Malware and System Security
Operating system
• A process is a instantiation of a program, when
you run program it becomes a process.
• Operating system keep track of these processes.
– Process state (Memory, registers, process control
block, file handles).
– Save / restore / kill process
– Pass messages between processes
– Administrative processes (timesharing etc.)
Virtual Memory
• Virtual memory provides a virtual address space
for each process, each process own entire
address space.
• Virtual memory is larger than physical memory,
paging and swapping memory pages in and out
of disk.
• Virtual memory provides separation between
processes, they can not access each others
memory.
• Translation look aside buffers (TLB) is a CPU
cache that memory management hardware uses
to improve virtual address translation.
Software / System security flaws
• Buffer overruns
• Incomplete mediation
• TOCTTOU Vulnerability (Time of check to time of use)
• Format string vulnerability
• Integer overflow
• Severity in increasing order
– Software attacks
– Human attacks (weak passwords, social engineering)
– Network attacks
– Physical attacks
– Cryptographic attacks
• Even if software has no flaws:
– Attack on OS, attack on executable disk, attack on memory (DMA,
Swap).
Buffer overruns
• Buffer is a contiguous storage of multiple
elements of one data type.
– Example char buff[10] allocates 10 elements
– Can access from buff[0],buff[1] …
– What happens if we write buff[10]
• C and C++ are inherently unsafe:
– No boundary checks on array or pointer references.
– Strings are NULL terminated (not storing length).
– No length information in dynamic allotted memory.
– Unsafe APIs in standard C library (strcpy, strcat,
sprintf, scanf, gets).
Analyze this code
Stack
• Stores local variables, arguments to functions, return
addresses, old stack pointer.
– Stack grows “downwards” from high memory to low memory.
• Every time a function is called:
– Push arguments to stack
– Push return address
– Jump to function
– Store old base pointer, initialize base pointer
– Allocates space for local variables
– Start executing the code.
• For returning, control of called function:
– Prepare return value
– Un-allocate local variables
– Restore base pointer
– Jump to return address
More on stack
Smashing stack
• Find a buffer that is allocated on a stack and that is at
lower address than return address.
• Inject malicious code
– Typically spawns a shell
• Overwrite return address on stack with address of
malicious code
• On return malicious code will invoke instead of returning
to called function.
– How to determine how much buffer to overflow?
• Other forms of attack include function pointers,
environment variable manipulation (getenv), longjmp
buffers.
Defensive & countermeasures
• Whether to use C & C++ ?
• Avoid risky programming constructs
– Use fgets instead of gets
– Use strn* API instead of str* API
– Use snprintf instead of sprintf
– Use format strings
– Do not assume anything about inputs.
• Non executable buffers
• Array bounds checking
• Libsafe – Safe guard library
• StackGuard (canary word), StackShield (duplicate
address)
Format string
• Allows attacker to peep into memory by printing
out values stored in the stack.
• Allows an arbitrary value to be written into
memory of running program using (%n) format
specifier.
• Example printf(“%s”,str) vs printf(str)
– Buffer is interpreted by printf function as format string.
– Buffer is scanned for special formats, as formats
encountered argument values are retrieved from
stack.
Reverse Engineering
Disassembly
Tasks on hand, objective
• Debugger – Windows & Linux
• Objective
– Finding the shell
– Static analysis
• Data flow
• Control flow
• Taint analysis
– Buffer overrun, format string, and integer over run.
• Kali operating system (https://www.kali.org/)
URLs
1. https://www.owasp.org/index.php/Static_C
ode_Analysis
2. https://msdn.microsoft.com/en-us/library/wi
ndows/hardware/ff551063(v=vs.85).aspx
3. http://www.gnu.org/software/gdb/
Malware
• Malicious Software designed to secretly
access a computer system without owners
informed consent.
• Security: Its secure if system behaves as it
is intended.
– Viruses, Worms, Trojan Horses, Rootkits,
Backdoors, Keystroke loggers, Spyware,
Spammers
Current threats
• Social Engineering
• Malware via phishing
• Distributed Denial of Service
attacks
• Time bombs
• Web browser security
• Covert channels
• Laptop theft
• Secure file deletion
• Data leakage
• Friend knows password
• Contractors
• Viruses
• Physical threats
• Extrusion – Copy & paste
• Root Kits
Challenges
Recognize known
attacks.
