Windows of Vulnerability: A Case Study Analysis

52 Computer Windows of Vulnerability: A Case Study Analysis C omplex information and communication systems give rise to design, implementation, and management errors. These errors can lead to a vulnerability—a flaw in an information technology product that could allow violations of security policy. Anecdotal evidence alone suggests that known and patchable vulnerabilities cause the majority of system intrusions. Although no empirical study has substantiated this anecdotal evidence, none has refuted it either. Nor have studies conducted to determine the number of computers at risk for security breaches focused on the intrusion trends of specific vulnerabilities. 1,2 Here we propose a life-cycle model that describes the states a vulnerability can enter during its lifetime. We then use our vulnerability model to present a case study analysis of specific computer vulnerabilities. Although the term " life cycle " implies a fixed and linear progression from one phase to the next, the discovery and exploitation of system vulnerabilities does not always follow such a tidy pattern. Instead—and, appropriately, given the nature of our model—the progression varies depending on interactions between the host system, the intruding scripts, and the programs that exploit its vulnerabilities. Thus our life cycle models a host and its viral parasites more closely than it does an isolated organism. In general, a vulnerability appears to transition through distinct states: birth, discovery, disclosure, the release of a fix, publication, and automation of the exploitation. Intuitively, you would expect the number of intrusions into computer systems as a result of using a specific vulnerability over time to resemble the graph in Figure 1. 3,4 The assumption here is that intrusions increase once the community discovers a vulnerability , with the rate of increase accelerating as news of the vulnerability spreads to a wider audience. This trend continues until the vendor releases a patch or workaround, and the intrusion rate decreases. Ideally, the decrease would be a steep decline rather than the slow decrease Figure 1 shows. It does, however , take time for news of the patch to spread, and longer still for users to install it. In addition, cautious organizations require testing prior to system changes— rightfully so—to ensure that the patch does not create new problems. Some organizations install the patch when they " get to it, " and others may never install the patch, for any of several reasons. Determining the exact shape of the vulnerability curve in Figure …