Feeds

Laptop losses and phishing fruit salad

The need for accurate risk assessment

Seven Steps to Software Security

Dr Neal Krawetz takes a look at the numbers behind reports of laptop thefts and phishing attacks, showing inconsistent metrics and the difficulty in using numbers to determine the real level of threat.

Security is about evaluating risks. And who knows more about evaluating risks than insurance companies? For example, the automobile insurance industry invests in studies about driver safety, likelihood of an accident, estimated amount of damage, and the average cost of repair. This is how they measure risk.

In the computer field, risk is based on attributes such as ease of exploitation, required skillset to conduct the exploit, number of impacted systems, estimated loss, and amount of damage. It doesn't make sense to spend $10,000 on a high-end firewall to protect a $2,000 computer containing little intellectual property.

Whether it is car, medical, or liability coverage, insurance companies have very specific metrics. My insurance agent can quickly look up my chances of being in a serious auto accident based on my occupation, distance from work, number of miles driven per year, and type of car - and that's before adding in my driving history. Banks have similar metrics and in-depth understandings of their risks.

However, few computer organisations have equivalent metrics. What are your odds of being attacked? What is the likelihood of a successful attack? What is the estimated loss from an attack? Many of the metrics we use today are based on half-truths and floating numbers - random statistics without context. When we hear that a laptop was stolen and that it contained thousands of pieces of personal information, should we be worried? What is the likelihood of the compromised information actually being used?

Just as fear, uncertainty, and doubt (FUD) can sway opinions about our security, these random statistics also influence our opinion about how safe we are online. But exactly how safe are we?

Playing with numbers

In September 2006, the Washington Post reported that 1,137 government laptops had been stolen since 2001 from the Commerce Department. That's a big number...However, it is a number without context. How many laptops has the Commerce Department had since 2001?

The US Commerce Department employs about 36,000 people. So if we assume that they all have laptops, then 1,137 lost laptops becomes three per cent of their workforce. Now we have context - and it seems like a high number. The percentage increases if we assume that only 10 per cent of the people have laptops (30 per cent lost), and decreases if we count replacement laptops.

For example, few people use laptops longer than three years. Between dead batteries, damage from long-term use, and an inability to run the latest-and-greatest software, laptops get replaced. If we assume a replacement every three years, then every laptop at the Commerce Department would have been replaced twice, tripling the number of laptops that could be stolen. That initial assumption of a three per cent loss rate suddenly drops to one per cent, and the 30 per cent assumption drops to 10 per cent.

Now, 10 per cent (and even one per cent) sounds like a lot, and it accounts for a significant amount of lost personal information. However, I don't know anyone with a laptop who doesn't have some kind of personal or sensitive information on the hard drive. If a laptop is stolen, then personal or sensitive information will be stolen. The only real question is whether the information is useful to the thief. If the data is obscured or encrypted, then the answer is "maybe not". Remember: most laptops are believed to be stolen for the hardware and not the data.

Retailers, big companies, universities, and non-profit organisations expect "shrinkage" - they know that a percentage of merchandise and equipment will be lost, stolen, or broken. Knowing that every missing laptop contains something of importance, we can then start asking: Is "one per cent" an unexpected loss rate?

Unfortunately, I cannot find any laptop-loss statistics for any big companies - we hear about individual laptop losses, but not the total percentage. However, I have worked for a couple of Fortune 500 companies and universities. Every few years (or every year, depending of the company), they do an inventory of equipment (PDF). The inventory is almost always followed by an obligatory email saying, "Does anyone know where the <equipment name> is? We're looking for the one with <tracking number>. We're also looking for <long list>."

Shrinkage. It always seems worse after a large round of layoffs. Some of the missing equipment can be physically big, like computers the size of Volvos - these are usually found. However, many items are small, such as laptops, cameras, projectors, and other portable devices. These small items rarely turn up. And remember: every missing computer contains some kind of sensitive information - the only question is whether the data is valuable to the thief. Yet, these data losses are rarely reported, even in publicly traded companies.

All of this loss adds to the amount of information potentially compromised. However, the general public does not know these numbers and cannot measure this risk.

By the way, according to law enforcement officers at JustStolen.net, one in ten laptops will be stolen. That is 10 per cent, so the Commerce Department doesn't look that bad by comparison.

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.