SwePub

Search results for "WFRF:(Holm Mathias)"

Results 41-50 of 165
41.
  • Holm, Hannes, et al. (author)
  • CySeMoL: A tool for cyber security analysis of enterprises
  • 2013
  • In: CIRED. Institution of Engineering and Technology.
  • Conference paper (peer-reviewed)
    • Abstract: The Cyber Security Modelling Language (CySeMoL) is a tool for quantitative cyber security analyses of enterprise architectures. This paper describes the CySeMoL and illustrates its use through an example scenario involving cyber attacks against protection and control assets located in an electrical substation.
42.
  • Holm, Hannes, et al. (author)
  • Effort estimates on web application vulnerability discovery
  • 2013
  • Conference paper (peer-reviewed)
    • Abstract: Web application vulnerabilities are widely considered a serious concern. However, there are as of yet scarce data comparing the effectiveness of different security countermeasures or detailing the magnitude of the security issues associated with web applications. This paper studies the effort that is required by a professional penetration tester to find an input validation vulnerability in an enterprise web application that has been developed in the presence or absence of four security measures: (i) developer web application security training, (ii) type-safe APIs, (iii) black box testing tools, or (iv) static code analyzers. The judgments of 21 experts are collected and combined using Cooke's classical method. The results show that 53 hours is enough to find a vulnerability with a certainty of 95% even though all measures have been employed during development. If no measure is employed, 7 hours is enough to find a vulnerability with 95% certainty.
43.
  • Holm, Hannes, et al. (author)
  • Empirical Analysis of System-Level Vulnerability Metrics through Actual Attacks
  • 2012
  • In: IEEE Transactions on Dependable and Secure Computing. ISSN 1545-5971, 1941-0018; 9:6, pp. 825-837
  • Journal article (peer-reviewed)
    • Abstract: The Common Vulnerability Scoring System (CVSS) is a widely used and well-established standard for classifying the severity of security vulnerabilities. For instance, all vulnerabilities in the US National Vulnerability Database (NVD) are scored according to this method. As computer systems typically have multiple vulnerabilities, it is often desirable to aggregate the scores of individual vulnerabilities to a system level. Several such metrics have been proposed, but their quality has not been studied. This paper presents a statistical analysis of how 18 security estimation metrics based on CVSS data correlate with the time-to-compromise of 34 successful attacks. The empirical data originate from an international cyber defense exercise involving over 100 participants and were collected by studying network traffic logs, attacker logs, observer logs, and network vulnerabilities. The results suggest that security modeling with CVSS data alone does not accurately portray the time-to-compromise of a system. However, results also show that metrics employing more CVSS data are more correlated with time-to-compromise. As a consequence, models that only use the weakest link (most severe vulnerability) to compose a metric are less promising than those that consider all vulnerabilities.
44.
  • Holm, Hannes, et al. (author)
  • Estimates on the effectiveness of web application firewalls against targeted attacks
  • 2013
  • In: Information Management & Computer Security. ISSN 0968-5227, 1758-5805; 21:4, pp. 250-265
  • Journal article (peer-reviewed)
    • Purpose – The purpose of this paper is to estimate the effectiveness of web application firewalls (WAFs) at preventing injection attacks by professional penetration testers given the presence or absence of four conditions: whether there is an experienced operator monitoring the WAF; whether an automated black box tool has been used when tuning the WAF; whether the individual tuning the WAF is an experienced professional; and whether significant effort has been spent tuning the WAF.
    • Design/methodology/approach – Estimates on the effectiveness of WAFs are made for 16 operational scenarios utilizing judgments by 49 domain experts participating in a web survey. The judgments of these experts are pooled using Cooke's classical method.
    • Findings – The results show that the median prevention rate of a WAF is 80 percent if all measures have been employed. If no measure is employed, its median prevention rate is 25 percent. Also, there are no strong dependencies between any of the studied measures.
    • Research limitations/implications – The results are only valid for the attacker profile of a professional penetration tester who prepares one week for attacking a WA protected by a WAF.
    • Practical implications – The competence of the individual(s) tuning a WAF, the employment of an automated black box tool for tuning and the manual effort spent on tuning are of great importance for the effectiveness of a WAF. The presence of an operator monitoring it has a minor positive influence on its effectiveness.
