Advancing Cybersecurity Through Interdisciplinary Collaboration
Learn about IC3's mission to enhance cybersecurity through simulation modeling, vulnerability markets, and software development. Explore the dynamics of cyber threats and resilience management, uncovering hidden system dynamics using System Dynamics modeling.
Uploaded on | 0 Views
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.
E N D
Presentation Transcript
Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity (IC)3 3 Sept 2014 Advancing Cybersecurity Using Simulation Modeling I. II. Vulnerability Markets Patching and Software Development Michael Siegel James Houghton 1
Mission: Resiliency of Organizations & Markets Effective and innovative solutions to cyber insecurity require coordinated efforts to support the resiliency of the cyber organizational ecosystem the individuals, firms, and markets occupying the cyber domain, as well as the interactions among actors Key questions: Behavioral: What are the attitudes and perceptions of the private sector about cyber security? Managerial: What solutions can feasibly be manipulated by the firm or sector itself, and what can be encouraged or directed by outside actors? Technological: What is effecting product security of key IT components? Modeling framework to unpack cyber dynamics and provide organizational framework 2
Brief Overview of System Dynamics SDM used as modeling & simulation method over 50 years Eliminate limitations of linear logics and over-simplicity Based on system structure, behavior patterns, interconnections of positive & negative feedback loops SDM has been applied to numerous domains Software development projects Process Improvement projects Crisis and threat in the world oil market Stability and instability of countries many many others SDM helps to uncover hidden dynamics in system Helps understand unfolding of situations, Helps anticipate & predict new modes Explore range of unintended consequences 3
Mission: Dynamics of Threats and Resilience How did breaches (threats) occur? * 67% were aided by significant errors (of the victim) 38% utilized Malware 64% resulted from hacking Threat Management Adverse Behaviors & Management Risk Management Real-World Implications Risk Promotion Financial, Data, Integrity, Reputation Attack Onset Systems Not at Risk Systems At Risk Affected Systems Risk Reduction Recovery How are security and threat processes (resilience) managed? * Over 80% of the breaches had patches available for more than 1 year 75% of cases go undiscovered or uncontained for weeks or months * Verizon Data Breach Report 4
Relating Actions to Outcomes Key Question: What is controlling the rates of change and how can we be more anticipatory rather than reactive? Threat Management Adverse Behaviors & Management Risk Management Real-World Implications Risk Promotion Financial, Data, Integrity, Reputation Attack Onset Systems Not at Risk Systems At Risk Affected Systems Risk Reduction Recovery 5
Attack Vector Identification Firm Vendor Performance Resilience and Responsiveness Resources Motivation Skills Awareness Attacker Capabilities Indentifying Exploits Identified Attack Vectors Not Compromised Compromised Patching Reverse Engineering Visibility Technical Capabilities Process Architecture Info Sharing Sector Performance Firm Knowledge And Awareness 6
System Compromising Firm Architecture Resilience Performance Attacker Capabilities Availability Data Security Public Awareness Identified Attack Vectors Compromising Not Compromised Compromised Remediating Establishing Footholds Firm Knowledge And Awareness Sector Performance Defensive Procedures 7
Simulation Modeling Overview Initial Application Security Attacking Compromising Rate Software Security Compromising Delays Compromising Rate Height Application Software Security Test Input for Compromising Rate Change in Security Implied Compromising Rate Base Application Software Security Change in Compromising Rate Effect of Investment on Application Security Compromising Rate Time Normalized Software Security <Attack Vector Gap> Compromising Rate Duration Test for Change in Application Security Effect of Application Software Security on Vulnerability Identification Application Security Height Function for Effect of Normalized Software Security Application Security Duration <Compromising Rate> <Vulnerability Identification Rate> Application Security Time Change in Systems Indentifying Vulnerabilities Compromising Not Identified Attack Vectors Compromised Compromised System Change Reducing Vulnerabilities Recovery Patching Patch Delay <Action to Reduce Vulnerabilities> <Recovery Rate> Change in Patch Delay Fraction Vulnerable Fraction Compromised Time to Update Patch Delay Base Patch Delay New Patch Delay Total Systems 8
