Cyber vulnerabilities and the threat of attack: Making things better : Michael Siegel James Houghton...
Cyber vulnerabilities and the threat of attack:
Making things better:
Michael Siegel, James Houghton
MIT Sloan School of Management
http://ic3.mit.edu

Vulnerabilities and Cybersecurity
[Diagram labels: Vulnerabilities; Security]

Vulnerabilities

Creating a Vulnerability Typology

Vulnerability Characteristics
- Quantity of Vulnerabilities: Scarce - Numerous
- Ease of Vulnerability Discovery: Easy - Difficult to Find
- Likelihood of Vulnerability Rediscovery: Low - High

Patching Dynamics
- Technical Difficulty of Remediation: Easy - Hard to Fix
- Logistical Difficulty of Remediation: Easy - Hard to Access
- Average Life of a Vulnerability: Short - Long

Market Dynamics
- Third Party Market for Vulnerability: Offensive, Defensive, Mixed, Etc.
- Market Size: Small - Large
- Bug Bounty Program: Yes, No

Human Dynamics
- Attackers: Criminals, States, Patriots, Etc.
- Researcher Pool: Small - Large

System Dynamics Modeling
- Models Human Systems
- Gives Structure to Data
- Simulates Dynamic Behavior
- Formalizes connection, causality, and feedback

Process Improvement, Market Crises, Government Stability, Software Development
[Plot labels: Hopes, Fears; axis: Time]

[Model diagram. Labels: Undiscovered Vulnerabilities, Patching]

[Model diagram. Labels: Undiscovered Vulnerabilities, Patching, Offensive Stockpile, Deployment, Discovery, Patching]

[Model diagram. Labels: Black Hat Capability (Learning, Recruiting; Leaving, Erosion), Undiscovered Vulnerabilities, Patching, Offensive Stockpile, Deployment, Discovery, Patching]

[Model diagram. Labels: Undiscovered Vulnerabilities, Patching, Offensive Stockpile, Deployment, Discovery, Patching, Black Hat Capability (Learning, Recruiting; Leaving, Erosion), White Hat Capability (Learning, Recruiting; Leaving, Erosion)]

[Model diagram. Labels: Undiscovered Vulnerabilities, Patching, Offensive Stockpile, Deployment, Discovery, Patching, White Hat Capability, Discovery Correlation]

No Correlation
[Plot axes: White Hat, Black Hat]

Some Correlation
[Plot axes: White Hat, Black Hat]

In Simulation

How does discovery correlation arise?
- Fixed code base
- Heterogeneous vulnerabilities
- Common techniques between research groups

For a young piece of software
With our model parameters, 9% overlap

For a hardened piece of software
With our model parameters, 0.8% overlap
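
The three conditions on the "How does discovery correlation arise?" slide, and the young versus hardened comparison, can be worked through as an expected-value calculation. This is an added example, not the authors' system dynamics model: the function names, the geometric ease profile and all parameter values are assumptions, so its percentages will not match the 9% and 0.8% quoted on the slides.

```python
"""Expected discovery overlap between two research groups (added example)."""


def ease_profile(n, p_easy, p_hard):
    """Per-period discovery probability for n >= 2 bugs, spaced geometrically
    from p_easy down to p_hard: a pool of heterogeneous vulnerabilities."""
    ratio = (p_hard / p_easy) ** (1.0 / (n - 1))
    return [p_easy * ratio ** i for i in range(n)]


def overlap_fraction(ease, window, prior_age=0, shared_techniques=True):
    """Expected share of black-hat finds in `window` periods that white hats
    also find in the same window.

    prior_age: periods of earlier white-hat discovery and patching on the
        fixed code base; bug i is still present with probability
        (1 - p_i) ** prior_age, so easy bugs thin out first.
    shared_techniques: True means both groups find the same bugs easy;
        False means black-hat ease is independent of white-hat ease.
    """
    alive = [(1.0 - p) ** prior_age for p in ease]
    white = [1.0 - (1.0 - p) ** window for p in ease]  # P(white hats find bug)
    if shared_techniques:
        # Black hats find bug i with the same probability as white hats.
        black_total = sum(a * w for a, w in zip(alive, white))
        both = sum(a * w * w for a, w in zip(alive, white))
        return both / black_total
    # Independent ease: the overlap is the average white-hat find
    # probability over the bugs still present.
    return sum(a * w for a, w in zip(alive, white)) / sum(alive)


if __name__ == "__main__":
    pool = ease_profile(200, p_easy=0.05, p_hard=0.0005)  # constructed values
    cases = [
        ("young, shared techniques", overlap_fraction(pool, 12)),
        ("young, no correlation", overlap_fraction(pool, 12, shared_techniques=False)),
        ("hardened, shared techniques", overlap_fraction(pool, 12, prior_age=120)),
    ]
    for label, value in cases:
        print(f"{label:30s} {value:.1%}")
```

With a homogeneous pool the shared and independent cases give the same overlap, so in this sketch the gap between them comes entirely from heterogeneity combined with common techniques.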

Dynamics of Threats and Resilience (using System Dynamics modeling)

[Model diagram. Labels: Systems Not at Risk, Systems At Risk, Affected Systems; Risk Promotion, Risk Reduction, Attack Onset, Recovery; Adverse Behaviors & Management, Risk Management, Threat Management; Real-World Implications: Financial, Data, Integrity, Reputation]

How did breaches (threats) occur? *
- 67% were aided by significant errors (of the victim)
- 64% resulted from hacking
- 38% utilized Malware

How are security and threat processes (resilience) managed? *
- Over 80% of the breaches had patches available for more than 1 year
- 75% of cases go undiscovered or uncontained for weeks or months

* Verizon Data Breach Report

Making the Case

[Simulation plots over Time (Year), 0 to 100. Technical: Not Compromised, Attack Vectors, Infected. Managers: “Upstream Costs”, “Downstream Costs”. Senior Management (CIO): Total Costs.]
Blue is base case; red case is patching with configuration standards; green is current case

Summary
Models can explain the dynamics of vulnerabilities and researcher motivation and exploits
Understanding the tools and techniques of finding vulnerabilities helps to improve security
Models help understand the security issues in patching and software release dynamics
Solving security problems “upstream” is more effective than fixing them “downstream.”
These analyses and modeling techniques can apply to any type of organization