SLIDE 1

Advanced Network Security

Economics of network security

Joeri de Ruiter

SLIDE 2

Outline

  • What economic (dis)incentives are at play in network security?
  • Motivating examples
  • Economic principles for economics of security
  • Examples from network security
SLIDE 3

Motivating example: patching

  • Most malware attacks make use of known vulnerabilities
  • They could have been prevented if users would have patched their system
  • Why do they not do it?
    • Lazy
    • Uninformed
    • Lack of resources
  • Is it economically rational to patch?
SLIDE 4

Motivating example: patching

  • It is not just one patch
    • Number of vulnerabilities reported by VulnDB for 2017: 21.384
  • Patching can break your systems
    • Majority of the outages at one of the large Dutch telecom providers was their own patching

SLIDE 5

Motivating example: anti-virus

  • Who uses anti-virus?
  • Is using AV economically rational?
    • Lot of effort
    • Costs of software
    • Benefits?
  • Originally viruses would damage your system, but nowadays they mainly use your system as bot

SLIDE 6

Economics of security

  • More and more devices are connected to the Internet
  • Actions by one party might affect another party positively or negatively
  • Can we explain why users/organisations take particular security decisions?
  • Can we influence these decisions?
  • We will look at security on a more societal level
SLIDE 7

Concepts in economics

  • Classic economics assumes people take rational decisions
    • For example, criminal economically rational
  • Incentives
  • Externalities
  • Tragedy of the commons
  • Markets for lemons
SLIDE 8

Incentives

  • Motivation for a party to (not) perform an action
  • Examples
    • Monetary gain/loss
    • Reputation
    • Peer pressure
    • Liability
SLIDE 9

Externalities

  • “A consequence of an industrial or commercial activity which affects other parties without this being reflected in market prices” – Oxford Dictionary
  • Side-effect of an event/transaction on third parties
  • Can be either positive or negative
SLIDE 10

Negative externalities

  • Classical example of a negative externality is pollution
  • Reduction of pollution by a company costs money and has no direct effect on the company
  • Society bears the consequences (externalities)
    • For example, increased costs of healthcare

Source: https://flic.kr/p/2iGM5z

SLIDE 11

Positive externalities

  • Improvement of houses in a neighbourhood
  • This will increase the value of other houses in the neighbourhood as well

Source: https://flic.kr/p/byeLgc

SLIDE 12

Misaligned incentives

  • Incentives for one party reward behaviour that is detrimental to other parties
  • Additional incentives need to be introduced to address misalignment of incentives
    • Typically done using regulation by government
    • For example, carbon tax → polluter pays
SLIDE 13

Liability

SLIDE 14

Liability

  • Can be used to get rid of misalignment of incentives
  • Special case: intermediary liability
  • Clear liability for physical products
  • What about software?
    • Typically no liability
    • The user has to bear the consequences of serious security bugs
SLIDE 15

Tragedy of the commons

  • Hardin, 1968
  • For a shared resource that everyone can use for free
  • The increased benefit of one party leads to small costs of other parties
  • Finally the shared resource will be depleted completely
SLIDE 16

Market for lemons

  • Akerlof, 1970
  • Occurs when there is information asymmetry
    • For example, between user and manufacturer
  • Users cannot distinguish the difference in quality between products
  • Consumer will base price on price of average product
  • Higher quality product will not be able to compete and leave
  • This process continues until you are only left with the lowest quality products

SLIDE 17

Economics of network security

SLIDE 18

Example: CVSS score

Source: https://www.cvedetails.com/

  • CVSS score assigned to reported vulnerabilities
SLIDE 19

Example: CVSS score

  • Incentives
    • Security researcher → high score means more credits and, possibly, higher bounty
    • Security supplier → do not want to rate a vulnerability low that is later used to compromise clients
  • Many high level vulnerabilities are never actually exploited
  • “CVSS is DoS-ing your own patching” – Luca Allodi
SLIDE 20

Example: spam

2017

SLIDE 21

Example: spam

  • Sender incentives/costs
    • Might make money if spam is successful
    • Needs to invest in some minimal infrastructure to send spam
  • Externalities
    • Increase in traffic → costs for ISPs
    • Wasted time of users → costs for users/employers
  • In general the total profit from cybercrime is relatively small, though the societal costs are much higher

SLIDE 22

Example: botnets

  • Which incentives and externalities play a role with botnets?
  • Users of infected machines might not be directly affected
    • Cleaning machine costs time
  • The user’s ISP might not be directly impacted
    • E.g., every bot only generates a small part of DDoS traffic
  • Some bots do not activate in the home country of the bot master
    • Reduce incentive for local law enforcement
SLIDE 23

Internet of Things (IoT)

  • Most IoT devices are cheap and are never patched
  • Security does not increase profit of the manufacturer
  • Users often cannot update their devices
  • Manufacturer has no incentive to increase security as other parties bear the costs

SLIDE 24

Mirai botnet

  • Malware family targeted at insecure IoT devices
  • Support for multiple platforms
  • Spreads like a worm
    • Scan and perform dictionary attacks on SSH and telnet
  • Used for DDoS attacks
    • Reported total bandwidth of up to 1 Tbps
SLIDE 25

Mirai botnet

Source: Understanding the Mirai Botnet, Antonakakis et al.

SLIDE 26

Mirai botnets

  • Misalignment of incentives
    • Manufacturers want to maximise profit and are not affected by the malicious activity
    • Consumers want cheap devices and are not affected by the attacks their devices perform
  • Regulation required to change the incentives
    • EU proposal for certification of IoT devices
    • US IoT Cybersecurity Improvement Act
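The incentive gap on the botnet slide and the Mirai slide can be made concrete with a small cost model. This is an added illustration, not material from the lecture: the `Device` fields, the cost figures and the `liability` share (the "polluter pays" idea from the carbon-tax slide) are all constructed assumptions.

```python
# Added illustration, not from the lecture: a toy model of the incentive
# gap on the botnet and Mirai slides. Every number is a constructed
# placeholder; the functions show the reasoning, not real cost figures.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Device:
    clean_cost: float     # what cleaning/patching costs its owner (time, money)
    private_harm: float   # harm the owner suffers from staying infected
    external_harm: float  # harm pushed onto third parties (DDoS victims, ISPs)


def owner_cleans(d: Device, liability: float = 0.0) -> bool:
    """Private decision: clean only if the owner's own expected harm (plus
    any share of external harm that regulation shifts back onto the owner,
    the 'polluter pays' idea) covers the cost of cleaning."""
    return d.clean_cost <= d.private_harm + liability * d.external_harm


def society_wants_clean(d: Device) -> bool:
    """Social decision: count the harm to everyone, not just the owner."""
    return d.clean_cost <= d.private_harm + d.external_harm


def minimal_liability(d: Device) -> float:
    """Smallest fraction of external harm that must land on the owner for
    the private decision to match the social one (0 if it already does)."""
    if not society_wants_clean(d) or owner_cleans(d):
        return 0.0
    return (d.clean_cost - d.private_harm) / d.external_harm


def population_outcome(devices: List[Device], liability: float = 0.0) -> Tuple[int, float]:
    """Devices cleaned and total cost borne by society when every owner
    acts on private incentives under the given liability share."""
    cleaned, total = 0, 0.0
    for d in devices:
        if owner_cleans(d, liability):
            cleaned += 1
            total += d.clean_cost
        else:
            total += d.private_harm + d.external_harm
    return cleaned, total


# Constructed fleet: cheap IoT devices whose owners barely notice an infection.
FLEET = [Device(20, 1, 100), Device(5, 0, 50), Device(80, 2, 30)]

if __name__ == "__main__":
    print("no liability:", population_outcome(FLEET))        # (0, 183.0)
    print("polluter pays:", population_outcome(FLEET, 1.0))  # (2, 57.0)
```

With no liability nobody cleans and society carries 183 units of harm; shifting the external harm back onto owners makes the two cheap-to-clean devices get cleaned, while the third stays infected because cleaning it would cost more than the harm it causes, which is also the social optimum.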
SLIDE 27

Role of ISPs

  • Typically not directly affected by malware infections of their customers
  • Yet in a good position to address it. For example by
    • Filtering outgoing traffic
    • Quarantining customers
  • Why would they (not) get involved?
    • Monetary costs
    • Intermediary liability
    • Peer pressure and reputation
SLIDE 28

Source: Van Eeten et al.

SLIDE 29

WPA Enterprise

  • Security depends on users configuring their devices correctly
  • Why would they do this?
    • It’s cumbersome
    • It also works with insecure configuration
  • Is all the extra effort worth it?
    • Costs of correct configuring lower than costs of a compromise?
SLIDE 30

Economics of cyber criminals

  • Customer service by spammers tends to be very good
    • Don’t want to be blocked by Visa/Mastercard
  • Similar for ransomware owners
    • Victims should have a reason to pay
  • Tragedy of the commons also applies to cyber criminals
SLIDE 31

Further activities

  • Read the following papers
    • Why information security is hard - an economic perspective. Ross Anderson, Proceedings 17th Annual Computer Security Applications Conference (ACSAC), 2001
    • So long, and no thanks for the externalities: the rational rejection of security advice by users. Cormac Herley, Proceedings of the 2009 workshop on New security paradigms workshop (NSPW)