China
Africa
Explore chapters and articles related to this topic
Security: Basics and Security Analytics
Published in Rakesh M. Verma, David J. Marchette, Cybersecurity Analytics, 2019
Rakesh M. Verma, David J. Marchette
A different class of software attacks leveraging hardware vulnerabilities have also been found. These include: microarchitectural attacks using cache timing [279],attack!cache timing branch prediction history [2],attack!branch prediction history branch target buffers [264],attack!branch target buffer out-of-order execution [277] (Meltdown)attack!out-of-order execution (Meltdown) and speculative execution [244] (Spectre). attack!speculative execution (Spectre) Hence, it is a good idea to subscribe to US-cert advisories and be aware of the National Vulnerability Database https://nvd.nist.gov/. National Vulnerability Database
A systematic classification scheme for cyber-attack taxonomy
Published in Stein Haugen, Anne Barros, Coen van Gulijk, Trond Kongsvik, Jan Erik Vinnem, Safety and Reliability – Safe Societies in a Changing World, 2018
S. Kim, J. Shin, G. Heo, J.G. Song
The next classification is based on the vulnerability. With the development of information technology, the complexity of software has increased and vulnerabilities have also increased. Vulnerability is a flaw that can be security threat in hardware or software and can be exploited directly by a hacker or as a means of spreading a virus or malicious program [15]. As a result, some countries have databased vulnerabilities and have developed countermeasures against them. This enables early response to specific cyber-attack. This paper also considered vulnerability as one of the classification items, so that it can be used for early response by matching with vulnerability in case of specific cyber-attack. List the vulnerabilities of the software used in ICS and SCADA systems and investigate where the software is used to know anticipated cyber-attacks in the system and use them for countermeasures and mitigations in case of cyber-attack. In addition, the newly discovered vulnerabilities can be continuously matched and added to the cyberattack, which can effectively upgrade and supplement the system. Vulnerability databases include USA’s NVD (National Vulnerability Database), Japan’s JVN (Japan Vulnerability Notes) and CNVD (China National Vulnerability Database). In this paper, NVD based on NIST (National Institute of Standards and Technology), which is widely used, is selected and shown in Table 4 [15].
Technology
Published in Park Foreman, Vulnerability Management, 2019
There are some caveats to the CVE database. First, it is not a vulnerability database. It is a database of vulnerability references. Second, it does not include all known vulnerabilities. It only contains those that are publicly known. So, it is possible that a vulnerability exists of which a vendor or researcher is aware but it does not appear in the CVE list. In some cases, this is because the researcher has agreed with the maker of the software that he will not reveal the vulnerability until a public patch has been released. Naturally, the researcher will want credit for the discovery.
Overview and Recommendations for Cyber Risk Assessment in Nuclear Power Plants
Published in Nuclear Technology, 2023
The threat includes both an intentional or unintentional disruption or harm to the organization or system, the vulnerability is any weakness that an ICS has that can be exploited, and consequences are the successfully exploited vulnerability. Therefore, the risk assessment usually involves these three aspects along with the consideration of the architecture and expert knowledge of the specific ICS. Threats may come from both internal and external agents. A vulnerability assessment can be carried out by penetration tests or consultation of public vulnerability libraries such as MITRE’s Common Vulnerabilities and Exposures (CVE) or the NIST National Vulnerability Database. Differing from IT cybersecurity, where consequences are usually assessed by financial loss, the consequences in ICS cybersecurity depend on the physical system and are therefore hard to generalize across the industry. Metrics vary by source between financial loss, equipment damage, staff injuries, and environmental impact.
Least Privilege across People, Process, and Technology: Endpoint Security Framework
Published in Journal of Computer Information Systems, 2022
Miloslava Plachkinova, Kenneth Knapp
After the introductory meeting, the researcher leveraged two theories to help frame the conversations, mainly the principle of least privilege and the people, process, and technology triad. During the interviews, a new integrated theoretical framework emerged and was applied to help guide and further refine the list of features. These were finalized into an enumerated list of product features that effectively implement least privilege at the device level. In gathering potential capabilities, research was conducted using several industry sources notably the National Institute of Science and Technology’s National Vulnerability Database and its Common Vulnerability Scoring System. Once the initial product features were developed into an operational product, the development team refined its features list with feedback from its beta-version testers. This list answers in the affirmative our first research question related to this project.
Cyber Diversity Index for Sustainable Self-Control of Machines
Published in Cybernetics and Systems, 2022
Effectively managing known system vulnerabilities is not a small task, and managing unknown application vulnerabilities that are not visible to the defenders is especially difficult, particularly while these vulnerabilities are being actively exploited. Software patching is possibly one of the most important mitigation strategies available, however this process can be expensive and labor-intensive, especially within large enterprises that use a range of technologies and that experience Shadow IT (Cisco 2018). Most vulnerabilities are never actually exploited (Bullough et al. 2017). Enormous effort and resources have been expended on vulnerability management. Bullough et al. (2017) attempt to prioritize the remediation of vulnerabilities that are likely to be exploited by using ML and the National Vulnerability Database (NVD) produced by the National Institute of Standards and Technology (NIST). Bullough et al. (2017) unfortunately report that “while models based on the open source database information examined in this study led to poor prediction performance, more accurate predictions might be possible by exploiting better sources of data. We conclude that models of software vulnerability exploitation based on NVD database entries and social media alone are unlikely to have enough predictive power to be useful in practice” (Bullough et al. 2017).