Evaluation of the most preferred operating systems on computers in terms of vulnerabilities (Bilgisayarlarda en çok tercih edilen işletim sistemlerinin güvenlik açıklıkları açısından değerlendirilmesi)

Authors

  • Aysun Coşkun Gazi University
  • Ümit Bostancı Gazi University

Keywords:

Cyber security, information security, vulnerability, zero day vulnerability, operating system, critical infrastructure, exploit

Abstract

Because the operating system is one of the most fundamental programs running on a computer, it is known to provide the security infrastructure for the other programs and services that run on that computer. Unless precautions are taken against vulnerabilities in the operating system, the system becomes open to exploitation, which paves the way for attackers to achieve their goals. Hence, remediation of vulnerabilities in the operating system is considered extremely significant. In this study, a new database was created by querying the US National Vulnerability Database and the CVEDETAILS database for vulnerabilities existing in the operating systems most widely used on desktop and laptop computers. For these vulnerabilities, the scores assigned under the CVSS scoring system created by FIRST were examined; the identified vulnerabilities were then re-scored, and in light of the results the security of the operating systems was analysed with quantitative methods. The fundamentals of vulnerabilities, one of the most important elements of cyber security, and their role in the exploitation of computers were explained. Recent cyber security incidents caused by vulnerabilities were also examined, and information about the vulnerabilities that allowed the attacks in these incidents was collected. Consequently, the study aims to assess the availability of the operating systems in terms of security, considering the vulnerabilities they host.

 

Summary

Because the operating system is one of the most basic programs running on a computer, it is known to provide the security infrastructure for the other programs and services running on the computer. If the necessary precautions are not taken against the vulnerabilities in the operating system, the system becomes open to exploitation, which prepares the ground for attackers to reach their targets. For this reason, closing the vulnerabilities in operating systems is considered extremely important. In this study, the vulnerabilities present in the operating systems most used on computers were queried from the US National Vulnerability Database and the CVEDETAILS database, and a new database was created. The scores given to the collected vulnerabilities under the CVSS scoring system created by FIRST were examined, the identified vulnerabilities were re-scored, and in light of the results the operating systems were analysed in terms of security using quantitative methods. The basic aspects of vulnerabilities, which are one of the most important elements of cyber security, and the role of vulnerabilities in the exploitation of computers were set out. The study also examined cyber security incidents carried out in the recent past using vulnerabilities, and collected information about the vulnerabilities that made the attacks in these incidents possible. In conclusion, the aim is to evaluate the usability of operating systems from a security standpoint, taking into account the vulnerabilities they contain.

Author Biographies

Aysun Coşkun, Gazi University

Assoc. Prof. Dr., Gazi University, Institute of Informatics, Department of Computer Education

Ümit Bostancı, Gazi University

Gazi University, Institute of Informatics, Department of Computer Forensics

Published

2016-11-12

How to Cite

Coşkun, A., & Bostancı, Ümit. (2016). Evaluation of the most preferred operating systems on computers in terms of vulnerabilities (Bilgisayarlarda en çok tercih edilen işletim sistemlerinin güvenlik açıklıkları açısından değerlendirilmesi). Journal of Human Sciences, 13(3), 4545–4564. Retrieved from https://www.j-humansciences.com/ojs/index.php/IJHS/article/view/4128

Section

Forensic Computer Sciences