Archive for the ‘Economics’ Category

Finding the Right Rewards for Security Contests

Friday, April 17th, 2009

At a recent Dagstuhl seminar on web application security, I spoke with Jasvir Nagra (one of the people at Google working on Caja) about the best way to run a public security contest. The goal of such a contest is to encourage people to find as many bugs as possible, with larger rewards for more severe security vulnerabilities. As a starting point, we discussed the ongoing Google Native Client (NaCl) security contest. In that contest, the top five bug-finders over a ten-week period receive recognition and cash prizes of $8192, $4096, $2048, $1024, and $1024. While this model has its strengths, the way it incentivizes security research is problematic. This article discusses how to design a security contest more effectively.


HotSec Presentation: Quantifying the Strength of Security Systems

Wednesday, August 8th, 2007

David Lie from the University of Toronto gave a very provocative talk today at HotSec about an infrastructure for quantifying system security. The basic idea is that a central organization runs reward-based challenges to test a system's security, then publishes certificates stating how long attackers were given to break the system and the size of the reward offered. This information allows one to make more intelligent decisions about protecting valuable resources.

Building a Threat Model: Hackenomics (Part 2 - The Cost of Hacking)

Thursday, July 19th, 2007

In the previous article in this series, we looked at the benefits of hacking. However, few home computers are hit with sophisticated targeted attacks, because those attacks simply cost too much. The hacker's time is the most obvious cost, but in some cases the risk of getting caught is also serious. This article attempts to quantify the costs of hacking and compare them to the benefits from the previous article, in order to construct a reasonable model of the attacks that are likely on your network.

Building a Threat Model: Hackenomics (Part 1 - How Much Is Your Network Worth?)

Tuesday, July 3rd, 2007

The best way to determine what threatens the systems in your network is to construct a cost-benefit model for hackers. This can be challenging because the cost of hacking is mostly time (often that of a clever but unpaid teenager) plus the risk of fines or imprisonment, while the benefits can be monetary but are often less tangible: entertainment, fame, or damaging an enemy. This article takes a general look at what a hacker has to gain from breaking into your network, taking all of these factors into account.

Building a Threat Model: Hackenomics (Introduction)

Tuesday, July 3rd, 2007

The first step in assessing a system’s security is asking yourself, and answering, some difficult questions:

  1. How much is control over my system’s digital resources worth to a hacker?
  2. Based on (1), who has sufficient incentive to attack me and what are their capabilities?
  3. How much do I stand to lose from an attack?
  4. How much will it cost me to prevent or reduce the risk of an attack?

The answers to these questions dictate your threat model or, more simply, the level of risk you are willing to accept for each kind of attack on your system. For most people and organizations, the acceptable risk from indiscriminate script-kiddie attacks against anything and everything with an IP address is as low as possible. By contrast, only organizations with a lot to lose are likely to find it economical to conduct employee background checks in order to combat theft by an insider. The following series of articles explores a methodology for answering the above questions and building a threat model that is appropriate for your organization.
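The four questions above, together with the attacker benefits of Part 1 and the attacker costs of Part 2, amount to a small cost-benefit model. The following Python is an added worked example of that model; it is not code from the Hackenomics articles. Every attacker profile, asset value, probability and dollar figure in it is a constructed illustrative number chosen to make the comparison visible, not a measurement. Non-monetary benefits (entertainment, fame, hurting an enemy) are folded in as a dollar-equivalent the attacker is assumed to place on them.

```python
"""Toy 'hackenomics' cost-benefit model (added example, constructed numbers)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Attacker:
    """One attacker profile. All fields are assumptions for the example."""
    name: str
    hourly_rate: float        # what an hour of the attacker's time is worth to them
    hours_needed: float       # effort required to compromise this kind of target
    p_caught: float           # probability of being identified and prosecuted
    penalty: float            # cost to the attacker if caught, in dollar terms
    non_monetary_gain: float  # entertainment, fame, revenge, valued in dollars


# Constructed profiles. The unpaid teenager values their time at zero and runs
# automated scans against everything; the professional and the insider bill
# their time and face a much more realistic chance of prosecution.
SCRIPT_KIDDIE = Attacker("script kiddie", 0.0, 1.0, 0.001, 50_000.0, 200.0)
PROFESSIONAL = Attacker("targeted professional", 150.0, 80.0, 0.05, 500_000.0, 0.0)
INSIDER = Attacker("insider", 60.0, 10.0, 0.30, 200_000.0, 0.0)
ATTACKERS = [SCRIPT_KIDDIE, PROFESSIONAL, INSIDER]


def attacker_benefit(asset_value: float, attacker: Attacker) -> float:
    """Question 1: what control over the asset is worth to this attacker."""
    return asset_value + attacker.non_monetary_gain


def attacker_cost(attacker: Attacker) -> float:
    """Part 2: time spent plus the expected cost of getting caught."""
    time_cost = attacker.hourly_rate * attacker.hours_needed
    expected_penalty = attacker.p_caught * attacker.penalty
    return time_cost + expected_penalty


def expected_net_payoff(asset_value: float, attacker: Attacker) -> float:
    """Benefit minus cost; a positive value means the attack is rational."""
    return attacker_benefit(asset_value, attacker) - attacker_cost(attacker)


def likely_attackers(asset_value: float, attackers: list[Attacker]) -> list[str]:
    """Question 2: who has sufficient incentive to attack an asset of this value."""
    return [a.name for a in attackers if expected_net_payoff(asset_value, a) > 0]


def mitigation_worthwhile(expected_loss: float, p_attack_per_year: float,
                          mitigation_cost_per_year: float, risk_reduction: float) -> bool:
    """Questions 3 and 4: does the control avoid more annual loss than it costs?

    expected_loss      -- what a successful attack costs the defender
    p_attack_per_year  -- assumed annual probability of that attack succeeding
    risk_reduction     -- fraction of that probability the control removes (0..1)
    """
    loss_before = expected_loss * p_attack_per_year
    loss_after = loss_before * (1.0 - risk_reduction)
    return (loss_before - loss_after) > mitigation_cost_per_year


if __name__ == "__main__":
    for asset, value in (("home PC", 100.0), ("corporate finance server", 1_000_000.0)):
        print(f"{asset} (${value:,.0f}): likely attackers -> {likely_attackers(value, ATTACKERS)}")
    # The page's example: background checks only pay off when there is a lot to lose.
    for org, loss in (("small shop", 1_000_000.0), ("large firm", 10_000_000.0)):
        worth_it = mitigation_worthwhile(loss, p_attack_per_year=0.02,
                                         mitigation_cost_per_year=20_000.0,
                                         risk_reduction=0.5)
        print(f"{org}: background checks worthwhile? {worth_it}")
```

With these constructed inputs, only the script kiddie finds a home PC worth attacking, while all three profiles have positive expected payoff against a million-dollar asset; and the same annual background-check budget is uneconomical for the small organization but pays for itself at the large one. The point of the exercise is not the specific numbers but that the threat model falls out of the comparison: the attacks worth defending against are the ones where the attacker's expected payoff is positive and your avoided loss exceeds the cost of the control.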