Xconomist of the Week: Stefan Savage on Computer Security
(Page 4 of 4)
manipulate social media sites?
SS: I think fake identities are part and parcel of undercover investigations and so I’m not fundamentally concerned that this capability exists. It’s a bit more interesting when you consider that this capability might be scaled to create millions of fake identities that interact automatically, i.e., social-bots. This potential for scale, combined with our increasing trust in online identities does create interesting new security issues.
X: Where do you think the biggest opportunities are for improving security?
SS: I think in order to best address cyber-attacks we really need to understand the attacker’s world better. While we’re used to thinking about cyber-attacks as technical endeavors, that’s only part of the picture.
For example, most large-scale attacks today are commercial in nature—the attacker is profit-seeking. While we invest a great deal of money and effort (rightly so) in trying to technically harden our systems against attack, it is rare for us to consider how these defenses actually impact the attacker’s bottom line. In most cases, the underlying business model has already “priced in” the impact of defenses, and the end-system is not in fact the most critical part of the attacker’s value chain. In fact, compromised U.S. hosts are available in bulk for $100 per thousand, Asian hosts for a tenth less.
When you invest the time to understand how the attacker’s value chain works, this provides pointers to where their true weak points are. In our examination of the spam ecosystem it became clear that there was just no way that spam filtering, blacklistings, or takedowns were ever going to cause enough financial drag to undermine the spam advertising channel. However, it turns out that the payment systems by which advertised goods and services accept consumer credit cards are a huge weak link that has no cheap substitute. That is going to be a far more effective place to intervene. This kind of analysis is appropriate for a wide variety of security situations, but it’s rarely undertaken because it requires considerable time and effort, and it doesn’t necessarily lend itself to selling a product.