Recognize
unknown attacks.
Prevent attack
Recognition
Other
Challenges?
Defenses
Containment Systems
Defense Systems
Prevention Systems
Traceback Systems
Virus
• Program that infects itself by infecting an
executable file and making copies of itself.
– Propagation mechanism
• Sharing infected file with other computers
– USB, infected attachment, etc.
• Executing a infected file.
• Infect other computers and spread infection.
– Trigger
• Time or condition when payload is activated.
– Payload
• Damage existing files
• Extort sensitive information
• Consume computer resources.
How does it work?
Defense is
sound if reported
vulnerabilities
Defense is
complete if
reported all
vulnerabilities
Propagation
• Virus replicates itself when infected file is
executed.
• This task is not entirely automated:
– User makes first step
– Virus copies malicious code to other files.
– Jump instruction to malicious code is added.
• Why windows based viruses most prolific?
– Largest population
– Why write a virus if only a few people are infected?
Detection
• Virus has signature
– Same structure and bit
pattern present in all its
copies.
– This pattern uniquely
identifies a virus.
– It is a simple pattern
matching.
– Optimizations
• Scan first and last 4K of
file.
• More advanced viruses
– Encrypted viruses
– Polymorphic viruses
Detection challenges
• A different encryption key is generated for each
new infection.
• Therefore, encrypted virus body appears
different in each infected file.
• Anti virus can no longer parse virus body for the
virus signatures.
• Good news:
– Still pattern matching because its based on decryption
code.
– Very short pattern, attempt simple decryption to look
at underlying code.
Polymorphic viruses
• They are advanced encrypted viruses
formerly constant decryption routing.
– Now mutable decryption routine
– No more signatures in code.
• Good news:
– Let virus do work for you.
– Emulate code in controlled environment.
– Periodically scan virtual memory for virus
signatures.
Behavior blocking software
• Monitor actions
– Open, read, delete, modify files
– Perform unrecoverable disk operations
– Initiate network communications.
• Raised alarms can annoy users.
Worms
• Self replicating network program
– Exploit vulnerabilities to infect remote machines.
– Victim machines continue to propagate infection.
• Three main stages:
– Detect new targets
– Attempt to infect new targets
– Activate code on victim machines.
• Difference between computer virus?
– No human intervention required
– Email virus: Human still needed.
Why worry about worms?
• Speed
– Much faster than viruses
• CRv2 (14 hours for 359 victims)
• Slammer (10 minutes for 75 victims)
– Faster than human reaction
• Highly malicious payloads
– (DDoS, Data Corruption)
Target Discovery
• Localized scanning
• Multi vector scanning
• Hit-list scanning
• Permutation scanning
• Topology scanning
Major Worms
• Slammer worm
– 90 % Victims in 10 mins
– Buffer overrun in microsoft SQL Server
• Patch released but no one ever installed.
– Vulnerability identified by port 1434
– Scan rate 55,000,000 per second.
– Infected population doubled every 8.5
seconds
– Worm generated packets saturated carrying
capacity of internet infrastructure
State of the Art: Worms
• Multiplatform (windows, unix)
• Multi exploit
• Very fast spreading
• Polymorphic
• Zero day exploit
– http://www.symantec.com/connect/blogs/guide-zero-day-exploits
• Cyber to physical – Stuxnex, Flame
• Government funded spying
• Exploiting p2p applications
– Large number of users use same applications
• Single vulnerability needed, large peer numbers, large file transfer,
not mainstream protocols, execute on desktops not servers.
– Potential huge size.
Worm Defense
• Eliminate security holes from software.
• Software updates on vulnerable hosts.
• Signature based worm scan filtering.
Other Malware
• Grayware
– Spyware
– Adware
• Data stealing malware
• Botnets
– Rootkits
• Usermode ,Kernel mode, firmware.
• Backdoors
Trusted Computing Group (TCG)
1. Untrusted booting
2. Secure boot
3. Trusted boot
Economics of Information Security
By Manjunath M
Email: manjunath@msitprogram.net
Skype: manjunath
Phone: 7799834582.
Vulnerabilities
What happened after all these losses?
Why is security difficult?
1. Internet was not designed for security
2. 70% of incidents exploit software flaws.
3. Complex systems likely to have more
vulnerabilities.
