Vulnerability management for safe configurations in autonomic networks and systems / Gestion des vulnérabilités dans les réseaux et systèmes autonomes

Barrère Cambrún, Martín

12 June 2014

Le déploiement d'équipements informatiques à large échelle, sur les multiples infrastructures interconnectées de l'Internet, a eu un impact considérable sur la complexité de la tâche de gestion. L'informatique autonome permet de faire face à cet enjeu en spécifiant des objectifs de haut niveau et en déléguant les activités de gestion aux réseaux et systèmes eux-mêmes. Cependant, lorsque des changements sont opérés par les administrateurs ou par les équipements autonomes, des configurations vulnérables peuvent être involontairement introduites. Ces vulnérabilités offrent un point d'entrée pour des attaques de sécurité. À cet égard, les mécanismes de gestion des vulnérabilités sont essentiels pour assurer une configuration sûre de ces environnements. Cette thèse porte sur la conception et le développement de nouvelles méthodes et techniques pour la gestion des vulnérabilités dans les réseaux et systèmes autonomes, afin de leur permettre de détecter et de corriger leurs propres expositions aux failles de sécurité. Nous présenterons tout d'abord un état de l'art sur l'informatique autonome et la gestion de vulnérabilités. Nous décrirons ensuite notre approche d'intégration du processus de gestion des vulnérabilités dans ces environnements, et en détaillerons les différentes facettes, notamment : extension de l'approche dans le cas de vulnérabilités distribuées, prise en compte du facteur temps en considérant une historisation des paramètres de configuration, et application en environnements contraints en utilisant des techniques probabilistes. Nous présenterons également les prototypes et les résultats expérimentaux qui ont permis d'évaluer ces différentes contributions / Over the last years, the massive deployment of computing devices over disparate interconnected infrastructures has dramatically increased the complexity of network management. Autonomic computing has emerged as a novel paradigm to cope with this challenging reality. By specifying high-level objectives, autonomic computing aims at delegating management activities to the networks themselves. However, when changes are performed by administrators and self-governed entities, vulnerable configurations may be unknowingly introduced. Nowadays, vulnerabilities constitute the main entry point for security attacks. Therefore, vulnerability management mechanisms are vital to ensure safe configurations, and with them, the survivability of any autonomic environment. This thesis targets the design and development of novel autonomous mechanisms for dealing with vulnerabilities, in order to increase the security of autonomic networks and systems. We first present a comprehensive state of the art in autonomic computing and vulnerability management. Afterwards, we present our contributions which include autonomic assessment strategies for device-based vulnerabilities and extensions in several dimensions, namely, distributed vulnerabilities (spatial), past hidden vulnerable states (temporal), and mobile security assessment (technological). In addition, we present vulnerability remediation approaches able to autonomously bring networks and systems into secure states. The scientific approaches presented in this thesis have been largely validated by an extensive set of experiments which are also discussed in this manuscript

Sécurité

Gestion de réseaux

Informatique autonome

Gestion de vulnérabilités

Security

Network management

Autonomic computing

Vulnerability management

005.8

Effective Vulnerability Management for Small Scale Organisations in Ghana

Lartey, Jerry

January 2019

Most Small and Medium scale Enterprises (SMEs) in Ghana are notparticularly anxious about the consequences of inadequacy or lack of anyform of vulnerability management operation in their normal businesspractices. This case study research explores how a local Internet ServiceProvider (ISP) in Ghana and its local client-base can manage vulnerabilitieswith a targeted patch management practise integrated into their operations.To answer the research question “How can a SME local Internet ServiceProvider (ISP) in Accra, Ghana, assist their local customer base to integrateeffective cybersecurity vulnerability management into their operations?“,This case study comprised the Subject Matter Expert of one local ISP as well as4 other technical Subject Matter Experts of the ISP’s clients about their patchmanagement operations. This case study research revealed that most SMEs donot consider vulnerability management as a key concern in the operation oftheir organisation and therefore, proposes a way to highlight the importanceof vulnerability management whiles doing so at a cost-effective manner. Theimplications of targeted cybersecurity patch management for the local ISP andtheir client-base is also addressed by this thesis research.

Vulnerability management

patch management

small-scale organisations

Ghana

local ISPs

Cybersecurity Framework

small and medium-sized enterprises

subject matter experts

open source.

