Why these cybersecurity researchers are automating vulnerability assessments

System complexity is preventing humans alone from finding vulnerabilities, so researchers in the UK and at CMU are working to automate an online cybersecurity system support service to help analysts.

There is an axiom that cuts to the chase when it comes to crime, digital or otherwise: The bad guys only need one way to break in, whereas the good guys must find and fix every possible vulnerability. Stated that way, it is easy to understand why the bad guys seem to be winning.

Lack of qualified help

Something else is helping cybercriminals: There is a worldwide shortage of qualified cybersecurity professionals. "The lack of sufficient access to highly trained and experienced cyber security experts is a key challenge for the UK," says Dr. Christian Wagner, from the School of Computer Science at the University of Nottingham, to Lindsay Brooke in this university press release. "It prevents a range of users from establishing and maintaining continuously adequate levels of protection of their assets in a rapidly changing security landscape."

Leveling the playing field

Thankfully, scientists and engineers working in the cybersecurity realm are not discouraged and continue to invent new ways to thwart cybercriminals. For example, Dr. Wagner, along with co-investigators Jon Garibaldi and Derek McAuley, both professors at the University of Nottingham, has developed a new cybersecurity system they claim is unique in that the program specifically takes into account the complexity of cyberattacks and the multi-stakeholder nature of cybersecurity.

From the University of Nottingham press release: "The aim is to support organisations of all sizes in maintaining adequate levels of cyber security through a semi-automatic, regularly updated, organisation-tailored security assessment of their digital infrastructures."

The researchers' goal has translated into what they are calling the Online CYber Security System (OCYSS) support service. OCYSS is an interdisciplinary project employing academics with backgrounds in cybersecurity and information integration. The end game is to rapidly compile information on system vulnerabilities and alert organizations that may be affected by the newly discerned weaknesses.

"While the UK has access to some of the world's leading experts in cyber security, the scale and variety of systems in UK organisations, both public and private, make it extremely challenging to flag potential system threats in a timely fashion," mentions Wagner. "This international collaborative project targets a novel approach to semi-automatically identify system vulnerabilities, thus greatly increasing the efficiency and capacity to respond to emerging threats."

How the OCYSS service works

The researchers suggest it is currently problematic to ascertain the security of an organization's digital infrastructure, due mainly to the difficulty in pulling together the needed information. Another discouraging fact is that cybercriminals can react to new vulnerabilities much faster than those assigned to protect an organization's digital assets.

"The proposed approach is designed to capture and integrate security assessments, including associated uncertainty, from a number of sources, including government services such as the NCSC [National Cyber Security Centre] and third-party security providers," writes Brooke. "The key challenge here is to develop ways to gather and model this often complex information effectively, while also dealing systematically with discord in the security assessments provided by individual sources."

To overcome the above challenge, OCYSS will employ an ever-evolving database of system vulnerabilities, which allows up-to-date threat assessment information to be compiled and forwarded to member organizations.

Dr. Wagner tells Brooke the team is working on a functional prototype that will conduct evaluations mimicking real-world security challenges under the auspices of the UK's NCSC, adding, "The idea is to deliver both internationally published novel science and re-usable open source software, thus facilitating the reproduction of results, as well as substantially boosting the potential of commercial uptake of the project outcomes."

Final thoughts

Dr. Travis Breaux, a professor at Carnegie Mellon University's School of Computer Science, who is supporting the OCYSS project, told Brooke in the press release that he has a specific concern. Today's digital infrastructure requires multiple hardware and software systems to interact, and that increased complexity wreaks havoc on overall security.

"To improve security, system analysts must pay special attention to how these components interact, and they must place these interactions in the context of specific threats," explains Breaux. "The number of configurations and possible cyber threats is simply insurmountable for human analysts to effectively comprehend and evaluate on their own, which necessitates a semi-automatic approach that can stay ahead of emerging technology."

"Our goal is to empower these analysts to comprehend a larger attack surface without being overwhelmed by increasingly complex systems," concludes Breaux. An appropriate goal, especially since there is a significant lack of cybersecurity experts.

About Michael Kassner

Information is my field...Writing is my passion...Coupling the two is my mission.
