Trusted computing a shield against worst attacks?
The case for identifiable devices
In many cases, however, trusted computing hardware could be overkill.
Even if companies accept that device identification could stymie 84 per cent of the most damaging attacks, that does not necessarily mean that trusted computing is the only way to go, said Seth Schoen, staff technologist at the Electronic Frontier Foundation, who has researched the potential societal effects of trusted computing in the past.
"In some cases, there may be cheaper and simple ways to defend against some of the attacks," he said in an email interview with SecurityFocus. "For example, IP addresses could be used to authenticate some machines - and are probably sufficient under some threat models and policies to make the distinction between 'sanctioned' and 'unsanctioned' machines."
Moreover, Schoen still has questions about the methodology of the report, because the version of the report available online does not provide much detail about the data set. The study found that the industries hardest hit by attacks were government, retail and high-tech, and that 78 per cent of attackers used a home computer to do the deed, but that leaves a lot of questions unanswered, Schoen said.
Companies should ask whether they can reliably distinguish between sanctioned and unsanctioned computers on the network, whether employees working from home on unsanctioned computers would be allowed to access the network, and whether the technology could be deployed pervasively enough to matter.
"We would need to know that the unsanctioned computers were actually necessary to the commission of these crimes, and that the crimes could not have been committed without using the unsanctioned computers," he said. "Here, especially, we have no evidence whatsoever."
The report accounts for most of those questions, said Bill Bosen, founding partner of Trusted Strategies, the firm that researched and created the report.
The analyst trimmed down the data set to only those cases that included information on damages, where the computers used to stage the attack was located, and the relationship of the defendant to the organisation hit. Home computers used by someone unrelated to the company were considered 'unsanctioned' while computers located on the company premises were 'sanctioned', Bosen said.
"We think the margin of error was small. Device authentication would not have stopped all crimes. For example, there were a number of cases were the individual had valid credentials and was on a company machine but overstepped their authorisation."
The study found that an attacker with valid credential could do far more damage than a program that exploited some other flaw to gain control of a system. The average cost of a virus attack to any single company was about $2,400, far lower than the $1.5m caused by attackers armed with a valid username and password, Bosen said.
Perhaps a larger question regarding the report is whether a study funded by a company benefiting from the conclusions should be taken seriously. While the report takes the form of a whitepaper supporting Phoenix Technologies security product, that should not take away from the validity of it, said Suzy Bauter, a spokesperson for the company.
"We originally did the research to make sure that we were going down the right path and make sure that we were solving the right problem," she said. "Sure, it's self serving, but it is what it is. We didn't create the common denominators found by the report."
This article originally appeared in Security Focus.
Copyright © 2006, SecurityFocus