Forwarded from: Daniel Bilar <bilarat_private>

I am a PhD student at Dartmouth (www.ists.dartmouth.edu) and working on
risk analysis of computer networks. I was researching empirical data on
the time distributions in the lifecycles of a vulnerability and the
hacker ability to exploit vulnerabilities at points in time in these
cycles. I wrote a survey for this, & it would be nice to have at least
twenty to thirty respondents to have a meaningful statistical result.

Thanks!

Daniel Bilar
bilarat_private

Daniel Bilar
45 Lyme Road
Suite 104
Hanover, NH 03755
bilarat_private


Survey: Vulnerability event times and hacker ability
---------------------------------------------------------------

Overview
---------

This survey would like to gather data on two questions:

The first one is concerned with the time distribution between events in
the lifecycle of a vulnerability.

The second one is concerned with the ability, in percentage of the
general hacker population, to launch a successful exploit at each of
these points in time in the lifecycle of a vulnerability.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++

Question 1)

I have identified 4 events of interest in the lifecycle of a
vulnerability:

a) Theoretical description of vulnerability (e.g. the discovery of the
   vulnerability, not widely known but to either vendor or elite hacker
   or security experts)

b) Proof of concept of vulnerability (e.g. an exploit has been written,
   but is not widely available because it is not widely posted or the
   vulnerability's exploit is an old technique (like cross scripting,
   etc))

c) Popularization of vulnerability (e.g. the exploit is posted and as
   such widely available)

d) Countermeasure of vulnerability (e.g. patch/method is posted and
   widely available)

A possible time line of events (other sequences are possible/probable):

   |
  --- a)
   |
   |  t(a,b)
   |
  --- b)
   |
   |  t(b,c)
   |
  --- c)
   |
   |  t(c,d)
   |
  --- d)
   |
   |
   \/
  future

**** Question Section (Answer section below) ******

i. Can you give an estimate of the time between events a and b, b and c
   and c and d?

ii. In your opinion, for each of these times, how much influence do the
    following factors have? (on a scale from 1 to 5, 5 being the most
    influence)

    - type of vulnerability (such as buffer, race condition, etc)
    - open vs closed source (independent of vendor)
    - popularity of vulnerable software
    - vendor of software
    - other (please specify)

**** Answer Section ******

Please specify the times in days (d) or hours (h).

i. Time estimate for t(a,b):

ii. FACTORS
-----------
type of vulnerability:
open vs closed source:
popularity of vulnerable software:
vendor of software:
other:

---------------------------------------

i. Time estimate for t(b,c):

ii. FACTORS
-----------
type of vulnerability:
open vs closed source:
popularity of vulnerable software:
vendor of software:
other:

----------------------------------------

i. Time estimate for t(c,d):

ii. FACTORS
-----------
type of vulnerability:
open vs closed source:
popularity of vulnerable software:
vendor of software:
other:

+++++++++++++++++++++++++++++++++++++++++++++++++++++

Question 2)

At each point in time of these events, a particular skill level is
required to take advantage of the vulnerability. Only very skilled
hackers can take advantage of a buffer overflow condition at time a),
for instance.

**** Question Section (Answer section below) *******

What percentage of the general hacker population has the skills to
exploit a vulnerability at each of these times a), b), c) and d)?

**** Answer Section ******

Please specify exploit ability in percentage of general hacker
population, from 0-100 %.

Percentage at time at event a):
Percentage at time at event b):
Percentage at time at event c):
Percentage at time at event d):

+++++++++++++++++++++++++++++++++++++++++++++++++++

Please send your answers to bilarat_private, along with any other
comments you may have.

Thank you very much for your valuable time and expertise. It is very
much appreciated.

Daniel Bilar
ISTS, Dartmouth College
Hanover NH 03755
bilarat_private
603 646 0745
www.ists.dartmouth.edu

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the
BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Jan 28 2002 - 04:06:45 PST