
Computer Security, David Wagner, C79, 4/4/2013, Thursday, April 4, 13


  1. Computer Security, David Wagner, C79, 4/4/2013

  2-3. themes so far:
       - measuring risk
       - cognitive biases
       - probability reduction (e.g., vaccines)
       - harm reduction (e.g., treatment)
       today: dealing with uncertain risks

  4. computer security is immature

  6. traditional view: computer security is risk management

  13. traditional view: computer security is risk management

  14-17. risk = E[loss] = P(breach) × cost(breach)
         often not known:
         - does the system have a vulnerability?
         - will attackers exploit it?

  18-22. 1 million lines of code × 1 bug / thousand lines of code = 1000 bugs
         attacker only needs to find 1 bug; defender must find all of them
         don't know whether system is vulnerable

  23-25. attackers choose how and whether to attack
         attacks change rapidly
         no good data about prob. of breach

  26. risk = E[loss] = P(breach) × cost(breach), often not known

  27. implications

  28. security market is sometimes dysfunctional

  29. market for lemons

  30. thinking about risks, when there are multiple players

  32-36. US banks spent less on security but fraud rates higher in UK
         UK: liability for fraud on customer
         US: liability for fraud on bank
         huh?

  37-40. UK: fraud? you must have been careless. tough luck, sucks to be you
         US: fraud? no problem, we'll reimburse you
         good for customers, but also good for banks

  41. moral hazard: UK banks got lazy and careless, leading to an epidemic of fraud

  42. lesson: align incentives

  43. rule of thumb: place liability on whoever is in the best position to do something about it

  44. externalities

  45-47. spam
         ~ 90% of all email is spam
         costs US $20 billion per year, in lost productivity

  48-49. costs recipient: 10 ¢ per spam
         costs sender: < 0.001 ¢ per spam

  50. 10 million Viagra spams → 1 sale
      $3.5 million in revenue per year, for one botnet

  51-52. why is this possible? bots

  53. cost of spam not borne by those enabling it (an externality)

  54. solution?

  55. • regulation: prohibit the harmful activity
      • taxation: tax the harmful activity, so market price reflects the true cost to society
      • liability: make those causing harm liable for end effects
      • mitigation: develop solutions so others are harmed less

  57-60. let's count the externalities:
         1. attackers used bots to send lots of traffic
         2. attackers exploited open DNS relays to boost amount of traffic
         3. ISPs don't block outgoing traffic with obviously spoofed source address
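The third externality above (ISPs forwarding outgoing traffic with an obviously spoofed source address) has a well-known fix on the ISP side: check the source address of every outbound packet against the address blocks the ISP actually assigned to its customers, and drop anything else. The Python below is an added example, not part of Wagner's lecture; the ISP prefixes, flow records and addresses are constructed from documentation ranges, and `Flow`, `is_spoofed_egress`, `filter_egress` and `dropped_bytes_by_claimed_source` are names chosen here. It handles both IPv4 and IPv6 prefixes and fails closed on an address it cannot parse.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: address blocks a hypothetical ISP has assigned to its own
# customers (RFC 5737 / RFC 3849 documentation ranges, so nothing here is real).
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:100::/48"),
]


@dataclass(frozen=True)
class Flow:
    """One outbound packet summary as a border router might see it."""
    src: str
    dst: str
    dst_port: int
    size: int


def is_spoofed_egress(flow, prefixes=CUSTOMER_PREFIXES):
    """True if an outbound packet claims a source address the ISP never assigned.

    A customer cannot legitimately send from an address outside the ISP's own
    blocks, so such traffic is forged. Unparseable addresses count as spoofed
    (fail closed) rather than slipping through.
    """
    try:
        src = ipaddress.ip_address(flow.src)
    except ValueError:
        return True
    # ip_network.__contains__ returns False for a mismatched IP version,
    # so a v4 source is only ever matched against v4 prefixes and vice versa.
    return not any(src in net for net in prefixes)


def filter_egress(flows, prefixes=CUSTOMER_PREFIXES):
    """Partition outbound flows into (forwarded, dropped)."""
    forwarded, dropped = [], []
    for flow in flows:
        (dropped if is_spoofed_egress(flow, prefixes) else forwarded).append(flow)
    return forwarded, dropped


def dropped_bytes_by_claimed_source(dropped):
    """Bytes of forged traffic per claimed source address (the would-be victim)."""
    totals = {}
    for flow in dropped:
        totals[flow.src] = totals.get(flow.src, 0) + flow.size
    return totals


# Constructed sample: three genuine customer flows, two DNS queries whose source
# was forged as a victim address (192.0.2.10) so a resolver's larger reply would
# land on the victim, and one malformed record.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "192.0.2.80", 443, 1200),
    Flow("203.0.113.42", "192.0.2.53", 53, 64),
    Flow("2001:db8:100::1", "2001:db8:ffff::53", 53, 64),
    Flow("192.0.2.10", "192.0.2.53", 53, 64),     # forged: 192.0.2.0/24 is not ours
    Flow("192.0.2.10", "192.0.2.54", 53, 80),     # forged, second resolver
    Flow("not-an-address", "192.0.2.53", 53, 64), # malformed: fail closed
]

if __name__ == "__main__":
    forwarded, dropped = filter_egress(SAMPLE_FLOWS)
    print(f"forwarded {len(forwarded)}, dropped {len(dropped)}")
    print(dropped_bytes_by_claimed_source(dropped))
```

The filter runs on the ISP's customer-facing edge, where the set of legitimate source prefixes is known exactly; further into the network that knowledge is lost, which is why the externality persists when edge networks do not apply it.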

  61. externalities make risks harder to manage

  62. cyberwar, cyberespionage, cybercrime

  76-77. cyberwar, cyberespionage, cybercrime
         exercise: name some externalities

  78. general strategies for dealing with risk:
      • prevention: reduce probability of bad thing
      • mitigation: reduce cost of bad thing
      • risk transfer: shift cost to someone else (insurance, taxation, liability, ...)
