Feeds

Trusted computing a shield against worst attacks?

The case for identifiable devices

SANS - Survey on application security programs

In many cases, however, trusted computing hardware could be overkill.

Even if companies accept that device identification could stymie 84 per cent of the most damaging attacks, that does not necessarily mean that trusted computing is the only way to go, said Seth Schoen, staff technologist at the Electronic Frontier Foundation, who has researched the potential societal effects of trusted computing in the past.

"In some cases, there may be cheaper and simple ways to defend against some of the attacks," he said in an email interview with SecurityFocus. "For example, IP addresses could be used to authenticate some machines - and are probably sufficient under some threat models and policies to make the distinction between 'sanctioned' and 'unsanctioned' machines."

Moreover, Schoen still has questions about the methodology of the report, because the version of the report available online does not provide much detail about the data set. The study found that the industries hardest hit by attacks were government, retail and high-tech, and that 78 per cent of attackers used a home computer to do the deed, but that leaves a lot of questions unanswered, Schoen said.

Companies should ask whether they can reliably distinguish between sanctioned and unsanctioned computers on the network, whether employees working from home on unsanctioned computers would be allowed to access the network, and whether the technology could be deployed pervasively enough to matter.

"We would need to know that the unsanctioned computers were actually necessary to the commission of these crimes, and that the crimes could not have been committed without using the unsanctioned computers," he said. "Here, especially, we have no evidence whatsoever."

The report accounts for most of those questions, said Bill Bosen, founding partner of Trusted Strategies, the firm that researched and created the report.

The analyst trimmed down the data set to only those cases that included information on damages, where the computers used to stage the attack was located, and the relationship of the defendant to the organisation hit. Home computers used by someone unrelated to the company were considered 'unsanctioned' while computers located on the company premises were 'sanctioned', Bosen said.

"We think the margin of error was small. Device authentication would not have stopped all crimes. For example, there were a number of cases were the individual had valid credentials and was on a company machine but overstepped their authorisation."

The study found that an attacker with valid credential could do far more damage than a program that exploited some other flaw to gain control of a system. The average cost of a virus attack to any single company was about $2,400, far lower than the $1.5m caused by attackers armed with a valid username and password, Bosen said.

Perhaps a larger question regarding the report is whether a study funded by a company benefiting from the conclusions should be taken seriously. While the report takes the form of a whitepaper supporting Phoenix Technologies security product, that should not take away from the validity of it, said Suzy Bauter, a spokesperson for the company.

"We originally did the research to make sure that we were going down the right path and make sure that we were solving the right problem," she said. "Sure, it's self serving, but it is what it is. We didn't create the common denominators found by the report."

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.