
One Billion Attacks Per Day

Accurate data for cybersecurity threats is hard to come by. That doesn't mean you can just make it up...


Watch this episode on YouTube.

Reasonably Accurate Transcript

Morning. How's it going, everybody? I'm just going to double check that the streams are good and the level is good, and see if the YouTube stream kicks in. Yesterday's experiment seemed to go well; it seems like the YouTube stream is kicking in now, which is great.

Interestingly, it takes a little longer for the YouTube stream to kick in than on Facebook, but neither is instantaneous. It's all good. We're up and running now. It is Friday. Welcome to Mornings with Mark, episode 2323.

As always, you can hit me up, @marknca online. Happy to chat, shoot the breeze, see what's going on, and discuss the issues we're talking about here on the show.

So, a weird one today. Well, not necessarily weird, but one that may be touchy. Now, I'm going to pull this up in my browser just to make sure. So there was an article on CBC News this morning; I'll link to it below.

"Spy agency chief says new powers would help stop cyber attacks before they happen." So this is for Canada. The head of the CSE, which is one of our main spy agencies.

They are also responsible for cyber security within the Government of Canada. That is a responsibility that is expanding based on the latest federal budget, which is great. That's excellent. They should absolutely be in charge of defence.

They are arguing that they want more powers so that they can go on the offence. Now, if we look at the other models, the most prominent being the Americans, the NSA in the States is responsible for both offence and defence.

Let's just say that they don't have a stellar record. EternalBlue and the entire set of Eternal exploits that were behind WannaCry, NotPetya and a number of other outbreaks came, it's rumoured, from there.

I think it's a definitive conflict of interest. You cannot be responsible for both offence and defence, because, unlike in hockey, where a good two-way centre is invaluable and you'll pay through the nose for them,

when it comes down to cyber security and cyber offence, that means vulnerabilities, that means zero days, that means finding them. Defence is all about covering those up. So if your offence knows about them, it's not in their best interest to then push those out through responsible disclosure, which I'm a massive believer in, to get them resolved.

So I think there is a direct conflict of interest there. They can't live within the same agency. It's difficult enough within the same interest, which in this case is the Canadian interest or the American interest or whoever's interest is in play.

But that's not what I wanted to dive into in so much detail here. What I wanted to take exception to, or what I do take exception to, is one of the numbers quoted in this article.

So the head of the CSE, Greta Bossenmaier, came out and said the Canadian federal government is being hit up to a billion times a day. A billion. I had to just double check that: a billion times a day.

Holy crap. That's a lot. Where is it? And this is why I really got peeved, because they're saying there are 11,500 attacks per second on Canadian federal government systems, and to people who aren't aware of the technical nuances, that sounds like an insane amount.

That sounds like we are under constant barrage. Now, this is all coming from the article, so I need to go in and review the testimony directly.

I'm just looking at it right now. But essentially they said they're blocking over 1 billion malicious attempts to compromise government systems on average per day. That's what they told the committee, and it could include everything from minor pokes to assess the strength of the system, to malware, to dedicated hacking. 1 billion attempts per day.

So why does this frustrate me? This frustrates me because it is disingenuous. If you are unaware of the technical nuances, it sounds like a ridiculous amount. It sounds like a torrent of activity.

It sounds like wave after wave of threat against government systems, and it may be, but it is most likely not. And this is where I think it is beholden to us, with the knowledge, with the forensic capabilities, to educate the public, and in this case to educate the government, to let them know what the actual challenge is here.

So I ran a quick test this morning. I spun up a server for an hour and I left it wide open. It wasn't doing anything. It literally was running nothing other than the base OS.

And I set up a bunch of rules around the firewall within that server to log every connection attempt. I filtered out my personal attempts, and guess what? I was attacked. I was attacked constantly.

In fact, over the course of the day, if I'd left that server up and running, I would have been attacked 14,500 times. That's one attack every six seconds. It's a lot, isn't it?

It's not. It's background noise. So when you do the math, just based on this random background noise, it turns out that, if the 1 billion figure is true, and the numbers generally scale, and based on my experience they generally do,

if the government has about 70,000 servers, which it does, this is just background noise. A billion attempts per day could be absolute background noise. And the flip side of this is that these are attempts that you know about, which means you blocked them, which means your defences did the job.

So why do you need to freak out about these? Because you've logged them. That means your firewall saw them, or your IPS saw them, and stopped them.

And so you know about them. The ones that you don't know about are the real problem. Or, more important, is the stat that the government pushes out every year about the number of data breaches that have occurred, whether from malicious intrusions or from pure accident.

That is a far more important stat. And last time I checked, that was hovering around 5,000 incidents per year. I will pull that up, and I'm going to write this up. Maybe push it out as an op-ed somewhere.

It really depends, but it's frustrating, because this is a challenge. We're seeing this at the nation level, and I'm calling this out simply because of the CBC article. But this is a challenge that CISOs face every day when they're trying to go in and talk to their board, and they're trying to give metrics about the value of what they do.

What do they do? What's the value of what you bring? And they pull up this crazy number, right? In this case, a billion attempts per day. It doesn't mean anything. It's not a valuable metric.

And if you're measuring this, or you're trying to use this to scare people, you are actually doing yourself a disservice, because there are far more valuable metrics that you could be tracking. There are far more impactful metrics, like the number of citizen records that were at threat based on data breaches.

That's a huge thing. But that won't support the case of trying to go out and argue for more offensive capabilities. Now, don't get me wrong. I fully support the agency's current assigned mission.

Let me rephrase this. I fully support the agency, given their current assigned mission, arguing for more resources. This is the same thing that we want law enforcement to do. So, law enforcement, the RCMP, arguing about the fact that they need the ability to break encryption:

I like the fact that they're arguing for that. I completely disagree with them, and I would not support it in a second, but it's their job to argue for as many tools as they can to accomplish the mission they've been given.

What we as citizens need to do is ensure that they've been given the right mission and that they have rules and laws, that they have laws and regulations and policies in place, to make sure they execute that mission within the parameters we want.

So it's multi-layered, multifaceted here. But what really ticked me off this morning was this 1 billion number. Because I'll tell you, my little server that's doing nothing, that doesn't even have information of value on it, was getting attacked 15,000 times per day.

So if I put up something with value, I'm sure it would get attacked more. This is just the background noise of the internet. So it's a scary number. It's meant to scare. It doesn't mean squat.

So what do you think about metrics? Metrics are a whole different ballgame, and very difficult to pull off effectively; they have been a challenge since the institution of security teams within organizations. Let me know, @marknca.

Hit me up in the comments down below. I'd love to hear your thoughts on this, because I know it's a contentious issue. Listen to me on a Friday; I'm getting a little riled up on it myself.

I can only imagine your reaction. Let's discuss. Hit me up and we'll talk it through. I think it's a really important thing, and we absolutely need to hash this out. Have a great day and have an excellent weekend.

We'll see you on Monday.
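The one-hour measurement described in the transcript (log every inbound connection attempt on an idle server, drop your own traffic, extrapolate to a day, and compare against the headline figure split across roughly 70,000 servers) can be reproduced with a short script. The block below is an added example for this page, not Mark's own script or any code from the episode. The iptables rule, the `NOISE:` log prefix, the operator address, the 70,000-server figure as an input, and the log lines themselves are all assumptions constructed for the example (RFC 5737 test addresses, not a real capture).

```python
"""Reproduce the background-noise measurement from the transcript.

Assumed setup (not stated on the page): a freshly built host running
nothing but the base OS, with an iptables rule that logs every new
inbound connection attempt to the kernel log before the default policy
drops it, for example:

    iptables -A INPUT -m conntrack --ctstate NEW -j LOG --log-prefix "NOISE: "

The sample below is constructed data in the kernel LOG line format.
"""
import re
from collections import Counter
from datetime import datetime

# The operator's own address, whose probes are excluded (assumed value).
MY_IP = "203.0.113.7"

# Constructed sample: eleven attempts spread over a 60-second window,
# one of them from the operator's own address.
SAMPLE_LOG = """\
Jun 15 09:00:00 host kernel: NOISE: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=45000 DPT=22 SYN
Jun 15 09:00:04 host kernel: NOISE: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51000 DPT=22 SYN
Jun 15 09:00:09 host kernel: NOISE: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=40001 DPT=445 SYN
Jun 15 09:00:15 host kernel: NOISE: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=45001 DPT=22 SYN
Jun 15 09:00:21 host kernel: NOISE: IN=eth0 OUT= SRC=192.0.2.200 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=33000 DPT=23 SYN
Jun 15 09:00:28 host kernel: NOISE: IN=eth0 OUT= SRC=198.51.100.91 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Jun 15 09:00:33 host kernel: NOISE: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=45002 DPT=22 SYN
Jun 15 09:00:40 host kernel: NOISE: IN=eth0 OUT= SRC=192.0.2.55 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=60000 DPT=3389 SYN
Jun 15 09:00:47 host kernel: NOISE: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=40002 DPT=445 SYN
Jun 15 09:00:53 host kernel: NOISE: IN=eth0 OUT= SRC=192.0.2.200 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=33001 DPT=23 SYN
Jun 15 09:01:00 host kernel: NOISE: IN=eth0 OUT= SRC=198.51.100.120 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=52000 DPT=22 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: NOISE: (?P<kv>.*)$"
)


def parse_log(text):
    """Turn kernel LOG lines into dicts with ts, src, proto and dpt.

    Lines without the NOISE prefix are ignored; entries with no
    destination port (e.g. ICMP echo) get dpt=None.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # strptime defaults the year to 1900; only time differences are used.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
        events.append({
            "ts": ts,
            "src": fields.get("SRC"),
            "proto": fields.get("PROTO"),
            "dpt": int(fields["DPT"]) if fields.get("DPT") else None,
        })
    return events


def summarize(events, my_ip):
    """Count attempts from everyone but the operator and extrapolate to a day."""
    hits = [e for e in events if e["src"] != my_ip]
    if not hits:
        return {"attempts": 0, "unique_sources": 0, "per_day": 0.0,
                "seconds_per_attempt": None, "top_targets": []}
    window = (max(e["ts"] for e in hits) - min(e["ts"] for e in hits)).total_seconds()
    window = max(window, 1.0)  # guard against a one-line capture
    return {
        "attempts": len(hits),
        "unique_sources": len({e["src"] for e in hits}),
        "per_day": len(hits) * 86400 / window,
        "seconds_per_attempt": window / len(hits),
        "top_targets": Counter((e["proto"], e["dpt"]) for e in hits).most_common(3),
    }


def per_server_share(total_per_day, servers):
    """Split a fleet-wide headline figure over an assumed server count."""
    return total_per_day / servers


if __name__ == "__main__":
    stats = summarize(parse_log(SAMPLE_LOG), MY_IP)
    print(f"{stats['attempts']} attempts from {stats['unique_sources']} sources, "
          f"one every {stats['seconds_per_attempt']:.1f} s "
          f"-> {stats['per_day']:,.0f} per day on an idle host")
    print(f"headline figure spread over 70,000 servers: "
          f"{per_server_share(1e9, 70_000):,.0f} per day each")
    print("most probed:", stats["top_targets"])
```

On the constructed sample the idle host extrapolates to 14,400 attempts per day, one every six seconds, while the one-billion headline divided by 70,000 servers comes to about 14,286 per server per day, which is the comparison the transcript makes. The per-day rate is a straight linear extrapolation of the capture window, so a real run should span at least the full hour and, ideally, a weekday and a weekend slice before it is quoted.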
