A Model for When Disclosure Helps Security: What is Different About Computer & Network Security?
Peter P. Swire
Ohio State University
George Mason CII Conference
June 11, 2004

Framing the Project
- My background in privacy
  - Data spreads rapidly and widely
  - Scott McNealy: “You have zero privacy. Get over it.”
- My current research in security
  - Data spreads rapidly and widely
  - “You have zero secrecy. Get over it.”
  - Is that right? When does secrecy help security?

Is Secrecy Dead?
- A paradox
- Open Source mantra: “No Security Through Obscurity”
  - Secrecy does not work
  - Disclosure is virtuous
- Military motto: “Loose Lips Sink Ships”
  - Secrecy is essential
  - Disclosure is treason

Overview
- A model for when each approach is correct -- assumptions for the Open Source & military approaches
- Key reasons computer & network security often differ from earlier security problems
- Relax the assumptions
  - Insights from the Efficient Capital Markets Hypothesis literature for efficiency of computer attacks

I. Model for When Disclosure Helps Security
- Identify chief costs and benefits of disclosure
  - Effect on attackers
  - Effect on defenders
- Describe scenarios where disclosure of a defense likely to have net benefits or costs

Open Source & Disclosure Helps Defenders
- Attackers learn little or nothing from public disclosure
- Disclosure prompts designers to improve the defense -- learn of flaws and fix
- Disclosure prompts other defenders/users of software to patch and fix
- Net: Costs of disclosure low. Benefits high.
- [I am not taking a position on proprietary v. Open Source – focus is on when disclosure improves security]

Military Base & Disclosure Helps Attackers
- It is hard for attackers to get close enough to learn the physical defenses
- Disclosure teaches the designers little about how to improve the defenses
- Disclosure prompts little improvement by other defenders.
- Net: Costs from disclosure high but few benefits.

Effects of Disclosure
[Figure: chart with horizontal axis "Help Attackers" (Low to High) and vertical axis "Help Defenders" (Low to High). Labels: Open Source; Military/Intelligence.]

Effects of Disclosure -- II
[Figure: chart with horizontal axis "Help Attackers" (Low to High) and vertical axis "Help Defenders" (Low to High). Labels: Military/Intelligence; Open Source.]

Effects of Disclosure -- II
Open Source Information Sharing
Public Domain Military/Intelligence

II. Why Computer & Network Security Often Differs
- Hiddenness & the first-time attack
- “Uniqueness” of the defense
- Computer/network security and “no security through obscurity”
  - Firewalls
  - Software programs
  - Encryption algorithms

The First-Time Attack
- A weak defense often succeeds against the first attack
  - Pit covered with leaves & first attack
  - More realistically, hidden mines
  - By 2d or 10th attack, it does not work

“Uniqueness” of the Defense
- E: initial effectiveness of a defense
- N: number of attacks
- L: learning by defenders from an attack
- C: communication to other defenders
- A: alteration by the next attack
  - Designers learn how to fix (the patch)
  - Other defenders install the patch
- Example of placement of hidden pit/mines

Low Uniqueness Common for Computer & Network Security
- Firewalls
  - High N, L, C & A
  - Even unskilled script kiddies can get in
  - Secrecy about a flaw will likely not work
  - Disclosure of vulnerability may prompt designers to fix and firewall owners to install the patch

Mass-market Software
- Mass-market software
  - High N, L, C, & A
  - Secrecy about a flaw will likely not work
  - Disclosure of vulnerability may prompt designers to fix and software users to install the patch

Encryption
- “Hidden writing” and the birthplace of openness about algorithms
- High L, C, & A; very high N on the Net
- Kerckhoffs’ theorem -- the cryptosystem should assume openness but the key should remain secret

Network/Computer Security
- Enlargement of the Public Domain
  - Search engines and the Net
- Attackers have higher C, so lower costs if decide to disclose
- Designers and other defenders learn more quickly, so higher benefits if decide to disclose
- Open Source paradigm more likely to apply than for traditional, physical attacks

III. Relaxing the Assumptions
- Other results in the paper about deterrence, surveillance, etc.
- Now, critique assumption that attackers already know about vulnerabilities
- Idea: Open Source paradigm implicitly assumes strong or semi-strong ECMH
- But, argument for

Analogy to ECMH
- Idea: Open Source paradigm implicitly assumes strong or semi-strong ECMH
- ECMH: quickly get to efficient outcome where outsiders/traders exploit available information
  - Information about the company will be used by traders
- Open Source: quickly get to outcome where outsiders/attackers exploit available information
  - Information about the defense will be used by attackers

ECMH in the Academy Today
- Previously, many economists accepted ECMH; today, less faith in it
- My claim is that efficiency is less for attackers discovering vulnerabilities
  - Modern software large, so N per line of code may be low
  - Security efforts, so bugs/line of code down
  - “Bug hunters” say each vulnerability can be costly to discover

Physical & Cyber Security
- Defend the buried pipeline
  - Hard for attackers to learn the key vulnerable point
  - Expensive to rebuild pipeline once in place
  - Vulnerabilities often unique
- Defend the software
  - Easy for attackers to learn of vulnerability (warez & hacker sites)
  - Relatively inexpensive to patch & update
  - Vulnerabilities often large scale/mass market

Effects of Disclosure
[Figure: chart with horizontal axis "Help Attackers" (Low to High) and vertical axis "Help Defenders" (Low to High). Labels: Open Source; Physical facilities; 1. Military/Intel; 2. Physical facilities.]

What Makes Cyber Attacks Different?
- A key concept: the first-time attack
- The first time, defenders have the advantage:
  - Simple tricks can foil the attack
  - Attackers have not learned weak points
- On attack #1000, attackers have the edge:
  - They avoid the established defenses
  - They learn the weak points
- Computer scientists: “Instance” helps the defense

What Is Different for Cyber Attacks?
- Many attacks
  - Each attack is low cost
  - More costly to find out location of machine guns
- Attackers learn from previous attacks
  - This trick got me root access
- Attackers communicate about vulnerabilities
- Because of attackers’ knowledge, disclosure often helps defenders more than attackers for cyber attacks

Conclusion
- I am proposing a basic model for when disclosure helps security
  - Disclosure helps defenders? Attackers?
  - Explains reasons for less disclosure of vulnerabilities for military, intel, & physical
  - Explains reasons for greater disclosure for many software and computer system settings
- Other reasons to consider disclosure or not
  - FOIA/accountability
  - Privacy/confidentiality
- Have an intellectual framework for proceeding