Cyber-security's dirty little secret: It's not as bad as you think

Saturday 18th July 2015 14:41 GMT Ole Juul

It's not a dirty secret

It's a dubious assumption based on dirty logic.

8 0 Reply
1. Saturday 18th July 2015 15:21 GMT asdf
  
  Re: It's not a dirty secret
  
  Yep funny how volume goes down when things start becoming more targeted. 1000 DDOS attacks against government web sites doesn't come close to the damage caused by a handful of attacks gaining security clearance application data.
  
  3 0 Reply
Saturday 18th July 2015 15:47 GMT Doctor Syntax

If I follow this correctly (and it's possible I didn't because my eyes glazed over almost immediately) he's saying that if, for instance, the number of zero day vulnerabilities in a piece of software increases by 10% but the number of users doubles then on the whole things have got safer. He normalises the defects as being per user so instead of saying faults are now 110% of what they were they're actually 55% because you have to divide the number of faults by the increased number of users. Hmm. But if each of those users have copies of the same software the faults out there are now 220% of what they were - twice the number of users with S/W with 110% of the faults.

9 0 Reply
1. Saturday 18th July 2015 16:16 GMT Anonymous Coward
  
  calling all Mathematicians
  
  Can someone explain how 10 out of 1000 is equal to 100 out of 10,000,000.
  
  I'd like to know before I continue reading the article.
  
  2 2 Reply
  1. Saturday 18th July 2015 19:59 GMT David Pollard
    
    Re: calling all Mathematicians
    
    "... explain how 10 out of 1000 is equal to 100 out of 10,000,000."
    
    You need to compare blogs.
    
    1 0 Reply
  2. Saturday 18th July 2015 23:11 GMT Tony Haines
    
    Re: calling all Mathematicians
    
    It isn't.
    
    I think you're referring to this:
    
    "while 10 homicides in a small town of 1,000 is terrifying, 100 in a city of 10 million would be considered low. The second is still 10 times the first."
    
    It might have been altered since your comment, I suppose.
    
    0 0 Reply
Saturday 18th July 2015 16:24 GMT Ken Moorhouse

Compare...

Consider a zero day vulnerability afflicting 1 million websites that have small traffic

Now compare that with a zero day vulnerability that has found itself onto a site such as google.

The number of websites does not matter, it is the number of distinct visitors to those websites which is of importance.

5 0 Reply
Saturday 18th July 2015 17:13 GMT K

Logic is flawed

Rather than number of zero day vulnerabilities, it should be based on number of sites and applications affected by those vulnerabilities. That will give a clearer picture of the potential damage!

4 0 Reply
1. Saturday 18th July 2015 21:57 GMT ecofeco
  
  Re: Logic is flawed
  
  ...and people.
  
  I can think of several 100 million who have been affected in the last couple of years and 22 million just recently.
  
  Not to mention ransomware is still very popular. Got an outbreak going around right now.
  
  1 0 Reply
Saturday 18th July 2015 17:15 GMT Will Godfrey

Tricky stuff

Statistics.

3 0 Reply
1. Saturday 18th July 2015 17:48 GMT Mark 85
  
  Re: Tricky stuff
  
  Indeed, it is tricky. The paper's author seems to be juggling things to produce a pre-determined result, in my opinion. He's doing number juggling and not real world metrics to produce a warm, fuzzy result of "we're all safer now".
  
  6 0 Reply
  1. Sunday 19th July 2015 00:45 GMT Anonymous Coward
    
    Re: Tricky stuff
    
    "juggling things to produce a pre-determined result, in my opinion. He's doing number juggling and not real world metrics to produce a warm, fuzzy result of "we're all safer now".
    
    And why might that be?
    
    0 0 Reply
    1. Sunday 19th July 2015 13:34 GMT Doctor Syntax
      
      Re: Tricky stuff
      
      "And why might that be?"
      
      Maybe that's what he's paid to do.
      
      1 0 Reply
Saturday 18th July 2015 18:00 GMT Barbarian At the Gates

Correlation, causation, and conclusions

While it isn't a bad thing, in and of itself, to attempt to collect data, and make sense of it, there's bit of a problem with collecting data, finding that it is inadequate to draw conclusions from, and then...draw conclusions from it.

Botnets are decreasing in abolute terms? Interesting. Botnets decreasing in relationship to aggregating personal computers numbers with devices/platforms that may, or may not have relevance to botnets? What does that mean? Anything?

