[ISN] Advice sought in survey about vulnerability lifecycle, hacker ability

From: InfoSec News (isnat_private)
Date: Mon Jan 28 2002 - 00:37:40 PST

  • Next message: InfoSec News: "[ISN] Set a hacker to catch a hacker"

    Forwarded from: Daniel Bilar <bilarat_private>
    
    I am a PhD student at Dartmouth (www.ists.dartmouth.edu) and
    working on risk analysis of computer networks. I was researching
    empirical data on the time distributions in the lifecycles of a
    vulnerability and the hacker ability to exploit vulnerabilities at
    points in time in these cycles.
    
    I wrote a survey for this, & it would be nice to have at least twenty
    to thirty respondents to have a meaningful statistical result.
    
    Thanks!
    Daniel Bilar
    bilarat_private
    
    
    Daniel Bilar
    45 Lyme Road
    Suite 104
    Hanover, NH 03755
    bilarat_private
    
    
    
    Survey: Vulnerability event times and hacker ability
    ---------------------------------------------------------------
    
    Overview
    ---------
    
    This survey would like to gather data on two questions: The first one 
    is concerned with the time distribution between events in the 
    lifecycle of a vulnerability. The second one is concerned with the 
    ability, in percentage of the general hacker population, to launch a 
    succesful exploit at each of these points in time in the lifecyle of a 
    vulnerability.
    
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++
    
    Question 1)
    
    I have identified 4 events of interests in the lifecycle of a 
    vulnerability:
    
    a) Theoretical description vulnerability (e.g. the discovery of the
    vulnerability, not widely known but to either vendor or elite hacker 
    or security experts)
    
    b) Proof of concept of vulnerability (e.g. an exploit has been
    written, but is not widely available because it is not widely posted
    or the vulnerability's exploit is an old technique (like cross
    scripting, etc )
    
    c) Popularization of vulnerability (e.g. the exploit is posted and as
    such widely available)
    
    d) Countermeasure of vulnerability (e.g. patch/method is posted and
    widely available)
    
    
    A possible time line of events (other sequences are 
    possible/probable):
    
     |
    ---  a)
     |
     | t(a,b)
     |
    --- b)
     |
     | t(b,c)
     |
    --- c)
     |
     |  t(c,d)
     |
    --- d)
     |
     |
    \/
    future
    
    
    **** Question Section (Answer section below) ******
    
    i. Can you give an estimate of the time between events a and b, b and 
    c and c and d? 
    
    ii. In your opinion, for each of these times, how much influence do 
    the following factors have? (on a scale from 1 to 5, 5 being the most 
    influence)
    	
    - type of vulnerability (such as buffer, race condition, etc)
    - open vs closed source (independent of vendor)
    - popularity of vulnerable software 
    - vendor of software
    - other (please specify)	
    
    **** Answer Section ******
    
    Please specify the times in days (d) or hours (h).
    
    i. Time Estimate for t(a,b):
    
    ii. FACTORS
    -----------
    type of vulnerability:
    
    open vs closed source
    
    popularity of vulnerable software
    
    vendor of software
    
    other:
    
    ---------------------------------------
    
    i. Time estimate for t(b,c):
    
    
    ii. FACTORS
    -----------
    type of vulnerability:
    
    open vs closed source
    
    popularity of vulnerable software
    
    vendor of software
    
    other:
    
    ----------------------------------------
    
    i. Time Estimate for t(c,d):
    
    
    ii. FACTORS
    -----------
    type of vulnerability:
    
    open vs closed source
    
    popularity of vulnerable software
    
    vendor of software
    
    other:
    
    +++++++++++++++++++++++++++++++++++++++++++++++++++++
    
    Question 2)
    
    At each of point in times of these events, a particular skill level is 
    required to take advantage of the vulnerability. Only very skilled 
    hackers can take advantage of a buffer overflow condition at time a), 
    for instance.
    
    **** Question Section (Answer section below) *******
    
    What percentage of the general hacker population has the skills to
    exploit a vulnerability at each of these time a), b), c) and d) ?
    
    
    **** Answer Section ******
    
    Please specify exploit ability in percentage of general hacker 
    population, from 0-100 %.
    
    Percentage at time at event a): 
    Percentage at time at event b):
    Percentage at time at event c):
    Percentage at time at event d):
    
    
    +++++++++++++++++++++++++++++++++++++++++++++++++++
    
    Please send your answers to bilarat_private, along with any other 
    comments you may have.
    
    Thank you for much for your valuable time and expertise. It is very 
    much appreciated.
    
    Daniel Bilar
    ISTS, Dartmouth College
    Hanover NH 03755
    bilarat_private
    603 646 0745
    www.ists.dartmouth.edu
     
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Mon Jan 28 2002 - 04:06:45 PST