Communications of the ACM

Home/Magazine Archive/September 2014 (Vol. 57, No. 9)/Security, Cybercrime, and Scale/Abstract

Contributed articles

Security, Cybercrime, and Scale

By Cormac Herley
Communications of the ACM, September 2014, Vol. 57 No. 9, Pages 64-71
10.1145/2654847
Comments (1)

View as: Print Mobile App ACM Digital Library In the Digital Edition Share: Send by email Share on reddit Share on StumbleUpon Share on Hacker News Share on Tweeter Share on Facebook

Security, Cybercrime, and Scale, illustration — Credit: Daniel Hertzberg

A traditional threat model has been with us since before the dawn of the Internet (see Figure 1). Alice seeks to protect her resources from Mallory, who has a suite of attacks, k = 0; 1, ..., Q – 1; now assume, for the moment, (unrealistically) that Q is finite and all attacks are known to both parties. What must Alice do to prevent Mallory gaining access? Clearly, it is sufficient for Alice to block all Q possible attacks. If she does, there is no risk. Further, assuming Mallory will keep trying until he exhausts his attacks (or succeeds), it is also necessary; that is, against a sufficiently motivated attacker, it is both necessary and sufficient that Alice defend against all possible attacks. For many, this is a starting point; for example, Schneider¹⁴ says, "A secure system must defend against all possible attacks, including those unknown to the defender." A popular textbook¹³ calls it the "principle of easiest penetration" whereby "An intruder must be expected to use any available means of penetration." An often-repeated quip from Schneier, "The only secure computer in the world is unplugged, encased in concrete, and buried underground," reinforces the view.

Key Insights

How did Mallory meet Alice? How does this scale? That is, how does this model fare if we use it for an Internet-scale population, where, instead of a single Alice, there are many? We might be tempted to say, by extension, that unless each Alice blocks all Q attacks, then some attacker would gain access. However, a moment's reflection shows this cannot always be true. If there are two billion users, it is numerically impossible that each would face the "sufficiently motivated" persistent attacker—our starting assumption; there simply are not two billion attackers or anything close to it. Indeed, if there were two million rather than two billion attackers (making cybercriminals approximately one-third as plentiful as software developers worldwide) users would still outnumber attackers 1,000 to one. Clearly, the threat model in Figure 1 does not scale.

Comments

CACM Administrator

February 03, 2015 04:26

The following letter was published in the Letters to the Editor of the November 2014 CACM (http://cacm.acm.org/magazines/2014/11/179829).
--CACM Administrator

Cormac Herley's article "Security, Cybercrime, and Scale" (Sept. 2014) focused on logical analysis of narrowly defined financial cybercrimes gainfully performed by untrusted remote perpetrators, not by embezzlers. The objective Herley specified in this logical model is improved security to reduce the risk of rational financially motivated untrusted perpetrators able to carry out all possible scaled attacks.

Having interviewed more than 200 cybercrime perpetrators over the past 40 years, I suggest reality is quite different. First, perpetrators possess only partial knowledge. They also cause errors that change their objectives, take less financial assets than are available, do not necessarily consider cost, perform copy-cat attacks, and act under many other personal irrational conditions and circumstances that were always present in all of the cases I studied.

Here is my threat model: Alice knows she cannot be sufficiently secure from attacks by Mallory and thus seeks to avoid negligence after Mallory (inevitably) attacks, successfully or not.

Herley correctly noted the limitations of successful risk reduction, but a different objective and strategy are more desirable for my model. The objective I advocate is security diligence, rather than risk reduction. It is a safer, more easily obtained and measured objective for the enterprise, more likely meets insurance requirements, and reduces a broader range of risk reduction that includes possibly reducing the risk of negligence on the part of the victim enterprise and the stakeholders within it. I have found (in practice) this is often more important than financial loss.

The diligence strategy is to implement security controls by engaging in benchmark studies, using standards, compliance, contracts, audits, good practices, available products, cost control, experts' opinions, and experimentation. The tough high-cost decisions are made by management fiat, not necessarily by risk reduction.

Donn B. Parker
Los Altos, CA

Displaying 1 comment

Log in to Read the Full Article

Sign In

Sign in using your ACM Web Account username and password to access premium content if you are an ACM member, Communications subscriber or Digital Library subscriber.

Need Access?

Please select one of the options below for access to premium content and features.

Create a Web Account

If you are already an ACM member, Communications subscriber, or Digital Library subscriber, please set up a web account to access premium content on this site.

Join the ACM

Become a member to take full advantage of ACM's outstanding computing information resources, networking opportunities, and other benefits.

Subscribe to Communications of the ACM Magazine

Get full access to 50+ years of CACM content and receive the print version of the magazine monthly.

Purchase the Article

Non-members can purchase this article or a copy of the magazine in which it appears.