[thelist] Surprising Results

Joshua Olson joshua at waetech.com
Sat Feb 21 20:48:15 CST 2004


> -----Original Message-----
> From: Alvaro Medina
> Sent: Saturday, February 21, 2004 4:04 PM
>
> As the comments on the post say, "after discarding all evidence to the
> contrary, the hypothesis was proven". If it's true they did not consider worm
> attacks, this study is very biased.

Alvaro,

First off, thank you for your response.  I'd like to make a couple of
observations about worm attacks that may explain (at least in part) why they
decided to exclude them from the study:

1.  A good majority of worms these days are targeted at the client, not the
server.  There are a couple reasons why it's easier to build something to
attack clients--A. in general, client users are more naive than system
administrators and are more likely to be tricked, B. the most popular email
client, Outlook, has some glaringly terrible security holes and while
patches exist, many clients are not savvy enough to install them.
Basically, clients are an easier, and dare I say unfair, target.

2.  Worms are not particularly cunning... they perform only what they were
initially scoped to do and rely on propagation speed to maximize the impact.
They also tend to have a terrible impact initially but die out once AV
filters are updated on the mail servers (all platforms of mail servers, btw,
not just MS, Linux, or whatever).

3.  They may be assuming that people try harder to break into high-profile
targets such as government, education, and research facilities--and thusly a
successful breach into one would be considered a bigger victory in the "big
picture."  A general email worm would not fit this bill as it does not
necessarily (with some notable exceptions) principally target a single
system or organization but instead is designed to cause as much havoc as
possible.

In a nutshell, worms typically propagate because of lack of prudent care on
the part of clients and systems administrators and only occasionally because
of fundamental system flaws.  A hacker, on the other hand, has the
additional option of systematically searching out and exploiting fundamental
system flaws.  So, being hacked by a person is much more telling about
system security, IMO, than being slammed by a worm because clients failed to
update their Outlooks or because the system administrator didn't install the
patch that the software vendor put out a few months prior (eg Slammer).

> Also, they take the numbers as absolute
> amounts in a total of successful attacks; I think it would have been better
> to see what proportion there is between successful attacks and
> failed ones.

I like what you are thinking here and this is a very good point.  I'd
venture to guess, however, that the number of failed attacks is very hard to
measure and record.  A correctly implemented defense-in-depth security
architecture will stop the assailant as far towards the outer threshold as
possible and might even make the failed attack impossible to record.

Another statistic that is missing is the proportionate number of Windows,
Linux, Mac, and BSD servers that they consider important enough to include
in the results.

<><><><><><><><><><>
Joshua Olson
Web Application Engineer
WAE Tech Inc.
http://www.waetech.com/service_areas/
706.210.0168