Computing Infrastructure Risk



Similar documents
Network and Host-based Vulnerability Assessment

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

Government Worker Privacy Survey. Improper Exposure of Official Use, Sensitive, and Classified Materials

SY system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

Security Defense Strategy Basics

Network Security Landscape

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing

BBM 461: SECURE PROGRAMMING INTRODUCTION. Ahmet Burak Can

Cisco Advanced Services for Network Security

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Innovative Defense Strategies for Securing SCADA & Control Systems

Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime

10- Assume you open your credit card bill and see several large unauthorized charges unfortunately you may have been the victim of (identity theft)

The FBI Cyber Program. Bauer Advising Symposium //UNCLASSIFIED

Pass-the-Hash. Solution Brief

Preemptive security solutions for healthcare

INFORMATION SECURITY INCIDENT MANAGEMENT PROCESS

Cyber Security and Science

Enhancing Organizational Security Through the Use of Virtual Smart Cards

HE WAR AGAINST BEING AN INTERMEDIARY FOR ANOTHER ATTACK

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Incident Response Plan for PCI-DSS Compliance

Security & SMEs. An Introduction by Jan Gessin. Introduction to the problem

Designing federated identity management architectures for addressing the recent attacks against online financial transactions.

SECURITY PRACTICES FOR ADVANCED METERING INFRASTRUCTURE Elif Üstündağ Soykan, Seda Demirağ Ersöz , ICSG 2014

Society for Information Management

Technology Blueprint. Protect Your Servers. Guard the data and availability that enable business-critical communications

Protecting Organizations from Cyber Attack

10 Smart Ideas for. Keeping Data Safe. From Hackers

Ohio Supercomputer Center

Running head: USING NESSUS AND NMAP TOOLS 1

UNCLASSIFIED Version 1.0 May 2012

Protecting Your Organisation from Targeted Cyber Intrusion

EECS 588: Computer and Network Security. Introduction January 14, 2014

The Business Case for Security Information Management

IBM Advanced Threat Protection Solution

HTML5 and security on the new web

Learning Course Curriculum

Windows Operating Systems. Basic Security

CITRUS COMMUNITY COLLEGE DISTRICT GENERAL INSTITUTION COMPUTER AND NETWORK ACCOUNT AND PASSWORD MANAGEMENT

Spyware. Michael Glenn Technology Management 2004 Qwest Communications International Inc.

Contents. McAfee Internet Security 3

CDM Vulnerability Management (VUL) Capability

Information Security. CS526 Topic 1

Network Security & Privacy Landscape

TLP WHITE. Denial of service attacks: what you need to know

Server Security. Contents. Is Rumpus Secure? 2. Use Care When Creating User Accounts 2. Managing Passwords 3. Watch Out For Aliases 4

VoIP: The Evolving Solution and the Evolving Threat. Copyright 2004 Internet Security Systems, Inc. All rights reserved worldwide

Risks and Challenges

Cyber crime. lingua house. 1 Internet crime. Lesson code: 9ZE5-4PDB-KC48 UPPER INTERMEDIATE + Match the following words to their correct definitions:

TOP 3 STRATEGIES TO REDUCE RISK IN AUTOMOTIVE/IN-VEHICLE SOFTWARE DEVELOPMENT

White Paper. Information Security -- Network Assessment

Cyber Security Metrics Dashboards & Analytics

Six ways to accelerate Android mobile application development

Hacking Database for Owning your Data

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

Applying the 80/20 approach for Operational Excellence. How to combat new age threats, optimize investments and increase security.

Data Replication in Privileged Credential Vaults

APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK

Chapter 11 Manage Computing Securely, Safely and Ethically. Discovering Computers Your Interactive Guide to the Digital World

Information Security Services

Information Technology Security for Small Business (video script) Descriptive Text for the Visually Impaired August 11, 2009

2) trusted network, resilient against large scale Denial of Service attacks

Securing your Virtual Datacenter. Part 1: Preventing, Mitigating Privilege Escalation

CSCI 454/554 Computer and Network Security. Instructor: Dr. Kun Sun

Stay ahead of insiderthreats with predictive,intelligent security

Brainloop Cloud Security

Database security issues PETRA BILIĆ ALEXANDER SPARBER

11th AMC Conference on Securely Connecting Communities for Improved Health

What Do You Mean My Cloud Data Isn t Secure?

Emerging Security Technological Threats

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs

Cyber security Time for a new paradigm. Stéphane Hurtaud Partner Information & Technology Risk Deloitte

Incident Response 101: You ve been hacked, now what?

