Source: ieomsociety.org/ieom2020/papers/810.pdf (2020-03-16)

Proceedings of the International Conference on Industrial Engineering and Operations Management

Dubai, UAE, March 10-12, 2020

© IEOM Society International

Critical Analysis of Software Vulnerabilities through Data Analytics

Mastan Rao Parimi

Research Associate

Amrita Vishwa Vidyapeetham

Bengaluru, India

[email protected]

Prof. Shekar Babu PhD

Professor & Founding Head

Amrita Vishwa Vidyapeetham

Bengaluru, India

[email protected]

Abstract

One of the main security risks in information technology (IT) is software vulnerability. A vulnerability, when exploited by an attack, can cause catastrophic losses to the system. Many vulnerabilities are explored and discovered in computing systems, and their number has increased many-fold. Security vulnerabilities span entire networks and large organisations and have to be mitigated by information security engineers on a regular, routine basis. One of the key challenges for Information Technology (IT) system administrators is how to tackle these vulnerabilities and, more specifically, which vulnerability to prioritize. All companies recognize the importance of and need for prioritizing these vulnerabilities. It is not only important to prioritize the vulnerabilities; it is imperative to utilize a vulnerability evaluation system. The significant role of the vulnerability evaluation system is to separate these vulnerabilities from each other through quantitative and qualitative methods. In this paper, we first review, both qualitatively and quantitatively, the various vulnerabilities within an existing large global multinational company. We explore and analyze 30,000 vulnerabilities across a 3-month time period. The 30,000 vulnerabilities are captured using automated software from individual systems and the network within the company. The software detects the vulnerabilities and the various characteristics associated with them and assigns severity levels based on the severity of the vulnerability. The severity is assigned a score from 1 to 5, with 1 being the least severe. The vulnerabilities captured span 20 different lab environments and different operating systems, with various severity levels. The CVSS vulnerability scoring system was utilized for data from one of the biggest multinational companies, captured from within their environment. The researchers analyzed the vulnerabilities using their various parameters and studied the inherent patterns within the environment. Various variables were analyzed critically as part of the descriptive analytics. The vulnerabilities were analyzed across the labs. Then each lab was analyzed using variables like OS, severity level, IDs, status of vulnerabilities, CVSS scores, Access Vector, Attack Complexity, Confidentiality, Integrity, Availability, Exploitability, Systems, categories of systems, Ports, PCI,

Keywords

Vulnerability, CVSS, Qualys

1. Introduction

Vulnerability Management is the process within Information/Cyber Security or Network Security by which any vulnerabilities within the system are identified by the organization. Organizations handle Vulnerability Management in various ways, ranging from training to filtering out all the dangerous threats. With Vulnerability Management, companies are able to reduce security breaches. Some findings may not be threats, so it is hard for companies to figure out which to address and in what order, especially for a large network.

Vulnerabilities are hard to find, and if vulnerabilities exist there are chances for breaches. Cyber Security deals with patching those vulnerabilities even before breaches can get into the system. The major issue in Cyber Security is that a lot of vulnerabilities can exist. Vulnerabilities can become liabilities to the entire network if not taken care of. Old software versions or OSs that have not been updated can also cause vulnerabilities within the system. Sometimes users can also become vulnerabilities, especially through phishing.

Competitive landscape in Cyber Security

Since Information Technology is advancing day by day, the chances of cyber-attacks are increasing day by day. Companies in Cyber Security prepare themselves to stay out of the danger zone. As per Gartner's prediction, in 2018 security spending will rise sharply globally, reaching around $93 billion. This also means there is a rapid increase in job opportunities in the cyber security industry. The Cybersecurity Ventures report predicts that by 2021 there will be 3.5 million cybersecurity job openings, all of which will be unfilled. Funds used to prevent cyber-attacks will be distributed to detect security threats and to remain operational during attacks.

In times of technological advancement, especially IoT (Internet of Things), protecting customer data is more important. Vulnerabilities that expose sensitive customer data can cause serious consequences for companies. Companies will be held responsible for personal data in future, so it is important for technology companies to ensure a degree of security for their users. As cyber-attacks increase day by day, companies need to come up with strategies to minimize the rate of security risk or data breach. New technological innovations aid cyber criminals in using sophisticated methods to break in through vulnerabilities. The same technology can be used to build and strengthen defense systems against hackers. Although Artificial Intelligence is used to detect potential risk factors, it will also turn out to be a major threat. However, data gained through internet-based platforms will help in detecting breaches early.

Vulnerability Management in Context of Cyber Security

Cyber Security refers to the set of techniques, processes and practices employed to protect computers, networks and programs from unauthorized access, attack or damage. Security also involves tracking and stopping malpractice by operators inside as well as outside the company. Cyber security is now considered one of the important functions of the organization due to high reliance on computers, the internet, wireless networks and smart devices. Lapses in cyber security leave the organization vulnerable to data loss, legal issues and depreciation of brand image. Hence, companies take measures for vulnerability management.

Vulnerability management is a cyclical process of identifying, analyzing, modelling and simulating the potential impact and risk. This evaluation creates a plan to remediate threats and weaknesses. Vulnerability management is needed because we need to identify and manage vulnerabilities; only through this exercise can an organization prevent attackers from penetrating their network and stealing


The structure of a vulnerability management system consists of a database management block, vulnerability selection block, patch management block, security enhancement block and vulnerability assessment block. The database block has the function of constructing and managing the vulnerability database. There are two types of vulnerability database: public and private. The vulnerability selection block selects the most destructive vulnerabilities among those found, to work on first. The patch management block checks whether a patch exists for a vulnerability and, if not, works out a software patch by connecting with patch management software. The security enhancement block analyses which security solution is needed to secure the vulnerability and the degree of security enhancement obtained while applying the solution. The vulnerability assessment block assesses the vulnerability severity and the existence of security solutions (Kim, Oh et al., 2013).

Vulnerability management's five primary objectives have been defined by Core Security in their white paper:

Discover and Categorize your assets. Maintain a database of all attached IP devices and scan by focusing on a particular IP or range of addresses. Identify assets based on business risk. In this step, isolate critical assets that have high value and an adverse effect on business processes.

Scan for Vulnerabilities. The network is scanned for vulnerabilities and the results are normalized and consolidated.

Prioritize Vulnerabilities. Pre-define what types of threats are considered high risk and manage them to reduce overload in "high severity" vulnerabilities. Generate attack paths to high-risk assets. Attack paths show the critical assets and their topography. This will help to lock down essential areas in the network that could lead an adversary to critical data.

Remediate. Patch. Monitor. Vulnerable data found through scanning and consolidation should be translated into remediation action through patch or service tools.

Validate. Validate the remediation to see if the new results have addressed the vulnerabilities (Core Security, 2016).
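The prioritize, remediate and validate steps above, as an added Python example that is not part of the paper or of the Core Security white paper: a pre-defined high-risk rule built from the CVSS vector fields the paper analyzes, an asset-criticality-weighted ranking, and a validation step that diffs two scan snapshots into the Active/Fixed/New/Re-Opened statuses the paper's Table 1 uses. The Finding fields, host names, QIDs and criticality table are all constructed for the example.

```python
"""Prioritize, remediate and validate scan findings (added example, not from the paper).

Models the Core Security loop the paper paraphrases: pre-defined high-risk
criteria drive prioritization, and a validation step compares two scan
snapshots to derive the same finding statuses the paper's Table 1 uses
(Active, Fixed, New, Re-Opened). All field names and sample findings are
constructed for this example; they are not the paper's dataset.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str               # asset identifier (constructed, e.g. "lab03-web01")
    qid: int                # scanner vulnerability id (constructed)
    severity: int           # scanner severity 1..5, as in the paper
    cvss: float             # CVSS base score 0.0..10.0
    access_vector: str      # "N" network, "A" adjacent, "L" local
    attack_complexity: str  # "L", "M", "H"
    confidentiality: str    # "C" complete, "P" partial, "N" none
    integrity: str
    availability: str


# Business criticality of assets, discovered and categorised beforehand (step 1).
# Constructed values: 3 = critical, 1 = low value.
ASSET_CRITICALITY = {"lab03-web01": 3, "lab03-db01": 3, "lab07-build02": 1}


def is_high_risk(f: Finding) -> bool:
    """Pre-defined 'high risk' rule (step 3): reachable over the network,
    cheap to exploit, and complete loss of at least one CIA property."""
    return (f.access_vector == "N" and f.attack_complexity == "L"
            and "C" in (f.confidentiality, f.integrity, f.availability))


def priority_score(f: Finding) -> float:
    """Rank by scanner severity, CVSS and asset criticality; high-risk
    findings get a bonus so they float above lower-value noise."""
    crit = ASSET_CRITICALITY.get(f.host, 1)
    return f.severity * 10 + f.cvss + crit * 5 + (20 if is_high_risk(f) else 0)


def prioritize(findings):
    """Return findings ordered for remediation, highest priority first."""
    return sorted(findings, key=priority_score, reverse=True)


def validate(previous, current, ever_fixed):
    """Step 5: derive the status of every (host, qid) pair from two snapshots.
    `ever_fixed` is the set of pairs reported Fixed in any earlier run, so
    their reappearance is classified Re-Opened rather than New."""
    prev = {(f.host, f.qid) for f in previous}
    curr = {(f.host, f.qid) for f in current}
    status = {}
    for key in prev | curr:
        if key in prev and key in curr:
            status[key] = "Active"      # still present after remediation window
        elif key in prev:
            status[key] = "Fixed"       # gone from the new scan
        elif key in ever_fixed:
            status[key] = "Re-Opened"   # came back after being fixed before
        else:
            status[key] = "New"
    return status


# Constructed scan snapshots (not real data).
SCAN_T0 = [
    Finding("lab03-web01", 91001, 5, 9.8, "N", "L", "C", "C", "C"),
    Finding("lab03-db01", 91002, 4, 7.5, "N", "L", "C", "N", "N"),
    Finding("lab07-build02", 91003, 3, 5.0, "L", "M", "P", "P", "N"),
    Finding("lab07-build02", 91004, 2, 3.1, "A", "H", "N", "N", "P"),
]
SCAN_T1 = [
    Finding("lab03-web01", 91001, 5, 9.8, "N", "L", "C", "C", "C"),   # still there
    Finding("lab07-build02", 91003, 3, 5.0, "L", "M", "P", "P", "N"),
    Finding("lab03-db01", 91005, 3, 6.4, "N", "M", "P", "P", "P"),    # new
    Finding("lab07-build02", 91006, 1, 2.0, "L", "H", "N", "N", "P"), # re-opened
]
EVER_FIXED = {("lab07-build02", 91006)}

if __name__ == "__main__":
    for f in prioritize(SCAN_T0):
        print(f"{priority_score(f):6.1f}  sev{f.severity}  {f.host}  QID {f.qid}")
    for key, st in sorted(validate(SCAN_T0, SCAN_T1, EVER_FIXED).items()):
        print(key, st)
```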

Traditionally, competitive intelligence is the action of gathering, defining, sorting and analyzing information regarding the environment the company operates in, the products in that environment and the competitors in the marketplace, in order to form a business strategy. Jason Polancich, founder and Chief Architect at SurfWatch Labs, says competitive intelligence is another name for cyber intelligence. According to him, cyber security is to be treated like all important business problems, which use intelligence gathering, tools and analysis to provide solutions (Polancich, 2015). The cyber security market is growing at a rapid pace and becoming highly competitive due to the existence of prominent players in the market. These players are becoming increasingly vigilant due to the increased cyber threat landscape. Hence, they have increased their service lines to even accommodate unforeseen cyber-attacks. The competitive advantage for these companies is achieved through "Trust" in the company's service; the three core tenets used for providing security to their customers are detection, prevention and reaction. In addition, they also differentiate themselves in the solutions they provide. For example, Symantec Corporation offers unified security analytics to its clients to access big data analytics and also real-time global threats. A few notable players are Symantec Corporation, Cisco Systems Inc., Check Point Software Technologies Ltd, Fortinet Inc., IBM Security and Herjavec Group (Grand View Research, 2018). In addition, some companies are also focusing on training their employees in security. KnowBe4, a fast-growing security awareness training provider, has signed a deal with the famous hacker Kevin Mitnick to turn Mitnick's know-how into a series of programs to train students/users on how to detect malware and phishing attacks (Morgan, 2016).

Anomaly detection is emerging as an important approach to vulnerability management. Many security processes are built on identifying malicious activity by monitoring patterns and stopping it before damage is caused. The common form of identification is through fingerprint matching, but fingerprint tracking has its drawbacks, and anomaly detection has been promising in vulnerability management. Anomaly detection recognizes unusual activity that departs from the normal pattern and raises a signal for investigation. Anomaly detection should be managed and updated as the baseline changes over time (Alert Logic, 2012).

2. Literature Review

The authors have done an extensive literature review. The different literature reviews indicate the vast body of studies across the areas of tools and the various security mechanisms. Security approaches are used as mechanisms that are combined during secure web application development using a well-defined or systematic method such as run-time analysis, code analysis, comparison methods, MITRE/CVSS scoring, etc. The authors observed a common methodology across some of the reviews, which included quantitative evaluation and code testing.

It can be seen that an E-Voting mechanism was implemented using model-oriented security in (P. Saini et al. 2012). Different vulnerability management tools have been studied as per (Ashika Pandey et al. 2014, Mattia Monga et al. 2008, Lwin Khin Shar et al. 2012, Davide Balzarotti et al. 2008, Viktoria Felmetsger et al. 2010, Trevor Jim et al. 2007, Iván Arce 2008). Some of these tools are the run-time mechanism used in the H2S framework, Safer XSS, Saner, Waler's architecture and Browser-Enforced Embedded Policies (BEEP). Code analysis mechanisms, input parameter analysis and MiMoSA were studied by (Romaric Ludinard et al. 2012, Theodoor Scholte et al. 2013, Lie et al. 2010, Abdelkader Lahmadi et al. 2012, Michael D. Bond et al. 2010, Santa Barbara 2007, Yao-Wen Huang et al. 2004, Yao-Wen Huang et al. 2003). Taint analysis using the Web Application Protection (WAP) tool was studied by (Ibéria Medeiros et al. 2013). A comparison method for vulnerabilities catalogued by CERT was studied by (Dr Maria Papadaki and Prof Steven Furnell). A MITRE and CVSS scoring mechanism using analysis of the global public vulnerability research market was studied in (Frost and Sullivan 2017). The SVIDT method and scenario analysis with BEPA data used in the analysis of Digital Threat and Vulnerability Management are seen in (Roland W. Scholz, 2017).

3. Analysis

A descriptive analysis was performed on 32,164 vulnerabilities over 11,353 systems/devices across 20 network labs. From figure 1, Linux, Cisco and VMware have the highest number of vulnerabilities, with 50% of the data. Among the top 10 operating systems, the various types of Linux (such as Ubuntu, Fedora) have the highest number of vulnerabilities. From figure 2, severity level 4 and level 5 vulnerabilities are more common on Linux and VMware. Linux is prone to vulnerabilities.

Figure 1. Vulnerabilities across various Operating Systems.


Figure 2. Vulnerabilities across various operating systems with severity level 4 and level 5.

From figure 3, the general remote services have the highest number of vulnerabilities. Second to general remote services is VMware.

Figure 3. Vulnerabilities across various categories of systems/devices.

From figure 4 and table 1, 82% of vulnerabilities are active and 11% of vulnerabilities are new. Vulnerabilities with severity level 3 are the most likely to be re-opened.


Figure 4. Status of vulnerabilities.

Table 1. Status summary of vulnerabilities (count of masked IPs by vulnerability status and severity level)

Status        Severity 1   Severity 2   Severity 3   Severity 4   Severity 5    Total
Active               474         6512         7992         8193         3817    26988
Fixed                 72          942          799          747          845     3405
New                   20          313          523          160          133     1149
Re-Opened             13          154          271           77          107      622
Grand Total          579         7921         9585         9177         4902    32164

From figure 5, the vulnerabilities that can be exploited over the network are the highest in number.

Figure 5. Access Vector; A – Adjacent, L – Local, N – Network.


Figure 6. Attack Complexity; H – High, L – Low, M – Medium.

From figure 6, vulnerabilities that can be exploited with low and medium attack complexity are high in number; 58% have low attack complexity. Vulnerabilities with severity level 3 and medium complexity make up 32% of the data.

From figure 7, 8% of vulnerabilities have a partial impact on the confidentiality of data. Severity 4 and 5 vulnerabilities are high in number among those with complete impact on confidentiality.

Figure 7. Confidentiality; C – Complete, N – None, P – Partial


Figure 8. Integrity; C – Complete, N – None, P – Partial

From figure 8, the majority of the vulnerabilities have partial or no impact on the integrity of the system. But severity 5 vulnerabilities are high in number among those with complete impact on the integrity of the system.

Figure 9. Availability; C – Complete, N – None, P – Partial

The majority of the vulnerabilities have partial or no impact on the integrity of the system. But severity 5 vulnerabilities are high in number among those with complete impact on the integrity of the system.


Figure 10. CVSS score distribution across various severity levels.

Figure 11. CVSS3 score distribution across severity levels.

From figure 10 and figure 11, the distribution of CVSS scores across the severity levels is uniform. Severity level 1 has a range of 0.0 to 3.8, severity level 2 a range of 0.0 to 6.8, severity level 3 a range of 1.3 to 9.0, severity level 4 a range of 1.9 to 9.0 and severity level 5 a range of 1.6 to 10.0. The distribution of CVSS3 scores across the severity levels shows a similar pattern, and most vulnerabilities do not have CVSS3 scores. From figure 12, the correlation between CVSS and severity is 0.5, which indicates that they are not related to each other. Similarly, the correlation between severity and CVSS3 is 0.51.

Figure 12. Correlation between CVSS and Severity
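The descriptive analytics reported above (status by severity as in Table 1, CVSS range per severity level as in figures 10 and 11, and the CVSS-versus-severity correlation of figure 12), as an added Python example; this is not the authors' code, and the column names and CSV rows are constructed sample data, not the Qualys export analyzed in the paper.

```python
"""Descriptive analytics over scan findings (added example, not the paper's code).

Rebuilds the analyses the paper reports on its scanner export: a status x
severity crosstab in the shape of Table 1, the CVSS range per severity level
(figures 10-11), the Pearson correlation between CVSS score and severity
(figure 12) and the re-open share per severity level. The CSV rows below are
constructed sample data with column names assumed for the example.
"""
import csv
import io
import math
from collections import Counter

SEVERITIES = (1, 2, 3, 4, 5)
STATUSES = ("Active", "Fixed", "New", "Re-Opened")

# Constructed export: one row per (masked IP, vulnerability). "CVSS3" is blank
# where the scanner reported no CVSS v3 score, as the paper observes for most rows.
SAMPLE_CSV = """IP,Status,Severity,CVSS,CVSS3,AccessVector
10.0.1.5,Active,5,9.3,9.8,N
10.0.1.5,Active,4,7.5,,N
10.0.1.9,Fixed,3,6.8,7.5,N
10.0.2.3,New,2,4.3,,A
10.0.2.3,Active,3,5.0,,L
10.0.2.7,Re-Opened,3,6.4,,N
10.0.3.1,Active,1,2.6,,L
10.0.3.1,Active,5,10.0,9.8,N
10.0.3.4,Fixed,4,7.2,,N
10.0.3.4,Active,2,5.8,,N
"""


def load_findings(text):
    """Parse the export; cast numeric columns and map a blank CVSS3 to None."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ip": r["IP"],
            "status": r["Status"],
            "severity": int(r["Severity"]),
            "cvss": float(r["CVSS"]),
            "cvss3": float(r["CVSS3"]) if r["CVSS3"] else None,
            "access_vector": r["AccessVector"],
        })
    return rows


def status_by_severity(rows):
    """Table 1 shape: {status: {severity: count, "total": n}}."""
    table = {s: {sev: 0 for sev in SEVERITIES} for s in STATUSES}
    for r in rows:
        table[r["status"]][r["severity"]] += 1
    for s in STATUSES:
        table[s]["total"] = sum(table[s][sev] for sev in SEVERITIES)
    return table


def cvss_range_by_severity(rows, field="cvss"):
    """(min, max) of the score per severity level, skipping missing scores."""
    out = {}
    for sev in SEVERITIES:
        scores = [r[field] for r in rows
                  if r["severity"] == sev and r[field] is not None]
        out[sev] = (min(scores), max(scores)) if scores else None
    return out


def pearson(xs, ys):
    """Plain Pearson r, written out so the example has no dependencies."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy)


def severity_score_correlation(rows, field="cvss"):
    """Correlation between scanner severity and the CVSS (or CVSS3) score,
    computed only over rows that actually carry that score."""
    pairs = [(r["severity"], r[field]) for r in rows if r[field] is not None]
    return pearson([p[0] for p in pairs], [p[1] for p in pairs])


def reopen_rate_by_severity(rows):
    """Share of each severity level's findings that are in Re-Opened status."""
    total = Counter(r["severity"] for r in rows)
    reopened = Counter(r["severity"] for r in rows if r["status"] == "Re-Opened")
    return {sev: reopened[sev] / total[sev] for sev in total}


if __name__ == "__main__":
    rows = load_findings(SAMPLE_CSV)
    print(status_by_severity(rows))
    print(cvss_range_by_severity(rows))
    print(f"r(severity, CVSS) = {severity_score_correlation(rows):.2f}")
    print(reopen_rate_by_severity(rows))
```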

4. Conclusions

The authors explored and analyzed the various vulnerabilities within a large enterprise that has multiple systems, OSs, labs, networks and devices. They explored and analyzed the different criticalities of vulnerabilities across time, across multiple organizations and across various severity levels. The authors also looked for a correlation between the vulnerability scores and their severity levels, only to note that there is very little correlation.

5. References

Ge, X., Paige, R.F., Polack, F.A., Chivers, H. and Brooke, P.J. (2006) Agile Development of Secure Web Applications. Proceedings of the 6th International Conference on Web Engineering, Palo Alto, 11-14 July 2006, 305-312.

Norwawi, N.M. and Selamat, M.H. (2011) Secure E-Commerce Web Development Framework. Information Technology Journal, 10, 769-778.

McGraw, G. and Viega, J. (2002) Building Secure Software. In RTO/NATO Real-Time Intrusion Detection Symp.

Mouratidis, H., Jürjens, J. and Fox, J. (2006) Towards a Comprehensive Framework for Secure Systems Development. Advanced Information Systems Engineering. Springer, Berlin Heidelberg, 48-62. http://dx.doi.org/10.1007/11767138_5

Keele, S. (2007) Guidelines for Performing Systematic Literature Reviews in Software Engineering. Technical Report, EBSE Technical Report EBSE-2007-01, 1-57.

Cachia, E. and Micallef, M. (2007) A Multi-Tier, Multi-Role Security Framework for E-Commerce Systems. 14th Annual IEEE International Conference and Workshops on the Engineering of Computer-Based Systems, Tucson, 26-29 March 2007, 422-432.

Lipner, S. (2004) The Trustworthy Computing Security Development Lifecycle. 20th Annual Computer Security Applications Conference, Washington, 6-10 December 2004, 2-13. http://dx.doi.org/10.1109/csac.2004.41

Sulayman, M. and Mendes, E. (2009) A Systematic Literature Review of Software Process Improvement in Small and Medium Web Companies. Advances in Software Engineering. Springer, Berlin Heidelberg, 1-8. http://dx.doi.org/10.1007/978-3-642-10619-4_1

Shar, L.K. and Tan, H.B.K. (2012) Automated Removal of Cross Site Scripting Vulnerabilities in Web Applications. Information and Software Technology, 54, 467-478. http://dx.doi.org/10.1016/j.infsof.2011.12.006

Avancini, A. and Ceccato, M. (2013) Comparison and Integration of Genetic Algorithms and Dynamic Symbolic Execution for Security Testing of Cross-Site Scripting Vulnerabilities. Information and Software Technology, 55, 2209-2222. http://dx.doi.org/10.1016/j.infsof.2013.08.001

Jang, Y.S. and Choi, J.Y. (2014) Detecting SQL Injection Attacks Using Query Result Size. Computers & Security, 44, 104-118. http://dx.doi.org/10.1016/j.cose.2014.04.007

Goseva-Popstojanova, K., Anastasovski, G., Dimitrijevikj, A., Pantev, R. and Miller, B. (2014) Characterization and Classification of Malicious Web Traffic. Computers & Security, 42, 92-115. http://dx.doi.org/10.1016/j.cose.2014.01.006

Shahriar, H., Weldemariam, K., Zulkernine, M. and Lutellier, T. (2014) Effective Detection of Vulnerable and Malicious Browser Extensions. Computers & Security, 47, 66-84. http://dx.doi.org/10.1016/j.cose.2014.06.005

Scholte, T., Balzarotti, D. and Kirda, E. (2012) Have Things Changed Now? An Empirical Study on Input Validation Vulnerabilities in Web Applications. Computers & Security, 31, 344-356. http://dx.doi.org/10.1016/j.cose.2011.12.013

Woo, S.W., Joh, H., Alhazmi, O.H. and Malaiya, Y.K. (2011) Modeling Vulnerability Discovery Process in Apache and IIS HTTP Servers. Computers & Security, 30, 50-62. http://dx.doi.org/10.1016/j.cose.2010.10.007

Awoleye, O.M., Ojuloge, B. and Ilori, M.O. (2014) Web Application Vulnerability Assessment and Policy Direction towards a Secure Smart Government. Government Information Quarterly, 31, S118-S125. http://dx.doi.org/10.1016/j.giq.2014.01.012

Buja, G., Bin Abd Jalil, K., Bt Hj Mohd Ali, F. and Rahman, T.F.A. (2014) Detection Model for SQL Injection Attack: An Approach for Preventing a Web Application from the SQL Injection Attack. Proceedings of the 2014 IEEE Symposium on Computer Applications and Industrial Electronics (ISCAIE), Penang, 7-8 April 2014, 60-64.


Biographies

Parimi Mastan Rao is a research associate at "Amrita Center for Responsible Innovations and Sustainable Enterprises" ("ARISE" Labs) within Amrita Vishwa Vidyapeetham, Bangalore campus. Mr. Rao holds a Bachelor of Technology in Electronics and Communication Engineering from Vignan's Foundation for Science, Technology & Research (VFSTR) University, a Master of Business Administration (MBA) in Marketing Management from Amrita Vishwa Vidyapeetham and a Master of Science (MS) in Business Analytics and Systems from The State University of New York (SUNY) at Buffalo. He also holds a Postgraduate Diploma (PGD) in Data Science from Manipal Academy of Higher Education (Manipal University). His research interests include Business Analytics, Data-driven Business Solutions and Artificial Intelligence.

Shekar Babu Ph.D. is the Professor and Director of "AMRITA Center for Responsible Innovations and Sustainable Enterprises" ("ARISE" Labs). He is also the Founding Head, Department of Management (DoM), Bangalore Campus, AMRITA Vishwa Vidyapeetham University, Bangalore, India. Dr. Shekar holds a Bachelor of Engineering (BE) degree in Electronics and Communications from Bangalore University, a Master of Science (MS) degree in Electrical and Computer Science from California State University, Los Angeles and a Doctoral Degree in Strategic Management from Amrita University. He is a Management Consultant with over 25 years of experience working at Price Waterhouse, Hewlett-Packard Co and AMRITA University. His research areas are Corporate Social Responsibility (CSR), Corporate Governance (CG), Strategy and Social Development and Sustainable Goals (SDG). He has taught courses in Marketing, Leadership, Management Consulting and Business Ethics and Values.