Economics of Web Security

Transcript

1. You can be too careful The economics of web security

2. 1. We all want to write secure software.

3. 1. We all want to write secure software. 2. We

   don’t all know where to start.

4. 1. We all want to write secure software. 2. We

   don’t all know where to start. 3. We’re all bad at thinking about risk, uncertainty, and probability.

5. 1. We all want to write secure software. 2. We

   don’t all know where to start. 3. We’re all bad at thinking about risk, uncertainty, and probability. 4. We should all think like economists!

6. Utility

7. Utility

8. Utility

9. Utility

10. Utility

11. Utility

12. Utility

13. Utility Security

14. You can be too careful. Think about costs and trade-offs.

15. “The Plight of the Targeted Attacker in a World of

    Scale” (Herley 2010)

16. “Despite neglecting even basic security measures, close to two billion

    people use the Internet, and only a small fraction appear to be victimized each year…”

17. “This paper suggests that an explanation lies in the economics

    of attacks. We distinguish between scalable attacks, where costs are almost independent of the number of users attacked, and non-scalable (or targeted) attacks, which involve per-user effort.”
18. None
19. None
20. None

21. “In the model where Charles exploits any vulnerability, the worst-case

    is to be expected if any defence is neglected. This leads to the following puzzling fact: the idea that worst-case outcomes become actual is not supported by evidence.”

22. “How can it be that huge numbers of internet users

    ignore most security advice, and yet do not suffer the worst-case outcomes predicted by this threat model?”
23. None
24. None
25. None

26. Scalable Cheap Broadcast Nonadaptive like nmap

27. Scalable Cheap Broadcast Nonadaptive like nmap Non-scalable Expensive Targeted Adaptive

    like spear phishing

28. Average Cost Users Attacked

29. Average Cost Users Attacked Karl

30. Average Cost Users Attacked Klara Karl

31. “Scalable attacks reach orders of magnitude more users. To compensate

    for her disadvantage in terms of reach the targeted attacker must target users with higher than average value.”
32. None
33. None
34. None

35. Value

36. Value

37. Value Average value

38. Value Average value

39. Value Average value Klara

40. Value Average value Klara Karl

41. “…Protect against scalable attacks first. Compromise is almost certain if

    Alice fails to address the scalable attacks that reach everyone. After this, Alice’s strategy depends on which, if any, of her assets are valuable enough and visible enough to place her in the top few percent of available targets.”

42. OWASP Top Ten Injection Broken Authentication Cross-Site Scripting Insecure Object

    References Misconfiguration Sensitive Data Exposure Function Level Controls Cross Site Request Forgery Known Vulnerabilities Unvalidated Redirects https://www.owasp.org/

43. OWASP Top Ten Injection Broken Authentication Cross-Site Scripting Insecure Object

    References Misconfiguration Sensitive Data Exposure Function Level Controls Cross Site Request Forgery Known Vulnerabilities Unvalidated Redirects 0% 10% 20% 30%

44. OWASP Top Ten - Cumulative Distribution 0 0.25 0.5 0.75

    1 Injection Broken Authentication Cross-Site Scripting Insecure Object References Misconfiguration Sensitive Data Exposure Function Level Controls Cross Site Request Forgery Known Vulnerabilities Unvalidated Redirects

45. Think about costs and trade-offs. Consider the value of your

    users and the costs of attacks. Defend against Karl first.

46. Resources The Web Application Hacker’s Handbook OWASP Top Ten OWASP

    Development guides Economics and Security Resource Page