Defense vs. Offense

CS 493/693 Lecture, Dr. Lawlor, 2006/02/06

It's useful to consider how society has solved the same security problems we now face with computers.

For example, a normal passenger car has laughably poor security--the vehicle can be trivially hijacked during operation using almost any weapon, the windows can be broken, the locks can be picked, the ignition can be hotwired, the tires can be deflated (denial of service) or the entire vehicle itself ignited (serious denial of service).

A "secure" car would be more like a tank--virtually impossible to steal, no windows, thick hardened steel armor. But even a tank can be disabled with a simple shaped charge (like a rocket propelled grenade) or sufficient explosive power. A modern innovation in tank armor is Reactive Armor. The most common type consists of a high explosive that explodes when shot, breaking up the incoming projectile.

The standard security model for an automobile also includes a reactive component--the cops! Car theft is treated as a serious crime, and society expends considerable resources detecting, investigating, and responding to car theft. Imagine how many more car thefts there would be, if car theft were treated the same way as computer security incidents! That is, imagine the response to a car theft was just to buy a new car and blame the victim--"You should have kept your system patched. And where was your firewall?"

In general, security problems can be addressed in one of two ways:

Defense: Harden the target. Keep your system patched. Disable unused network services. Use a good firewall. Defensive techniques normally impose fairly heavy costs on legitimate users (e.g., more annoyance at each login, fewer ways to get legitimate work done). But because of the "weakest link in the chain" problem, defensive techniques don't always impose equal costs on attackers. The problem is that time spent securing services that don't get attacked is wasted effort.
Offense: Stop the attacker. Log IP addresses and packet traces for use in court. In case of an unambiguous attack, involve law enforcement early. The (local, state, or federal) police and the courts can impose very heavy costs on attackers, while leaving legitimate users untouched. Note that "stop the attacker" does not mean vigilante justice! You can block an attacker's traffic to your subnet, perform simple connection tests to his IP (e.g., ping, traceroute), and initiate legal action against him, but even something as simple as a portscan of the attacking IP address is legally perilous.

Both security aspects are important and useful, and neither should be forgotten. We'll talk about defense, but in my opinion offensive capability against network attackers today is sorely lacking--law enforcement is very rarely involved, and prosecutions make the national news because they are so rare. The single factor that most complicates law enforcement's reach on the internet is jurisdiction--conventional law enforcement is restricted to a single geographically defined area. This means attackers not from your home town are very difficult to successfully prosecute.