Information Security Research

Research Interests

• This is the online home of results, observations and analysis of my research
carried out at ISS X-Force and at the Communication Systems Group at ETH Zurich.
• The focus of my research is in Security Econometrics and Vulnerability Analysis.

New Publications

• Find here my new paper: 0-Day Patch - Exposing Vendors (In)security Performance at BlackHat 2008 Europe

Introduction

Beside the technical details of security vulnerabilities, knowledge of the timing of the events in the lifecycle of a vulnerability is an interesting factor to measure the state and the evolution of our IT centric economy. We analyzed more than 26,000 vulnerabilities published since 1996 to reconstruct the dates of the vulnerability lifecycle. This database enables us to measure the evolution of and the dynamics of the vulnerability ecosystem and its processes. For the details of the research check out the publications section.

Motivation

• 10+ years of Internet security arms race, 26,000+ known vulnerabilities as of 2007.
• Understanding the complex nature of information risk and related attacks.
• What is the current state, trends and the evolution of the security ecosystem?
• What are key performance indicators?

Content

• Vulnerability Ecosystem
  
The ecosystem from vulnerability discovery to the implementation of a fix.

• Vulnerability Lifecycle
  
Defining the events of the lifecycle of a vulnerability.

• Risk Exposure
  
Indentification of different risk exposure phases based on the vulnerabilty lifecycle.

• Public Vulnerability Disclosure
  
Definition of the public vulnerability disclosure.

• Security Information Provider (SIP)
  
Analysis and identification viable information sources for the vulnerability disclosure date.

• Dynamics of (In)security
  
Empirical data and analysis of the dynamics of the vulnerability lifecycle.