Making the Case Blue is base case; red case is patching with configuration standards; green is current case Infected Attack Vectors Not Compromised 200 200 200 170 170 150 140 140 100 Technical 110 110 50 80 80 0 0 10 20 30 40 50 60 70 80 90 100 0 10 20 30 40 50 60 70 80 90 100 0 10 20 30 40 50 60 70 80 90 100 Week Week Week Upstream Costs Downstream Costs 20 10 17 7.5 Managers 14 5 11 2.5 8 0 0 10 20 30 40 50 60 70 80 90 100 0 10 20 30 40 50 60 70 80 90 100 Week Week Total Costs 2,000 1,500 Senior Management (CIO) 1,000 500 0 0 10 20 30 40 50 60 70 80 90 100 Week 9
Summary of Results Solving problems upstream is more effective than fixing them downstream. Differentials in time delays in physical processes (such as patching) and behavioral processes (such as changing individual behavior) are key to understanding the efficacy of proposed interventions. Nonlinearities and tipping points may exist due to inertia and path-dependence in systems. 10
Resolving Emergent Issues In Cyber Security: Vulnerability Markets
How do white markets influence black market pricing? An exploit s price factors in both how widely the target software is used as well as the difficulty of cracking it. Greenberg - Forbes Black Market (Forbes 2012) White Market (2014) IOS $100k-$250k $0k Android $30k-$60k $0.5k $3.1k MS Windows $60k-$120k $50-$100k Internet Explorer $80k-$200k 11k
What is the lifecycle of cybercrime? Selling a bug to the Russian mafia guarantees it will be dead in no time, and they pay very little money They monetize exploits in the most brutal and mediocre way possible -Grugq, third party broker Greenberg, Forbes Blackhole Estimated Values 4 $500 Infections $400 We are setting aside a $100K budget to purchase browser and browser plug-in vulnerabilities, which are going to be used exclusively by us, without being released to public - Paunch, Author of Blackhole, Jan 13 3 $300 2 $200 1 $100 Millions Vulnerability Budget Thousands 0 7/1/11 $0 Krebs on Security 1/1/12 7/1/12 1/1/13 7/1/13 Data from Microsoft Security Bulletins, Krebs on
How do bug bounty programs influence vulnerability supply? Bounty Evolution: $100,000 for New Mitigation Bypass Techniques Wanted Dead or Alive Microsoft is announcing the first evolution of its bounty programs, first announced in June of 2013. We are expanding the pool of talent who can participate and submit novel mitigation bypass techniques and defensive ideas to include responders and forensic experts who find active attacks in the wild. - Katie Moussouris, BlueHat Blog
How does State investment in cyber capability influence foreign behavior? The Chinese are conducting espionage on a massive scale. [If we] ban sales of exploits to the U.S. and European allies the only possible outcome is that the Chinese will increase their internal production and skills and the West will fall behind. -Grugq, third party broker Greenberg, Forbes
Cyber Security Challenge: Resolving Problems As Part Of A Larger System Bug Bounty Vulnerability Supply State Actor Market Influence Cyber Crime Lifecyle White/Black Market Competition
Summary Cybersecurity solutions require a holistic approach Systems modeling considers, behavior, management, policy and technology The case of patching and software quality provide insights into timing and approaches Bug bounty programs and vulnerability markets have significant effect on security and the cyber ecosystem 18
BACKUP 19
Valuing Software Portfolios Using System Dynamics Models Project value changes over time depending on maintenance At first the value rises as application development takes shape It then adjusts overtime according to the maintenance spend The graph shows the value of one application given different maintenance Application Task Backlog Value 400 10 0 300 packages 200 100 0 A project may have a high initial expected value, but maintenance dynamics may erode that value over time 0 0 6 12 18 24 30 36 42 48 54 60 Time (Month) Time Application Task Backlog : test2 Application Task Backlog : test1 Application Task Backlog : test4 Application Task Backlog : test3 when the red case may be more likely We plan for the blue case
