CIT 380: Securing Computer Systems Security Solutions

CIT 380: Securing Computer Systems

Security Solutions

Threat: Your Adversaries

• Youthful attackers• Organized crime• Terrorists• Governments• The competition• Hacktivists• Hired guns

Threat: Your Adversaries

• Disgruntled employees• Clueless employees• Customers• Suppliers• Vendors• Business partners• Contracts, temps, consultants

Threat Perspective

• “However, just as you don’t want to underestimate the threats that you face, neither do you want to overestimate them.” Counter Hack Reloaded page 10

Threat Assessment

• “You must sit down and carefully evaluate which threats would be motivated to go after your organization, tally the tangible and intangible value of the assets you have to protect, and then deploy security commensurate with the threat and the value of your systems and information.”

• Counter Hack Reloaded page 11

CIT 380: Securing Computer Systems Slide #6

How to evaluate security solutions?

1. What assets are you trying to protect?2. What are the risks to those assets?3. How well does the security solution mitigate

those risks?4. What other risks does the security solution

cause?5. What costs and trade-offs does the security

solution impose?


Aspects of Risks

To evaluate a risk, we need to evaluate both:– Probability of risk occurring.– Cost incurred by risk if it occurs.

Minimize product of probability and cost.

Aspects of Risks

Risks are impacted by environment.– Building a house in a flood plain incurs additional

risks beyond that of house itself.– Similarly, installation and configuration options

impact risk of software systems.



Security is a matter of Trade-offs

Security is only one of many system goals:• Functionality• Ease of Use• Efficiency• Time to market• Cost• Security


Cost-Benefit Analysis

Is it cheaper to prevent violation or recover?– Cost of good network security:• Money, time, reduced functionality, annoyed users.• Large and ongoing.

– Risks of bad network security:• Angry customers, bad press, network downtime.• Small and temporary.


Airport SecurityLet’s consider the issue of airport security again from

the standpoint of what we’ve learned. Develop a solution, keeping the 5 questions in mind:

Airport Security

1. What assets are you trying to protect?2. What are the risks to those assets?3. How well does the security solution mitigate

those risks?4. What other risks does the security solution

cause?5. What costs and trade-offs does the security

solution impose?



Human Issues: People Problems

Social engineering– Kevin Mitnick testified before Congress “I was so

successful in that line of attack that I rarely had to resort to a technical attack.”

Circumvention– Users write down passwords, leave screens

unlocked.

Insider attacks


Human Issues: OrganizationsLow priority– Security costs, but doesn’t produce income.– Lack of liability reduces costs of bad security.

Variable impact– Cost of security violation highly variable.– Insurance converts variable risk to fixed cost, but

risk too variable for much involvement so far.

Human Issues: Organizations

Power and responsibility– Personnel responsible for security often don’t

have power to enforce security.



Security: Laws and Customs

Are desired security measures illegal?– cryptography export before 2000– is it legal to monitor security breakins?– international commerce

Will users circumvent them?– writing down passwords– removing file ACLs


Security Liability

Product liability:– Tires: Continental recalled Ford SUV tires in 2002

due to wire and vibration problems.– Software: Manufacturer not liable for security

flaws.

Since Microsoft isn’t liable for Windows security failures, why would they want to sacrifice money, time, functionality, and ease of use for security?


Assumptions

• Security rests on assumptions specific to type of security required and environment.

Assumptions

• Example: – TCP/IP designed for pre-commercial Internet.• Assumed only legitimate administrators had root

access.• Trusted IP addresses, since only root can set IP address.• What happens to network when Windows 95 systems

added to network, where desktop user has all privileges?



Assurance

How much can you trust a system?Example:– Purchasing aspirin from a drugstore.– Bases for trust:• Certification of drug by FDA.• Reputation of manufacturer.• Safety seal on bottle.


How much do you trust? Ken Thompson’s compiler hack from

“Reflections on Trusting Trust.”– Modified C compiler does two things:• If compiling a compiler, inserts the self-replicating

code into the executable of the new compiler.• If compiling login, inserts code to allow a backdoor

password.

How much do you trust?

– After recompiling and installing old C compiler:• Source code for Trojan horse does not appear

anywhere in login or C compiler.• Only method of finding Trojan is analyzing binary.



Key Points• Components of security– Confidentiality– Integrity– Availability

• States of information– Storage, Processing, Transmission

• Evaluating risk and security solutions.– Security is a matter of trade-offs.

• Security is a human problem.

Discussion: Gas Drive Away Without Paying

• What measures can be imposed?• What are the costs for the merchant and the

customer?• Do the benefits outweigh the costs?


References1. Ross Anderson, Security Engineering, Wiley,

2001.2. Matt Bishop, Introduction to Computer Security,

Addison-Wesley, 2005.3. Peter Neumann, (moderator), Risks Digest,

http://catless.ncl.ac.uk/Risks/4. Bruce Schneier, Beyond Fear, Copernicus Books,

2003.5. Ken Thompson, “Reflections on Trusting Trust”,

Communication of the ACM, Vol. 27, No. 8, August 1984, pp. 761-763 (http://www.acm.org/classics/sep95/)

Documents

CIT 380: Securing Computer Systems Security Solutions