4. If 100 vulnerabilities, each having 1% chance of
being exploited then probability of success is
1-(0.99)100 = 0.63 is like 2/3 chances.
5. Incentives for sys admin to record and report vs.
record and report for bad people.
6. Economic model for information security is
flawed.
Flawed economic model?
• Perfect security is mirage, even well
designed systems will be insecure.
• Focus is on preventing attacks not on
managing the risks.
– Not enough attention on mitigating risks.
• Security has costs.
• Best practices are not always correct
solutions. Same case as pesticides.
• How much security is enough?
How much security is enough?
• Unless risks are
described in terms
that business people
and decision makers
understand, they will
not likely be
addressed.
Management vs. Security personal
Hey Boss, we need
more security. I think
we need new Acme
2010 Hacker
Abolishers
We always seem to
need more security.
Don’t we have enough?
Trust me sir, we
will be more
secure.
What are my
alternatives?
What is it going
to cost?
What is
the added
value?
Problem: We don’t even have a unit to measure effectiveness.
Terminology
• Expected loss: How much you loose on average.
• Variance: How much higher or lower than
expected loss → This is measure of uncertainty.
• Risk: How much you care about variance.
• Risk is often used in everyday language the
sense of “How bad can it get and how likely is
the scenario”
– Initial focus is on expected loss.
– Later on to accommodate variance.
Components of risk management
• Investing in counter measure to reduce expected loss
efficiently.
• Investing to improve realistic “worst case scenario”
measured (VaR)
• Example:
– Security system in place frequency is 0.4 and investment 15$
– No security in place frequency 0.5 and investment 0$
– Security breach happens it is 100$, no breach 0$.
– Should we invest?
• 40+15 = 55$, or 50$. No security better, because lower loss.
• How much to spend = Loss + Cost
• Spent amount = (F1L1 + F2L2 + …….+FnLn) + I
How to justify security investments?
Role of time
• Reduce costs, and increase benefits that
might take place in future.
– V = benefit = avoided losses.
– C = ongoing implementation costs.
– r = cost of capital.
• Net Present value:
• Internal Rate of Return:
Return of Investment (ROI)
• Return of investment:
– ROI = (Net Benefit –Investment) / Investment.
• Scenarios:
– Investment 10$, Net benefit 20$
– Investment 20$, Net benefit 35$
– ROI = (20-10)/10 = 100% ROI = (35-20)/20 =
75%
– NPV (Benefit – Cost) = 10 vs. 15
• Which is better? ROI or NPV
ROI vs. NPV
• ROI should not be used for choosing among projects.
• ROI can not adjust to time profile of costs and benefits.
• ROI is very sensitive to large investments.
• ROI is beneficial when you have fixed budget.
– Technology Investments + Investments on people and process.
– What % should go for Technology, and people and process.
• Last dollar spent on technology should produce same
reduction in expected loss as loss dollar spent on people
and processes.
• What actually
happens if system is
breached?
– Data loss is different
from data loss +
system down.
Vulnerability disclosure
• Significant economic costs due to exploitation of
software vulnerabilities.
• Once vulnerabilities are found: what can happen? Good
vs. Bad.
– Full disclosure: good or bad
– Who owns the vulnerability information?
• Vendors want users to wait for the patch.
– Cost for creating patch, loss of customers due to exploits.
• Markets for vulnerabilities? TippingPoint, iDefense.
The Evolution of Security: Nature
• Markets fail because of Monopoly.
• Competitive markets does welfare maximizing.
• Microsoft (mono culture in desktops): Larger the market share,
target for hackers.
– Great concern for many governments.
– Support other applications like Linux office, standardize exchange
protocols. Or else market failure.
• Is it limited to Microsoft? BGP, DNS, Cisco, Google, Symantec &
Mcafee
• Software diversification is strategy to reduce risk.
Failure MUST be an option.
Natural Law
Information Asymmetry
• I know security of my product (and I can not
inform my users). Trust us.
– Markets also fail because of information asymmetry.
• If consumers have no way to measure. Two
vendors: CH>CL – Do you think higher security will be provided will lower
costs?
• Why higher costs? Reputation , Warranty.
– Vendor has to compensate user losses?
• Inform consumer about quality, third party
certificates (CC Certification).
Cyber-insurance
• Risk is expected loss. If losses are uncertain and expect
loss is large.
