27

Given that you sometimes cannot defend against a form of threat, is it then valid to ignore said threat? Instead of defending against the threat, just mitigate the symptom.

An example of this comes from media distribution, where DRM has been less than effective at protecting the data. Ultimately, there is nothing that stops the client from circumventing the protection because it, in fact, needs to be undefended at some point in order to view it.

While the above particular case is well known, some analogous cases might not be as well known. Given that developing a protective measure might be cost prohibitive, when does one suggest the client should:

  • ignore the security threat
  • change business model to one that sidesteps the threat
Kevin
joojaa
  • I modified the question a bit and removed some extra dimensions that might have been subjective or provocative. Since I got downvoted, I presume that this does not fit here well. Is this not a valid question? I admit that my tags do not fit the question very well; help welcome! – joojaa May 12 '16 at 06:01
  • I did not downvote, but I think this has to do with risk analysis and not so much about information security. And in risk analysis, you should never ignore a risk. – clem steredenn May 12 '16 at 06:14
  • Your question is invalid, as piracy is not a "threat". It's a valuable warning sign, showing that your business model needs work. When a product is easily available at a reasonable price, piracy tends to disappear; this has been shown over and over and over again in many markets throughout the world and in all different media types. (When's the last time you torrented a song or a movie, now that ubiquitous online marketplaces and streaming systems make legitimate consumption easy?) – Mason Wheeler May 12 '16 at 19:32
  • @MasonWheeler it's just an example of a situation that you cannot avoid if you do business. There are other cases. Yes, it's not a threat, it's a cost of doing business. But not all people think the way you do. – joojaa May 12 '16 at 19:45
  • There's no such thing as "perfect" security, in any context: any and every defensive measure can be circumvented given sufficient skill and resource. The objective of defensive measures is usually to raise the level of skill and resource required beyond that of your perceived attackers. Even if a measure will not defeat all attackers, there may still be benefit in reducing the number who are capable of success, for example so that mitigating actions can be focused on fewer cases (eg: legal action to enforce intellectual property rights is easier to conduct against a small number of people). – eggyal May 13 '16 at 05:36
  • @MasonWheeler Saying that is like saying that robberies in real life are a valuable warning sign, because if you had made those things available for sale, people would have bought them. The problems are that (a) someone is still robbing you and (b) now the robber is going to shoot you because he doesn't believe that you have nothing of value on you. (That last one was a joke, in case [you couldn't tell.](https://en.m.wikipedia.org/wiki/Poe%27s_law)) – Nic May 13 '16 at 11:34
  • @QPaysTaxes Except that [copying is not theft](https://www.youtube.com/watch?v=IeTybKL1pM4) because nothing is lost. (No, not even the oh-so-cliché "lost sales". Studies have repeatedly shown that every 1000 pirated copies is worth 1 sale. When you're not providing your product at an affordable price, the people who are pirating it can't afford it, so they wouldn't have bought it anyway. When you're not making it legitimately available at all--think region coding--the people who are pirating it couldn't have bought it anyway because you weren't letting them. And so on...) – Mason Wheeler May 13 '16 at 12:25
  • @MasonWheeler Exactly. The robber wasn't going to buy stuff from you anyway; he was just gonna rob you. All you do by lowering the price is make more money while the same number of people pirate you as before. Saying "It's a valuable sign" is bullshit, because -- like you said -- one in a thousand people pirating will buy it even if you reduce the price. How much money you make with a higher or lower price depends on the market, but it _does not affect piracy_. Therefore, it's invalid to say it's some sort of sign; it's just people not wanting to pay for things they want to own. – Nic May 13 '16 at 12:29
  • @QPaysTaxes That's not what I said. I said that one in a thousand people pirating would have bought it, *because the rest of them can't under current conditions.* This is why fixing the conditions fixes piracy. That's not a hypothetical; it's happened in the real world, every time. And again, your "robbery" analogy is completely invalid, because there is no loss when a copy is made. (If I stole your car, you'd call the police. If I made an exact copy of your car and kept it for my own... would you even care?) – Mason Wheeler May 13 '16 at 12:33
  • @MasonWheeler Oh, I see. Could you do me a favor and link some of these studies? I tried Googling "piracy one in a thousand buys" but couldn't find any primary sources. – Nic May 13 '16 at 12:44
  • I'm not experienced in security so I'd really appreciate an explanation of how the question title is not just an eye-catcher for upvotes/attention? It seems like a ridiculously asinine question with an obvious answer like, "You would never ignore a threat". I don't see how this is useful to anyone, at all. The body itself is interesting but I don't see how it genuinely relates to the question header, which _should_ be, "Is mitigating the system a valid way to defend from a threat?" which is a loose translation of the body statement, "Instead of defending from the threat just mitigate the symptom" – 8protons May 13 '16 at 16:16
  • @8protons I didn't know that there is a difference between accepting a threat and ignoring it. To me those are much the same thing; maybe the difference comes from thinking that deciding to not do anything about an occurrence is not the same as ignoring it, since you did think about it. Hence the question. No, I'm actually planning just to accept that there is an inherent threat to the business model but there is nothing to be gained by doing anything about it. Not doing the business means 100% likelihood of no money; the threat will happen eventually and eat the entire business. – joojaa May 13 '16 at 18:18

