Team 1 Sec4

From CyberSecurity
  Feasibility and cost of defending against such attacks. 
  For each class of target (home, corporate, financial), teams should 
     1) identify existing financial and non-financial incentives for 
        installing defenses, 
     2) evaluate the adequacy of these incentives, 
     3) discuss whether additional protection would be cost-effective, 
     4) identify the lowest cost provider for upgrading protection 
        (e.g., Microsoft, Norton, AOL, Corporate IT networks, 
        computer owners), and 
     5) list and evaluate possible policy levers for government 
        intervention (e.g., tax incentives, legal liability, insurance).
  back to Team_1_Main

--Hema 08:48, 21 October 2005 (PDT)

Buffer overflow attacks can use the vulnerability in IIS to gain control of a target machine. Once in control, it can set the computer to scan for other computers with the same vulnerability and infect them. It can flood corporate, home or financial systems with false data or make them inaccessible on prearranged dates. Because it can scan for vulnerable computers all across the Internet, it can have a huge impact. It can be even more dangerous because it can create a back door into the computer, allowing unauthorized parties to control an infected computer. The back door can go unnoticed by the user for long periods of time. However, infected computers broadcast the fact that they have been backdoored by scanning for additional vulnerable computers. Individuals capable of receiving and identifying scans could use that information to break into the infected computers that had scanned them. Malicious users who prepare to identify scans would receive lists of computers that could be taken over with trivial effort. And so infected computers could then be used to facilitate further attacks on still other computers. Such programs will greatly damage the state of Internet security for some time to come, causing huge losses.

--Hema 08:55, 22 October 2005 (PDT)

Home

Identify existing financial and non-financial incentives for installing defenses

Financial Incentives

The incentives are roughly numbered based on their importance - (1) being the highest.


1. To prevent exposure of sensitive or personal information/identity theft - Unauthorized people may be able to access your financial or medical data, personal documents or other personal information. The availability of this information may increase your risk of identity theft.

2. To prevent the cost to replace or repair – Sometimes attacks can totally destroy the machine, making it unusable. The owners would have to get it replaced or spend money to get it repaired.

3. To prevent financial losses when a home-based business is crippled. Most home-based business owners also use their personal computer for storing information required for their business.

4. To prevent loss of communication – they would not be able to do their day-to-day operations on the computer or Internet. This would result in delays in bill payments, etc., therefore resulting in fines.

Non-Financial Incentives

1. To prevent denial of service – Such attacks can cause a significant amount of traffic over the network and rely on certain processes on your computer. This activity may reduce the availability of certain programs on your computer or may limit your access to the Internet. What would normally take a couple of minutes to do will now take 10 minutes or more to finish.

2. To prevent loss of communication – they would be cut off from communicating with their friends or family.

3. To prevent the hassle of getting their computer fixed and the inconvenience.

4. To prevent loss of credibility – if the user unknowingly infects other friends, then they will be wary of trusting e-mails from the user in future, resulting in loss of credibility.

5. To prevent frustration in being unable to complete their work.

6. To prevent unnecessary spamming. This might also make parents restrict their children from accessing the computer.

Adequacy of Incentives

For home computer users I should say that the incentives are not adequate enough. For computer-educated users the above incentives are good enough to protect their machines. Common users don't realize the magnitude of damage their negligence to protect their machine could cause to them or to others if their machine is used as part of a rogue network. Several seniors, for whom being able to use the computer is an achievement in itself, are not confident in ensuring that their computer is up to date with patches and security updates. The home sector could benefit from enticing benefits from government or corporations, which would at the very least motivate people to keep their machines up to date.

Will additional protection be cost-effective

There are several free security products and upgrades that are available in the market. Also, these days Internet service providers bundle basic security services into their products. Most operating systems come with security features such as a firewall. Of course, what you pay for is what you get. But even the products that you have to spend extra money on are a cheap price to pay for the benefits that come along. There is, however, the overhead of upgrading the products constantly. For home users it is more about awareness than about costs.

Lowest Cost Providers

There are several free options for protecting home computers: ZoneAlarm firewall, ad blocker (WebWasher Classic), anti-spyware (Spybot, Ad-aware), anti-virus (AVG Antivirus), e-mail encryption (Pretty Good Privacy). Norton Security Suites is a good paid option which offers most of the above as a package.

Free Computer Security Check: Many computer security vendors offer free computer security checks for users to check for known viruses, spyware, and discover if their computer is vulnerable to cyber attacks.

--Hema 19:45, 21 October 2005 (PDT)

Corporate

Financial Incentives

The financial incentives are roughly numbered based on their importance - (1) being the highest.

