Feeds

Laptop losses and phishing fruit salad

The need for accurate risk assessment

The Essential Guide to IT Transformation

Dr Neal Krawetz takes a look at the numbers behind reports of laptop thefts and phishing attacks, showing inconsistent metrics and the difficulty in using numbers to determine the real level of threat.

Security is about evaluating risks. And who knows more about evaluating risks than insurance companies? For example, the automobile insurance industry invests in studies about driver safety, likelihood of an accident, estimated amount of damage, and the average cost of repair. This is how they measure risk.

In the computer field, risk is based on attributes such as ease of exploitation, required skillset to conduct the exploit, number of impacted systems, estimated loss, and amount of damage. It doesn't make sense to spend $10,000 on a high-end firewall to protect a $2,000 computer containing little intellectual property.

Whether it is car, medical, or liability coverage, insurance companies have very specific metrics. My insurance agent can quickly look up my chances of being in a serious auto accident based on my occupation, distance from work, number of miles driven per year, and type of car - and that's before adding in my driving history. Banks have similar metrics and in-depth understandings of their risks.

However, few computer organisations have equivalent metrics. What are your odds of being attacked? What is the likelihood of a successful attack? What is the estimated loss from an attack? Many of the metrics we use today are based on half-truths and floating numbers - random statistics without context. When we hear that a laptop was stolen and that it contained thousands of pieces of personal information, should we be worried? What is the likelihood of the compromised information actually being used?

Just as fear, uncertainty, and doubt (FUD) can sway opinions about our security, these random statistics also influence our opinion about how safe we are online. But exactly how safe are we?

Playing with numbers

In September 2006, the Washington Post reported that 1,137 government laptops had been stolen since 2001 from the Commerce Department. That's a big number...However, it is a number without context. How many laptops has the Commerce Department had since 2001?

The US Commerce Department employs about 36,000 people. So if we assume that they all have laptops, then 1,137 lost laptops becomes three per cent of their workforce. Now we have context - and it seems like a high number. The percentage increases if we assume that only 10 per cent of the people have laptops (30 per cent lost), and decreases if we count replacement laptops.

For example, few people use laptops longer than three years. Between dead batteries, damage from long-term use, and an inability to run the latest-and-greatest software, laptops get replaced. If we assume a replacement every three years, then every laptop at the Commerce Department would have been replaced twice, tripling the number of laptops that could be stolen. That initial assumption of a three per cent loss rate suddenly drops to one per cent, and the 30 per cent assumption drops to 10 per cent.

Now, 10 per cent (and even one per cent) sounds like a lot, and it accounts for a significant amount of lost personal information. However, I don't know anyone with a laptop who doesn't have some kind of personal or sensitive information on the hard drive. If a laptop is stolen, then personal or sensitive information will be stolen. The only real question is whether the information is useful to the thief. If the data is obscured or encrypted, then the answer is "maybe not". Remember: most laptops are believed to be stolen for the hardware and not the data.

Retailers, big companies, universities, and non-profit organisations expect "shrinkage" - they know that a percentage of merchandise and equipment will be lost, stolen, or broken. Knowing that every missing laptop contains something of importance, we can then start asking: Is "one per cent" an unexpected loss rate?

Unfortunately, I cannot find any laptop-loss statistics for any big companies - we hear about individual laptop losses, but not the total percentage. However, I have worked for a couple of Fortune 500 companies and universities. Every few years (or every year, depending of the company), they do an inventory of equipment (PDF). The inventory is almost always followed by an obligatory email saying, "Does anyone know where the <equipment name> is? We're looking for the one with <tracking number>. We're also looking for <long list>."

Shrinkage. It always seems worse after a large round of layoffs. Some of the missing equipment can be physically big, like computers the size of Volvos - these are usually found. However, many items are small, such as laptops, cameras, projectors, and other portable devices. These small items rarely turn up. And remember: every missing computer contains some kind of sensitive information - the only question is whether the data is valuable to the thief. Yet, these data losses are rarely reported, even in publicly traded companies.

All of this loss adds to the amount of information potentially compromised. However, the general public does not know these numbers and cannot measure this risk.

By the way, according to law enforcement officers at JustStolen.net, one in ten laptops will be stolen. That is 10 per cent, so the Commerce Department doesn't look that bad by comparison.

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.