Sunday, April 09, 2006

the difference between security and risk

the concepts of security and risk are often used interchangeably, in part because risk is often thought of as a security-related concept, but they are in fact very different things and using one to mean the other often leads to confusion and ultimately dilution of the terms themselves...

to start off with, security is a property of a system (and i mean system in the most general sense, not just a computer system or operating system)... some people will tell you security is a process and i myself have used that phrase, but that phrase is actually meant to convey the fact that achieving and maintaining a reasonable level of security is a (never ending) process...

security can be thought of as the relative absence of serious vulnerabilities... the fewer vulnerabilities there are and the less serious they are, the more secure the system is... now it's important to realize that we don't and can't know all the vulnerabilities of any system, so security is fundamentally unmeasurable and unquantifiable... instead we have to estimate, we have to make our best guess based on the number and severity of known vulnerabilities of the system, and by severity i mean the extent to which the value of the system is lost if the vulnerability in question is exploited... the more insecurities there are and/or the more severe they are, the less secure the system is believed to be... of course, as it is ultimately just a guess, arguments over which browser or which operating system is more secure are about as meaningful as arguing over which flavour of ice cream is best...

risk, on the other hand, is the chance of a bad thing (or any one of a class of bad things) happening - in this context, the chance of a vulnerability getting exploited... unlike security, which depends solely on the system, risk depends on the time and effort available to mount an attack... time comes from the window of exposure - the longer that window is open, the more time the attacker community has to find a workable exploit and to find YOU, and so the greater the chance they'll do both... effort comes from the attackers themselves... the risk of a security breach is directly affected by the value of that breach, not to the victim, but to the attacker community... even a low impact vulnerability can have a high risk of being found and exploited if it's a desirable target... the more desirable the breach, the more people there will be looking at it, the more man-hours worth of effort will go into trying to find a successful attack, the higher the chance of finding a successful attack while the target is still interesting, and the wider the attack is likely to be deployed... what does the attacker community value? they want the biggest bang (figuratively) for the buck they can get - the more popular the system, the more overall impact they can have with a given unit of effort...

now, while security and risk are quite different, they do tend to interact with one another... low risk, for example, can obscure the presence of insecurities from the public... the lower the risk, the less likely a real exploit will ever see the light of day, regardless of the severity of any vulnerabilities that may be present... sometimes obscurity is used to try to effect lower risk - this is where the myth of security through obscurity comes from... clearly obscurity can't do anything about the presence of vulnerabilities except make them less likely to be found... that's not to say it can actually prevent the attacker community from discovering and exploiting the vulnerabilities, because it can't... obscurity is just a way of managing risk; however, correcting the vulnerability (when possible) is by far a more effective means of managing that risk and should be the preferred method... unfortunately some vulnerabilities are not correctable, either by virtue of being inherent in the fundamental building blocks of the system (such as virus infectability being inherent to the general purpose computing platform) or the result of some social rather than technical problem, so sometimes alternative risk management techniques like obscurity are reasonable... i know some people don't want to hear that, some people worship at the altar of full-disclosure, but to them all i can say is that a foolish consistency is the hobgoblin of little minds... if the risk can't be managed by eliminating the vulnerability then another method has to be used...

high risk obviously can be very good at revealing the presence of insecurities (usually to the detriment of the victim) - as more new vulnerabilities are found in the system, the total number of known vulnerabilities goes up and the security estimate for that system goes down... the security estimate can go back up when those vulnerabilities are corrected, but it doesn't go all the way back, since each new vulnerability reflects more and more poorly on the underlying quality of the system... it isn't until a highly attractive target endures long periods without a breach that significant improvements in the security estimate are made... high risk can also magnify the public perception of insecurities, even when they're low severity ones... because of the confusion between risk and security, a higher rate and wider deployment of attacks makes the severity of the vulnerability seem worse, even though the number of attacks isn't really related to the number of vulnerabilities or their severity... this translates into a lower confidence in the security of the system; however, our security estimates are not based on public opinion and therefore may not be significantly changed... take, for example, the LSASS vulnerability in windows - with each new piece of malware written to exploit it the security of windows remains the same and the severity of the vulnerability remains unchanged, but the chance of a windows system that exposes that vulnerability to the internet getting breached goes up...

low security can increase the risk of a breach dramatically when combined with popularity... the attacker community is made up of humans after all, and humans are essentially lazy creatures, so a widely deployed (popular) highly insecure system represents exactly the kind of low-hanging fruit that is most attractive to them... the fact that a system is highly insecure often means there are a wide variety of vulnerabilities for the attacker to choose from, and so it's easier to find one that suits his/her needs, and the fact that the system is popular makes it more worth the effort to look for one... when not combined with popularity, low security can languish in obscurity never knowing a successful exploit... low security always increases overall risk to some extent, but how much is determined by other things...

as you'd expect, high security lowers the overall risk of a breach... as vulnerabilities are eliminated the total number of remaining vulnerabilities goes down, and so do the remaining avenues of attack... the fewer of those there are, the harder it is to find one and thus the lower the chances that one will be found... the risk of finding any particular remaining vulnerability doesn't necessarily change that much, of course, but the chances of finding one that is no longer there obviously drop to zero... it's important to note that this is only true for instances of the system that are up-to-date - after a vulnerability has been found and publicized through the availability of a security update, it becomes quite easy for the attacker community to use it against those instances of the system which haven't yet eliminated it through updating/upgrading...

while it may seem at first glance that there's a relationship between a high number of attacks and low security, that's a correlation rather than a causal relationship... the fact that low security but unpopular (and therefore low risk) systems generally receive few attacks indicates that attacks are related more closely to high risk than to low security...

so now that you know all this, what can you do with it? well for one you can better evaluate claims of high/low security (we'll never really know which operating system or which browser is more secure)... you should also be able to recognize which issues actually pertain to risk and why/how they're important to you and/or your organization... clearly you want high security, you want there to be as few potential avenues for attack as possible, but you also want low risk - there can be no perfect security, there will always be a few avenues for attack and having a low number of them doesn't help much if those avenues are being used frequently...
