Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


The ROI of Attack

Like defenders, attackers sometimes need to weigh the costs and benefits of their efforts

Recently, there was a report about the sabotage of a computer that supports the International Space Station. The computer, which measures stress on the station, was considered "non-critical" – although I'm not sure how a machine that performs such a function could be non-critical.

The interesting thing about this event was the method used for the sabotage. Apparently, several wires were cut, making the unit non-functional. Pretty effective, right? Well, not really. As my wife pointed out, a software modification to the system would have been much more difficult to detect, and therefore more effective in preventing the system from operating. As it is, NASA can just repair the wires, and it's back to business.

This brings me to an article written by Daniel Geer in a recent edition of ACM Queue. Geer points out that it is not only effectively impossible to reduce our risk level zero – it is not even desirable. The goal is to lower risk to a point where the expense of security and the cost of failure are both at a minimum.

The flip side of this statement is also true – attackers don't have unlimited resources, either. They need to maximize the impact of the attack while minimizing the cost.

What does this have to do with the NASA story? Well, assuming that the saboteur was rational (never a sure thing), the NASA attack may have been a success – in the attacker's eyes. The cost of the attack could have been much higher (buying a person capable of subtly introducing a fatal error in a highly reliable embedded system can’t come cheap).

I think it is safe to assume, based on the system attacked, that the goal here wasn’t to destroy the space station, but to enhance the attacker's reputation. The last thing NASA needed was another negative story, but this sabotage was so blatant that it could not be missed. And the cost was cheap – anybody with physical access to the box and a pair of wire cutters could implement it.

If this was a reputation attack, it was quite a success, even though it didn't have much long-term impact. The value of a reputation is almost impossible to measure. Here in Cambodia, one of the surest ways to get sent to prison (or worse) is to publicly say something that everybody knows is true, but is extremely embarrassing.

The same goes for business – embarrassing a competitor is sometimes worth more than stealing the designs for its new product.

— Nathan Spande has implemented security in medical systems during the dotcom boom and bust, and suffered through federal government security implementations. Special to Dark Reading

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This gives a new meaning to blind leading the blind.
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-16
There is a XSS vulnerability in the ticket overview screens. It's possible to collect various information by having an e-mail shown in the overview screen. Attack can be performed by sending specially crafted e-mail to the system and it doesn't require any user intraction. This issue affects: OTRS A...
PUBLISHED: 2021-06-16
A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.
PUBLISHED: 2021-06-16
Insecure storage of sensitive information has been reported to affect QNAP NAS running myQNAPcloud Link. If exploited, this vulnerability allows remote attackers to read sensitive information by accessing the unrestricted storage mechanism. This issue affects: QNAP Systems Inc. myQNAPcloud Link vers...
PUBLISHED: 2021-06-16
Rapid7 Nexpose is vulnerable to a non-persistent cross-site scripting vulnerability affecting the Security Console's Filtered Asset Search feature. A specific search criterion and operator combination in Filtered Asset Search could have allowed a user to pass code through the provided search field. ...
PUBLISHED: 2021-06-16
tEnvoy contains the PGP, NaCl, and PBKDF2 in node.js and the browser (hashing, random, encryption, decryption, signatures, conversions), used by TogaTech.org. In versions prior to 7.0.3, the `verifyWithMessage` method of `tEnvoyNaClSigningKey` always returns `true` for any signature that has a SHA-5...