Firewall Wizards mailing list archives
RE: Broken Analogies (was: Transitive Trust)
From: "Ben Nagy" <ben () iagu net>
Date: Tue, 21 Jun 2005 15:09:05 +0200
-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Eugene Kuznetsov
[...]
There's an interesting thought here, one that really takes us into the realm of epidemiology or toxicology. Bears aside, what is the expected, normal rate of such incidents? Is it getting worse? Better? Risk factors? Correlation? Anyone know of any papers that try to think of computer security incidents like "[awful-disease] clusters"?
I was thinking of using something like this in a paper, but I concluded that it doesn't really work out. It's very exciting when you look at the spread of network worms - they make an S-shaped curve called a sigmoid, which comes straight out of epidemiology. The trouble is that's about where the usefulness stops.

I don't mean this to be a put-down, because it certainly is an interesting train of thought. There are some important differences, especially when applied to things like self-propagating malware like worms or user-propagated ones like viruses.

1. With diseases you stop becoming an infection vector (you die, or you get better). This would leave organisations with the option of doing nothing, which they don't have.

2. With diseases you get really sick. This one might take some explaining - 99% of computer viruses and worms don't have any real effect on the host that is infected, which is why thousands of people still have Blaster and haven't really noticed. Sure they swamp networks, and OK, maybe they make things crash sometimes, but that's really not _all_ that bad. People's mentality will never change while this is the case, because all of the cures are worse than the diseases. Take any aggressive quarantine style system and apply it enterprise-wide and people will start to bitch. They will bitch even worse when there is a false positive because the perceived usability cost is too high for them. When we start getting more malware that trashes the host then I think all of these discussions might become more useful.

I'm going to leave aside things like acquired immunity, re-infection, and avoidance (people don't tend to kiss those suffering from cold sores).

Current worms may _spread_ like diseases, but that's pretty much where the useful similarities end, in my opinion. Oh, and targeted incidents are not like diseases at all - they probably are, actually, more like bears. Or maybe weasels.

I actually think you might be better looking at it from an economic modelling approach with supply and demand of exploits and risk / reward of targets. There's probably some game theory in there too.

Anyway, enough ramble.

ben

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
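
The sigmoid and difference no. 1 in the message above can be seen side by side in a standard compartment model. This is an added example, not part of the original post: the function names, the fully mixed population and all parameter values are assumptions made for illustration.

```python
# SI model: an infected host keeps spreading forever (worm-like, gamma = 0).
# SIR model: an infected host is eventually removed (disease-like, gamma > 0).
# Population size, rates and step size are constructed values.

def simulate(n_hosts, beta, gamma, steps, dt=0.1, seed_infected=1.0):
    """Euler-integrate dS/dt = -beta*S*I/N, dI/dt = beta*S*I/N - gamma*I.

    Returns the infected count at every step, starting with the seed.
    """
    s = n_hosts - seed_infected
    i = seed_infected
    history = [i]
    for _ in range(steps):
        new_infections = min(beta * s * i / n_hosts * dt, s)
        removals = gamma * i * dt
        s -= new_infections
        i += new_infections - removals
        history.append(i)
    return history


def level_at_fastest_growth(history):
    """Infected count at the step with the largest increase (the inflection)."""
    deltas = [b - a for a, b in zip(history, history[1:])]
    k = max(range(len(deltas)), key=deltas.__getitem__)
    return history[k]


N = 10000
worm = simulate(N, beta=1.0, gamma=0.0, steps=500)     # nobody stops spreading
disease = simulate(N, beta=1.0, gamma=0.3, steps=500)  # hosts die or recover

if __name__ == "__main__":
    print(" time    worm(SI)  disease(SIR)")
    for k in range(0, 501, 50):
        print(f"{k * 0.1:5.1f}  {worm[k]:10.1f}  {disease[k]:12.1f}")
```

The SI column climbs along the S-shaped curve and stays at the full population, while the SIR column peaks and falls back toward zero without any intervention, which is the "doing nothing" option the message says organisations do not have.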