Network Security in Building Networks
Prof. Dr. (TU NN) Norbert Pohlmann
Institute for Internet Security - if(is)
Westphalian University of Applied Sciences Gelsenkirchen, Germany
www.if-is.net

Content
- IT Security over time
- Changes in the general condition
- IT Security Situation Today
- Some IT Security Solutions
- Paradigm Shifts in IT and IT Security
- Summary

Network Security over time
Overview: Our Problem
[Figure: axes "Network security problems" and "Time", with "Today" marked]

IT Security over time
Overview: Our challenge
[Figure: axes "Network security problems" and "Time", with "Today" marked]

Changes in the general condition
Basic conditions
- The Internet is going beyond all borders and cultures!
  - Problems with criminal prosecution in a lot of countries
  - Different opinions about what is right and what is wrong
  - Different legal frameworks
- Radical change and development in IT
  - Mobile devices, social networks, cloud computing, new players, new operating systems, new IT concepts, new attacks
  - Internet of Things: SmartGrid, SmartCar, SmartTraffic, SmartHome, e.g. nuclear phase-out provides more risk on the Internet
- The kinds of values that we have to protect are changing over time
  - Bits and bytes are changing from data and information to knowledge into intelligence
  - Accessible from anywhere (mobile devices, cloud computing, ...)

Changes in the general condition
Imbalance of power
- Imbalance of power in cyberspace between attackers and defenders
- Highly motivated and skilled attackers
- We see innovation in attack models, and the attackers are getting more professional (successful business concepts)
- The attackers operate in secrecy from almost anywhere in the world
- They use a lot of computers (malware, botnets) with unlimited power

IT Security Situation Today: Threat Potential (1/8)
Too many vulnerabilities in our software
- The quality of the software of operating systems and applications is not good enough!
- Error rate: number of errors (bugs) per 1,000 lines of code (LoC).

  Error rate    Classification of programs
  < 0.5         stable programs
  0.5 - 3       maturing programs
  3 - 6         unstable programs
  6 - 10        error-prone programs
  > 10          useless programs

- Operating systems have more than 10 million LoC: more than 3,000 errors (error rate 0.3) and thus too many potential vulnerabilities

IT Security Situation Today: Threat Potential (2/8)
Insufficient anti-malware protection (1/2)
- Anti-malware solutions have too low a detection rate: only 75 to 95%!
- In case of direct attacks: less than 27%
[Figure: chart with axis values 0%, 27%, 100% and 24h, Day 3, Day 14; labels "Security gaps", "signature-based detection", "proactive detection"]

IT Security Situation Today: Threat Potential (3/8)
Insufficient anti-malware protection (2/2)
- One in 25 computers has malware!
- Data theft / data manipulation (key loggers, Trojan horses, ...)
- Spamming, click fraud, use of computing power, data encryption / ransom, ...
- Cyber War (Advanced Persistent Threat - APT): Stuxnet, Flame, ...
- One of the biggest threats for the moment!

IT Security Situation Today: Threat Potential (4/8)
No international identity management (2013)
- Passwords, passwords, passwords, ... are still the tools for authentication on the Internet!
- Identification is valid in a corporate or customer environment, but not internationally!
- Federation approaches are not yet widespread enough!
http://moneytipcentral.com/

IT Security Situation Today: Threat Potential (5/8)
Insecure websites in the field
- Today most malware is distributed by insecure websites
- 2.5 % of the measured German websites are infected with malware (US ~ 1.01; Japan ~ 0.51; ...)
- Reasons for insecure websites
  - Many websites / web servers are not implemented securely
  - Patches are not installed, or are installed very late
  - There is no responsibility for own websites!
http://moneytipcentral.com/

IT Security Situation Today: Threat Potential (6/8)
Smartphones become a challenge
- Losing the mobile devices
  - Constantly changing insecure environments (airports, railway stations, cafés, ...)
  - ... thus the probability of loss is much higher! (mobile phone statistics in London taxis)
- Apps as spyware / malware (mass instead of class)
- Movement profile
- Public inspections
- False or manipulated hotspot (trustworthiness)
- Consumerization or Bring Your Own Device (BYOD)
[Figure labels: "stop the thief", "Address of the secretary", "Address of the competitor"]

IT Security Situation Today: Threat Potential (7/8)
Cloud Computing becomes a challenge
- The cyber provides additional points of attack
  - Identity theft, session hijacking, vulnerabilities in shared services, separation of corporate data, and so on
- I do not know the places where my data is stored and who has the opportunity to read the data!
- How can I be sure that the data still exists?
- The aspect of trust becomes much more important
- Problems with the laws of some countries

IT Security Situation Today: Threat Potential (8/8)
Internet User
- Internet users need to know the problems of the Internet or they harm themselves and others (Internet competence)
- BITKOM survey (Germany 2012): Almost one in three Internet users is not adequately protected!
  - no personal firewall (30 %)
  - no anti-malware (28 %)
  - is careless about e-mails and links
  - etc.
- Study by the Messaging Anti-Abuse Working Group: 57 % of Internet users have at some point opened spam e-mail or clicked links in spam e-mails

Some Network Security Solution
Idea of a central firewall system
[Figure: Building Networks - Firewall System - Internet]

Some Network Security Solution
Assessment of a central firewall system
Communication model with an integrated firewall element
- Producer: Trustworthiness of the Implementation of the Security Services
- User: Configuration Trustworthiness
- Producer: Depth of analysis
- User: Security Policy
- Producer: Implementation
[Figure labels: Transmitter (T) entity, Receiver (R) entity, protocol element x_i, set of rules, integration and enforcement module, analysis module, security relevant event (e_i), result of decision r_i, authentication, result of analysis, decision module, Security Management, Firewall Systems, protocol state machine, state s_j, actions a_k (action 1, action 2, action 3, ..., action t, action t+1, ..., action u), Assets]

a_k = action-select(
        protocol-state-machine(x_i, s_j),
        authenticity(x_i, t_l),
        result-of-decision(analysis(x_i), security-management(rules)),
        functionality-of-the-firewall-system()
      )

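The action-select formula above, worked through as an added example (not code from the slides). The rule set, the three-state protocol machine, the HMAC key standing in for the authentication data t_l and all field names are assumptions made for this illustration.

```python
# Added illustration of the slide's formula; every name, rule and key is constructed.
import hashlib
import hmac

KEY = b"constructed-demo-key"        # authentication data t_l (assumed shared key)
RULES = [{"dst_port": 443, "verdict": "permit"},   # security-management(rules)
         {"dst_port": 23, "verdict": "deny"}]
FUNCTIONALITY = {"forward", "drop", "drop_and_log"}  # functionality-of-the-firewall-system()
# protocol-state-machine: (state s_j, kind of x_i) -> next state
TRANSITIONS = {("closed", "open"): "established", ("established", "data"): "established",
               ("established", "close"): "closed"}

def mac(x):
    """MAC the sender attaches to a protocol element x_i."""
    msg = f"{x['src']}|{x['dst_port']}|{x['kind']}".encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()

def protocol_state_machine(x, s):
    return TRANSITIONS.get((s, x["kind"]))   # None: element not allowed in state s

def authenticity(x):
    return hmac.compare_digest(mac(x), x.get("mac", ""))

def analysis(x):
    return {"dst_port": x["dst_port"]}       # depth of analysis: port only

def result_of_decision(facts, rules):
    for rule in rules:
        if rule["dst_port"] == facts["dst_port"]:
            return rule["verdict"]
    return "deny"                            # nothing matched: default deny

def action_select(x, s):
    """Return (action a_k, next state, security relevant events e_i)."""
    events = []
    nxt = protocol_state_machine(x, s)
    if nxt is None:
        events.append("protocol violation")
    if not authenticity(x):
        events.append("authentication failed")
    if result_of_decision(analysis(x), RULES) != "permit":
        events.append("rule deny")
    if not events:
        return "forward", nxt, events
    action = "drop_and_log" if "drop_and_log" in FUNCTIONALITY else "drop"
    return action, s, events

SAMPLE = {"src": "10.0.0.5", "dst_port": 443, "kind": "open"}   # constructed element x_i
SAMPLE["mac"] = mac(SAMPLE)
```

Calling `action_select(SAMPLE, "closed")` forwards the element and moves the state machine to "established"; changing any field of SAMPLE without recomputing the MAC produces a dropped element with the matching security relevant events.
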
Smart Metering Gateway
Introduction
- Essential part of the (German) smart grid activities
- Connects Smart Homes and the Wide Area Network (WAN)
  - Smart components: solar power plants, smart cars, smart fridges, smart digital meters, ...
- Exchange of meter and grid condition data
- Accounting of meter data
- Ensure integrity, authenticity and confidentiality of data
- Data privacy problems

Smart Metering Gateway
Environment of the Gateway
- Federal Office for Information Security (BSI)
- Protection Profile for the Gateway of a Smart Metering System
- Technical guideline BSI TR-03109
- Defines security mechanisms and other requirements
- Protocols, algorithms, ...

Smart Metering Gateway
Security Objectives
Threats and security mechanisms (shortened representation)
Security mechanisms (table columns): TLS/SSL-Encryption; Digital Signature; Timestamp; Anonymisation and Pseudonymisation; Physical Protection (Security Module)
Threats (table rows, with their X marks; column alignment not preserved):
- Data manipulation: X X X
- Meter data manipulation: X X X X
- Data disclosure: X X
- Physical manipulation: X

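How three of the mechanisms named on this slide (digital signature, timestamp, pseudonymisation) act on a single meter reading, as an added example that is not taken from the slides or from BSI TR-03109. HMAC-SHA256 stands in for the digital signature because the Python standard library has no asymmetric signatures; the keys, field names and the 300-second freshness window are assumptions, and the TLS transport is left out.

```python
# Added illustration; keys, field names and the 300 s window are constructed.
import hashlib
import hmac
import json

GATEWAY_KEY = b"constructed-gateway-key"      # would live in the security module
PSEUDONYM_KEY = b"constructed-pseudonym-key"
MAX_AGE_S = 300                               # assumed freshness window

def pseudonym(meter_id):
    """Keyed hash: readings stay linkable to each other, not to the household."""
    return hmac.new(PSEUDONYM_KEY, meter_id.encode(), hashlib.sha256).hexdigest()[:16]

def seal(meter_id, kwh, now):
    """Gateway side: pseudonymise, timestamp, then authenticate the reading."""
    body = {"meter": pseudonym(meter_id), "kwh": kwh, "ts": now}
    payload = json.dumps(body, sort_keys=True)
    sig = hmac.new(GATEWAY_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}

def verify(record, now):
    """Receiver side: check integrity first, then freshness."""
    expected = hmac.new(GATEWAY_KEY, record["payload"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["sig"]):
        return "rejected: manipulated"
    age = now - json.loads(record["payload"])["ts"]
    if not 0 <= age <= MAX_AGE_S:
        return "rejected: stale or replayed"
    return "accepted"

SAMPLE = seal("DE-0000-CONSTRUCTED", 12.5, now=1_700_000_000)   # constructed reading
```
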
Paradigm Shift (1): More responsibility, less indifference
- Producer responsibility: Software and hardware will be better matched, and problems would be better identified and solved.
- Validation / Certification: Independent and qualified organizations prove (improve) the quality of IT (security) products and solutions.

Paradigm Shift (2): More proactive, less reactive IT security
Reactive IT Security Systems
- Today we use a lot of reactive IT security solutions, which means we are always running behind the attacker.
- The idea of reactive IT security is: if we detect an attack, we try to protect ourselves as fast as possible to reduce the damage.
- Examples of reactive IT security systems are:
  - Firewall Systems
  - Intrusion Detection Solutions
  - Anti-Malware products
  - Anti-Spam / -Phishing
- "Airbag approach": If it happens, it should hurt less.

Paradigm Shift (2): More proactive, less reactive IT security
Proactive IT Security Systems
- We need much more proactive IT security to protect our values.
- Our IT systems will be more robust and much more trustworthy with the idea of proactive IT security.
- Here we use, for example, a security kernel with separation and isolation technology combined with intelligent cryptographic security mechanisms ("Trustworthy Basis").
- "ESP strategy": Avoid skidding before it happens.

Paradigm Shift (2)
Trustworthy Base
[Figure labels: Robustness/Modularity; Modularization; Virtualization; Trusted Platform; Trusted Computing Base; Policy Enforcement; Strong Isolation; App; OS; Security Kernel / Virtualization; Hardware; Trusted Software Layer; Trusted Process; Security Management; Security Module; Integrity Control; Trusted Virtual Domains; Trusted Interaction; Remote Attestation, Binding, Sealing; Trusted Boot]

Paradigm Shift (3): More object, less perimeter security
Perimeter security
- Defense model: Protect a set of computer systems and networks with the help of firewalls, VPNs, intrusion detection and so on.
- Assumption: The computers and the networks are permanently installed.
- Evaluation: The modern world uses flexible and distributed mobile devices. Perimeter security can't protect us like in the past!

Paradigm Shift (3): More object, less perimeter security
Object Security (Information Flow Control)
- Idea: Domain object-oriented security, in which the objects are provided with rights.
- The rights define who can use the object, with which action, in which IT environment.
- Object Lifecycle Protection
- Distributed Policy Enforcement (even on foreign systems)
[Figure labels: generation, processing, destruction, Control]

Paradigm Shift (4): More collaboration, less separation
- Imbalance of power in cyberspace between attackers and defenders.
- Collaboration helps to overcome the imbalanced situation.

The Trouble of Network Security
Summary
- It is very important that we use network security in the right way
- Changes in the general condition!
  - Radical change in IT (mobile devices, social networks, cloud, ...)
  - The protected values are constantly rising and changing over time
  - Attack models are innovating and attackers are getting more professional
- Over time our IT security and privacy problems are getting bigger and bigger!
- We need paradigm shifts in IT and IT security, so that we can build trust in using the networks and the Internet in the future
  - More responsibility, less indifference
  - More proactive, less reactive IT security
  - More object, less perimeter security
  - More collaboration, less separation