Measuring the Size and Severity of the Integrated Cyber Attack Surface Across US County Governments
In this project, Dr. Harry, Dr. Sivan-Sevilla, Mr. McDermott, and Mr. Poudel are offering a novel methodology to map the attack surface exposed across US county governments. They argue that existing & limited methodologies to measure, enumerate, aggregate, and evaluate the cyber attack surface of US county governments prevent the full estimation of the importance of local government cybersecurity to national resilience. Their study aims to address this gap. They further develop existing OSINT-based methodologies to measure the attack surface and assess the size and vulnerability of publicly accessible county infrastructures. By collecting data on 42,735 Internet-facing devices across 3,095 US county governments they show, for the first time, variations in size and vulnerability of exposed county government attack surfaces. They develop and compare service- and Common Vulnerability Exposure (CVE)-based measures for attack surface severity, each showing different correlation trends with county population. They also highlight the lack of correlation between density of CVEs and likelihood of exploitation and develop measures to quantify the risk, revealing the impact of county government vulnerability on national cyber resilience. Previously studied as islands of insecurity, their novel empirical approach holistically estimates potential county vulnerability to common attack vectors upon service misconfiguration and aggregates CVEs, their severity, and probability of exploitation across county infrastructures, shedding light on the integrated and aggregated attack surface created across US county governments.