Computer Systems

Datorsystem

企業資訊安全風險評估－以電腦病毒為例

洪裕傑, Hung,Yu-Chieh

Unknown Date

隨著網際網路的快速成長，資訊安全已成為企業最重視的議題之一。企業必須保護自己免於網路威脅(Cyber-Threat)，不過防止企業免受網際威脅已非易事，這也為企業資訊安全風險埋下了一顆不定時炸彈。換句話說，資訊安全風險是現今企業所面臨的主要挑戰之一，企業資訊安全防護的好壞將直接反應在企業的盈虧上，甚至可能影響到顧客對該企業產品或服務的滿意度等，對企業的殺傷力是不容忽視的。目前的防毒軟體(Anti-Virus)與威脅管理系統(Threat Management System)所能提供的基本功能都是大同小異，其效能也在伯仲之間，但是企業使用的成效則大不相同。因此如何掌握左右企業資訊安全風險的主要影響因子，並根據該影響因子提供企業一套資訊安全策略以解決其所面臨的風險與使得金錢上的損失降到最低，將是改善企業資訊安全風險的關鍵成功因素。 本研究首先透過與五位企業安全維護有實務經驗的專家訪談，了解資訊安全之重要影響因素並不在於投入防毒軟體的預算金額，反而是企業的資訊安全策略類型，如使用者與資訊安全人員關係型態、資訊安全人員的素質、高階主管對資訊安全政策的支持之類因素更重要。 接著藉由問卷調查，以國內某著名防毒軟體客戶為樣本，發出1910份郵寄問卷與網路問卷邀請email信，共回收102份有效問卷，回收率5.3%。問卷共分為兩大部份：組織特徵（包括公司背景、過去三年病毒感染情形、防毒系統、資訊安全管理現況）及防毒能力評估（防毒軟體的使用、監控與過濾、追蹤裝置、區隔網路等四類防毒技術的使用，與弱點管理、病毒碼部署、帳號管理、應用程式與網路使用的權限、回應與恢復程序等五類安全程序政策，組織的責任與能力、組織的順從、對教育訓練的重視等三項組織因素）。以「病毒爆發數量」、「病毒爆發影響嚴重性」、「偵測病毒數」與「偵測感染事件事」為應變數，以公司概況及防毒能力評估各變項為自變數進行單因子與多因子變異數分析，分析結果顯示組織大小及防毒軟體的使用、弱點管理、帳號管理等安全程序政策是影響「病毒爆發數量」的重要因素；組織大小、網路管理等組織特徵，防毒軟體的使用、弱點管理、病毒碼部署等安全程序政策及教育訓練等是影響「病毒爆發影響嚴重性」的重要因素；組織大小與防毒軟體的使用、監控與過濾等防毒技術的使用，弱點管理影響「偵測病毒數」的重要因素；組織大小、弱點管理、與教育訓練等是影響「偵測感染事件數」的重要因素。 本研究藉由分析企業在資訊安全所面臨到的風險，得以建立並發展相關評量的模型，研究結果除了可以提供廠商與設計人員在開發企業資訊安全風險評量時參考的依據，也為後續的相關實證研究提供一些建議的方向。 / Following the growth of the www internet in the latest years, information security has become the most important topic among all enterprise companies. Enterprise companies have to protect themselves from Cyber-Threat, but this is not an easy job at all. That means a hidden bomb has already been planted inside their information systems. In another words, the information security threat is the main challenge that all enterprise companies are facing right now. The performance of the defensive system that an enterprise company is using directly impacts whether this company can have a profit gain or loss; furthermore, this affects the customers’ satisfaction about the company’s products and services. This threat can harm the company and should not be ignored. Right now the basic service that Anti Virus software and Threat Management System can provide and their performance are functionally the same, but the effective factor of how each different companies use them may yield a big difference. Hence, knowing how to control the main factor of the information security threat of the company and knowing how to provide the best and the most secured strategy according to the threat to solve any possible future threat such that the loss of profit can be minimized, will be the most important aspect for an enterprise company to be succeeded. This research was conducted by interviewing with five experienced enterprise security maintenance experts at first. From the conservation, we have learned that the main factor of the information security is not depending on the amount of budget that the company has spent on anti-virus software. In fact the strategy type that the company uses for information security is the main reason. This includes the