Why is Internet Security So Hard?

sweetlipscasteSecurity

Nov 2, 2013 (3 years and 11 months ago)

127 views

Why is Internet Security
So Hard?

Dr. Stephen Kent

Chief Scientist
-

Information Security


Internet Security


Security for the Internet includes both security for
network operations and security for network users


The former is usually the purview of ISPs, the
latter is a shared responsibility among users, ISPs,
and vendors


For network users, there is a need to secure
information on computers and in transit across the
Internet


This presentation focuses on security for Internet
users


What is Security?



ISO 7498
-
2 defines five security services


Confidentiality (secrecy)


Authentication (identify verification)


Integrity


Access control


Non
-
repudiation (not “taking back” what one “said”)


Users also would likely include


Preventing spam


Preventing denial of service


Privacy




Information Security Disciplines


Physical security


Procedural security


Personnel security


Compromising emanations security


Operating system security


Communications security



a failure in any of these areas can
undermine the security of a system

Security Terminology


Vulnerabilities



security flaws in systems


Attacks



means of exploiting vulnerabilities


Countermeasures


technical or procedural means of addressing
vulnerabilities or thwarting specific attacks


Threats



motivated adversaries capable of mounting attacks
which exploit vulnerabilities

Adversaries (The Bad Guys)


Hackers


Disgruntled employees


Industrial spies


Terrorists


Special interest groups


Journalists


Real spies


Criminals (organized or otherwise)

Adversary Characteristics


Capabilities


Network wiretapping


Remote attacks against operating systems or
applications


“Social engineering” (e.g., SPAM)


Physical attacks


Personnel subversion


Resources


Personnel


Technology


Funds


Aversion to detection

Vulnerabilities


The simple characterization of our problem is the
existence of vulnerabilities in products


We face a two sorts of vulnerability problems:


Known vulnerabilities


Unknown vulnerabilities


For known vulnerabilities we can deploy specific
countermeasures


For unknown vulnerabilities, at best we try to
prevent/detect behavior that might be exploiting
these vulnerabilities

Sources of Vulnerabilities


Design flaws


operating system & application vulnerabilities


protocol design vulnerabilities


Implementation flaws


programming errors


undocumented system & application “features”


Mismanagement


unintended and/or residual authorizations


failure to deploy security bug fixes

Security Continuum


There are no perfect, secure systems


Systems are "adequately secure" only relative to a
perceived threat


Absence of obvious insecurities is not a good
indication that a system is adequately secure


Risk analysis, if properly performed, provides a
methodology for identifying what constitutes
adequate security

The Threshold Effect


Once a technical attack against a security
technology has been "debugged" it can be
executed by a wide range of (inexperienced)
attackers


A technical attack that can be effected using
inexpensive hardware or software is especially
easy to transfer from sophisticated attackers to
amateurs


Thus it is dangerous to dismiss an attack as "too
complex or too technical" because the perceived
attackers do not possess the technical capability to
mount the attack

Why are the Bad Guys Winning?


Most vendor software has poor security
characteristics


Too complex


Badly designed


Buggy


Most users are sloppy


Don’t install the latest patches


Easily tricked (social engineering)


Poor password choices, password reuse, …


Hackers value their time at 0, but user have other
priorities in life!

Common Defense Strategies


Firewalls


Intrusion Detection Systems


Anti
-
virus technology (in hosts and in mail
gateways)


Anti
-
spam technology (in hosts and in mail
gateways)


Periodic penetration testing (enterprise nets)


Centralized patch management (enterprise nets)



Anti
-
DOS mechanisms (ISPs)

Firewalls


Recently renamed Intrusion Prevention Devices
(IPDs), probably to help sell more of them :
-
)


The term covers a wide range of technologies,
from simple, stateless packet filtering, to
application
-
specific devices


At the low end, these offer minimal protection
against most adversaries


At the high end they are expensive and often
interact badly with new applications


In all cases, management of the firewall rule sets
is complex, time consuming, and thus imperfect

Intrusion Detection Systems (IDSs)


An IDS attempts to:


Detect behavior that exploits known vulnerabilities


Detect behavior that might exploit some class of unknown
vulnerabilities


Detect behavior that might be a precursor to an attack


IDS may attempt to:


Detect signatures of known attacks


Detect anomalous behavior


Do both


IDS’s tend to work poorly, because of the ambiguities
associated with attempts to deal with unknown attacks or
to define “normal” behavior


False positives (incorrect flagging of traffic as “evil” is
common, and makes these systems hard to use

Anti
-
virus Systems


These attempt to detect viruses (and worms),
typically distributed via e
-
mail attachments or
other forms of file transfer


Usually they are signature based, which means
they know only about previously
-
detected viruses


A network manager or user has to acquire
signature list updates periodically, or become
vulnerable to newer viruses


These can be effective if properly managed, but
people are sloppy, and virus writers are prolific

Anti
-
spam Technology


The problem with spam is that it is impossible to
distinguish from legitimate mail, in the worst case


Some anti
-
spam technology works on signatures,
like anti
-
virus technology, but it is not very
effective because spam generation software does
not focus on software vulnerabilities, like viruses


Some anti
-
spam technology is based on Baysean
filters (probabilistic measures), but it too is subject
to false positive/false negative tuning problems


Spam is of value to its senders primarily because
users are greedy or naïve; solving this is NOT a
technical problem

Penetration Testing


This is an approach used by many enterprises, but
rarely by individual users


At the low end it is automated, mostly a patch
check on end systems and a firewall filer rules
check


At the high end one pays “experts” to try to break
into your system(s)


The low end is useful as a form of external
checking re good housekeeping


The high end is very expensive

Centralized Patch Management


The notion here is to enable an IT organization to
check the status of end systems and to patch them
before the systems are successfully attacked


Vendors like Cisco and Microsoft offer this as a
service, part of “admission control” to a LAN


This is another form of “good housekeeping”
checking, on a more frequent basis


It is analogous to low end penetration testing, a
form of centrally managed anti
-
virus updating


BUT, an already
-
compromised system can avoid
detection if the attacker is clever

Anti
-
DoS Technology


Denial of service attacks seek to make resources
unavailable, typically through overloading network access
lines with lots of traffic


The problem is that it is hard to tell good traffic from bad
traffic out in the Internet (vs. at an end system)


Some systems try to look at traffic flows and discard
packets if the flow to a given destination is “too high”
BUT, good traffic is often discarded as well as bad!


We know that some DoS hackers have thousands of
“zombie” systems available to them, dispersed over the
Internet, to launch attacks, which makes it almost
impossible to counter such attacks without causing
problems for legitimate users as well

Abstraction and Attacks


One strategy for an adversary is to attack below
the layer of abstraction at which security measures
are defined, or via ill
-
defined interfaces


Complex applications and operating systems like
Windows have many ill
-
defined interfaces


Security measures implemented in applications (or
middleware) embody high levels of abstraction


The trend is to create more opportunities for an
attacker as we use more complex, high level
application development environments, e.g., web
services

Security in Products:

Functionality vs. Assurance



Security functions
: usually visible, security
-
relevant features that provide the means by which
security is invoked and managed


Security assurance
: often invisible means by
which one develops confidence in the correct
operation of security features


Many products now advertise lots of security
functions (because today, security sells), but the
products offer little or no assurance!

Security Assurance


Product security assurance techniques


penetration testing


detailed code review


use of formal specifications


security evaluation criteria


Unfortunately, these techniques are either very
expensive or very haphazard


As a result, we have few products for which we
have a good idea of their security quality

Security & Privacy: A Quick Look


Security


Accountability


Uniform identification


Extensive auditing


Correlation of audit data


Centralized management


Mediated access to all
data




Privacy


Anonymity


Use of diverse identifiers


Limited data collection


No sharing of records


Distributed autonomy


Mediated access to
records that affect
privacy


Security and privacy need not be in conflict,
but it takes a lot of effort to balance the two

Conclusions


Internet security is hard because:


Its hard to counter unknown vulnerabilities in products


Even security products themselves often have unknown
vulnerabilities


The utility of an IDS is limited by feature rich
environments


Most CIOs can’t even track all the systems in their nets


There is no methodology for designing a secure system
from secure components (and we have few secure
components anyway)


Abstraction favors the adversary


Some problems (e.g., spam) are not technical in nature


People are sloppy, greedy, and sometimes naïve

Questions