– Insurance is aimed at shifting some of these large losses to
insurers, in exchange for monetary premiums.
• What is large, the uncertain loss? Or premium. Worst
case scenario.
– First party business interruption.
– First party electronic data damage.
– First party extortion.
– Third party network security liability.
• Down stream
– Third party media liability.
– Loss of corruption of data
– Business Interruption
– Liability
Insurance works on
risk pooling
Externalities
• When consequences of your actions are felt by others
and there is no compensation.
– Leads to tragedy of commons (SPAM).
– Leads to failure of insurance markets.
• Should governments intervene?
– Subsidy, Standards, Taxes, Property rights (pollution,
spectrum)
– Liability for computer viruses & worms?
• Hackers, ISPs, Users, Software vendors.
– Who takes liability for children, students, employees, citizens.
• Microsoft – (mono culture)
– Genuine program initially provided patches to genuine software.
– Later issued to all, because un-patched systems can cause
externatilities for other Microsoft users. And loss for microsoft.
• Is liability a solution?
*
Law is About Policy
Knowledge disparity
Sophistication
Low cost avoider
Externalities
Crushing liability
Unforeseeable damages
Monopoly/ (inability to bargain for)
Genetic
variation Perverse incentives
(underreporting)
Perverse incentives:
moral hazard
Stifling innovation/
Features vs. Defects
Third party actors: ISPs, Security
software vendors, interoperability
Pirated copies
Notification/Patch
Requirements
EULA/Contractual
Limitation
“Standards Orgs”
Insurance
HCI: Information Security
• How users view security?
– Security is barrierthat “keeps things out”
– Attitudes: Frustration, Pragmatism, Futility
– Practice: delegation
• Creating HCI for security application is different from creating HCI
for other applications. Agree or disagree?
• Security software is usable if people who us it are: aware of security
tasks to perform, figure out how to perform tasks, do not make
errors, comfortable with interface to continue using it.
• How do you design for security?
– Think like a user
– Stop thinking like yourself
– User test, User test, User test
• Common mistakes:
– Thinking like a engineer
– Focusing on tasks, and features not on goals.
Thank you
• A process is a instantiation of a program, when
you run program it becomes a process.
• Operating system keep track of these processes.
– Process state (Memory, registers, process control
block, file handles).
– Save / restore / kill process
– Pass messages between processes
– Administrative processes (timesharing etc.)
Virtual Memory
• Virtual memory provides a virtual address space
for each process, each process own entire
address space.
• Virtual memory is larger than physical memory,
paging and swapping memory pages in and out
of disk.
• Virtual memory provides separation between
processes, they can not access each others
memory.
• Translation look aside buffers (TLB) is a CPU
cache that memory management hardware uses
to improve virtual address translation.
Software / System security flaws
• Buffer overruns
• Incomplete mediation
• TOCTTOU Vulnerability (Time of check to time of use)
• Format string vulnerability
• Integer overflow
• Severity in increasing order
– Software attacks
– Human attacks (weak passwords, social engineering)
– Network attacks
– Physical attacks
– Cryptographic attacks
• Even if software has no flaws:
– Attack on OS, attack on executable disk, attack on memory (DMA,
Swap).
Buffer overruns
• Buffer is a contiguous storage of multiple
elements of one data type.
– Example char buff[10] allocates 10 elements
– Can access from buff[0],buff[1] …
– What happens if we write buff[10]
• C and C++ are inherently unsafe:
– No boundary checks on array or pointer references.
– Strings are NULL terminated (not storing length).
– No length information in dynamic allotted memory.
– Unsafe APIs in standard C library (strcpy, strcat,
sprintf, scanf, gets).
Analyze this code
Stack
• Stores local variables, arguments to functions, return
addresses, old stack pointer.
– Stack grows “downwards” from high memory to low memory.
• Every time a function is called:
– Push arguments to stack
– Push return address
– Jump to function
– Store old base pointer, initialize base pointer
– Allocates space for local variables
– Start executing the code.
• For returning, control of called function:
– Prepare return value
– Un-allocate local variables
– Restore base pointer
– Jump to return address
More on stack
Smashing stack
• Find a buffer that is allocated on a stack and that is at
lower address than return address.
• Inject malicious code
– Typically spawns a shell
• Overwrite return address on stack with address of
malicious code
• On return malicious code will invoke instead of returning
to called function.
