research-article

Windows of Vulnerability: A Case Study Analysis

Authors:

William A. Arbaugh,

William L. Fithen, and

John McHughAuthors Info & Claims

Computer, Volume 33, Issue 12

Pages 52 - 59

https://doi.org/10.1109/2.889093

Published: 01 December 2000 Publication History

Publisher Site

Abstract

The authors propose a life-cycle model for system vulnerabilities, applying to three case studies to show how systems remain vulnerable long after security fixes are available. Complex information and communication systems give rise to design, implementation, and management errors, leading to a vulnerability in an information technology product that can allow security policy violations.Using their vulnerability life-cycle model, the authors present a case study analysis of specific computer vulnerabilities. For each case, the authors provide background information about the vulnerability, such as how attackers exploited it and which systems were affected. They tie the case to the life-cycle model by identifying the dates for each state within the model. Finally, they use a histogram of reported intrusions to show the life of the vulnerability and conclude with an analysis specific to the particular vulnerability.

References

[1]

J.D. Howard, "An Analysis of Security Incidents on the Internet," Engineering and Public Policy, Carnegie Mellon Univ., Pittsburgh, 1997.

Crossref

Google Scholar

[2]

Government Accounting Office, Information Security: Computer Attacks at Department of Defense Pose Increasing Risks, Washington, D.C., 1996.

Google Scholar

[3]

B. Schneier, Closing the Window of Exposure: Reflections on the Future of Security, Securityfocus.com, 2000, http://www.securityfocus.com/templates/forum_message.html?forum=2&head=3384&id=3384.

Google Scholar

[4]

K. Kendall, "A Database of Computer Attacks for the Evaluation of Intrusion Detection Systems," BS/MS thesis, June 1999.

Google Scholar

[5]

J. Myers, "CGI Security: Escape Newlines," Bugtraq, 1996, http://www.securityfocus.com/archive/1/4262.

Google Scholar

[6]

M. Crispin, "RFC206—Internet Message Protocol" —version 4, revision 1, Internet Engineering Task Force, 1996.

Google Scholar

[7]

D. Sacerdote, "imapd and ipop3d hole," 1997, Bugtraq, http://www.securityfocus.com/archive/1/6370.

Google Scholar

[8]

CERT Coordination Center, CERT Advisory CA-1997-09: "Vulnerability in IMAP and POP," http://www.cert.org/advisories/CA-1997-09.html, Pittsburgh, 1997.

Google Scholar

[9]

T. Gray, "Attention: Please Update Your Imapd," pine-announce, 1998, http://www.washington.edu/pine/pine-info/1998.07/msg00062.html

Google Scholar

[10]

Anonymous, "EMERGENCY: New Remote Root Exploit in UW imapd," 1998, Bugtraq, http://www.securityfocus.com/archive/1/9929.

Google Scholar

[11]

CERT Coordination Center, CERT Advisory CA-1998-.09.imapd: "Buffer Overflow in Some Implementations of IMAP Servers," http://www.cert.org/advisories/CA-1998.09.imapd.html, 1998.

Google Scholar

[12]

CERT Coordination Center, CERT Advisory CA-98.05.bind_problems, "Multiple Vulnerabilities in BIND," http://www.cert.org/advisories/CA-1998.05.bind_problems.html, 1998.

Google Scholar

Cited By

View all

Zhu YYu L(2023)Key Node Identification Based on Vulnerability Life Cycle and the Importance of Network TopologyInternational Journal of Digital Crime and Forensics10.4018/IJDCF.31710015:1(1-16)Online publication date: 20-Jan-2023
https://dl.acm.org/doi/10.4018/IJDCF.317100
Pauley EBarford PMcDaniel PMontpetit MLeivadeas AUhlig SJaved M(2023)The CVE Wayback Machine: Measuring Coordinated Disclosure from Exploits against Two Years of Zero-DaysProceedings of the 2023 ACM on Internet Measurement Conference10.1145/3618257.3624810(236-252)Online publication date: 24-Oct-2023
https://dl.acm.org/doi/10.1145/3618257.3624810
Mohd Kassim SLi SArief B(2023)Understanding How National CSIRTs Evaluate Cyber Incident Response Tools and Data: Findings from Focus Group DiscussionsDigital Threats: Research and Practice10.1145/36092304:3(1-24)Online publication date: 6-Oct-2023
https://dl.acm.org/doi/10.1145/3609230
Show More Cited By

Index Terms

Windows of Vulnerability: A Case Study Analysis
1. Security and privacy
2. Social and professional topics
  1. Computing / technology policy
    1. Computer crime
  2. Professional topics
    1. Management of computing and information systems
      1. File systems management
      2. System management

Recommendations

Side-channel vulnerability factor: a metric for measuring information leakage
ISCA '12

