9

I've seen data on the cost of a breach, including a lot of surveys and research by Verizon and the Ponemon Institute. But in terms of an actual vulnerability, what are the factors to consider to determine the cost?

A few things I had in mind are:

  1. Risk factor: SQL Injection vs Reflected XSS
  2. Cost to detect manually or by automated scanners
  3. Cost to fix in terms of developer hours
  4. Costs associated with vulnerability leading to failing a compliance audit

How do you security and risk management professionals determine the cost of a vulnerability?

TildalWave
Epoch Win

4 Answers

10

The cost is not from the vulnerability but from the risk. Namely:

  • A vulnerability is that which can potentially be exploited to put at risk your information assets (e.g. a buffer overflow).
  • A threat is a context element which will try to snoop on or damage your information assets (e.g. an existing group of attackers who would benefit from such actions in some way).
  • A risk is when a threat meets a vulnerability, and they get along well, and marry, and have offspring.

The cost is something applied to whatever you do with the risk. For instance, the cost of ignoring the risk is, roughly, the cost of the damage resulting from the actualization of the risk. On the other hand, the cost of fixing a buffer overflow is purely development & deployment cost, since it removes the vulnerability. The art of risk management is to strike the right balance between corrective actions and acceptance (the "right balance" being relative to the risk management goals, which depend on the organization).

Bottom-line: cost is about what you do, and depends on a lot of contextual elements, in particular threats. You cannot estimate any meaningful notion of cost without taking the context into account. You cannot attach a cost to a vulnerability, or even to a risk; the cost is a property of a set of actions (since "doing nothing" is such a set, some cost is always incurred).

Tom Leek
1

I know this is old, but I still found it on Google while searching, so here is my opinion: today there are multiple bug bounty programs, in which, for obvious reasons, they need to measure the weight of the information and data that they receive from the ethical hackers and provide to their customers.

As we all know, information is a difficult asset to measure, as it's abstract; however, we normally pay more for professionals with more information, or more experience, than for less experienced professionals, as they have more experience or more training on the specific subject.

In order to estimate the cost or price of a security flaw, you need to consider a few different aspects, which I'll try to describe:

1) I don't think it really matters whether or not you find it using an automated tool. By nature, the kind of security flaws that you will be able to find using an automated tool will have impact, either because the platform or the impact surface will be smaller and limited, compared with those that are harder to find and identify.

2) The security flaws that are better paid are usually flaws or vulnerabilities that expose or compromise a big surface, i.e. vulnerabilities that expose a lot of users, or vulnerabilities that expose a lot of data.

3) There's no way to determine this exactly, as it's also ruled by supply and demand, but generally speaking, we could conclude that:

3.1) the more users that are affected, the more expensive the vulnerability will be.

3.2) the more information exposed, as well, the more expensive the vulnerability will be.

By contrast, we can say that finding a low-risk, low-impact security flaw in software which no one is using has no value: $0 USD.

And a vulnerability which compromises a lot of information, from a lot of users, will generally be rewarded with $100,000+ USD price tags.

Same applies for vulnerabilities that represent a direct business continuity risk for a big company, as they are generally very well rewarded, or very well paid.

This is nothing more than my personal opinion, as an ethical hacker with experience with big organizations and black markets.

Take a look at this chart for some references:

- $2,000,000 - Apple iOS remote jailbreak (Zero Click) with persistence (previously: $1,500,000)
- $1,500,000 - Apple iOS remote jailbreak (One Click) with persistence (previously: $1,000,000)
- $1,000,000 - WhatsApp, iMessage, or SMS/MMS remote code execution (previously: $500,000)
- $500,000 - Chrome RCE + LPE (Android) including a sandbox escape (previously: $200,000)
- $500,000 - Safari + LPE (iOS) including a sandbox escape (previously: $200,000)
- $200,000 - Local privilege escalation to either kernel or root for Android or iOS (previously: $100,000)
- $100,000 - Local pin/passcode or Touch ID bypass for Android or iOS (previously: $15,000)

- $1,000,000 - Windows RCE (Zero Click) e.g. via SMB or RDP packets (previously: $500,000)
- $500,000 - Chrome RCE + SBX (Windows) including a sandbox escape (previously: $250,000)
- $500,000 - Apache or MS IIS RCE i.e. remote exploits via HTTP(S) requests (previously: $250,000)
- $250,000 - Outlook RCE i.e. remote exploits via a malicious email (previously: $150,000)
- $250,000 - PHP or OpenSSL RCE (previously: $150,000)
- $250,000 - MS Exchange Server RCE (previously: $150,000)
- $200,000 - VMWare ESXi VM Escape i.e. guest-to-host escape (previously: $100,000)
- $80,000 - Windows local privilege escalation or sandbox escape (previously: $50,000)

So, what do the cheapest and the most expensive have in common? Attack surface, potential information exposed, and associated risks.

Chris Russo
  • The problem with using bug bounties as a metric for determining the cost of a vulnerability is that you price the bounty based on a completely different set of risk metrics. To have a "major" vulnerability and not know about it is a problem. If you have high confidence that you have a "major" vulnerability covered, then you can set the "likelihood" of having to pay out very low, so you can set the price very high. – schroeder Feb 18 '19 at 14:02
  • Once you remove all the details of bug bounty programs out of your answer, you are left with the factors of "impact" and "likelihood" to determine cost. Which is simply a very basic risk calculation. – schroeder Feb 18 '19 at 14:04
  • So, what's your personal opinion on how to define a price or value for a bug? – Chris Russo Feb 18 '19 at 16:46
  • I actually provided an answer to that. Impact and likelihood. You can quantify the impact using many of the factors you outline (exposure, value at risk, etc.) and modify by likelihood. – schroeder Feb 18 '19 at 17:14
  • I agree with you. I think the thread was mostly about web applications, as he mentions web security issues... in that case, would it only rely on the impact-related value? PS: I'm asking as I'm doing a presentation about this matter. – Chris Russo Feb 19 '19 at 01:15
1

Pinning a cost on an exploit is usually going to involve (many) meetings with business users, and in the end it's just an educated guess. You might be able to estimate the cost of a 4 hour business disruption due to a denial of service attack; however, for something like a website defacement you would have to have a chat with management and/or public relations people to determine the damage done to the reputation and the cost of fixing it. Another thing to look at is not only the cost of the attack but the frequency. If it's an easy attack it could happen every day or every hour, so you would have to multiply the cost of the attack by the frequency to get a real cost.

I would not include the cost of detecting a vulnerability as a cost of a breach. You should be actively searching for security holes regardless, so that should be in a different money bucket like IT, or one specifically for Information Security.

Four_0h_Three
0

Depends on who is doing the estimating.

If you're the software producer, the cost is the cost to fix the vulnerability. If you're striving for a mature risk management practice, add in the cost of lost business if the vulnerability is going to damage your sales. Ignore the costs in the next paragraph unless there is some insurance or regulatory regime that will assign those costs to you.

If you're the consumer then a standard, simplistic probability x impact may be adequate (albeit coarse and inelegant, but adequate). Figure out the cost of the breach - what would happen if the vulnerability were to be exploited by the adversary (this will be a range, depending on worst case and most likely case). Then the probability that the adversary will be able to take advantage of the vulnerability. For example, even the worst vulnerability is of limited impact if it only occurs on one airgapped server. Multiply the dollar value x probability to calculate a range of risk exposure.

If you're striving for a mature risk management practice, then you should have (or be actively collecting) data to support the analysis in the prior paragraph.

If you're in the health or safety community, you should already have established methods to calculate this.

Scott Pack
MCW
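The "cost is a property of what you do" framing from the first answer, combined with the impact range × likelihood × frequency arithmetic from the last two answers, worked through as an added Python example (written for this page, not taken from any of the answers). All loss figures, probabilities, the developer hourly rate and the three candidate actions are constructed assumptions for illustration:

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Exposure:
    """A vulnerability in its context: impact range, likelihood and frequency."""
    likely_loss: float        # most-likely cost of one successful exploitation, USD
    worst_loss: float         # worst-case cost of one successful exploitation, USD
    p_exploitable: float      # probability that an attempt actually succeeds (0..1)
    attempts_per_year: float  # how often the attack is expected to be tried

@dataclass(frozen=True)
class Action:
    """Something you could do about the risk; doing nothing is also an action."""
    name: str
    annual_cost: float        # development, deployment or running cost per year, USD
    residual_factor: float    # fraction of p_exploitable left afterwards (1.0 = unchanged)

def annual_loss(e: Exposure) -> tuple[float, float]:
    """Expected annual loss as a (most-likely, worst-case) range: impact x likelihood x frequency."""
    events = e.p_exploitable * e.attempts_per_year
    return (e.likely_loss * events, e.worst_loss * events)

def cost_of_action(e: Exposure, a: Action) -> tuple[float, float]:
    """Total annual cost of an action: its own price plus the risk it leaves behind."""
    residual = replace(e, p_exploitable=e.p_exploitable * a.residual_factor)
    likely, worst = annual_loss(residual)
    return (a.annual_cost + likely, a.annual_cost + worst)

def cheapest_action(e: Exposure, actions: list[Action]) -> Action:
    """The action with the lowest most-likely total cost (a coarse decision rule)."""
    return min(actions, key=lambda a: cost_of_action(e, a)[0])

# Constructed figures: the same SQL injection flaw, once on a public web app and
# once on an air-gapped server. Fixing it is assumed to take 40 developer hours at
# $150/h; the mitigation (say, a filtering proxy) is a recurring cost that only
# lowers the likelihood rather than removing the vulnerability.
PUBLIC = Exposure(likely_loss=50_000, worst_loss=500_000, p_exploitable=0.6, attempts_per_year=4)
AIRGAPPED = replace(PUBLIC, p_exploitable=0.01, attempts_per_year=1)
ACTIONS = [
    Action("ignore", annual_cost=0, residual_factor=1.0),
    Action("fix", annual_cost=40 * 150, residual_factor=0.0),
    Action("mitigate", annual_cost=20_000, residual_factor=0.15),
]

if __name__ == "__main__":
    for label, exposure in (("public web app", PUBLIC), ("air-gapped server", AIRGAPPED)):
        print(f"{label}: expected annual loss if ignored = {annual_loss(exposure)}")
        for a in ACTIONS:
            print(f"  {a.name:9s} total = {cost_of_action(exposure, a)}")
        print(f"  cheapest: {cheapest_action(exposure, ACTIONS).name}")
```

With these numbers the same flaw is worth fixing on the public app but cheaper to accept on the air-gapped server, which is the point made about context and likelihood above.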