– How to determine how much buffer to overflow?
• Other forms of attack include function pointers,
environment variable manipulation (getenv), longjmp
buffers.
Defensive & countermeasures
• Whether to use C & C++ ?
• Avoid risky programming constructs
– Use fgets instead of gets
– Use strn* API instead of str* API
– Use snprintf instead of sprintf
– Use format strings
– Do not assume anything about inputs.
• Non executable buffers
• Array bounds checking
• Libsafe – Safe guard library
• StackGuard (canary word), StackShield (duplicate
address)
Format string
• Allows attacker to peep into memory by printing
out values stored in the stack.
• Allows an arbitrary value to be written into
memory of running program using (%n) format
specifier.
• Example printf(“%s”,str) vs printf(str)
– Buffer is interpreted by printf function as format string.
– Buffer is scanned for special formats, as formats
encountered argument values are retrieved from
stack.
Reverse Engineering
Disassembly
Tasks on hand, objective
• Debugger – Windows & Linux
• Objective
– Finding the shell
– Static analysis
• Data flow
• Control flow
• Taint analysis
– Buffer overrun, format string, and integer over run.
• Kali operating system (https://www.kali.org/)
URLs
1. https://www.owasp.org/index.php/Static_C
ode_Analysis
2. https://msdn.microsoft.com/en-us/library/wi
ndows/hardware/ff551063(v=vs.85).aspx
3. http://www.gnu.org/software/gdb/
Malware
• Malicious Software designed to secretly
access a computer system without owners
informed consent.
• Security: Its secure if system behaves as it
is intended.
– Viruses, Worms, Trojan Horses, Rootkits,
Backdoors, Keystroke loggers, Spyware,
Spammers
Current threats
• Social Engineering
• Malware via phishing
• Distributed Denial of Service
attacks
• Time bombs
• Web browser security
• Covert channels
• Laptop theft
• Secure file deletion
• Data leakage
• Friend knows password
• Contractors
• Viruses
• Physical threats
• Extrusion – Copy & paste
• Root Kits
Challenges
Recognize known
attacks.
Recognize
unknown attacks.
Prevent attack
Recognition
Other
Challenges?
Defenses
Containment Systems
Defense Systems
Prevention Systems
Traceback Systems
Virus
• Program that infects itself by infecting an
executable file and making copies of itself.
– Propagation mechanism
• Sharing infected file with other computers
– USB, infected attachment, etc.
• Executing a infected file.
• Infect other computers and spread infection.
– Trigger
• Time or condition when payload is activated.
– Payload
• Damage existing files
• Extort sensitive information
• Consume computer resources.
How does it work?
Defense is
sound if reported
vulnerabilities
Defense is
complete if
reported all
vulnerabilities
Propagation
• Virus replicates itself when infected file is
executed.
• This task is not entirely automated:
– User makes first step
– Virus copies malicious code to other files.
– Jump instruction to malicious code is added.
• Why windows based viruses most prolific?
– Largest population
– Why write a virus if only a few people are infected?
Detection
• Virus has signature
– Same structure and bit
pattern present in all its
copies.
– This pattern uniquely
identifies a virus.
– It is a simple pattern
matching.
– Optimizations
• Scan first and last 4K of
file.
• More advanced viruses
– Encrypted viruses
– Polymorphic viruses
Detection challenges
• A different encryption key is generated for each
new infection.
• Therefore, encrypted virus body appears
different in each infected file.
• Anti virus can no longer parse virus body for the
virus signatures.
• Good news:
– Still pattern matching because its based on decryption
code.
– Very short pattern, attempt simple decryption to look
at underlying code.
Polymorphic viruses
• They are advanced encrypted viruses
formerly constant decryption routing.
– Now mutable decryption routine
– No more signatures in code.
• Good news:
– Let virus do work for you.
– Emulate code in controlled environment.
– Periodically scan virtual memory for virus
signatures.
Behavior blocking software
• Monitor actions
– Open, read, delete, modify files
– Perform unrecoverable disk operations
– Initiate network communications.
• Raised alarms can annoy users.
Worms
• Self replicating network program
– Exploit vulnerabilities to infect remote machines.
– Victim machines continue to propagate infection.
• Three main stages:
– Detect new targets
– Attempt to infect new targets
– Activate code on victim machines.
