Abstract
Assessing the vulnerability of an enterprise’s infrastructure is an important step in judging the security of its network and the trustworthiness and quality of the information that flows through it. Currently, low-level infrastructure vulnerability is often judged in an ad hoc manner, based on the criteria and experience of the assessors. While methodological approaches to assessing an organisation’s vulnerability exist, they are often targeted at higher-level threats and can fail to accurately represent risk. Our aim in this paper, therefore, is to explore a novel, structured approach to assessing low-level infrastructure vulnerability. We do this by placing the emphasis on a controls-based evaluation rather than a vulnerability-based evaluation. This work aims to investigate a framework for the pragmatic approach that organisations currently use for assessing low-level vulnerability. Instead of attempting to find vulnerabilities in infrastructure, we assume the network is insecure and measure its vulnerability based on the controls that have (and have not) been put in place. We consider different control schemes for addressing vulnerability, and show how one of them, namely the Council on Cyber Security’s Top 20 Critical Security Controls, can be applied.
Notes
1. MS08-067 is a low-level vulnerability in the Windows Server Service that allows remote code execution when sent a specially crafted RPC request.
© 2016 Springer International Publishing Switzerland
Cite this paper
Farnan, O.J., Nurse, J.R.C. (2016). Exploring a Controls-Based Assessment of Infrastructure Vulnerability. In: Lambrinoudakis, C., Gabillon, A. (eds) Risks and Security of Internet and Systems. CRiSIS 2015. Lecture Notes in Computer Science(), vol 9572. Springer, Cham. https://doi.org/10.1007/978-3-319-31811-0_9
DOI: https://doi.org/10.1007/978-3-319-31811-0_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-31810-3
Online ISBN: 978-3-319-31811-0
eBook Packages: Computer Science (R0)