Posts Tagged ‘NOVAHA’

NOVAHA ShmooCon Epilogue, Graph Theory, Attack Trees & Attack Graphs

February 25, 2012

I have been interested in graph theory since I worked for the railroad back in the 90’s and even further back when I was working on my degree in the 80’s. Last year, as a side project (we all seem to have them), I asked the question “Has graph theory been applied to cybersecurity?” The answer was yes. I discovered tens of papers, some great and some not so good, but many more than I realized existed. I also found sample code, working templates and even two commercial products.

After my IPv6 presentation was not accepted for ShmooCon 2012, I decided to present my attack graph findings at the NOVAHA ShmooCon Epilogue event. The event was great; I learned things from all of the speakers, and had many good side discussions.

Here is the video, if you are interested.

Slides are available from this link.

Other videos from the event can be found here:

Special thanks to Georgia for videotaping the conference!


NOVA-HA | Game Theory Applied to Vulnerability Disclosure

August 11, 2010

After reading the book “The Predictioneer’s Game: Using the Logic of Brazen Self-Interest to See and Shape the Future” by Bruce Bueno de Mesquita, I began to get interested in game theory. More specifically, I wondered if it could be applied to an unspoken problem that exists, that is, how do we provide more secure systems to end users while leveraging the creativity of the security researcher community?

So for two months, I read, watched and listened to everything by Bruce Bueno de Mesquita, along with everything I could find on game theory. I realized as I was approaching the one month mark that I began seeing everything around me as a game, in which there were winners, losers, detractors and supporters. I reviewed all 31 games I had found which were published, the whole time thinking about my goal.

One of my major problems when starting to model this was the number of players at all levels of the game. I finally settled on 8 major players in the game, each having two or more subgames taking place at any one time. An example of a subgame was a vendor who had internal staff such as Software Developers, PMs, Executives, Marketing/Sales, and external interfaces to Lawyers, PR, Board, Stock Holder, and Government. Each subgame had influences, positions they needed to hold, Salience, a measure of flexibility, the ability to veto others in the subgame and fixed positions which they were never going to change.

The results of generating a spreadsheet of interactions, then having access to Bruce Bueno de Mesquita’s online system used to teach students, was that in the current game the vendors, followed closely by the government and law enforcement, controlled the majority of the game. End users of computer systems and networks finished last when modeling the existing system. In short, end users will always be hacked!

While researching this problem, it occurred to me that all of the vendors’ responses to disclosure of vulnerabilities fell into one of 5 categories, each reducing the risk to the vendor, but not improving the position of the computer users.

Added to this, I was thinking about the great talk Matt Blaze and Mouse gave at the Last Hope, where they discussed the changes in physical security, specifically locksmiths as disclosure of methods to pick locks. Thinking about it, I also noticed a pattern about the way businesses responded to this new threat of disclosure on their bottom line. In both the locksmith and the security world, disclosure and experimentation with the technology was considered honorable; but that flipped when the business felt threatened to “Disclosure is not honorable”. In the current vernacular, this method of withholding the disclosure of a vulnerability to the public is called “Responsible Disclosure”. This last position always protects the company while leaving the customer of these products at great risk from criminals.

Anyway, my findings are in slide format; download them, and if you have questions, contact me.

Interesting note: I think I stunned everyone when, for a change, I was not speaking on IPv6.