Computer Security What it is, where it’s going

Mark Ryan Based on slides by Nicolas Courtois

What is security?

Definition 1

Security: protect values.

What values ? ALL !

Security: protect values What values? •  Money [economic security] But NOT ONLY MONEY. •  Life and the quality of life.

•  Privacy is a value in itself. •  Good technologies vs. bad ones •  Freedom, justice, etc…

Security: Definition 2.

asset holder

Security ≥ Safety

Difference: protect against intentional damages...

Notion of an Attacker / Adversary. Notion of an Attack.

**Dimensions of Security

•  Physical vs. Logical

•  Psychological / Human vs. •  Organizational / Business

very different!

Security on one slide

Computer security: another def

What is security ? Inability to achieve: 1.  Adversarial goal (security against what)

2.  By means of: money, human resources, computing power, memory, risk, expertise, etc.. (resources of the adversary)

3.  Access to the system.

Main Goals:

• Confidentiality •  Integrity • Authenticity

Availability Accountability

Why is security hard?

Computer Industry and Security

Science background:

Tech Background: “Industry Standards” such as:

•  Intel CPU and Chipset, •  RAM and hard drives, •  C language, •  UNIX / Windows •  TCP/IP, •  HTTP, •  TLS,

Computer Industry and Security

Science background: • What technology “enablers”(computers) and “disablers” (cryptology,HWSec) can/cannot achieve? • How to define / classify security problems and find “good” solutions

Computer Industry and Security

Social-econ background: things exist for a reason. “Nice or unpleasant” facts of life: • software/hardware economics:

• which industry dominates which • free market triumphs and disasters

• stupid humans that cannot be bothered to obey the policy… • bureaucratic organisations that just cannot get their best interest(?) right • nobody is buying/using the wonderful(?) technology academics/companies are creating, adoption barriers • theory vs. practice • crime war terrorism… • laws / regulations • etc…

insecure rubbish!

The Product Development cycle ☺

Science background:

everything ends up here rapid obsolescence

Attackers

Vocabulary Attacker / Adversary / Threat Agent

Who are the attackers? •  Bored teenagers, •  Petty criminals to organized criminals, •  Foreign states, •  Industrial spies, •  Disgruntled employees, •  Competitors, •  Researchers, •  Terrorists, •  …

Attacker means •  Software vulnerabilities

– Buffer overflow attacks –  Insecure direct object references – SQL injection attacks – Javascript attacks (e.g., XSS) – Broken authentication, access control, and

session mgt •  Security misconfiguration

Attacker means continued •  Social engineering

– Phishing attacks •  Traffic interception (e.g. wireless) •  Hardware/physical attacks •  Ingenuity, hard work, good luck, brute

force

Attacker motivation •  Profits and other benefits

– Crime business, – Promoting legal security business,

•  Political activism, terrorism •  Enjoyment, fame, ego •  Development of science and offensive

technology: – University researchers, (good/bad) – Security professionals (defenders) – Professional hackers, pen testers, etc…

Recent Trend: Rapid growth.

The industrialization of hacking: •  division of labour, clear definition of roles •  forming a supply chain •  professional management

Software vulnerabilities

Vulnerabilities in 2014

Operating systems with most vulnerabilities in 2014

CompSec and Economics

Question

Why do so many vulnerabilities exist in the first place?

Why does commercial security fail?

Claim: the link between “money” and security is frequently broken today: –  Security is a public good.

•  “private” incentives are weak. –  Worse than “market for lemons”:

•  Not only the customer cannot see the difference between good security and bad.

Frequently the manufacturer cannot either.

Too frequently security (and our safety) remains something that money cannot buy…(money seems to work for cars, and to fail for computers)

The Very Nature of Security: Bruce Schneier “Beyond Fear” book [2003], p.1:

Critical to any security decision is the notion of security trade-offs, meaning the costs – terms of money, convenience, comfort, freedoms, and so on - that inevitably attach themselves to any security system. People make security trade-offs naturally.

Many costs are intangible and hard to trade for money: Paying attention, loss of freedom & privacy, being subject to unforeseen risks and consequences etc.

the Long Tail theory

frequency

cost

Why Things Happen? Bugs… or don’t care.

•  Programming developed with absence of security. •  C/C++ is unsafe •  Security/cryptography research developed with obsession with

security. Both never met. •  Economics/business:

–  many things just don’t matter! –  customers do not see => do not care about security –  usability: user burden frustrates them.

*Risk

Risk Management = 1+2 A risk is the potential for something bad to

happen (e.g., loss of C-I-A)

1.  Measuring or/and assessing risks

2.  Developing strategies and solutions to manage risks:

•  reduce/avoid and •  handle risks

**Risk Management contd…

handle risks risk retention risk transfer

contract… hedging

(e.g. insurance) (minimise exposure by some transaction)

Residual Risk = def

what remains after defences are in place…

Defendersrelevant, though boring vocabulary..

3 Actions of Defenders

Types of Prevention

Detection and Recovery Detect •  Monitoring/logging •  Tripwire •  Anomaly analysis Recover •  Incident management •  Forensics •  Change procedures •  Install new technologies

Reasoning about security

Attack trees

Attack tree

but what about unknown attacks?

