Who Are The Enemies? What Can They Do?

Transcription

1 Who Are The Enemies? What Can They Do? Internet Software Security Issues in the Software Development Process Dr Charles P Pfleeger Pfleeger Consulting Group chuck@pfleeger.com

2 Overview WAMPS Workshop Anual do MPS 2

3 Overview Security Process Many Kinds of Threat Agents Countering Threats Software Process Improving Security in Software WAMPS Workshop Anual do MPS 3

4 What Developers Should Know about Security WAMPS Workshop Anual do MPS 4

5 What Developers Should Know about Security Security is not automatic People and situations are hostile Security can be tricky No magic technique or checklist leads to security BUT security can be compatible with good development processes WAMPS Workshop Anual do MPS 5

6 Security Considerations Goals Threats and Vulnerabilities Method + Opportunity + Motive Controls WAMPS Workshop Anual do MPS 6

7 What Security Is Confidentiality information available for reading only when authorized Integrity information available for modification only when authorized Availability information available for use when authorized

8 Threat Sources WAMPS Workshop Anual do MPS 8

9 Threat Sources Natural Fire, flood, hardware failure Human Unintentional Errors (accidental file deletion) Omissions (missing data) Intentional Outsiders Insiders WAMPS Workshop Anual do MPS 9

10 Method + Opportunity + Motive WAMPS Workshop Anual do MPS 10

11 Method + Opportunity + Motive Method tools, techniques, knowledge Opportunity access, ability work factor: difficulty, time Motive reason (if any) WAMPS Workshop Anual do MPS 11

12 Types of Harm WAMPS Workshop Anual do MPS 12

13 Types of Harm Confidentiality Reveal private data Integrity Damage or delete data Availability Denial of access or service WAMPS Workshop Anual do MPS 13

14 Controls Physical Guards, fences, sprinklers Administrative Logical Policies, laws Technical Devices (login tokens) Software (intrusion monitors) Combinations (network monitoring) WAMPS Workshop Anual do MPS 14

15 Why Security is Hard (1) The defender must counter all threats; an attacker needs only one vulnerability Developers can introduce/allow flaws without knowing it Testing may not demonstrate security Harm can come from intentional or unintentional causes WAMPS Workshop Anual do MPS 15

16 Why Security is Hard (2) Is 1000 the same as 1,000? Is invisible text acceptable? Does efficiency or inefficiency matter? Does order matter? WAMPS Workshop Anual do MPS 16

17 Why Security is Hard (3) How can you demonstrate protection? How can you justify spending for security? Security is not just a set of features WAMPS Workshop Anual do MPS 17

18 Security Conclusions WAMPS Workshop Anual do MPS 18

19 Security Conclusions No one person or group alone can be responsible for security Solid security is not added at the end Security is hard WAMPS Workshop Anual do MPS 19

20 Security Design Concepts WAMPS Workshop Anual do MPS 20

21 Security Design Concepts Common sense Saltzer and Schroeder documented and published in 1975 Others (Viega & McGraw, Howard & LeBlanc, NIST, OWASP, more) build on Saltzer and Schroeder WAMPS Workshop Anual do MPS 21

22 Saltzer and Schroeder Economy of mechanism Fail safe defaults Complete mediation Open design Separation of privilege Least privilege, permission-based Least common mechanism Ease of use WAMPS Workshop Anual do MPS 22

23 Viega and McGraw Secure the weakest link Keep it simple Promote privacy Remember that hiding secrets is hard Be reluctant to trust Use community resources WAMPS Workshop Anual do MPS 23

24 Howard and LeBlanc Minimize attack surface Assume external systems are insecure Security features are not the same as secure features Don t mix code and data Plan for failure Learn from mistakes Backward compatibility is tricky Fix security issues correctly WAMPS Workshop Anual do MPS 24

25 Security Control Philosophy WAMPS Workshop Anual do MPS 25

26 Security Control Philosophy Secure perimeter Control of users and environment (devices, software) Defense in depth Perfect (secure) software WAMPS Workshop Anual do MPS 26

27 Web Characteristics WAMPS Workshop Anual do MPS 27

28 Web Characteristics Wide availability, to the masses Mandatory presence Very low cost of entry Very low skill to enter Low genetic diversity Very rapid technology turnover High demand for oh, wow WAMPS Workshop Anual do MPS 28

29 Software Development vs. the Web Orderly, managed process Well-defined system Well-defined requirements Integrated testing Continuous improvement Controllable => securable Unmanaged No perimeter; constant change Programs usedreused for any situation Testing varies Little feedback Uncontrolled => unsecured WAMPS Workshop Anual do MPS 29

30 Some Sources of Computer Incidents Errors Insiders Nonmalicious and malicious Hackers Organizations Terrorists WAMPS Workshop Anual do MPS 30

31 Errors WAMPS Workshop Anual do MPS 31

32 Errors Humans are human Errors are unintentional Pressure, distraction, confusion Random WAMPS Workshop Anual do MPS 32

33 Insiders WAMPS Workshop Anual do MPS 33

34 Insiders Insiders account for much harm Many insiders, many actions Much power Most insider harm is unintentional Intentional harm from anger, payoff, values conflict WAMPS Workshop Anual do MPS 34

35 Hackers WAMPS Workshop Anual do MPS 35

36 Hackers Individuals, loose federations Motivation Personal Objective Experience, fame Impact Modest Sometimes accidental side effects WAMPS Workshop Anual do MPS 36

