computer security -...
TRANSCRIPT
Computer SecurityDavid Wagner, C79, 4/4/2013
Thursday, April 4, 13
themes so far:
- measuring risk
- cognitive biases
- probability reduction (e.g., vaccines)
- harm reduction (e.g., treatment)
Thursday, April 4, 13
themes so far:
- measuring risk
- cognitive biases
- probability reduction (e.g., vaccines)
- harm reduction (e.g., treatment)
today: dealing with uncertain risks
Thursday, April 4, 13
computer security is immature
Thursday, April 4, 13
Thursday, April 4, 13
computer security is risk management
traditional view:
Thursday, April 4, 13
Thursday, April 4, 13
Thursday, April 4, 13
Thursday, April 4, 13
Thursday, April 4, 13
Thursday, April 4, 13
Thursday, April 4, 13
computer security is risk management
traditional view:
Thursday, April 4, 13
risk = E[loss] = P(breach) × cost(breach)
Thursday, April 4, 13
risk = E[loss] = P(breach) × cost(breach)
often not known
Thursday, April 4, 13
risk = E[loss] = P(breach) × cost(breach)
often not known
does the system have a vulnerability?
Thursday, April 4, 13
risk = E[loss] = P(breach) × cost(breach)
often not known
does the system have a vulnerability?
will attackers exploit it?
Thursday, April 4, 13
1 million lines of code
Thursday, April 4, 13
1 million lines of code× 1 bug / thousand lines of code
Thursday, April 4, 13
1 million lines of code× 1 bug / thousand lines of code
= 1000 bugs
Thursday, April 4, 13
1 million lines of code× 1 bug / thousand lines of code
= 1000 bugs
attacker only needs to find 1 bug;defender must find all of them
Thursday, April 4, 13
1 million lines of code× 1 bug / thousand lines of code
= 1000 bugs
attacker only needs to find 1 bug;defender must find all of them
don’t know whether system is vulnerable
Thursday, April 4, 13
attackers choose how and whether to attack
Thursday, April 4, 13
attackers choose how and whether to attack
attacks change rapidly
Thursday, April 4, 13
attackers choose how and whether to attack
attacks change rapidly
no good data about prob. of breach
Thursday, April 4, 13
risk = E[loss] = P(breach) × cost(breach)
often not known
Thursday, April 4, 13
implications
Thursday, April 4, 13
security market is sometimes dysfunctional
Thursday, April 4, 13
market for lemons
Thursday, April 4, 13
thinking about risks,when there are multiple players
Thursday, April 4, 13
Thursday, April 4, 13
but fraud rates higher in UKUS banks spent less on security
Thursday, April 4, 13
UK:
US:
but fraud rates higher in UKUS banks spent less on security
Thursday, April 4, 13
UK:
US:
liability for fraud on customer
but fraud rates higher in UKUS banks spent less on security
Thursday, April 4, 13
UK:
US:
liability for fraud on customer
liability for fraud on bank
but fraud rates higher in UKUS banks spent less on security
Thursday, April 4, 13
UK:
US:
liability for fraud on customer
liability for fraud on bank
but fraud rates higher in UK
huh?
US banks spent less on security
Thursday, April 4, 13
UK:
US:
Thursday, April 4, 13
UK:
US:
fraud? you must have been careless.tough luck, sucks to be you
Thursday, April 4, 13
UK:
US:
fraud? you must have been careless.tough luck, sucks to be you
fraud? no problem, we’ll reimburse you
Thursday, April 4, 13
UK:
US:
fraud? you must have been careless.tough luck, sucks to be you
fraud? no problem, we’ll reimburse you
good for customers, but alsogood for banks
Thursday, April 4, 13
moral hazard
UK banks got lazy and careless,leading to an epidemic of fraud
Thursday, April 4, 13
lesson:align incentives
Thursday, April 4, 13
rule of thumb:place liability on whoever is in the
best position to do something about it
Thursday, April 4, 13
externalities
Thursday, April 4, 13
spam
Thursday, April 4, 13
spam
~ 90% of all email is spam
Thursday, April 4, 13
spam
~ 90% of all email is spam
costs US $20 billion per year,in lost productivity
Thursday, April 4, 13
costs recipient:
costs sender:
Thursday, April 4, 13
costs recipient:
costs sender:
10 ¢ per spam
< 0.001 ¢ per spam
Thursday, April 4, 13
10 million Viagra spams → 1 sale
$3.5 million in revenue per year, for one botnet
Thursday, April 4, 13
why is this possible?
Thursday, April 4, 13
why is this possible?
bots
Thursday, April 4, 13
cost of spam not born by those enabling it
(an externality)
Thursday, April 4, 13
solution?
Thursday, April 4, 13
• regulation: prohibit the harmful activity
• taxation: tax the harmful activity, so marketprice reflects the true cost to society
• liability: make those causing harm liable for end effects
• mitigation: develop solutions so others are harmed less
Thursday, April 4, 13
Thursday, April 4, 13
let’s count the externalities:
Thursday, April 4, 13
let’s count the externalities:
1. attackers used bots to send lots of traffic
Thursday, April 4, 13
let’s count the externalities:
1. attackers used bots to send lots of traffic
2. attackers exploited open DNS relays to boost amount of traffic
Thursday, April 4, 13
let’s count the externalities:
1. attackers used bots to send lots of traffic
2. attackers exploited open DNS relays to boost amount of traffic
3. ISPs don’t block outgoing traffic with obviously spoofed source address
Thursday, April 4, 13
externalities make risks harder to manage
Thursday, April 4, 13
cyberwar
cyberespionage
cybercrime
Thursday, April 4, 13
Thursday, April 4, 13
Thursday, April 4, 13
Thursday, April 4, 13
Thursday, April 4, 13
Thursday, April 4, 13
Thursday, April 4, 13
Thursday, April 4, 13
Thursday, April 4, 13
Thursday, April 4, 13
Thursday, April 4, 13
Thursday, April 4, 13
Thursday, April 4, 13
Thursday, April 4, 13
cyberwar
cyberespionage
cybercrime
Thursday, April 4, 13
cyberwar
cyberespionage
cybercrime
exercise: name some externalities
Thursday, April 4, 13
• prevention: reduce probability of bad thing
• mitigation: reduce cost of bad thing
• risk transfer: shift cost to someone else(insurance, taxation, liability, ...)
general strategies for dealing with risk:
Thursday, April 4, 13