
U.S. National Cybersecurity October 12th, 2004

U.S. National Cybersecurity

Understanding Internet Security

William J. Perry • Martin Casado • Keith Coleman • Dan Wendlandt

MS&E 91SI, Fall 2004

Stanford University


Announcements

• Axess + Email lists

• Coursework Forum

• Bios/Photos

Goal: Provide Working Knowledge of Internet Security


Outline

What is Security?

Attack Classifications

Internet Security Mechanisms

Discussion Questions (if time)


What is “Security” ?


The “Big Five”

Security is traditionally broken up into:

1) Availability

2) Integrity

3) Confidentiality

4) Authentication

5) Access Control


Security From What?

What can disrupt the higher-level services running on the Internet?

• Attacks

• Accidents

• Failures

(Photo: NASA Control Room)


Failures on the Internet

Why do security failures matter?

Security failures affect the Internet’s ability to function as a reliable and secure critical infrastructure.


Vulnerabilities

Def. vulnerability (n)

“a state with the potential to lead to a failure”

Where can vulnerabilities exist in technology?

Services (Amazon, SCADA)

Applications (Word, IE, Email Client)

Service-Level Protocols (http, smtp)

Network and Network Protocols (ip, tcp)

Operating Systems (Windows, Linux, Cisco IOS)

Physical Hardware (cables, routers, CPUs)

Basic Infrastructure (electricity)


Attack Classifications

(not mutually exclusive)


Vulnerabilities & Attacks

The nature of the network technologies, protocols, and operators is the basis for attacks.

Attacks can (and will) come at vulnerabilities in every layer.

Big Question: What is it about the Internet architecture that causes these vulnerabilities to exist?

(Diagram: attacks aimed at every layer: Physical, Network, Transport, Application, Humans)


Scanning & Fingerprinting

What is it?

Reconnaissance technique to explore networks, classify + analyze connected hosts, and identify potential vulnerabilities.

Example: nmap security scanner


Exploits

What is it?

The use of vulnerabilities in or misconfiguration of software or hardware to gain access to information or resources on a system.

Exploits may be manual or automated.

Worms/viruses are exploits with code to facilitate propagation.

Example: Blaster worm exploits RPC bug


Trojaned Software

What is it?

Software/hardware with hidden functionality whose use gives an attacker an avenue to access a system or its information.

This is sometimes also referred to as a “backdoor”.

Example: A free copy of MSWord downloaded off of Kazaa may have been modified to include a trojan leading to a compromise.


Denial of Service

What is it?

The malicious consumption of resources in order to make a system incapable of fulfilling its designed role. Attacks are often “distributed” to increase resource consumption (zombies or botnets).

Example: SYN flood against Yahoo


Social Engineering Attack

What is it?

Any attempt that employs non-technical means to attack a system. Often the attacker uses information gleaned from outside sources to produce false credentials (dumpster diving).

Attacks are often hybrid, relying on human and technical factors.

Example: Beagle virus used the email domain name to pose as a message from the user’s ISP.


Access Control Failures

What is it?

Failure to set up adequate access control:

– Default configurations

– Privilege revocation

Example: default administrator password for Windows


Authentication Failures

What is it?

Some authentication schemes are better than others:

– Passwords

– Public Key Crypto

Example: phishing schemes that steal passwords break the authentication model.


Infrastructure Attack

What is it?

An attack against the core systems that operate as the Internet infrastructure. Attacks can be either physical or virtual, often focusing on central points of failure.

Example: Attack on root DNS servers.


Insider Threats

What is it?

Attacks that exploit an existing trust relationship to harm the overall security of a system.

Example: a former employee uses knowledge of a company’s network systems and passwords to steal customer information entrusted to the company.


Traffic Sniffing/Modification

What is it?

Using access to a link or infrastructure system to examine or modify the contents of Internet traffic. Similar to a phone tap, with ability to change contents.

Example: an ISP’s potential for information gathering


Don’t Forget

Attacks are only one of the reasons systems can fail. There are many other, perhaps less exciting, ways systems are vulnerable.


Internet Security Mechanisms


What is Cryptography

A critical TOOL in securing information systems and their communications.

• You may have heard of:

– SSL

– Trusted Computing

– Public Key Cryptography

– Tripwire


Cryptography Overview

Crypto can provide hard guarantees (backed by math) in the digital world, similar to those we have long relied upon for security in the physical world:

- Data Encryption (privacy): “No one else can read my message”

- Data Integrity: “My message has not been modified”, “My message is from who it says it is”

Also provides for some improved authentication schemes.
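An added illustration of the two integrity claims above (not code from the slides): a keyed hash (HMAC-SHA256) lets a receiver who shares the key detect both a modified message and a message that did not come from the key holder. Keys and the message are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed scenario: sender and receiver share a secret key agreed out of
# band; the sender attaches a tag so the receiver can check "not modified"
# and "from who it says it is". Without the key, a valid tag cannot be forged.

def make_tag(key: bytes, message: bytes) -> bytes:
    """Authentication tag the sender attaches to a message."""
    return hmac.new(key, message, hashlib.sha256).digest()

def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag; compare in constant time to avoid timing leaks."""
    return hmac.compare_digest(make_tag(key, message), tag)

def demo() -> dict:
    shared_key = secrets.token_bytes(32)    # constructed: the real shared key
    other_key = secrets.token_bytes(32)     # constructed: a key nobody trusts
    message = b"transfer $100 to account 42"
    tag = make_tag(shared_key, message)

    # 1. The untouched message with its genuine tag verifies.
    intact = verify(shared_key, message, tag)
    # 2. A message altered in transit no longer matches the tag.
    tampered = verify(shared_key, b"transfer $900 to account 42", tag)
    # 3. A tag computed without the shared key is rejected: origin check.
    forged = verify(shared_key, message, make_tag(other_key, message))
    return {"intact": intact, "tampered": tampered, "forged": forged}
```

Note that this gives integrity and origin only to parties holding the key; privacy (“no one else can read my message”) needs encryption in addition.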


Cryptography Examples

How do these mechanisms function? (at 10,000 feet)


Problems with Crypto

• Bad Standards

– WEP, CSS

• Bad Implementation

– IE, OpenSSL

• Attacks on Authentication

– Phishing, password sniffing

• Weak back-end

– Weak link, insider attacks

• Encryption is often slow & cumbersome

• PKI has difficulty scaling to large numbers


Ideal vs. Real Internet Security

Ideally we can utilize authentication and access control to protect systems and data.

In reality this is not practical.

E.g. What if everyone needed to be authenticated to talk to your computer?

Additionally, authentication schemes are only as secure as those using them.

E.g. An uneducated but authenticated user may install a trojan.


Attack Detection/Prevention

Firewalls – Software to inspect packets, compare them to rules and drop traffic specified by these rules.

Intrusion Detection/Prevention Systems (IDS/IPS) – Software to inspect traffic flows for signatures or other behavior that appears to be malicious.

Anti-Virus Software – Inspects files for signs of infectious programs and eliminates them.

These mechanisms can either be deployed on individual hosts or on dedicated network servers.
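An added example of the firewall step described above (not code from the slides): packets are compared to an ordered rule list, the first matching rule decides, and unmatched traffic is dropped. The addresses, ports and rulesets are constructed; the second ruleset shows how a broad rule placed first silently overrides the narrower rules after it.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional
# Constructed example: the rule-matching step a packet filter performs. Each
# packet is checked against rules in order; the first match decides, and a
# packet no rule matches is dropped (default deny).

@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "drop"
    src: str               # CIDR of sources; "0.0.0.0/0" means any
    proto: Optional[str]   # None matches any protocol
    dport: Optional[int]   # None matches any port

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        return self.dport is None or self.dport == pkt.dport

def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """Return the action of the first rule that matches; drop if none does."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "drop"

# Constructed policy: public HTTP/HTTPS from anywhere, SSH only from the LAN.
GOOD_RULES = [
    Rule("allow", "192.168.1.0/24", "tcp", 22),
    Rule("allow", "0.0.0.0/0", "tcp", 80),
    Rule("allow", "0.0.0.0/0", "tcp", 443),
]
# Same policy with a broad catch-all placed first: order makes it an open door.
BAD_RULES = [Rule("allow", "0.0.0.0/0", "tcp", None)] + GOOD_RULES

def decisions(rules: List[Rule]) -> List[str]:
    """Evaluate constructed sample packets against a ruleset."""
    sample = [Packet("192.168.1.7", "tcp", 22),    # LAN admin SSH
              Packet("203.0.113.5", "tcp", 22),    # Internet host SSH
              Packet("203.0.113.5", "tcp", 443),   # Internet host HTTPS
              Packet("203.0.113.5", "udp", 443)]   # wrong protocol
    return [filter_packet(rules, p) for p in sample]
```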


Patching

Fix vulnerabilities in software that may lead to exploitation. Patch management is a major hidden cost to companies.

Important:

- Process is still embarrassingly manual (changing?).

- Gap between release of patch + first exploit “in the wild” is shrinking (Witty worm and zero-days).

- Often patches are not applied to critical systems because updates sometimes have conflicts that can break software running on the systems.

Do we patch?

Check out: “Security Holes? Who Cares” by Eric Rescorla: http://www.rtfm.com/upgrade.pdf


Process, Education & Risk Assessment

Often forgotten as security mechanisms:

- Having well-defined and consistent preparation, response, and recovery plans across an organization.

- Attempting to secure humans, often the weakest link.

- Determining the danger associated with each potential vulnerability.


Discussion Questions


Attributability

For traffic on the Internet, can we determine who a packet comes from?

Two levels:

- Can we tell what computer sent a given packet? (What are the implications of source spoofing?)

- Can we attribute a packet to a human?

- What does this say about our ability to catch and prosecute perpetrators of online attacks? What about active response?


Determining Intent

Can you infer intent from analyzing network traffic? What about at the application level?

- What is the difference between a denial of service attack and normal overwhelming usage?

- What is more important, the intent or the result of Internet traffic?

- What about ‘enablement’ versus ‘use’?


Trust Relationships

What are key trust relationships relating to cybersecurity? Think about:

- designers

- developers

- distributors

- owners

- operators

- users

If security is a “weakest-link” issue, what forces keep one of these trust links from breaking?


The Power of the Core

- How much control do we have with determining where traffic flows on the Internet, and what entities have control over it?

- What can someone ‘on route’ potentially do? How can you trust the integrity of what you see?

- What does it take to have control of the Internet core?


Infrastructure Attacks

How vulnerable is the actual Internet infrastructure to attacks?

- Could a single group bring down the Internet? What does this mean? What kind of resources would it take?

- How reliant is the Internet on a relatively few critical systems?

- What happens when you rely on the security of infrastructure that you have absolutely no control over? As a company? As a country? How does this compare to security in the physical world?


Determining Identity

How can we trust an Internet entity is who they say they are?

- Why is this process more difficult than it is in the “brick & mortar” world?

- How important is this for a critical infrastructure?

- Do our solutions for providing identity scale to the millions of actions on the Internet?


Overwhelming Complexity

What does the extreme complexity of the Internet mean for our ability to secure it?

- Are there just too many things that could go wrong to ever possibly be able to completely rely on it?

- In what way does the complexity impact our ability to educate average users? Is user education necessary? Is effective user education even possible?

- Will the Internet become more or less complex to manage in the future?


Why is this so hard?

What are the major barriers to providing security guarantees for an information system on the Internet?

- What (or who) are the weak links for security systems?

- Can we ever really secure a usable Internet computer system? (e.g. directed attack)

- How does software size & complexity relate to our ability to secure a system? What is zero-day?