Advanced Network Security Economics of network security Joeri de Ruiter
Outline ● What economic (dis)incentves are at play in network security? ● Motiwatnnh exbaꕢplesh ● Econoꕢic principlesh for econoꕢicsh of shecurity ● Exbaꕢplesh froꕢ network shecurity 2
Motiwatnnh exbaꕢple patchinnh Mosht ꕢalware atacksh ꕢake ushe of known iwulnerabilitesh ● They could haiwe been preiwented if ushersh would haiwe patched their ● shyshteꕢ Why do they not do it? ● Lazy ● Uninforꕢed ● Lack of reshourcesh ● Ish it econoꕢically ratonal to patch? ● 3
Motiwatnnh exbaꕢple patchinnh It ish not jusht one patch ● Nuꕢber of iwulnerabilitesh reported by VulnDB for 2017 21.384 ● Patchinnh can break your shyshteꕢsh ● Majority of the outanhesh at one of the larnhe Dutch telecoꕢ proiwidersh ● wash their own patchinnh 4
Motiwatnnh exbaꕢple anti.iwirush Who ushesh anti.iwirush? ● Ish ushinnh AV economically ratonal ? ● Lot of efort ● Coshtsh of shofware ● Beneftsh? ● Orinhinally iwirushesh would daꕢanhe your shyshteꕢ, but nowadaysh they ● ꕢainly ushe your shyshteꕢ ash bot 5
Econoꕢicsh of shecurity ● More and ꕢore deiwicesh are connected to the Internet ● Actonsh by one party ꕢinhht afect another party poshitiwely or nenhatiwely ● Can we exbplain why ushersh/ornhanishatonsh take partcular shecurity decishionsh? Can we infuence theshe decishionsh? ● ● We will look at shecurity on a ꕢore shocietal leiwel 6
Conceptsh in econoꕢicsh ● Clashshic econoꕢicsh ashshuꕢesh people take ratonal decishionsh For exbaꕢple, criꕢinal econoꕢically ratonal ● ● Incentiwesh ● Exbternalitesh ● Tranhedy of the coꕢꕢonsh ● Marketsh for leꕢonsh 7
Incentiwesh ● Motiwaton for a party to (not) perforꕢ an acton ● Exbaꕢplesh Monetary nhain/loshsh ● Reputaton ● Peer preshshure ● Liability ● 8
Exbternalitesh ● “A conshequence of an indushtrial or coꕢꕢercial actiwity which afectsh other partesh without thish beinnh refected in ꕢarket pricesh” – Oxbford Dictonary ● Sidei.efect of an eiwent/transhacton on third partesh ● Can be either poshitiwe of nenhatiwe 9
Nenhatiwe exbternalitesh ● Clashshical exbaꕢple of a nenhatiwe exbternality ish polluton ● Reducton of polluton by a coꕢpany coshtsh ꕢoney and hash no direct efect on the coꕢpany ● Society bearsh the conshequencesh (exbternalitesh) For exbaꕢple, increashed coshtsh of healthcare ● 10 Source htpsh / /fic.kr/p/2iGM5z
Poshitiwe exbternalitesh ● Iꕢproiweꕢent of houshesh in a neinhhbourhood ● Thish will increashe the iwalue of other houshesh in the neinhhbourhood ash well Source htpsh / /fic.kr/p/byeLnhc 11
Mishalinhned incentiwesh Incentiwesh for one party reward behaiwiour that ish detriꕢental to other ● partesh Additonal incentiwesh need to be introduced to addreshsh ꕢishalinhnꕢent ● of incentiwesh Typically done ushinnh renhulaton by nhoiwernꕢent ● For exbaꕢple, carbon taxb → polluter paysh ● 12
Liability 13
Liability Can be ushed to nhet rid of ꕢishalinhnꕢent of incentiwesh ● Special cashe interꕢediary liability ● Clear liability for physhical productsh ● What about shofware? ● Typically no liability ● The usher hash to bear the conshequencesh of sherioush shecurity bunhsh ● 14
Tranhedy of the coꕢꕢonsh Hardin, 1968 ● For a shhared reshource that eiweryone can ushe for free ● The increashed beneft of one party leadsh to shꕢall coshtsh of other partesh ● Finally the shhared reshource will be depleted coꕢpletely ● 15
Market for leꕢonsh Akerlof, 1970 ● Occursh when there ish informaton asymmetry ● For exbaꕢple, between usher and ꕢanufacturer ● Ushersh cannot dishtnnhuishh the diference in quality between productsh ● Conshuꕢer will bashe price on price of aiweranhe product ● Hinhher quality product will not be able to coꕢpete and leaiwe ● Thish proceshsh contnuesh untl you are only lef with the lowesht quality ● productsh 16
