
Where Do All the Attacks Go?

  • Conference paper
Economics of Information Security and Privacy III

Abstract

The fact that a majority of Internet users appear unharmed each year is difficult to reconcile with a weakest-link analysis. We seek to explain this enormous gap between potential and actual harm. The answer, we find, lies in the fact that an Internet attacker, who attacks en masse, faces a sum-of-effort rather than a weakest-link defense. Large-scale attacks must be profitable in expectation, not merely in particular scenarios. For example, knowing the dog’s name may open an occasional bank account, but the cost of determining one million users’ dogs’ names is far greater than that information is worth. The strategy that appears simple in isolation leads to bankruptcy in expectation. Many attacks cannot be made profitable, even when many profitable targets exist. We give several examples of insecure practices which should be exploited by a weakest-link attacker but are extremely difficult to turn into profitable attacks.
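As an added illustration (not the paper's own model or code), the expected-value reasoning the abstract describes, with constructed numbers: the weakest-link view counts how many individually exploitable targets exist, while the sum-of-effort view charges the attacker for every target attempted, so an attack can be unprofitable even though thousands of targets are vulnerable. The class, both scenarios and all figures are assumptions made for this example.

```python
# Added illustration of the abstract's argument; all numbers are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class MassAttack:
    """One attack run against a whole population of targets."""
    targets: int              # number of users attacked en masse
    cost_per_target: float    # attacker's cost per target (e.g. learning one dog's name)
    p_vulnerable: float       # fraction of targets on whom the insecure practice works
    value_per_success: float  # payout from one successful compromise

    def vulnerable_targets(self) -> float:
        """Weakest-link view: how many individually exploitable targets exist."""
        return self.targets * self.p_vulnerable

    def expected_profit(self) -> float:
        """Sum-of-effort view: every target costs effort; only a fraction pays out."""
        return self.targets * (self.p_vulnerable * self.value_per_success
                               - self.cost_per_target)

    def break_even_cost(self) -> float:
        """Largest per-target cost at which the attack still profits in expectation."""
        return self.p_vulnerable * self.value_per_success


# Constructed scenario 1, the abstract's "dog's name" attack: 1,000 of a million
# accounts really are open to it, so a weakest-link analysis says "exploitable",
# but researching a million names costs far more than those accounts return.
DOGS_NAME = MassAttack(targets=1_000_000, cost_per_target=5.0,
                       p_vulnerable=0.001, value_per_success=500.0)

# Constructed scenario 2, a cheap automated attack with a much lower hit rate:
# the per-target cost is below break-even, so the same population is worth attacking.
AUTOMATED = MassAttack(targets=1_000_000, cost_per_target=0.01,
                       p_vulnerable=0.0005, value_per_success=100.0)


def summarize(attack: MassAttack) -> dict:
    """Both views side by side, so the gap between them is visible."""
    return {"exploitable_targets": attack.vulnerable_targets(),
            "expected_profit": attack.expected_profit(),
            "break_even_cost": attack.break_even_cost(),
            "profitable": attack.expected_profit() > 0}


if __name__ == "__main__":
    for name, a in (("dog's name", DOGS_NAME), ("automated", AUTOMATED)):
        print(name, summarize(a))
```

For a defender the useful output is `break_even_cost`: any per-target cost you can push above it makes the mass version of the attack unprofitable, whatever a weakest-link analysis says about individual accounts.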




Corresponding author

Correspondence to Dinei Florêncio.


Copyright information

© 2013 Springer Science+Business Media New York

About this paper

Cite this paper

Florêncio, D., Herley, C. (2013). Where Do All the Attacks Go?. In: Schneier, B. (eds) Economics of Information Security and Privacy III. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-1981-5_2

Download citation

  • DOI: https://doi.org/10.1007/978-1-4614-1981-5_2


  • Publisher Name: Springer, New York, NY

  • Print ISBN: 978-1-4614-1980-8

  • Online ISBN: 978-1-4614-1981-5

  • eBook Packages: Computer Science (R0)