    • Originality/value – WA vulnerabilities are widely considered a serious concern. To manage them in deployed software, many enterprises employ WAFs. However, the effectiveness of this type of countermeasure under different operational scenarios is largely unknown.
45.
  • Holm, Hannes, et al. (author)
  • Expert assessment on the probability of successful remote code execution attacks
  • 2011
  • In: Proceedings of the 8th International Workshop on Security in Information Systems - WOSIS 2011. ISBN 9789898425614; pp. 49-58
  • Conference paper (peer-reviewed)
    • Abstract: This paper describes a study on how cyber security experts assess the importance of three variables related to the probability of successful remote code execution attacks – the presence of: (i) non-executable memory, (ii) access and (iii) exploits for High or Medium vulnerabilities as defined by the Common Vulnerability Scoring System. The rest of the relevant variables were fixed by the environment of a cyber defense exercise in which the respondents participated. The questionnaire was fully completed by fifteen experts. These experts perceived access as the most important variable and availability of exploits for High vulnerabilities as more important than for Medium vulnerabilities. Non-executable memory was not seen as significant, however, presumably due to the lack of address space layout randomization and canaries in the network architecture of the cyber defense exercise scenario.
46.
  • Holm, Hannes, et al. (author)
  • Indicators of expert judgement and their significance: An empirical investigation in the area of cyber security
  • 2014
  • In: Expert Systems (Print). Wiley. ISSN 0266-4720, 1468-0394; 3:4, pp. 299-318
  • Journal article (peer-reviewed)
    • Abstract: In situations when data collection through observations is difficult to perform, the use of expert judgement can be justified. A challenge with this approach is, however, to value the credibility of different experts. A natural and state-of-the-art approach is to weight the experts' judgements according to their calibration, that is, on the basis of how well their estimates of a studied event agree with actual observations of that event. However, when data collection through observations is difficult to perform, it is often also difficult to estimate the calibration of experts. As a consequence, variables thought to indicate calibration are generally used as a substitute for it in practice. This study evaluates the value of three such indicative variables: consensus, experience and self-proclamation. The significance of these variables is analysed in four surveys covering different domains in cyber security, involving a total of 271 subjects. Results show that consensus is a reasonable indicator of calibration. The mean Pearson correlation between these two variables across the four studies was 0.407. No significant correlations were found between calibration and experience or between calibration and self-proclamation. However, as a side result, it was discovered that a subject that perceives itself as more knowledgeable than others is likely also more experienced.
47.
  • Holm, Hannes, et al. (author)
  • P2CySeMoL: Predictive, Probabilistic Cyber Security Modeling Language
  • 2015
  • In: IEEE Transactions on Dependable and Secure Computing. IEEE Press. ISSN 1545-5971, 1941-0018; 12:6, pp. 626-639
  • Journal article (peer-reviewed)
    • Abstract: This paper presents the Predictive, Probabilistic Cyber Security Modeling Language (P2CySeMoL), an attack graph tool that can be used to estimate the cyber security of enterprise architectures. P2CySeMoL includes theory on how attacks and defenses relate quantitatively; thus, users need only model their assets and how these are connected in order to enable calculations. The performance of P2CySeMoL enables quick calculations on large object models. It has been validated on both a component level and a system level using literature, domain experts, surveys, observations, experiments and case studies.
48.
  • Holm, Hannes, et al. (author)
  • Success Rate of Remote Code Execution Attacks: Expert Assessments and Observations
  • 2012
  • In: Journal of Universal Computer Science (Online). J.UCS consortium. ISSN 0948-695X, 0948-6968; 18:6, pp. 732-749
  • Journal article (peer-reviewed)
    • Abstract: This paper describes a study on how cyber security experts assess the importance of three variables related to the probability of successful remote code execution attacks: (i) non-executable memory, (ii) access and (iii) exploits for High or Medium vulnerabilities as defined by the Common Vulnerability Scoring System. The rest of the relevant variables were fixed by the environment of a cyber defense exercise in which the respondents participated. The questionnaire was fully completed by fifteen experts. These experts perceived access as the most important variable and availability of exploits for High vulnerabilities as more important than for Medium vulnerabilities. Non-executable memory was not seen as significant. Estimates by the experts are compared to observations of actual attacks carried out during the cyber defense exercise. These comparisons show that experts in general provide fairly inaccurate advice at an abstraction level such as that of the present study. However, results also show that a prediction model constructed through expert judgment is likely of better quality if the experts' estimates are weighted according to their expertise.