7 Answers

39

You would never ignore a threat, and perhaps that is semantics over your wording. You either accept, mitigate, or outsource the risk for the given threat. In this case, that would be:

  1. accept: there will be a $X loss,
  2. mitigate: fix DRM or find an alternative to DRM to protect the product, or
  3. outsource: use insurance, or place the risk on someone else in the same way insurance does.

In your case, if 1 is not acceptable, then they need to move to 2 or 3 as their alternatives.

Undo
turagittech
  • Like everyone https://www.youtube.com/watch?v=9IG3zqvUqJY – JSmyth May 12 '16 at 13:41
  • There is another strategy that is just as successful that may apply to specific cases. Taking DRM as example, Apple argued with the music industry that DRM was not only useless at stopping piracy but also causes negative PR with consumers. Their solution was to make songs cheap - cheap enough that the extra effort to pirate would appear less attractive to most consumers. The general strategy is to make the effort of the threat not worth the rewards. One example of this in the real world is shops banking in twice a day or more so that robberies won't net you much money. – slebetman May 13 '16 at 09:53
  • Speaking in general: while accepting the threat, you still monitor it in order to see which damage has been done. When one of the (sub-)systems is damaged, maybe you can simply switch it out. – hamena314 May 31 '16 at 10:43
14

TL;DR: NO (but we should define what "ignoring" means; from the text of the question I suspect we're actually of the same opinion).

You do not "ignore" a threat. The ancient saw says that you do not fear a threat that you cannot avoid - stultum est timere quod vitare non potes, since fear will avail you nothing.

But few threats are completely unavoidable in their every aspect and consequence, and do not in the least benefit from consideration, so that all that remains is saving some time by ignoring them.

You cannot avoid death, for example, but you still endeavour to delay it as much as possible with medicine and lifestyle; you plan for it with insurance and a will; you mitigate its consequences on those you care for, and if and where possible and legal, you try and mitigate consequences on yourself (those consequences you can).

It is exactly the same thing with lesser threats (minus the religious implications).

You start by defining the threat and its attack surface. You then evaluate whether you can, and at what costs, reduce that attack surface. That is where the "rethink the business model" part might come in. Or even the "abandon the project altogether" or "dump it on someone else".

Then you know that you have a vulnerability, but this still leaves you with the problem of determining whether that vulnerability is being exploited, and how much, and what the damage actually is. In the content duplication scenario this would mean deploying some sensor capable of telling you what is being illegally copied, and how much. In several jurisdictions you cannot do anything until and unless you can quantify an economic damage, or the risk thereof.

