Advice sought in survey about vulnerability lifecycle, hacker ability

[InfoSec News <isn () c4i org>]

Forwarded from: Daniel Bilar <bilar () Dartmouth EDU>

I am a PhD student at Dartmouth (www.ists.dartmouth.edu) and
working on risk analysis of computer networks. I was researching
empirical data on the time distributions in the lifecycles of a
vulnerability and the hacker ability to exploit vulnerabilities at
points in time in these cycles.

I wrote a survey for this, & it would be nice to have at least twenty
to thirty respondents to have a meaningful statistical result.

Thanks!
Daniel Bilar
bilar () dartmouth edu


Daniel Bilar
45 Lyme Road
Suite 104
Hanover, NH 03755
bilar () dartmouth edu



Survey: Vulnerability event times and hacker ability
---------------------------------------------------------------

Overview
---------

This survey would like to gather data on two questions: The first one 
is concerned with the time distribution between events in the 
lifecycle of a vulnerability. The second one is concerned with the 
ability, in percentage of the general hacker population, to launch a 
succesful exploit at each of these points in time in the lifecyle of a 
vulnerability.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++

Question 1)

I have identified 4 events of interests in the lifecycle of a 
vulnerability:

a) Theoretical description vulnerability (e.g. the discovery of the
vulnerability, not widely known but to either vendor or elite hacker 
or security experts)

b) Proof of concept of vulnerability (e.g. an exploit has been
written, but is not widely available because it is not widely posted
or the vulnerability's exploit is an old technique (like cross
scripting, etc )

c) Popularization of vulnerability (e.g. the exploit is posted and as
such widely available)

d) Countermeasure of vulnerability (e.g. patch/method is posted and
widely available)


A possible time line of events (other sequences are 
possible/probable):

 |
---  a)
 |
 | t(a,b)
 |
--- b)
 |
 | t(b,c)
 |
--- c)
 |
 |  t(c,d)
 |
--- d)
 |
 |
\/
future


**** Question Section (Answer section below) ******

i. Can you give an estimate of the time between events a and b, b and 
c and c and d? 

ii. In your opinion, for each of these times, how much influence do 
the following factors have? (on a scale from 1 to 5, 5 being the most 
influence)
        
- type of vulnerability (such as buffer, race condition, etc)
- open vs closed source (independent of vendor)
- popularity of vulnerable software 
- vendor of software
- other (please specify)        

**** Answer Section ******

Please specify the times in days (d) or hours (h).

i. Time Estimate for t(a,b):

ii. FACTORS
-----------
type of vulnerability:

open vs closed source

popularity of vulnerable software

vendor of software

other:

---------------------------------------

i. Time estimate for t(b,c):


ii. FACTORS
-----------
type of vulnerability:

open vs closed source

popularity of vulnerable software

vendor of software

other:

----------------------------------------

i. Time Estimate for t(c,d):


ii. FACTORS
-----------
type of vulnerability:

open vs closed source

popularity of vulnerable software

vendor of software

other:

+++++++++++++++++++++++++++++++++++++++++++++++++++++

Question 2)

At each of point in times of these events, a particular skill level is 
required to take advantage of the vulnerability. Only very skilled 
hackers can take advantage of a buffer overflow condition at time a), 
for instance.

**** Question Section (Answer section below) *******

What percentage of the general hacker population has the skills to
exploit a vulnerability at each of these time a), b), c) and d) ?


**** Answer Section ******

Please specify exploit ability in percentage of general hacker 
population, from 0-100 %.

Percentage at time at event a): 
Percentage at time at event b):
Percentage at time at event c):
Percentage at time at event d):


+++++++++++++++++++++++++++++++++++++++++++++++++++

Please send your answers to bilar () dartmouth edu, along with any other 
comments you may have.

Thank you for much for your valuable time and expertise. It is very 
much appreciated.

Daniel Bilar
ISTS, Dartmouth College
Hanover NH 03755
bilar () dartmouth edu
603 646 0745
www.ists.dartmouth.edu
 


-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.