1. To retain Customers

2. To retain business partners

3. To prevent loss of brand name popularity/credibility

4. To prevent undue advantage to competitors during downtime

5. To prevent tampering with data

6. To prevent exposure of sensitive or personal information - unauthorized people or competitors may be able to access your financial data or sensitive corporate information.

7. To prevent stock market losses

8. To avoid losses incurred due to data lost beyond replacement

9. To avoid dealing with lawsuits over the compromise of customers' and partners' information

10. To prevent denial of service within corporate networks – Such attacks can cause a significant amount of traffic over the corporate network. This activity may reduce the availability of certain programs on your computer or may limit your access to the Internet.

11. To prevent denial of service of company websites – DoS attacks on company websites can result in loss of business, especially if the companies are web-based.

12. To avoid losses incurred to repair

13. To prevent loss of employee productivity

Non-Financial Incentives

All incentives for corporations are directly or indirectly financial incentives.

Adequacy of Incentives

The motivations for a truly secure IT infrastructure and Internet go beyond just maintaining trust and systems integrity. Security, from the technology provider’s perspective, is becoming more of a contra expense than a revenue opportunity. Security is a way for companies to save money by lowering operating costs – every time corporations such as Microsoft release security patches, it costs a lot of money. Security is necessary to maintain a company's franchise - for Microsoft, which has witnessed more than 80 million Firefox downloads and the emergence of countless papers arguing that open source is more secure than Windows, security isn’t going to be a way to make more money; instead, it will be a way to protect the company’s core franchise. Companies these days see security as a way to better their current offerings and enhance their core offerings. Internet service providers these days offer their users basic security bundled in. By doing that they benefit from lower support call costs, and keeping unwanted or malicious traffic off their networks saves them money by keeping bandwidth available for legitimate use. Happier customers should lead to at least reduced churn, if not increases in subscriptions. For web-based businesses, competition is so fierce that they need to keep offering something better to the customers. Customers are clever enough to choose web sites which are known for being secure. Big corporations such as Walmart, which are very dependent on computers, will also force IT infrastructure providers to give them secure products. So for corporations all the incentives above are more than adequate for them to invest in security if they want to continue running their business.

Will additional protection be cost-effective

The cost effectiveness for corporations depends hugely on how big or small the firm is. Few firms seem willing to incur the additional costs. For users, these costs include fewer features, inconvenience and increased purchase price. For software producers, adding security means higher development costs and delayed time to market. For huge firms such as Walmart or Microsoft, being secure is the way to survive in the market, and so for them any additional protection is cost-effective. The losses due to negligence are fatal for their business. For smaller businesses, however, it is not cost-effective. The software department of such firms is a small/minor/non-profitable component of the firm. The costs of maintaining a software department with the overhead of regular maintenance and upgrades are not something that they would be willing to spend on unless something drastic happens.

Lowest Cost Providers

Prices vary widely depending on the size and needs of businesses. The free app Spybot Search and Destroy is an excellent way to keep your desktops free of spyware. Good antivirus apps (Norton, McAfee, eTrust) run about $40 per head, while Internet security suites cost about $70 per copy. Utility software (Norton GoBack 3.0) runs the gamut, but prices tend to hover in the $50 to $100 range per license.

Most antivirus apps now require annual subscription fees for updated antivirus signature files to block the newest threats. Suites such as Norton Internet Security also require annual subscriptions that include software updates. Subscriptions run from $20 to $40 per year. Live technical-support fees for security software can also be very expensive. Symantec, McAfee, and ZoneAlarm each charge $2.95 a minute.

--Hema 22:04, 22 October 2005 (PDT)

Policy Levers for Home and Corporations

1) Give tax breaks to companies that develop or use security technologies. To be useful, it would have to lead to lower prices for the right kinds of security products, or better performance at the same price.

2) Give tax breaks to people and organizations that use networked computers in a properly secure way or to obtain cyber-security insurance. In practice, of course, we can’t afford to do a security evaluation on each taxpayer to see whether he deserves a tax break, so we would instead give the break to those who meet some formalized criteria that serve as a proxy for good security. Designing these criteria so that they correlate well with the right kind of security, and so that they can’t be gamed, is the toughest part of designing the program.

3) Government could invest in basic research in cybersecurity. This would result in more capable security products in the long run.

4) Increase the exposure of software and system vendors and system operators to liability for system breaches and mandated reporting of security breaches that could threaten critical societal functions. This might indirectly lead to more cyber crimes with perpetrators targeting companies for easy money.

