I’ve said that the typical bot net threat will be the basic mechanism for the delivery of damaging targeted attacks for the next several years. Many feel they would never be targeted, so the risk that they will be hit by such attacks feels low. The typical risk calculus goes like this:
Not all that many web sites are easily compromised to install infector code, and there are 25 million web sites out there and users only go to about 100 sites per day; our web security gateway blocks lots of attempts to get to malicious sites, and users are trained not to click on suspicious stuff.
This optimistic viewpoint gets you to a 1 in 1 billion chance (.000001 %) that you would be hit by a bot net attack.
A more realistic view:
2/3 of web sites are easily compromised to install infector code, and there are 25 million web sites out there and users only go to about 100 sites per day; our web security gateway blocks at best 50% of attempts to get to malicious sites, and even though users are trained not to click on suspicious stuff, 3 times out of 4 they do.
That gets you a 1 in a million chance.
That all changes when the bad guys do target you, and they are targeting lots of low visibility companies precisely because those who feel they are secure by being obscure usually are not – making them easy pickings. So, the best calculus comes out to:
Not all that many web sites are easily compromised to install infector code, and there are 25 million web sites out there and users only go to about 100 sites per day, but a targeted phishing attack will succeed in getting some of our users to go there; our web security gateway won’t block it because it is a targeted attack, and our users have proven they will click away.
That drops 1/million down to a 1 in 3 chance. I don’t know about you, but whenever the weather forecasters say there is a 30% chance of rain, I get wet.

John Pescatore




































































































