Table 1 includes only the direct costs. There are also indirect costs, including increasing frustration on the part of computer users, increased time spent on working with necessary security measures, lost business opportunities, and a tarnished reputation.

Worldwide, cyber crimes have cost in the neighborhood of $388 billion in 2010, according to the 2011 Norton Cybercrime Report (Norton, Inc., 2011). This figure includes both direct and indirect costs, and is a staggering amount. And unfortunately, this figure has only been increasing for the past several years, with no sign of major improvement.

**8. Interested parties**

The list of interested parties has grown in direct proportion to the number of connected entities. It would probably be much easier to list those who need not be concerned with cyber crime, because IT has become an integral part of companies, government agencies, the military, our infrastructure (including water, electricity, roads, bridges, natural gas, etc.), health care, research, and our personal lives, and because a very large portion of all IT is now connected via the Internet. Anyone who has any device connected via the Internet, and this includes cell phones, MP3 players, computer gaming equipment, and ALL forms of computers, should be concerned about cyber crime. All of these devices have fallen victim to cyber crime, and it is unlikely that this will change.

Perhaps the parties most difficult to convince of this are the general public. Only a small percentage of the population is deeply aware of how easily the security of their connected devices can be compromised. And because only a small percentage are affected by cyber crime each year, the general public remains relatively uncommitted to deploying the latest and best security software. As long as this remains true, it is inevitable that cyber crime will continue to increase.

**9. Outstanding issues**

The most difficult issue in any defensive endeavor is knowing what to defend against. One of the most famous large investments that failed to protect against the real risk was the Maginot line. It was a set of fortifications and tank obstacles designed to give the French time to mobilize. The line proved useless for defending France because the Germans simply conquered Belgium and went around the defenses. This led to the adage that "generals always fight the last war, especially if they have won it" (Kemp, 1988). Unfortunately there are numerous examples of companies that sit behind their line of firewalls believing that they are safe while the enemy simply goes around their defenses.

The canonical example of this class of problem in cyber-security is called a "zero-day exploit". An exploit is actual code that acts on a vulnerability or combination of vulnerabilities. A zero-day exploit is an exploit that takes advantage of vulnerabilities that are unknown or considered to pose insufficient risk to worry about; then a malefactor builds an automated exploit and hundreds or thousands of computers are compromised in a few hours. The compromised computers join a botnet. We can see that an opponent that exploits a vulnerability the first time has the advantage of surprise. No matter how rapid the response by software developers and security vendors to a zero-day exploit, the black hats have a significant window of opportunity to attack vulnerable systems until a remediation and/or a signature for the malware is deployed to the defenses on the platform. Cybersecurity will always be a race between malefactors who want to compromise systems and the vendors, developers, and legitimate users of computing systems who want to secure their systems.
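The "window of opportunity" described above can be made measurable. The following added example (not from the original paper) models a single vulnerability's timeline with three phases a defender cannot collapse to zero: the zero-day phase (exploited, vendor unaware), the pre-patch phase (vendor aware, no fix), and the unpatched phase (fix available, not yet deployed on a host). The vulnerability name, dates and hosts are constructed placeholders.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class Vulnerability:
    name: str
    first_exploited: date   # attacker starts using it: start of the zero-day window
    vendor_aware: date      # vendor/defenders learn of the flaw
    patch_released: date    # remediation becomes available

@dataclass(frozen=True)
class Host:
    name: str
    patched_on: Optional[date]  # None: the fix was never deployed on this host

def exposure_phase(vuln: Vulnerability, host: Host, day: date) -> str:
    """Classify where a host sits in the attacker's window on a given day."""
    if day < vuln.first_exploited:
        return "not_exploited"
    if host.patched_on is not None and day >= host.patched_on:
        return "remediated"
    if day < vuln.vendor_aware:
        return "zero_day"   # exploited while defenders are unaware: pure surprise
    if day < vuln.patch_released:
        return "pre_patch"  # defenders aware, but no remediation exists yet
    return "unpatched"      # remediation exists but is not deployed on this host

def exposure_days(vuln: Vulnerability, host: Host, as_of: date) -> int:
    """Number of days (through as_of) on which the host was exploitable."""
    end_exclusive = as_of + timedelta(days=1)
    if host.patched_on is not None:
        end_exclusive = min(end_exclusive, host.patched_on)
    return max(0, (end_exclusive - vuln.first_exploited).days)

def fleet_snapshot(vuln: Vulnerability, hosts: list, day: date) -> Counter:
    """How many hosts are in each phase on a given day (a defender's fleet view)."""
    return Counter(exposure_phase(vuln, h, day) for h in hosts)

# Constructed sample timeline: 9 days of zero-day, 10 days waiting for a patch.
VULN = Vulnerability("VULN-PLACEHOLDER", date(2024, 3, 1), date(2024, 3, 10), date(2024, 3, 20))
FLEET = [Host("fast", date(2024, 3, 21)), Host("slow", date(2024, 4, 15)), Host("never", None)]

if __name__ == "__main__":
    for h in FLEET:
        print(h.name, exposure_days(VULN, h, date(2024, 4, 30)), "exploitable days")
    print(fleet_snapshot(VULN, FLEET, date(2024, 3, 25)))
```

Even a host patched on the day the fix ships still accumulates the zero-day and pre-patch days, which is the irreducible part of the race the text describes.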

A major hurdle is that decision makers often think like the French government before WWII: they believe their large investment in firewalls will protect them, while the reality is that new software and hardware are continuously being deployed to add functionality and remediate vulnerabilities, and no static defense can provide protection in a dynamic environment. Experience teaches that the fixes often create new vulnerabilities. At the same time, malefactors are continuously searching for vulnerabilities and creating exploits for the vulnerabilities that they isolate. Thus the problem becomes one of continuously defending a relatively slowly changing target from an unknown, rapidly moving and evolving attacker.

In the current world of IT, attackers have a huge advantage. The majority of machines deployed in businesses and homes run the same platform software. Microsoft platforms got the reputation for having poor security because their platform provided a large set of targets that made the value of an exploit much greater. Finding vulnerabilities and developing exploits is a technically demanding and uncertain process. A large monoculture to attack provides the incentive to invest in exploits. There is now an active underground market in zero-day exploits that are sold to the highest bidder. An active market provides incentives for skilled individuals to invest time and expertise to create "products" that are in demand.
