A crime against statistics that is probably worse than the cyber attacks faced in County Durham

Posted by   Martijn Grooten on   Feb 21, 2018

Tomorrow, I will give a talk entitled "Don't know much about security" at the offices of ENISA, the EU's agency for network and information security.

Despite the title, the talk will not be about myself; rather, it will be about the fact that there are many aspects of security that we simply don't understand well – from the size of many botnets and attacks to the attribution of prominent threats.

What is worse is that we often claim to know more about things than we really do. A typical, if fairly extreme, example of this is a recent report by UK organisation Big Brother Watch that claims that local councils in the UK "have been subjected to over 98 million cyber attacks in the past five years".

That is a very large number, and anyone working in security will immediately understand that the authors of the report probably used a very weak definition of what counts as an attack.

Curious, I started reading the report (pdf), and I learned that the researchers had simply asked all local councils how many attacks they had faced in the past five years. Many reported zero or one attack, while a few reported numbers that were significantly larger.

For example, sysadmins at Somerset County Council said they received some 30,000 attacks a month, in Portsmouth the total for the period was 463,000 attacks, while in Essex they have recorded an incredibly precise number of 731,910 attacks in five years.

But all of that is trivial compared to what the sysadmins at Durham County Council have had to endure: they reported no fewer than 1.3 million attacks per month. This adds up to 78 million attacks in a five-year-period, and thus accounts for more than 80% of the attacks reportedly faced by UK local authorities.

durhamcyberattacks.png

Now, it is possible that Durham County Council is of particular interest to attackers. Far more likely, however, is that the question was simply interpreted differently by the different respondents and that, for County Durham, this number included spam emails or port scans. To say that it is a bit odd simply to add up all these numbers is an understatement.

Of course, these kinds of 'crimes against statistics' are hardly unique to security, and I am not too concerned about the fact that the number might be wrong: what matters is that the number is useless.

Local authorities, like all organisations, suffer cyber attacks, and one might wonder whether they are being attacked more than the average organisation. One might also wonder whether there is a particular trend over time, or whether certain local authorities (such as the larger or more prosperous ones) suffer more attacks than others.

However, none of these questions are addressed in the report, which merely produces a big number. Security reports often contain such big numbers, and even when the methodology used to produce them is sound, it is rare for these numbers to have any meaning at all. All they do is scare people into believing that the state of security is bad. We can do much better than that, and we ought to.

As for Durham County Council, there is a silver lining: despite the 78 million attacks the authority faced, its sysadmins also reported that they didn't experience a single cybersecurity incident. Their neighbours in Hartlepool, who were only attacked twice, did have an incident to report.

durhamcountycouncil.png

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

VB2018 paper: Office bugs on the rise

At VB2018 Sophos researcher Gábor Szappanos provided a detailed overview of Office exploit builders, and looked in particular at the widely exploited CVE-2017-0199. Today we publish his paper and release the video of his presentation.

VB2018 video: The Big Bang Theory by APT-C-23

Today, we release the video of the VB2018 presentation by Check Point researcher Aseel Kayal, who connected the various dots relating to campaigns by the APT-C-23 threat group.

VB2019 London - join us for the most international threat intelligence conference!

VB calls on organisations and individuals involved in threat intelligence from around the world to participate in next year's Virus Bulletin conference.

VB2018 paper: Tracking Mirai variants

Today, we publish the VB2018 paper by Qihoo 360 researchers Ya Liu and Hui Wang, on extracting data from variants of the Mirai botnet to classify and track variants.

VB2018 paper: Hide'n'Seek: an adaptive peer-to-peer IoT botnet

2018 has seen an increase in the variety of botnets living on the Internet of Things - such as Hide'N'Seek, which is notable for its use of peer-to-peer for command-and-control communication. Today, we publish the VB2018 paper by Bitdefender…

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.