android 10 is also a likely cause for the price hike Summary Zerodium1, a cyber security exploit broker dealing in zero-day vulnerabilities, has published its most recent price list. It indicates that the price of an Android full-chain exploit with persistence can fetch the developer up to 2,500,000 dollars. The going rate for a similar exploit for Apple’s iOS has gone down by 500,000 dollars and is now worth 2,000,000. This is the first confirmed time when Android exploits are valued more than iOS. Zerodium payouts for mobile devices Up to $2,500,000 Android zero click full compromise chain with persistence. Up to $2,000,000 iOS zero click full compromise chain with persistence. Up to $1,500,000 WhatsApp zero click remote code execution with iMessage remote code execution with local local privilege escalation on iOS or Android. privilege escalation. Up to $1,000,000 WhatsApp remote code execution with local privilege SMS/MMS remote code execution with local escalation on iOS or Android. privilege escalation on iOS or Android. Comments Zero-click exploits do not require interaction from the user. This is very difficult to achieve and thus commands the highest prices.
    [Show full text]
  • Countering the Proliferation of Offensive Cyber Capabilities
    COUNTERING THE PROLIFERATION OF OFFENSIVE CYBER CAPABILITIES Mr. Robert Morgus, Cybersecurity Initiative & International Security Program, New America Mr. Max Smeets, Centre for International Security and Cooperation (CISAC), Stanford University Mr. Trey Herr, Harvard Kennedy School MEMO №2 GCSC ISSUE BRIEF 161 TABLE OF CONTENTS SECTION 1: INTRODUCTION 163 SECTION 2: SCOPE OF ANALYSIS 165 SECTION 3: THE PILLARS AND OBJECTIVES OF COUNTERPROLIFERATION 167 SECTION 4: THE TRACE FRAMEWORK 169 SECTION 5: MAKING PROGRESS ON PROLIFERATION: APPLYING THE TRACE MODEL 177 Potential International Agreements 177 Arms Control Agreement 178 Export Control Arrangement 180 Tools for States or Like-minded Actors 181 Enhance Offensive and Defensive Capability 182 Diplomatic Toolbox 183 SECTION 6: RECOMMENDATIONS 184 1. Patience. 184 2. Increase the cost of developing offensive cyber capabilities 185 3. Further explore ways to increase barriers to spreading offensive cyber capability 186 CONCLUSIONS 187 GCSC ISSUE BRIEF 162 SECTION 1: INTRODUCTION The tenor of the cyber stability debate, often moribund and moving more sideways than forward, changed with the 2010 United Nations Governmental Group of Experts (UN GGE) Consensus Report that international law applied to cyberspace.164 It followed a position paper by the Obama administration published in January of that year to bring the various sides closer together. Though it wasn’t a steep trend line which followed, the slow process towards cyber norms was considered to be meaningful and positive.165 Despite this and subsequent progress, however, the events of 2017 have shed doubt on this progressive dynamic. The collapse of the UN GGE process in June sent an alarming message that we are moving away from establishing a meaningful cyber stability regime, rather than towards it.
    [Show full text]
  • Bugs in the Market: Creating a Legitimate, Transparent, and Vendor-Focused Market for Software Vulnerabilities
    BUGS IN THE MARKET: CREATING A LEGITIMATE, TRANSPARENT, AND VENDOR-FOCUSED MARKET FOR SOFTWARE VULNERABILITIES Jay P. Kesan* & Carol M. Hayes** Ukraine, December 23, 2015. Hundreds of thousands of homes lost power. Call center communications were blocked. Authorities reported that 103 cities experienced a total blackout. The alleged cause? BlackEnergy malware. With so much of our daily lives reliant on computers, is modern civilization just a stream of ones and zeroes away from disaster? Malware like BlackEnergy relies on uncorrected security flaws in computer systems. Sometimes, the system owner fails to install a patch. Other times, there is no patch because the software vendor either did not know about or did not correct a critical security flaw. Meanwhile, the victim country’s government or its allies may have knowledge of the same flaw, but kept the information secret so that it could be used against its enemies. There is an urgent need for a new legal and economic approach to cybersecurity that will curtail socially harmful behavior by security researchers and governments. Laws aimed at curbing cyberattacks typically focus on punishment, with little to no wiggle room provided for socially beneficial hacking behavior. Around the world, governments hoard zero-day vulnerabilities while permitting software vendors to sue security researchers who plan to demonstrate critical security flaws at industry conferences. There is also a growing market for buying and selling security flaws, and the buyers do not always have society’s best interests in mind. This Article delves into the world of cybersecurity and software and provides an interdisciplinary analysis of the current crisis, contributing to the limited but growing literature addressing these new threats that cannot be contained by traditional philosophies of war and weaponry.
    [Show full text]
  • Kaspersky Lab Threat Predictions for 2018
    Kaspersky Security Bulletin: KASPERSKY LAB THREAT PREDICTIONS FOR 2018 Version 1.1. KASPERSKY SECURITY BULLETIN: THREAT PREDICTIONS FOR 2018 CONTENTS Introduction ..................................................................................................3 Advanced Persistent Threat Predictions by the Global Research and Analysis Team (GReAT) .....................4 Introduction .............................................................................................5 Our record ................................................................................................6 What can we expect in 2018? ...........................................................7 Conclusion .............................................................................................18 Industry and Technology Predictions .............................................19 Introduction ..........................................................................................20 Threat Predictions for Automotive ..........................................21 Threat Predictions for Connected Health ........................... 26 Threat Predictions for Financial Services ............................30 Threat Predictions for Industrial Security ........................... 35 Threat Predictions for Cryptocurrencies ........................... 39 Conclusion ............................................................................................42 This report was updated on December 6, 2017 – with additional content for Threat Predictions for Financial Services
    [Show full text]