The zero day conclusions: I don't have complete data, yeah, there's a bunch of scary zero day things, and I don't have any way to figure out how "dangerous" they are or how exposed people are to them, but hey, if I increase the pool of potentially impacted people, the ratio goes down. Yay, we're safer?

If we add in the human population to the bird population, and then calculate the ratio of creatures dying from avian flu on an annual basis...are humans getting safer? Or is the question so unrelated to the available data that attempting to answer the question with the data silly?

4 0 Reply
1. Sunday 19th July 2015 14:30 GMT Ben Tasker
  
  Re: Correlation, causation, and conclusions
  
  Botnets are decreasing in abolute terms? Interesting. Botnets decreasing in relationship to aggregating personal computers numbers with devices/platforms that may, or may not have relevance to botnets? What does that mean? Anything?
  
  It also appears to ignore the fact that higher value targets are seemingly being preferred when building/adding to a botnet.
  
  Commandeering a few crappy PCs on crappy DSL connections vs commandeering a single server on a high-quality 10/100/1000 connection..... statistically, the botnet is smaller if you do the latter, but it's also far more capable for certain tasks.
  
  0 0 Reply
Saturday 18th July 2015 18:18 GMT VeganVegan

Good one.

The OPM hack potentially affected 1 in 15 U.S. residents. The Target attack potentially affected 40 million. At this rate, almost everyone in the U.S. will have been potentially attacked (to say nothing of the letter agencies' spying), at which point we might as well call it a day and stop worrying about malware at all, because they would be the normalized norm by then.

7 0 Reply
1. Saturday 18th July 2015 21:59 GMT ecofeco
  
  Re: Good one.
  
  Ah, I see someone else sees the flaw in his thinking.
  
  Exactly veganvegan.
  
  0 0 Reply
Saturday 18th July 2015 20:35 GMT jonathanb

Not a fair comparison

One homicide has exactly one victim plus family friends etc who are impacted by it. One botnet or one security vulnerability can have many victims, and the potential number of victims per incident grows with the population.

3 0 Reply
Saturday 18th July 2015 22:50 GMT Anonymous Coward

More noobs with more devices, VPSes, and wordpress sites, with more plugins and cloud services ... does not dilute the level of vulnerability.

1 0 Reply
Monday 20th July 2015 02:50 GMT veti

I've often thought that all the usual suspects we see talking about security - are people who have a vested interest in talking up the danger. I've often wanted to see some counterpoint to the general wails of buy-me-buy-me-now alarmism.

But this? This is very disappointing material. Can't we do better?

0 0 Reply
1. Tuesday 21st July 2015 12:27 GMT Anonymous Coward
  
  Snake oil salesmen have always sold false cures for real diseases.
  
  If they were honestly trying to fix things, they'd push execs to prioritize security. Or find a way to make consumers all paranoid about slick software that's rotten on the inside. Good luck with that though.
  
  1 0 Reply
Monday 20th July 2015 17:38 GMT Former Spook

Figures never lie but liars figure.

0 0 Reply
Tuesday 21st July 2015 21:31 GMT Md_pepa

Equality in a population of inequality

The key mistake I see is that the population of cyberspace does not poses an equal probability of being hit by malicious actors, so safety is not a function of size.

If 1/10 people are criminals, and the population increases from 100 to 1000, then the proportion and probability is the same if each citizen had an equal chance of being robbed, and robberies happened 1 per month per criminal, etc.

It's however less likely to rob other criminals, police, soldiers, bigger people or babies, and you don't have an equal distribution across all physical locations. The population of criminals is supported by the more prosperous local economy and those criminals target either vulnerabilities (people/things) or known valuable targets/areas.

Collections of criminals maybe able to target higher value businesses with more security hitting the news, others may go undetected such as cyber shoplifting or pickpockets. With losses either unattributed or taken as an operational risk and not reported.

That said, the recent investment increase private/public sector and focus/competition within the security industry, coupled with the relative maturity of technology may mean that defence is starting to erode criminal returns.

As we white list the IPV6 range, apply better heuristics, cryptography and increase awareness, the widow of opportunity will narrow as the attack becomes more sophisticated and cannot be rolled out in a timely or resource efficient manner. The threat will then shift to underdeveloped physical regions or areas of technology. The unknown nature of surveillance and high tariffs when caught will also reduce the population of occasional criminals.

Cloud, IPv6 and firmware will be the growth sectors in my opinion, internal threat will continue as focus turns inward to the unpredictable through the fog of BAU; increasing statistics due to that focus, not the risk.

0 0 Reply