tag:blogger.com,1999:blog-5766614972114406938.post3913703118037491092..comments2014-09-09T19:26:34.901+10:00Comments on Cracked, inSecure and Generally Broken: Modelling RiskCraig Wrighthttps://plus.google.com/117910648569393591305noreply@blogger.comBlogger9125tag:blogger.com,1999:blog-5766614972114406938.post-84060184421825346872010-02-17T18:20:08.925+11:002010-02-17T18:20:08.925+11:00"What makes you believe that your original in..."What makes you believe that your original integral for P(E|n) holds?"<br /><br />The integral is not a stationary process and if you check game theoretic models they are mathematical.<br /><br />You should note that I have been using game theoretic models.<br /><br />What matters is fit to the real world and this occurs.Craig S Wrighthttp://www.blogger.com/profile/08415993939211056384noreply@blogger.comtag:blogger.com,1999:blog-5766614972114406938.post-28604048810514425912010-02-17T11:25:50.758+11:002010-02-17T11:25:50.758+11:00What makes you believe that your original integral...What makes you believe that your original integral for P(E|n) holds? This is not a stationary process. I think this original assumption is mistaken. Furthermore, you are assuming that the your actions will not affect the environment. This is not true in security. Game theory is probably a better model here. You don't have to outrun the bear, just the guy next to you.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-5766614972114406938.post-1914919803435585402010-02-17T05:53:15.629+11:002010-02-17T05:53:15.629+11:00Please go to the followup at:
http://gse-complianc...Please go to the followup at:<br />http://gse-compliance.blogspot.com/2010/02/response-to-modeling-risk.html<br /><br />I have answered these responses here.Craig S Wrighthttp://www.blogger.com/profile/08415993939211056384noreply@blogger.comtag:blogger.com,1999:blog-5766614972114406938.post-59902235807029026562010-02-17T04:58:16.126+11:002010-02-17T04:58:16.126+11:00Rereading this post, I realized that I made a mist...Rereading this post, I realized that I made a mistake in my previous response (although that response is not posted -- maybe because of this error).<br /><br />P(compromise) already has the possibility of a vulnerability and the possibility of it being attacked by someone with sufficient motivation and resources built in, doesn't it?<br /><br />I missed this because the work I've done generally requires me to split these things out. And we split them out because they're not well modeled where I work. I've seen some approaches that use a Gaussian curve for parts of this, but I don't generally agree with that approach.<br /><br />I agree with your statement that the probability of compromise increases generally. There's a great deal of evidence to support the statement and it's not hard to see why.<br /><br />There are two problems with your approach that I think I would encounter while trying to use it. First, my company does a lot of in-house development. When a new web application is deployed, assuming we've tested thoroughly and remediated the vulnerabilities we've found, it would appear that the number of vulnerabilities is zero. This is false, of course.<br /><br />So, the very beginning of the modeling exercise must start from an unknown number of possibly theoretical vulnerabilities. It may turn out that the vendor for the application container has a protocol flaw, or the operating system services have some flaw, or the application itself has some non-obvious behaviour defects under unusual circumstances. I expect some of these will be found over time and increase the probability of compromise.<br /><br />What I don't know is the density function to apply when estimating (since I have no historical data at time zero). In addition to this, I may not have a detailed understanding of my user base to factor into the chance of vulnerability.<br /><br />I can choose a standard density function, like the Gaussian for example, but I believe there will be cases where it's difficult to predict with certainty what the risk will be, due to not knowing what key factors will push a particular population of users to produce even one attacker, especially when the population is smaller and more restricted than the Internet at large.<br /><br />And I won't be surprised if you say I simply don't understand statistics well enough in this case to know how to approach the problem. Without question, you understand it better than I do. My reason for pointing to Taleb's work is that he has substantial data indicating that the choice of density function can mask the fact that we don't know something and then the rest of our calculation, while precise, will not be accurate.<br /><br />I believe that better models might be produced with more data, but I also believe those models will be influenced by observation. Risk modeling in the financial sector has to be a sure sign of this. Taleb predicted in 1997 that the model being used wouldn't be accurate and he had analysis to back that position up.Handshttp://www.blogger.com/profile/07147955711209986896noreply@blogger.comtag:blogger.com,1999:blog-5766614972114406938.post-60834277826495430192010-02-14T21:07:52.310+11:002010-02-14T21:07:52.310+11:00PPPS
"not actually random"
