Exploring a Controls-Based Assessment of Infrastructure Vulnerability

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 9572)

Abstract

Assessing the vulnerability of an enterprise’s infrastructure is an important step in judging the security of its network and the trustworthiness and quality of the information that flows through it. Currently, low-level infrastructure vulnerability is often judged in an ad hoc manner, based on the criteria and experience of the assessors. While methodological approaches to assessing an organisation’s vulnerability exist, they are often targeted at higher-level threats and can fail to represent risk accurately. Our aim in this paper, therefore, is to explore a novel, structured approach to assessing low-level infrastructure vulnerability. We do this by placing the emphasis on a controls-based evaluation rather than a vulnerability-based evaluation. This work aims to investigate a framework for the pragmatic approach that organisations currently use for assessing low-level vulnerability. Instead of attempting to find vulnerabilities in infrastructure, we assume the network is insecure and measure its vulnerability based on the controls that have (and have not) been put in place. We consider different control schemes for addressing vulnerability, and show how one of them, namely the Council on Cyber Security’s Top 20 Critical Security Controls, can be applied.


Notes

  1.

    MS08-067 is a low-level vulnerability in the Windows Server Service that allows remote code execution when sent a specially crafted RPC request.


Author information

Corresponding author

Correspondence to Oliver J. Farnan.

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Farnan, O.J., Nurse, J.R.C. (2016). Exploring a Controls-Based Assessment of Infrastructure Vulnerability. In: Lambrinoudakis, C., Gabillon, A. (eds) Risks and Security of Internet and Systems. CRiSIS 2015. Lecture Notes in Computer Science, vol 9572. Springer, Cham. https://doi.org/10.1007/978-3-319-31811-0_9

  • DOI: https://doi.org/10.1007/978-3-319-31811-0_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-31810-3

  • Online ISBN: 978-3-319-31811-0

  • eBook Packages: Computer Science (R0)