Centre International de Recherche sur l’Environnement et le Développement

Minh Ha Duong, Opinions

An economic perspective on Information warfare and security

Outline of a lesson to university IT students.


Warning: these notes are very lightly edited slides, contain no original material, and have not been peer-reviewed.

Here are the visual aids of a course given at Carnegie Mellon University on February 11th, 2002. The lesson was organized in three parts.

  1. First, we examined in which ways cyber security is a serious issue. We reviewed the old threats, such as fraud and piracy, then discussed the new threats, such as viruses and denial-of-service attacks, and finally I concluded that cyber-war was not there yet.
  2. In the second part, I discussed managing the risk within the institution. We mostly discussed costing incidents at the company level, so that security engineers have a sense of what to say to defend the usefulness of their jobs. Then we briefly examined higher-level management: the notion of managing the expected risk, and insurance.
  3. The third part of the lesson was about national aspects of cyber security. My goal was to show the canyon between serious methodologies and media hype.

I. A serious issue

Internet fraud

Every new technology is used for age-old dishonest money-making techniques. The National Consumers League Internet Fraud Watch estimated the cost of Internet fraud in the US in 2001 at 4.4 M$, up from 3.4 M$ in 2000. Here is how they broke it down:

Top 6 categories              2001   Trend
On-line auctions               63%
General merchandise sale       11%   -
Nigerian money offers           9%   +
Internet access services        3%   =
Information adult services      3%   +
Work-at-home                    2%   =

Intellectual property theft

Information is a good that is difficult to protect and to sell at the same time. This leads to a new kind of issue related to intellectual property.

The value of pirated software has been estimated at between 3 bn $ (US, 2001 BSA) and 11 bn $ (worldwide, 1997 IPRC study). This does not account for multimedia (music and movie) piracy, or for clothes and other luxury goods.

There are big differences between countries. For example, it is estimated that only 25% of software in the USA is illegally acquired, versus 95% in China.

Code Red

This famous worm exploits a buffer overflow in MS IIS. It was released on June 18th, 2001.

The worm attacked various websites on July 12th and displayed the "Hacked by Chinese" message. The attack on whitehouse.gov was dodged by changing the IP address of that website.

A version 2 appeared on July 19th. It was still memory-only, but had an improved random target list, leading to the infection of 359 000 machines in 14 hours.

  • CodeRedII, August 4th: installs a backdoor on disk
  • No direct damage
  • Limited collateral network disruption (CodeRedII reboots)
  • About 1 000 000 infections

If it takes 1000 dollars to fix one Code Red infected machine, then this incident is in the billion-dollar impact category. What do you think?

More on the Code Red analysis can be found at CAIDA (http://www.caida.org/analysis/security/code-red/coderedv2_analysis.xml), including an animation showing its propagation speed.
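As an added example (not from the lecture notes), the following Python script fits the standard logistic "random constant spread" model of a uniformly scanning worm to the figure quoted above (359 000 hosts in 14 hours) and uses it to estimate the window a defender has between the outbreak becoming visible and saturation, and the probe rate a passive network telescope of unused addresses would observe. The population size, the assumption that 99% of the vulnerable hosts had been reached at 14 hours, the detection threshold and the sensor size are assumptions; the model ignores patching, filtering and network congestion.

```python
# Added example (not from the lecture notes): the logistic "random constant
# spread" model of a randomly scanning worm, fitted to the figure quoted in
# the notes for Code Red v2 (359,000 hosts in 14 hours), and used to estimate
# the response window a defender has and what a network telescope would see.
import math

ADDRESS_SPACE = 2 ** 32   # IPv4 addresses, probed uniformly at random


def spread_rate(vulnerable: int, hours: float, final_fraction: float) -> float:
    """Fit the logistic rate K (per hour) such that, starting from a single
    infected host, `final_fraction` of the `vulnerable` population is infected
    after `hours`.  Model: da/dt = K * a * (1 - a), a = infected fraction.
    If every infected host probes r addresses per hour, K = r * N / 2^32."""
    a0 = 1.0 / vulnerable
    return math.log(final_fraction * (1 - a0) / (a0 * (1 - final_fraction))) / hours


def infected_fraction(t: float, k: float, vulnerable: int) -> float:
    """Closed-form solution of the logistic model at time t (hours)."""
    a0 = 1.0 / vulnerable
    growth = a0 * math.exp(k * t)
    return growth / (1 - a0 + growth)


def time_to_fraction(target: float, k: float, vulnerable: int) -> float:
    """Hours until the infected fraction reaches `target`."""
    a0 = 1.0 / vulnerable
    return math.log(target * (1 - a0) / (a0 * (1 - target))) / k


def response_window(k: float, vulnerable: int,
                    detect_at: float = 0.01, saturated_at: float = 0.90) -> float:
    """Hours between the outbreak becoming visible (detect_at of the population
    infected, an assumed threshold) and most of the population being hit."""
    return (time_to_fraction(saturated_at, k, vulnerable)
            - time_to_fraction(detect_at, k, vulnerable))


def telescope_probes_per_hour(k: float, fraction: float, sensor_addresses: int) -> float:
    """Probes per hour landing on a passive sensor of `sensor_addresses` unused
    addresses when `fraction` of the population is infected.  With N infected
    hosts each probing r = K * 2^32 / N addresses per hour, the sensor receives
    fraction * N * r * sensor / 2^32 = fraction * K * sensor probes per hour."""
    return fraction * k * sensor_addresses


if __name__ == "__main__":
    N = 359_000                       # hosts infected in 14 h (figure from the notes)
    K = spread_rate(N, hours=14, final_fraction=0.99)   # 99% at 14 h is an assumption
    print(f"fitted rate K = {K:.3f} per hour")
    for target in (0.01, 0.10, 0.50, 0.90):
        print(f"{target:>4.0%} of hosts infected after {time_to_fraction(target, K, N):5.1f} h")
    print(f"response window from 1% to 90% infected: {response_window(K, N):.1f} h")
    print(f"a /16 telescope sees about {telescope_probes_per_hour(K, 0.01, 2 ** 16):.0f} "
          f"probes/h when 1% of hosts are infected")
```

The fitted rate puts the 1% to 90% window at roughly five and a half hours, which is the economic point behind the propagation animation: the damage is done faster than a human-speed patch cycle, so the cost of an incident is governed by how quickly detection (for example a telescope seeing hundreds of probes per hour on a /16) can trigger an automated response.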

Nimda

Nimda has been called a blended threat because it blends several propagation modes:

  1. MIME exploit by email (on opening or previewing)
  2. Embeds itself in HTML pages, with the same MIME exploit
  3. Exploits the MS IIS "Unicode Web Traversal" bug
  4. Uses the CodeRed II backdoor
  5. Uses network shares

However, Nimda's real-world impact has been limited:

  • Network shares opened to guest with Administrator rights
  • Collateral: localized bandwidth DoS
  • No net-wide effect visible on September 18th
  • Two days after start: +2% unavailability (content error in web page), -20% web speed


Critical infrastructure attacks: over-hyped

Industrial supply chains, power, telcos, ATC... are vulnerable, BUT:

  • Hackers have not shown the intent
  • Terrorists lack the capability

US Computer Network Defense (non-DoD)

  • NIPC - National Infrastructure Protection Center
  • ISAC - Information Sharing and Analysis Center: private, economic sector

Update (3/3/03): now everything is under the umbrella of the Department of Homeland Security's Information Analysis and Infrastructure Protection (IAIP) Directorate.

Much remains to be done at the international level.

II. Managing the risk within the institution

Evaluating the cost of an incident

Tangibles

  • Lost business due to resource unavailability
  • Productivity loss for all staff while systems degraded
  • IT staff labor and material to plug the leak
  • IT & legal staff: forensic analysis & prosecution
  • Public relations consulting & answering consumers
  • Increases in insurance premiums
  • Liability suits

Intangibles

  • Customers’ loss of trust in the organization
  • Failure to win new accounts due to bad press
  • Competitor’s access to confidential or proprietary info


What is the order of magnitude of the cost of an incident?

In a 1998 incident, the shutdown of the main data center for a day at a PC wholesaler (Ingram Micro) resulted in lost sales and repairs estimated at $3.2 million.

Here is another scenario, involving Code Red on 50 servers of a mobile phone corporation with 16,000 people and 500 Internet-facing devices:

  • 120 hours of sysadmin time = $4,179
  • 2 weeks of marketing and communication, business development, customer service = $8,000
  • Travel expenses = $20,000
  • 40 annual subscribers lost = $24,000
  • External security audit with penetration testing = $50,000
  • 5% business loss for two weeks = $200,000


Information security from a business perspective

Expected risk = probability x cost of incident

No budget can remove all risk.

Security measures cost money. Incidents cost money.

Balanced choices require knowledge. Visit the SANS Institute information security reading room (http://rr.sans.org/index.php) for more.

Addressing risk

  • Risk too high and no good countermeasures -> eliminate the asset
  • If possible, mitigate the risk
  • Accept the risk as a normal business cost
  • Transfer the risk by insuring the asset


Hacker insurance

New industry: Lloyd's started in 2000

Partnership between insurance and security companies

Pricing: a corporation with revenue < 1 G$ can expect to pay a 25-125 K$ premium for 25 M$ of coverage.
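The following Python script is an added example, not part of the lecture notes: it prices one incident from the tangible cost lines of the Code Red scenario above, applies the rule "expected risk = probability x cost of incident", and then compares the four ways of addressing a risk (eliminate, mitigate, accept, transfer) on an expected yearly outlay basis. The 25 K$ premium and 25 M$ coverage are the low end of the range quoted above; the incident probabilities, the cost of the mitigation programme, the forgone value of the eliminated asset and the insurance deductible are constructed assumptions.

```python
# Added example (not part of the lecture notes): costing an incident from its
# tangible items, applying "expected risk = probability x cost of incident",
# and comparing the four ways of addressing a risk (eliminate, mitigate,
# accept, transfer) on the Code Red scenario quoted in the notes.
from dataclasses import dataclass

# Tangible cost lines of the notes' Code Red scenario (50 servers at a mobile
# phone corporation).  Intangibles (loss of trust, bad press) are not priced.
CODE_RED_SCENARIO = {
    "120 hours of sysadmin time": 4_179,
    "2 weeks of marketing, business development, customer service": 8_000,
    "Travel expenses": 20_000,
    "40 annual subscribers lost": 24_000,
    "External security audit with penetration testing": 50_000,
    "5% business loss for two weeks": 200_000,
}


def incident_cost(items: dict) -> float:
    """Cost of one incident: the sum of its tangible cost lines."""
    return float(sum(items.values()))


def expected_risk(probability: float, cost: float) -> float:
    """Expected risk over a period = probability of the incident x its cost."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    return probability * cost


@dataclass(frozen=True)
class Option:
    """One way of addressing a risk.  All figures are yearly; all are assumed."""
    name: str
    measure_cost: float          # what the measure itself costs per year
    residual_probability: float  # yearly incident probability with the measure in place
    premium: float = 0.0         # insurance premium (transfer only)
    coverage: float = 0.0        # insurer pays up to this amount per incident
    deductible: float = 0.0      # part of each loss the insured keeps (assumed)


def uncovered_loss(option: Option, cost: float) -> float:
    """Share of one incident's cost that the organisation still pays itself."""
    paid_by_insurer = max(0.0, min(cost, option.coverage) - option.deductible)
    return cost - paid_by_insurer


def expected_total(option: Option, cost: float) -> float:
    """Expected yearly outlay: measure + premium + residual expected risk."""
    return (option.measure_cost + option.premium
            + expected_risk(option.residual_probability, uncovered_loss(option, cost)))


def cheapest(options, cost: float) -> Option:
    """The option with the lowest expected yearly outlay for this incident cost."""
    return min(options, key=lambda o: expected_total(o, cost))


# Constructed figures for the four options.  Premium and coverage are the low
# end of the range quoted in the notes; every other number is an assumption.
OPTIONS = (
    Option("eliminate", measure_cost=150_000, residual_probability=0.0),   # forgone value of the asset
    Option("mitigate", measure_cost=40_000, residual_probability=0.03),    # patching + monitoring programme
    Option("accept", measure_cost=0.0, residual_probability=0.30),
    Option("transfer", measure_cost=0.0, residual_probability=0.30,
           premium=25_000, coverage=25_000_000, deductible=100_000),
)

if __name__ == "__main__":
    cost = incident_cost(CODE_RED_SCENARIO)
    print(f"cost of one incident: ${cost:,.0f}")
    print(f"expected risk at p = 0.30 per year: ${expected_risk(0.30, cost):,.0f}")
    for option in sorted(OPTIONS, key=lambda o: expected_total(o, cost)):
        print(f"{option.name:>9}: expected yearly outlay ${expected_total(option, cost):,.0f}")
    print("cheapest:", cheapest(OPTIONS, cost).name)
```

Two things the numbers make visible: the tangible lines alone come to $306,179, of which two thirds is the business loss rather than the IT labour, and even the cheapest option leaves a residual expected risk, which is the "no budget can remove all risk" point. Change the assumed probabilities or the deductible and the ranking of mitigate versus transfer moves, which is why the decision needs the organisation's own figures rather than a vendor's.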

III. Surveys on national cyber security

Security is a Public Good

There is a motive for public intervention in providing security because:

  • Everybody benefits uniformly from threat reduction
  • Ex-post public prosecution is the ultimate security barrier

But many problems remain: it is an international network, with fast technical change, increasing system complexity, and no vendor liability.

There is media hype...

Michael Erbschloe (Computer Economics) says:

Year   Code name      Worldwide impact (USD)
2001   Nimda          635 M$
2001   Code Red(s)    2.62 G$
2001   SirCam         1.15 G$
2000   ILOVEYOU       8.75 G$
1999   Melissa        1.10 G$
1999   Explorer       1.02 G$

About these numbers, Rob Rosenberger (vMyths, http://www.vmyths.com/) says: "No one else will prostitute the dollar figures reporters and antivirus vendors so desperately crave"

... and there are serious security surveys

Such as:

  • The Computer Security Institute, home of the CSI/FBI survey
  • The UK Communications and Information Industries Directorate security survey, available for download at http://www.dti.gov.uk/industries/information_security/

Of course these exercises do acknowledge the usual sources of measurement error:

  • Sampling bias: who did you ask?
  • Self-selection bias: who replied?
  • Cognitive bias: replies are best estimates, from memory
  • Others: questionnaire language, presentation


Conclusions

Insecurity costs are significant and not yet measurable at the national scale, but you should be able to evaluate some tangible and intangible costs of incidents. The take-home message is at the institutional level:

Expected risk = probability x cost of incident


See online: Ross Anderson's page is a good starting point.