SO? You do n...PPPS<br />"not actually random"<br /><br />SO? You do not require randomness for modeling a probabilistic function.<br /><br />I could point out some good introductory probability and stats texts?Craig S Wrighthttp://www.blogger.com/profile/08415993939211056384noreply@blogger.comtag:blogger.com,1999:blog-5766614972114406938.post-70836990588357300702010-02-14T21:06:28.506+11:002010-02-14T21:06:28.506+11:00PPS
As the Pin function is related to other applic...PPS<br />As the Pin function is related to other applications (and not just the SMS one), the SMS function makes the Pin function LESS secure.<br /><br />That is, compromising the SMS feature also compromises the Pin with a high probability.<br /><br />The Pin alone does not necessarily lead to the SMS function being compromised.<br /><br />Hence, adding SMS and PIN is worse than Pin alone. <br /><br />SMS as a separate function to the Pin cannot lead to a pin compromise, so this is (slightly) better than the combination.<br /><br />The simple answer, do not deploy the SMS feature. If you have to, use an external auth method (independent). that does not use the same compromise vector as SMS.Craig S Wrighthttp://www.blogger.com/profile/08415993939211056384noreply@blogger.comtag:blogger.com,1999:blog-5766614972114406938.post-76338336968143349052010-02-14T20:59:14.732+11:002010-02-14T20:59:14.732+11:00PS Scudette,
You have confused dependence and in...PS Scudette, <br /><br />You have confused dependence and independence. <br /><br />SMS and PIN in the example are dependent. The PIN is sent over SMS and hence you can not multiple as you have and assume independence.<br /><br />If you compromise the SMS function, you also can compromise the PIN function.Craig S Wrighthttp://www.blogger.com/profile/08415993939211056384noreply@blogger.comtag:blogger.com,1999:blog-5766614972114406938.post-470866629118263092010-02-14T20:54:04.059+11:002010-02-14T20:54:04.059+11:00Probability is of course reliant to risk and secur...Probability is of course reliant to risk and security.<br /><br />"Your basic assumption by using probability theory is that the probability of failure is constant for all attackers - and the event happens randomly."<br /><br />Not at all. You have missed the point here totally.<br /><br />In fact, I have stated that the SMS only application is "inherently" insecure. This is, it will start with a given failure rate that will, over time, increase. <br /><br />So the longer the application runs, the less secure it becomes. <br /><br />"Security is really simple"<br />Security is a trade off. It is an economic function. There is no such thing as perfect security.<br /><br />"Support you have a service exposed to the world - the probability of compromise is not constant and has nothing to do with the length of time the service is exposed - either its vulnerable or not."<br /><br />No, it is a function of the time and the number of users. This is both malicious and real users. <br /><br />These functions can be modeled, this is simple. The fact that some people do not understand this is not the point.Craig S Wrighthttp://www.blogger.com/profile/08415993939211056384noreply@blogger.comtag:blogger.com,1999:blog-5766614972114406938.post-8888176594848906332010-02-14T20:28:47.239+11:002010-02-14T20:28:47.239+11:00Craig,
This post is rather confused. You state ...Craig,<br /> This post is rather confused. You state that:<br /><br />The probability that an SMS only system can be cracked is simply the P(C.SMS) function and this is far lower than a system that deploys multiple methods.<br /><br />From a simple arithmetic pov its clear that multiplying 2 probabilities results in smaller probability (as both numbers are less than 1) so P(C.SMS) * P(C.PIN) < P(C.SMS)<br /><br />unless of course the pin is automatically compromised.<br /><br />Neglecting that it is rather dangerous of you to take about the statistics and probability of security vulnerabilities when these event are not actually random. While probability theory might be acceptable for dice rolling when the outcome is random it is entirely not applicable for a security system where the likelyhood of the event occurance does not depend on chance, rather on the attacker knowing a vulnerability in your system.<br /><br />Support you have a service exposed to the world - the probability of compromise is not constant and has nothing to do with the length of time the service is exposed - either its vulnerable or not. If its not vulnrable you can leave it there for an infinite length of time before its compromised. If its vulnerable, and you are aware of it, it will get hacked quickly. If it is vulneable with a zero day and you dont know about it - you are not in a position to estimate the risk.<br /><br />Security is really simple - dont make it too complex by throwing numbers around - it just confuses people. Your basic assumption by using probability theory is that the probability of failure is constant for all attackers - and the event happens randomly.<br /><br />Probability theory is not applicable to security. You are better off designing a system which is as secure as you possibly can make it rather than knowingly leaving a system vulnerable just because your math tells you there is a mean time before failure of 20 years.Scudettehttp://www.blogger.com/profile/00290957716409467236noreply@blogger.com