• Difference between computer virus?
– No human intervention required
– Email virus: Human still needed.
Why worry about worms?
• Speed
– Much faster than viruses
• CRv2 (14 hours for 359 victims)
• Slammer (10 minutes for 75 victims)
– Faster than human reaction
• Highly malicious payloads
– (DDoS, Data Corruption)
Target Discovery
• Localized scanning
• Multi vector scanning
• Hit-list scanning
• Permutation scanning
• Topology scanning
Major Worms
• Slammer worm
– 90 % Victims in 10 mins
– Buffer overrun in microsoft SQL Server
• Patch released but no one ever installed.
– Vulnerability identified by port 1434
– Scan rate 55,000,000 per second.
– Infected population doubled every 8.5
seconds
– Worm generated packets saturated carrying
capacity of internet infrastructure
State of the Art: Worms
• Multiplatform (windows, unix)
• Multi exploit
• Very fast spreading
• Polymorphic
• Zero day exploit
– http://www.symantec.com/connect/blogs/guide-zero-day-exploits
• Cyber to physical – Stuxnex, Flame
• Government funded spying
• Exploiting p2p applications
– Large number of users use same applications
• Single vulnerability needed, large peer numbers, large file transfer,
not mainstream protocols, execute on desktops not servers.
– Potential huge size.
Worm Defense
• Eliminate security holes from software.
• Software updates on vulnerable hosts.
• Signature based worm scan filtering.
Other Malware
• Grayware
– Spyware
– Adware
• Data stealing malware
• Botnets
– Rootkits
• Usermode ,Kernel mode, firmware.
• Backdoors
Trusted Computing Group (TCG)
1. Untrusted booting
2. Secure boot
3. Trusted boot
Economics of Information Security
By Manjunath M
Email: manjunath@msitprogram.net
Skype: manjunath
Phone: 7799834582.
Vulnerabilities
What happened after all these losses?
Why is security difficult?
1. Internet was not designed for security
2. 70% of incidents exploit software flaws.
3. Complex systems likely to have more
vulnerabilities.
4. If 100 vulnerabilities, each having 1% chance of
being exploited then probability of success is
1-(0.99)100 = 0.63 is like 2/3 chances.
5. Incentives for sys admin to record and report vs.
record and report for bad people.
6. Economic model for information security is
flawed.
Flawed economic model?
• Perfect security is mirage, even well
designed systems will be insecure.
• Focus is on preventing attacks not on
managing the risks.
– Not enough attention on mitigating risks.
• Security has costs.
• Best practices are not always correct
solutions. Same case as pesticides.
• How much security is enough?
How much security is enough?
• Unless risks are
described in terms
that business people
and decision makers
understand, they will
not likely be
addressed.
Management vs. Security personal
Hey Boss, we need
more security. I think
we need new Acme
2010 Hacker
Abolishers
We always seem to
need more security.
Don’t we have enough?
Trust me sir, we
will be more
secure.
What are my
alternatives?
What is it going
to cost?
What is
the added
value?
Problem: We don’t even have a unit to measure effectiveness.
Terminology
• Expected loss: How much you loose on average.
• Variance: How much higher or lower than
expected loss → This is measure of uncertainty.
• Risk: How much you care about variance.
• Risk is often used in everyday language the
sense of “How bad can it get and how likely is
the scenario”
– Initial focus is on expected loss.
– Later on to accommodate variance.
Components of risk management
• Investing in counter measure to reduce expected loss
efficiently.
• Investing to improve realistic “worst case scenario”
measured (VaR)
• Example:
– Security system in place frequency is 0.4 and investment 15$
– No security in place frequency 0.5 and investment 0$
– Security breach happens it is 100$, no breach 0$.
– Should we invest?
• 40+15 = 55$, or 50$. No security better, because lower loss.
• How much to spend = Loss + Cost
• Spent amount = (F1L1 + F2L2 + …….+FnLn) + I
How to justify security investments?
Role of time
• Reduce costs, and increase benefits that
might take place in future.
– V = benefit = avoided losses.
– C = ongoing implementation costs.
– r = cost of capital.
• Net Present value:
• Internal Rate of Return:
Return of Investment (ROI)
• Return of investment:
– ROI = (Net Benefit –Investment) / Investment.