relational model between the users and the information security members, the quality of the information security members, the support of information security strategy from the top manager, and etc. These are more important factors. We have then conducted a survey among the customers from one of the famous anti virus software in Taiwan. We have sent out 1910 questionnaire mails and online survey invitation emails, we have collected back 102 copies of valid questionnaires (5.3% of the total). The questionnaire contains two parts: the characteristic of the company (including the background of company, the virus infection situation in the past three years, the anti virus system, the present situation of information security management), and the performance evaluation of the anti-virus system (which one(s) out of the four anti-virus techniques that the current company is applying: using anti-virus software, monitoring and filtering, using some tools for tracing, and the separation of local area network. Which one(s) out of five security process strategies that the company is using: weakness management, virus pattern deployment, account management, permission of using application and network, and response and restore process. And the factor of company: the responsibility and ability, the obedient, and the weight that was put for educational training.) Using the infection number of virus, the impact severity of virus spread, the quantity of detectable virus, and the number of detectable infection events as dependent variables, along with using the situation of company and each items in anti-virus ability evaluation as single factor or multiple factor variant analysis, the analyzed result shows that the size of companies and the security process strategies such as the use of anti-virus software, weakness management, and account management, are the main factors of the infection number of virus. The characteristic of the company such as the size of companies and its network management, the security process strategies such as the use of anti-virus, weakness management, and virus pattern deployment, and the educational training are the main reasons of affecting the severity of virus spread. The size of company, the use of anti virus technique such as the use of anti-virus software and the monitoring and filtering, and weakness management are the main factors of the number of detected virus. The size of company, weakness management, and the educational training are the main factor of the number of events of detected infection. According to the analysis of the threat of information security that an enterprise company would face, this research has built and developed a related evaluation model. The result from this research not only can provide a reference for companies and software designers when they evaluate their enterprise information security, but also suggest a new direction for future research.