49.
50.
  • Holm, Mathias, 1969, et al. (author)
  • Acute effects after occupational endotoxin exposure at a spa.
  • 2009
  • In: Scandinavian Journal of Work, Environment & Health. ISSN 0355-3140; 35:2, pp. 153-5
  • Journal article (other academic/artistic)
    • OBJECTIVES: Two spa workers reported such symptoms as fever, shivering, palpitation, arthralgia, and diarrhea after performing seaweed massages on clients at a spa center. This study was carried out to determine whether the symptoms were related to exposure to endotoxin. METHODS: Personal and stationary air sampling for the measurement of airborne endotoxin was carried out at the spa during the preparation of a bath and the following seaweed massage. In addition, the impact of storage time on the concentration of endotoxin in the seaweed was investigated. RESULTS: The measurements confirmed exposure to aerosolized endotoxin at the spa (11 ng/m² and 22 ng/m³). The endotoxin concentration in the stored seaweed increased as the storage time increased, from 360 ng/g seaweed for fresh seaweed to 33100 ng/g seaweed for seaweed stored for >20 weeks. CONCLUSIONS: Organic dust toxic syndrome was diagnosed for two workers who performed seaweed massages at a spa center at which aerosolized endotoxin was measured. In order to minimize endotoxin exposure during massages, it is important to use fresh seaweed or seaweed kept well cooled for no more than 2-3 weeks.
Publication type
journal article (147)
conference paper (11)
report (4)
other publication (1)
doctoral thesis (1)
research review (1)
Content type
peer-reviewed (144)
other academic/artistic (21)
Author/editor
Janson, Christer (79)
Holm, Mathias, 1969 (77)
Malinovschi, Andrei, ... (38)
Johannessen, A. (36)
Schlunssen, V. (34)
Franklin, Karl A. (33)
Schlunssen, Vivi (33)
Forsberg, Bertil (32)
Svanes, C. (31)
Johannessen, Ane (31)
Svanes, Cecilie (31)
Holm, Hannes (31)
Gislason, Thorarinn (30)
Ekstedt, Mathias (30)
Lindberg, Eva (28)
Jogi, Rain (26)
Gislason, T. (26)
Benediktsdottir, Bry ... (23)
Sigsgaard, Torben (21)
Heinrich, Joachim (20)
Sommestad, Teodor (18)
Benediktsdottir, B. (17)
Real, F. G. (17)
Jögi, Rain (17)
Bråbäck, Lennart (16)
Bertelsen, R. J. (16)
Torén, Kjell, 1952 (15)
Sigsgaard, T. (15)
Norbäck, Dan (14)
Heinrich, J. (13)
Jogi, R. (13)
Leynaert, Benedicte (13)
Modig, Lars (13)
Accordini, Simone (12)
Dharmage, S. C. (11)
Marcon, Alessandro (11)
Jogi, N. O. (11)
Jarvis, D. (10)
Probst-Hensch, Nicol ... (10)
Leynaert, B. (9)
Sanchez-Ramos, J. L. (9)
Oudin, Anna (9)
Orru, Hans (9)
Markevych, Iana (9)
Accordini, S. (8)
Garcia-Aymerich, Jud ... (8)
Pin, Isabelle (8)
Forsberg, Bertil, pr ... (8)
Jarvis, Debbie (8)
Wang, Juan (8)
Higher education institution
Umeå universitet (94)
Uppsala universitet (92)
Göteborgs universitet (83)
Kungliga Tekniska Högskolan (32)
Lunds universitet (12)
Karolinska Institutet (9)
Sveriges Lantbruksuniversitet (3)
Stockholms universitet (2)
Linköpings universitet (2)
Högskolan i Skövde (2)
Högskolan Dalarna (2)
Högskolan Kristianstad (1)
Chalmers tekniska högskola (1)
Language
English (164)
Swedish (1)
Research subject (UKÄ/SCB)
Medicine and health sciences (121)
Natural sciences (26)
Engineering and technology (17)
Agricultural sciences (2)
Social sciences (1)
