Secrets and Lies - University of Southern California, inf520/inf519/slides/inf520-schneier.pdf

Page 1

Secrets and Lies

a summary traversal of Bruce Schneier’s book

David Morgan

Complexity is the worst enemy of security.

[Chart: Trajectory of our industry – from earlier to later, complexity increasing, security decreasing.]

BECAUSE

“As systems get more complex [they do], they necessarily get more secure.”

Page 2

Security of computer systems is a business problem

• a business uncertainty
• cost/benefit
  – what does it cost the business (not somebody else) to be secure?
  – what does it cost to not be secure?
  – which is the better deal?
• treated by risk management

Standardized practice, regulation, enforcement

• employment workplace
• environment
• air traffic
• building and civil engineering
• food and drug
• accounting
• computer products

“There's no reason to treat software any differently from other products. Today Firestone can produce a tire with a single systemic flaw and they're liable, but Microsoft can produce an operating system with multiple systemic flaws discovered per week and not be liable. Today if a home builder sells you a house with hidden flaws that make it easier for burglars to break in, you can sue the home builder; if a software company sells you a software system with the same problem, you're stuck with the damages.” p. 8

Page 3

3-step to sweeten the security deal

• enforce liabilities
• allow liability transfer among parties
• reduce risk

Enforce liabilities

• create (negative) incentive to be secure
  – prevailing vacuum: no liability → no incentive → no security
• enforce liabilities, apportioned among the parties:
  – maker of vulnerable software
  – author of attack tool that exploits it
  – user of attack tool (“attacker”)
  – sysadmin for victim network

Page 4

Enforce liabilities

• who gets the blame, and why?
  – 100% sysadmin – available to blame
  – 0% tool user – can’t catch him
  – 0% tool author – can’t catch him
  – 0% maker – liability unenforced
• what if this changes?

Allow liability transfer among parties

• insurance industry
  – assuming liability is their business
• incentivize higher security with lower premiums

Page 5

Provide mechanisms to reduce risk

• automatic by makers, pursuant to incentive
• security standards set, centralized, required by insurance industry
• outsourcing to firms that specialize in security

THE LANDSCAPE

what are the issues we need to address

Page 6

Idle claim

• “this software is secure”
• idle because it is incomplete
  – does not address the system, only the product
  – does not address the threat
• idle because it isn’t possible to attest
  – security weakness is about what you don’t know
  – you do not know what you don’t know
  – therefore you do not know your security weakness

Windows 10 promotional video

10-reasons-to-upgrade-to-Windows-10_security.mp4

…against what?

Page 7

“most secure ever” probably means

• Windows 10 fixed more security vulnerabilities
• added more security features
  – than ever

It doesn’t mean…

• that it’s the most secure Windows ever
• that Microsoft knows whether it is
• that that’s knowable

The landscape – themes

• security is not black and white
• “We are secure” is naïve and simplistic
  – secure from whom?
  – secure against what?
• security of the system, not the product, counts
• context matters more than technology
  – security against average hacker ≠ against NSA
  – what is the size of the fire?

Page 8

Some pre-digital threats

• theft
• embezzlement
• voyeurism
• extortion
• fraud
  – snake oil
• impersonation

Threats in the digital age

• theft
• embezzlement
• voyeurism
• extortion
• fraud
  – snake oil
• impersonation

Page 9

Threats in any age

• bad guy has a business model too
• asset he threatens is worth only so much to him
• useful to good guy to understand that model
  – that way you might influence bad guy’s motive

(threat components: agent, means, opportunity, motive)

So what’s new with threats?

• automation
  – salami attack
• action at a distance
  – the world’s pickpockets are all in your house
• technique propagation
  – first attacker needs skill, others use his software

Page 10

Technique propagation

So what’s new with threats?

• physical theft
  – stolen material gone
  – you can no longer use it – basis of legal injury
  – availability and integrity violated
• digital theft
  – stolen material still there – no similar injury
  – you can still use it
  – availability and integrity preserved

Page 11

Attacks

• criminal
• publicity
• legal

Adversaries classified

• objectives
• access
• resources
• expertise
• risk

Page 12

Adversaries

• hackers
• lone criminals
• malicious insiders
• industrial espionage
• press
• organized crime
• police
• terrorists
• national intelligence
• infowarriors

Security needs

• privacy
• multilevel security
• anonymity
• authentication
• integrity
• audit
• electronic currency
• proactive solutions

Page 13

TECHNOLOGIES

what tools do we have to address the issues

Tools for offense and defense

• cryptography
• network
• software
• hardware
• etc. – to discuss another day mostly, but:
  – Schneier devotes 12 chapters to “Part 2: Technologies”
  – I want to discuss “Computer Security” and “Software Reliability”

Page 14

CIA triad again

Access control is central

• early, computer security stressed confidentiality
• because early research was military
• but confidentiality is about access control
• so are integrity and availability
• C, I, A all boil down to access control
  – C → about access for reading
  – I → about access for writing
  – A → about access in general
• goal: authorized people have access to do what’s authorized, everyone else does not

Page 15

Need access control?

• first computers – small scale, full trust: no
• became multi-user at scale: yes
• personal computers, single-user: no
• networking – multi-user at scale: yes

Access – subject & object

• subject
  – user
  – process
• objects
  – file
  – database record
  – device
  – memory region
  – another process (plug-in)

Page 16

Controlling access

Control what can be done to objects
  – permissions
  – e.g. permission mechanisms in particular filesystems, ext or ntfs or…

or

Control what subjects can do
  – capabilities
  – e.g. database management systems

are these different methods, or different perspectives?
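One way to see the question the slide ends on is to start from a single access matrix and derive both views from it. The following is an added example, not code from the slides or from Schneier's book; the subjects, objects and rights are constructed. An ACL is a column of the matrix (what may be done to an object, as in ext4 or NTFS permissions) and a capability list is a row (what a subject may do); every access question gets the same answer from either view, and the two differ only in which questions are cheap to answer and how revocation works.

```python
"""Permissions vs capabilities as two views of one access matrix.

Added example, not code from the slides or from Schneier's book: the
subjects, objects and rights below are constructed. The access matrix is
the single source of truth; an ACL is one of its columns (what may be done
to an object) and a capability list is one of its rows (what a subject may do).
"""
from collections import defaultdict

# Constructed access matrix: ACCESS_MATRIX[subject][object] = set of rights.
ACCESS_MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "printer": {"use"}},
    "bob":   {"payroll.db": {"read"}, "report.txt": {"read", "write"}},
    "batch": {"report.txt": {"read"}, "printer": {"use"}},
}


def acl_view(matrix):
    """Object-centred view (permissions, as in ext4/NTFS): for each object,
    which subjects hold which rights. Returns {object: {subject: rights}}."""
    acls = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls[obj][subject] = set(rights)
    return dict(acls)


def capability_view(matrix):
    """Subject-centred view (capabilities): for each subject, the sorted list
    of (object, right) tokens it holds. Returns {subject: [(object, right)]}."""
    return {
        subject: sorted((obj, r) for obj, rights in row.items() for r in rights)
        for subject, row in matrix.items()
    }


def check_by_acl(acls, subject, obj, right):
    """Access decision taken by looking at the object's ACL."""
    return right in acls.get(obj, {}).get(subject, set())


def check_by_capability(caps, subject, obj, right):
    """The same decision taken by looking at the subject's capability list."""
    return (obj, right) in caps.get(subject, [])


def views_agree(matrix):
    """Both views answer every (subject, object, right) question identically,
    because both are projections of the same matrix."""
    acls, caps = acl_view(matrix), capability_view(matrix)
    objects = {o for row in matrix.values() for o in row}
    rights = {r for row in matrix.values() for rs in row.values() for r in rs}
    return all(
        check_by_acl(acls, s, o, r) == check_by_capability(caps, s, o, r)
        for s in matrix for o in objects for r in rights
    )


# Where the two views differ is in which questions are cheap to answer.
def who_can(acls, obj, right):
    """Cheap in the ACL view: read one column."""
    return sorted(s for s, rights in acls.get(obj, {}).items() if right in rights)


def what_can(caps, subject):
    """Cheap in the capability view: read one row."""
    return caps.get(subject, [])


def revoke_object(matrix, obj):
    """Revoking all access to an object means dropping its column; in a pure
    capability system the same revocation means finding every holder of a
    token, which is why capability systems need extra revocation machinery."""
    return {s: {o: set(rs) for o, rs in row.items() if o != obj}
            for s, row in matrix.items()}


if __name__ == "__main__":
    acls, caps = acl_view(ACCESS_MATRIX), capability_view(ACCESS_MATRIX)
    print("ACL of payroll.db:", acls["payroll.db"])
    print("capabilities of bob:", caps["bob"])
    print("both views agree on every triple:", views_agree(ACCESS_MATRIX))
    print("who can write payroll.db:", who_can(acls, "payroll.db", "write"))
```

So the answer to the slide's question is "both": they are two projections of the same matrix, and the choice between them is an engineering one (auditing "who can reach this object" favours ACLs; delegating "what this process may touch" favours capabilities).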

Security models

• multi-level
  – formalization of military classification/clearance
• Bell-LaPadula
  – no write down, no read up
• mandatory vs discretionary access controls
• Chinese wall
• Clark-Wilson

Page 17

Security at low level (hardware/OS)

• reference monitor
  – active, explicit mediation of every access
• trusted computing base
  – set of components that collectively enforce a security policy
• secure kernel
  – (sub)set of components in the trusted computing base that specifically implements the reference monitor
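The two slides above (Bell-LaPadula's "no read up, no write down" and the reference monitor that mediates every access) fit in a few dozen lines. The following is an added example, not code from the slides or from the book; all subjects, objects and labels are constructed. It goes one step beyond the slide by carrying compartments as well as levels, so that a label dominates another only when its level is at least as high and its category set is a superset, and it fails closed on unknown subjects, objects or operations while logging every decision for audit.

```python
"""A minimal Bell-LaPadula reference monitor.

Added example, not code from the slides or the book. Every read and write
goes through ReferenceMonitor.decide(), which enforces the two Bell-LaPadula
rules from the slide (no read up, no write down) and records each decision
for audit. Compartments are carried alongside levels: a label dominates
another when its level is at least as high and its category set is a
superset. Subjects, objects and labels are constructed.
"""
from dataclasses import dataclass, field

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        """Lattice order: higher-or-equal level AND superset of categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


@dataclass
class ReferenceMonitor:
    clearances: dict          # subject name -> Label (clearance)
    classifications: dict     # object name -> Label (classification)
    audit: list = field(default_factory=list)

    def decide(self, subject, obj, op):
        """Mediate one access. Unknown subjects/objects and unknown operations
        are denied (fail closed), and every decision is logged."""
        clr = self.clearances.get(subject)
        cls = self.classifications.get(obj)
        if clr is None or cls is None:
            allowed = False
        elif op == "read":
            allowed = clr.dominates(cls)   # simple security property: no read up
        elif op == "write":
            allowed = cls.dominates(clr)   # *-property: no write down
        else:
            allowed = False
        self.audit.append((subject, op, obj, "ALLOW" if allowed else "DENY"))
        return allowed


def build_demo_monitor():
    """Constructed policy: two cleared users and four labelled objects."""
    return ReferenceMonitor(
        clearances={
            "alice": Label("SECRET", frozenset({"CRYPTO"})),
            "bob": Label("CONFIDENTIAL"),
        },
        classifications={
            "bulletin": Label("UNCLASSIFIED"),
            "key_plan": Label("SECRET", frozenset({"CRYPTO"})),
            "reactor_plan": Label("SECRET", frozenset({"NUCLEAR"})),
            "ts_summary": Label("TOP_SECRET", frozenset({"CRYPTO"})),
        },
    )


if __name__ == "__main__":
    rm = build_demo_monitor()
    for s, o, op in [("alice", "key_plan", "read"), ("alice", "ts_summary", "read"),
                     ("alice", "reactor_plan", "read"), ("alice", "bulletin", "write"),
                     ("bob", "key_plan", "write"), ("bob", "key_plan", "read"),
                     ("mallory", "bulletin", "read")]:
        rm.decide(s, o, op)
    for entry in rm.audit:
        print(entry)
```

Note what the *-property permits: bob, cleared CONFIDENTIAL, may write into a SECRET object he cannot read. Bell-LaPadula guards confidentiality only; that gap is exactly what integrity models such as Clark-Wilson, listed on the previous slide, address.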

Multics operating system

• most successful historical implementation
• built with the security model and mathematical formalisms explicitly in mind
• small, 56,000 lines of code
  – 15 million in Windows 95
  – Linux similarly large
• last Multics system deactivated 2000

Page 18

Covert channels

• communication channel that can transfer information in violation of a system’s security policy
• storage channels
  – least significant bits of color bytes in an image file
  – reserved or user-definable fields in packet headers
• timing channels
  – port knocking
  – non-covert timing channel: Morse code
    http://funtranslations.com/morse#
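The first storage channel on the slide is worth seeing in numbers, both why it is covert (no pixel changes by more than 1) and how a defender can still notice it. The following is an added example, not from the slides or the book; the "image" is a constructed array of pixel bytes rather than a real file, and the payload is constructed random bytes. `embed_lsb`/`extract_lsb` show the channel; `lsb_ones_ratio` is the defender's check: natural images tend to leave the LSB plane biased, and overwriting it with payload bits flattens that bias, which is the idea behind the simplest LSB steganalysis.

```python
"""LSB storage channel in an image, and a statistical check for it.

Added example, not from the slides or the book. The "image" is a constructed
byte array of pixel values, not a real file. embed_lsb() shows the channel
the slide names (one bit per colour byte, in the least significant bit);
lsb_ones_ratio() is the defender's side: overwriting LSBs with payload bits
tends to flatten an LSB plane that natural images leave biased.
"""
import random


def make_cover(n_pixels=4000, seed=1):
    """Constructed cover: a smooth ramp whose LSB plane is about 80% zeros."""
    rng = random.Random(seed)
    pixels = bytearray()
    for i in range(n_pixels):
        v = (i * 255 // n_pixels) & 0xFE            # even value
        if rng.random() < 0.2:                       # occasional odd value
            v |= 1
        pixels.append(v)
    return bytes(pixels)


def _bits(data):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for k in range(7, -1, -1):
            yield (byte >> k) & 1


def embed_lsb(cover, payload):
    """Write a 32-bit length header then the payload into successive LSBs."""
    header = len(payload).to_bytes(4, "big")
    bits = list(_bits(header + payload))
    if len(bits) > len(cover):
        raise ValueError("payload does not fit in cover")
    stego = bytearray(cover)
    for i, b in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | b
    return bytes(stego)


def extract_lsb(stego):
    """Read the header, then that many payload bytes, from the LSB plane."""
    def read_bytes(offset, count):
        out = bytearray()
        for j in range(count):
            byte = 0
            for k in range(8):
                byte = (byte << 1) | (stego[offset + j * 8 + k] & 1)
            out.append(byte)
        return bytes(out)
    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)


def max_pixel_delta(a, b):
    """How much any pixel changed: LSB embedding changes each by at most 1."""
    return max(abs(x - y) for x, y in zip(a, b))


def lsb_ones_ratio(pixels, start=0, end=None):
    """Fraction of LSBs that are 1 over a region; drifts to about 0.5 where
    payload bits have overwritten a biased plane."""
    region = pixels[start:end]
    return sum(p & 1 for p in region) / len(region)


def demo():
    """Embed a constructed payload and return the round-trip and detector results."""
    rng = random.Random(7)
    payload = bytes(rng.getrandbits(8) for _ in range(200))  # constructed, looks encrypted
    cover = make_cover()
    stego = embed_lsb(cover, payload)
    used = 32 + 8 * len(payload)          # pixels that carry header + payload
    return {
        "roundtrip_ok": extract_lsb(stego) == payload,
        "max_delta": max_pixel_delta(cover, stego),
        "cover_ratio": lsb_ones_ratio(cover, 0, used),
        "stego_ratio": lsb_ones_ratio(stego, 0, used),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The cover's LSB ones-ratio sits near 0.2 and the embedded region's near 0.5, while no pixel moved by more than one step: invisible to the eye, visible to a histogram. Real detectors (pairs-of-values, RS analysis) refine this same idea; the point for the slide is that a storage channel violates policy without violating any access check, so it has to be caught statistically or closed by design.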

Evaluation criteria

• Orange Book
  – hierarchy of security level designations: D, C1, C2, B1, B2, B3, A
  – did not make systems provably secure
  – for local, stand-alone computers, not networked ones
  – varies from other nations’ standards efforts
• Common Criteria
  – international standardization effort

Page 19

Software reliability

• Murphy’s computer
  – must work in the presence of random faults
  – adversaryless
• Satan’s computer
  – must work in the presence of deliberate faults
  – witted adversary

Murphy’s Law: Anything that can go wrong, will go wrong.

STRATEGIES

now what are we going to do about it all

Page 20

Things you should keep in mind when you are securing… what?

• object of the verb: “the entire system”
  – all your organization’s computer infrastructure
  – plus your extended environment (not just equipment)
    • your office space
    • your people
  – plus your telecommute workers’ homes
  – plus your road warriors’ hotels
  – plus your trusted vendors’ “entire systems”
  – plus your ISP, plus your cloud provider, plus, plus, plus…
• Security is
  – a chain, weakest link breaks it (weak link == vulnerability)
  – a process, not a product

Security as a process/practice

• the math doesn’t fail
• the implementation of it fails, the process of using the math
  – sometimes I don’t buckle my bike helmet strap
  – sometimes I mis-distribute my crypto keys
• implementation could even exacerbate
  – iatrogenic effects – “iatro” doctor, “genic” originated
  – disease caused by treatment

Page 21

Attack methodology

• Plan what to attack
• Plan how to attack
• Get in
• Do it
• Get out
  – Cleanse traces
  – Check evidence of how system is maintained
  – Install a future path back in

Vulnerabilities

• weak links in the chain
• intersection of
  – system susceptibility
  – attacker access to it
  – attacker capability
• vulnerability → “attack surface”
  – network attack surface
  – software attack surface
  – human attack surface

http://www.spi.dod.mil/tenets.htm

Page 22

Countermeasures

• ways to reduce vulnerabilities
• 3 parts
  – protection
  – detection
  – reaction

Vulnerability landscape

• physical security
• virtual security
  – firewall == fence
  – authentication == gate guard
• the trust model
  – without benefit of an individual’s physical presence
• lifecycle of a system

Page 23

Lifecycle of a system

• design
• manufacture
• shipment
• installation
• operation
• maintenance

Each stage is an opportunity for possible insertion of vulnerable components.

Rationally apply countermeasures

• protect against threats that pose greatest risk
• not against most manifest, ignoring all others
• value depends on context
  – attacker, defender may ascribe different value
  – teenagers steal floppies for value of the disk itself

Page 24

Threat modeling

• figuring out all the ways to
  – rig an election
  – defeat secure communication
  – subvert electronic payment systems
• because your personality can’t help it
  – Mr. Cook model
• assess risk
  – some unlikely
  – some should be expected
  – which should you protect against?

Threat modeling

• identify and risk-rank threats
• decide a security policy to defend against them
• design countermeasures to effect the policy
  – protection
  – detection
  – reaction
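The slides' three rules (what does it cost to be secure versus not to be, protect against the threats that pose the greatest risk rather than the most manifest ones, and risk-rank threats before choosing countermeasures) can be made concrete with a small risk register. The following is an added example, not from the slides or the book; every threat rate, loss figure and countermeasure cost is a constructed estimate for an imaginary organisation, and the model (expected annual loss = rate × loss per event, a countermeasure removes a fraction of that) is the simplest one that serves the slides' argument.

```python
"""Risk-ranking threats and picking countermeasures by cost/benefit.

Added example, not from the slides or the book. Expected annual loss is
rate x loss-per-event; a countermeasure removes a fraction of one or more
threats' expected loss and is worth buying only if that exceeds its cost.
All numbers are constructed estimates for an imaginary organisation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    events_per_year: float   # how often it is expected to occur
    loss_per_event: float    # cost to *this* business per occurrence

    @property
    def expected_annual_loss(self):
        return self.events_per_year * self.loss_per_event


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float       # the cost of being secure this way
    loss_reduction: dict     # threat name -> fraction of its expected loss removed


# Constructed register: frequent-but-cheap threats next to a rare-but-ruinous one.
THREATS = [
    Threat("web defacement", events_per_year=10.0, loss_per_event=500.0),
    Threat("laptop theft", events_per_year=6.0, loss_per_event=3_000.0),
    Threat("phishing account takeover", events_per_year=4.0, loss_per_event=15_000.0),
    Threat("ransomware via unpatched server", events_per_year=0.2, loss_per_event=800_000.0),
]

COUNTERMEASURES = [
    Countermeasure("offline backups + patch SLA", 40_000.0, {"ransomware via unpatched server": 0.8}),
    Countermeasure("phishing-resistant MFA", 25_000.0, {"phishing account takeover": 0.9}),
    Countermeasure("full-disk encryption", 5_000.0, {"laptop theft": 0.7}),
    Countermeasure("24x7 defacement monitoring", 30_000.0, {"web defacement": 0.9}),
]


def rank_by_risk(threats):
    """The slide's rule: rank by expected loss (likelihood x impact)."""
    return [t.name for t in sorted(threats, key=lambda t: t.expected_annual_loss, reverse=True)]


def rank_by_frequency(threats):
    """The tempting rule: rank by how often the threat is seen ("most manifest")."""
    return [t.name for t in sorted(threats, key=lambda t: t.events_per_year, reverse=True)]


def annual_benefit(cm, threats):
    """Expected loss avoided per year by one countermeasure."""
    by_name = {t.name: t for t in threats}
    return sum(by_name[n].expected_annual_loss * f for n, f in cm.loss_reduction.items())


def worth_it(cm, threats):
    """'Which is the better deal?': buy it only if it removes more expected
    loss than it costs."""
    return annual_benefit(cm, threats) > cm.annual_cost


def choose(countermeasures, threats):
    """Countermeasures that pay for themselves, largest net benefit first."""
    good = [cm for cm in countermeasures if worth_it(cm, threats)]
    return [cm.name for cm in sorted(
        good, key=lambda cm: annual_benefit(cm, threats) - cm.annual_cost, reverse=True)]


if __name__ == "__main__":
    print("by risk:     ", rank_by_risk(THREATS))
    print("by frequency:", rank_by_frequency(THREATS))
    for cm in COUNTERMEASURES:
        print(f"{cm.name:30s} cost {cm.annual_cost:>9,.0f} "
              f"benefit {annual_benefit(cm, THREATS):>9,.0f} buy={worth_it(cm, THREATS)}")
    print("chosen:", choose(COUNTERMEASURES, THREATS))
```

With these inputs the frequency ranking puts web defacement first and ransomware last, while the risk ranking reverses them; the defacement monitoring that "most manifest" thinking would buy is the one countermeasure that costs more than it saves. The fractions and rates are the fragile part in practice, which is why the next slides insist trust in the estimates comes from long usage rather than from the arithmetic.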

Page 25

Product testing and verification

• beta (functional) testing doesn’t test security
• security is independent of functionality
• products should “do what they’re designed to do and no more”
  – why “and no more”?
• beta testing tests that they do what they’re designed to do

Security testing

• can show presence of flaws
• cannot show absence of flaws
• trust comes only from long, broad, uneventful usage, not testing
  – RSA probably OK
  – prime factoring probably infeasible

Page 26

Patch ≠ fix

• heartbleed public announcement & patch concurrent
• one minute later nothing was fixed
• one year later is heartbleed fixed?

The future of products

• getting more complex
  – lines of code in successive Windows versions
  – number of function calls in OS’s
• so, getting less secure
• ever increasing insecurity (worse than entropy!!)

Page 27

More complex, less secure

• number of security bugs
• modularity (exposure at interfaces)
• interconnectedness of systems
• more unknowable
• less susceptible to analysis
• increased testing requirements

Sun is gone, IoT is here

“Complexity is creeping into everything…. My old thermostat had one dial…. My new thermostat has a digital interface and a programming manual…. Thermostats based on Sun Microsystems’s “Home Gateway” system come with an internet connection, so you can conveniently contract with some environmental company to operate your too-complicated thermostat. Sun is envisioning Internet connections for all your appliances and your door locks.”

-- year 2000

Page 28

Security processes

• old approach
  – prevent threats
• new approach
  – accept threats, detect them and respond
  – manage the risk they pose

“Risk management is the future of digital security. Whoever learns how to best manage risk is the one who will win. Insurance is one critical component of this. Technical solutions to mitigate risk to the point where it is insurable is another…. The prize doesn’t go to the company that best avoids the threats, it goes to the company that best manages the risks.”

look at the credit card industry