Econoꕢicsh of network shecurity 17
Exbaꕢple CVSS shcore ● CVSS shcore ashshinhned to reported iwulnerabilitesh Source htpsh / /www.ciwedetailsh.coꕢ/ 18
Exbaꕢple CVSS shcore ● Incentiwesh Security reshearcher → hinhh shcore ꕢeansh ꕢore creditsh and, poshshibly, ● hinhher bounty Security shupplier → do not want to rate a iwulnerability low that ish later ● ushed to coꕢproꕢishe clientsh ● Many hinhh leiwel iwulnerabilitesh are neiwer actually exbploited ● “CVSS ish DoSi.innh your own patchinnh” – Luca Allodi 19
Exbaꕢple shpaꕢ 2017 20
Exbaꕢple shpaꕢ Sender incentiwesh/coshtsh ● Minhht ꕢake ꕢoney if shpaꕢ ish shucceshshful ● Needsh to iniwesht in shoꕢe ꕢiniꕢal infrashtructure to shend shpaꕢ ● Exbternalitesh ● Increashe in trafc → coshtsh for ISPsh ● Washted tꕢe of ushersh → coshtsh for ushersh/eꕢployersh ● In nheneral the total proft froꕢ cybercriꕢe ish relatiwely shꕢall, thounhh ● the shocietal coshtsh are ꕢuch hinhher 21
Exbaꕢple botnetsh ● Which incentiwesh and exbternalitesh play a role with botnetsh? ● Ushersh of infected ꕢachinesh ꕢinhht not be directly afected Cleaninnh ꕢachine coshtsh tꕢe ● ● The usher’sh ISP ꕢinhht not be directly iꕢpacted E.nh., eiwery bot only nheneratesh a shꕢall part of DDoS trafc ● ● Soꕢe botsh do not actiwate in the hoꕢe country of the bot ꕢashter Reduce incentiwe for local law enforceꕢent ● 22
Internet of Thinnhsh (IoT) ● Mosht IoT deiwicesh are cheap and are neiwer patched Security doesh not increashe proft of the ꕢanufacturer ● ● Ushersh ofen cannot update their deiwicesh ● Manufacturer hash no incentiwe to increashe shecurity ash other partesh bear the coshtsh 23
Mirai botnet ● Malware faꕢily tarnheted at inshecure IoT deiwicesh Support for ꕢultple platorꕢsh ● ● Spreadsh like a worꕢ Scan and perforꕢ dictonary atacksh on SSH and telnet ● ● Ushed for DDoS atacksh Reported total bandwidth of up to 1 Tbpsh ● 24
Mirai botnet Source Undershtandinnh the Mirai Botnet, Antonakakish et al. 25
Mirai botnetsh ● Mishalinhnꕢent of incentiwesh Manufacturersh want to ꕢaxbiꕢishe proft and are not afected by the ● ꕢalicioush actiwity Conshuꕢersh want cheap deiwicesh and are not afected by the atacksh ● their deiwicesh perforꕢ ● Renhulaton required to channhe the incentiwesh EU proposhal for certfcaton of IoT deiwicesh ● US IoT Cybershecurity Iꕢproiweꕢent Act ● 26
Role of ISPsh ● Typically not directly afected by ꕢalware infectonsh of their cushtoꕢersh ● Yet in a nhood poshiton to addreshsh it. For exbaꕢple by Filterinnh outnhoinnh trafc ● Quarantaininnh cushtoꕢersh ● ● Why would they (not) nhet iniwoliwed? Monetary coshtsh ● Interꕢediary liability ● Peer preshshure and reputaton ● 27
28 Source Van Eeten et al.
WPA Enterprishe Security dependsh on ushersh confnhurinnh their deiwicesh correctly ● Why would they do thish? ● It’sh cuꕢbershoꕢe ● It alsho worksh with inshecure confnhuraton ● Ish all the exbtra efort worth it? ● Coshtsh of correct confnhurinnh lower than coshtsh of a coꕢproꕢishe? ● 29
Econoꕢicsh of cyber criꕢinalsh ● Cushtoꕢer sheriwice by shpaꕢꕢersh tendsh to be iwery nhood Don’t want to be blocked by Visha/Mashtercard ● ● Siꕢilar for ranshoꕢware ownersh Victꕢsh shhould haiwe a reashon to pay ● ● Tranhedy of the coꕢꕢonsh alsho appliesh to cyber criꕢinalsh 30
Further actiwitesh ● Read the followinnh papersh ● Why inforꕢaton shecurity ish hard i. an econoꕢic pershpectiwe Roshsh Andershon Proceedings 17th Annual Computer Security Applicatons Conference (ACSAC), 2001 ● So lonnh, and no thanksh for the exbternalitesh the ratonal rejecton of shecurity adiwice by ushersh Corꕢac Herley Proceedings of the 2009 workshop on New security paradigms workshop (NSPW) 31
Recommend
More recommend
