to Security Guest Lecture: CS329E Dr. Bill Young Department of Computer Sciences University of Texas at Austin Last updated: October 14, 2010 at 08:59 Slideset 1: 1
What Does Security Mean?

We're interested in security. But security is an extremely expansive and widely used term.

  Personal security
  Physical security
  Corporate security
  National (homeland) security
  Operations security
  Personnel security
  Communication security
  Computer security
  Network security
  System security

What's the common thread? What does security really mean?

What Does Security Mean?

In the most general terms, security seems to mean something like "protection of assets against attack."

But what assets? What kind of attack? What does protection mean? Doesn't the meaning of protection vary depending on the nature of the threat?

What are some threats for computer security? Some examples of threats:

  Interruption: an asset becomes unusable, unavailable, or lost.
  Interception: an unauthorized party gains access to an asset.
  Modification: an unauthorized party tampers with an asset.
  Fabrication: an asset is counterfeit.

Thought Experiment

Let's make it personal. Suppose you visit an e-commerce website such as your bank, Amazon.com, your stock broker, etc.

Before you type in highly sensitive information, you'd like to have some assurance that your information will be protected. Do you? How can you know?

What security-relevant things do you want to happen, or not happen, when you use such a website? What are the assets you are trying to protect, and from what?

Thought Experiment

You might want:

  Privacy of your information
  Integrity of your information
  Authentication of the other parties
  Authorization to perform your goals
  Confidentiality
  Non-repudiation
  Availability of necessary resources
  Protection against phishing

What else?

What is Security

According to security experts these are some of the major aspects of information needing protection:

  Confidentiality: assurance that information is not disclosed to unauthorized persons;
  Integrity: protection against unauthorized modification or destruction of information;
  Availability: timely, reliable access to data and information services for authorized users;
  Authentication: measures to establish the validity of a transmission, message, or originator.
  Non-repudiation: assurance that the sender is provided with proof of a data delivery and recipient is provided with proof of the sender's identity, so that neither can later deny having processed the data.

So much to protect; so little time! Which of these are the most important? How would you decide?

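The difference between the integrity, authentication and non-repudiation definitions above shows up clearly in code. The following is an added example, not part of the original lecture; the key, the messages and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values for illustration (not from the lecture).
SHARED_KEY = b"constructed-demo-key"
ORDER = b"transfer 100 to account 42"
TAMPERED = b"transfer 900 to account 42"


def digest(msg: bytes) -> str:
    """Unkeyed SHA-256: anyone, including an attacker, can recompute it."""
    return hashlib.sha256(msg).hexdigest()


def tag(key: bytes, msg: bytes) -> str:
    """HMAC-SHA256: only a holder of the key can produce a valid tag."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(key: bytes, msg: bytes, received_tag: str) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(tag(key, msg), received_tag)


def bare_hash_survives_substitution() -> bool:
    """Someone who replaces both message and digest passes the receiver's check."""
    forged_msg, forged_digest = TAMPERED, digest(TAMPERED)
    return digest(forged_msg) == forged_digest


def mac_rejects_tampering() -> bool:
    """The tag made for ORDER does not verify for TAMPERED."""
    return not verify(SHARED_KEY, TAMPERED, tag(SHARED_KEY, ORDER))


def receiver_can_forge() -> bool:
    """The receiver holds the same key, so it can tag a message the sender
    never sent; a valid tag proves 'sender or receiver', not 'sender'."""
    never_sent = b"transfer 5000 to account 7"
    return verify(SHARED_KEY, never_sent, tag(SHARED_KEY, never_sent))


if __name__ == "__main__":
    print("bare hash fooled by substitution:", bare_hash_survives_substitution())
    print("HMAC rejects tampered message:   ", mac_rejects_tampering())
    print("receiver can forge a valid tag:  ", receiver_can_forge())
```

A shared-key MAC therefore gives integrity and authentication between the two parties, but not non-repudiation: that needs a digital signature made with a key only the sender holds.
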
What is the Security Problem

Computer and network security is becoming both more important and harder to attain. Why do you think that is?

  Increased connectivity;
  Large number of valuable assets online;
  Low threshold to access;
  Sophisticated attack tools and strategies available (script kiddies);
  Any others?

What does each of these mean? Why are they relevant?

Why is Security Hard?

Why do you suppose that security is a more difficult problem than most things in computer science?

Most areas of computer science are concerned with ensuring that something good happens. In contrast, security is all about ensuring that bad things never happen.

Not only do you have to find "bugs" that make the system behave differently than expected, you have to identify any features of the system that are susceptible to misuse and abuse.

You have to defeat an actively malicious adversary. Ross Anderson characterizes this as "Programming Satan's Computer."

The Difficulty in Security

Thus, the hardest thing about security is convincing yourself that you've thought of all possible attack scenarios, before the attacker thinks of them.

"A good attack is one that the engineers never thought of." (Bruce Schneier)

Principle of Easiest Penetration: an intruder will use any available means of penetration.

Thus, the defender has to find and eliminate all exploitable vulnerabilities; the attacker only needs to find one!

Why You Need a Systems Point of View

Several fairly recent vulnerabilities:

Date        Program                            Effect
March 2002  zlib                               DoS affecting many programs, including those that display PNG files.
Nov. 2002   Internet Explorer                  Malicious PNG file can be used to execute arbitrary code when displayed in IE.
Aug. 2004   libpng                             DoS affecting users of Firefox, Opera, Safari, and many others.
Sep. 2004   MS GDI+                            JPG-rendering code enables the remote execution of arbitrary code. Affects IE, MS Office, and other MS products.
July 2005   zlib                               Potential for remote code execution. Affects programs that display or manipulate PNG files.
Dec. 2005   Windows Graphics Rendering Engine  Rendering of WMF files enables remote execution of arbitrary code. Exploited through IE.
Jan. 2007   Java 2 Platform                    Rendering of GIF image allows remote execution of arbitrary code through hostile applet.

Taking a Systems Point of View

Notice that none of the programs (in the table above) were security features of the relevant systems. They were all related to displaying images.

Yet each vulnerability caused almost total compromise of the security of the system.

What does that mean for the security professional/community?

The Difficulty in Security

Perfect security is probably impossible in any useful system. Often, this means that a tradeoff is necessary between security and other important software project goals including functionality, usability, efficiency, time-to-market, and simplicity.

"The three golden rules to ensure computer security are: do not own a computer; do not power it on; and do not use it." (Robert T. Morris, Sr.)

"Unfortunately the only way to really protect [your computer] right now is to turn it off, disconnect it from the Internet, encase it in cement and bury it 100 feet below the ground." (Prof. Fred Chang, 2009)

Security is About Risk

In Building Secure Software, Viega and McGraw assert that software and system security is all about managing risk.

Viega and McGraw suggest a particular risk management procedure:

  1. Assess assets
  2. Assess threats
  3. Assess vulnerabilities
  4. Assess risks
  5. Prioritize countermeasure options
  6. Make risk management decisions

Thought experiment: try to follow this procedure to manage risks to the stuff you have stored at your home or apartment.

Risk Treatments

Once the risk has been identified and assessed, managing the risk can be done through one of four techniques:

  Risk acceptance: risks not avoided or transferred are retained by the organization. E.g., sometimes the cost of insurance is greater than the potential loss. Sometimes the loss is improbable, though catastrophic.
  Risk avoidance: not performing an activity that would incur risk. E.g., disallow remote login.
  Risk mitigation: taking actions to reduce the losses due to a risk; most technical countermeasures fall into this category.
  Risk transfer: shift the risk to someone else. E.g., most insurance contracts, home security systems.

There is generally lots more money in a bank than in a convenience store; but which is more likely to be robbed? Why?

Some Sobering Facts

"A recent study of 32,000 Websites found that nearly 97% of sites carry a severe vulnerability." (Web Application Security Consortium, Sept 2008)

"NSA found that inappropriate or incorrect software security configurations (most often caused by configuration errors at the local base level) were responsible for 80 percent of Air Force vulnerabilities." (CSIS report on Securing Cyberspace for the 44th Presidency, Dec. 2008, p. 55)

Some Sobering Facts

"There were over 1 million new unique malware samples discovered in each of the past two quarters. Unlike the worms and mass-mailers of the past, many of these were extremely targeted to particular industries, companies and even users." (www.insecureaboutsecurity.com, 10/19/2009)

"Once PCs are infected they tend to stay infected. The median length of infection is 300 days." (www.insecureaboutsecurity.com, 10/19/2009)

Is It Hopeless?

What can you do to protect yourself?

  Properly configure and patch operating systems, browsers, and other software programs.
  Use and regularly update firewalls, anti-virus, and anti-spyware programs.
  Be cautious about all communications; think before you click.
  Use common sense when communicating with users you DO and DO NOT know.
  Do not open email or related attachments from untrusted sources.

Some Questions

Security, particularly CyberSecurity at the national level, has become a really hot topic lately. Sure, security is hard. But the news would have you believe we're about to fall off a cliff!

  1. What have you heard recently about cybersecurity? Has it been good or bad?
  2. Do you think that the current buzz about cybersecurity is overdone?
  3. What are the threats to individuals? To companies? To the military? To the country as a whole?

Why Does it Matter?

"America's failure to protect cyberspace is one of the most urgent national security problems facing the new administration that will take office in January 2009.... It is a battle we are losing. Losing this struggle will wreak serious damage on the economic health and national security of the United States." (CSIS report on Securing Cyberspace for the 44th Presidency, Dec. 2008)

CyberSecurity: An Existential Threat?

CYBERATTACKS AN EXISTENTIAL THREAT TO U.S., FBI SAYS (Computerworld, March 24, 2010)

A top FBI official warned today that many cyber-adversaries of the U.S. have the ability to access virtually any computer system, posing a risk that's so great it could "challenge our country's very existence."

According to Steven Chabinsky, deputy assistant director of the FBI's cyber division: "The cyber threat can be an existential threat, meaning it can challenge our country's very existence, or significantly alter our nation's potential," Chabinsky said. "How we rise to the cybersecurity challenge will determine whether our nation's best days are ahead of us or behind us."

CyberSecurity

CYBER ATTACKS TEST PENTAGON, ALLIES AND FOES (Wall Street Journal, Sept 25, 2010)

Cyber espionage has surged against governments and companies around the world in the past year, and cyber attacks have become a staple of conflict among states.

U.S. military and civilian networks are probed thousands of times a day, and the systems of the North Atlantic Treaty Organization headquarters are attacked at least 100 times a day, according to Anders Fogh Rasmussen, NATO's secretary-general. "It's no exaggeration to say that cyber attacks have become a new form of permanent, low-level warfare," he said.

More than 100 countries are currently trying to break into U.S. networks, defense officials say. China and Russia are home to the greatest concentration of attacks.

CyberSecurity

CYBERWARRIOR SHORTAGE THREATENS U.S. SECURITY (National Public Radio, July 19, 2010)

There may be no country on the planet more vulnerable to a massive cyberattack than the United States, where financial, transportation, telecommunications and even military operations are now deeply dependent on data networking.

[But there's a] severe shortage of computer security specialists and engineers with the skills and knowledge necessary to do battle against would-be adversaries.

Cyber security expert Gosler estimates there are now only 1,000 people in the entire United States with the sophisticated skills needed for the most demanding cyberdefense tasks of the 20,000 to 30,000 skilled specialists needed.

StuxNet Worm

KASPERSKY LAB PROVIDES ITS INSIGHTS ON STUXNET WORM (Kaspersky.com, Sept. 24, 2010)

Stuxnet is a one-of-a-kind, sophisticated malware attack backed by a well-funded, highly skilled attack team with intimate knowledge of SCADA (supervisory control and data acquisition) technology.

"I think that this is the turning point, this is the time when we got to a really new world, because in the past there were just cyber-criminals, now I am afraid it is the time of cyber-terrorism, cyber-weapons and cyber-wars," said Eugene Kaspersky, co-founder and chief executive officer of Kaspersky Lab.

"This malicious program was designed to sabotage plants, to damage industrial systems," he said. "The 90s were a decade of cyber-vandals, 2000s were a decade of cybercriminals, I am afraid now it is a new era of cyber-wars and cyber-terrorism," Kaspersky added.