computer security what it is, where it’s goingmdr/teaching/dss16/01-intro_nc.pdf · computer...
TRANSCRIPT
Security: protect values What values? • Money [economic security] But NOT ONLY MONEY. • Life and the quality of life.
• Privacy is a value in itself. • Good technologies vs. bad ones • Freedom, justice, etc…
Security ≥ Safety
Difference: protect against intentional damages...
Notion of an Attacker / Adversary. Notion of an Attack.
**Dimensions of Security
• Physical vs. Logical
• Psychological / Human vs. • Organizational / Business
very different!
Computer security: another def
What is security ? Inability to achieve: 1. Adversarial goal (security against what)
2. By means of: money, human resources, computing power, memory, risk, expertise, etc.. (resources of the adversary)
3. Access to the system.
Computer Industry and Security
Science background:
Tech Background: “Industry Standards” such as:
• Intel CPU and Chipset, • RAM and hard drives, • C language, • UNIX / Windows • TCP/IP, • HTTP, • TLS,
Computer Industry and Security
Science background: • What technology “enablers”(computers) and “disablers” (cryptology,HWSec) can/cannot achieve? • How to define / classify security problems and find “good” solutions
Computer Industry and Security
Social-econ background: things exist for a reason. “Nice or unpleasant” facts of life: • software/hardware economics:
• which industry dominates which • free market triumphs and disasters
• stupid humans that cannot be bothered to obey the policy… • bureaucratic organisations that just cannot get their best interest(?) right • nobody is buying/using the wonderful(?) technology academics/companies are creating, adoption barriers • theory vs. practice • crime war terrorism… • laws / regulations • etc…
insecure rubbish!
Who are the attackers? • Bored teenagers, • Petty criminals to organized criminals, • Foreign states, • Industrial spies, • Disgruntled employees, • Competitors, • Researchers, • Terrorists, • …
Attacker means • Software vulnerabilities
– Buffer overflow attacks – Insecure direct object references – SQL injection attacks – Javascript attacks (e.g., XSS) – Broken authentication, access control, and
session mgt • Security misconfiguration
Attacker means continued • Social engineering
– Phishing attacks • Traffic interception (e.g. wireless) • Hardware/physical attacks • Ingenuity, hard work, good luck, brute
force
Attacker motivation • Profits and other benefits
– Crime business, – Promoting legal security business,
• Political activism, terrorism • Enjoyment, fame, ego • Development of science and offensive
technology: – University researchers, (good/bad) – Security professionals (defenders) – Professional hackers, pen testers, etc…
Recent Trend: Rapid growth.
The industrialization of hacking: • division of labour, clear definition of roles • forming a supply chain • professional management
Why does commercial security fail?
Claim: the link between “money” and security is frequently broken today: – Security is a public good.
• “private” incentives are weak. – Worse than “market for lemons”:
• Not only the customer cannot see the difference between good security and bad.
Frequently the manufacturer cannot either.
Too frequently security (and our safety) remains something that money cannot buy…(money seems to work for cars, and to fail for computers)
The Very Nature of Security: Bruce Schneier “Beyond Fear” book [2003], p.1:
Critical to any security decision is the notion of security trade-offs, meaning the costs – terms of money, convenience, comfort, freedoms, and so on - that inevitably attach themselves to any security system. People make security trade-offs naturally.
Many costs are intangible and hard to trade for money: Paying attention, loss of freedom & privacy, being subject to unforeseen risks and consequences etc.
Why Things Happen? Bugs… or don’t care.
• Programming developed with absence of security. • C/C++ is unsafe • Security/cryptography research developed with obsession with
security. Both never met. • Economics/business:
– many things just don’t matter! – customers do not see => do not care about security – usability: user burden frustrates them.
Risk Management = 1+2 A risk is the potential for something bad to
happen (e.g., loss of C-I-A)
1. Measuring or/and assessing risks
2. Developing strategies and solutions to manage risks:
• reduce/avoid and • handle risks
**Risk Management contd…
handle risks risk retention risk transfer
contract… hedging
(e.g. insurance) (minimise exposure by some transaction)
Detection and Recovery Detect • Monitoring/logging • Tripwire • Anomaly analysis Recover • Incident management • Forensics • Change procedures • Install new technologies
Attack tree
but what about unknown attacks?
