CIS 4615 meeting -*- Outline -*-

* Security Business

Much of this unit is based on John Viega's book
"The Myths of Security" (2009, O'Reilly).

------------------------------------------
FOLLOW THE MONEY!

To understand threats to security and evaluate their likelihood,
we should understand how people make money
from security threats and from security products/services.
------------------------------------------

** bad actors

------------------------------------------
BAD ACTORS: WHO ARE THEY?

Criminals
  - collecting credit card information
  - stealing from online banking
  - stealing industrial secrets
  - ransomware

Botnet herders:
  - delivering spam
  - generating fraudulent ad clicks
  - generating revenue for 1-900 numbers
  - protection rackets (DDOS)

Other criminal activities:
  fake antivirus
  getting free use of online pay accounts
  scams (e.g., for getting bank information)
  ...

They don't want you to:
  - know their malware is on your machine
  - leave any evidence behind
  - know where they really live
------------------------------------------

------------------------------------------
GOOGLE AS A SOURCE OF MONEY

John Viega in Chapter 7 of "The Myths of Security":

Google ads pay for "clicks"

Click fraud = clicks that are not from real customers

Click fraud can earn money:
  20 clicks a day x $10/click = $73K/yr
------------------------------------------

Q: What security service does click fraud violate?

   integrity

------------------------------------------
ONLINE BANKING AS A SOURCE OF MONEY

Banks don't want fraud, certainly.

But they want customers!
  so just a password protects the account

Standard tradeoff:
------------------------------------------
      ... Security vs. Usability

Q: What are other examples where we trade off usability and security?

   We connect our computers to networks...
   People use the same password for different services, accounts
   We want to use credit cards to pay for everything on the net...

Q: Is it always the case that security implies no usability and vice versa?

   No. Examples include 2-factor authentication with cell phones...

   Don't give people extra decisions to make, use the secure ones!

** good actors

------------------------------------------
GOOD ACTORS: WHO ARE THEY?

Government:
  Dept. of Homeland Security (www.dhs.gov/topic/cybersecurity)
  FBI

Antivirus companies
  McAfee, Symantec, ...

Other security companies
  Raytheon (and its subsidiary MITRE)...
  Barracuda
  Sophos
  Microsoft
------------------------------------------

** absolute security doesn't exist

------------------------------------------
ALL SECURITY IS RELATIVE

We can just make attacks more expensive.

E.g., you can buy a safe,
  install it in the wall of your home,
  put a fence around the home,
  hire a security company to track it.

Is that absolute security for the safe's contents?
------------------------------------------
.... no, criminals can still steal a bulldozer,
     break down the fence and the walls, and extract the safe...

Q: So what are we trying to do in this class with software security?

   Make the attacker's job more expensive:
     hope they go elsewhere
     hope they decide to go out of business

   Defense is never cost effective: consider police work,
     but we are willing to pay for it to keep our sanity and some security...