The formula here attempts to explain a paradox in security analysis:
If it is true that security is only as strong as its weakest link, why are those who use insecure passwords, skip security patches, neglect to install or update antivirus software, and in general behave insecurely not hacked and exploited continuously?
Because, for the most part, they are not!
A thought-provoking attempt to explain this puzzle is presented by Dinei Florêncio and Cormac Herley of Microsoft Research in the paper "Where Do All The Attacks Go?". The formula above is taken from this paper.
The paper sets out to show why the weakest-link model does not apply to the most common type of Internet attack.
One crucial point the study makes is the difference between targeted attacks and mass attacks. The former is focused on a known (potential) victim or victims, while the latter knows nothing about its (potential) victims. A targeted attacker knows her target and may therefore go after its weakest link. However, since potential victims (all Internet users, around two billion) far outnumber potential attackers, the average Internet user's weakest link is unknown to attackers. Most importantly, it may not even be economically feasible for an attacker to go looking for it.
The study argues, reasonably, that an attacker planning a mass attack will try to maximize her expected revenue. Consequently, the attack method an attacker chooses need not correspond to any individual user's weakest link. If another (even less severe) weakness is present in a sufficiently large part of the target population, it may be rational for the attacker to exploit that one instead, as the expected revenue is larger while the attacker's cost is more or less the same.
From this another interesting observation follows: other people's security behavior influences an individual's security. Suppose lots of people have very weak passwords, which makes an attack exploiting weak passwords against that group worthwhile from the attacker's point of view. If everyone except one person then strengthens their passwords, that attack may no longer be the one with the greatest expected economic gain, and the attacker will switch to another type of attack. The one person who did not change his password benefits from the others' secure behavior: he gets a free ride, as the other users' behavior protects the whole group.
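The two effects described above (the attacker picking the attack with the largest expected revenue over the whole population rather than any one user's weakest link, and the resulting free ride) can be made concrete with a small model. The code below is an added illustration written for this post; it is not the paper's formula or code, and the attack names, success probabilities, costs, population sizes and the value of a compromised account are all constructed numbers, chosen only so that the switch between attacks is visible.

```python
"""Toy model of a rational mass attacker choosing between attack types.

Each user carries a set of weaknesses. Each attack type exploits one weakness,
succeeds with some probability against a user who has it, and costs the attacker
a fixed amount to run against the whole population. The attacker picks the attack
with the highest expected profit over the population, or none if nothing pays.
All numbers below are constructed for illustration (assumption, not data).
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Attack:
    name: str
    weakness: str        # the weakness this attack exploits
    p_success: float     # chance of compromising a user who has the weakness
    fixed_cost: float    # cost of running one campaign against everyone


# Hypothetical attack catalogue (names and numbers are assumptions).
ATTACKS = [
    Attack("password_spray", "weak_password", p_success=0.5, fixed_cost=50.0),
    Attack("exploit_kit", "unpatched_browser", p_success=0.8, fixed_cost=100.0),
]


def expected_profit(attack: Attack, population: List[FrozenSet[str]],
                    value_per_victim: float) -> float:
    """Expected revenue over all exposed users minus the campaign cost."""
    exposed = sum(1 for w in population if attack.weakness in w)
    return attack.p_success * exposed * value_per_victim - attack.fixed_cost


def best_attack(attacks: List[Attack], population: List[FrozenSet[str]],
                value_per_victim: float) -> Optional[Attack]:
    """The attack a profit-maximizing attacker runs, or None if none is profitable."""
    best = max(attacks, key=lambda a: expected_profit(a, population, value_per_victim))
    return best if expected_profit(best, population, value_per_victim) > 0 else None


def victims_of(attack: Attack, population: List[FrozenSet[str]]) -> List[int]:
    """Indices of users who are exposed to (and so may fall to) the chosen attack."""
    return [i for i, w in enumerate(population) if attack.weakness in w]


def build_population(n: int = 1000) -> List[FrozenSet[str]]:
    """Constructed population: users 0-399 have weak passwords,
    users 300-499 run an unpatched browser (so 300-399 have both)."""
    pop = []
    for i in range(n):
        w = set()
        if i < 400:
            w.add("weak_password")
        if 300 <= i < 500:
            w.add("unpatched_browser")
        pop.append(frozenset(w))
    return pop


def harden_passwords(population: List[FrozenSet[str]], keep=(0,)) -> List[FrozenSet[str]]:
    """Everyone except the users in `keep` replaces their weak password."""
    return [w if i in keep else w - {"weak_password"} for i, w in enumerate(population)]


if __name__ == "__main__":
    value = 1.0
    pop = build_population()
    chosen = best_attack(ATTACKS, pop, value)
    print("before hardening:", chosen.name)
    # User 450 has an unpatched browser (a severe weakness) but a strong password,
    # so the attacker's chosen campaign never touches her.
    print("user 450 targeted:", 450 in victims_of(chosen, pop))

    hardened = harden_passwords(pop, keep=(0,))
    chosen2 = best_attack(ATTACKS, hardened, value)
    print("after hardening:", chosen2.name)
    # User 0 kept the weak password but gets a free ride: the attack moved on.
    print("user 0 targeted:", 0 in victims_of(chosen2, hardened))
```

With these constructed numbers the password spray is worth 0.5 × 400 − 50 = 150 before hardening, while the exploit kit is worth 0.8 × 200 − 100 = 60, so the attacker sprays passwords and a user whose only (and quite severe) weakness is an unpatched browser is never attacked. Once 399 of the 400 weak-password users change their passwords, the spray becomes a loss and the exploit kit is chosen instead; the single holdout is not exposed to it and rides free on everyone else's effort.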
The study makes two other points that further weaken the case for the weakest-link model in mass attacks, where potential victims and attacker are unknown to each other:
- The potential victim may be protected by "exogenous events" (e.g. security-competent third parties). A typical example is a bank that stops a fraudulent attempt to transfer money out of a compromised user's account.
- Several attackers may target the same victim. Each attacker's average revenue is thereby smaller, as it seems fair to assume that the total amount that can be extracted from a victim is roughly constant.
Reading the study is highly recommended for an in-depth analysis of rational behavior on the part of both the attacker and the end user. If both act rationally, each will maximize expected gain (or minimize expected loss) relative to the effort (cost) invested.