Saturday, 12 March 2016

If We Are The Weakest Link, Why?

The Global Cyber-Vulnerability Report was published this week - a book from authors at the University of Maryland and Virginia Tech which ranks 44 nations on how vulnerable they are to cyber attack.  It examined the vulnerability of over four million machines per year over a two-year period, as reported by Symantec, drawing on an impressive 20 billion telemetry reports (malware and binary reputation reports) from at least 500 hosts in each country.

[SPOILER ALERT] Denmark, Norway and Finland ranked the safest. China, India, Russia, Saudi Arabia and South Korea ranked among the most vulnerable. The United States came in 11th.

There have been surveys such as this done previously.  One that takes a broad view of legislation, regulation, infrastructure and so on, the Cyber Power Index, has the United Kingdom in 1st place.  However, this latest report is much more focussed on true technical vulnerability.  I've not seen it done in this way previously, so the results are rather interesting.

One does have to be careful with this report as, at least in part, the levels of vulnerability are based upon the numbers of machines attacked and the frequency of attacks: it measures observed attack and infection telemetry rather than exposure in the abstract.  It is worth understanding the methodology to fully understand what the report is, well, reporting.  It is an approach that many security software vendors have used to a degree in producing their annual reports on the security landscape.  Typical examples include:

  1. Microsoft's Security Intelligence Report
  2. Symantec's Security Threat Report
  3. Kaspersky's Threat Report
Even Europol's Internet Organised Crime Threat Assessment (iOCTA) uses data from vendors in considering the threat landscape [I declare an interest with iOCTA as I help produce it].

However, where this new report differs from pure system-telemetry-based reports is that it includes factors such as education and economics, i.e. it covers some of the factors focussed on by the Cyber Power Index.  In doing so, the datasets being produced appear to offer an opportunity to predict how and where malware might spread.  Some of these thoughts, drawing on much of the same data, were presented in this context at the 9th ACM International Conference on Web Search and Data Mining in February 2016.

The predictions turn out to be remarkably robust.  In some ways this is not surprising, as the datasets over which the models "learn" and thence forecast are very large - unfortunately large, one might say.  The models are interesting in their own right. They are an ensemble of feature extraction and time series analysis.  Hence the ability to predict what and when, not just when or what.

One of the benefits of being able to accurately predict the spread of malware is that one can start to look at the human behaviour occurring on the machines that prove most "vulnerable", and from that begin to understand which elements of human behaviour make us more vulnerable.  This work has been taken quite some way already and is due to be published in the journal ACM Transactions on Intelligent Systems and Technology. A pre-print of the paper can be read here.

This is important because, whilst many have asserted that humans are a weak link in the security chain, there has been little quantified research published: the claim rests on anecdotal evidence and tends to be reported at a macro level.  This data is much more granular and does show quantitative evidence that certain behaviours make you more vulnerable.  Some may not surprise you: a direct correlation between the number of unsigned downloads you make and the level of malware found on your machine. But at least we now have evidence.

Hence, the research is beginning to show not just that humans are a weakness (we all knew we were) but is starting to zero in on the specific behaviours that represent this weakness. As technology exists only to serve humans, we have to find ways of enabling the technology to help us stay secure, rather than simply removing the human from the loop, which is rather self-defeating.

As we understand which behaviours lead to vulnerability, we can construct the technology so as to ensure that we take such actions only in the conscious knowledge that we could be putting ourselves at risk.
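As an added illustration of the kind of "conscious knowledge" prompt argued for above, here is a PowerShell check that lists every executable in a user's Downloads folder whose Authenticode signature is missing or does not verify. This is my own example, not code from the report, the paper or this blog; the Downloads folder location and the list of file types to inspect are assumptions you may want to adjust.

```powershell
# Added example: surface downloaded binaries that lack a valid Authenticode signature,
# the "unsigned download" behaviour the research correlates with malware levels.
# Not from the report or the paper. Folder path and extension list are assumptions.

function Get-UnsignedDownloads {
    param(
        # Assumed default: the current user's Downloads folder.
        [string]   $Path  = (Join-Path $env:USERPROFILE 'Downloads'),
        # Assumed set of file types worth checking before execution.
        [string[]] $Types = @('*.exe', '*.msi', '*.dll', '*.ps1', '*.scr')
    )

    Get-ChildItem -Path $Path -Include $Types -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Get-AuthenticodeSignature reports Valid, NotSigned, HashMismatch,
            # NotTrusted, UnknownError, NotSupportedFileFormat or Incompatible.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File     = $_.Name
                Status   = $sig.Status
                Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '-' }
                Modified = $_.LastWriteTime
            }
        } |
        Where-Object { $_.Status -ne 'Valid' } |
        Sort-Object Status, File
}

# Usage: print the offenders as a table; an empty result means every inspected file verified.
Get-UnsignedDownloads | Format-Table -AutoSize
```

A status of NotSigned is the plain "unsigned download" case; HashMismatch or NotTrusted means a signature is present but the file has been altered or the signer is not trusted, which is worth a harder look than an unsigned file. The check does not substitute for the reputation data the report's telemetry uses; it simply makes the risky action visible to the person about to take it.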