Introduction
Dan Fleck
CS 469: Security Engineering
These slides are modified with permission from Bill Young (Univ of Texas)
Outline
• Introduction: What is “security”
• Why is security hard?
• Security as risk management
• Aspects of security
What does security mean?
The term security is used in a variety of contexts. What’s the common thread?
• Personal security
• Corporate security
• Personnel security
• Energy security
• Homeland security
• Operational security
• Communications security
• Network security
• System security
What does security mean?
• In the most general terms, security seems to mean something
like “protection of assets against threats.”
• What assets?
• What kinds of threats?
• What does “protection” mean?
• Does the nature of protection vary depending on the threat?
Security on a Personal Level
Suppose you’re visiting an online retailer, and need to enter personal information. What protections do you want? From what threats?
• Authentication (protection from phishing)
• Authorization
• Privacy of your data
• Integrity of your data
• Availability
• Non-repudiation
• What else?
Security on an Institutional Level
Consider the following scenarios:
1. A large corporation’s computer systems are penetrated and data on thousands of customers is stolen.
2. A student hacks into the university registrar’s system and changes his grade in several classes he has taken.
3. An online retailer’s website is overwhelmed by malicious traffic, making it unavailable for legitimate customer purchases.
• Does this suggest why it’s hard to define “security” in the context of digital systems?
Why are Attacks Becoming More Prevalent?
• Increased connectivity
• Many valuable assets online
• Low threshold to access
• Sophisticated attack tools and strategies available
• Others?
Some Sobering Facts
• There were over 1 million new unique malware samples
discovered in each of the past two quarters. Unlike the worms
and mass-mailers of the past, many of these were extremely
targeted to particular industries, companies and even users.
(www.insecureaboutsecurity.com, 10/19/2009)
• Once PCs are infected they tend to stay infected. The median
length of infection is 300 days.
(www.insecureaboutsecurity.com, 10/19/2009)
Some Sobering Facts
• A recent study of 32,000 Websites found that nearly 97% of
sites carry a severe vulnerability. –Web Application Security
Consortium, Sept 2008
• “NSA found that inappropriate or incorrect software security
configurations (most often caused by configuration errors at
the local base level) were responsible for 80 percent of Air
Force vulnerabilities.” –CSIS report on Securing Cyberspace for
the 44th Presidency, Dec. 2008, p. 55
Why Should We Care?
• A dozen determined computer programmers can, if they find a
vulnerability to exploit, threaten the United States’ global
logistics network, steal its operational plans, blind its
intelligence capabilities or hinder its ability to deliver weapons
on target.
– William J. Lynn, U.S. Deputy Secy of Defense,
Foreign Affairs (2010)
• A top FBI official warned today that many cyber-adversaries of
the U.S. have the ability to access virtually any computer
system, posing a risk that’s so great it could “challenge our
country’s very existence.”
–Computerworld, March 24, 2010
Educate Yourself
Educating yourself about computer security can:
• enhance your own protection;
• contribute to security in your workplace;
• enhance the quality and safety of interpersonal and business
transactions;
• improve overall security in cyberspace.
Outline
• Introduction: What is “security”
• Why is security hard?
• Security as risk management
• Aspects of security
Is Cyber Security Particularly Hard?
Question: Why would security be any more difficult than most
technological problems?
• Answer 1: Most technology-related efforts are concerned with
ensuring that something good happens. Security is all about
ensuring that bad things never happen.
• In security, not only do you have to find “bugs” that make the
system behave differently than expected, you have to identify
any features of the system that are susceptible to misuse and
abuse, even if your programs behave exactly as you expect
them to.
What Bad Things?
Answer 2: If security is all about ensuring that bad things never
happen, that means we have to know what those bad things
are.
The hardest thing about security is convincing yourself that
you’ve thought of all possible attack scenarios, before the
attacker thinks of them.
“A good attack is one that the engineers never thought of.”
–Bruce Schneier
Programming Satan’s Computer
Answer 3: Unlike most technology problems, you have to defeat
one or more actively malicious adversaries.
Ross Anderson characterizes this as “Programming Satan’s
Computer.” The environment in which your program is deployed
works with malice and intelligence to defeat your every effort.
The defender has to find and eliminate all exploitable
vulnerabilities; the attacker only needs to find one!
Easiest Penetration
Answer 4: Information management systems are a complex,
“target-rich” environment comprising: hardware, software,
storage media, peripheral devices, data, people.
Principle of Easiest Penetration: an intruder will use any
available means to subvert the security of a system.
“If one overlooks the basement windows while assessing the
risks to one’s house, it does not matter how many alarms are
put on the doors and upstairs windows.” –Melissa Danforth
Security Isn’t the Point
Answer 5: Security is often an afterthought. No-one builds a
digital system for the purpose of being secure. They build digital
systems to do something useful.
Security mechanisms may be viewed as a nuisance to be
subverted, bypassed, or disabled.
Upshot: Perfect Security Ain’t Happening
• Perfect security is probably impossible in any useful system.
• “The three golden rules to ensure computer security are: do
not own a computer; do not power it on; and do not use it.” –
Robert H. Morris, former Chief Scientist of the National
Computer Security Center (early 1980’s)
• “Unfortunately the only way to really protect [your computer]
right now is to turn it off, disconnect it from the Internet,
encase it in cement and bury it 100 feet below the ground.”
–Prof. Fred Chang, former director of research at NSA (2009)
If Security Gets in the Way
• Security is meant to prevent bad things from happening; one
side-effect is often to prevent useful things from happening.
• Typically, a tradeoff is necessary between security and other
important project goals: functionality, usability, efficiency,
time-to-market, and simplicity.
Some Lessons
• He who defends everything defends nothing. –old military
adage
• Security is difficult for several reasons. Since you can never
achieve perfect security, there is always a tradeoff between
security and other system goals.
Outline
• Introduction: What is “security”
• Why is security hard?
• Security as risk management
• Aspects of security
Security as Risk Management
• If perfect security is not possible, what can be done?
• Viega and McGraw (Building Secure Software) assert that
software and system security really is “all about managing
risk.”
• Risk is the possibility that a particular threat will adversely
impact an information system by exploiting a particular
vulnerability.
• The assessment of risk must take into account the
consequences of an exploit.
Risk Management Framework
• Risk management is a process for an organization to identify and address the risks in their environment.
• One particular risk management procedure (from Viega and McGraw) consists of six steps:
1. Assess assets
2. Assess threats
3. Assess vulnerabilities
4. Assess risks
5. Prioritize countermeasure options
6. Make risk management decisions
Coping with Risk
Once the risk has been identified and assessed, managing the risk may
involve:
• Risk acceptance: risks are tolerated by the organization. e.g.
sometimes the cost of insurance is greater than the potential loss.
• Risk avoidance: not performing an activity that would incur risk. e.g.
disallow remote login.
• Risk mitigation: taking actions to reduce the losses due to a risk;
most technical countermeasures fall into this category.
• Risk transfer: shift the risk to someone else. e.g. most insurance
contracts, home security systems.
GMU Does it: https://itsecurity.gmu.edu/DRAC/about-DRAC.cfm
Annualized Loss Expectancy
• One common tool for risk assessment is annualized loss
expectancy (ALE), which is a table of possible losses, their
likelihood, and potential cost for an average year.
• Example: consider a bank with the following ALE. Where
should the bank spend scarce security dollars?
Loss type            Amount (per incident)   Incidence (per year)   ALE (per year)
SWIFT* fraud         $50,000,000             0.005                  $250,000
ATM fraud (large)    $250,000                0.20                   $50,000
ATM fraud (small)    $20,000                 0.50                   $10,000
Teller theft         $3,240                  200                    $648,000
* SWIFT: large-scale transfer of funds.
Is ALE the Right Model?
• Annualized Loss Expectancy effectively computes the
“expected value” of any security expenditure.
• Consider the following two scenarios:
• I give you a dollar.
• We flip a coin. Heads: I give you $1000. Tails: you give me $998.
Note that the expected values are the same in both cases ($1),
but the risks seem quite different.
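The two slides above can be worked through in code. The following is an added illustration, not part of the original deck: it recomputes the bank table's ALE column (amount per incident times incidents per year), ranks the loss types the way ALE would rank them for spending, and then computes expected value and standard deviation for the sure-dollar and coin-flip scenarios to show that the same expected value hides very different spreads. The countermeasure cost and effectiveness figures used in `net_benefit` are hypothetical.

```python
# Added worked example (not part of the original deck): annualized loss
# expectancy for the bank table on the slide, plus the expected-value
# versus spread comparison from the coin-flip example.
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class LossType:
    name: str
    amount: float     # loss per incident, dollars (the "Amount" column)
    incidence: float  # expected incidents per year (the "Incidence" column)

    @property
    def ale(self) -> float:
        # Annualized loss expectancy = loss per incident x incidents per year
        return self.amount * self.incidence


# The four rows from the slide's bank table.
BANK = [
    LossType("SWIFT fraud", 50_000_000, 0.005),
    LossType("ATM fraud (large)", 250_000, 0.20),
    LossType("ATM fraud (small)", 20_000, 0.50),
    LossType("Teller theft", 3_240, 200),
]


def rank_by_ale(losses):
    """Loss types ordered by expected annual cost, highest first; this is
    the ordering ALE suggests for spending scarce security dollars."""
    return sorted(losses, key=lambda loss: loss.ale, reverse=True)


def largest_single_loss(losses):
    """The loss type whose single incident hurts most. ALE ranking hides
    this: SWIFT fraud ranks second by ALE but would be the catastrophe."""
    return max(losses, key=lambda loss: loss.amount)


def net_benefit(loss, annual_cost, fraction_prevented):
    """Expected annual saving from a countermeasure minus its annual cost.
    fraction_prevented is the share of incidents the control stops (0..1).
    The cost and effectiveness figures passed in are hypothetical."""
    return loss.ale * fraction_prevented - annual_cost


def expected_value(outcomes):
    """outcomes: list of (probability, payoff) pairs whose probabilities
    sum to 1. This is the quantity ALE computes."""
    return sum(p * x for p, x in outcomes)


def std_dev(outcomes):
    """Spread of the outcomes around the expected value, which ALE ignores."""
    mu = expected_value(outcomes)
    return sqrt(sum(p * (x - mu) ** 2 for p, x in outcomes))


# The two scenarios from "Is ALE the Right Model?"
SURE_DOLLAR = [(1.0, 1.0)]
COIN_FLIP = [(0.5, 1000.0), (0.5, -998.0)]


if __name__ == "__main__":
    for loss in rank_by_ale(BANK):
        print(f"{loss.name:<20} ALE ${loss.ale:>12,.0f}")
    print("largest single loss:", largest_single_loss(BANK).name)
    # Hypothetical control: $100k per year that halves teller theft.
    print("teller-theft control net benefit:", net_benefit(BANK[3], 100_000, 0.5))
    for label, scenario in (("sure dollar", SURE_DOLLAR), ("coin flip", COIN_FLIP)):
        print(f"{label}: EV {expected_value(scenario):.0f}, "
              f"std dev {std_dev(scenario):.0f}")
```

Run as a script, the ranking puts teller theft first at $648,000 per year, well ahead of the $50,000,000 SWIFT fraud whose ALE is only $250,000, while `largest_single_loss` still points at SWIFT. The two scenarios both have an expected value of $1, but standard deviations of 0 and 999, which is the point of the slide: ALE alone cannot distinguish a small certain loss from a rare ruinous one.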
Lessons
• Because perfect security is impossible, realistic security is
really about managing risk.
• Systematic techniques are available for assessing risk.
• Assessing risk is important, but difficult and depends on a
number of factors (technical, economic, psychological, etc.)