A passion for information security
Projects | Publications | Presentations | Biography
|
Sasha Romanosky A passion for information security Projects | Publications | Presentations | Biography |
|
Greetings! I am a PhD student in the Heinz College at Carnegie Mellon University. My academic research interests intersect the fields of consumer privacy, information security, economics and public policy and my working thesis topic is:Measuring and Modeling Security and Privacy Laws
Many security and privacy laws appear to be implemented without the expectation of measurement or evaluation. This is one area where I hope to contribute. For example, I conducted a familiar public policy analysis of the treatment effect of law on crime: the effect of data breach disclosure laws on identity theft. By notifying consumers when their personal information has been lost or stolen, the hope is that consumers will take measures to prevent future harm. Also, the public disclosure (the “sunlight” effect) of a breach is expected to force firms to internalize more of the cost of data breaches, creating an incentive for them to improve their security practices, reducing future data breaches. We found that adoption of the laws reduced identity theft by about 2% on average. The paper can be found here: Do data breach disclosure laws reduce identity theft?
This research path has also fostered an interest in legal theory and the mechanisms that public policies (laws) employ in order to reduce the harm from a firm’s otherwise socially beneficial activity. Ex ante safety regulation, ex post liability and information disclosure are three such common instruments. And so, I am exploring economic social welfare analyses of such mechanisms to better understand how they should behave and under which circumstances.
My advisors are Rahul Telang and Alessandro Acquisti.
I am also engaged in a number of other industry-related information security projects that are described below.
Currently, corporate IT management must identify and assess vulnerabilities for many disparate hardware and software platforms. They need to prioritize these vulnerabilities and remediate those that pose the greatest risk. But when there are so many to fix, with each being scored differently across vendors, how can IT managers convert this mountain of vulnerability data into actionable information? The Common Vulnerability Scoring System (CVSS) is an open framework that addresses this issue. It offers the following benefits:
August 2007: NIST and SCAP: CVSS v2 has been republished as a NIST Interagency Report (NIST-IR7435). This publication discusses how Federal agencies can incorporate Federal Information Processing Standards (FIPS) 199 impact ratings into their CVSS scores and generate scores specifically tailored to Federal agency environments. This is part of NIST's recommendation of CVSS by Federal agencies as part of the U.S. government Security Content Automation Protocol (SCAP). The document is available Here.
June 2007: Version 2 of the Common Vulnerability Scoring System was published. It represents the collective efforts of industry professionals and academia researchers to improve the flexibility and usability of this IT vulnerability scoring system. http://www.first.org/cvss/
June 2007: CVSS and the Payment Card Industry (PCI): In order for private-sector firms to process credit cards, they need to comply with the Payment Card Industry Data Security Standards (PCI DSS). Effective June 2007, the PCI governing body is requiring firms use CVSS in order to determine how vulnerable are their IT systems. The PCI DSS is available Here.
|
CVSS was conceived by the National Infrastructure Assurance Council (NIAC),
as a response to the multitude of disparate computer vulnerability
scoring systems that are currently available through commercial and open-source organizations. It was accepted by the US Department of Homeland Security in 2004, and many infosec individuals and
vendors have been working to promote and improve this framework. For example, CVSS is currently supported by NIST's National Vulnerability Database (NVD), Tenable Security, Cisco, Oracle
and others. See a full list of adopters here
The CVSS score is a composite score derived from the following three categories:
|
|
|
IT organizations consume great resources in identifying and remediating computer vulnerabilities. Compound this with the reality that the group finding the vulnerabilities is generally not the group fixing them. This results in a resource-intensive and sometimes adversarial organizational dynamic.
Managing and Auditing IT Vulnerabilities is the 6th in a series of Global Technology Audit Guides (GTAGs) published by the Institute of Internal Auditors (the IIA). We discuss the steps of first identifying, assessing then prioritizing computer vulnerabilities. We differentiate many of the characteristics of low- with high-performing vulnerability management organizations and we include a number of metrics than an organization can use to establish a datum and track their progress. We recognize that immediate benefits are achieved by remediating individual, yet critical vulnerabilities. However, as shown in the diagram, effective vulnerability management means integrating and aligning IT Security with the organization's existing IT management processes (e.g. within an ITIL framework). |
|
