Proceedings of the 40th Hawaii International Conference on System Sciences - 2007
Understanding Hidden Information Security Threats: The Vulnerability Black Market
Jaziar Radianti ([email protected]), Jose J. Gonzalez ([email protected])
Research Cell “Security and Quality in Organizations”, Faculty of Engineering and Science, Agder University College, Serviceboks 509, NO-4898 Grimstad, Norway
Abstract
It has been discovered recently that there is a “black market” for software vulnerabilities. Criminals and terrorists can launch exploits against organizations before system administrators have had a chance to apply a corrective patch. To counteract this threat, software vendors and security companies have been establishing a legitimate market for software vulnerabilities: they offer rewards for reported software bugs. To explain the basic traits of this phenomenon, we develop a system dynamics model showing the growth of the vulnerability black market. A simple conceptual model is developed and some simulations using the model are run to learn whether the attempt to legalize the vulnerability market helps to reduce the vulnerability information circulating in the black market.
Key Words: Information Security, Software Vulnerability, System Dynamics, Vulnerability Black Market, Integrated Operations.
1. Introduction: Critical Infrastructure and Securing the Network
The recent discovery that there is a “black market” for software vulnerabilities adds a new and worrying dimension to the protection of key economic sectors and critical infrastructure. These sectors depend crucially on information security for their performance; for some sectors, good information security is tantamount to satisfactory performance with regard to health, safety and environment. Particularly, in the oil and gas industry, the increasing use of remote operations using computer networks (eOperations,
now increasingly called Integrated Operations) implies that information security failures can severely impact Health, Safety and Environment (HSE) aspects. Our interest in the vulnerability problem developed from our work with client companies that are transitioning from traditional operations on offshore fields to the new mode of Integrated Operations.1 Hence, for specificity, we use the case of Integrated Operations to highlight some relevant aspects of the vulnerability problem. This said, we have to safeguard the interests of our clients, which implies that we do not disclose any kind of sensitive information. The sources of threat to the security of Integrated Operations are basically the same as for other critical infrastructure: external organized groups, such as organized crime, terrorists, corporate intelligence, political activists, etc.; internal sources, such as disaffected staff and contractors and malicious insiders; and the general hacker threat. The risks of cyber attack to the business include failure of control systems, loss of integrity or control of systems, and loss of process monitoring and visibility of the plant. This may lead to injuries or loss of life, loss of production, environmental damage, damage to reputation, loss of licence to operate, etc. An overview of the implications of known security failures for HSE aspects has been presented in a recent paper by Johnsen et al. [1]. Broadly speaking, threats to computer systems today have the following characteristics: automated attacks leveraging known and unknown vulnerabilities, combination of social engineering with automated attacks, multiple attack vectors and active payloads. There are indications of a growing number of vulnerabilities in software and operating systems that are known only to so-called “black-hat hackers” and for which no patch is yet available. Black-hat hackers seek to discover software vulnerabilities for malicious purposes. They often share their information with like-minded individuals. There are even indications of a growing black market for vulnerabilities2 (hackers selling secret information about software vulnerabilities in COTS3 software to criminals or even terrorist groups). To minimize risks that may jeopardize the future of Integrated Operations, multiple defence solutions have been proposed: from security monitoring, password protection and secure segregation to security culture, such as improved communication about security incidents, and user awareness and education. Since software vulnerabilities are constantly being discovered, administrators need to patch the network with new patches that remove the exploitable bug in the software. The situation is complex, though, due to the trade-offs of the risk of patching vs. the risk of not patching, as well as planned vs. unplanned downtime (Figure 1).
1 For a short overview of Integrated Operations, see the Appendix.
Proceedings of the 40th Annual Hawaii International Conference on System Sciences (HICSS'07) 0-7695-2755-8/07 $20.00 © 2007 1530-1605/07 $20.00 © 2007 IEEE
[Figure 1: diagram. Nodes: Integrated Operations; Risk; Unplanned downtime from known vulnerability exploits; Unplanned downtime from patching failures; Unplanned downtime from unknown vulnerability exploits; Planned downtime for patching. Caption follows below.]
The number of “unknown attacks”4 exploiting software vulnerabilities is still growing. The potential security impact of unknown attacks is also increasing [2]. However, evidence is mostly anecdotal and circumstantial; good data are scarce. This scarcity limits insight and makes it difficult to learn about root causes. Nevertheless, research from the Honeynet project has provided interesting information about the occurrence of unknown attacks and the increase of black-hat hackers’ activities.5 Further results from the Honeynet project [17-18] describe security tools, tactics and motives of the black-hat community. Black-hat hackers aggressively scan the Internet for hosts vulnerable to a single unknown vulnerability, exploiting as many systems as possible. The issue of unknown attacks and the circulation of vulnerabilities in a ‘black market’ has been getting increasing attention recently. This paper discusses vulnerability exploits and the importance of patching vulnerabilities in the context described in Figure 1. We develop a simple model of the likely growth of the vulnerability black market. In the last section, we discuss the shifting trend toward a “legal” vulnerability market and its implications. Finally, we return to the security policy in Integrated Operations and discuss related topics for the general software end-user. A note on terminology: We use “hacker” in the sense of a “black-hat hacker”, a person who is able to exploit a system or gain unauthorized access through skill and tactics.6 By “malicious agents” we refer to other actors having malicious motives to compromise security, but without the skill for doing so; they could be criminals, terrorist groups or just “script kiddies”.
2. Software Products in the Market
When software is purchased, customers trust that their software providers have thoroughly identified the potential security vulnerabilities, and that they offer protection against the security flaws. The truth is less flattering. Anderson [3], Schechter [4], Ozment [5] and Böhme [6, 20] called the software market a ‘market for lemons’, a term introduced by Akerlof [7]. Akerlof describes how the interaction between quality heterogeneity and asymmetry of information can lead to the disappearance of a market where guarantees are indefinite. He also noticed that when quality is unascertainable beforehand by the buyer (due to the asymmetry of information), incentives exist for the seller to pass off a low-quality good as a higher-quality one. The buyer, however, makes allowance for this incentive and takes the quality of the goods to be uncertain. Only the average quality of the goods will be considered, which in turn has the side effect that goods of superior quality will be driven out of the market.
2 See http://www.pcpro.co.uk/news/84523/black-market-thrives-onvulnerability-trading.html, quoted 13 June 2006.
3 Commercial-off-the-shelf.
4 An unknown attack is defined as an attack against a vulnerability nobody has heard of.
5 See for example http://www.honeynet.org/papers/stats/ about attacks by the black-hat community, quoted 13 June 2006.
6 Indeed, the term hacker also has a positive connotation, as a person who breaks security for altruistic or non-malicious reasons (white-hat hacker). Such a hacker has a clearly defined code of ethics and sometimes cooperates with the manufacturer to disclose security weaknesses.
Figure 1. Risk, patching and downtime: Exploits can occur from known and unknown vulnerabilities; exploits can cause unplanned downtime; planned downtime is necessary for testing and application of patches.
In the software market case, the buyer is indeed unable to distinguish between secure and insecure products. Hence the vendor has little incentive to develop sound security technology. As Schechter says [2, p. 1]: “A market for lemons is one in which the consumer cannot determine products of quality from defective goods.” The association of the software market with a ‘market for lemons’ makes sense, since there are always bugs in software and many of them are exploitable. Sellers sometimes follow the ‘penetrate and patch’ principle when they release new software, and customers cannot entirely judge the security of the software.
3. Software Vulnerabilities: Discovery, Life Cycle and Exploitation
A software vulnerability is a “bug”, that is, a flaw/weakness/defect in the code of any program (e.g. application, operating system) that can be exploited by malicious agents; a successful attack forces the program or its underlying system to perform unintended, often malicious operations. This may lead to the failure of the confidentiality, integrity or availability of an information system. A patch is a piece of code added to the software in order to fix a vulnerability or a bug, especially as a temporary correction between two releases. Schneier [8] distinguishes five phases in the life cycle of vulnerabilities: 1) before the vulnerability is discovered; 2) after the vulnerability is discovered but before it is announced; 3) after the vulnerability is announced; 4) an automatic attack tool to exploit the vulnerability is published; and 5) the vendor issues a patch that corrects the vulnerability. In the last phase, as people install the patch and harden the system, the risk of exploitation shrinks nearly to zero. Hackers target their exploits based on their knowledge of the vulnerability life cycle. For example, Arora, Krishnan, Nandkumar, Telang and Yang [9] find empirical evidence that a vulnerability disclosure increases attacks (per host) and patching decreases the number of attacks (per host). This means that hackers try to use the limited time between vulnerability disclosure and patch availability to launch attacks. But we still know little about what happens before a vulnerability is publicly known. Studies at Carnegie Mellon University (CMU) find that there are between five and fifteen ‘bugs’ per one thousand lines of code in released software [10]. These vulnerabilities may result from mistakes when writing software, whether a math error, incomplete logic or incorrect use of a function or command. Many such bugs are “exploitable” by malicious agents. The time between the disclosure of a new vulnerability and the emergence of an “exploit” has been shrinking steadily. There is a long “window of vulnerability”: the time between the discovery of the vulnerability and the implementation of a patch or a sufficient work-around. Moreover, the exploitation cycles of various vulnerabilities may overlap, so that several vulnerabilities may exist and be exploited simultaneously. In addition, for some vulnerabilities there may be a reincarnation of a previously eliminated flaw [11] in a later software version, or a resurgence in its exploitation [12]. Before analyzing the black market vulnerability problem, we summarize how vulnerabilities can be discovered [5, 13]. First, through testing by producers (in-house testing) before the product is released. Second, “philanthropist security researchers”7 identify vulnerabilities after the product is in production and available to consumers. Third, from full-disclosure environments, such as mailing lists, newsgroups or any kind of forum where individuals or organizations post information about vulnerabilities; the producer learns about the vulnerability at the same time as the general public. Fourth, the producer can learn about the vulnerability when it is exploited; for example, an exploit circulating in the black market might be detected when it is used against a system. The fourth point is the focus of this paper.
4. Black Market Vulnerability Problems
Summarizing, vulnerabilities might be discovered by people with an interest in exploiting them. Instead of notifying the vendor, they take advantage of the vulnerability themselves and possibly inform some of their associates. The information about the existence of the vulnerability circulates in the hacker community. While vendors as well as users are unaware of the threat, contacts can be formed between parties interested in launching unknown attacks and owners of the relevant information. In any market, there are sellers and buyers. They are the foundation of trade, along with the actual exchange of goods and services and the associated transaction. If the number of buyers increases, the number of sellers tends to increase as well. In particular cases, e.g. when there are incentives for criminal activities, a black or underground market tends to appear.
7 They are individuals or organizations, such as government, academic and non-profit organizations, that identify vulnerabilities for non-malicious purposes.
It has been suggested (see footnote 2) that there is a massive underground trade in software vulnerabilities, particularly during the period of private disclosure. Organized crime pays high prices for information that helps to break into corporate databases for identity theft and other lucrative criminal activities. Hackers used to search for vulnerabilities for the thrill of the attack experience or to improve their opportunity for financial gain through successful exploitation. But recently this phenomenon has been shifting character. Hackers find unknown vulnerabilities and sell them to the highest bidder. Hackers use the Internet as the main channel for sharing information about exploiting software vulnerabilities and exposures. Since the number of Internet users grows and intruder tools become more sophisticated and easier to use, more people can become “successful intruders”. An effort to explain how the underground vulnerability market mechanism (“the black market”) works is found in a paper by Sutton and Nagle [19]. They introduce the contracted model and the purchase model. In the former model the malicious actor hires a hacker to find a vulnerability in a specific target. The latter model works in reverse: the hacker finds a vulnerability, creates an exploit and sells it to the malicious actors. Sutton and Nagle [19, p. 10-11] emphasize that all parties have to broker the deal, involving some potentially risky contacts, while making sure that they are not caught by law enforcement. The model developed for this paper is an idealized version of the purchase model.
5. Black Market Vulnerability Model
We develop a system dynamics model [14, 15] to capture the basic structure of the problem. System dynamics is becoming a popular method to model information system security owing to its ability to «… provide[s] a foundation for developing methods and tools that help engineers understand, characterize, and communicate the impact of a malicious threat environment on organizational and system operations and their respective missions. Large-scale, inter-networked information systems are subject to volatility, nonlinearity, uncertainty, and time delays that add to their dynamic complexity and make assuring their security or survivability so difficult.» [16, p. 38ff] The Vulnerability Black Market does work as a market since there is a supply side, namely hackers, and a demand side, viz. malicious agents or criminals.
[Figure 2: stock-and-flow diagram. Buyers co-flow (upper part): Potential Vulnerabilities Black Market Buyers → (Potential Buyers Moving Into Buyers; Adoption Time) → Vulnerabilities Black Market Buyers → (Black Market Buyers Successfully Using Exploit; Unknown Vulnerabilities Exploitation Rate) → Successful Attacker Prevalence. Auxiliaries: Potential Buyers Contacts, Information Sharing Rate, Information Sharing between Buyers and Potential Buyers, Vulnerabilities Buyers Prevalence, Black Market Buyers Contacts, Experience Sharing Rate, Experience Sharing. Vulnerability aging chain (lower part): Unknown Vulnerabilities → (Unknown Vulnerabilities Discovery Rate; Average Time to Discover Vulnerabilities) → Vulnerabilities Discovered by Black Hat Hackers → (Vulnerabilities Trading Rates in Black Market; Average Time to Trade Vulnerabilities) → Vulnerabilities Traded in Black Market → (Vulnerabilities Known Publicly; Average Time to Disclose Vulnerabilities by Others; Duration of Unknown Vulnerabilities Circulation). Side branch: Vulnerabilities Discovered by Black Hat Hackers → (Trading Rate in Legal Market; Average Time to Change the Market Structure) → Vulnerabilities Traded in Legal Market, governed by Incentives for Selling to Vendors and Incentives for Selling Vulnerabilities to Black Market Buyers.]
Figure 2. The black market vulnerability growth model
Our simple model explains the growth of the vulnerability black market: On the demand side, there is a group of people who are willing to pay for secret knowledge about new vulnerabilities; on the supply side, hackers develop scripts of malicious code after they discover vulnerabilities. Hackers find new vulnerabilities and develop exploits, and then sell the whole package to the highest bidder, who most likely is a criminal group. It is assumed that hackers do not want to execute the exploits themselves, out of concern for their own safety.8 The main structure of the model (Fig. 2) consists of two connected aging chains (“co-flows”). The aging chain in the bottom part depicts three stages of unknown vulnerabilities: from before they are discovered until they are traded in the black market. The aging chain in the upper part shows three stages of black market buyers: from potential vulnerability black market buyers until they become successful intruders. The discovery rate of unknown vulnerabilities depends on the average time hackers need to discover them (Average Time to Discover Vulnerabilities in Fig. 2). Once the vulnerabilities are discovered, they are traded in the black market; this is described in the model by the causal links connecting the vulnerability aging chain with the buyers co-flow structure. The circulation of such vulnerabilities shrinks after the vulnerabilities become publicly known. The model assumes that the rate at which hackers find unknown vulnerabilities is much higher than that of other parties (vendors, philanthropists or security researchers). Are criminals or terrorist organizations the only potential buyers of yet unreported vulnerabilities? There are other actors, namely the vendors of software and security companies, and there are recent indications that they offer rewards for reports of yet unknown vulnerabilities. We capture this by the rate Vulnerabilities Traded to Vendors, flowing from the stock Vulnerabilities Discovered by Black Hat Hackers to the stock Vulnerabilities Traded in Legal Market.
Assume that there is a potential group of criminals who are willing to pay a higher price for secret vulnerabilities. In the model this group is represented by the stock Potential Vulnerabilities Black Market Buyers. It takes some time until potential buyers get information about new vulnerabilities and decide to buy them. Contact or information sharing between potential buyers and criminals who have already bought vulnerabilities increases the stock Vulnerabilities Black Market Buyers.9
Vulnerabilities Buyers Prevalence is the percentage of the buyer population who share information with like-minded people. Information sharing further reinforces potential buyers to “purchase” vulnerabilities. Once purchased, the vulnerabilities lead to exploits; criminals who carry out successful attacks tend to share their experiences. In turn this increases the rate of exploits (Unknown Vulnerabilities Exploitation Rate). Why would black-hat hackers prefer to sell their findings to criminals? The likely answer is that the reward offered by criminals is higher than the rewards offered by vendors. In other words, black-hat hackers sell their findings to the highest “bidder”. In our model, hackers are assumed to be rational actors who sell their findings to the party offering the highest price. (In our model we consider only financial gain as the reason for hackers to perform underground trading, and we do not take into account the riskier environment of black market activities, e.g. going to jail.) We capture this by the parameters Incentives for Selling to Vendors and Incentives for Selling to Black Market Buyers. Incentives for Selling to Black Market Buyers is modelled as a constant and Incentives for Selling to Vendors is defined as (1 − Incentives for Selling to Black Market Buyers). They describe the fractions of hackers’ findings that are sold to the black market and to the legal market, respectively. The initial model assumes that hackers sell all their findings to the black market, since the reward is bigger than in the legal market. The drain of vulnerabilities from the black market takes place because of two factors: 1) vendors find a patch to fix the vulnerabilities, or 2) the post-deprecation phase, when the producer is no longer interested in actively improving the product or its security, usually because a successor product has become available. In this model this is captured by the outflow Vulnerabilities Known Publicly.
This means that the time available to exploit vulnerabilities becomes shorter, which affects the Unknown Vulnerabilities Exploitation Rate. In other words, how long vulnerabilities can be traded in the black market is limited by public awareness of the existence of a new vulnerability.
8 Because hackers are more and more frequently being prosecuted, as the appropriate legislation is implemented.
9 This becomes more likely since there are forums such as mailing lists that discuss vulnerability findings and attack experiences. Alternatively, hackers could simply advertise that they sell vulnerabilities and state the price.
6. Simulations
We use the simulation software Vensim to develop and simulate the model. We run a simulation with three different scenarios to answer these ‘what-if’ questions:
What happens if the communication and technology available today allow criminals and hackers to share information and experience about unknown vulnerabilities and successful attacks? What happens if vendors are able to develop patches faster in order to constrain the criminals’ opportunities to exploit unknown vulnerabilities? What happens if vendors establish a legal market as a countermove against the black market?
Fig. 3 shows how our model answers these questions. The first plot (thick line, green) shows the base run of the model simulation. The run represents the growth of the vulnerability black market over time (6 yr simulation period). Information and experience sharing between vulnerability buyers on how to attack computer networks facilitate the market expansion. The curve rises at the beginning as the malicious agents buy vulnerabilities in the absence of competition from vendors. As the pool of unknown vulnerabilities decreases, trading decreases too. Hence, the growth in Vulnerabilities Traded in Black Market flattens out over time and starts declining. This provides an answer to the first question. The second plot (medium thick line, red) shows the behaviour of Vulnerabilities Traded in Black Market when the vendor is able to discover the unknown vulnerabilities and to develop a corrective patch faster.
[Figure 3: line plot. y-axis: Vulnerabilities Traded in Black Market (0 to 80,000 Vulnerabilities); x-axis: Time (Day), 0 to 2044 in steps of 292. Three runs: Base, Public Disclosure, Legal Market.]
Figure 3. Simulation Results of ‘Vulnerabilities Traded in Black Market’
The simulation illustrates the growth trend at the beginning, but at a slower pace than the base run, owing to the vendors’ activities. After a peak, which occurs earlier than in the base run, Vulnerabilities Traded in Black Market decays faster than in the base run. This is a tentative answer to the second question. However, this scenario might be too idealized: the security companies/vendors might need some time to realize that their software products are experiencing unknown attacks, and they might need even longer to develop a corrective patch. The third plot (thin line, blue) represents the effort to transform the vulnerability market by offering rewards to hackers10 who find security holes in software products. The simulation is carried out by reducing the fraction in the parameter Incentives for Selling to Black Market Buyers. We assume that 30% of hackers’ findings are sold to the legal market. The simulation result shows that this scenario reduces the vulnerabilities traded in the black market from the start of the simulation. But the trend still grows before it flattens out over time and starts decaying. We attribute this behaviour to the fact that some hackers still sell a certain share of their findings to the black market. This provides an answer to the third question. To summarize, the main lesson from the simulations is that vendors and security companies have very significant roles in combating or reducing the expansion of the vulnerability black market. End users buy, use and patch when necessary, but they cannot prevent incidents from unknown vulnerability exploits. Therefore, the discussion in the next section about the shift of the vulnerability market toward legality becomes relevant for how to contain the expansion of the vulnerability black market.
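As an added, runnable illustration of the structure described in section 5 and of the three scenarios of section 6 (this is not the paper’s Vensim model, and none of the constants below are the authors’ calibration; every parameter value is an assumption chosen so that the qualitative behaviour of Fig. 3 appears), the following Python script implements the two coupled aging chains of Fig. 2 with one-day Euler steps. Unknown vulnerabilities are discovered by black hats, split between the black and the legal market according to the fraction Incentives for Selling to Black Market Buyers (called f_black here), and leave circulation once they are disclosed publicly; potential buyers become buyers through information sharing, and buyers become successful attackers through exploitation, boosted by experience sharing. Trading is treated as supply-driven, a simplification of the diagram, and the names f_black, t_disclose, b_half, Params, State and the function names are this example’s own.

```python
# Added example (not from the paper): a minimal stock-and-flow version of the
# Figure 2 model, integrated with explicit Euler steps of one day. Every
# parameter value below is an assumption chosen for illustration; the paper
# does not publish its Vensim calibration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Params:
    # --- vulnerability aging chain (times in days) ---
    unknown0: float = 100_000.0   # initial stock of Unknown Vulnerabilities (assumed)
    t_discover: float = 365.0     # Average Time to Discover Vulnerabilities
    t_trade: float = 30.0         # Average Time to Trade Vulnerabilities
    t_disclose: float = 365.0     # Average Time to Disclose Vulnerabilities by Others
    f_black: float = 1.0          # Incentives for Selling to Black Market Buyers (fraction)
    # --- buyers co-flow ---
    population: float = 1_000.0   # potential buyers + buyers + successful attackers
    buyers0: float = 10.0         # initial Vulnerabilities Black Market Buyers
    t_adopt: float = 365.0        # Adoption Time without information sharing
    sharing: float = 0.05         # Information Sharing Rate (conversions per day at prevalence 1)
    t_exploit: float = 90.0       # mean time for a buyer to use an exploit successfully
    exp_sharing: float = 2.0      # Experience Sharing Rate (boost from successful attackers)
    b_half: float = 1_000.0       # traded vulns at which the availability factor is 1/2


@dataclass(frozen=True)
class State:
    unknown: float      # Unknown Vulnerabilities
    discovered: float   # Vulnerabilities Discovered by Black Hat Hackers
    black: float        # Vulnerabilities Traded in Black Market
    legal: float        # Vulnerabilities Traded in Legal Market
    public: float       # Vulnerabilities Known Publicly (cumulative outflow)
    potential: float    # Potential Vulnerabilities Black Market Buyers
    buyers: float       # Vulnerabilities Black Market Buyers
    successful: float   # successful attackers (Successful Attacker Prevalence x population)


def initial_state(p: Params) -> State:
    return State(p.unknown0, 0.0, 0.0, 0.0, 0.0,
                 p.population - p.buyers0, p.buyers0, 0.0)


def step(s: State, p: Params, dt: float = 1.0) -> State:
    """One Euler step: compute all flows from the current stocks, then update."""
    # vulnerability chain: supply-driven trading, hackers split findings by f_black
    discovery = s.unknown / p.t_discover
    to_black = p.f_black * s.discovered / p.t_trade
    to_legal = (1.0 - p.f_black) * s.discovered / p.t_trade
    disclosure = s.black / p.t_disclose          # public disclosure ends circulation
    # buyers chain: nothing to buy or exploit unless vulnerabilities circulate
    availability = s.black / (s.black + p.b_half)
    prevalence = (s.buyers + s.successful) / p.population
    moving = s.potential * (1.0 / p.t_adopt + p.sharing * prevalence) * availability
    exploitation = (s.buyers * availability
                    * (1.0 + p.exp_sharing * s.successful / p.population) / p.t_exploit)
    return State(
        unknown=s.unknown - discovery * dt,
        discovered=s.discovered + (discovery - to_black - to_legal) * dt,
        black=s.black + (to_black - disclosure) * dt,
        legal=s.legal + to_legal * dt,
        public=s.public + disclosure * dt,
        potential=s.potential - moving * dt,
        buyers=s.buyers + (moving - exploitation) * dt,
        successful=s.successful + exploitation * dt,
    )


def simulate(p: Params, days: int = 2044) -> list:
    """Daily trajectory of stocks from day 0 to `days` (the paper's horizon)."""
    traj = [initial_state(p)]
    for _ in range(days):
        traj.append(step(traj[-1], p))
    return traj


def summary(traj: list) -> dict:
    """Peak of Vulnerabilities Traded in Black Market plus end-of-run stocks."""
    peak_day = max(range(len(traj)), key=lambda i: traj[i].black)
    end = traj[-1]
    return {"peak_day": peak_day, "peak_black": traj[peak_day].black,
            "final_black": end.black, "final_legal": end.legal,
            "final_public": end.public, "final_successful": end.successful,
            "final_potential": end.potential}


# The three scenarios of section 6 (the parameter changes are assumptions).
SCENARIOS = {
    "Base": Params(),
    "Public Disclosure": Params(t_disclose=120.0),   # vendors disclose/patch faster
    "Legal Market": Params(f_black=0.7),             # 30 % of findings go to vendors
}


def run_scenarios(days: int = 2044) -> dict:
    return {name: summary(simulate(p, days)) for name, p in SCENARIOS.items()}


if __name__ == "__main__":
    for name, r in run_scenarios().items():
        print(f"{name:18s} peak day {r['peak_day']:5d}  peak {r['peak_black']:9.0f}  "
              f"end {r['final_black']:8.0f}  legal {r['final_legal']:8.0f}  "
              f"successful attackers {r['final_successful']:6.0f}")
```

Running the script prints, for each scenario, the day and height of the peak of Vulnerabilities Traded in Black Market and the end-of-run stocks. With these assumed values the base run peaks after roughly a year and decays toward zero by day 2044; shortening t_disclose (the ‘Public Disclosure’ run) gives an earlier and lower peak; setting f_black to 0.7 (the ‘Legal Market’ run) scales the whole black market curve down by 30% without changing its timing, which matches the three behaviours the paper reports. Two invariants are worth checking in any stock-and-flow implementation: the five vulnerability stocks always sum to the initial unknown count, and the three buyer stocks always sum to the population, because every flow leaves one stock and enters another.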
7. Toward a ‘Legal’ Vulnerability Market
In the previous section, we simulated the vulnerability black market model using the ‘legal vulnerability market’ scenario. This scenario depicts a recent phenomenon: computer security enterprises are creating legitimate markets for vulnerabilities. Security companies argue that this legal market approach will give them critical information so they can enhance the protection of their clients.11 Since technological defenses alone cannot stop the rising flood of computer viruses, break-ins and fraud, companies have started establishing relationships with the hacker community. In line with these current developments, some studies have started viewing the software vulnerability problem in terms of a vulnerability market [3-6]. Schechter [4] proposes that firms create a vulnerability market to ascertain the cost of their system. Schechter’s main proposal is to offer an economic approach to reward testers. Ozment [5] suggests a vulnerability market as ‘bug auctions.’ Sutton and Nagle [19] classify the current vulnerability market discussion into government market, open market, underground market, auction market and vendor market. A different concept of the vulnerability market is introduced by Böhme [6, p. 2-4], [20, p. 301-306]. His main purpose in describing different concepts of vulnerability markets is to discuss their advantages, to identify the best market type where security-related information can be traded, and to find which type serves best to counter the security market failure. Originally Böhme proposed five kinds of vulnerability markets [6], but then he revisited the literature and proposed four market alternatives [20], namely: 1) Bug Challenges; 2) Vulnerability Brokers; 3) Exploit Derivatives; 4) Cyber-Insurance. To begin with, Böhme differentiated between Bug Challenges and Bug Auctions, but now he merges them into one category (“Bug Challenges”). Basically, all proposals aim at motivating software developers to take security more seriously.
10 In this model we assume that the reward is only available to the first person who reports the bug.
11 For instance, one security firm launched a market called “Zero Day Initiative”. See http://www.businessweek.com/magazine/content/05_34/b3948022_mz011.htm; http://www.informationweek.com/showArticle.jhtml?articleID=180204079; see also the debate on this at http://www.networkworld.com/columnists/2005/091205faceoffno.html, quoted on 13 June 2006.
Bug Challenges
Bug challenges are the simplest form of vulnerability markets, where companies offer a monetary reward for reported bugs.12 Depending upon the value of the reward, hackers would have an incentive to report the bug instead of exploiting it or selling it in the black market. Bug auctions offer a different theoretical framework for basically the same concept as bug challenges: Andy Ozment first formulated bug challenges in terms of auction theory. However, Böhme emphasizes that this market type still depends on the initiative of the vendor.
Vulnerability Brokers
Vulnerability brokers are groups built around independent organizations (mostly private companies). They offer monetary compensation for new vulnerability reports, which they circulate within a closed group of subscribers to their security alert service. The customers consist of vendors, who want to learn about bugs in order to fix them, and corporate users, who want to protect their systems even before a patch becomes available, using their Intrusion Detection Systems (IDS). Vulnerability brokers are referred to by Böhme as “vulnerability sharing circles.” Sutton and Nagle [19] describe the mechanism as an outsourcing model. They provide examples of companies: iDefense, a Verisign company, with its “Vulnerability Contribution Program”, and TippingPoint, a division of 3Com, with its Zero Day Initiative.13 They identify three problems with the outsourcing model: how to convince owners of the pertinent information to trade vulnerabilities; how to gain acceptance for the vulnerability market concept within the industry; and how to develop a successful revenue model.
12 See for example http://www.networkworld.com/collumnists/2005/091205faceoffno.html, quoted on 13 June 2006.
Exploit Derivatives
In the exploit derivatives concept, instead of trading sensitive vulnerability information directly, the market mechanism is built around contracts with payout functions derived from security events. With this market type, software users would demand contracts that pay out on security breaches in order to hedge the risks to which their computer networks are exposed.
Cyber-Insurance
Cyber-insurance is another proposed market mechanism to overcome the security market failure. End users require insurance against financial losses from information security breaches, and insurance companies sell coverage for this type of risk after a security audit. Böhme says that the premium is assumed to be adjusted to the individual risk, which depends on the IT systems in use and the security mechanisms in place. But Böhme also mentions a problem with this market type, especially in underwriting cyber-risk: losses from information security risks are highly correlated globally.

Notes on the 'exploit derivative' and 'cyber insurance' types: for these last two types of vulnerability market, the mechanism is not the selling and buying of vulnerabilities between companies and testers (including hackers) as we mean in this paper. The effort to stop 'the lemons effect' and to correct the market failure takes place between the vendors or security insurance companies and the end users. So these two types of market focus on how end users protect themselves against exploits facilitated by insecure software.
8. Implications and Conclusions

Referring to the case of an oil company that is transitioning to Integrated Operations, the company is conscious of the importance of patching (in addition to other security measures). The company has to protect itself from all possibilities that may jeopardize its goal of shifting toward a new way of operation. Regarding the risk of patching and of not patching, Figure 1 shows the known risks: unplanned downtime from known exploits, unplanned downtime from patching failures and planned downtime for patching. But people sometimes neglect another possibility: unplanned downtime from exploits of unknown vulnerabilities. Understanding the growth of the vulnerability black market is crucial to contain the threat to Integrated Operations, since the expansion of a black market for software vulnerabilities might significantly increase the risk of unplanned downtime from such exploits.

From our simulations in the previous section, we learn that 'other parties' (vendors, security companies, researchers) can play a significant role in shortening the time that vulnerabilities circulate in the black market. The problem with such a solution is the speed at which all 'other parties' find vulnerabilities compared with the speed of the hackers: the first group cannot dedicate all its time to finding vulnerabilities, whereas hackers may spend most of their time looking for security holes in the software.

We now turn to the alternative of changing the nature of the market. In our simulation, incentives to sell vulnerability findings to the vendor shrink the vulnerability trading in the black market. The nature of such an effort to make the vulnerability market legal is to change the structure depicted in Figure 4. The objective of the different vulnerability market concepts is to create incentives for producers to release more secure products. Of the market types elaborated in section 7, Böhme [6] mentions that bug challenges and vulnerability brokers are close to reality, but are not the best possible solution.

13 Sutton and Nagle [19] also explain how the two programs work and how they became a profitable business.
14 The four criteria are: information function, incentive function, risk balancing function and efficiency.

Proceedings of the 40th Annual Hawaii International Conference on System Sciences (HICSS'07) 0-7695-2755-8/07 $20.00 © 2007
Böhme concludes that these types cannot fulfil three of his four criteria for the functions of a vulnerability market.14 He argues that there is no risk balancing in the 'bug challenges' and 'vulnerability brokers' markets, and that the information obtained from the market price may fail to be accurate as an indicator of security properties. The catch is that the vendor has to bear most of the burden, and the existence of the market depends on the vendors' cooperation. However, if we consider the expansion of the black market, then the 'close to reality' solution may be the best solution for changing the market structure from a black market for vulnerabilities to a legal market. Such a shift may reduce the probability of attacks on end users through unknown vulnerabilities. The roles of vendors, security firms and other philanthropic organizations or individual researchers in changing the vulnerability market structure also seem more important for reducing exploits targeting unknown vulnerabilities. The shift towards a legal market has started, although there are pros and cons, including ethical issues. Nevertheless there is also a worst possible scenario when this market structure changes: the hackers might sell the information to both parties, vendors and criminals. Our model so far neglects this issue and only considers the options of selling vulnerabilities to the vendors or selling them to malicious agents.

Some 'theoretical' vulnerability market proposals [6], such as the 'exploit derivatives' and 'cyber insurance' types mentioned in section 7, are starting to be discussed. Böhme considers them more promising, or complementary to one another [20], since these two market types fulfil almost all requirements for an ideal vulnerability market. But as we mention in section 7, these two types of market focus on how end users protect themselves against the insecure software they have bought, and on motivating vendors to release secure software.

[Figure 4: From Black Market to Legal Market. Figure not reproduced; it shows two panels, Black Market and Legal Market, with the actors Hackers, Malicious Agents, Clients and Security Firms/Vendors, and flows labelled 'Selling vulnerabilities', 'Attacks', 'Selling products and provide protection service', 'Rewards' and 'Better Protection'.]
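To make the reasoning of this section concrete, the following toy stock-and-flow model tracks the number of exploitable, unpatched vulnerabilities held by malicious agents. It is added here as an illustration and is not the authors' system dynamics model; all parameter values are made up, and every function and parameter name (simulate, steady_state, legal_share, rediscovery_rate, patch_lag, double_sell) is the example's own. Hackers find bugs at a constant monthly rate; a reward-driven share goes to the vendor; 'other parties' independently rediscover black-market-only bugs at a monthly rate; a bug the vendor knows about stays exploitable for a fixed patch lag; and the worst case discussed above, a hacker selling the same bug to both the vendor and criminals, is the double_sell parameter.

```python
"""Toy stock-and-flow model of the vulnerability black market.

Illustrative model written for this page, not the paper's own model.
Time step: one month.  Stock tracked: vulnerabilities that malicious
agents can exploit and for which no patch has been deployed.
"""
from collections import deque


def simulate(months, hacker_rate, legal_share, rediscovery_rate,
             patch_lag, double_sell=0.0):
    """Return the exploitable black-market stock at the end of each month.

    hacker_rate       new vulnerabilities hackers find per month
    legal_share       fraction of those sold to the vendor (reward-driven)
    rediscovery_rate  monthly probability that vendors/researchers
                      independently find a bug known only on the black market
    patch_lag         months between the vendor learning of a bug and the
                      patch being deployed; the bug stays exploitable meanwhile
    double_sell       fraction of vendor-sold bugs that the hacker also
                      sells to malicious agents (the worst case in the text)
    """
    unknown = 0.0                          # exploitable, vendor unaware
    pipeline = deque([0.0] * patch_lag)    # exploitable, vendor aware, awaiting patch
    history = []
    for _ in range(months):
        to_vendor = hacker_rate * legal_share
        to_black_only = hacker_rate - to_vendor
        leaked = to_vendor * double_sell            # sold to both sides
        rediscovered = unknown * rediscovery_rate   # 'other parties' catch up
        unknown += to_black_only - rediscovered
        pipeline.append(rediscovered + leaked)      # vendor now knows, patch pending
        pipeline.popleft()                          # oldest cohort patched this month
        history.append(unknown + sum(pipeline))
    return history


def steady_state(hacker_rate, legal_share, rediscovery_rate, patch_lag,
                 double_sell=0.0):
    """Closed-form equilibrium of simulate(): inflow equals outflow."""
    unknown = hacker_rate * (1 - legal_share) / rediscovery_rate
    cohort = (hacker_rate * (1 - legal_share)
              + hacker_rate * legal_share * double_sell)
    return unknown + patch_lag * cohort


def mean_exposure_months(rediscovery_rate, patch_lag):
    """Expected months a black-market-only bug stays exploitable."""
    return 1.0 / rediscovery_rate + patch_lag


def scenarios(months=240):
    """Equilibrium stock under the policies discussed in the text (made-up parameters)."""
    base = dict(hacker_rate=10.0, rediscovery_rate=0.1, patch_lag=2)
    faster = dict(base, rediscovery_rate=0.25)
    return {
        "no legal market":         simulate(months, legal_share=0.0, **base)[-1],
        "faster other parties":    simulate(months, legal_share=0.0, **faster)[-1],
        "rewards, honest sellers": simulate(months, legal_share=0.5, **base)[-1],
        "rewards, sell to both":   simulate(months, legal_share=0.5,
                                            double_sell=1.0, **base)[-1],
    }


if __name__ == "__main__":
    for name, stock in scenarios().items():
        print(f"{name:26s} {stock:7.1f} exploitable bugs at equilibrium")
```

With these made-up parameters, rewards that divert half of the hackers' findings to the vendor halve the exploitable stock (120 to 60); raising the rediscovery rate of 'other parties' from 0.1 to 0.25 per month achieves the same; and even when every rewarded hacker also sells to criminals the stock settles at 70 rather than 120, because the vendor patches those bugs after the lag instead of their circulating until rediscovered. The closed form shows that the double-selling penalty grows linearly with patch_lag, so in this model the worst case is bounded by how quickly the vendor ships a fix and the client deploys it.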
The expansion of the vulnerability black market is not addressed by these proposals, because hackers do not act in the 'exploit derivatives' and 'cyber insurance' types. For future research we note the importance of considering the risk of attacks through unknown vulnerabilities faced by a company transitioning to Integrated Operations: such risk might become an unexpected threat to its security. In addition, understanding this hidden threat should also be relevant for any company relying on computer networks for its primary business. Owing to the conceptual nature of the model, our assessment should be considered a starting point for discussion and for exchanging visions and opinions.

References

[1] Johnsen, S.O., M.B. Line, and A. Askildsen. Towards more secure virtual organizations by implementing a common scheme for incident response management. In Eighth International Conference on Probabilistic Safety Assessment and Management (PSAM8), New Orleans, 2006.
[2] Bouchard, M. Unknown Attacks: A Clear and Growing Danger. 2005. Available from: http://searchwindowssecurity.bitpipe.com/detail/RES/1136907342_223.html.
[3] Anderson, R. Why Information Security Is Hard, an Economic Perspective. In 17th Annual Computer Security Applications Conference, 2001.
[4] Schechter, S. How to Buy Better Testing: Using Competition to Get the Most Security and Robustness for Your Dollar. In Infrastructure Security Conference, 2002.
[5] Ozment, A. Bug Auctions: Vulnerability Markets Reconsidered. In Workshop on Economics and Information Security (WEIS), Minneapolis, MN, 2004.
[6] Böhme, R. Vulnerability Markets: What Is the Economic Value of a Zero-Day Exploit? In 22C3, Berlin, Germany, 2005.
[7] Akerlof, G.A. The Market for "Lemons": Quality Uncertainty and the Market Mechanism. The Quarterly Journal of Economics, 84(3): 488-500, 1970.
[8] Schneier, B. Full Disclosure and the Window of Exposure. Crypto-Gram Newsletter, 2000 [cited 10 March 2006]. Available from: http://www.schneier.com/crypto-gram0009.html#1.
[9] Arora, R., et al. Impact of Vulnerability Disclosure and Patch Availability: An Empirical Analysis. In Workshop on Economics and Information Security (WEIS), Minneapolis, MN, 2004.
[10] Schneier, B. Secrets and Lies: Digital Security in a Networked World. John Wiley & Sons, New York, 2000.
[11] Browne, H.K., et al. A Trend Analysis of Exploitations. 2000 [cited 13 June 2006]. Available from: http://www.cs.umd.edu/~waa/pubs/CS-TR-4200.pdf.
[12] CERT. CERT/CC Overview: Incident and Vulnerability Trends. 2003 [cited 13 June 2006]. Available from: http://www.cert.org/present/cert-overview-trends/module-5.pdf.
[13] Martin, R.A. Managing Vulnerabilities in Networked Systems. Computer, November 2001: 32-38.
[14] Sterman, J.D. Business Dynamics: Systems Thinking and Modeling for a Complex World. Irwin/McGraw-Hill, Boston, 2000.
[15] Richardson, G.P. and A.L. Pugh III. Introduction to System Dynamics Modeling. Productivity Press, Portland, Oregon, 1981.
[16] Ellison, R.J. and A. Moore. Trustworthy Refinement Through Intrusion-Aware Design (TRIAD). 2003 [cited 10 September 2003]. Available from: http://www.cert.org/archive/pdf/03tr002.pdf.
[17] The Honeynet Project. Know Your Enemy: Learning About Security Threats. Addison-Wesley, Boston, 2004.
[18] The Honeynet Project. Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community. Addison-Wesley, Boston, 2002.
[19] Sutton, M. and F. Nagle. Emerging Economic Models for Vulnerability Research. In The Fifth Workshop on the Economics of Information Security (WEIS 2006), University of Cambridge, England, 2006.
[20] Böhme, R. A Comparison of Market Approaches to Software Vulnerability Disclosure. In Emerging Trends in Information and Communication Security, LNCS 3995, G. Müller (Ed.), Springer-Verlag, Berlin, 2006.
Appendix

Integrated Operations works by transmitting 'live' data from offshore to onshore 'control rooms', where the onshore department analyses the data and collaborates with the same department offshore. Oil companies use these onshore control rooms to run the work processes occurring offshore. An important goal of Integrated Operations is to safely access and support offshore processes and data from wherever the employees are located.
Integrated Operations is a gradual process that transforms traditional operations, with originally self-sustaining fields offshore, into integrated centres with real-time communication. Ultimately Integrated Operations will provide 24/7 virtual centres and digital services. Daily operational decisions, which receive only limited onshore support in traditional operations, would be improved by collaborative decision-making of teams onshore and offshore. Offshore gets continuous support from onshore and, in reverse, onshore gets real-time information about operations offshore. As Integrated Operations matures, several work processes and decisions are automated, and collaborative decisions are made by people in the operators' onshore support centres, at vendors and at expert centres. The aim of Integrated Operations is to increase production by approximately 10%, to reduce costs by 30%, and to improve the collaboration between offshore and land-based personnel. The important advantages of Integrated Operations concerning increased safety are:
- Faster detection of dangerous situations.
- Reduced exposure to risk for offshore personnel.
- Better use of competence.
- Ability to extract more oil.
- Faster access to expertise in relation to critical events.
- Improved integration across trade, location and organization.