A Survey on Security Metrics¹

MARCUS PENDLETON, The University of Texas at San Antonio
RICHARD GARCIA-LEBRON, The University of Texas at San Antonio
SHOUHUAI XU, The University of Texas at San Antonio

arXiv:1601.05792v1 [cs.CR] 20 Jan 2016

The importance of security metrics can hardly be overstated. Despite the attention that has been paid by academia, government and industry in the past decades, this important problem stubbornly remains open. In this paper, we present a survey of the knowledge on security metrics. The survey is centered on a novel taxonomy, which classifies security metrics into four categories: metrics for measuring the system vulnerabilities, metrics for measuring the defenses, metrics for measuring the threats, and metrics for measuring the situations. The insight underlying the taxonomy is that situations (or outcomes of cyber attack-defense interactions) are caused by certain threats (or attacks) against systems that have certain vulnerabilities (including human factors) and employ certain defenses. In addition to systematically reviewing the security metrics that have been proposed in the literature, we discuss the gaps between the state of the art and the ultimate goals.

1. INTRODUCTION

Security metrics is one of the most important open problems in security research. It has been recognized on the Hard Problem List of the United States INFOSEC Research Council (both 1999 and 2005 editions) [Council 2007], has been reiterated in 2011 by the United States National Science and Technology Council [Science and Technology Council 2011], and most recently has been listed as one of the five hard problems in Science of Security (August 2015) [Nicol et al.].
The security metrics problem certainly has received a lot of attention, including from government and industry bodies [Chew et al.; IATAC 2009; Institute; Center for Internet Security 2010]. For example, the United States National Institute of Standards and Technology proposed three categories of security metrics: implementation, effectiveness, and impact [Chew et al.]; the Center for Internet Security defined 28 security metrics in another three categories: management, operational, and technical [Center for Internet Security 2010]. However, these efforts are almost exclusively geared towards cyber defense administration and operations. They neither discuss how these security metrics may be used as parameters in security modeling (i.e., theoretical use of security metrics), nor discuss what the gaps are between the state of the art and the ultimate goals and how these gaps may be bridged. This motivates us to survey the knowledge in the field, while hoping to shed some light on the difficulties of the problem and the directions for future research. To the best of our knowledge, this is the first survey of security metrics, even though there have been some efforts with a much narrower focus (e.g., [Landwehr et al. 1994; Chandola et al. 2009; Milenkoski et al. 2015; Roundy and Miller 2013; Ugarte-Pedrero et al. 2015]).

The paper is organized as follows. Section 2 discusses the scope and methodology of the survey. Section 3 describes security metrics for measuring system vulnerabilities. Section 4 reviews security metrics for measuring defenses. Section 5 presents security metrics for measuring threats. Section 6 describes security metrics for measuring situations. Section 7 discusses the gaps between the state of the art and the security metrics that are desirable. Section 8 concludes the paper.

¹ Authors' addresses: M. Pendleton, R. Garcia-Lebron and S. Xu, Department of Computer Science, The University of Texas at San Antonio. Correspondence: Shouhuai Xu ([email protected])

ACM Journal Name, Vol. V, No. N, Article A, Publication date: January YYYY.

2. SCOPE AND METHODOLOGY

2.1. Terminology

The term security metrics has a range of meanings, with no widely accepted definition [Jansen 2009]. It is however intuitive that security metrics reflect some security attributes quantitatively.

Throughout the paper, the term systems is used in a broad sense, and is used in contrast to the term building-blocks, used to describe concepts such as cryptographic primitives. The discussion in the present paper applies to two kinds of systems: (i) enterprise systems, which include networked systems of multiple computers/devices (e.g., company networks), clouds, and even the entire cyberspace, and (ii) computer systems, which represent individual computers/devices. This distinction is important because an enterprise system consists of many computers/devices, and measuring security of an enterprise system naturally requires measuring security of the individual computers. The term attacking computer represents a computer or IP address from which cyber attacks are launched against others, while noting that the attacking computer itself may be a compromised one (i.e., not owned by a human attacker). The term incident represents a successful attack (e.g., malware infection or data breach).

For applications of security metrics, we will focus on two uses. The theoretical use is to incorporate security metrics as parameters into some security models that may be built to understand security from a more holistic perspective. There have been some initial studies in pursuing such models, such as [LeMay et al.; Xu 2014a], which often aim to characterize the evolution of the global security state. The practical use is to guide daily security practice, such as comparing the security of two systems and comparing the security of one system during two different periods of time (e.g., last year vs. present year).

2.2. Scope

We have to limit the scope of the literature that is surveyed in the present paper. This is because every security paper that improves upon a previous result, be it a better defense or a more powerful attack, would be considered relevant in terms of security metrics. However, most security publications did not address the security metrics perspective, perhaps because it is sufficient to show, for example, that a newly proposed defense can defeat an attack that could not be defeated by previous defenses. This leads us to survey the literature that made a reasonable effort at defining security metrics. This selection criterion is certainly subjective, but we hope the readers find the resulting survey and discussion informative. It is worth mentioning that our focus is on security metrics, rather than the specific approaches for analyzing them. We treat the analysis approaches as an orthogonal issue because a security metric may be analyzed via multiple approaches.

Even within the scope discussed above, we still need to narrow down our focus. This is because security, and security metrics thereof, can be discussed at multiple levels of abstraction, including systems and building-blocks as mentioned above. For building-blocks, great success has been achieved in measuring the concrete security of cryptographic primitives [Bellare et al.], while other notable results include metrics for measuring privacy [Dwork; Shokri et al.], information flow [Mardziel et al. 2014], side-channel leakage [Schneider and Moradi 2015], and hardware security [Rostami et al. 2014]. On the other hand, our understanding of security metrics for measuring security of systems lags far behind, as the present paper shows. One thing that is worth clarifying is that the exposure of cryptographic keys, due to the use of weak randomness in the key generation algorithm or Heartbleed-like attacks, is treated as a systems security problem.
This is plausible because the formal framework for analyzing cryptographic security assumes that the cryptographic keys are not exposed.

The aforementioned discrepancy between the metrics for systems security and the metrics for building-blocks security is unacceptable because the former is often needed and used in the process of business decision-making. This leads us to focus on systematizing the underdeveloped field of systems security metrics. The importance of this underdeveloped field can be seen by efforts that have been made by government and industrial bodies [Chew et al.; IATAC 2009; Institute; Center for Internet Security 2010]. This prompts us to consider both these metrics and those that appeared in academic venues.

2.3. Survey methodology

Our survey methodology is centered on the perspective of cyber attack-defense interactions, which applies to both enterprise systems and computer systems mentioned above.

Figure 1 illustrates a snapshot of an enterprise system. At time t, the enterprise system consists of n computers (or devices, or virtual machines in the case of cloud), denoted by the vector C(t) = {c1(t), ..., cn(t)}, where n could vary with time t (i.e., n could be a function of time t). Each computer, ci(t), may have a vector vi(t) of vulnerabilities, including the computer user's vulnerability to social-engineering attacks, the vulnerability caused by the use of weak passwords, and the software vulnerabilities that may include some zero-day and/or some unpatched ones. Attacks are represented by red arrows, and defenses are represented by blue bars. Defenses accommodate both the defenses that are installed on the individual computers (e.g., anti-malware tools) and the defenses that are employed at the perimeter of the enterprise system (e.g., firewalls). The thickness of red arrows and blue bars reflects the attack and defense power, respectively. Some attacks penetrate through the defenses (e.g., attacks against computer cn(t)), while others fail (e.g., attacks against computer c1(t)).
The outcome of the attack-defense interaction at time t is reflected by a security state vector S(t) = {s1(t), ..., sn(t)}, where si(t) = 0 means computer ci(t) is secure at time t and si(t) = 1 means computer ci(t) is compromised at time t. However, the defender's observation of the security state vector S(t), denoted by O(t) = {o1(t), ..., on(t)}, may not be perfect because of false-positives, false-negatives, or noise.

Figure 2 illustrates a snapshot of a computer system ci(t) at time t, where we also use blue bars to represent defenses, use red arrows to represent attacks, and use their thickness to reflect their defense/attack power. At a high level, ci(t) may have a range of vulnerabilities, which correspond to vi(t) in Figure 1. The vulnerabilities include the computer user's vulnerability (or susceptibility) to social-engineering attacks, the vulnerability caused by the use of weak passwords, and software vulnerabilities. The defense may include (i) the use of some filtering mechanisms that are deployed at the enterprise system perimeter to block (for example) traffic from malicious or blacklisted IP addresses, (ii) the use of some attack detection mechanisms to detect and block attacks before they reach computer ci(t), and (iii) the use of some proactive defense mechanisms (e.g., address space randomization) to try to prevent the exploitation of some vulnerabilities. Suppose the attacker has a vector of 12 attacks. Attack 1 successfully compromises ci(t) because the user is lured into (e.g.) clicking a malicious URL. Attack 4 successfully compromises ci(t) because the password in question is correctly guessed. Attacks 6 and 7 successfully compromise ci(t) because they exploit a zero-day vulnerability, despite the possible employment of proactive defense mechanisms on ci(t). Attack 9 successfully compromises ci(t) because the vulnerability is unpatched and the attack is neither filtered nor detected.
Attack 12 successfully compromises ci(t) because the cryptographic key in question is exposed by (e.g.) Heartbleed-like attacks against which no defense is employed (i.e., the lack of blue bars). All of the other attacks are blocked by some of the defense mechanisms or by the patch of the vulnerability in question.

[Figure 1 panels: (a) A vector of n computers/devices in an enterprise system of interest, C(t) = {c1(t), c2(t), c3(t), ..., cn-1(t), cn(t)}. (b) Vulnerabilities despite patching and defense, V(t) = {v1(t), v2(t), v3(t), ..., vn-1(t), vn(t)}. (c) Defenses: blue bars represent defenses for protecting computers/devices; thickness of a bar indicates the defense power. (d) Attacks: solid arrows represent attacks against a computer/device, with thickness of an arrow indicating the attack power; a dashed arrow means no attack is launched against a computer. (e) Outcome of attack-defense interactions at time t, reflected by the state vector S(t) = {s1(t)=0, s2(t)=0, s3(t)=0, ..., sn-1(t)=1, sn(t)=1}: si(t)=1 means ci is compromised, and si(t)=0 otherwise. (f) Defender's observations of the security state at time t, O(t) = {o1(t)=0, o2(t)=1, o3(t)=?, ..., on-1(t)=1, on(t)=0}: o2(t) is a false-positive, on(t) is a false-negative, and o3(t) is not conclusive.]

Fig. 1. An abstract representation of a snapshot of an enterprise system at time t, where the defenses (i.e., blue bars) accommodate both the defenses that are installed on the individual computers (e.g., anti-malware tools) and the defenses that are employed at the perimeter of the enterprise system (e.g., firewalls). Some attacks penetrate through the defenses (e.g., attacks against computer cn(t)), while others fail (e.g., attacks against computer c1(t)). Computer ci(t) may have a vector vi(t) of vulnerabilities, some of which may not be known to the defender (i.e., zero-day). The outcome of the attack-defense interaction at time t is reflected by a security state vector S(t) = {s1(t), ..., sn(t)}, where si(t) = 0 means computer ci(t) is secure at time t and si(t) = 1 means computer ci(t) is compromised at time t. However, the defender's observation of the security state vector S(t), denoted by O(t) = {o1(t), ..., on(t)}, may not be perfect because of false-positives, false-negatives, or non-decisions.

Our methodology leads to 4 categories of security metrics with respect to vulnerabilities, defenses, threats, and situations. As we review each category of security metrics, we also discuss their theoretical and practical uses mentioned above as well as what the ideal metrics may be, which hints at the gap between the state of the art and the ideal metrics we need to close. The insight behind the taxonomy is that, in principle, situations (or outcomes of cyber attack-defense interactions) are caused by certain threats (or attacks) against systems that have certain vulnerabilities (including human factors) and employ certain defenses. We here give a brief overview of the categories, which will be respectively elaborated in Sections 3-6.
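To make the notation concrete, here is an added worked example in Python; it is not code from the paper. It builds a small enterprise snapshot in the style of Figures 1 and 2, derives the security state vector S(t) from the attacks each computer faces, its vulnerabilities and its defense power, and then scores a defender's imperfect observation O(t) against S(t) by counting false-positives, false-negatives and non-decisions. Every host, vulnerability name and "power" value is constructed for illustration, and the success rule (an attack succeeds when it reaches an exploitable vulnerability with more power than the computer's defense) is a simplifying assumption of the example rather than a model the paper defines.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed example data (not from the survey): a five-computer
# enterprise snapshot in the style of Figure 1 and Figure 2.

@dataclass
class Computer:
    name: str
    # vulnerability name -> True if still exploitable (unpatched or unknown),
    # False if patched; covers user, password, software and key vulnerabilities.
    vulns: Dict[str, bool]
    # "thickness of the blue bar": combined power of the defenses protecting
    # this computer; 0.0 models a vulnerability with no defense at all.
    defense: float

@dataclass
class Attack:
    target: str      # name of the computer attacked
    exploits: str    # vulnerability the attack relies on
    power: float     # "thickness of the red arrow"

def security_state(computers: List[Computer], attacks: List[Attack]) -> List[int]:
    """Derive S(t): si(t) = 1 if at least one attack against ci(t) reaches an
    exploitable vulnerability with power exceeding ci(t)'s defense, else 0.
    (Assumed success rule for this example.)"""
    by_name = {c.name: c for c in computers}
    state = {c.name: 0 for c in computers}
    for a in attacks:
        c = by_name[a.target]
        if c.vulns.get(a.exploits, False) and a.power > c.defense:
            state[c.name] = 1
    return [state[c.name] for c in computers]

def observation_errors(S: List[int], O: List[Optional[int]]) -> Dict[str, int]:
    """Compare the true state S(t) with the defender's observation O(t),
    where each oi(t) is 0, 1 or None (no decision)."""
    return {
        "false_positives": sum(1 for s, o in zip(S, O) if o == 1 and s == 0),
        "false_negatives": sum(1 for s, o in zip(S, O) if o == 0 and s == 1),
        "non_decisions": sum(1 for o in O if o is None),
        "correct": sum(1 for s, o in zip(S, O) if o is not None and o == s),
    }

def run_example():
    computers = [
        Computer("c1", {"unpatched_cve": False}, defense=0.7),    # vulnerability already patched
        Computer("c2", {"weak_password": True}, defense=0.8),     # well defended
        Computer("c3", {"user_phishing": True}, defense=0.6),     # not attacked at all
        Computer("c4", {"zero_day": True}, defense=0.5),          # proactive defense only
        Computer("c5", {"exposed_tls_key": True}, defense=0.0),   # no defense (Heartbleed-like)
    ]
    attacks = [
        Attack("c1", "unpatched_cve", power=0.9),    # fails: vulnerability patched
        Attack("c2", "weak_password", power=0.5),    # fails: blocked by the defense
        Attack("c4", "zero_day", power=0.9),         # succeeds: beats the proactive defense
        Attack("c5", "exposed_tls_key", power=0.3),  # succeeds: nothing blocks it
    ]
    S = security_state(computers, attacks)
    # Constructed detector output: c2 flagged although secure (false-positive),
    # c3 undecided, c5 reported clean although compromised (false-negative).
    O = [0, 1, None, 1, 0]
    return S, O, observation_errors(S, O)

if __name__ == "__main__":
    S, O, errors = run_example()
    print("S(t) =", S)
    print("O(t) =", O)
    print(errors)
```

The same two functions extend to a time series: evaluating `security_state` at successive t gives the evolution of the global state that Section 2.3.4 calls a situation, and `observation_errors` gives the false-positive and false-negative rates that any situation metric built on O(t) has to account for.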
[Figure 2: attacks numbered 1 through 12 pass through the columns "Filtering" and "Attack detection" before reaching the "Computer"; rows are labelled user vulnerability, password vulnerability, unknown vulnerability (w/ proactive defense), unknown vulnerability (w/o proactive defense), unpatched vulnerability, patched vulnerability, and cryptographic key vulnerability, and a final column marks the successful attacks.]

Fig. 2. A snapshot of attacks against a computer (or device), say ci(t), in the enterprise system at time t, where blue bars also represent defenses and red arrows represent attacks (their thickness reflects their defense/attack power). If ci(t) was compromised at time t1 < t and is not cleaned up at time t, or if ci(t) is compromised at time t, then si(t) = 1. If the defender correctly observes the state of ci(t) at time t, the observation is oi(t) = 1. For cryptographic key vulnerabilities (e.g., Heartbleed-like vulnerabilities that are not patched), there is essentially no defense that can block the attack.

2.3.1. Metrics for measuring vulnerabilities. This category of metrics aims to measure the vulnerabilities of systems. As illustrated in Figure 1(a), an enterprise system consists of a vector C(t) = (c1(t), ..., cn(t)) of computers at time t. As illustrated in Figure 1(b), the enterprise system may have a vector V(t) = (v1(t), ..., vn(t)) of sets of vulnerabilities at time t, where vi(t) is, as illustrated in Figure 2, the vector of vulnerabilities with respect to ci(t). Vulnerabilities include user vulnerabilities, password guessability, and software vulnerabilities. Software vulnerabilities can be known or unknown (i.e., zero-day) to the defender.

2.3.2. Metrics for measuring defenses.
This category of metrics aims to measure the power or effectiveness of the defense mechanisms that are employed to protect enterprise and computer systems. As Figure 1(c) and Figure 2 illustrate, we use blue bars to represent defenses and their thickness to indicate their power. In practice, some computers may be well defended (illustrated by thick blue bars), some computers may be poorly defended (illustrated by thin blue bars), and some computers or zero-day vulnerabilities may not be defended at all (illustrated by the absence of blue bars).

2.3.3. Metrics for measuring threats. This category of metrics measures the threat landscape as well as the power or effectiveness of attacks. The threat landscape describes aspects of the attacking computers. As illustrated in Figure 1(d) and Figure 2, we use red arrows to represent attacks and their thickness to indicate their attack power. Some computers may be attacked by powerful attacks (illustrated by thick arrows), some computers may be attacked by less powerful attacks (illustrated by thin arrows), and some computers may not be attacked at all (illustrated by dashed arrows).

2.3.4. Metrics for measuring situations. This category of metrics measures outcomes of attack-defense interactions, especially the evolution of the global security state S(t) over time t [LeMay et al.; Xu 2014a]. As illustrated in Figure 1(e) and Figure 2, security state si(t) = 1 means computer ci(t) is compromised at time t, and si(t) = 0 otherwise. However, the defender may not know the true state vector S(t) = (s1(t), ..., sn(t)) because of measurement or observation errors such as false-positives, false-negatives, and non-decisions, as illustrated in Figure 1(f). In other words, it is possible that the observation vector O(t) = (o1(t), ..., on(t)) observed by the defender is not equal to S(t).

3. METRICS: MEASURING SYSTEM VULNERABILITIES

These metrics aim to measure the vulnerabilities of enterprise and computer systems via their users, the passwords of their users, their interfaces, their software vulnerabilities, and the vulnerabilities of the cryptographic keys they use.

3.1. Measuring system users' vulnerabilities

One metric is users' susceptibility to phishing attacks [Sheng et al. 2010]. This online study of 1,001 users shows that phishing education can reduce the user's susceptibility to phishing attacks and that young people (18 to 25 years old) are more susceptible to phishing attacks. This metric is measured via the false-positive rate that a user treats a legitimate email or website as a phish, and the false-negative rate that a user treats a phishing email or website as legitimate and subsequently clicks the link in the email or submits information to the website.

Another metric is users' susceptibility to malware infection [Lalonde Levesque et al.]. This clinical study of interactions between human users, anti-malware software, and malware involves 50 users, who monitor their laptops for possible infections during a period of 4 months. During this period of time, 38% of users are found to be exposed to malware, which indicates the value of the anti-malware tool (because these laptops would have been infected if anti-malware software was not used). The study also shows that user demographics (e.g., gender, age) are not significant factors in determining a user's susceptibility to malware infection, which contradicts the aforementioned finding in regards to users' susceptibility to phishing attacks [Sheng et al. 2010]. Nevertheless, it is interesting to note that (i) users installing many applications are more susceptible to malware infections, because the chance of installing malicious applications is higher, and (ii) users visiting many websites are more susceptible to malware infections, because some websites are malicious [Lalonde Levesque et al.].
It is important to understand and measure the degrees of users' susceptibilities to each individual class of attacks and to multiple classes of attacks collectively (e.g., multiple forms of social-engineering attacks). For this purpose, research needs to be conducted to quantify how the susceptibilities are dependent upon factors that affect users' security decisions (e.g., personality such as high vs. low attention control [Neupane et al. 2015]). This area is little understood [Howe et al. 2012; Sheng et al. 2010; Lalonde Levesque et al.], but the reward is high. For the theoretical use of security metrics, these metrics can be incorporated into security models as parameters to model (e.g.) the time or effort that is needed in order for an attacker to exploit user vulnerabilities to compromise a computer or to penetrate into an enterprise system. For the practical use of security metrics, these metrics can be used to tailor defenses for individual users (e.g., a careless employee may have to go through some security proxy in order to access Internet websites). It would be appropriate to say that being able to measure these security metrics is as important as being able to measure an individual's susceptibility to cancers because of (e.g.) her genes. As the ability to quantify an individual's predisposition to diseases can lead to proactive treatment, the ability to quantify security can lead to tailored and more effective defenses.

3.2. Measuring password vulnerabilities

The parameterized password guessability metric measures the number of guesses an attacker with a particular cracking algorithm (i.e., a particular threat model) needs to make before recovering a password [Weir et al. 2010; Bonneau 2012a; Kelley et al.; Ur et al.].
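As an added illustration (not code from the paper or from the cited studies), the following Python computes the parameterized guessability of a few constructed passwords under two toy threat models: an ordered wordlist with a handful of suffix mangling rules, and an exhaustive search over a small character set, both capped by a guess budget. The wordlist, suffixes, character set and passwords are all made up for the example; real cracking tools use far larger inputs and more elaborate rules, so the absolute guess counts here only show how the metric is parameterized by the threat model, how a password can be cheap under one algorithm and out of reach under another, and how a worst-case (attacker's best strategy) and an average-case figure can be taken across strategies.

```python
import itertools
from statistics import mean
from typing import Callable, Dict, Iterable, List, Optional

# Constructed example (not from the survey): two toy cracking strategies and a
# few made-up passwords, used to compute parameterized password guessability.

WORDS = ["password", "sunshine", "dragon", "letmein"]  # toy wordlist, in attack order
SUFFIXES = ["", "1", "123", "!"]                        # toy mangling rules
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"        # toy brute-force alphabet

def wordlist_strategy() -> Iterable[str]:
    """Threat model A: dictionary words in list order, each mangled with a few suffixes."""
    for word in WORDS:
        for suffix in SUFFIXES:
            yield word + suffix

def bruteforce_strategy(max_len: int = 4) -> Iterable[str]:
    """Threat model B: exhaustive search over CHARSET, shortest guesses first."""
    for length in range(1, max_len + 1):
        for tup in itertools.product(CHARSET, repeat=length):
            yield "".join(tup)

def guesses_needed(password: str, strategy: Callable[[], Iterable[str]], budget: int) -> Optional[int]:
    """Parameterized guessability: 1-based number of guesses the strategy makes
    before it recovers the password, or None if not found within the budget."""
    for i, guess in enumerate(strategy(), start=1):
        if i > budget:
            return None
        if guess == password:
            return i
    return None

STRATEGIES: Dict[str, Callable[[], Iterable[str]]] = {
    "wordlist": wordlist_strategy,
    "bruteforce": bruteforce_strategy,
}

def guessability(password: str, budget: int = 50_000) -> Dict[str, Optional[int]]:
    """Guess count under each threat model; comparing several strategies is what
    the text recommends when the defender is unsure which cracker to expect."""
    return {name: guesses_needed(password, s, budget) for name, s in STRATEGIES.items()}

def summarize(per_strategy: Dict[str, Optional[int]]) -> Dict[str, Optional[float]]:
    """Defender's worst case is the attacker's best strategy (fewest guesses);
    the average case is taken over the strategies that succeed within budget."""
    found = [v for v in per_strategy.values() if v is not None]
    return {
        "worst_case": min(found) if found else None,
        "average_case": mean(found) if found else None,
    }

def report(passwords: List[str], budget: int = 50_000) -> Dict[str, Dict[str, Optional[float]]]:
    return {pw: {**guessability(pw, budget), **summarize(guessability(pw, budget))} for pw in passwords}

if __name__ == "__main__":
    # "password1" falls to the wordlist at guess 2 but is beyond the brute-force budget;
    # "zq7" is immune to the wordlist yet needs only 34342 brute-force guesses.
    for pw, row in report(["password1", "zq7", "k9#vR2pQ"]).items():
        print(pw, row)
```

Note that a password's score is meaningless without naming the strategy and budget it was measured under: "zq7" looks unguessable to the wordlist model and weak to the brute-force model, which is exactly the caution the text raises about relying on a single cracking algorithm.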
This metric is easier to use than earlier metrics such as password entropy [Burr et al. 2006], which cannot tell which passwords are easier to crack than others, and statistical password guessability [Bonneau 2012b; Bonneau 2012a; Kelley et al.], which is more appropriate for evaluating passwords as a whole (rather than for evaluating them individually).

The parameterized password guessability metric should be used with caution if a single password cracking algorithm is used, because different cracking algorithms can have very different strategies with varying results [Ur et al.]. When the defender is uncertain about the threat model, multiple cracking strategies need to be considered. For both theoretical and practical uses of password vulnerability metrics, we might need to consider the worst-case and/or the average-case parameterized password guessabilities. This is one of the few sub-categories of security metrics that are better understood.

3.3. Measuring interface-induced vulnerabilities

The interface to access an enterprise or computer system from the outside world (e.g., service access points) offers potential opportunities for launching cyber attacks against the system. The attack surface metric measures the number and severity of attack vectors that can be launched against a system through its service access points such as sockets and RPC endpoints [Manadhata and Wing 2011]. It is worth mentioning that the attack surface is not necessarily dependent upon software vulnerabilities. The attack surface should be used with caution because reducing the attack surface (e.g., uninstalling security software) does not necessarily improve security [Nayak et al.]. It has been suggested to define a variant of attack surface as the portion of the attack surface that has been exercised [Nayak et al.]. This variant, while useful in analyzing historical data (i.e., incidents that have occurred), may or may not be appropriate for measuring security in the future because an attack surface not exercised in the past may be exercised in the future.
Suppose we are to model security at higher levels of abstraction in terms of system interfaces. We would need to measure interface-induced system susceptibility, which measures how the exercise of the attack surface is dependent upon the features of attack surfaces. For practical purposes, it is ideal to be able to predict interface-induced system susceptibilities, namely the interfaces that will be exploited to launch attacks in the near future. Knowing which interfaces are more likely to be abused to launch attacks would allow the defender to employ tailored defenses that pay particular attention to these interfaces.

3.4. Measuring software vulnerabilities

Software vulnerabilities are the main venue for launching cyber attacks. We classify the metrics for measuring software vulnerabilities into three sub-categories: spatial characteristics, temporal characteristics, and severity.

3.4.1. Measuring software vulnerability spatial characteristics. These metrics reflect how spatially vulnerable an enterprise or computer system is. The number of unpatched vulnerabilities at time t can be determined by using vulnerability scanners [Chew et al.; Center for Internet Security 2010]. The vulnerability prevalence metric measures the popularity of a vulnerability in a system [Zhang et al. 2014b]. This metric is important because a single vulnerability may exist in many computers of an enterprise or cloud system, and because an attacker can launch a single attack against all the computers that possess a prevalent vulnerability. Another variant metric is the number of exploited vulnerabilities, namely the vulnerabilities that have been exploited in the past [Nayak et al.; Allodi]. This metric is important because some vulnerabilities may never get exploited in the real world because, for example, many vulnerabilities are difficult to exploit or their exploitation does not reward the attacker with many compromised computers. For example, one study [Nayak et al.] shows that at most 35% of the known vulnerabilities have been exploited, with a small number of vulnerabilities (e.g., CVE-2008-4250 and CVE-2009-4324) being responsible for many attacks. Another study [Allodi] shows that 10% of the vulnerabilities are responsible for 90% of attacks.

When using these metrics as parameters in security modeling, we would need to estimate the susceptibility of a computer to attacks that exploit software vulnerabilities at time t. When using these metrics to compare the security of two systems or the security of a system during two periods of time, one must be cautious about (i) some vulnerabilities never being exploited, (ii) the varying capabilities of scanners in terms of their scanning depth and completeness, and (iii) the threats possibly being different (e.g., two systems may be targeted by different attackers and there may be zero-day attacks that are not detected yet). In other words, the theoretical and practical uses of these security metrics require us to estimate, or even predict, the vulnerability situation awareness metric. This metric measures the number of vulnerabilities of a system at time t and the likelihood of each of these vulnerabilities being exploited at time t′ ≥ t.

3.4.2. Measuring software vulnerability temporal characteristics. Temporal characteristics of software vulnerabilities include their evolution and lifetime.

Measuring evolution of software vulnerabilities. The historical vulnerability metric measures the degree that a system is vulnerable, or the number of vulnerabilities, in the past [Al-Shaer et al. 2008; Ahmed et al. 2008]. The future vulnerability metric measures the number of vulnerabilities that will be discovered during a future period of time [Al-Shaer et al. 2008; Ahmed et al. 2008]. Interesting variants of these metrics include historical exploited vulnerabilities, namely the number of vulnerabilities that were exploited in the past, and future exploited vulnerabilities, namely the number of vulnerabilities that will be exploited during a future period of time.
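The spatial metrics just described (number of unpatched vulnerabilities per host, vulnerability prevalence, the fraction of known vulnerabilities exploited in the past) and the vulnerability lifetime metric discussed later in this section can all be computed from the same scanner and patch history. The following Python is an added example, not code from the survey or from the studies it cites; it works over a constructed set of disclosure/patch records for a small fleet with made-up vulnerability ids V1 to V4, host names and day numbers. It assumes each vulnerability has a single disclosure day shared by all affected hosts and that a host still unpatched at the observation time t is censored (counted as not yet patched rather than assumed patched), and it reports lifetime both as the days until a given fraction of affected hosts is patched and as the fraction still vulnerable d days after disclosure.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed example data (not from the survey). Vulnerability ids V1..V4,
# host names and all day numbers are made up; "exploited" marks vulnerabilities
# known to have been exploited in the wild (historical exploited vulnerabilities).

@dataclass
class Record:
    host: str
    vuln: str
    disclosed: int          # day the vulnerability was publicly disclosed
    patched: Optional[int]  # day this host was patched; None if still unpatched
    exploited: bool

RECORDS = [
    Record("h1", "V1", 10, 15, True),
    Record("h2", "V1", 10, 40, True),
    Record("h3", "V1", 10, None, True),    # never patched
    Record("h4", "V1", 10, 12, True),
    Record("h1", "V2", 50, 60, False),
    Record("h2", "V2", 50, None, False),
    Record("h1", "V3", 90, None, True),
    Record("h2", "V3", 90, None, True),
    Record("h3", "V3", 90, None, True),
    Record("h1", "V4", 120, None, False),  # disclosed after the observation time
]
T = 100  # observation time t (day number)

def is_vulnerable_at(r: Record, day: int) -> bool:
    """Host r.host carries r.vuln on `day`: already disclosed and not yet patched."""
    return r.disclosed <= day and (r.patched is None or r.patched > day)

def unpatched_per_host(records: List[Record], t: int) -> Dict[str, int]:
    """Number of unpatched vulnerabilities on each host at time t (a scanner's view)."""
    counts = {r.host: 0 for r in records}
    for r in records:
        if is_vulnerable_at(r, t):
            counts[r.host] += 1
    return counts

def prevalence(records: List[Record], t: int) -> Dict[str, int]:
    """Vulnerability prevalence: number of hosts carrying each known vulnerability at time t."""
    known = sorted({r.vuln for r in records if r.disclosed <= t})
    return {v: sum(1 for r in records if r.vuln == v and is_vulnerable_at(r, t)) for v in known}

def exploited_fraction(records: List[Record], t: int) -> float:
    """Share of the vulnerabilities known at time t that have been exploited in the wild."""
    known = {r.vuln: r.exploited for r in records if r.disclosed <= t}
    return sum(known.values()) / len(known) if known else 0.0

def days_to_patch_fraction(records: List[Record], vuln: str, fraction: float, t: int) -> Optional[int]:
    """Lifetime metric: days after disclosure until `fraction` of the affected hosts
    were patched (fraction=0.5 gives the median host). None if not reached by day t;
    hosts still unpatched at t are censored, not assumed patched."""
    affected = [r for r in records if r.vuln == vuln and r.disclosed <= t]
    if not affected:
        return None
    delays = sorted(r.patched - r.disclosed for r in affected
                    if r.patched is not None and r.patched <= t)
    needed = math.ceil(len(affected) * fraction)
    if needed == 0:
        return 0
    return delays[needed - 1] if len(delays) >= needed else None

def still_vulnerable_after(records: List[Record], vuln: str, d: int, t: int) -> Optional[float]:
    """Fraction of affected hosts still unpatched d days after disclosure.
    None if that day lies beyond the observation time t."""
    affected = [r for r in records if r.vuln == vuln and r.disclosed <= t]
    if not affected:
        return None
    day = affected[0].disclosed + d  # assumes one disclosure day per vulnerability
    if day > t:
        return None
    return sum(1 for r in affected if is_vulnerable_at(r, day)) / len(affected)

if __name__ == "__main__":
    print("unpatched per host:", unpatched_per_host(RECORDS, T))
    print("prevalence:", prevalence(RECORDS, T))
    print("exploited fraction:", round(exploited_fraction(RECORDS, T), 3))
    print("V1 days to patch 50% of hosts:", days_to_patch_fraction(RECORDS, "V1", 0.5, T))
    print("V1 share still vulnerable 20 days after disclosure:",
          still_vulnerable_after(RECORDS, "V1", 20, T))
```

The censoring in `days_to_patch_fraction` matters for the comparison caveats above: a fleet scanned shortly after a disclosure will show a short lifetime only if the metric is allowed to say "not yet reached" instead of extrapolating from the hosts patched so far.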
The tendency-to-be-exploited metric measures the tendency that a vulnerability may be exploited, where the "tendency" may be computed from (e.g.) the information that was posted on Twitter before vulnerability disclosures [Sabottke et al. 2015]. This metric may be used to prioritize vulnerabilities for patching.

Measuring software vulnerability lifetime. It is ideal that each vulnerability is immediately patched upon its disclosure. Despite the enforcement of patching policies, some vulnerabilities may never get patched. The vulnerability lifetime metric measures how long it takes to patch a vulnerability since its disclosure. Different vulnerability lifetimes may be exhibited at the client-end, the server-end, and the cloud-end.

Client-end vulnerabilities are often exploited to launch targeted attacks (e.g., spear-phishing) [Hardy et al. 2014; Marczak et al. 2014]. These vulnerabilities are hard to patch completely because of their prevalence (i.e., a vulnerability may appear in multiple programs) [Nappa et al. 2015]. A study conducted in year 2010 [Frei and Kristensen 2010] shows that 50% of 2 million Windows users in question are exposed to 297 vulnerabilities over a period of 12 months. A more recent study [Nappa et al. 2015] shows that despite the presence of 13 automated patching mechanisms (other than the Windows update), the median fraction of computers that are patched when exploits are available is no greater than 14%, and the median time for patching 50% of vulnerable computers is 45 days after disclosure.

One would think that server-end vulnerabilities are more rapidly patched than client-end ones. Let us consider the disclosure of two severe vulnerabilities in OpenSSL. First, for the pseudorandom-number-generation vulnerability in Debian Linux's OpenSSL, a study [Yilek et al.] shows that 30% of the computers that were vulnerable 4 days after disclosure remain vulnerable almost 180 days later (i.e., 184 days after disclosure). This is somewhat surprising because the private keys generated by the vulnerable computers might have been exposed to the attacker. Second, for the Heartbleed vulnerability in OpenSSL that can be remotely exploited to read a vulnerable server's sensitive memory that may contain cryptographic keys and passwords, a study [Durumeric et al. 2014] estimates that 24%-55% of the HTTPS servers in Alexa's Top 1 Million websites were initially vulnerable. Moreover, 11% of the HTTPS servers in Alexa's Top 1 Million remain vulnerable 2 days after disclosure, and 3% of the HTTPS servers in Alexa's Top 1 Million were still vulnerable 60 days after disclosure.

One may think that vulnerabilities in the cloud are well managed, perhaps because cloud users can run public virtual machine images (in addition to their own images). A study [Zhang et al. 2014b] shows that many of the 6,000 public Amazon Machine Images (AMIs) offered by Amazon Web Services (AWS) Elastic Compute Cloud (EC2) contain a considerable number of vulnerabilities, and that Amazon typically notifies cloud users about vulnerabilities 14 days after their disclosure.

Summarizing the temporal metrics discussed above, we observe that defenders need to do a substantially better job at reducing the lifetime of software vulnerabilities after disclosure. Because vulnerability lifetime may never be reduced to 0, it is important to know the vulnerability vector V(t) or vi(t) at any time t. For using vulnerability lifetime in security modeling, we need to know its statistical distribution and how the distribution is dependent upon various factors.

3.4.3. Measuring software vulnerability severity. This metric measures the degree of damage that can be caused by the exploitation of a vulnerability. A popular example is the CVSS score, which considers the following three factors [Forum of Incident Response and Security Teams (FIRST)].
The base score reflects the vulnerability's time- and environment-invariant characteristics, such as its access condition, the complexity of exploiting it, and the impact once exploited. The temporal and environmental scores reflect its time- and environment-dependent characteristics. Another example is the availability of exploits in black markets [Bilge and Dumitras], which is interesting because the public release of vulnerabilities is often followed by an increase in exploits.

However, many vulnerabilities have the same CVSS scores [Jansen 2009; Allodi and Massacci 2014]. The practice of using CVSS scores (or base scores) to prioritize the patching of vulnerabilities has been considered both harmful, because information about low-severity bugs can lead to the development of high-severity attacks [Allodi and Massacci 2014; Arnold et al.; Brumley et al.], and ineffective, because patching a vulnerability solely because of its high CVSS score makes no more difference than patching vulnerabilities randomly [Allodi and Massacci 2014]. For practical use, it would be ideal if we can precisely define the intuitive metric of patching priority. For theoretical use, it would be ideal if we can quantify the global damage of a vulnerability to an enterprise system upon its exploitation, which may in turn help measure the patching priority.

3.5. Measuring cryptographic key vulnerabilities

Cryptographic keys are vulnerable when the underlying random number generators are weak, as witnessed by the pseudorandom-number-generation vulnerability in Debian Linux's OpenSSL [Yilek et al.]. Here we highlight the weak cryptographic keys caused by using the fast /dev/urandom as a replacement of the slow /dev/random in Linux [Heninger et al. 2012].
The difference between them is that /dev/urandom returns the requested number of bytes immediately even if not enough entropy has been collected, while /dev/random returns the requested number of bytes only after the entropy pool contains the required fresh entropy. As a consequence of reading /dev/urandom before enough entropy has been collected, the same key material (e.g., prime numbers) can be generated and used by multiple devices. A study shows that the RSA private keys of 0.50% of the TLS hosts examined and 0.03% of the SSH hosts examined can be recovered because their RSA moduli share non-trivial factors [Heninger et al. 2012]. The study also shows that the DSA private keys of 1.03% of the SSH hosts examined can be extracted due to insufficient randomness in their digital signatures. These problems mainly exist in embedded devices, including routers and firewalls, because they generate cryptographic keys on their first boot, when little entropy is available.

This kind of vulnerability should have been prevented by prudent engineering in the use of randomness, which requires the programmer to understand, for example, the difference between /dev/random and /dev/urandom. (On current Linux kernels the practical rule is simpler: getrandom(2), and since Linux 5.6 also /dev/random, block only until the pool has been seeded once, which is exactly the boot-time condition that produced these weak keys.) Nevertheless, it would be ideal to be able to tell whether a newly generated cryptographic key is weak or not.

4. METRICS: MEASURING DEFENSES

These metrics measure the defenses employed to protect enterprise and computer systems in terms of the effectiveness of blacklisting, the power of attack detection, the effectiveness of software diversification, the effectiveness of memory randomization, and the overall effectiveness of these defenses.

4.1. Measuring the effectiveness of blacklisting

Blacklisting is a useful, lightweight defense mechanism. Suppose a malicious entity (e.g., an attacking computer, IP address, malicious URL, botnet command-and-control server, or drop-zone server) is observed at time t. Then the traffic flowing to or from the malicious entity can be blocked starting at some time t′ ≥ t.
The reaction time is the delay t′ − t between the observation of the malicious entity at time t and the blacklisting of the malicious entity at time t′ [Kührer et al.]. The coverage metric measures the portion of malicious entities that are blacklisted. For example, a study shows that the union of 15 malware blacklists covers only 20% of the malicious domains that are compromised by some major malware families [Kührer et al.].

These metrics are defined with respect to the observers and blacklists in question. For practical use, they can be used to compare the effectiveness of different blacklists and can guide the design of better blacklisting solutions (e.g., achieving a certain reaction time and a certain degree of coverage). For theoretical use in security modeling, we might need to accommodate them into a unified metric, which may be called the blacklisting probability and may be measured by the conditional probability that a malicious entity (e.g., a URL or IP address) active at time t is blacklisted at time t. This would require us to understand the various factors that affect whether malicious entities get blacklisted.

4.2. Measuring the power of attack detection

Attack detection tools, such as cyber instruments (e.g., honeypots and blackholes that monitor unused IP addresses for attacks), intrusion detection systems and anti-malware programs, aim to detect attacks. The effectiveness of attack detection can be measured by their individual effectiveness, relative effectiveness, and collective effectiveness.

4.2.1. Measuring the individual detection power. For instrument-based attack detection, the detection time metric measures the delay between the time t_0 at which a compro-