Security Goals Services

for Critical Infrastructure Protection Supervisory Control and Data Acquisition SCADA SECURITY ADVICE FOR CEOs

Chapter 6: Fundamental Cloud Security

Why a Network-based Security Solution is Better than Using Point Solutions Architectures


Beyond the Hype: Advanced Persistent Threats

Windows Phone 8 Security Overview

Welcome to the Protecting Your Identity. Training Module

BOTNETS. Douwe Leguit, Manager Knowledge Center GOVCERT.NL

THE HUMAN COMPONENT OF CYBER SECURITY

Defensible Strategy To. Cyber Incident Response

Hack Your SQL Server Database Before the Hackers Do

Threats and Attacks. Modifications by Prof. Dong Xuan and Adam C. Champion. Principles of Information Security, 5th Edition 1

Chapter 1: Introduction

System Security Policy Management: Advanced Audit Tasks

External Supplier Control Requirements

ADC Survey GLOBAL FINDINGS

The Advantages of a Firewall Over an Interafer

Defense-in-Depth Strategies for Secure, Open Remote Access to Control System Networks

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4.

The evolution of virtual endpoint security. Comparing vsentry with traditional endpoint virtualization security solutions

Windows Remote Access

CVE Adobe Flash Player Integer Overflow Vulnerability Analysis

Computer Security Awareness of Accounting Students

Getting a Secure Intranet

Transcription:

Issue, Analysis, and Recommendation Lynn Robert Carter 2008-12 12-2323 Copyright 2008, Lynn Robert Carter

Agenda Computing infrastructure at risk The root cause Solution elements are known Barriers to implementing the solution Recommendation 2 Issues, Analysis, and Recommendation

Infrastructure Risk Our computing infrastructure is at risk Numerous botnets have compromised millions of machines around the world Denial of service attacks are the very visible tip of the iceberg of what is possible The SPAM load on the internet is near 90% 3 Issues, Analysis, and Recommendation

Spam load approaching 90% http://www.senderbase.org/home/detail_spam_volume?displayed=lastmonth&action=&screen=&order= 4 Issues, Analysis, and Recommendation

Distributed computing threat The SETI network has borrowed over 3.4 10 6 years of compute power from its donors Such compute power can be used to solve any number of problems, many to our detriment Denial of service attacks and extortion Discover access methods to secure systems Find and compromise more machines 5 Issues, Analysis, and Recommendation

The rise of botnets Known botnets have compromised many millions of machines A Dutch botnet of 1.5 million reported in 2005 http://www.informat www.informationweek.com/shared/printablearticle.jhtml?ar?articleid=172303265 FBI: a botnet of 1 million US machines in 2007 http://www.fbi.gov/pressrel/pressrel07/botnet061307.htm New rootkits make it harder to tell that a machine is compromised or repair the system short of initializing the hard drive 6 Issues, Analysis, and Recommendation

New targets of opportunity Personal computers are just one target that the bad guys can hit Any computing device that can access the internet is potentially at risk Cell phones, PDAs, and media players Entertainment systems Navigation and control systems 7 Issues, Analysis, and Recommendation

Impact analysis-1 The banking industry has been hit hard Identity theft through phishing is just one path Compromised computers can provide a wealth of valuable information Anything the user sees or types can be stolen Data on the hard drive can be read or altered Built in cameras and microphones can be used, even when the device appears to be off 8 Issues, Analysis, and Recommendation

Impact analysis-2 Denial of service attacks have caused firms to pay to avoid future attacks Most attacks appear to have been for monetary gain or to prove capabilities, but the attack on former Soviet Block Georgia hints at what can be done The full potential of their capabilities is not clear; many options are not easily profitable 9 Issues, Analysis, and Recommendation

Impact analysis-3 Technology exists to falsify anything digital The entertainment industry has shown us what is possible (The Curious Case of Benjamin Button) Morphing still images, voices and videos is known technology and can be used to prompt potentially inappropriate action Many systems can be remotely controlled; the latest Die Hard movie is not totally fiction 10 Issues, Analysis, and Recommendation 10

Impact analysis-4 Private networks and custom systems have the potential to avoid many of these risks All it takes to compromise such a solution is to have one weak link humans are notoriously weak links in any security system Every aspect of business, government, and part of our military computing infrastructure is at risk and the exposure is growing 11 Issues, Analysis, and Recommendation 11

Agenda Computing infrastructure at risk The root causes Solution elements are known Barriers to implementing the solution Recommendation 12 Issues, Analysis, and Recommendation 12

The root causes Root cause: security was not a fundamental design criteria The so called von Neumann architecture can be easily misused to change a program so it performs completely unrelated functions The internet was designed to connect trusted researchers with the assumption that if you were on the net, you must be a good guy 13 Issues, Analysis, and Recommendation 13

von Neumann architecture While not actually von Neumann s s creation, his computer architecture paper, where data and code are stored in the same memory, was the one that became popular Programs can alter their own code as easily as they alter data; some software depends on this File systems can also be easily compromised in much the same way 14 Issues, Analysis, and Recommendation 14

