Abstract
The security of information technology and computer networks is effected by a wide variety of actors and processes which together make up a security ecosystem; here we examine this ecosystem, consolidating many aspects of security that have hitherto been discussed only separately. First, we analyze the roles of the major actors within this ecosystem and the processes they participate in, the paths vulnerability data take through the ecosystem, and the impact of each of these on security risk. Then, based on a quantitative examination of 27,000 vulnerabilities disclosed over the past decade and taken from publicly available data sources, we quantify the systematic gap between exploit and patch availability. We provide the first examination of the impact and the risks associated with this gap on the ecosystem as a whole. Our analysis provides a metric for the success of the "responsible disclosure" process. We measure the prevalence of the commercial markets for vulnerability information and highlight the role of security information providers (SIP), which function as the "free press" of the ecosystem.
Keywords
- Public Disclosure
- Security Vulnerability
- Responsible Disclosure
- Risk Vulnerability
- Vulnerability Information
Copyright information
© 2010 Springer Science+Business Media, LLC
About this paper
Cite this paper
Frei, S., Schatzmann, D., Plattner, B., Trammell, B. (2010). Modeling the Security Ecosystem - The Dynamics of (In)Security. In: Moore, T., Pym, D., Ioannidis, C. (eds) Economics of Information Security and Privacy. Springer, Boston, MA. https://doi.org/10.1007/978-1-4419-6967-5_6
DOI: https://doi.org/10.1007/978-1-4419-6967-5_6
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4419-6966-8
Online ISBN: 978-1-4419-6967-5
eBook Packages: Computer Science (R0)