Cybersecurity, Data Analytics, and Vulnerability
There are a number of “V’s” that are associated with big data; they include volume, variety, variability, and verification, but one that is often missing despite it being a major part of cybersecurity is vulnerability. It would seem that this “v” is the missing link between data analytics and cybersecurity. Why would cybersecurity professionals care about data analytics when their primary responsibility is preventing unwanted access to systems they supervise? Let’s see what we can discover.
The question of vulnerability has plagued cybersecurity specialists since the mainframe era. How can you determine the vulnerability of a system while simultaneously determining the risk of using the system? Lucky for us cybersecurity geeks, the National Institute of Standards and Technology (NIST) has developed the National Vulnerability Database (NVD), which contains various tools for determining vulnerability.
One of the more useful NVD tools is the Common Vulnerability Scoring System (CVSS), which employs a series of formulary evaluations, including a calculator that rates vulnerability on a scale of zero to ten, with ten being the most vulnerable. CVSS provides standards related to low, medium, high, or critical scores. As the score increases, so do the vulnerability risks. Although IT professionals enjoy scoring their systems, the true benefit is that the resulting scores are used by the NVD to determine the sensitivity to vulnerabilities for some of the most critical systems. This data can also be used to determine historical system vulnerability.
The NIST’s Common Platform Enumeration (CPE) identifies systems undergoing evaluation and publishes related data so that analysts can see growth. But more than that, NIST’s National Vulnerability Database contains searchable product vulnerability data that can be used for elemental, statistical, advanced, regression, and time-series analyses.
Fortunately, data visualizations you may be looking for have already been developed by previous users. For example, when I searched for “trojan” statistics, the results revealed the following charts that illustrate how often “trojan” has been matched with vulnerabilities.
Search Term: Trojan
The chart on the left shows that the number of trojan-related vulnerabilities increased in 2010, 2012, and 2017 and decreased in subsequent years. The chart on the right shows the percentage of trojan-related vulnerabilities per year. Although it does not show causation, this visualization does suggest that trojans are no longer the tool of choice to exploit vulnerabilities.
Search Term: Password
Now, let’s search for “password.” As expected, the charts show that the prevalence of “password” vulnerabilities is far more than “trojan.”
The real value of these statistics is the percentage of match for each term. In both cases, word choice analysis helped to determine the value of each search term. We can discern trends by just glancing at the data visualizations. And both sets of charts show how useful data analysis can be to cybersecurity professionals. In fact, I dare say that data analytics is as valuable to cybersecurity as project management and finance.
Chris Greco, PMP, PMI-ACP, ASEP, CISSP is the owner of GRECTECH and an instructor and subject matter expert for Management Concepts. Having more than 40 years of public, private, and academic project management experience, Chris enjoys teaching data analytics, project management, and systems engineering courses as well as contributing to the development of analytics curriculum.
Chris holds a Bachelor of Arts degree in Sociology from Grove City College, a Master of Science degree in Management Science from Troy University, and a Graduate Certificate in Applied Statistics from Penn State University in addition to certifications in project management (PMP, PMI-ACP) and systems engineering (ASEP). In 2017, Chris received the (ISC)² Americas Information Security Leadership Awards for his program of cybersecurity classes to senior citizens and, in 2016 he received the Mullen Award for his technical excellence and engaging cybersecurity presentation at the Computer Measurement Group’s IMPACT conference.