資訊安全

病毒

網路威脅

弱點管理

Information Security

Virus

Cyber-Threat

Vulnerability Management

Explaining change : Comparing network snapshots for vulnerability management

Persson, Andreas, Landenstad, Lukas

January 2018

Background. Vulnerability management makes it easier for companies to find, manage and patch vulnerabilities in a network. This is done by scanning the network for known vulnerabilities. The amount of information collected during the scans can be large and prolong the analysis process of the findings. When presenting the result of found vulnerabilities it is usually represented as a trend of number of found vulnerabilities over time. The trends do not explain the cause of change in found vulnerabilities.  Objectives. The objective of this thesis is to investigate how to explain the cause of change in found vulnerabilities, by comparing vulnerability scanning reports from different points in time. Another objective of this thesis is to create an automated system that connects changes in vulnerabilities to specific events in the network. Methods. A case study was conducted where three reports, from vulnerability scans of Outpost24's internal test network, were examined in order to understand the structure of the reports and mapping them to events. To complement the case study, an additional simulated test network was set up in order to conduct self defined tests and obtain higher accuracy when identifying the cause of change in found vulnerabilities. Results. The observations done in the case study provided us with information on how to parse the data and how to identify the cause of change with a rule-based system. Interpretation of the data was done and the changes were grouped into three categories; added, removed or modified. After conducting the test cases, the results were then interpreted to find signatures in order to identify the cause of change in vulnerabilities. These signatures were then made into rules, implemented into a proof-of-concept tool. The proof of concept tool compared scan reports in pairs in order to find differences. These differences were then matched with the rules and if it did not match any rule, the change in the report was flagged as an ''unexplained'' change. The proof-of-concept tool was then used to investigate the cause of change between the reports from the case study. The framework was validated by evaluating the rules gathered from the simulated test network on the data from the case study. Furthermore, a domain expert verified that the identified causes were accurate by manually comparing the vulnerability reports from the case study. Conclusions. It is possible to identify the cause of change in found vulnerabilities from vulnerability scan reports by constructing signatures for events and use these signatures as rules. This can also be implemented automatically, as a software, in order to identify the cause of change faster than manual labor. / Bakgrund. Sårbarhetshantering underlättar arbetet för företag att hitta, hantera och korrigera sårbarheter i ett nätverk. Det görs genom att skanna nätverket efter kända sårbarheter. Mängden information som samlas under skanningar kan vara stor och medföra till att analysprocessen av upptäckterna försenas. Resultaten av de upptäckta sårbarheterna brukar vanligtvis presenteras som en trend av antalet funna sårbarheter över ett tidsintervall. Trenderna förklarar dock inte andledningen till de funna sårbarheterna. Syfte. Målet med denna avhandling är att undersöka hur det är möjligt att identifiera anledningen till skillnaden i funna sårbarheter genom att jämföra sårbarhetsrapporter från olika tidpunkter. Ett andra mål är att utveckla ett automatiskt system som kopplar skillnaderna i funna sårbarheter till specifika händelser i nätverket. Metod. En fallstudie utfördes där tre sårbarhetsrapporter, från Outpost24s interna testnätverk, undersöktes för att få förståelse kring strukturen av rapporterna samt för att koppla upptäckter i rapporterna till händelser. För att komplementera fallstudien satte vi upp ett nytt, simulerat testnätverk för att kunna utföra egna tester samt för att uppnå en högre precision vid identifiering av förändringar. Resultat. Utifrån fallstudien fick vi förståelse för hur vi skulle tolka informationen från rapporterna samt för hur man kan ge orsak till förändring genom ett regelbaserad system. Informationen från rapporterna tolkades och förändringarna delades in i tre olika kategorier; tillagda, borttagna eller modifierade. Utifrån testerna från det simulerade nätverket byggdes signaturer som identifierar orsak till föränding av funna sårbarheter. Signaturerna användes sedan för att göra regler, vilka implementerades i ett konceptverktyg. Konceptverktyget jämförde sårbarhetsrapporter i par för att upptäcka skillnader. De identifierade skillnaderna försökte sedan matchas ihop med reglerna och skulle skillnaden inte matcha någon regel så flaggas skillnaden som ''oförklarad''. Konceptverktyget användes slutligen för att finna orsak till förändringar i rapporterna från fallstudien. Ramverket validerates genom att utvärdera hur reglerna byggda utifrån det simulerade nätverket presterade för fallstudien. En domänexpert verifierade att händelserna som presenterades och orsaken till förändringarna var korrekta genom att analysera sårbarhetsrapporterna från fallstudien manuellt. Slutsatser. Det är möjligt att identifiera orsak till förändringar i upptäckta sårbarheter i sårbarhetsrapporter genom att identifiera signaturer för händelser, och använda dessa signaturer i ett reglerbaserat system. Systemet är också möjligt att implementera automatiskt, i form av mjukvara, för att kunna identifiera orsaken till förändring snabbare än om det skulle gjorts manuellt.

Vulnerability management

comparing

vulnerability scan reports

cause of change

decision support system

Sårbarhetshantering

jämförelse

sårbarhetsskanning

sårbarhetsrapport

orsak till förändring

Computer Sciences

Datavetenskap (datalogi)