Get admin access
Abuse user account
Get Limited Access Escalate system privileges
1/10
Privilege escalation exploit #36
sub-goals refinement details
Expanded Example Get admin access
Become admin directly
Obtain legit. admin account
Obtain Sb’s credentials
login password
Abuse user account
Get user access Escalate privileges
1/100
Privilege escalation exploit #36 bribe
£1000
shoulder surfing
intercept
keyboard sniffer
1/10
guess / crack
reset
Weakest Link
Security like a chain:
Get Admin Access Become admin directly Abuse user account
1/100 1/10
easier!
Defense in Depth Security is layered
Crack Password spec secrecy
cipher secrecy
password hardness
getting the pw file
Conclusion:
In complex systems, the principles of weakest link and defence in depth will occur simultaneously.
Military vs. Commercial Military data security:
focus on secrecy, prevent leaks.
Commercial data security: integrity and authenticity:
prevent fraud.
Traditional military doctrine • Each country has 3 frontiers:
• land • sea • air, space
as a consequence they have 3 armies.
Now, we have a new frontier, the digital frontier. Shouldn’t we have a fourth army? • Would it be totally useless and waste of money?
• Arguably less than the 3 above (better technical education for young people).
Secrecy:
Very frequently an obvious business decision.
• Creates entry barriers for competitors. • But also defends against hackers.
Kerckhoffs’ principle: [1883]
Most of the time: incorrectly understood.
It doesn’t mean that companies should disclose their designs.
• Security when disclosed. • Better security when not disclosed.
Yes (2):
2) Basic economics:
these 3 extra months (and not more ")
are simply worth a a lot of money.
Yes (3):
3) Prevent the erosion of
profitability / barriers for entry for competitors / “inimitability”
Yes (4):
4) Avoid Legal Risks • companies they don't know where their code is coming from, they want
to release the code and they can't because it's too risky! • re-use of code can COMPROMISE own IP rights and create royalty
obligations – cloned/stolen code is more stable, more reliable, easier to understand!
When is open source security good?
• Cryptography – AES, RSA, SHA256 etc, heavily tested, not yet broken – Compare closed-source crypto
– Oyster card, car immobilisers, broken in months
Which model is better?
Open and closed security are more or less equivalent…
more or less as secure: opening the system helps both the attackers and the defenders.
Ross Anderson: Open and Closed Systems are Equivalent (that is, in an ideal world). In Perspectives on Free and Open Source Software, MIT Press 2005, pp. 127-142.
Key Question:
Is actively researching serious security vulnerabilities socially desirable?
- Of Course Yes! …will tell you every professional hacker
and every academic code-breaker…
Bruce Schneier [14 May 2008]: Problem: A hacker who discovers one [attack] can sell
it on the black market, blackmail the vendor with disclosure, or simply publish it without regard to the consequences.
Q: […] is it ethical to research new vulnerabilities? A: Unequivocally, yes. [according to Schneier] Because: • Vulnerability research is vital because it trains our
next generation of computer security experts. http://www.schneier.com/blog/archives/2008/05/the_ethics_of_v.html
Responsible disclosure
Researchers should disclose vulnerabilities to the system owners, and give them “reasonable time” to fix them.
especially if …these vulnerabilities are likely to be rediscovered Cf. E. Rescorla. “Is finding security holes a good idea?” In 3rd Workshop on the
Economics of Information Security (2004).
Benefits:
Disclosure creates incentives for fixing these vulnerabilities
Companies advertise bounties = rewards for finding bugs/vulnerabilities
Increasing freedom Freedom brings new technologies ⇒ More possibilities ⇒ More security problems…
Claim: Freedom → ∞ ⇒ Security → 0
Freedom ⇒ Security issues…
Examples: • invention of train/metro
⇒ threat of pickpockets • car traffic
⇒ major cause of death • invention of the internet
⇒ pirates and hackers • Unlimited exchange of data over the internet ⇒ unlimited security problems
Critics [Schneier]
Why security it is an after-thought? “Aftermarket security is actually a very inefficient way to spend our security
dollars; it may compensate for insecure IT products, but doesn't help improve their security”.
“Additionally, as long as IT security is a separate industry, there will be companies making money based on insecurity -- companies who will lose money if the internet becomes more secure.”
Why security is not built-in? “utopian vision”
Security is difficult, expensive and takes time…