Carnegie Mellon University
System Security and U.
Rich Pethia
Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213
This work is sponsored by the U.S. Department of Defense.
CERT Coordination Center
The SEI established the Computer Emergency Response Team Coordination Center in 1988.
The CERT/CC’s mission is to respond to security emergencies on the Internet, serve as a focal point for reporting and resolving security vulnerabilities, serve as a model to help others establish incident response teams, and raise awareness of security issues.
Activity
Since 1988, the CERT/CC has responded to over 100,000 security incidents that have affected hundreds of thousands of Internet sites, has worked over 5000 reported vulnerabilities, and has issued hundreds of advisories and bulletins. In addition, the CERT/CC has helped foster the creation of over 90 other incident response teams.
The Internet has Become Indispensable to Business, Government, Universities
The Internet allows organizations to:
•conduct electronic commerce
•provide better customer service
•collaborate with business & research partners
•reduce communications costs
•improve internal communication
•access needed information rapidly
The Risks
While computer networks revolutionize the way you do business, the risks computer networks introduce can be fatal to a business.
Network attacks lead to lost:
•money
•time
•products
•reputation
•lives
•sensitive information
Incidents Reported to CERT/CC
(Chart: incidents reported per year, 1988 through 2001; vertical axis 0 to 60,000.)
Vulnerability Reports are Increasing
(Chart: vulnerabilities reported per year, 1995 through 2001; vertical axis 0 to 3000.)
Surveyed Companies Identify Risks - 1
Activity                      2000     2001
Detected security breaches    90%      85%
Financial losses              70%      64%
Average loss                  $1M+     $2M+
Vandalism                     64%      90%
Source - Computer Security Institute/FBI Survey
Attacks
Surveyed Companies Identify Risks - 2
Activity                      2000     2001
Insider attacks               71%      31%
Internet attacks              59%      70%
Denial of service             27%      38%
2 to 5 incidents              35%      21%
10+ incidents                 19%      58%
Source - Computer Security Institute/FBI Survey
Attacks
How Did We Get Here?
The Problem
In the rush to benefit from using the Internet, organizations often overlook significant risks.
•the engineering practices and technology used by system providers do not produce systems that are immune to attack
•network and system operators do not have the people and practices to defend against attacks and minimize damage
•policy and law in cyber-space are immature and lag the pace of change
Strain on System Administrators - 1
There is continued movement to complex, client-server, peer to peer, and heterogeneous configurations with distributed management.
There is little evidence of security improvements in most products; new vulnerabilities are found routinely.
Comprehensive security solutions are lacking; current tools address only parts of the problem.
Strain on System Administrators - 2
Engineering for ease of use has not been matched by engineering for ease of secure administration
•ease of use and increased utility are driving a dramatic explosion in use
•system administration and security administration are more difficult than a decade ago
•this growing gap brings increased vulnerability
Other Reasons for Concern
Many security audits and evaluations only skim the surface of the organization and its technology; major risks are often overlooked.
Lack of understanding leads to reliance on partial solutions.
More Sophisticated Intruders
Intruders are
•growing in number and type
•building technical knowledge and skills
•gaining leverage through automation
•building skills in vulnerability discovery
•becoming more skilled at masking their behavior
Attack Sophistication vs. Intruder Technical Knowledge
(Chart, 1980 to 2000: two series, Tools and Attackers, plotted against Attack Sophistication and Intruder Knowledge on a Low to High scale. Labelled points, in chart order: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, “stealth”/advanced scanning techniques, burglaries, network mgmt. diagnostics, DDOS attacks, network worms.)
So What?
It’s going to get worse - 1
Explosive growth of the Internet continues
•where will all the capable system administrators come from?
Market growth will drive vendors
•time to market, features, performance, cost are primary
•“invisible” quality features such as security are secondary
It’s going to get worse - 2
More sensitive applications connected to the Internet
•low cost of communications, ease of connection, and power of products engineered for the Internet will drive out other forms of networking
•hunger for connectivity, data and benefits of electronic interaction will continue to push widespread use of Internet technology
It’s going to get worse - 3
The death of the firewall
•traditional approaches depend on complete administrative control and strong perimeter controls
•today’s business practices and wide area networks violate these basic principles
-no central point of network control
-more interconnections with customers, suppliers, partners
-more network applications
-“the network is the computer”
-who’s an “insider” and who’s an “outsider”
What Can You Do Now?
Establish a Context-Sensitive Risk Management Process
(Diagram. Inputs: Environment, Technology, Staffing, Threats, Security Requirements, Applications of Technology, Security Incidents. Phases: Identify (Self-Directed Assessment): critical assets, organization issues, technology issues, vulnerabilities; Analyze and Prioritize: mission & asset value data, threat data, prioritized risks; Mitigate: mitigation plans covering technology, practices, and organization improvements.)
Assessment & Planning
Need
Effective security management programs must be sensitive to organizations’ goals and constraints.
Key Ideas
Identify critical assets (data, software, services, reputation) and protection requirements
Identify solution constraints: policy, regulation
Assess organization and technology against requirements
Develop strategy and plan to address deficiencies
How
Match responsibility with authority
Identify a core group to facilitate the process
Systematically walk through the steps with participation from all parts of the organization
Develop actionable plan
Implementation
Need
Pervasive understanding of security policy, management practices and technical practices
Key Ideas
Organizations can improve the security & survivability of networked systems by adopting security policies and practices
It’s simple, but it’s not easy
How
Translate actionable plan into policies and practices
•borrow heavily from published work
•assign roles & responsibilities
Document, train, refresh
Check up, measure, enforce
Crisis Management
Need
Organizations need to build and mature a computer security incident response capability
Key Ideas
Anticipate problems and desired outcomes
Pre-plan actions
Maintain ongoing awareness of evolving threats & vulnerabilities – adjust action plan accordingly
How
Establish organizational focal point
Identify action plans for likely scenarios
Capture lessons learned & update plans
Get Plugged In
Need
Many of today’s solutions won’t work tomorrow.
Key Ideas
Structured networking helps organizations stay on top of a dynamic and rapidly changing problem
Sharing lessons learned leads to better practices and policies
How
Identify networking opportunities (ISA, ISACs, ISSA, InfraGard, I4, FIRST, etc.)
Plug in to group(s) of choice
Participate!
CERT Contact Information
24-hour hotline: +1 412 268 7090
CERT personnel answer 8:30 a.m. to 8:00 p.m. EST (GMT-5) / EDT (GMT-4), and are on call for emergencies during other hours.
Fax: +1 412 268 6989
Web site: http://www.cert.org/
Electronic mail: [email protected]
US mail: CERT Coordination Center, Software Engineering Institute, Carnegie Mellon University, 4500 Fifth Avenue, Pittsburgh PA 15213-3890 USA