The usual framework is to use quantitative risk analysis and calculate
exposure factor (the amount that will be lost in an attack, up to the
value of the asset) separately from the (annualized) rate of
occurrence. It would be interesting to see someone actually document
the relationship between target value and rate of occurrence, but most
of the material about quantitative risk analysis in the context of
information assurance has been complete handwaving, or else too
complicated for anyone to actually use in practice; existing
frameworks look a little like doi:10.1016/j.cose.2010.02.002
<http://dx.doi.org/10.1016/j.cose.2010.02.002>: a lengthy list of
essentially unknowable contingent probabilities based on incomplete
information.
Thinking about QRA I'd have to say that the desirability of a target for
an attacker must factor into the periodic rate of occurrence, but I
don't actually know anyone who is doing that as an established,
documented practice (alas). I think this remains an unsolved problem.
How would you quantify the valence of lulz? Attackers aren't uniform in
their goals either, and external events can affect valence. LastPass is
interesting because it seems to be useful to basically any attacker, but
this is true of surprisingly few targets. Maybe that is a good place to
start?
In a QRA framework, competent coding serves mainly to reduce the rate of
occurrence of attacks.
--Falcon
On 2016-07-27 12:41, David Fetter wrote:
On Wed, Jul 27, 2016 at 09:57:14AM -0700, travis+ml-lang...@subspacefield.org wrote:
https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/
Something about FSRs and parsing.
This brings up something that isn't actually in the realm of langsec,
but since it came up here, I'll set out a few thoughts here.
Even given supremely competent coding, which is not in evidence in
LastPass, does the act of creating a target with that high a value
/ipso facto/ make it more likely to be attacked successfully? There's
some game theory and non-equilibrium economics here that I'm really
not competent to address.
Are there any formal ways to address such questions? Obviously,
they're not strictly langsec, but since I'm such a n00b at matters
security, I just don't know even what keywords to start my search
with.
Help!
Best,
David.
_______________________________________________
langsec-discuss mailing list
langsec-discuss@mail.langsec.org
https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss