Improving distributed vulnerability assessment model of cybersecurity

Authors:
Kálmán Hadarics, University of Dunaújváros
Ferenc Leitold, Secudit Ltd.

Abstract:

In the digital age more and more services and data are available over the Internet. Companies and public organizations becoming increasingly vulnerable related to hacks and cyberattacks. In order to provide successful online services, effective security initiatives and targeted protections are necessary to mitigate security risks. Effective cybersecurity more than deploying firewalls and other security software (e.g. antivirus, intrusion detection/prevention systems.). Through risk assessment and risk management practices we can identify critical parts of information systems and can transform them into security tactics. Furthermore in the Distributed Vulnerability Assessment (DVA) model three factors are identified: (1) characteristics and prevalence of cyber-threats, (2) vulnerabilities of IT infrastructure and its components and processes, (3) vulnerabilities deriving from users’ behavior. In this paper, we examine and improve our mathematical model of Distributed Vulnerability Assessment. This model can be extended for using additional information and considerations. This paper also presents a practical method which can be applied to eGovernment infrastructure and services also to reduce the impact of malware attacks of the information system.

References:

[1] HADARICS, K., K. Győrffy, B. Nagy, L. Bognár. A. Arrott. F. Leitold (2017): Mathematical Model of Distributed Vulnerability Assessment, 9th International Scientific Conference, Security and Protection of Information, 2017, Brno, Czech Republic [2] LEITOLD, F., A. Arrott, K. Hadarics: Quantifying cyber-threat vulnerability by combining threat intelligence, IT infrastructure weakness, and user susceptibility 24th Annual EICAR Conference, Nuremberg, Germany, 2016 [3] International Organization for Standardization (ISO), ISO/IEC 27005: Information technology – Security techniques – Information security risk management (2008) [4] National Institute of Standards and Technology (NIST), Special Publication 800-30r1: Guide for Conducting Risk Assessments (2012), http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf [5] LEITOLD, F., A. Arrott, and K. Hadarics, "Automating visibility into user behavior vulnerabilities to malware attack" Proceedings of the 26th Virus Bulletin International Conference (VB2016), pp. 16-24, Denver, USA, 2016. [6] ENISA: Ad-hoc & sensor networking for M2M Communications - Threat Landscape and Good Practice Guide 2017 https://www.enisa.europa.eu/publications/m2m-communications-threat-landscape/at_download/fullReport [7] VAVOULAS, N., Xenakis C. (2011) A Quantitative Risk Analysis Approach for Deliberate Threats. In: Xenakis C., Wolthusen S. (eds) Critical Information Infrastructures Security. CRITIS 2010. Lecture Notes in Computer Science, vol 6712. Springer, Berlin, Heidelberg [8] ONWUBIKO, C. (2016) Understanding Cyber Situation Awareness, International Journal on Cyber Situational Awareness [9] LEITOLD, F. and Hadarics, K., "Measuring security risk in the cloud-enabled enterprise." Malicious and Unwanted Software (MALWARE), 7th International Conference on Malicious and Unwanted Software, pp: 62-66, ISBN: 978-1-4673-4880-5. 2012.

Publication:

Central and Eastern European e|Dem and e|Gov Days 2018

Including a Workshop on Smart Cities organized by the Congress of Local and Regional Authorities of the Council of Europe
Proceedings of the Central and Eastern European E|Dem and E|Gov Days, May 3-4, 2018, Budapest
Facultas, 1. Ed. (14 May 2018), 506 p.
ISBN-10: 9783708917375,
ISBN-13: 978-3708917375,
ASIN: 3708917375506

Editors: Hendrik Hansen, Robert Müller-Török, András Nemeslaki, Alexander Prosser, Dona Scola, Tamás Szádeczky