Cyber vulnerabilities and the threat of attack: Making things better: Michael Siegel James Houghton MIT Sloan School of Management http://ic3.mit.edu

Post on 01-Jan-2016

TRANSCRIPT

Page 1: Cyber vulnerabilities and the threat of attack: Making things better : Michael Siegel James Houghton MIT Sloan School of Management

Cyber vulnerabilities and the threat of attack:

Making things better:

Michael Siegel, James Houghton

MIT Sloan School of Management

http://ic3.mit.edu

Page 2:

Vulnerabilities and Cybersecurity

Vulnerabilities

Security

Page 3:

Vulnerabilities

Page 4:

Creating a Vulnerability Typology

Vulnerability Characteristics

- Quantity of Vulnerabilities: Scarce - Numerous
- Ease of Vulnerability Discovery: Easy - Difficult to Find
- Likelihood of Vulnerability Rediscovery: Low - High

Patching Dynamics

- Technical Difficulty of Remediation: Easy - Hard to Fix
- Logistical Difficulty of Remediation: Easy - Hard to Access
- Average Life of a Vulnerability: Short - Long

Market Dynamics

- Third Party Market for Vulnerability: Offensive, Defensive, Mixed, Etc.
- Market Size: Small - Large
- Bug Bounty Program: Yes, No

Human Dynamics

- Attackers: Criminals, States, Patriots, Etc.
- Researcher Pool: Small - Large

Page 5:

System Dynamics Modeling

- Models Human Systems
- Gives Structure to Data
- Simulates Dynamic Behavior
- Formalizes connection, causality, and feedback

Process Improvement, Market Crises, Government Stability, Software Development

[Figure labels: Hopes, Fears, Time]

Page 6:

[Diagram labels: Undiscovered Vulnerabilities, Patching]

Page 7:

[Diagram labels: Undiscovered Vulnerabilities, Patching, Offensive Stockpile, Deployment, Discovery, Patching]

Page 8:

[Diagram labels: Black Hat Capability (Learning, Recruiting; Leaving, Erosion), Undiscovered Vulnerabilities, Patching, Offensive Stockpile, Deployment, Discovery, Patching]

Page 9:

[Diagram labels: Undiscovered Vulnerabilities, Patching, Offensive Stockpile, Deployment, Discovery, Patching, Black Hat Capability (Learning, Recruiting; Leaving, Erosion), White Hat Capability (Learning, Recruiting; Leaving, Erosion)]

Page 10:

Page 11:

[Diagram labels: Undiscovered Vulnerabilities, Patching, Offensive Stockpile, Deployment, Discovery, Patching, White Hat Capability, Discovery Correlation]

Page 12:

No Correlation

[Plot axes: White Hat, Black Hat]

Page 13:

Some Correlation

[Plot axes: White Hat, Black Hat]

Page 14:

In Simulation

Page 15:

How does discovery correlation arise?

- Fixed code base

- Heterogeneous vulnerabilities

- Common techniques between research groups

Page 16:

For a young piece of software

With our model parameters, 9% overlap

Page 17:

For a hardened piece of software

With our model parameters, 0.8% overlap
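
The mechanism listed on pages 15 to 17 (fixed code base, heterogeneous vulnerabilities, common techniques between research groups), written out as an added sketch that is not the presenters' system dynamics model. The pool sizes, hazards and capabilities are constructed, so the resulting overlaps show the direction of the effect and are not the 9% and 0.8% figures quoted on the slides.

```python
# Added illustration: expected white-hat / black-hat discovery overlap.
# All pool sizes, hazards and capabilities are constructed values.

def found_prob(hazard, capability, periods):
    """Chance that one group has found a given vulnerability by `periods`."""
    per_period = min(1.0, hazard * capability)
    return 1.0 - (1.0 - per_period) ** periods

def overlap(pool, white_cap=1.0, black_cap=1.0, periods=12):
    """Expected share of black-hat finds that white hats also found.

    pool is a list of (count, hazard) classes on one fixed code base.
    Both groups face the same hazard per class (common techniques), and
    search independently once the class is given.
    """
    both = stockpile = 0.0
    for count, hazard in pool:
        p_white = found_prob(hazard, white_cap, periods)
        p_black = found_prob(hazard, black_cap, periods)
        stockpile += count * p_black
        both += count * p_white * p_black
    return both / stockpile if stockpile else 0.0

def flatten(pool):
    """Same pool size and mean hazard, with the heterogeneity removed."""
    total = sum(count for count, _ in pool)
    mean_hazard = sum(count * hazard for count, hazard in pool) / total
    return [(total, mean_hazard)]

# Young code: a few easy bugs remain next to many hard ones.
YOUNG = [(20, 0.05), (80, 0.005), (400, 0.0005)]
# Hardened code: the easy class has already been found and patched.
HARDENED = [(5, 0.005), (95, 0.0005)]

def report():
    """Overlap for each scenario, rounded for display."""
    cases = {
        "young": YOUNG,
        "young, homogeneous": flatten(YOUNG),
        "hardened": HARDENED,
    }
    return {name: round(overlap(pool), 4) for name, pool in cases.items()}

if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name:20s} overlap = {value:.2%}")
```

Removing the heterogeneity while keeping the same mean hazard drops the overlap sharply, which is why the easy-to-find class dominates rediscovery in this sketch.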

Page 18:

Dynamics of Threats and Resilience (using System Dynamics modeling)

[Diagram labels: Systems Not at Risk, Systems At Risk, Affected Systems, Risk Promotion, Risk Reduction, Attack Onset, Recovery, Adverse Behaviors & Management, Risk Management, Threat Management]

Real-World Implications: Financial, Data, Integrity, Reputation

How did breaches (threats) occur? *

- 67% were aided by significant errors (of the victim)
- 64% resulted from hacking
- 38% utilized Malware

How are security and threat processes (resilience) managed? *

- Over 80% of the breaches had patches available for more than 1 year
- 75% of cases go undiscovered or uncontained for weeks or months

* Verizon Data Breach Report

Page 19:

Making the Case

[Figure: simulation plots against Time (Year). Technical: Not Compromised, Attack Vectors, Infected. Managers: “Upstream Costs”, “Downstream Costs”. Senior Management (CIO): Total Costs.]

Blue is base case; red case is patching with configuration standards; green is current case

Page 20:

Summary

Models can explain the dynamics of vulnerabilities and researcher motivation and exploits

Understanding the tools and techniques of finding vulnerabilities helps to improve security

Models help understand the security issues in patching and software release dynamics

Solving security problems “upstream” is more effective than fixing them “downstream.”

These analyses and modeling techniques can apply to any type of organization