Date: Tue Dec 09 2008 - 20:19:11 CST
(moderator: retry from subscribed account)
I have been thinking about a potential futures market model to hedge the risk
of software vulnerabilities. Perhaps a modified Black-Scholes-Merton model that
could be tied into Microsoft's exploitability index to determine the premium on
the future contract? Hedgers (companies, governmental institutions, military
etc.) could then purchase these contracts from speculators (these could be us)
to tie their risk into a dollar amount. On the other hand researchers can sell
these contracts if they feel strongly about a piece of software or inversely, buy these
contracts to cash in their 0day when it hits the public domain. We need a fair
market place for 0day (outside of the 2 known players whose model benefits no
one) and I believe a futures market model is the way to go. After all if you can
hedge your exposure to weather, why can't you hedge it against 0day? It is not
as crazy as it sounds ....
I would appreciate ideas to tie the value of a vulnerability to a premium, any
quants who do security as well?
On Tue, 9 Dec 2008, Dave Aitel wrote:
> One technique we're doing this week with a client is taking an attack
> tree and marking it up with dollar values. I.E. if you wanted to buy
> an 0day in X component, how much would it cost?
> This then is a simple summation to produce a "how much is it to get
> into the internal network from the internet" which the business can
> use to help them decide yay/nay on the project as a whole depending on
> their own view of the threat and the value of the information they are
> Halvar Flake wrote:
> > Hey all,
> > It seems that discussions in ITsec are periodic -- the same
> > discussions and same arguments come up again and again.
> > 1. Of course attackers use new vulnerabilities. It is the nature of
> > offense. Defense is done "to the maximum of current knowledge".
> > Offense, by its nature, has to expand on the status quo.
> > 2. How do you simulate an attack with a new vulnerability if you
> > don't have one ?
> > Well, military folks do wargames all the time without actually
> > using up the arsenal they have on the shelves. Network attacks
> > should probably be done in a similar manner -- have an umpire, and
> > give the attacking team a few "0day cards". With these cards they
> > get high-probability code execution for a piece of software of
> > their choice.
> > The pentest then proceeds like a game, but can be conducted on the
> > real network, too.
> > But I am repeating myself ...
> > Cheers, Halvar
> > _______________________________________________
> > Dailydave mailing list
> > Dailydave@lists.immunitysec.com
> > http://lists.immunitysec.com/mailman/listinfo/dailydave
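The dollar-valued attack tree Dave describes, as an added example that is not code from the thread or from Immunity: AND nodes sum the prices of every step, OR nodes take the cheapest branch, so the root answers "what is the cheapest route from the internet into the internal network". The tree and every price in it are constructed placeholders; the reprice helper shows how a defender re-runs the yay/nay decision after a control raises the price of one step.

```python
from dataclasses import dataclass, field, replace

@dataclass
class Node:
    """One step of an attack tree. A leaf carries the (assumed) price of the
    capability; an AND/OR node combines its children."""
    name: str
    kind: str = "leaf"          # "leaf", "and" or "or"
    cost: float = 0.0           # only meaningful for leaves
    children: list = field(default_factory=list)

def cheapest(node):
    """Return (dollar cost, leaf names) of the cheapest way to reach `node`.
    AND needs every child (costs sum); OR needs any one child (minimum)."""
    if node.kind == "leaf":
        return node.cost, [node.name]
    results = [cheapest(c) for c in node.children]
    if node.kind == "and":
        return sum(r[0] for r in results), [n for r in results for n in r[1]]
    if node.kind == "or":
        return min(results, key=lambda r: r[0])
    raise ValueError(f"unknown node kind {node.kind!r}")

def reprice(node, leaf_name, new_cost):
    """Copy of the tree with one leaf repriced: models a control (MFA on the
    VPN, patching) that makes a step dearer, so the decision can be redone."""
    if node.kind == "leaf":
        return replace(node, cost=new_cost) if node.name == leaf_name else node
    return replace(node, children=[reprice(c, leaf_name, new_cost)
                                   for c in node.children])

# Constructed tree with placeholder prices; real figures come from the client
# and from what the capabilities actually trade for, not from this example.
TREE = Node("internal network from the internet", "or", children=[
    Node("perimeter exploit", "and", children=[
        Node("0day in VPN appliance", cost=250_000),
        Node("post-exploitation tooling", cost=10_000),
    ]),
    Node("client-side", "and", children=[
        Node("phishing campaign", cost=5_000),
        Node("0day in document viewer", "or", children=[
            Node("buy 0day", cost=80_000),
            Node("develop in-house", cost=120_000),
        ]),
        Node("pivot from workstation", cost=15_000),
    ]),
    Node("stolen VPN credentials", cost=3_000),
])

if __name__ == "__main__":
    print(cheapest(TREE))  # (3000, ['stolen VPN credentials'])
    hardened = reprice(TREE, "stolen VPN credentials", 500_000)
    print(cheapest(hardened))  # (100000, ['phishing campaign', 'buy 0day', 'pivot from workstation'])
```

The second number is the one the business weighs against the value of the information behind the network: if the cheapest route still costs less than that, the control did not change the answer.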