Wednesday, April 1, 2009

Conficker - A Balanced Assessment

Well, April 1st is here and the Internets are still working. Personally, I'm not surprised. This story was hyped because the media reported on the vulnerabilities caused by Conficker but did not provide an overall assessment of the risk presented by the worm.

Certainly, having 10 million infected hosts under the control of a mysterious group of hackers is a dangerous vulnerability. However, the measure of risk presented by this vulnerability can only be calculated when threat and consequence are measured.

Risk = Threat + Vulnerability + Consequence

As we've discussed in class, threat is a combination of capabilities and intention. In the case of Conficker, the hackers had the capabilities to do pretty much whatever they wanted with the infected hosts. They could have launched a massive denial of service attack or installed key-loggers on the infected machines and stolen personally identifiable information. However, at this point the intentions of the hackers are unclear, because no one knows who the hackers are or who they are working for. It is therefore impossible to measure the threat posed by Conficker, and so an accurate assessment of risk cannot be determined.

Threat = Capabilities + Intentions

If the Conficker botnet is controlled by cyber criminals, which is the most likely scenario, then it's highly probable that these criminals will rent out portions of the botnet for spam runs, denial of service attacks, click-fraud, and phishing attacks. As we've discussed in class, these types of attacks occur every day on the Internet and haven't caused a cataclysmic meltdown yet. Worms aren't new and bots aren't new. The Internets will survive.

We need to move past hysterical vulnerability assessments that claim the sky is falling and instead conduct thorough risk assessments before claiming the Internet will collapse.

