Thursday, August 14, 2008

More Threat Reduction, Not Just Vulnerability Reduction

Recently I attended a briefing where a computer crimes agent from the FBI made the following point:

Your job is vulnerability reduction. Our job is threat reduction.

In other words, it is beyond the legal or practical capability of most computer crime victims to investigate, prosecute, and incarcerate threats. Therefore, we cannot independently influence the threat portion of the risk equation. We can play with the asset and vulnerability aspects, but that leaves the adversary free to continue attacking until they succeed.

Given that, it is disappointing to read "State AGs Fail to Adequately Protect Online Consumers." I recommend reading that press release from the Center for American Progress and Center for Democracy and Technology for details.

I found this recommendation on p. 25 interesting:

Consumers are paying a steep price for online fraud and abuse. They need aggressive law enforcement to punish perpetrators and deter others from committing Internet crime. A number of leading attorneys general have shown they can make a powerful difference. But others must step up as well. To protect consumers and secure the future of the Internet, we recommend that state attorneys general take the following steps...

Develop computer forensic capabilities. Purveyors of online fraud and abuse — and the methods they use — are often extremely difficult to detect. Computer forensics are thus needed to trace and catch Internet fraudsters. Attorneys general in Washington and New York invested in computer forensics and, as a result, were able to prosecute successful cases against spyware. Most states, however, have little in the way of computer forensic capability.

Developing this capability may not require substantial new funds. Rather, most important are human and intellectual resources. Even New York’s more intensive adware investigations, for instance, were done with free or low-cost software, which, among other things, captured screenshots, wiped hard drives, and tracked IP addresses and installation information through “packet sniffing” tools. Attorneys general must make investments in human capital so that such software can be harnessed and put to use.


When I teach, there are a lot of military people in my classes. The rest come from private companies. I do not see many law enforcement or other legal types. I'm guessing they do not have the funds or the interest?

3 comments:

Selil said...

Purdue trains several classes of law enforcement from all levels every year. They get taught commercial packages, testimony, etc. Eastern Kentucky University (EKU) also does this.

jbmoore said...

Or they are intimidated. Computer-related courses are seen as geeky. There's still an undercurrent of anti-intellectualism in the country. If it were not so, then why are athletes lauded and geeks derided? Only extremely wealthy geeks are shown in a positive light, but those people are quite rare. Most of us didn't pursue intellectual professions mainly for the money. We pursue it for the love of it.

Ben said...

I agree with this... up to a point. In dayes of yore, we used to talk about threat frequency (an estimated probability), which really translates into guesstimating how desirable a target you might be. From that perspective, if you can produce content that isn't particularly desirable to an attacker, then in theory you're reducing that threat factor. Otherwise, if you're just asking the question "are there threats?" then of course this will just be a 1.0 probability, which then doesn't serve much purpose, right?

Now, where I agree, of course, is with targeted attacks where specific threats learn your environment very, very well and get into a cat-n-mouse game where they hack something, you fix it, they hack somewhere else, you fix that, and so on. You're always in a reactive, catch-up mode (been there, done that), burning so many resources on clean-up and monitoring that it's very difficult to be proactive. That's where you need LE to help eliminate the specific (antagonistic) threat altogether.