37 Hackers Motivations Selfgratification, addiction, espionage, theft, profit, vengeance, sabotage, freedom, 27% Challenge, knowledge, pleasure, 49% Recognition, excitement (illegal activity), friendship, 24% Denning 1999, citing Chantler WAMPS Workshop Anual do MPS 37

38 Disturbing Hacker Trends ~0-day exploits Bagle, Netsky, Zafi worm writers join forces Enormous botnets for rent Conficker very sophisticated; evolving WAMPS Workshop Anual do MPS 38

39 Organized Crime Organized bureaucracies (computer work is only one activity) Motivation Financial Objective Fraud, extortion Impact e.g., identity theft, credit WAMPS Workshop Anual do MPS 39

40 Intelligence Services Motivation Data: political, economic, military Objective needs of military during engagement about potentially hostile nations transnational threats (drugs, WMD) Mostly to learn Sometimes to influence world Occasionally to act WAMPS Workshop Anual do MPS 40

41 Terrorists WAMPS Workshop Anual do MPS 41

42 Terrorists Motivation Ideological, political Objective Intelligence gathering Psychological fear, panic, persuasion, misinformation Mass annoyance to mass disruption WAMPS Workshop Anual do MPS 42

43 Cyber Warfare Activities Disruption Sabotage Denial of service Misinformation Deception WAMPS Workshop Anual do MPS 43

44 Uses of Computers in Terrorism Disseminate information web pages, desktop publishing Communicate with each other Gather, hold, analyze information data mining, web browsing Target computers (uncommon) unauthorized access (read, write, delete) denial of service WAMPS Workshop Anual do MPS 44

45 Why Cyber-Advertising (and Spam) Is Attractive Remote operation, anonymous Massive reach, low cost Agile, easy to change, tune Message tuned to audience (coupled with data mining) Novel campaign garners media attention WAMPS Workshop Anual do MPS 45

46 Why Cyber-Terrorism Is Also Attractive Remote operation, anonymous Massive reach, low cost Agile, easy to change, tune Message tuned to audience (coupled with data mining) Novel campaign garners media attention WAMPS Workshop Anual do MPS 46

47 The Medium Is the Message The Internet may be worth more as a communications medium than a target Individual nodes or whole subdomains can still be targets WAMPS Workshop Anual do MPS 47

48 Lessons (To Be) Learned Evidence of vulnerability is visible to others Attackers work together Talk (articles, blogs) may alert them to weaknesses WAMPS Workshop Anual do MPS 48

49 Recent Events 2008 attack on firewall of China Apparently political 2006 top level domain server DOS attack 2002 disabled 8/13 root name servers Apparently a simple ICMP packet flood 2007 attack on Estonia web Motive unknown; testing? 2003 power blackout in NE Canada, US Apparently tree limbs, cascading errors 2000 attack on wastewater treatment control center Apparently a disgruntled former employee WAMPS Workshop Anual do MPS 49

50 Interdependent Risk One company, two divisions, both at risk of catastrophic (company) failure If Division 1 invests in risk-reduction, it remains at risk unless Division 2 does also In fact, Division 1 s investment is wasteful if Division 2 does not invest What is incentive for an interdependent multi-corporation industry (power, finance, telecommunications) to invest in security? WAMPS Workshop Anual do MPS 50

51 Playing Security Analyst: A Smart Terrorist Would Plan, research, experiment Plant attacks today for use tomorrow Diversify the approach Implement multiple concurrent attacks Use different approaches to come from all directions WAMPS Workshop Anual do MPS 51

52 Software Process WAMPS Workshop Anual do MPS 52

53 Software Process Models MPS.BR CMMI ISO 9000 Others WAMPS Workshop Anual do MPS 53

54 Common Aspects Establish an organizational policy Plan and define a process Monitor and control the process Evaluate adherence Collect improvement information Correct root causes of problems Ensure continuous improvement WAMPS Workshop Anual do MPS 54

55 Basic Process Areas WAMPS Workshop Anual do MPS 55

56 Basic Process Areas Requirements development Project planning Project monitoring and control Measurement and analysis Process and product quality assurance Configuration management WAMPS Workshop Anual do MPS 56

57 Measurement WAMPS Workshop Anual do MPS 57

58 Measurement What is important to measure How to measure it How precise the measurement must be How to interpret the measurement How to use measurement to improve WAMPS Workshop Anual do MPS 58

59 System Development Controls System development lifecycle Requirements determination Protection specifications development Design review System test review Certification and accreditation Service level agreement WAMPS Workshop Anual do MPS 59

60 Conclusions: What to Do? WAMPS Workshop Anual do MPS 60

61 What to Do: Process Requirements development Project planning Project monitoring and control Measurement and analysis Process and product quality assurance Configuration management Include security requirements Security overseer Threat control analysis Security control coverage Security testing at all stages Security review prior to stage release WAMPS Workshop Anual do MPS 61

62 What to Do: Design Include security from the start Make security trade-off decisions visible and based on balance of competing factors Ensure a security expert is integral part of design team Ensure that project team members are all sensitive to security WAMPS Workshop Anual do MPS 62

63 What to Do: Measurement What is important to measure How to measure it How precise the measurement must be How to interpret the measurement WAMPS Workshop Anual do MPS 63