When Does Targeting Make Sense for an Attacker?

Cormac Herley
2013 IEEE Security and Privacy  
How do so many Internet users escape harm? The range of attacks is enormous and growing; we know that most users neglect even very basic defense measures. Yet things somehow muddle along: two billion people use the Internet and seem to derive more good from it than harm. If security is only as good as the weakest link why don't worst-case outcomes happen regularly? Why isn't everyone hacked every day? The answer may lie in economics rather than technology. Scalable and Non-scalable attacks
more » ... alable attacks Let's segment attacks into two types, those that scale and those that don't [1]. Scalable attacks have costs that grow much slower than linearly in the number, N, of users attacked. Doubling the number attacked causes the costs to increase by far less than a factor of two: (2N) << 2 (N). Thus, the cost of a scalable attack scarcely grows at all with the number attacked. Phishing is scalable, as is any attack that uses spam as the spread vector. Drive-by download attacks, self-replicating viruses and anything that can be completely automated would be scalable, as the cost has very little dependence on the number attacked. Scalable attacks have similar economics to a software product or information good in that first-copy costs dominate [2]. Non-scalable attacks, by contrast, are everything else. Generally they have a linear cost dependence on N. Doubling the number attacked doubles the cost: (2N) ≈ 2 (N). Anything that requires per-user effort is non-scalable. Attacks that involve knowledge about the target aren't scalable. For example, the majority of the social engineering attacks described by Mitnick [3] require elaborate target-specific effort. That certainly doesn't scale unless the information can be gathered by a script. Thus, learning the likely answers to backup authentication questions is not scalable. It is far from simple to gather the pet's name, favorite sports team or name of the favorite high-school teacher for a million users in an automated way. Physical side-channel attacks, which require proximity, aren't scalable: getting close to a million people costs a lot more than getting close to one. This segmentation into scalable and non-scalable attacks is obviously a simplification. Even spam has a linear cost component (e.g. gathering target addresses, finding enough machines and IP addresses to do the sending). However, first-copy costs dominate, so that doubling the
doi:10.1109/msp.2013.46 fatcat:qrq27hmxbfbonmiz346ndd4xre