Buffer overflow Mitre reported that 85% of vulnerabilities in 2005 were application exploits Buffer overflow has been a common method employed to attack applications along with design errors and exceptional conditions Both operating systems and the applications provide pathways to compromise systems Source: Buffer Overflow Attacks: Detect, Exploit, Prevent, by James C. Foster, et al Carnegie Mellon Mellon 15 15 Issues, Analysis, and Recommendation

Security was not a design goal Computers, operating systems, programming languages, applications, and many internet protocols and systems were not designed to be secure More than 20 years has passed since the first major computer virus and we are still in an escalating game of cat and mouse or maybe more accurately, whack a mole 16 Issues, Analysis, and Recommendation 16

Agenda Computing infrastructure at risk The root causes Solution elements are known Barriers to implementing the solution Recommendation 17 Issues, Analysis, and Recommendation 17

Other architectures The Harvard architecture is similar to the von Neumann architecture, in that it uses both stored program and data ; ; but they are not stored in the same memory Memory management schemes to separate data from instructions have existed Operating systems have existed that separate the operating system from the application 18 Issues, Analysis, and Recommendation 18

An unfortunate failure The iapx 432 was a 1980s era microprocessor designed to support object orientation and segmented memory in hardware Replacing pointers with protected object references (called capabilities) that can only be created by privileged instructions is a way to design security into the hardware We need a hardened security processor 19 Issues, Analysis, and Recommendation 19

Virtualization Isolating the application and its environment from the real operating system and file system is another known solution Each time an application is launched, create a virtual machine, operating system instance, and application instance from a read-only file system employing independent checksums A security processor can host a mini-cloud of security enabled application processors Carnegie Mellon Mellon 20 20 Issues, Analysis, and Recommendation

Trusted computing Security depends upon secure foundations Processors must be uniquely identified Authentication of message sender and source is a crucial element of secure computing Key elements of security must be implemented in the hardware so physical security can be used to guarantee cyber security 21 Issues, Analysis, and Recommendation 21

Trusted communication Authentication of pushed messages and similar checking for pulled messages is crucial Randomness and multiple-independent independent agents must be at the heart of authentication The authentication agents used must be random All agents must return the same message is key 22 Issues, Analysis, and Recommendation 22

Computing antibodies We must change the way systems are built so they are aware of attacks and respond to them From notifying authorities to locking down certain key capabilities, a system should not just patiently endure an attack until the attacker succeeds The new secure internet protocols must be able to track attacks back to its source via hardware Attacking others must have consequences 23 Issues, Analysis, and Recommendation 23

Agenda Computing infrastructure at risk The root causes Solution elements are known Barriers to implementing the solution Recommendation 24 Issues, Analysis, and Recommendation 24

Barriers-1 The bad guys will not just sit around idle while we implement our solution if they know what we propose to do Many users want anonymity and yet they want to deal with a trusted-known supplier Current computing/networking marketplace does not have enough true competition for normal market forces to work effectively 25 Issues, Analysis, and Recommendation 25

Barriers-2 Many governments and corporations are in a conflict of interest; many might perceive that changing the status quo could cost them Changing internet equipment and all of the key infrastructure computers with be very costly A system is only as secure as its weakest link; people can still compromise aspects of this solution, even if only temporarily 26 Issues, Analysis, and Recommendation 26

Agenda Computing infrastructure at risk The root causes Solution elements are known Barriers to implementing the solution Recommendation 27 Issues, Analysis, and Recommendation 27

Recommendation-1 The cyber equivalent of the Manhattan Project A black program must be launched to build a new set of foundational cyber building blocks upon which to build a secure infrastructure The solution must allow the current insecure implementations to run atop it as legacy until market forces and conditions dictate they be replaced with secure solutions 28 Issues, Analysis, and Recommendation 28

Recommendation-2 Reuse of current computing assets is key, but it will not take precedence over security Asymmetric security is key; a trusted agent must be able to provide trusted copies of data to insecure users Parallel operation and proven protection of key national assets must be ensured before the existence of the project is made public 29 Issues, Analysis, and Recommendation 29

Recommendation-3 Programs to quickly and fairly move the technology into the market are crucial Significant effort to prepare for education, training, skill, and behavior change programs must be developed in preparation for the program coming out of the black Preparation for political, legal, business and social issues must be a priority 30 Issues, Analysis, and Recommendation 30

Closing thoughts The cost of recovering from the damage to New Orleans has far exceeded what would have been required to protect it from Katrina The cost of effective financial oversight would have been several orders of magnitude less than the wealth that has been lost this year We cannot continue to play this cyber security game when so much is at stake Carnegie Mellon Mellon 31 31 Issues, Analysis, and Recommendation

Issue, Analysis, and Recommendation Lynn Robert Carter 2008-12 12-2323 Copyright 2008, Lynn Robert Carter

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information