Home Blog Device Evaluation How to determine the cost of an attack objectively?

How to determine the cost of an attack objectively?

Author: Riscure Team

Setting priorities right is very important when it comes to security. As a developer of a software and/or hardware solution, you simply cannot chase every single bug or design issue. A common way to solve this challenge is to look at your development from an attacker’s perspective. If you know how your device or program can be attacked, you can work on countermeasures. However, there are many ways to attack, and this has to be prioritized further.

For every attack there is a cost-benefit ratio: if the cost outweighs the benefits, an attacker is less likely to proceed. But how to objectively determine what is the cost of an attack? One possibility is to follow the methodology proposed by the JHAS group, namely the Application of Attack Potential to Smartcards and Similar Devices. Although this document was created with Smartcards in mind, with strong certification requirements and robust security mechanisms in place, the methodology is actually applicable to any software or hardware development.

Based on this methodology, we have created a simple tool to prioritize different attack scenarios according to their properties. You can access the tool here.

The methodology evaluates two stages of an attack: Identification and Exploitation. It is often much harder to find and exploit a vulnerability for the first time, and much easier to utilize the exploit later. For example, an attacker could spend a lot of time and require specialized tools to develop an exploit. After this exploit is published, it can be used by other adversaries with lower skills. For both Identification and Exploitation phases you can indicate the time and knowledge needed to achieve a goal. The number of product samples usually applies to hardware devices only. In this scenario an attacker may need a large number of devices to understand their points of vulnerability. For a software product this is usually not applicable, which you can indicate when filling out this chart.

The result is the score that indicates how resistant your solution is against a certain attack scenario. Typically, the score is used in the certification process, when ‘basic’ attacks should be avoided. Even if you don’t have to certify, you can understand, what skills are required to successfully compromise your hardware or software. Attacks with higher score (and time/skills needed) are less likely to be conducted. And that is what allows you to prioritize.

This evaluation is one of the examples of a structured approach to embedding security practices in your development process. Riscure is developing security training that not only explains typical attacks and vulnerabilities, but also allows you to implement such routines to devise a high-level approach to security. The examples of courses that cover this topic are Secure Coding Fundamentals, Online SCA, and FI courses.

Share This