Automated Vulnerability Management / Automatiserad sårbarhetshantering

Ma, Yuhan

January 2023

The field of software security is constantly evolving, and security must be taken into consideration throughout the entire product life cycle. This is particularly important in today’s dynamic security landscape, where threats and vulnerabilities constantly change. One of the organizations’ biggest challenges is identifying and managing vulnerabilities in their software systems. This is where automating aspects of vulnerability management can play a crucial role. This thesis aims to investigate the feasibility of using natural language processing to automate vulnerability management. The main objective of the work is to develop a proof-of-concept system that simplifies the work of developers and testers by automatically filtering and categorizing vulnerabilities. The system will use natural language processing to distinguish and classify vulnerabilities based on the details of the vulnerability description. This helps organizations to identify and manage vulnerabilities conveniently, meanwhile saving time and resources. In addition, the system will be integrated with the defect-tracking tool, becoming part of the software development process. Therefore, the vulnerabilities can be identified and managed as early as possible in the development cycle, making resolving them easier and more cost-effective. Integrating the defect-tracking tool will also make it easier for organizations to track and resolve vulnerabilities promptly. In conclusion, this work aims to demonstrate that an automated vulnerability management system using natural language processing is feasible and effective. By simplifying the work of developers and testers, organizations can improve their overall software security posture and reduce their risk of security incidents. The expected outcome of this work is a proof-of-concept system that can be used as a model for organizations which aim to improve their vulnerability management processes. / Området mjukvarusäkerhet utvecklas ständigt och säkerhet måste beaktas under hela produktens livscykel. Detta är särskilt viktigt i dagens dynamiska säkerhetslandskap, där hot och sårbarheter ständigt förändras. En av organisationernas största utmaningar är att identifiera och hantera sårbarheter i sina mjukvarusystem. Det är här automatisering av sårbarhetshantering kan spela en avgörande roll. Denna avhandling syftar till att undersöka möjligheten att använda bearbetning av naturligt språk för att automatisera sårbarhetshantering. Huvudsyftet med forskningen är att utveckla prototyp som förenklar arbetet för utvecklare och testare genom att automatiskt filtrera och kategorisera sårbarheter. Systemet kommer att använda naturlig språkbehandling för att särskilja och klassificera sårbarheter baserat på detaljerna i sårbarhetsbeskrivningen. Detta hjälper organisationer att identifiera och hantera sårbarheter, samtidigt som det sparar tid och resurser. Dessutom kommer systemet att integreras i ett automatiserat flöde och blir då en del av mjukvaruutvecklingsprocessen. Detta säkerställer att sårbarheter identifieras och hanteras så tidigt som möjligt i utvecklingscykeln, vilket gör det enklare och mer kostnadseffektivt att lösa dem. Integrationen med defektspårningsverktyg kommer också att göra det lättare för organisationer att följa sårbarheter och lösa dem snabbt. Sammanfattningsvis syftar detta arbete till att visa att ett automatiserat sårbarhetshanteringssystem som använder naturligt språkbehandling är genomförbart och effektivt. Genom att förenkla arbetet för utvecklare och testare kan organisationer förbättra sin övergripande mjukvarusäkerhet och minska risken för säkerhetsincidenter. Det förväntade resultatet av detta arbete är ett proof-of-concept-system som kan användas som en modell för organisationer som strävar efter att förbättra sina processer för sårbarhetshantering.

Software security

Machine learning

Automation

Vulnerability management

Natural language processing

Programvarusäkerhet

Maskininlärning

Automation

Sårbarhetshantering

Bearbetning av naturligt språk

Computer and Information Sciences

Data- och informationsvetenskap

BRIDGING THE GAP IN VULNERABILITY MANAGEMENT : A tool for centralized cyber threat intelligence gathering and analysis

Vlachos, Panagiotis

January 2023

A large number of organizations these days are offering some kind of digital services, relyon digital technologies for processing, storing, and sharing of information, are harvesting moderntechnologies to offer remote working arrangements and may face direct cybersecurity risks. Theseare some of the properties of a modern organization. The cybersecurity vulnerability managementprograms of most organizations have been relying on one-dimensional information to prioritizeefforts of remedying security flaws for many years. When combined with the ever-growing attacksurface of modern organizations, the number of vulnerabilities disclosed yearly and the limitedresources available to cybersecurity teams, this renders the goal of securing an organization almostimpossible. This thesis aims at reviewing existing methodologies as observed in academicliterature and in the industry, highlighting their disadvantages, as well as the importance of adynamic, data-driven and informed approach and finally providing a tool that can assist thevulnerability prioritization efforts and increase resource utilization and efficiency. The thesis isinspired by Design Science Research, to design and develop a web-based cybersecurity tool thatcan be utilized towards a data-rich and rigorous approach of Vulnerability Management, by relyingon various cyber threat intelligence metrics.

