The success (or failure) of malware attacks depends upon both technological and human factors. The most security-conscious users are susceptible to unknown vulnerabilities, and even the best security mechanisms can be circumvented as a result of user actions. Although there has been significant research on the technical aspects of malware attacks and defense, there has been much less research on how users interact with both malware and current malware defenses. This paper describes a field study designed to examine the interactions between users, antivirus (AV) software, and malware as they occur on deployed systems. In a fashion similar to medical studies that evaluate the efficacy of a particular treatment, our experiment aimed to assess the performance of AV software and the human risk factors of malware attacks. The 4-month study involved 50 home users who agreed to use laptops that were instrumented to monitor for possible malware attacks and gather data on user behaviour. This study provided some very interesting, non-intuitive insights into the efficacy of AV software and human risk factors. AV performance was found to be lower under real-life conditions compared to tests conducted in controlled conditions. Moreover, computer expertise, volume of network usage, and peer-to-peer activity were found to be significant correlates of malware attacks. We assert that this work shows the viability and the merits of evaluating security products, techniques and strategies to protect systems through long-term field studies with greater ecological validity than can be achieved through other means.
Vulnerability remediation is a critical task in operational software and network security management. In this paper, an effective vulnerability management strategy, called VULCON (VULnerability CONtrol), is developed and evaluated. The strategy is based on two fundamental performance metrics: (i) Time-to-Vulnerability Remediation (TVR) and (ii) Total Vulnerability Exposure (TVE). VULCON takes as input real vulnerability scan reports, metadata about the discovered vulnerabilities, asset criticality, and personnel resources. VULCON uses a mixed-integer multi-objective optimization algorithm to prioritize vulnerabilities for patching, such that the above performance metrics are optimized subject to the given resource constraints. VULCON has been tested on multiple months of real scan data from a Cyber-Security Operations Center (CSOC). Results indicate an overall Total Vulnerability Exposure reduction of 8.97% when VULCON optimizes a realistic security analyst workforce's effort. Additionally, we show how VULCON can determine the monthly resources required to maintain a target TVE score. As such, VULCON provides valuable operational guidance for improving vulnerability response processes in CSOCs.
Virtualization-based memory isolation has been widely used as a security primitive in various proposed security systems. Driven by the prevalence of multicore platforms, we first conduct an in-depth analysis of the effectiveness of memory isolation in the multicore setting. Our study reveals that memory isolation by itself is inadequate for security, since its design defects can be exploited by a malicious thread running in parallel with the protected thread. We then propose a new isolation approach. In our design, the hypervisor constructs a fully isolated micro-computing environment (FIMCE) that exposes a minimal attack surface to an untrusted OS on a multicore platform. By virtue of its architectural niche, FIMCE offers stronger security assurance and greater versatility than memory isolation. FIMCE features a flexible and composable environment and supports I/O operations, expanding the range of suitable applications. We have built a prototype of FIMCE on a bare-metal hypervisor. To show the benefits of using FIMCE as a building block, we have also implemented four applications that are difficult to construct with strong security guarantees using current virtualization-based memory isolation.