Very Computer

for some research on the security of web-based
medical databases, i'm trying to find some estimates of
the likelihood of successful attacks (as a percentage
of all attacks) by crackers (aka hackers) on various
Internet technologies: firewalls, Unix (one or more
flavors), SSL, etc.

ideally i'll end up with some assertions like "of all
attacks on firewalls last year, between 1%-20% were
successful". i doubt there's any accurate measure of
these things, but some authoritative [*sic*] guesses
would be useful.

to help avoid redundancy i'll note that my one lead so
far is an unpublished dissertation:
<http://www.cert.org/research/JHThesis/index.html>.

thanks,
jeph

--
Jeph Herrin, Ph.D.
Emory University

404.727.1173

Quote:

>for some research on the security of web-based
>medical databases, i'm trying to find some estimates of
>the likelihood of successful attacks (as a percentage
>of all attacks) by crackers (aka hackers) on various
>Internet technologies: firewalls, Unix (one or more
>flavors), SSL, etc.

>ideally i'll end up with some assertions like "of all
>attacks on firewalls last year, between 1%-20% were
>successful". i doubt there's any accurate measure of
>these things, but some authoritative [*sic*] guesses
>would be useful.

The statistical analysis of such things is not simple, and is
usually mishandled.  This leads to bullshitters, er, politicians
persuading their constituency that they are doing something useful
when they aren't.  And politicians aren't just elected - many or
most CEOs are politicians.

A simple example of this is that a lot of 'attacks' are the result
of running copies of a single packaged toolkit.  Should each be
counted as one attack or each toolkit counted once?

Another is whether to count unauthorised accesses as attacks, when
they may be simple mistakes or Microsoftisms.  A LOT of apparent
attacks on Web servers are like that.

Regards,
Nick Maclaren,
University of Cambridge Computing Service,
New Museums Site, Pembroke Street, Cambridge CB2 3QG, England.

Tel.:  +44 1223 334761    Fax:  +44 1223 334679

Quote:>ideally i'll end up with some assertions like "of all
>attacks on firewalls last year, between 1%-20% were
>successful". i doubt there's any accurate measure of
>these things, but some authoritative [*sic*] guesses
>would be useful.

--
James W. Meritt, CISSP
Senior Security Systems Engineer employeed by Wang Global
The opinions expressed above are my own.  The facts simply are and belong to
none.

--------------------------------------------------------------------
Thad Humphries                  "'Open Systems' means no fences. And
Software Engineer (aka, Nerd)    no fences means no use for Gates."
Phone: 540/675-3015, ext. 225                     - Sun Microsystems

Quote:>for some research on the security of web-based medical databases, i'm
>trying to find some estimates of the likelihood of successful attacks (as
>a percentage of all attacks) by crackers (aka hackers) on various Internet
>technologies: firewalls, Unix (one or more flavors), SSL, etc.

I'd hazard a guess that most web site burglaries come from a few common
categories of error:

        - using old versions of daemons, with well-known security holes that
          are fixed in newer versions;

        - supporting services with poor security on servers that need better
          security;

        - configuration errors, e.g. allowing access to system security files
          via un- or poorly-authenticated network protocols;

        - programming errors, esp. CGIs doing inadequate parameter checking;

        - poor design; e.g. placing something like a commercial relational
          database with poor access control out directly visible to the
          internet.

By and large, you can construct a site that will not be burgled by a fairly
direct a approach. (1) Be paranoid; always assume that attackers are smarter
and more knowledgeable than people publishing exploits. (2) Leave out all
services that aren't absolutely mandatory, and make sure that the mandatory
services really are. (3) If you have a mandatory service that can't be well
secured, shove it off onto a separate, sacrificial box, behind a firewall. (4)
Design your site architecture with security as the primary goal.

My favourite example of conservative web-site design in the public literature
is, interestingly enough, a medical database. Hmm. Coincidence? :-) Take a
looksie at PCASSO[1].

-Bennett

[1] <URL:http://medicine.ucsd.edu/pcasso/index.html>

Regards,

NetAdmin/Security  - Insync Internet Services
Free UNIX advocate - "I hack, therefore I am."

Quote:>The Computer Security Institute does a study every year with the FBI that
>might be of some help.  It should be available on their website.  The URL
>is http://www.gocsi.org

--

Trinity Hall              Excession: http://excession.ucam.org
"For every complex problem, there is a solution that is simple,
neat, and wrong."  (H. L. Mencken)

Regards,

NetAdmin/Security  - Insync Internet Services
Free UNIX advocate - "I hack, therefore I am."

Jeph