Vulnerability management

Cyber threat intelligence

Common vulnerability scoring system

Exploit prediction scoring system

Övrig annan teknik

Environmentally aware vulnerability prioritisation within large networks : A proposed novel method

Lenander, Marcus, Tigerström, Jakob

January 2022

Background. Software vulnerabilities are a constant threat to organisations, businesses, and individuals. Keeping all devices patched from security software vulnerabilities is complex and time-consuming. Companies must use resources efficiently to ensure that the most severe security vulnerability is prioritised first. Today’s state-of-the-art prioritisation method only relies on the severity of the vulnerability without its environmental context. We propose a novel method that automatically prioritises the vulnerabilities in a device based on its environmental information, such as role and criticality. Objectives. This thesis aims to analyse to what extent vulnerabilities can be prioritised based on the environmental information of the device. Furthermore, we investigate the possibility of automatically estimating the role and criticality of a device and to what extent they can more accurately reflect the severity of the vulnerabilities present in the device. Methods. The proposed novel method uses environmental information found by a vulnerability scanner. Based on this information, the method estimates the role of the device. The role is then used by the method to estimate the criticality of the device. Based on the criticality and environmental information, a new vulnerability score is calculated for each vulnerability, and the list is reprioritised based on the latest score. We further apply an experimental study to analyse the assessment of the method against experts' assessment. Results. The experimental study indicates that the method performs slightly better than the state-of-the-art method. The proposed novel method estimated the primary role with an accuracy of 100% and the secondary role with an accuracy of 71.4%. The method's criticality assessment has a moderate agreement with the experts' criticality assessment. Overall, the method's reprioritised vulnerability lists correlate almost perfectly with the experts' vulnerability lists. Conclusions. Considering the environmental information during the prioritisation of vulnerabilities is beneficial. We find that our method performs slightly better than the state-of-the-art method. The proposed method needs further improvements to give a better criticality estimation. However, more research is required to claim that system administrators could benefit from using the proposed method when prioritising vulnerabilities. / Bakgrund. Sårbarheter i programvara är ett konstant hot mot organisationer och företag såväl som till privatpersoner. Att se till att enheterna är säkra är en komplex och tidskrävande uppgift. Det är därför viktigt att prioritera den tiden som finns dit där den gör mest nytta, det vill säga att åtgärda den allvarligaste sårbarheten först. Den allra bästa sårbarheter prioriterings metoden baseras på allvarlighetsgraden utan att ta hänsyn till sårbarhetens miljömetrik. Därav föreslår vi en ny prioriterings metod som automatiskt prioriterar sårbarheterna baserat på en enhets miljömetrik så som roll och kritikalitet. Syfte. Syftet med detta arbetet är att avgöra i vilken utsträckning det går att prioritera sårbarheter baserat på des miljömetrik. Utöver detta ska vi även undersöka huruvida man kan automatiskt uppskatta en enhets roll och kritikalitet för att bättre reflektera sårbarhetens allvarlighetsgrad. Metod. Den föreslagna metoden använder sig av sammanhangs information som tillhandahålls av en sårbarhets scanner. Utifrån denna information kommer enhetens roll att uppskattas. Den estimerade rollen kommer då användas av metoden för att bestämma enhetens kritikalitet. Baserat på kritikaliteten och sammanhangs informationen kommer en ny allvarlighetsgrad beräknas för all sårbarheter.  Listan av sårbarheter kommer omprioriteras med hänsyn till de senast beräknade allvarlighetsgraderna. Ett experiment utförs sedan för att analysera huruvida bra den nya prioriterings metoden är och för att validera resultatet kommer det jämföras mot experters prioritering. Resultat. Den experimentella studien indikerar på att vår metod presterar lite bättre än den den allra bästa sårbarheter prioriterings metoden. Den föreslagna metoden kan uppskatta den primära rollen med en träffsäkerhet på 100% och sekundära rollen med 71.4% träffsäkerhet. Metodens uppskattning av kritikaliteten är måttlig överensstämmande med den av experternas uppskattning. Överlag korrelerar metodens prioritiseringlista bättre med experternas än vad den allra senaste prioritiserings metoden gör. Slutsats. Genom att ta hänsyn till en enhets miljömetrik vid beräkningen av sårbarhetens allvarlighetsgrad får man ett bättre resultat än om den inte skulle varit med i beräkningen. Vi ser att vår metod fungerar bättre över lag än av den allra senaste prioritiserings metoden gör. Den föreslagna metoden behöver forskas mer på för att säkert kunna säga att den är användbar.

Software vulnerability management

vulnerability prioritisation

CVSS

environmental metrics

cyber security

Hantering av sårbarhet i programvara

prioritering av sårbarheter

CVSS

Miljömetrik

cybersäkerhet

Computer Sciences

Datavetenskap (datalogi)