• Scenarios:
– Investment 10$, Net benefit 20$
– Investment 20$, Net benefit 35$
– ROI = (20-10)/10 = 100% ROI = (35-20)/20 =
75%
– NPV (Benefit – Cost) = 10 vs. 15
• Which is better? ROI or NPV
ROI vs. NPV
• ROI should not be used for choosing among projects.
• ROI can not adjust to time profile of costs and benefits.
• ROI is very sensitive to large investments.
• ROI is beneficial when you have fixed budget.
– Technology Investments + Investments on people and process.
– What % should go for Technology, and people and process.
• Last dollar spent on technology should produce same
reduction in expected loss as loss dollar spent on people
and processes.
• What actually
happens if system is
breached?
– Data loss is different
from data loss +
system down.
Vulnerability disclosure
• Significant economic costs due to exploitation of
software vulnerabilities.
• Once vulnerabilities are found: what can happen? Good
vs. Bad.
– Full disclosure: good or bad
– Who owns the vulnerability information?
• Vendors want users to wait for the patch.
– Cost for creating patch, loss of customers due to exploits.
• Markets for vulnerabilities? TippingPoint, iDefense.
The Evolution of Security: Nature
• Markets fail because of Monopoly.
• Competitive markets does welfare maximizing.
• Microsoft (mono culture in desktops): Larger the market share,
target for hackers.
– Great concern for many governments.
– Support other applications like Linux office, standardize exchange
protocols. Or else market failure.
• Is it limited to Microsoft? BGP, DNS, Cisco, Google, Symantec &
Mcafee
• Software diversification is strategy to reduce risk.
Failure MUST be an option.
Natural Law
Information Asymmetry
• I know security of my product (and I can not
inform my users). Trust us.
– Markets also fail because of information asymmetry.
• If consumers have no way to measure. Two
vendors: CH>CL – Do you think higher security will be provided will lower
costs?
• Why higher costs? Reputation , Warranty.
– Vendor has to compensate user losses?
• Inform consumer about quality, third party
certificates (CC Certification).
Cyber-insurance
• Risk is expected loss. If losses are uncertain and expect
loss is large.
– Insurance is aimed at shifting some of these large losses to
insurers, in exchange for monetary premiums.
• What is large, the uncertain loss? Or premium. Worst
case scenario.
– First party business interruption.
– First party electronic data damage.
– First party extortion.
– Third party network security liability.
• Down stream
– Third party media liability.
– Loss of corruption of data
– Business Interruption
– Liability
Insurance works on
risk pooling
Externalities
• When consequences of your actions are felt by others
and there is no compensation.
– Leads to tragedy of commons (SPAM).
– Leads to failure of insurance markets.
• Should governments intervene?
– Subsidy, Standards, Taxes, Property rights (pollution,
spectrum)
– Liability for computer viruses & worms?
• Hackers, ISPs, Users, Software vendors.
– Who takes liability for children, students, employees, citizens.
• Microsoft – (mono culture)
– Genuine program initially provided patches to genuine software.
– Later issued to all, because un-patched systems can cause
externatilities for other Microsoft users. And loss for microsoft.
• Is liability a solution?
*
Law is About Policy
Knowledge disparity
Sophistication
Low cost avoider
Externalities
Crushing liability
Unforeseeable damages
Monopoly/ (inability to bargain for)
Genetic
variation Perverse incentives
(underreporting)
Perverse incentives:
moral hazard
Stifling innovation/
Features vs. Defects
Third party actors: ISPs, Security
software vendors, interoperability
Pirated copies
Notification/Patch
Requirements
EULA/Contractual
Limitation
“Standards Orgs”
Insurance
HCI: Information Security
• How users view security?
– Security is barrierthat “keeps things out”
– Attitudes: Frustration, Pragmatism, Futility
– Practice: delegation
• Creating HCI for security application is different from creating HCI
for other applications. Agree or disagree?
• Security software is usable if people who us it are: aware of security
tasks to perform, figure out how to perform tasks, do not make
errors, comfortable with interface to continue using it.
• How do you design for security?
– Think like a user
– Stop thinking like yourself
– User test, User test, User test
• Common mistakes:
– Thinking like a engineer
– Focusing on tasks, and features not on goals.
Thank you
Subscribe to:
Post Comments
(
Atom
)
good content!!!!!
ReplyDelete