Team 1 Sec4

From CyberSecurity
Revision as of 04:55, 23 October 2005 by Hema

  Feasibility and cost of defending against such attacks. 
  For each class of target (home, corporate, financial), teams should 
     1) identify existing financial and non-financial incentives for 
        installing defenses, 
     2) evaluate the adequacy of these incentives, 
     3) discuss whether additional protection would be cost-effective, 
     4) identify the lowest cost provider for upgrading protection 
        (e.g., Microsoft, Norton, AOL, Corporate IT networks, 
        computer owners), and 
     5) list and evaluate possible policy levers for government 
        intervention (e.g., tax incentives, legal liability, insurance).

--Hema 08:48, 21 October 2005 (PDT)

Buffer overflow attacks can use the vulnerability in IIS to gain control of a target machine. Once in control, it can set the computer to scan for other computers with the same vulnerability and infect them. It can flood corporates, homes or financials with false data or make them inaccessible on prearranged dates. Because it can scan for vulnerable computers all across the Internet, it can have a huge impact. It can be even more dangerous because it can create a back door into the computer, allowing unauthorized parties to control an infected computer. The back door can go unnoticed by the user for long periods of time. However, infected computers broadcast the fact that they have been backdoored by scanning for additional vulnerable computers. Individuals capable of receiving and identifying scans could use that information to break into the infected computers that had scanned them. Malicious users who prepare to identify scans would receive lists of computers that could be taken over with trivial effort. And so infected computers could then be used to facilitate further attacks on still other computers. Such programs will greatly damage the state of Internet security for some time to come, causing huge losses.
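The paragraph notes that an infected machine gives itself away by scanning for further victims. The following added example (not part of the wiki page or of any product it names; the log line format, addresses and thresholds are constructed for illustration) shows the defender's side of that observation: it reads firewall log lines and flags any source that contacts many distinct destinations on a single port within a short window, which is the signature of such worm scanning rather than of normal browsing.

```python
"""Flag hosts whose traffic looks like single-service scanning.

Added example: the log format below is a constructed, hypothetical one
("<ISO timestamp> src=<ip> dst=<ip> dport=<port> action=<accept|deny>"),
not the output of any real firewall."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

# Constructed sample log. 10.0.0.5 sweeps six hosts on port 80 in six
# seconds (scanner). 10.0.0.3 hits one web server repeatedly (normal).
# 10.0.0.9 touches three hosts (below threshold). 10.0.0.8 sweeps six hosts
# but three minutes apart, so a 60-second window does not catch it.
SAMPLE_LOG = """\
2005-10-21T08:48:01 src=10.0.0.5 dst=192.0.2.10 dport=80 action=deny
2005-10-21T08:48:02 src=10.0.0.5 dst=192.0.2.11 dport=80 action=deny
2005-10-21T08:48:03 src=10.0.0.5 dst=192.0.2.12 dport=80 action=deny
2005-10-21T08:48:04 src=10.0.0.5 dst=192.0.2.13 dport=80 action=deny
2005-10-21T08:48:05 src=10.0.0.5 dst=192.0.2.14 dport=80 action=accept
2005-10-21T08:48:06 src=10.0.0.5 dst=192.0.2.15 dport=80 action=deny
2005-10-21T08:48:10 src=10.0.0.3 dst=192.0.2.10 dport=80 action=accept
2005-10-21T08:48:11 src=10.0.0.3 dst=192.0.2.10 dport=80 action=accept
2005-10-21T08:48:12 src=10.0.0.3 dst=192.0.2.10 dport=80 action=accept
2005-10-21T08:48:13 src=10.0.0.3 dst=192.0.2.10 dport=80 action=accept
2005-10-21T08:48:14 src=10.0.0.3 dst=192.0.2.10 dport=80 action=accept
2005-10-21T08:48:15 src=10.0.0.3 dst=192.0.2.10 dport=80 action=accept
2005-10-21T08:49:00 src=10.0.0.9 dst=192.0.2.20 dport=80 action=accept
2005-10-21T08:49:10 src=10.0.0.9 dst=192.0.2.21 dport=80 action=accept
2005-10-21T08:49:20 src=10.0.0.9 dst=192.0.2.22 dport=80 action=accept
this line is malformed and must be skipped by the parser
2005-10-21T08:50:00 src=10.0.0.8 dst=192.0.2.30 dport=80 action=deny
2005-10-21T08:53:00 src=10.0.0.8 dst=192.0.2.31 dport=80 action=deny
2005-10-21T08:56:00 src=10.0.0.8 dst=192.0.2.32 dport=80 action=deny
2005-10-21T08:59:00 src=10.0.0.8 dst=192.0.2.33 dport=80 action=deny
2005-10-21T09:02:00 src=10.0.0.8 dst=192.0.2.34 dport=80 action=deny
2005-10-21T09:05:00 src=10.0.0.8 dst=192.0.2.35 dport=80 action=deny
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def detect_scanners(log_text, threshold=5, window_seconds=60):
    """Return {(src, dport): peak} for every (source, port) pair that reached
    at least `threshold` distinct destinations inside any `window_seconds`
    span; `peak` is the largest distinct-destination count observed."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)  # (src, dport) -> [(ts, dst), ...]
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # malformed lines are ignored, not fatal
        events[(ev["src"], ev["dport"])].append((ev["ts"], ev["dst"]))

    flagged = {}
    for key, evs in events.items():
        evs.sort()  # time order so the sliding window below is valid
        best, start = 0, 0
        for end in range(len(evs)):
            # advance the window start until it spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in evs[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            flagged[key] = best
    return flagged


if __name__ == "__main__":
    for (src, port), peak in sorted(detect_scanners(SAMPLE_LOG).items()):
        print(f"possible scanner {src} -> port {port}: {peak} hosts in 60s")
```

Repeated connections to one server never raise the distinct-destination count, so busy but legitimate hosts are not flagged; the threshold and window are the knobs a defender tunes against their own baseline, and a slow sweep like 10.0.0.8's only shows up when the window is widened.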

--Hema 08:55, 22 October 2005 (PDT)

Home

Identify existing financial and non-financial incentives for installing defenses.

Financial Incentives

The incentives are roughly numbered based on their importance, (1) being the highest.


1. To prevent exposure of sensitive or personal information/identity theft – Unauthorized people may be able to access your financial or medical data, personal documents or other personal information. The availability of this information may increase your risk of identity theft.

2. To prevent cost to replace or repair – Sometimes attacks can totally destroy their machine making it unusable. They would have to get it replaced or spend money to get it repaired.

3. To prevent financial losses when their home-based business is crippled. Most home-based business owners also use their personal computer for storing information required for their business.

4. To Prevent Loss of Communication – they would not be able to do their day to day operations on the computer or internet. This would result in delays in bill payments etc therefore resulting in fines.

Home: Non-Financial Incentives:

1. To prevent denial of service – Such attacks can cause a significant amount of traffic over the network and rely on certain processes on your computer. This activity may reduce the availability of certain programs on your computer or may limit your access to the internet. What would normally take a couple of minutes to do will now take 10 minutes or more for them to finish.

2. To prevent loss of communication – they would be cut off from communicating with their friends or family.

3. To prevent the hassle of getting their computer fixed and the inconvenience.

4. To prevent loss of credibility – if the user unknowingly infects other friends then they will be wary of trusting e-mails from the user in future, resulting in loss of credibility.

5. To prevent frustration in being unable to complete their work.

6. To prevent unnecessary spamming. This might also make parents restrict their children from accessing the computer.

Adequacy of Incentives:

For home computer users I should say that the incentives are not adequate enough. For computer-educated users the above incentives are good enough to protect their machines. The common users don't realize the magnitude of damage their negligence to protect their machine could cause them or others if their machines are used as part of a rogue network. Several seniors, for whom being able to use the computer is an achievement in itself, are not confident in ensuring that their computer is up to date with the patches and security updates. The home sector could benefit from enticing benefits from Government or Corporate which would at the very least motivate people to keep their machines up to date.

Will additional protection be cost-effective

There are several free security products and upgrades available in the market. Also, these days the Internet service providers bundle basic security services into their products. Most OSes come with security features such as a firewall. Of course, what you pay for is what you get. But even the products that you have to spend extra money on are a cheap price to pay for the benefits that come along. But there is the overhead of upgrading the products constantly. For home users it is more about awareness than about costs.

Lowest Cost Providers for Home:

There are several free options for protecting home computers: ZoneAlarm firewall, Ad Blocker (WebWasher Classic), Anti-Spyware (Spybot, Ad-aware), anti-virus (AVG Antivirus), E-mail Encryption (Pretty Good Privacy). Norton Security Suites is a good paid option which offers most of the above as a package.

Free Computer Security Check: Many computer security vendors offer free computer security checks for users to check for known viruses, spyware, and discover if their computer is vulnerable to cyber attacks.


--Hema 19:45, 21 October 2005 (PDT)

Corporate

Financial Incentives:

The financial incentives are roughly numbered based on their importance, (1) being the highest.

1. To retain Customers

2. To retain business partners

3. To prevent loss of brand name popularity/credibility

4. To prevent undue advantage to competitors during downtime

5. To prevent tampering of data

6. To Prevent Exposure of sensitive or personal information - unauthorized people or competitors may be able to access your financial data or sensitive corporate information.

7. To prevent stock market losses

8. To avoid losses incurred due to data lost beyond replacement

9. To avoid dealing with lawsuits on compromise of customers' and partners' information

10. To prevent Denial of service within corporate networks – Such attacks can cause a significant amount of traffic over the corporate network. This activity may reduce the availability of certain programs on your computer or may limit your access to the internet.

11. To prevent Denial of service of Company websites – DOS attacks of Company websites can result in loss of business especially if the companies are web based.

12. To avoid losses incurred to repair

13. To prevent loss of employees' productivity


Non-Financial Incentives:

All incentives for corporates are directly or indirectly financial incentives.


Adequacy of the incentives

The motivations for a truly secure IT infrastructure and Internet go beyond just maintaining trust and systems integrity. Security, from the technology provider's perspective, is becoming more of a contra expense than a revenue opportunity. Security is a way for companies to save money by lowering operating costs – every time corporates such as Microsoft release security patches it costs a lot of money. Security is necessary to maintain a company's franchise – for Microsoft, which has witnessed more than 80 million Firefox downloads and the emergence of countless papers arguing that open source is more secure than Windows, security isn't going to be a way to make more money; instead, it will be a way to protect the company's core franchise. Companies these days see security as a way to better their current offerings and enhance their core offerings. Internet service providers these days offer their users basic security bundled. By doing that they benefit from lower support call costs, and keeping unwanted or malicious traffic off their networks saves them money by keeping bandwidth available for legitimate use. Happier customers should lead to at least reduced churn if not increases in subscriptions. For web-based businesses, competition is so fierce that they need to keep offering something better to the customers. Customers are clever enough to choose web sites which are known for their security. Big corporates such as Walmart which are very dependent on computers will also force IT infrastructure providers to give secure products. So for corporates all the incentives above are more than adequate for them to invest in security if they want to continue running their business.

Will the additional protection be cost-effective

The cost effectiveness for corporates depends hugely on how big or small the firm is. Few firms seem willing to incur the additional costs. For users, these costs include fewer features, inconvenience and increased purchase price. For software producers, adding security means higher development costs and delayed time to market. For huge firms such as Walmart or Microsoft being secure is the way to survive in the market, and so for them any additional protection is cost effective. The losses due to negligence are fatal for their business. Whereas for smaller businesses it is not cost-effective. The software department of such firms is a small/minor/non-profitable component of the firm. The cost of maintaining a software department with the overhead of regular maintenance and upgrades is not something that they would be willing to spend on unless something drastic happens.

Lowest Cost Providers for Corporate:

Prices vary widely depending on the size and needs of businesses. The free app Spybot Search and Destroy is an excellent way to keep your desktops free of spyware. Good antivirus apps (Norton, McAfee, e-trust) run about $40 per head, while Internet security suites cost about $70 per copy. Utility software (Norton GoBack 3.0) runs the gamut, but prices tend to hover in the $50 to $100 range per license.

Most antivirus apps now require annual subscription fees for updated antivirus signature files to block the newest threats. Suites such as Norton Internet Security also require annual subscriptions that include software updates. Subscriptions run from $20 to $40 per year. Live technical-support fees for security software can also be very expensive. Symantec, McAfee, and ZoneAlarm each charge $2.95 a minute.

Policy Levers for Home and Corporates:

1) Give tax breaks to companies that develop or use security technologies. To be useful, it would have to lead to lower prices for the right kinds of security products, or better performance at the same price.

2) Give tax breaks to people and organizations that use networked computers in a properly secure way or to obtain cyber-security insurance. In practice, of course, we can’t afford to do a security evaluation on each taxpayer to see whether he deserves a tax break, so we would instead give the break to those who meet some formalized criteria that serve as a proxy for good security. Designing these criteria so that they correlate well with the right kind of security, and so that they can’t be gamed, is the toughest part of designing the program.

3) Government could invest in basic research in cybersecurity. This would result in more capable security products in the long run.

4) Increase the exposure of software and system vendors and system operators to liability for system breaches and mandated reporting of security breaches that could threaten critical societal functions. This might indirectly lead to more cyber crimes with perpetrators targeting companies for easy money.

5) Shifting liability to another party that has the capability to prevent computer security breaches or mitigate the harm caused. This strategy places liability on actors with indirect control over Internet security; computer owners can secure their computers. But then the strategy would assign liability to computer owners whose negligently insecure property serves as an attractive intermediary for computer criminals.

6) Another proposal is to place liability on Internet service providers that permit their users to attack computer security elsewhere. The efficiency of forcing Internet service providers to exercise control over their users is questionable; it would likely be extremely costly and intrude on the privacy of internet users.

7) Mandatory disclosure law requiring companies holding computerized personal information of users to take steps either to encrypt this personal information. Non-compliant companies should be subject to civil suits, including class actions, for damages.

8) Stricter punishment for perpetrators of computer crime. Unfortunately they are not only difficult to identify; they are difficult to apprehend and prosecute or sue.

9) Requiring distribution of computer software and hardware with the most secure default settings activated. Several companies already do that. But for non-savvy users it will be difficult to customize their machines according to their requirements.

10) Mandatory Basic Computer Security course educating users on the vulnerability and various available options of protecting themselves for all fields of study.


--Hema 09:24, 22 October 2005 (PDT)

Financial

Current protection incentives

While many of the existing incentives to provide defenses for home and corporate systems also apply to financial systems, such as a trading system at an investment bank which is connected to a stock exchange, there are also unique or amplified incentives to protect these systems. The far greater financial liability from damages caused by an attack is a leading incentive for protecting these systems. The financial liability is composed not only of the trades lost due to an attack, but any fraudulent trades executed by the attacker and financial judgments brought under applicable laws, such as contract law.

Regulations by both government and stock exchanges, although not directly regulating defenses of systems, are also significant incentives to protect systems. An attack, attempted attack, or even a disclosed vulnerability exposes the financial firm to sanctions, and even expulsion, under the stock exchange's rules governing member company responsibilities and requirements in financial transactions. Similarly, government regulations such as the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act, which establish protection requirements for data, are indirectly incentives for upgraded defenses because failure to upgrade could be seen as failure to adequately protect the data.

Adequacy of incentives

Although these incentives appear significant, in reality they may not be as significant as they appear. This is because the damages from minor attacks can easily be absorbed by the financial corporation and the likelihood of major, or large scale, attacks is viewed as low enough that extra defenses are not required.

The damages from minor attacks can easily be absorbed by the corporation by write-offs, as is, for example, credit card fraud. The damages to the corporation are also limited by the difficulty of assigning cause to the corporation, since courts generally do not allow tort law actions to be brought when the damages are purely economic, and thus a customer harmed economically cannot take the corporation to court. Although contract law is one viable option, it does not apply to cases where no contract exists: for example, if an attack on company A opens the avenue for an attack (such as DDoS) on company B, company A would be protected from contract law liability, and thus may not consider it necessary to provide defenses, if it has no contract with company B.

The ability to absorb minor damages and the unlikely occurrence of major attacks results in more reactive than proactive protection upgrades. For the incentives to be adequate, they should result in corporations looking out to new threats and protections rather than reactively patching/upgrading the system since at that point their system could have been compromised.

Cost efficiency of additional protection

There are at least two ways to look at cost efficiency of additional protection: 1) the cost efficiency of designing and implementing new defenses compared to the number of attacks prevented, and 2) the cost of acquiring these defenses by a corporation compared with the amount of direct damages prevented and legal and financial liability exposure reduced. We’ll concentrate on the latter as it is the most applicable to a financial corporation.

Although traditionally cost effectiveness has been determined by comparing the cost of protection to the level of potential damage multiplied by the likelihood of an attack, this comparison breaks down at the level of a stock market trading system, where a single attack, however unlikely, can cause immeasurable damage not only to the financial corporation attacked but to the stock market and the economy in general, as these systems are a critical part of the national infrastructure. This leads us to conclude that protection against nearly any attack with a likelihood above zero that has the potential of exposing the financial system to a wide breach (such as gaining complete access to the system) should be considered cost efficient. The traditional analysis can be used when an attack can be shown to not be sustainable, for example a distributed denial of service attack, if the attack can be terminated in a reasonable amount of time through cooperation with other companies and agencies.

Lowest cost provider for protection

Financial systems are by their very nature vast and widely connected. Such an environment contains many points of vulnerability and thus it is impossible, or very near impossible, to determine a single lowest cost provider for upgraded defenses for the system. The lowest cost would be provided by all parties working together to provide the necessary multiple layers of protection. Each provider can address their areas of the system in the most efficient manner.

The difficulty of using a single provider of upgraded defenses is that in a large system a single component cannot guarantee full protection for the entire system. Although all communications can be strongly encrypted, that does not provide any protection from an attacker attacking a router to which the computers are connected; such an attack could at minimum result in denial of service at critical time periods, thus exposing the financial institution to liability.

Policy levers

Several policy levers are available to the government that would provide additional incentives for financial corporations to upgrade IT protection and to do so proactively. Such levers are: mandatory cyber attack insurance; disclosure requirements for both current levels of protection and of any successful attacks; tort law reform allowing for financial corporations to be held accountable for economical damages caused by attacks; establishment of industry wide regularly updated minimum standards for cyber protection.

Mandatory cyber attack insurance would be a strong financial incentive to upgrade and maintain protections because insurance would not be available at reasonable prices, if at all, for corporations that do not have top notch protection in place. Requiring corporations to disclose summary information on protections employed allows the public to make better decisions regarding the safety of the corporation’s systems. Along with mandatory disclosure of all penetrations the summary information would result in public pressure to maintain protections similar to the effects of California’s mandatory disclosure when private information is exposed.

Tort law currently does not generally apply to economic damages and thus is generally not applicable to cyber attacks on financial corporations. Changing the law in this respect and also making cyber protection a legal obligation for companies would increase the financial incentives to avoid court actions by maintaining proper protection. Establishment of industry wide regularly updated standards has a similar effect in that a corporation that does not meet these standards exposes itself to claims of negligence.

Many of these incentives reinforce each other. Exposing a corporation to legal action as a result of attacks will likely increase the pressure from insurance providers for greater levels of protection in order to keep premiums reasonable, due to the greater risk of claims with increased legal liability.