> There are several interesting rates that are not
> easily figured out:
> 1 what percentage of attacks are detected?
> 2 what percentage of hosts attacked are breached?
> 3 what percentage of breaches are detected?
> 4 what percentage of attackers gain the root account
> from an unprived account.
>
> My guesses: 1) <1%, 2) beats me: depends on the type (.mil, .edu, etc.);
> 3) <10%, 4) >40%. (Tsutomu thinks my estimate for #4 is way low,
> and I suspect he is right.)
I have the following statistics to offer (more details in the book):

1 what percentage of attacks are detected?

In DoD less than 1 in 8900 entry attempts are detected AND REPORTED -
note that reporting is supposed to be mandatory in that environment.
These are standard attacks a la what you see in ISS, etc. run by people
whose job it is to get these statistics.

My own experiments (always done with permission of the owner but not
always with the knowledge of the systems admin) show that in over 100
custom virus-based attacks, 100% got full privileges, and 0% were
detected.

2 what percentage of hosts attacked are breached?

See above - also, about 40% of automated attacks done by all.net get
entry. It's a good bet that of those, almost all would get superuser
pretty quickly. Note these attacks are against self-selected test
subjects, many of whom are running firewalls and trying pretty hard to
be secure.

In the DoD tests, 80% of attempts resulted in getting root privileges
on the host under test.

3 what percentage of breaches are detected?

No help here - except the above statistics (all with very low detection rates).

4 what percentage of attackers gain the root account
from an unprived account?

No real-world statistics for this one, but the above stats should give you
a pretty good idea of how well you do if you try hard. Most
attackers are not up to this skill level.

--
-----------------
\Management /\/| 216-686-0090 - PO Box 1480, Hudson, OH 44236
\ /\/ | Check out info-security heaven and test your system
\/\ /\/ | for known vulnerabilities at URL:
\/Analytics| http://all.net:8080
-----------------
Read "Protection and Security on the Information Superhighway"
-just released by Wiley and Sons-