Computer Security David Wagner, C79, 4/4/2013 Thursday, April 4, 13 - - PowerPoint PPT Presentation

Computer Security

David Wagner, C79, 4/4/2013

Thursday, April 4, 13

themes so far:

• measuring risk
• cognitive biases
• probability reduction (e.g., vaccines)
• harm reduction (e.g., treatment)

Thursday, April 4, 13

themes so far:

• measuring risk
• cognitive biases
• probability reduction (e.g., vaccines)
• harm reduction (e.g., treatment)

today: dealing with uncertain risks

Thursday, April 4, 13

computer security is immature

Thursday, April 4, 13

Thursday, April 4, 13

computer security is risk management traditional view:

Thursday, April 4, 13

Thursday, April 4, 13

Thursday, April 4, 13

Thursday, April 4, 13

Thursday, April 4, 13

Thursday, April 4, 13

Thursday, April 4, 13

computer security is risk management traditional view:

Thursday, April 4, 13

risk = E[loss] = P(breach) × cost(breach)

Thursday, April 4, 13

risk = E[loss] = P(breach) × cost(breach)

• ften not known

Thursday, April 4, 13

risk = E[loss] = P(breach) × cost(breach)

• ften not known

does the system have a vulnerability?

Thursday, April 4, 13

risk = E[loss] = P(breach) × cost(breach)

• ften not known

does the system have a vulnerability? will attackers exploit it?

Thursday, April 4, 13

1 million lines of code

Thursday, April 4, 13

1 million lines of code × 1 bug / thousand lines of code

Thursday, April 4, 13

1 million lines of code × 1 bug / thousand lines of code = 1000 bugs

Thursday, April 4, 13

1 million lines of code × 1 bug / thousand lines of code = 1000 bugs attacker only needs to find 1 bug; defender must find all of them

Thursday, April 4, 13

1 million lines of code × 1 bug / thousand lines of code = 1000 bugs attacker only needs to find 1 bug; defender must find all of them don’t know whether system is vulnerable

Thursday, April 4, 13

attackers choose how and whether to attack

Thursday, April 4, 13

attackers choose how and whether to attack attacks change rapidly

Thursday, April 4, 13

attackers choose how and whether to attack attacks change rapidly no good data about prob. of breach

Thursday, April 4, 13

risk = E[loss] = P(breach) × cost(breach)

• ften not known

Thursday, April 4, 13

implications

Thursday, April 4, 13

security market is sometimes dysfunctional

Thursday, April 4, 13

market for lemons

Thursday, April 4, 13

thinking about risks, when there are multiple players

Thursday, April 4, 13

Thursday, April 4, 13

but fraud rates higher in UK US banks spent less on security

Thursday, April 4, 13

UK: US: but fraud rates higher in UK US banks spent less on security

Thursday, April 4, 13

UK: US: liability for fraud on customer but fraud rates higher in UK US banks spent less on security

Thursday, April 4, 13

UK: US: liability for fraud on customer liability for fraud on bank but fraud rates higher in UK US banks spent less on security

Thursday, April 4, 13

UK: US: liability for fraud on customer liability for fraud on bank but fraud rates higher in UK huh? US banks spent less on security

Thursday, April 4, 13

UK: US:

Thursday, April 4, 13

UK: US: fraud? you must have been careless. tough luck, sucks to be you

Thursday, April 4, 13

UK: US: fraud? you must have been careless. tough luck, sucks to be you fraud? no problem, we’ll reimburse you

Thursday, April 4, 13

UK: US: fraud? you must have been careless. tough luck, sucks to be you fraud? no problem, we’ll reimburse you good for customers, but also good for banks

Thursday, April 4, 13

moral hazard UK banks got lazy and careless, leading to an epidemic of fraud

Thursday, April 4, 13

lesson: align incentives

Thursday, April 4, 13

rule of thumb: place liability on whoever is in the best position to do something about it

Thursday, April 4, 13

externalities

Thursday, April 4, 13

spam

Thursday, April 4, 13

spam ~ 90% of all email is spam

Thursday, April 4, 13

spam ~ 90% of all email is spam costs US $20 billion per year, in lost productivity

Thursday, April 4, 13

costs recipient: costs sender:

Thursday, April 4, 13

costs recipient: costs sender: 10 ¢ per spam < 0.001 ¢ per spam

Thursday, April 4, 13

10 million Viagra spams → 1 sale $3.5 million in revenue per year, for one botnet

Thursday, April 4, 13

why is this possible?

Thursday, April 4, 13

why is this possible? bots

Thursday, April 4, 13

cost of spam not born by those enabling it (an externality)

Thursday, April 4, 13

solution?

Thursday, April 4, 13

• regulation: prohibit the harmful activity
• taxation: tax the harmful activity, so market

price reflects the true cost to society

• liability: make those causing harm liable for

end effects

• mitigation: develop solutions so others are

harmed less

Thursday, April 4, 13

Thursday, April 4, 13

let’s count the externalities:

Thursday, April 4, 13

let’s count the externalities:

• 1. attackers used bots to send lots of traffic

Thursday, April 4, 13

let’s count the externalities:

• 1. attackers used bots to send lots of traffic
• 2. attackers exploited open DNS relays to

boost amount of traffic

Thursday, April 4, 13

let’s count the externalities:

• 1. attackers used bots to send lots of traffic
• 2. attackers exploited open DNS relays to

boost amount of traffic

• 3. ISPs don’t block outgoing traffic with obviously

spoofed source address

Thursday, April 4, 13

externalities make risks harder to manage

Thursday, April 4, 13

cyberwar cyberespionage cybercrime

Thursday, April 4, 13

Thursday, April 4, 13

Thursday, April 4, 13

Thursday, April 4, 13

Thursday, April 4, 13

Thursday, April 4, 13

Thursday, April 4, 13

Thursday, April 4, 13

Thursday, April 4, 13

Thursday, April 4, 13

Thursday, April 4, 13

Thursday, April 4, 13

Thursday, April 4, 13

Thursday, April 4, 13

cyberwar cyberespionage cybercrime

Thursday, April 4, 13

cyberwar cyberespionage cybercrime exercise: name some externalities

Thursday, April 4, 13

• prevention: reduce probability of bad thing
• mitigation: reduce cost of bad thing
• risk transfer: shift cost to someone else

(insurance, taxation, liability, ...) general strategies for dealing with risk:

Thursday, April 4, 13