Knowing the damage (actual and potential) is also key to choosing a strategy. You might choose to do nothing (but continue monitoring!) if the damage turned out to be minimal, and likely to remain minimal; or if the damage also has a bright side - for example: illegal copying of software also means that there is an illegal user base that would not otherwise be there, and a part of that user base needs to go legit at some time or another. Think of an office suite that you get illegally familiar with as a student, and then offer in your CV, and/or that influences the purchase choices of a big firm (do they go with UnknownOffice v1.0? Or do they prefer WellKnownOffice 1.0? This reflects on the availability of skilled users -- and, therefore, on their wages). You would "lose" a lot of users that you would never have gained anyway - huge virtual loss, zero revenue loss - and gain some users that you would not have had otherwise. You may still need to look into Home or Student licensing, or offering a free trial or open limited version, but the fact is that in this case your "threat" would actually be helping you.

If the damage turns out to be huge, you can look into other strategies (possibly political - cannot legislation be changed to make prosecuting possible? - or technical - how about a dongle system? Only supplying live streams to authenticated users? Getting out your own incompatible viewing system? - these are all very costly options that would also impact diffusion, so you need hard data to justify even considering them).

Then, there being a damage does not mean that you accept it passively. Some parts of the damage could be contained or otherwise limited, reduced, or their impact lessened somehow.

You can proactively adopt strategies designed to defuse a part of the danger, or reflect it back on the source. Just shooting the wind here, but if you routinely release a lower quality version of a digital content after a fixed time from official release, you're bound to severely demotivate a significant fraction of illegal copiers (as well as, in some jurisdictions, make the case harder on those who do copy). This decreases availability of illegal copies and may increase revenue. That's one theory, of course: one would need to put it to the test. And then maybe experiment with different qualities and delays to see which is most effective. You could put bounties on whistleblowers: I remember an anti-piracy scheme in which you could turn a pirated license into a legal one at almost no cost, provided you could produce a proof of purchase of the pirated material. This did nothing against home piracy, but the risk of supplying software illegally to a small/medium business was enormous; whatever you charged for the software, you could never beat a zero cost license.

LSerni
  • Who is the Ancient Saw and how can I procure some more of his or her wisdom?! – Lightness Races in Orbit May 12 '16 at 10:42
  • That one is by Publilius Syrus, a Latin author (https://en.wikipedia.org/wiki/Publilius_Syrus). That and more e.g. here: https://books.google.it/books?id=EZJoSq45EPQC&lpg=PA114&ots=czn3CKBrsf&dq=&hl=it&pg=PA114#v=onepage&q=&f=false . I'm thinking about forking the EUR 18,76 for the ebook :-) – LSerni May 12 '16 at 11:32
  • Love the Latin...it's literally "It's stupid to fear what you can't avoid." – Chris B. Behrens May 12 '16 at 17:05
10

There are four basic strategies to control risks:

  1. Avoidance: Applying safeguards that eliminate or reduce the remaining uncontrolled risks for the vulnerability
  2. Transference: Shifting the risk to other areas or to outside entities
  3. Mitigation: Reducing the impact if the vulnerability is exploited
  4. Acceptance: Understanding the consequences and accepting the risk without control or mitigation

And 'Acceptance' is different from 'Ignorance'.

schroeder
Arief Karfianto
2

If there is a risk it will not simply vanish if you ignore it. If the risk is small enough it is unlikely that it will happen and you can probably ignore it. This is part of the usual risk management, i.e. there is no fully secure system.

But if the risk is large enough, ignoring it will be a bad idea. So while ignorance is in this case still a valid strategy, it can be considered a useless strategy. Addressing the risk would be better, i.e. in your example with DRM this could be a change of the business model or lobbying for changes to the legal system to reduce your own risk by increasing the attacker's risk.

