>I'm still trying to figure out what it means to *claim* that 95% of
>breakins are undetected. How the heck do you know how many breakins
>there are if only 1 out of 20 is noticed?
Actually, people are looking at this from the wrong side. Sure, our traps
and alarms can give some evidence of the external interest in our site,
but the real data comes from either the people breaking in, or the
people watching them do it.
Now it is true that hackers may not know that they have been detected, so their
numbers may be wrong, too. But Josh Quittner noted in his book that
MOD members found machines they had entered years before were still broken.
And I have slogged through endless keystroke logs of hackers
wading through many systems where it is clear that the sysadmins are
clueless.
There are several interesting rates that are not
easily figured out:
1) what percentage of attacks are detected?
2) what percentage of hosts attacked are breached?
3) what percentage of breaches are detected?
4) what percentage of attackers gain the root account
from an unprived account?
My guesses: 1) <1%, 2) beats me: depends on the type (.mil, .edu, etc.);
3) <10%, 4) >40%. (Tsutomu thinks my estimate for #4 is way low,
and I suspect he is right.)
Bill Cheswick
Bell Labs