5) Shift liability to another party that has the capability to prevent computer security breaches or mitigate the harm caused. This strategy places liability on actors with indirect control over Internet security; computer owners can secure their computers. But then the strategy would assign liability to computer owners whose negligently insecure property serves as an attractive intermediary for computer criminals.

6) Another proposal is to place liability on Internet service providers that permit their users to attack computer security elsewhere. The efficiency of forcing Internet service providers to exercise control over their users is questionable; it would likely be extremely costly and intrude on the privacy of Internet users.

7) A mandatory disclosure law requiring companies holding computerized personal information of users to take steps to encrypt this personal information. Non-compliant companies should be subject to civil suits, including class actions, for damages.

8) Stricter punishment for perpetrators of computer crime. Unfortunately, they are not only difficult to identify; they are also difficult to apprehend and prosecute or sue.

9) Require distribution of computer software and hardware with the most secure default settings activated. Several companies already do that. But for non-savvy users it will be difficult to customize their machines according to their requirements.

10) A mandatory basic computer security course, for all fields of study, educating users on the vulnerabilities and the various available options for protecting themselves.

Financial

Current protection incentives

While many of the existing incentives to provide defenses for home and corporate systems also apply to financial systems, unique or amplified incentives also apply to them. A leading incentive is the far greater financial liability from damages caused by an attack, which are composed not only of the trades lost due to an attack, but any fraudulent trades executed by the attacker and financial judgments brought under applicable laws.

Both government and stock exchange regulation, although not directly aimed at protection levels, are also significant incentives. An attack, or even a disclosed vulnerability, exposes the financial firm to sanctions, and even expulsion, under the stock exchanges' rules governing responsibilities and requirements in financial transactions. Similarly, government regulations establishing protection requirements for data, such as the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act, are incentives for upgrading defenses.

Adequacy of incentives

In reality these incentives may not be as significant as they appear, because damages from minor attacks can easily be absorbed by the financial corporation. Additionally, the likelihood of large-scale attacks is low enough that extra defenses are not viewed as cost-effective. Corporations can easily absorb minor damages through write-offs or by passing the cost on to customers. Damages are also limited by the difficulty of assigning cause to the corporation; courts generally do not allow customers to bring tort law actions when the damages are purely economic. Although contract law is one viable option, it does not apply to cases where no contract exists.

The ability to absorb minor damages, combined with the unlikely occurrence of major attacks, results in more reactive than proactive upgrade behavior. For the incentives to be adequate, they should result in corporations looking at defenses for emerging threats a couple of years ahead.

Cost efficiency of additional protection

The cost efficiency of acquiring additional defenses is determined by comparing the cost of protection to the amount of direct damages prevented and the legal and financial liability exposure reduced. Traditionally, this has been determined by comparing the cost of protection to the level of potential damage multiplied by the likelihood of an attack. This comparison breaks down at the level of a stock market trading system. A single attack, however unlikely, can cause immeasurable damage not only to the financial corporation attacked but also to the stock market and the economy in general. This leads us to conclude that protection against nearly any full-breach attack whose likelihood is above zero should be considered cost efficient. The traditional analysis should be used for attacks that cannot cause fundamental damage – a denial of service attack will cripple the system for a given period but does not affect the system at its roots.

Lowest cost provider for protection

Financial systems are by their very nature vast and widely connected. Such an environment contains many points of vulnerability, making it very nearly impossible to determine a single lowest cost provider for upgraded defenses for the system. The lowest cost would come from all parties working together to provide the necessary multiple layers of protection. Each can address its areas of the system in the most efficient manner. The difficulty of using a single provider is that in a large system a single component cannot guarantee full protection for the entire system. Strong encryption can protect communications, but the encryption keys also need to be protected, and encryption cannot protect against router-based attacks.

Policy levers

Several policy levers are available to the government that would provide additional incentives for financial corporations to proactively upgrade IT protection. Mandatory cyber attack insurance would be a strong financial incentive for proactive protection, because insurance would not be available at reasonable prices, if at all, for corporations without top-notch protection in place. Public disclosure of protection activity and penetrations would result in public pressure to maintain protections. This is similar to California’s public disclosure requirements when private information is disclosed. Changing tort law to apply to cyber attacks, in addition to making cyber protection a legal obligation for companies, would increase the financial incentives to avoid court actions by maintaining proper protection. Establishment of regularly updated industry-wide standards has a similar effect; a corporation not meeting those standards exposes itself to claims of negligence.

These incentives reinforce each other. Exposing a corporation to legal action will likely increase the pressure from insurance providers for corporations to provide greater levels of protection in order to keep premiums reasonable, given the greater risk of claims.