Exploring a Controls-Based Assessment of Infrastructure Vulnerability

  • Oliver J. Farnan
  • Jason R. C. Nurse
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9572)


Assessing the vulnerability of an enterprise’s infrastructure is an important step in judging the security of its network and the trustworthiness and quality of the information that flows through it. Currently, low-level infrastructure vulnerability is often judged in an ad hoc manner, based on the criteria and experience of the assessors. While methodological approaches to assessing an organisation’s vulnerability exist, they are often targeted at higher-level threats and can fail to represent risk accurately. Our aim in this paper, therefore, is to explore a novel, structured approach to assessing low-level infrastructure vulnerability. We do this by placing the emphasis on a controls-based evaluation rather than a vulnerability-based evaluation. This work aims to investigate a framework for the pragmatic approach that organisations currently use for assessing low-level vulnerability. Instead of attempting to find vulnerabilities in the infrastructure, we assume the network is insecure and measure its vulnerability based on the controls that have (and have not) been put in place. We consider different control schemes for addressing vulnerability, and show how one of them, namely the Council on Cyber Security’s Top 20 Critical Security Controls, can be applied.
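To make the controls-based evaluation concrete, the following is an added example (not the paper's own method or code): a constructed evidence snapshot of a small network is scored by how completely four Critical Security Controls families are in place, and the result is an exposure score plus a remediation priority list. The evidence format, the weights and the scoring formula are assumptions of this example, not something the paper specifies.

```python
# Controls-based exposure scoring (added example, not the paper's method):
# the network is assumed insecure and scored by which controls are in place.
# Evidence format, weights and formula are this example's own assumptions.

# Constructed evidence snapshot (not real data): observed versus authorised.
EVIDENCE = {
    "observed_hosts": {"h1", "h2", "h3", "h4", "h5"},
    "authorized_hosts": {"h1", "h2", "h3", "h4"},
    "installed_software": {("h1", "sshd"), ("h1", "nginx"), ("h2", "sshd"),
                           ("h2", "telnetd"), ("h3", "sshd")},
    "approved_software": {"sshd", "nginx"},
    "admin_accounts": {"alice", "bob", "svc_backup"},
    "approved_admins": {"alice", "bob"},
    "hosts_scanned_last_30d": {"h1", "h2"},
}

def _ratio(num, den):
    """Fraction in [0, 1]; an empty denominator counts as fully covered."""
    return 1.0 if den == 0 else num / den

# Each control maps evidence to coverage: 1.0 fully in place, 0.0 absent.
# Anything unknown, unapproved or unscanned counts against the control.
CONTROLS = {
    "CSC1 inventory of authorised devices": lambda e: _ratio(
        len(e["observed_hosts"] & e["authorized_hosts"]), len(e["observed_hosts"])),
    "CSC2 inventory of authorised software": lambda e: _ratio(
        sum(sw in e["approved_software"] for _, sw in e["installed_software"]),
        len(e["installed_software"])),
    "CSC4 continuous vulnerability assessment": lambda e: _ratio(
        len(e["hosts_scanned_last_30d"] & e["observed_hosts"]), len(e["observed_hosts"])),
    "CSC12 controlled use of administrative privileges": lambda e: _ratio(
        len(e["admin_accounts"] & e["approved_admins"]), len(e["admin_accounts"])),
}

# Assumed weights: inventory controls weigh most, since the rest depend on them.
WEIGHTS = {"CSC1 inventory of authorised devices": 3,
           "CSC2 inventory of authorised software": 3,
           "CSC4 continuous vulnerability assessment": 2,
           "CSC12 controlled use of administrative privileges": 2}

def assess(evidence=EVIDENCE):
    """Return per-control coverage and an overall exposure score in [0, 1]."""
    coverage = {name: check(evidence) for name, check in CONTROLS.items()}
    weighted = sum(WEIGHTS[n] * c for n, c in coverage.items())
    return coverage, 1.0 - weighted / sum(WEIGHTS.values())

def gaps(coverage, threshold=0.9):
    """Controls below the threshold, weakest first: the remediation priority."""
    return sorted(((n, c) for n, c in coverage.items() if c < threshold),
                  key=lambda item: (item[1], item[0]))
```

Note that the unauthorised host h5 and the unapproved telnetd lower the score without any vulnerability scan having run, which is the point of scoring controls rather than findings.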


Keywords: Vulnerability Assessment, Penetration Testing, Security Assessment, Vulnerability Score, Attack Vector



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. Cyber Security Centre, University of Oxford, Oxford, UK
