Scholarship & Research
Permanent URI for this community: https://scholarworks.montana.edu/handle/1/1
2 results
Search Results
Item
A framework to assess bug-bounty platforms based on potential attack vectors
(Montana State University - Bozeman, College of Engineering, 2022) McCartney, Susan Ann; Co-chairs, Graduate Committee: Clemente Izurieta and Mike Wittie
Corporate computer security is becoming increasingly important because the frequency and severity of cyberattacks on businesses are high and increasing. One way to improve the security of company software is for a company to hire a third party to identify and report vulnerabilities, blocks of code that can be exploited. A bug-bounty program incentivizes ethical hackers (herein, 'researchers') to find and fix vulnerabilities before they can be exploited. For this reason, bug-bounty programs have been increasing in popularity since their inception a decade ago. However, the increase in their use and popularity also increases the likelihood of the companies being targeted by malicious actors by using a bug-bounty program as the medium. The literature review and investigation into the rules and requirements for bug-bounty platforms revealed that though the bug-bounty programs can improve a vendor's security, the programs still contain a serious security flaw. The platforms are not required to scan reports for malware and there is no guidance requesting the vendors scan for malware. This means it is possible to perform a cyberattack using malware as a report attachment. Through data collection from 22 platforms, an observational case study, and analysis of different malware, I have created a tool to assist vendors in selecting the platform of best fit and characterize the possible attack surfaces presented from the file options allowed on the platform. The outcome from this research is evidence of the importance of understanding the malware files used as report attachments. However, more research is needed in the relationship between file extensions and malware in order to thoroughly comprehend the attack surface capabilities, and to understand the trade-offs between security and convenience.

Item
Staying Safe: Cyber Security for People and Organizations
(Routledge, 2014-04) Arlitsch, Kenning; Edelman, Adam
Our increasingly interconnected world creates threats of cybercrime that pervade our work and private lives. Some experts warn that fraud is inevitable, with “90 percent of businesses falling victim to at least one security breach [in the single year that was reviewed]. . . making the threat from cyber attacks a near certainty” (Summers, 2011). Identity theft is only one possible fallout of data theft, but it is a nuisance at the very least and potentially much more serious than that. At the least victims are forced to change passwords and get new credit cards. At worst, when an identity is truly stolen it can be difficult to prove identity, and it can take months or years to rebuild documentation and credit scores. For organizations, the direct cost associated with notifications, providing credit monitoring, and lost revenue due to reputational damage can be counted in millions of dollars.