Team 1 Sec3.2

From CyberSecurity
Revision as of 04:30, 23 October 2005 by Yi-Kai (talk | contribs) (Add to Section 3.2)


3.2. Feasibility of acquiring the required technical and financial resources

I'm still working on the details, but here is an outline. I know, it includes topics from the other sections, but when I write this up, I'm just going to focus on the technical requirements. Question: Any suggestions about the amount of effort needed for these attacks? I gave some estimates, but they're just random guesses. I'm going to look for case studies of past attacks. --Yi-Kai


In general, the technical requirements are significant, but the financial requirements are minimal. Note that computer security is a rapidly developing field, so attackers must work to "stay current": a software vulnerability typically remains usable for only 2-3 years before it is patched or superseded.


  • Low-end targets: PCs with well-known vulnerabilities and no defenses. These are very common, and will likely remain so (see Section 4). The usual approach is to spread a worm, or to assemble a botnet and use it to mount a distributed denial-of-service (DDoS) attack.

Technical requirements are minimal: the vulnerabilities are well-documented, and network scanners, exploit code and automated attack tools are freely available (some of these tools are dual-use, i.e. also used by defenders). Estimate: takes 5 moderately skilled programmers, a few weeks? Alternatively, a botnet can be bought for ? price.

Note that the emphasis here is on massively scalable attacks. A terrorist group may need to mount an exceptionally large attack in order to distinguish itself from common criminal activity, and that is much more technically challenging than a routine worm or botnet attack.

Examples: Code Red worm, DDoS attacks.


  • High-end targets: PCs that have been patched to fix known vulnerabilities, protected by network defenses. These are typical in high-value business/government applications. The attacker may seek to destroy data, disrupt operations, or gather intelligence.

Technical requirements are substantial: the attacker needs to find new vulnerabilities and develop new exploits; the attacks are more complicated, and one has to worry about detection. Some information is available from hackers, but each attack must be tailored to a specific target. Insider information is helpful. Could be done by a software engineer with experience in systems and network programming, but it takes a substantial investment of effort (5 people, a few months?).

Examples: return-to-libc attack, getting around intrusion detection systems.


  • Specialized targets: Uncommon, one-of-a-kind systems such as routers, mainframes, embedded control systems and SCADA. These may be found in critical infrastructure.

These can be very different from conventional PCs. There are few sources of information about these systems, so insider information is very helpful. An attack may require special compilers, SDKs, or hardware for testing; the availability of such special tools can help a lot. Developing an attack requires technical expertise, creativity and sustained effort (the amount is hard to predict?). However, many of these systems were not designed with security in mind, and a successful attack can have catastrophic consequences.

Examples: Cisco routers, sewage control system, electric grid.



Note that states such as the US and China are developing technologies for information warfare, so state sponsorship of an attack is a possibility.