Steffen Ullrich
  • I understand that the risk does not disappear. But isn't it better to be aware that nothing has been done to mitigate the risk because the cure, like changing laws, takes too long and is too expensive to do? Is it not better to be aware of a risk? If you must play, at least do so with all the facts on the table. At least I still have an eye out for new solutions. – joojaa May 12 '16 at 06:14
  • @joojaa: Maybe we have a different understanding of "ignoring". In my understanding you are not ignoring a risk if you are "only" aware of it, because in this case you still model your business to somehow adapt to this risk, i.e. make sure it does not affect you too much. Not every risk can or needs to be addressed by a technical solution. – Steffen Ullrich May 12 '16 at 06:48
1

You should not "ignore" a threat just because you cannot prevent it. Threats have two sides: the before, and the after. "After" still exists if you cannot do anything about "before".

For example, Denial of Service is very difficult to prevent. If a determined attacker with enough resources (or a stupid determined attacker with some resources) decides to get you, there's not a whole lot you can do beyond shut your site down, pay for a ton of extra bandwidth ahead of time, or hope your hosting provider/ISP will use some of their resources to help your situation.

You can, however, make some attempt to mitigate the effects should the Denial of Service happen. While pure websites cannot do much in this way, an example where such is possible is software that needs contact with a website. Say you have a program that stores data on a server. You could build in the capability to handle the site (or network, should the issue be on the user's end) being down by temporarily storing data locally and limiting functionality that would require new data to be downloaded.

This helps mitigate the effects of the Denial of Service on your software, even if you can do little to prevent it. Merely ignoring the threat would suggest you should not attempt such mitigation efforts.

Of course, there are cases where even effect mitigation is difficult or impossible. As I suggested, websites have little they can do aside from go down or run up the bandwidth bill while responding slowly. In this sort of case, perhaps "ignore" could be applied - although "accept you can do nothing to mitigate the issue" might be a more politic and verbose term for it.

To an extent, it's a matter of scale as well. If you run a huge IT/Web company, like say Google, you might have more options in the continued example of Denial of Service than Mrs. Smith's Pastries Online would, such as direct law enforcement involvement and various behind the scenes technical tricks.

I primarily used DoS as it is a classic example of a threat that is hard or impossible to prevent, but you could apply a similar process of reasoning to almost anything.

I think a point worth noting, since you mentioned DRM, is that sometimes your mitigation efforts might come with costs; in that case, it is decreased user satisfaction and bad PR. In some pure IT cases, it might be increased costs and poor performance. It's in weighing these costs that you might decide even the possible effects of a threat are worth it to ignore, at least until they prove to become a substantial problem.

1

Rather than ignore, I'd suggest you evaluate the threat, determine the losses, and determine the cost to defend against the threat.

If the cost to defend is higher than the losses, it's valid to choose to accept the threat's losses without developing a strategy to deal with the threat.

As others point out, though, there are many ways to manage threats that don't cost a lot. As an example, the DRM threat is managed using social pressure in the form of advertisements, "You wouldn't steal a car...", and well-publicized lawsuits suggesting users may be risking their finances if they break the DRM.

Some security researchers limit their defenses to primarily technical solutions, however there are many, many more tools available to the open-minded security threat researcher.

Adam Davis
0

Ignore is a pretty strong word, but I can tell you it is standard procedure in a lot of companies to avoid doing anything that would bring to light a threat that would be difficult to deal with.

The general policy in nearly all IT shops is to do "due diligence", which basically means to do the stuff you are supposed to be doing. Since very advanced attacks (Chinese APT etc) generally are not detectable by standard due diligence methods like installing AV on a computer, they are not easily handled by the typical IT department.

So, basically what this means is if somehow an APT intrusion is detected the company has to hire special, high expertise security consultants to solve the problem. This is VERY VERY expensive. So, the net outcome is that everybody is upset. The CEO is angry because of the money spent. The IT department looks bad because they let the thing happen in the first place. And, finally, even after the super pros sweep your system, there is no guarantee the intruders are still not present and have code on your network somewhere.

So, for all these reasons the average IT department does not even want to go there, so they avoid doing anything that would create problems like this. The general idea is that if it can't be detected by standard methods (AV and commercial IDS), then it doesn't exist as far as they are concerned.

Tyler Durden