Get admin access

Abuse user account

Get Limited Access Escalate system privileges

1/10

Privilege escalation exploit #36

sub-goals refinement details

Expanded Example Get admin access

Become admin directly

Obtain legit. admin account

Obtain Sb’s credentials

login password

Abuse user account

Get user access Escalate privileges

1/100

Privilege escalation exploit #36 bribe

£1000

shoulder surfing

intercept

keyboard sniffer

1/10

guess / crack

reset

Unix Log In

Weakest Link

Security like a chain:

Get Admin Access Become admin directly Abuse user account

1/100 1/10

easier!

Defense in Depth Security is layered

Crack Password spec secrecy

cipher secrecy

password hardness

getting the pw file

Conclusion:

In complex systems, the principles of weakest link and defence in depth will occur simultaneously.

Accessing Password Database

Accessing Password Database

Stealing Data with Costs

Opening a Safe with Costs

© Bruce Schneier

Cheapest Attack without Special Equipment

© Bruce Schneier

Attack Tree for PGP © Bruce

Schneier

Reading a message sent between 2 Windows

machines with countermeasures

© Bruce Schneier

About the software development process

***IT Sec and the Military

Military vs. Commercial Military data security:

focus on secrecy, prevent leaks.

Commercial data security: integrity and authenticity:

prevent fraud.

Traditional military doctrine •  Each country has 3 frontiers:

•  land •  sea •  air, space

as a consequence they have 3 armies.

Now, we have a new frontier, the digital frontier. Shouldn’t we have a fourth army? •  Would it be totally useless and waste of money?

•  Arguably less than the 3 above (better technical education for young people).

Secrecy vs. Transparency

Open source vs. closed source

and security

Secrecy:

Very frequently an obvious business decision.

•  Creates entry barriers for competitors. •  But also defends against hackers.

Kerckhoffs’ principle: [1883]

“The system must remain secure should it fall in enemy hands …”

Kerckhoffs’ principle: [1883]

Most of the time: incorrectly understood.

It doesn’t mean that companies should disclose their designs.

•  Security when disclosed. •  Better security when not disclosed.

Yes (1,2,3,4):

1. Military: layer the defences.

Yes (2):

2) Basic economics:

these 3 extra months (and not more ")

are simply worth a a lot of money.

Yes (3):

3) Prevent the erosion of

profitability / barriers for entry for competitors / “inimitability”

Yes (4):

4) Avoid Legal Risks •  companies they don't know where their code is coming from, they want

to release the code and they can't because it's too risky! •  re-use of code can COMPROMISE own IP rights and create royalty

obligations –  cloned/stolen code is more stable, more reliable, easier to understand!

When is open source security good?

•  Cryptography –  AES, RSA, SHA256 etc, heavily tested, not yet broken –  Compare closed-source crypto

–  Oyster card, car immobilisers, broken in months

Which model is better?

Open and closed security are more or less equivalent…

more or less as secure: opening the system helps both the attackers and the defenders.

Ross Anderson: Open and Closed Systems are Equivalent (that is, in an ideal world). In Perspectives on Free and Open Source Software, MIT Press 2005, pp. 127-142.

Key Question:

Is actively researching serious security vulnerabilities socially desirable?

- Of Course Yes! …will tell you every professional hacker

and every academic code-breaker…

Bruce Schneier [14 May 2008]: Problem: A hacker who discovers one [attack] can sell

it on the black market, blackmail the vendor with disclosure, or simply publish it without regard to the consequences.

Q: […] is it ethical to research new vulnerabilities? A: Unequivocally, yes. [according to Schneier] Because: •  Vulnerability research is vital because it trains our

next generation of computer security experts. http://www.schneier.com/blog/archives/2008/05/the_ethics_of_v.html

Responsible disclosure

Researchers should disclose vulnerabilities to the system owners, and give them “reasonable time” to fix them.

especially if …these vulnerabilities are likely to be rediscovered Cf. E. Rescorla. “Is finding security holes a good idea?” In 3rd Workshop on the

Economics of Information Security (2004).

Benefits:

Disclosure creates incentives for fixing these vulnerabilities

Companies advertise bounties = rewards for finding bugs/vulnerabilities

In There a Need for More Security?

or will I have a job tomorrow?

Hegel [1770-1831], German philosopher

Increasing freedom Freedom brings new technologies ⇒ More possibilities ⇒ More security problems…

Claim: Freedom → ∞ ⇒ Security → 0

Freedom ⇒ Security issues…

Examples: •  invention of train/metro

⇒ threat of pickpockets •  car traffic

⇒ major cause of death •  invention of the internet

⇒ pirates and hackers •  Unlimited exchange of data over the internet ⇒ unlimited security problems

Critics [Schneier]

Why security it is an after-thought? “Aftermarket security is actually a very inefficient way to spend our security

dollars; it may compensate for insecure IT products, but doesn't help improve their security”.

“Additionally, as long as IT security is a separate industry, there will be companies making money based on insecurity -- companies who will lose money if the internet becomes more secure.”

Why security is not built-in? “utopian vision”

Security is difficult, expensive and takes time…

Visions [Schneier]