frequency of security violations

Post by Jeph Herri » Fri, 06 Nov 1998 04:00:00



for some research on the security of web-based
medical databases, i'm trying to find some estimates of
the likelihood of successful attacks (as a percentage
of all attacks) by crackers (aka hackers) on various
Internet technologies: firewalls, Unix (one or more
flavors), SSL, etc.

ideally i'll end up with some assertions like "of all
attacks on firewalls last year, between 1%-20% were
successful". i doubt there's any accurate measure of
these things, but some authoritative [*sic*] guesses
would be useful.

to help avoid redundancy i'll note that my one lead so
far is an unpublished dissertation:
<http://www.cert.org/research/JHThesis/index.html>.

thanks,
jeph

--
Jeph Herrin, Ph.D.
Emory University

404.727.1173

Post by Nick Maclar » Fri, 06 Nov 1998 04:00:00




>for some research on the security of web-based
>medical databases, i'm trying to find some estimates of
>the likelihood of successful attacks (as a percentage
>of all attacks) by crackers (aka hackers) on various
>Internet technologies: firewalls, Unix (one or more
>flavors), SSL, etc.

>ideally i'll end up with some assertions like "of all
>attacks on firewalls last year, between 1%-20% were
>successful". i doubt there's any accurate measure of
>these things, but some authoritative [*sic*] guesses
>would be useful.

If you find any documents with statements like that, treat them as
unreliable :-(

The statistical analysis of such things is not simple, and is
usually mishandled.  This leads to bullshitters, er, politicians
persuading their constituency that they are doing something useful
when they aren't.  And politicians aren't just elected - many or
most CEOs are politicians.

A simple example of this is that a lot of 'attacks' are the result
of running copies of a single packaged toolkit.  Should each be
counted as one attack or each toolkit counted once?

Another is whether to count unauthorised accesses as attacks, when
they may be simple mistakes or Microsoftisms.  A LOT of apparent
attacks on Web servers are like that.

Regards,
Nick Maclaren,
University of Cambridge Computing Service,
New Museums Site, Pembroke Street, Cambridge CB2 3QG, England.

Tel.:  +44 1223 334761    Fax:  +44 1223 334679
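
Nick's counting problem as an added example, not part of the thread: eight constructed request lines yield a "success rate" of 25%, 40%, 33% or 67% depending on whether each run of a packaged toolkit or each toolkit counts as one attack, and whether harmless client quirks are dropped first. The line format, the toolkit label and the list of harmless paths are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real logs): source, request, outcome, and the
# toolkit fingerprint a signature matcher would attach ("none" = no match).
LOG = """\
192.0.2.10 /cgi-bin/scan-a denied sig=toolkit-A
192.0.2.11 /cgi-bin/scan-a denied sig=toolkit-A
192.0.2.12 /cgi-bin/scan-a success sig=toolkit-A
198.51.100.5 /cgi-bin/scan-b denied sig=toolkit-A
203.0.113.7 /_vti_inf.html denied sig=none
203.0.113.8 /_vti_bin/shtml.exe denied sig=none
203.0.113.9 /admin/ denied sig=none
203.0.113.20 /admin/export.cgi success sig=none
"""
LINE = re.compile(r"^(?P<src>\S+) (?P<path>\S+) (?P<result>denied|success) sig=(?P<sig>\S+)$")

# Requests that FrontPage-style clients send by themselves; counting them as
# attacks is the "simple mistakes or Microsoftisms" problem (assumed list).
MISTAKE_PATHS = {"/_vti_inf.html", "/_vti_bin/shtml.exe"}

def parse(log):
    return [m.groupdict() for m in map(LINE.match, log.splitlines()) if m]

def success_rate(events, per_toolkit=False, drop_mistakes=False):
    """Share of 'attacks' that succeeded under the chosen counting rule."""
    if drop_mistakes:
        events = [e for e in events if e["path"] not in MISTAKE_PATHS]
    if per_toolkit:
        # Every run of one packaged toolkit folds into a single attack, which
        # counts as successful if any of its runs got through.
        groups = defaultdict(list)
        for e in events:
            key = e["sig"] if e["sig"] != "none" else (e["src"], e["path"])
            groups[key].append(e["result"])
        outcomes = ["success" if "success" in r else "denied" for r in groups.values()]
    else:
        outcomes = [e["result"] for e in events]
    return sum(o == "success" for o in outcomes) / len(outcomes) if outcomes else 0.0

def report(log=LOG):
    """The same lines under four counting rules: 25%, 40%, 33% and 67%."""
    ev = parse(log)
    return {"per_event": success_rate(ev),
            "per_toolkit": success_rate(ev, per_toolkit=True),
            "no_mistakes": success_rate(ev, drop_mistakes=True),
            "both": success_rate(ev, per_toolkit=True, drop_mistakes=True)}
```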

Post by Jim Meri » Fri, 06 Nov 1998 04:00:00



>ideally i'll end up with some assertions like "of all
>attacks on firewalls last year, between 1%-20% were
>successful". i doubt there's any accurate measure of
>these things, but some authoritative [*sic*] guesses
>would be useful.

Try Information Week October 1996 and InfoSecurity News May 1997.

--
James W. Meritt, CISSP
Senior Security Systems Engineer employed by Wang Global
The opinions expressed above are my own.  The facts simply are and belong to
none.

Post by Thad Humphri » Sat, 07 Nov 1998 04:00:00



> for some research on the security of web-based
> medical databases, i'm trying to find some estimates of
> the likelihood of successful attacks (as a percentage
> of all attacks) by crackers (aka hackers) on various
> Internet technologies: firewalls, Unix (one or more
> flavors), SSL, etc.

> ideally i'll end up with some assertions like "of all
> attacks on firewalls last year, between 1%-20% were
> successful". i doubt there's any accurate measure of
> these things, but some authoritative [*sic*] guesses
> would be useful.

I wouldn't hold out any hope of an accurate estimate.  Many companies do
not make this sort of info public--bad press, black eye to stockholders,
gives the competition ammo, etc.  Many may not even know they've been
hacked.  Others, like the NSA and Defense Dept, overstate the case for
their own purposes.

--------------------------------------------------------------------
Thad Humphries                  "'Open Systems' means no fences. And
Software Engineer (aka, Nerd)    no fences means no use for Gates."
Phone: 540/675-3015, ext. 225                     - Sun Microsystems

Post by Bennett To » Sat, 07 Nov 1998 04:00:00


Jeph Herrin:

>for some research on the security of web-based medical databases, i'm
>trying to find some estimates of the likelihood of successful attacks (as
>a percentage of all attacks) by crackers (aka hackers) on various Internet
>technologies: firewalls, Unix (one or more flavors), SSL, etc.

I doubt you're going to find much useful out there. There are enough good
tools available that intrinsically bad tools are flushed out fast, with one
gigantic and hideous counterexample, of course :-).

I'd hazard a guess that most web site burglaries come from a few common
categories of error:

        - using old versions of daemons, with well-known security holes that
          are fixed in newer versions;

        - supporting services with poor security on servers that need better
          security;

        - configuration errors, e.g. allowing access to system security files
          via un- or poorly-authenticated network protocols;

        - programming errors, esp. CGIs doing inadequate parameter checking;

        - poor design; e.g. placing something like a commercial relational
          database with poor access control out directly visible to the
          internet.

By and large, you can construct a site that will not be burgled by a fairly
direct approach. (1) Be paranoid; always assume that attackers are smarter
and more knowledgeable than people publishing exploits. (2) Leave out all
services that aren't absolutely mandatory, and make sure that the mandatory
services really are. (3) If you have a mandatory service that can't be well
secured, shove it off onto a separate, sacrificial box, behind a firewall. (4)
Design your site architecture with security as the primary goal.
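
As an added example (not from Bennett's post or the PCASSO project) covering both the "CGIs doing inadequate parameter checking" category above and rule (1): the unchecked path builder next to a handler that accepts one exact id shape and still verifies where the resulting path resolves. The record directory, the six-digit id format and the handler itself are constructed for the illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs

RECORD_DIR = "/srv/records"          # constructed location of the record files
RECORD_ID = re.compile(r"[0-9]{6}")  # the only shape a record id is allowed to have

def record_path_unchecked(record_id):
    """The error class named in the post: the client's value is used as sent."""
    return posixpath.join(RECORD_DIR, record_id + ".txt")

def unchecked_escapes(record_id):
    """True when the unchecked path resolves somewhere outside RECORD_DIR."""
    resolved = posixpath.normpath(record_path_unchecked(record_id))
    return posixpath.dirname(resolved) != RECORD_DIR

def record_path_checked(record_id):
    """Rule (1) applied to one parameter: accept only the exact allowed shape,
    and still verify that the resolved path stays inside RECORD_DIR."""
    if not RECORD_ID.fullmatch(record_id):
        raise ValueError("record id must be exactly six digits")
    path = posixpath.normpath(posixpath.join(RECORD_DIR, record_id + ".txt"))
    if posixpath.dirname(path) != RECORD_DIR:
        raise ValueError("record id resolves outside the record directory")
    return path

def is_accepted(record_id):
    try:
        record_path_checked(record_id)
        return True
    except ValueError:
        return False

def handle(query_string):
    """Constructed CGI-style handler: returns (status, path or message).
    A missing or repeated id is refused rather than silently picked."""
    ids = parse_qs(query_string, keep_blank_values=True).get("id", [])
    if len(ids) != 1:
        return 400, "exactly one id parameter required"
    try:
        return 200, record_path_checked(ids[0])
    except ValueError as exc:
        return 400, str(exc)

if __name__ == "__main__":
    print(record_path_unchecked("../x"), unchecked_escapes("../x"))  # /srv/records/../x.txt True
    print(handle("id=123456"), handle("id=../x"))
```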

My favourite example of conservative web-site design in the public literature
is, interestingly enough, a medical database. Hmm. Coincidence? :-) Take a
looksie at PCASSO[1].

-Bennett

[1] <URL:http://medicine.ucsd.edu/pcasso/index.html>

Post by Joe Sha » Mon, 09 Nov 1998 04:00:00


The Computer Security Institute does a study every year with the FBI that
might be of some help.  It should be available on their website.  The URL
is http://www.gocsi.org

Regards,

NetAdmin/Security  - Insync Internet Services
Free UNIX advocate - "I hack, therefore I am."


> for some research on the security of web-based
> medical databases, i'm trying to find some estimates of
> the likelihood of successful attacks (as a percentage
> of all attacks) by crackers (aka hackers) on various
> Internet technologies: firewalls, Unix (one or more
> flavors), SSL, etc.

> ideally i'll end up with some assertions like "of all
> attacks on firewalls last year, between 1%-20% were
> successful". i doubt there's any accurate measure of
> these things, but some authoritative [*sic*] guesses
> would be useful.

> to help avoid redundancy i'll note that my one lead so
> far is an unpublished dissertation:
> <http://www.cert.org/research/JHThesis/index.html>.

> thanks,
> jeph

> --
> Jeph Herrin, Ph.D.
> Emory University

> 404.727.1173

Post by J.T.J. Midgl » Mon, 09 Nov 1998 04:00:00




>The Computer Security Institute does a study every year with the FBI that
>might be of some help.  It should be available on their website.  The URL
>is http://www.gocsi.org

After trying various alternatives, ITYM http://www.gocsi.com

--

Trinity Hall              Excession: http://excession.ucam.org
"For every complex problem, there is a solution that is simple,
neat, and wrong."  (H. L. Mencken)

Post by Joe Sha » Mon, 09 Nov 1998 04:00:00



> >is http://www.gocsi.org

> After trying various alternatives, ITYM http://www.gocsi.com


> Trinity Hall              Excession: http://excession.ucam.org

Sorry, I forgot they aren't a non-profit.

Regards,

NetAdmin/Security  - Insync Internet Services
Free UNIX advocate - "I hack, therefore I am."

Post by Jeph Herri » Tue, 10 Nov 1998 04:00:00


Thanks for the replies. If anyone's interested in what (if anything)
else I turn up, drop me a line.

Jeph



> > >is http://www.gocsi.org

> > After trying various alternatives, ITYM http://www.gocsi.com


> > Trinity Hall              Excession: http://excession.ucam.org

> Sorry, I forgot they aren't a non-profit.

> Regards,

> NetAdmin/Security  - Insync Internet Services
> Free UNIX advocate - "I hack, therefore I am."

--
Jeph Herrin
Emory University

404.727.1173

security violation behind a firewall??

I have a linux 2.0.36 machine running behind a firewall here.  A short
time ago, the following message appeared on the console, repeated 12
times:

"Security Violation packet from 169.254.217.207 REJECTED"

That IP address doesn't resolve to a name... the message did not appear
in /var/log/messages, or in any other log that I can locate.  I can't
find this message in a google search.  

Can anyone tell me where this came from???  The machine that got it has a
non-routable address on a local network, so there's *two* mystery
questions here:

1. how did an outside address even get access to me??

2. what application generated this report??

I would be *very* grateful for any insights that anyone might have about
this...

TIA

        Dan Miller
