Windows of Vulnerability: A Case Study Analysis

Authors

  • William A. Arbaugh
  • William L. Fithen
  • John McHugh
Abstract

Complex information and communication systems give rise to design, implementation, and management errors. These errors can lead to a vulnerability—a flaw in an information technology product that could allow violations of security policy. Anecdotal evidence alone suggests that known and patchable vulnerabilities cause the majority of system intrusions. Although no empirical study has substantiated this anecdotal evidence, none has refuted it either. Nor have studies conducted to determine the number of computers at risk for security breaches focused on the intrusion trends of specific vulnerabilities. [1,2]

Here we propose a life-cycle model that describes the states a vulnerability can enter during its lifetime. We then use our vulnerability model to present a case study analysis of specific computer vulnerabilities. Although the term "life cycle" implies a fixed and linear progression from one phase to the next, the discovery and exploitation of system vulnerabilities does not always follow such a tidy pattern. Instead—and, appropriately, given the nature of our model—the progression varies depending on interactions between the host system, the intruding scripts, and the programs that exploit its vulnerabilities. Thus our life cycle models a host and its viral parasites more closely than it does an isolated organism.

In general, a vulnerability appears to transition through distinct states: birth, discovery, disclosure, the release of a fix, publication, and automation of the exploitation. Intuitively, you would expect the number of intrusions into computer systems as a result of using a specific vulnerability over time to resemble the graph in Figure 1. [3,4] The assumption here is that intrusions increase once the community discovers a vulnerability, with the rate of increase accelerating as news of the vulnerability spreads to a wider audience.
This trend continues until the vendor releases a patch or workaround, and the intrusion rate decreases. Ideally, the decrease would be a steep decline rather than the slow decrease Figure 1 shows. It does, however, take time for news of the patch to spread, and longer still for users to install it. In addition, cautious organizations require testing prior to system changes—rightfully so—to ensure that the patch does not create new problems. Some organizations install the patch when they "get to it," and others may never install the patch, for any of several reasons. Determining the exact shape of the vulnerability curve in Figure …


Journal title:
  • IEEE Computer

Volume 33  Issue 

Pages  -

Publication date 2000