Firewall Wizards mailing list archives

RE: Broken Analogies (was: Transitive Trust)


From: "Ben Nagy" <ben () iagu net>
Date: Tue, 21 Jun 2005 15:09:05 +0200

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com 
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Eugene Kuznetsov
[...]
There's an interesting thought here, one that really takes us into the realm of epidemiology or toxicology. Bears aside, what is the expected, normal rate of such incidents? Is it getting worse? Better? Risk factors? Correlation? 

Anyone know of any papers that try to think of computer security incidents like "[awful-disease] clusters"? 

I was thinking of using something like this in a paper, but I concluded that
it doesn't really work out. It's very exciting when you look at the spread
of network worms - they make an S-shaped curve called a sigmoid, which comes
straight out of epidemiology. The trouble is that's about where the
usefulness stops. I don't mean this to be a put-down, because it certainly
is an interesting train of thought.

There are some important differences, especially when applied to things like
self-propagating malware like worms or user-propagated ones like viruses.

1. With diseases you stop being an infection vector (you die, or you get
better).

This would leave organisations with the option of doing nothing, which they
don't have.

2. With diseases you get really sick.

This one might take some explaining - 99% of computer viruses and worms
don't have any real effect on the host that is infected, which is why
thousands of people still have Blaster and haven't really noticed. Sure they
swamp networks, and OK, maybe they make things crash sometimes, but that's
really not _all_ that bad.

People's mentality will never change while this is the case, because all of
the cures are worse than the diseases. Take any aggressive quarantine style
system and apply it enterprise-wide and people will start to bitch. They
will bitch even worse when there is a false positive because the perceived
usability cost is too high for them. When we start getting more malware that
trashes the host then I think all of these discussions might become more
useful.

I'm going to leave aside things like acquired immunity, re-infection, and
avoidance (people don't tend to kiss those suffering from cold sores).

Current worms may _spread_ like diseases, but that's pretty much where the
useful similarities end, in my opinion. 

Oh, and targeted incidents are not like diseases at all - they probably are,
actually, more like bears. Or maybe weasels. I actually think you might be
better off looking at it from an economic modelling approach with supply and
demand of exploits and risk / reward of targets. There's probably some game
theory in there too.

Anyway, enough ramble.

ben

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
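The sigmoid-versus-disease point in the post above, as an added worked example (this is not code from the original post or from the list). It simulates the two compartment models the post is implicitly contrasting: an SI model, where infected hosts never leave the infectious pool (a worm whose hosts "haven't really noticed"), and an SIR model, where hosts are removed (a disease where you die or get better, or a worm where somebody patches, cleans or quarantines). The population size, scan rate (beta) and removal rate (gamma) are assumed illustrative values, not measurements of any real worm.

```python
"""Compartment models of worm spread (added illustration, not the post's code).

simulate_si  : susceptible -> infected, no removal; hosts stay vectors forever
simulate_sir : susceptible -> infected -> removed; hosts die, recover, or get
               patched/quarantined and stop spreading

All parameter values used below are assumptions chosen for illustration.
"""
import math


def simulate_si(n, i0, beta, steps):
    """Discrete-time SI model for a random-scanning worm.

    n     -- hosts in the scanned address space
    i0    -- initially infected hosts
    beta  -- successful infection attempts per infected host per step,
             each landing on a uniformly random host
    Returns the infected count after each step (length steps + 1).
    Nothing removes infected hosts, so the curve saturates at n.
    """
    infected = float(i0)
    history = [infected]
    for _ in range(steps):
        # only the (n - infected)/n fraction of scans hits a fresh target
        new_infections = beta * infected * (n - infected) / n
        infected = min(float(n), infected + new_infections)
        history.append(infected)
    return history


def simulate_sir(n, i0, beta, gamma, steps):
    """Discrete-time SIR model: as simulate_si, but each step a fraction
    gamma of infected hosts is removed (dead, recovered, patched, cleaned)
    and stops spreading.  Returns (infected_history, removed_history).
    """
    s, i, r = float(n - i0), float(i0), 0.0
    hist_i, hist_r = [i], [r]
    for _ in range(steps):
        new_infections = min(s, beta * i * s / n)
        removals = min(i, gamma * i)
        s -= new_infections
        i += new_infections - removals
        r += removals
        hist_i.append(i)
        hist_r.append(r)
    return hist_i, hist_r


def basic_reproduction_number(beta, gamma):
    """R0: infections one host causes before it is removed.  Growth when
    R0 > 1, fizzle when R0 < 1.  With no removal (SI) R0 is unbounded:
    the worm never burns out on its own."""
    return math.inf if gamma == 0 else beta / gamma


def logistic_closed_form(n, i0, beta, t):
    """Continuous-time solution of dI/dt = beta * I * (1 - I/n): the
    sigmoid the discrete SI curve approximates."""
    return n / (1.0 + (n - i0) / i0 * math.exp(-beta * t))


def is_sigmoid(history, tol=1e-9):
    """True if per-step growth rises to a single peak and then falls
    (an S-shape).  tol absorbs floating-point noise near saturation."""
    deltas = [b - a for a, b in zip(history, history[1:])]
    if not deltas or min(deltas) < -tol:
        return False
    peak = deltas.index(max(deltas))
    rising = all(deltas[k] <= deltas[k + 1] + tol for k in range(peak))
    falling = all(deltas[k] + tol >= deltas[k + 1]
                  for k in range(peak, len(deltas) - 1))
    return peak > 0 and rising and falling


if __name__ == "__main__":
    N, I0, BETA, STEPS = 10_000, 10, 0.5, 300   # assumed illustrative values
    si = simulate_si(N, I0, BETA, STEPS)
    print("SI  (worm, no removal): R0 = %s, sigmoid = %s, final infected = %.0f / %d"
          % (basic_reproduction_number(BETA, 0), is_sigmoid(si), si[-1], N))
    for gamma in (0.25, 0.6):
        inf, rem = simulate_sir(N, I0, BETA, gamma, STEPS)
        print("SIR (gamma=%.2f): R0 = %.2f, peak infected = %.0f, ever infected = %.0f,"
              " never infected = %.0f"
              % (gamma, basic_reproduction_number(BETA, gamma), max(inf),
                 rem[-1], N - inf[-1] - rem[-1]))
```

Running it shows the contrast the post draws: the SI curve is a textbook sigmoid, but it ends with every host infected, whereas the SIR run with gamma = 0.25 (R0 = 2) peaks and burns out with a sizeable population never infected, and gamma = 0.6 (R0 < 1) never takes off at all. For a disease, gamma comes for free from death or recovery; for a worm whose victims barely notice it, gamma is whatever the organisation supplies itself through patching, cleaning or quarantine, which is the "no option of doing nothing" point.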