There have been many attacks that exploit side-effects of program execution to expose secret information and many proposed countermeasures to protect against these attacks. However there is currently no systematic, holistic methodology for understanding ...
Read More
Side-channel vulnerability factor: a metric for measuring information leakage
ISCA '12: Proceedings of the 39th Annual International Symposium on Computer Architecture

There have been many attacks that exploit side-effects of program execution to expose secret information and many proposed countermeasures to protect against these attacks. However there is currently no systematic, holistic methodology for understanding ...
Read More
Hacking Exposed Windows 2000: Network Security Secrets and Solutions
Read More

Comments

Information & Contributors

Information

Published In

Computer Volume 33, Issue 12

December 2000

98 pages

ISSN:0018-9162

Staff:
Computer Staff

Issue’s Table of Contents

Publisher

IEEE Computer Society Press

Washington, DC, United States

Publication History

Published: 01 December 2000

Qualifiers

Research-article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

79
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Other Metrics

View Author Metrics

Citations

Cited By

View all

Zhu YYu L(2023)Key Node Identification Based on Vulnerability Life Cycle and the Importance of Network TopologyInternational Journal of Digital Crime and Forensics10.4018/IJDCF.31710015:1(1-16)Online publication date: 20-Jan-2023
https://dl.acm.org/doi/10.4018/IJDCF.317100
Pauley EBarford PMcDaniel PMontpetit MLeivadeas AUhlig SJaved M(2023)The CVE Wayback Machine: Measuring Coordinated Disclosure from Exploits against Two Years of Zero-DaysProceedings of the 2023 ACM on Internet Measurement Conference10.1145/3618257.3624810(236-252)Online publication date: 24-Oct-2023
https://dl.acm.org/doi/10.1145/3618257.3624810
Mohd Kassim SLi SArief B(2023)Understanding How National CSIRTs Evaluate Cyber Incident Response Tools and Data: Findings from Focus Group DiscussionsDigital Threats: Research and Practice10.1145/36092304:3(1-24)Online publication date: 6-Oct-2023
https://dl.acm.org/doi/10.1145/3609230
Okutan AMell PMirakhorli MKhokhlov ISantos JGonzalez DSimmons S(2023)Empirical Validation of Automated Vulnerability Curation and CharacterizationIEEE Transactions on Software Engineering10.1109/TSE.2023.325047949:5(3241-3260)Online publication date: 1-May-2023
https://dl.acm.org/doi/10.1109/TSE.2023.3250479
Guo JLong KYang KJiang KLu LWang C(2023)A novel prediction method for vulnerability outbreak trendComputers and Electrical Engineering10.1016/j.compeleceng.2023.108743108:COnline publication date: 1-May-2023
https://dl.acm.org/doi/10.1016/j.compeleceng.2023.108743
Prakash VXie SHuang DTorres-Arias SMelara MSimon L(2022)Inferring Software Update Practices on Smart Home IoT Devices Through User Agent AnalysisProceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses10.1145/3560835.3564551(93-103)Online publication date: 11-Nov-2022
https://dl.acm.org/doi/10.1145/3560835.3564551
Householder ASpring J(2022)Are We Skillful or Just Lucky? Interpreting the Possible Histories of Vulnerability DisclosuresDigital Threats: Research and Practice10.1145/34774313:4(1-28)Online publication date: 7-Feb-2022
https://dl.acm.org/doi/10.1145/3477431
Feng XLiao XWang XWang HLi QYang KZhu HSun LHeninger NTraynor P(2019)Understanding and securing device vulnerabilities through automated bug report analysisProceedings of the 28th USENIX Conference on Security Symposium10.5555/3361338.3361400(887-903)Online publication date: 14-Aug-2019
https://dl.acm.org/doi/10.5555/3361338.3361400
Horawalavithana SBhattacharjee ALiu RChoudhury NO. Hall LIamnitchi A(2019)Mentions of Security Vulnerabilities on Reddit, Twitter and GitHubIEEE/WIC/ACM International Conference on Web Intelligence10.1145/3350546.3352519(200-207)Online publication date: 14-Oct-2019
https://dl.acm.org/doi/10.1145/3350546.3352519
Russo EDi Sorbo AVisaggio CCanfora G(2019)Summarizing vulnerabilities’ descriptions to support experts during vulnerability assessment activitiesJournal of Systems and Software10.1016/j.jss.2019.06.001156:C(84-99)Online publication date: 1-Oct-2019
https://dl.acm.org/doi/10.1016/j.jss.2019.06.001
Show More Cited By

Abstract

References

Cited By

Index Terms

Recommendations

Side-channel vulnerability factor: a metric for measuring information leakage

Side-channel vulnerability factor: a metric for measuring information leakage

Hacking Exposed Windows 2000: Network Security Secrets and Solutions

Comments

Information

Published In

Publisher

Publication History

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations