Outline. IT Security: General Trends and Research Directions. Technical Attacks. Typical attack. Automated attacks via Worms, Trojans, & Viruses

Transcription

1 Outline IT Security: General Trends and Research Directions Sherif El-Kassas Department of Computer Science The American University in Cairo Practical considerations Academic and research perspective National perspective Practical considerations Types of attacks on the IT infrastructure Technical Physical Social Technical Attacks ~ 80% Considered the easiest to defend against (easiest doesn't mean easy) The remaining ~ 20% are difficult! Examples include forms of technical hacking, automated attacks, Malicious software, etc. Typical attack Automated attacks via Worms, Trojans, & Viruses ncident and ulnerability rends

2 The Slammer worm! The fastest mass attack in history It doubled in size each 8.5 seconds It infected 90% of vulnerable systems in 10 minutes! Slammer after a few minutes D. Moore and others, Inside the Slammer Worm, IEEE Security & Privacy, July/August, 2003 Geographic Distribution Flash Worms [ ] infecting 95% of hosts in 510ms, and 99% in 1.2s. Staniford and others, The Top Speed of Flash Worms, ach/papers/2004/tops peedworms/ D. Moore and others, Inside the Slammer Worm, IEEE Security & Privacy, July/August, 2003 Google worms Physical Attacks Combine physical and technical intrusions High risk for attacker, but may provide quicker access to sensitive resources Examples include: trashing, hardware loggers, etc. inurl:id= filetype:asp site:gov 572,000 results The Hacking Evolution: New Trends in Exploits and Vulnerabilities,

3 Social & Semantic Attacks Rely on attacking the users of the systems, using social engineering, and possibly assisted with technical tools Reported to be the most effective and low risk (from the attacker s s point of view) Examples include fake web sites, phishing,,..etc. Phishing & Semantic Attacks

4 SD Please update your billing information by clicking [ ]:[ <a href=" RedirectToDomain&DomainUrl= goens.net/. /" onmouseout="status='';return true" target=_blank onmouseover="status= ="status= billing.ebay.com/';return true"> billing.ebay.com/</a> What are we doing about the threat! Technologies and Tools Perspective to security: Prevention What are we doing about the threat! Perspective to security: What are we doing about the threat! Layered view of information security Security = Prevention + Detection + Response Data & Information Applications System Network

5 Products are Necessary, but not Sufficient! Security is a Process A Security Process Assessment and Risk Analysis Auditing Policies and Procedures Security Quality Standards Implementation and deployment Security Architecture ISO17799 / BS Business Continuity Planning 2. System Access Control 3. System Development and Maintenance 4. Physical and Environmental Security 5. Compliance 6. Personnel Security 7. Security Organization 8. Computer & Network Management 9. Asset Classification and Control 10. Security Policy Common Criteria for Information Technology Security Evaluation Rooted in the Orange book or the DoD Trusted Computer System Evaluation Criteria ISO

6 Academic & research perspective: Future Directions and Issues National Perspective Ken Thompson: on Trusting Trust T R U S T The moral is obvious. You can't trust code that you did not totally create yourself.. (Especially( code from companies that employ people like me.) [ ] A well installed microcode bug will be almost impossible to detect.

7 Research and Development Cryptology Cryptography Theoretical research: number theory, algebraic geometry, complexity theory, graph theory, etc. Research for the development of new (or bespoke) ) cryptographic algorithms and protocols Cryptanalysis tools research (e.g., grid computing) Security Policy Models Fundamentals of security models (e.g., Multi level vs. multi lateral security) National (possibly government) security policy models Evaluating and auditing methodologies for national and established models (e.g., ISO 17799, and CC / ISO 15408) Computing models Failure resistant systems Digital immune systems (and anti virus systems) AI and NN applications Security management and system development issues Incremental and Agile development methods (Iterative, XP) Threat modeling and risk analysis (threat trees,..etc.) Good opportunity for interdisciplinary research with economics Applications and use of formal methods in security (BAN logic, B, Z,..etc.)

8 Hardware and physical security related issues Engineering embedded hardware security devices (e.g., ARM processor core like systems) Tamper resistant/evident systems Emission and tempest security Resisting High-power microwave Firewalls and network isolation Distributed firewall systems The use of agent technologies Application level firewalls for Web services and similar technologies Firewalls to face challenges paused by new technologies: IP telephony, wireless networks, etc. Intrusion Detection and Prevention High performance IDS systems Applications of NNs, GAs,, and other AI techniques Applications of data mining Statistical modeling and correlation Authentication and access control Biometrics Smartcards Other systems (secure hardware!) Application security Education IDS/IPS for applications Libraries and design patterns More.. Research aimed at better understanding attack technologies and trends National Honynet like project Large scale data collection and statistical trend analysis research Vulnerability research

9 Other issues Computer Forensics Telecommunications security Systems, Metering, Signaling, Switching Mobile phone security (cloning, GSM security, etc.) Secure hardware PKI & PMI Legal issues Conclusions Security is a wide and challenging field Developers: Look for shifts The phone is the computer The application is the security problem Web services and virtual computing Think services Researches: Risk modeling Fundamental issues Don t t be swayed by fads Government: Adopt standards and security process Diversify Think in terms of threat pyramids Manage trust Encourage R&D Links: Questions? sherif@aucegypt.edu asrt/ IEEE 16th IEEE Computer Security Foundations Workshop (CSFW'03) 19th Annual Computer Security Applications Conference Foundations of Intrusion Tolerant Systems (OASIS'03) 2003 IEEE Symposium on Security and Privacy ACM Conference on Computer and Communications Security New Security Paradigms Workshop Wireless Security Workshop On Xml Security Recent Advances in Intrusion Detection symposium.org/