I’ve said that the typical bot net threat will be the basic mechanism for the delivery of damaging targeted attacks for the next several years. Many feel they would never be targeted, so the risk that they will be hit by such attacks feels low. The typical risk calculus goes like this:
Not all that many web sites are easily compromised to install infector code, and there are 25 million web sites out there and users only go to about 100 sites per day, our web security gateway blocks lots of attempts to get to malicious sites and users are trained not to click on suspicious stuff.
This optimistic viewpoint gets you to a 1 in 1 billion chance (.000001 %) that you would be hit by a bot net attack.
A more realistic view:
2/3 of web sites are easily compromised to install infector code, and there are 25 million web sites out there and users only go to about 100 sites per day, our web security gateway blocks at best 50% of attempts to get to malicious sites and even though users are trained not to click on suspicious stuff, 3 times out of 4 they do.
That gets you a 1 in a million chance.
That all changes when the bad guys do target you, and they are targeting lots of low visibility companies precisely because those who feel they are secure by being obscure usually are not – making them easy pickings. So, the best calculus comes out to:
Not all that many web sites are easily compromised to install infector code, but there are 25 million web sites out there and users only go to about 100 sites per day, but a targeted phishing attack will succeed in getting some of our users to go there, our web security gateway won’t block it because it is a targeted attack, and our users have proven they will click away.
That takes the 1-in-a-million chance down to 1 in 3. I don’t know about you, but whenever the weather forecasters say there is a 30% chance of rain, I get wet.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.