February 07, 2006

The Market Price of a Vulnerability

More on threats. A paper Paul sent to me mentions that:

Stuart Schechter’s thesis [11] on vulnerability markets actually discusses bug challenges in great detail and he coined the term market price of vulnerability (MPV) as a metric for security strength.

A good observation: if we can price a vulnerability, then we can use that price as a proxy for the strength of security. What luck, then, that this week we found out the price of the Windows Metafile (WMF) bug was ... $4,000!

The Windows Metafile (WMF) bug that caused users -- and Microsoft -- so much grief in December and January spread like it did because Russian hackers sold an exploit to anyone who had the cash, a security researcher said Friday.

The bug in Windows' rendering of WMF images was serious enough that Microsoft issued an out-of-cycle patch for the problem in early January, in part because scores of different exploits lurked on thousands of Web sites, including many compromised legitimate sites. At one point, Microsoft was even accused of purposefully creating the vulnerability as a "back door" into Windows.

Alexander Gostev, a senior virus analyst for Moscow-based Kaspersky Labs, recently published research that claimed the WMF exploits could be traced back to an unnamed person who, around Dec. 1, 2005, found the vulnerability.

"It took a few days for exploit-enabling code to be developed," wrote Gostev in the paper published online, but by the middle of the month, that chore was completed. And then the exploit went up for sale.

"It seems that two or three competing hacker groups from Russia were selling this exploit for $4,000," said Gostev.

(That's a good article, jam-packed with good info.) Back to the paper. Rainer Böhme surveys five different vulnerability markets. Here's one:

Vulnerability brokers are often referred to as “vulnerability sharing circles”. These clubs are built around independent organizations (mostly private companies) who offer money for new vulnerability reports, which they circulate within a closed group of subscribers to their security alert service. In the standard model, only good guys are allowed to join the club. The customer bases are said to consist of both vendors, who thus learn about bugs to fix, and corporate users, who want to protect their systems even before a patch becomes available. With annual subscription fees of more than ten times the reward for a vulnerability report, the business model seems so profitable that there are multiple players in the market: iDefense, TippingPoint, Digital Armaments, just to name a few.

OK! He also considers Bug Challenges, Bug Auctions, Exploit derivatives, and insurance. Conclusion?

It appears that exploit derivatives and cyber-insurance are both acceptable, with exploit derivatives having an advantage as a timely indicator whereas cyber-insurance gets a deduction in efficiency due to the presumably high transaction costs. What's more, both concepts complement one another. Please note the limitations of this qualitative assessment, which should be regarded as a starting point for discussion and exchange of views.
Posted by iang at February 7, 2006 10:52 AM
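The exploit-derivative idea is easier to see with numbers. What follows is an added example, not code from this post, from Böhme's paper or from any of the markets named above; the product name, the deadline, the trade sizes, the 30% loading and the logarithmic market scoring rule (LMSR) market maker are all my assumptions. It sets up a "found"/"not found" contract pair whose price is the market's probability that a vulnerability in the product is disclosed before a deadline, shows how a trader who already holds the bug (the finder in the $4,000 story above) moves that price merely by trading, which is the "timely indicator" effect, and then feeds the resulting probability into an insurance premium, one reading of how the two instruments complement each other.

```python
# Added example (not from the post or from Böhme's paper): a toy exploit-derivative
# market.  The product, deadline, LMSR pricing and all numbers are assumptions.
import math
from dataclasses import dataclass
from datetime import date


@dataclass
class ExploitDerivative:
    """A pair of binary contracts on one product and one deadline.

    'found' redeems for `face` if a qualifying vulnerability is disclosed
    before `deadline`; 'not_found' redeems for `face` otherwise.  Exactly
    one side pays, so a full pair is always worth `face`, and the price of
    'found' alone is the market's probability estimate.  Quotes come from
    an LMSR market maker (assumed here so the toy market always has a price).
    """
    product: str
    deadline: date
    face: float = 1.0
    liquidity: float = 100.0   # LMSR parameter b: larger means prices move less per trade
    q_found: float = 0.0       # contracts of each side sold so far
    q_not_found: float = 0.0

    def _cost(self, q_found: float, q_not_found: float) -> float:
        # LMSR cost function; the cash for a trade is the difference before/after.
        b = self.liquidity
        return self.face * b * math.log(math.exp(q_found / b) + math.exp(q_not_found / b))

    def price(self, side: str) -> float:
        """Marginal price of one contract on `side`, in cash units."""
        if side not in ("found", "not_found"):
            raise ValueError(f"unknown side {side!r}")
        b = self.liquidity
        e_found = math.exp(self.q_found / b)
        e_not = math.exp(self.q_not_found / b)
        share = e_found if side == "found" else e_not
        return self.face * share / (e_found + e_not)

    def implied_probability(self) -> float:
        """Market estimate that a vulnerability is disclosed before the deadline."""
        return self.price("found") / self.face

    def buy(self, side: str, contracts: float) -> float:
        """Buy `contracts` of one side from the market maker; returns cash paid."""
        if side not in ("found", "not_found"):
            raise ValueError(f"unknown side {side!r}")
        if contracts <= 0:
            raise ValueError("contracts must be positive")
        before = self._cost(self.q_found, self.q_not_found)
        if side == "found":
            self.q_found += contracts
        else:
            self.q_not_found += contracts
        return self._cost(self.q_found, self.q_not_found) - before


def informed_trade(market: ExploitDerivative, contracts: float):
    """What a researcher who already holds the bug can expect from trading.

    Instead of selling the exploit, they buy 'found' contracts they know will
    pay out.  Returns (cash paid, payout at settlement, probability before,
    probability after); the gap between the two probabilities is the public
    signal the derivative produces while the bug is still private.
    """
    p_before = market.implied_probability()
    paid = market.buy("found", contracts)
    payout = contracts * market.face
    return paid, payout, p_before, market.implied_probability()


def insurance_premium(market: ExploitDerivative, insured_loss: float, loading: float = 0.3) -> float:
    """Premium an insurer could quote using the derivative price as its probability.

    `loading` stands in for the insurer's transaction costs.  Assumption: the
    insured loss happens exactly when the 'found' contract pays.
    """
    return market.implied_probability() * insured_loss * (1 + loading)


if __name__ == "__main__":
    # Constructed scenario: a product with no prior information, so the market opens at 50/50.
    m = ExploitDerivative("ExampleSuite 1.0", date(2006, 6, 30))
    print(f"opening probability: {m.implied_probability():.3f}")
    paid, payout, p0, p1 = informed_trade(m, 50)
    print(f"insider paid {paid:.2f} for a sure {payout:.2f}; market moved {p0:.3f} -> {p1:.3f}")
    print(f"premium on a 10,000 loss at the new price: {insurance_premium(m, 10_000):.0f}")
```

Run it and the opening quote is 0.500; the insider's 50 contracts cost about 28 for a sure 50, and the quote jumps to about 0.622 before anyone else knows the bug exists. That jump is the indicator Böhme credits the derivative with, and the insurer reading it can re-price the policy the same day, which is the sense in which the two instruments work together rather than duplicate each other.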

How does insurance complement derivatives? Isn't an insurance policy more restrictive (in that it is not tradeable), but otherwise equivalent?
Please lighten me up.

Posted by: Daniel A. Nagy at February 7, 2006 11:38 AM