Security Implications of Future Networking and Communications Systems
Presented to: IEEE GlobeCom 2005, St. Louis, MO, December 1, 2005
Joan Woodard, Ph.D., Executive Vice-President, Sandia National Laboratories
Some Characteristics of Future Networking and Communication Systems
More information, accessed and processed faster
Increased use of reconfigurable logic (soft hardware) rather than “ASICs” or software
Quantum Information Technology
–will improve cryptanalysis
–improve encryption techniques
–bring new challenges for communication systems
More malicious code attacks
Sandia is working to improve our posture in all of these areas.
Shocking Facts about Information Security
SCADA Attack
–Malicious code implant caused rupture of a gas pipeline in Siberia, the largest non-nuclear explosion on record, 1982
NIPRNET Attack
–SuperSlammer worm infected 60% of NIPRNET computers in eight minutes.
Nuclear Power Plant Attack
–A recent worm infected the business network at Ohio’s Davis-Besse nuclear power plant and spread to the process control network (fortunately off-line at the time).
Botnet Attack
–Used for Denial of Service
–Potentially used for criminal activity
Our reliance on Information and Information Technology is inconsistent with our ability to protect it.
Two general approaches to address this problem
Lower our dependence on information and information technology
Improve our ability to protect information and information technology
How do we lower our dependence on secure information?
To the extent that we can minimize reliance on information in new system designs, we should. However, in general we expect our dependence on information to grow.
How do we improve our ability to protect information and information systems?
A: Improve basic processes
B: Improve system protections
–Technological
–People
C: Improve high assurance methods
D: Improve modeling/simulation
A: Improve Basic Processes
Define security processes for:
–Identifying information that is sensitive to unauthorized disclosure, modification, denial of service, and misuse
–Identifying those authorized for disclosure, modification, and reconfiguration (denial) of service
–Preventing unauthorized access, monitoring use, and responding appropriately
–Accrediting information systems for protection of the assets they contain
Assessment & Red Teaming Based on Threat Analysis
Attack graphs are used to understand options from a threat perspective.
Red Team & Assessment: the Adversarial Modeling Process is used to refine the definition of the threat.
B: Improve System Protections (Technological)
Use a well-founded Risk Assessment Methodology*:
–Identification of threats to specific assets
–Map protections to these “threat-asset pairs”
–Analyze “residual risk”
–Iterate to achieve “acceptable” risk
(Better metrics will improve this process…)
Better Protection Technology
–better encryption
–better configuration control
–better access control
–applying system of systems …
–other technologies
*For example: “A Security Methodology for Computer Networks”, L. G. Pierson and E. L. Witzke, AT&T Technical Journal, May-June 1988
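The four-step methodology above worked through in Python, as an added example that is not from the slides or the cited paper: threats are paired with assets, each protection removes a fraction of the likelihood for the pairs it covers, the residual risk is the expected loss that remains, and protections are added by risk reduction per unit cost until the total falls to the acceptable level. All assets, threats, probabilities, costs and effectiveness figures are constructed.

```python
from collections import namedtuple

# likelihood: annual probability the attack succeeds with no protection in place; impact: loss if it does
ThreatAssetPair = namedtuple("ThreatAssetPair", "threat asset likelihood impact")
# effect: {(threat, asset): fraction of that pair's likelihood removed by this protection}
Protection = namedtuple("Protection", "name cost effect")

def residual_risk(pairs, protections):
    """Expected annual loss remaining once the given protections are applied
    (the 'residual risk' step). Reductions on the same pair compound multiplicatively."""
    total = 0.0
    for pair in pairs:
        likelihood = pair.likelihood
        for prot in protections:
            likelihood *= 1.0 - prot.effect.get((pair.threat, pair.asset), 0.0)
        total += likelihood * pair.impact
    return total

def iterate_to_acceptable(pairs, candidates, acceptable):
    """Iterate: add the candidate with the largest risk reduction per unit cost until
    residual risk is at or below the acceptable level, or no candidate reduces it further.
    Returns (chosen protections, residual risk, total cost)."""
    chosen, remaining = [], list(candidates)
    current = residual_risk(pairs, chosen)
    while current > acceptable and remaining:
        gain = {p.name: (current - residual_risk(pairs, chosen + [p])) / p.cost for p in remaining}
        best = max(remaining, key=lambda p: gain[p.name])
        if gain[best.name] <= 0:
            break                    # the remaining options do not touch the residual risk
        remaining.remove(best)
        chosen.append(best)
        current = residual_risk(pairs, chosen)
    return chosen, current, sum(p.cost for p in chosen)

# Constructed sample: two networks, three threat types, four candidate protections.
PAIRS = [
    ThreatAssetPair("malware", "control-network", 0.30, 1_000_000),
    ThreatAssetPair("insider", "control-network", 0.05, 1_000_000),
    ThreatAssetPair("malware", "business-network", 0.60, 100_000),
    ThreatAssetPair("dos", "business-network", 0.40, 50_000),
]
CANDIDATES = [
    Protection("anti-malware", 15_000, {("malware", "business-network"): 0.7, ("malware", "control-network"): 0.3}),
    Protection("network-segmentation", 50_000, {("malware", "control-network"): 0.8}),
    Protection("least-privilege", 20_000, {("insider", "control-network"): 0.5, ("malware", "business-network"): 0.2}),
    Protection("dos-filtering", 30_000, {("dos", "business-network"): 0.9}),
]
```

With an acceptable level of 110,000, the iteration stops after three protections (85,000 spent, about 101,400 residual) and leaves DoS filtering out; lowering the target forces the fourth purchase.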
Better Protection Technology
High Speed Encryption
Communication Security Protocols
1996 R&D 100 Award: Scaling Encryption
B: Improve System Protections (People)
Better personnel assurance
–Principle of Least Privilege
–Minimize insider threat
–Design in “deterrence”
–Practice “Need-to-Know”
–Security-conscious users report anomalies
C: Improve High Assurance Methods
Today’s computers are designed to execute any arbitrary program (even malicious ones)
Build “inherent security” into systems from the start, rather than “bolting it on later”
Need trusted systems built from trusted and untrusted components (composed from “COTS” elements)
–Trusted Computing Group (TCG)
–Microsoft’s Next Generation Secure Computing Base (NGSCB)
D: Improve Modeling/Simulation
Detect unknown vulnerabilities
–Current stand-alone SCADA systems are being replaced with Internet-connected ones
–More people have access
–Disruptions can be caused by hackers who have no training in control systems engineering
–Use of the Internet exposes SCADA systems to all the inherent vulnerabilities of interconnected computer networks that are currently being exploited by hackers, organized crime, terrorist organizations, and nation states. Especially vulnerable is the electric power grid.
–Complex systems
–Interconnected infrastructures
–Cascading failures
D: Improve Modeling/Simulation
System Dynamics Modeling
Characteristics
–Based on stocks and flows of infrastructure goods, commodities, and finances
–Performs quick simulations and analyses of aggregate, dynamic infrastructure interactions
–Provides a systems-wide view of infrastructure operations, including interdependency effects
Uses
–Quantified consequences for evaluating risks
–Limiting factors under different ambient conditions, hypothetical events, policies
–Effects of alternatives, pathways, redundancies, and inventories
–Potential magnitude, location and timing of disruptions that propagate to other infrastructures and regions
–Positive and negative feedbacks from interdependencies and their net effect on the supply/demand balance
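A minimal stock-and-flow model of the cascading failure named in the two Modeling/Simulation slides, as an added Python example that is not Sandia's model or code: gas storage is the stock, pipeline supply and deliveries are the flows, gas-fired generation depends on gas, and pipeline compressors depend on grid power, so a supply outage can feed back on itself. The infrastructures, coefficients, outage and the backup-power redundancy are constructed for illustration.

```python
def simulate(steps, disruption, backup_power=0.0, storage=40.0, capacity=200.0,
             supply=100.0, demand=100.0, compressor_need=0.4):
    """Constructed stock-and-flow model of two interdependent infrastructures.
    Stock: gas in storage. Inflow: pipeline supply (zero during the disruption steps).
    Outflow: gas delivered, limited by compressor throughput. Gas-fired generation
    serves the fraction p = delivered/demand of electric demand, and the compressors
    run at full throughput only while p >= compressor_need (else proportionally);
    backup_power is the throughput they keep without grid power (a redundancy).
    Returns a list of (step, delivered, power_fraction, storage)."""
    history, p = [], 1.0
    for t in range(steps):
        inflow = 0.0 if t in disruption else supply
        throughput = max(min(1.0, p / compressor_need), backup_power)
        delivered = min(storage + inflow, demand) * throughput
        storage = min(capacity, storage + inflow - delivered)
        p = min(1.0, delivered / demand)
        history.append((t, delivered, p, storage))
    return history

def recovery_step(history):
    """Step at which electric service is fully restored after the first shortfall,
    or None if the shortfall persists to the end of the run (a cascading failure)."""
    shortfall = False
    for t, _delivered, p, _storage in history:
        if p < 1.0:
            shortfall = True
        elif shortfall:
            return t
    return None

if __name__ == "__main__":
    outage = {1, 2, 3}            # constructed: pipeline supply lost for three steps
    for backup in (0.0, 0.5):
        hist = simulate(8, outage, backup_power=backup)
        print(f"backup_power={backup}: recovery at step {recovery_step(hist)}")
        for t, delivered, p, stock in hist:
            print(f"  t={t} delivered={delivered:6.1f} power={p:4.2f} storage={stock:6.1f}")
```

Without backup power the compressors never restart once the grid is down, so storage refills to capacity while no gas is delivered; with half-capacity backup the system is back to full service two steps after supply returns, which is the kind of redundancy effect the slide lists as a use of the model.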
How do we protect against loss of physical assets (today)?
Passive protection (fortification (concrete), disguise/hide)
Armed guards and legal authority to use lethal force
Monitoring/response (video cameras, sensors, response force)
Insurance (measured value, characterized threat, risk management)
Investigation (was there a theft? What was its value? Who did it?)
Deterrence?
Information assets differ from physical assets
Can be given away and still kept
Can be stolen and not missed
Can be distributed almost instantly
Cannot easily tell if it is authentic or not
Complexity (system of systems)
Forensics
How do we protect against loss of information assets today?
Passive protection (firewall functions, proxy devices, encryption, etc.)
–Basic problem is discrimination between good and bad, authorized and unauthorized access
Posting guards (N/A)
Monitoring/response (computer intrusion detection systems and pagers to summon a system manager)
Insurance (backups protect against data corruption and system failure, but data valuation and threat characterization are hard)
Investigation (logs and digital forensics tools, but complexity, large data volumes, and lack of computer awareness make this hard)
Hard to determine how much security is enough
How to balance physical protective systems and cyber protective systems in order to minimize risk and minimize overall cost for both protective systems?
Future View/Future Threat
For example, game-changing technologies
Composing trusted systems from both trusted and untrusted components
Solutions for broad classes of problems rather than individual cases
Methods of detecting unknown malicious code rather than known
More sophisticated threat with a wider range of access points (wireless laptops, PDAs, cell phones, etc.)
How much is enough?
[Chart: Risk versus Investment, by Threat Level. Threat levels, from Unskilled/Unorganized to Skilled/Organized: User, Hacker, Hacker Coalitions, Organized Crime, Terrorists/Nation State. Labels: Security Policy, Implementation, Enforcement, Auditing; Total Systematic Risk; Security Engineering and Intelligence Function; Non-Systematic Threats; Mitigation for specific threats; Acceptable Risk Region.]
Technologies that will “change the game”
Reconfigurable Logic (soft hardware) is replacing ASIC technology in many markets… we will require new techniques to assure these devices are configured and maintained as intended (without introduction of “malware”, just as we have virus checkers, etc. today for software)
Tamper-Resistant Cryptographic Authentication of hardware and software (continuously, as programs are executing) will turn low assurance systems into high assurance systems.
Quantum Information Technology will improve cryptanalysis (rendering some encryption techniques obsolete) and also improve encryption techniques (introducing new challenges for communication systems, especially in long haul telecommunications).
Tamper-Resistant Cryptographic Authentication
Problem: Current computing architectures are “inherently insecure” because they are designed to execute ANY arbitrary sequence of instructions and are therefore subject to subversion by malicious code.
Goal: Produce a cryptographic method of “tamper-proofing” code over a large portion of the software/hardware life cycle by decrypting/authenticating each instruction within the CPU.
Accomplishments: Demonstrated “shrink-wrapping” of applications running in a reconfigurable processor and now increasing cryptographic protection. Initial “security analysis” completed. Next step would incorporate chip-level physical tamper-proofing techniques and apply them to specific applications.
[Figure: Cryptographically Enabled CPU; Protected Volume (Trusted Facility)]
*“Secure Computing using Cryptographic Assurance of Execution Correctness”, in Proceedings, 2004 International Carnahan Conference on Security Technology
Scope of Protection in the Software Lifecycle: Security Analysis
Objective: Protect against introduction of malicious code over a large portion of the software life cycle
[Figure: life cycle stages Requirements, Design, Code, Compile, Package, Distribute, Install, Execute (Load, Fetch, Decode), with an “exploit” marker]
Quantum Information Technology
Security of current key exchange systems is based on the inability to factor large numbers*
A quantum computer is inherently well suited to this problem (Shor’s algorithm provides exponential speedup)
–May threaten security of current cryptosystems
Recent physics experiments have demonstrated feasibility of the QC concept on a small scale (few qubits) (from D. P. DiVincenzo, Quant. Inf. Comp. 1 (Special), 1 (2001))
Quantum Cryptography (quantum encoding for secrecy) will improve this situation -- currently slow, short distances, not applicable to storage
*Bouwmeester, et al., The Physics of Quantum Information
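The reduction behind that threat, as an added Python example that is not from the slides or the cited references: Shor's algorithm finds the multiplicative order r of a base a modulo N, and the purely classical steps below turn that order into a factor of N. Here the order is found by brute force so the reduction runs on small N; that search is exactly the step a quantum computer performs with exponential speedup, and it is the only slow part.

```python
from math import gcd

def order_mod(a, n):
    """Multiplicative order of a modulo n: the smallest r > 0 with a**r % n == 1.
    This brute-force search is the step a quantum computer replaces (Shor's
    period finding); it is the only exponentially slow part of the method."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r

def shor_classical(n, bases=None):
    """Classical half of Shor's algorithm. Returns a non-trivial factor of the
    odd composite n, or None if every tried base fails (a random base succeeds
    with probability at least 1/2 when n is not a prime power)."""
    if n % 2 == 0:
        return 2
    for a in (range(2, n) if bases is None else bases):
        g = gcd(a, n)
        if g != 1:
            return g                 # a already shares a factor with n
        r = order_mod(a, n)
        if r % 2:
            continue                 # odd order: no useful square root of 1
        y = pow(a, r // 2, n)        # y*y % n == 1 by construction
        if y == n - 1:
            continue                 # trivial root -1: try another base
        return gcd(y - 1, n)         # y != +-1, so y-1 shares a factor with n
    return None

def factor(n):
    """Split n into two factors using the reduction above, or None on failure."""
    f = shor_classical(n)
    return tuple(sorted((f, n // f))) if f else None
```

Base 14 modulo 15 is one of the failing cases (its order is 2 and 14 is -1 mod 15), which is why the algorithm is repeated with fresh random bases.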
Trusted systems from trusted & untrusted components
Certification of highly trusted COTS elements
Need methodology to combine trusted and less trusted components so as to improve the security of an infrastructure
Goal: Increase infrastructure security, reduce cost of security
[Figure: Virtualized Architecture. Improve security of infrastructure composed of trusted and less trusted components.]
Current Situation
Current computing architectures are “inherently insecure” -- they are designed to execute ANY arbitrary sequence of instructions.
–Need to modify computing architecture
–Achieve modification by incorporating encryption and authentication into the fetching of the instruction stream
–Careful revision of computing architecture can accomplish this while preserving huge investment in software/hardware infrastructure
–First applications will be “high consequence” ones that can sustain the performance degradation of the cryptographic overhead
–Combine these more trusted components with less trusted components to achieve a more secure infrastructure at manageable cost.
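A Python model of the authenticated instruction fetch described on the Tamper-Resistant Cryptographic Authentication slide and in the Current Situation slide above, added here as an example that is not Sandia's design or code: each instruction is encrypted and tagged when the program is packaged, the tag is checked inside the "CPU" before decode, and execution stops at the first word that fails. The toy instruction set, the HMAC-based cipher and tag sizes, and the key handling are constructed for illustration.

```python
import hmac, hashlib, struct

LOAD, ADD, JMP, HALT = 1, 2, 3, 4        # constructed toy ISA: (opcode, operand) packed into 4 bytes
class TamperedInstruction(Exception): pass

def _keystream(key, addr):
    # Per-address keystream for the toy cipher (HMAC as a PRF; a real design would use a block cipher)
    return hmac.new(key, b"enc" + struct.pack(">I", addr), hashlib.sha256).digest()[:4]

def _tag(key, addr, ct):
    # The tag covers the address, so an authentic instruction cannot be moved or replayed elsewhere
    return hmac.new(key, b"mac" + struct.pack(">I", addr) + ct, hashlib.sha256).digest()[:8]

def seal_program(key, program):
    """Encrypt and authenticate every instruction when the program is packaged
    (the 'shrink-wrap' step). Returns the protected image as a list of (ct, tag)."""
    image = []
    for addr, (op, arg) in enumerate(program):
        ct = bytes(a ^ b for a, b in zip(struct.pack(">HH", op, arg), _keystream(key, addr)))
        image.append((ct, _tag(key, addr, ct)))
    return image

def fetch(key, image, pc):
    """Fetch stage: the tag is checked before the word reaches decode; a failure
    halts the machine instead of executing the unauthenticated instruction."""
    ct, tag = image[pc]
    if not hmac.compare_digest(tag, _tag(key, pc, ct)):
        raise TamperedInstruction(f"authentication failed at address {pc}")
    return struct.unpack(">HH", bytes(a ^ b for a, b in zip(ct, _keystream(key, pc))))

def run(key, image, max_steps=100):
    """Execute the sealed image until HALT and return the accumulator."""
    acc, pc = 0, 0
    for _ in range(max_steps):
        op, arg = fetch(key, image, pc)
        if op == LOAD:   acc, pc = arg, pc + 1
        elif op == ADD:  acc, pc = acc + arg, pc + 1
        elif op == JMP:  pc = arg
        elif op == HALT: return acc
    raise RuntimeError("step limit reached")

def first_bad_address(key, image):
    """Audit an image as the fetch stage would: address of the first failing tag, or -1."""
    for pc, (ct, tag) in enumerate(image):
        if not hmac.compare_digest(tag, _tag(key, pc, ct)):
            return pc
    return -1

KEY = b"constructed-per-program-key"   # in the real design the key would never leave the CPU boundary
PROGRAM = [(LOAD, 5), (ADD, 7), (JMP, 4), (ADD, 1000), (HALT, 0)]   # the JMP skips the ADD 1000
```

Flipping one ciphertext bit at address 2, or copying the authentic word from address 3 into address 2 so the skipped ADD would run, both fail the check at fetch time rather than executing.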
Technical Problem
Problem: Current methods of enforcing security policy depend on security patches, anti-virus protections, and configuration control in the end user’s computer at ever increasing intervals.
Goal: To “harden” computer infrastructure with a combination of high assurance and low assurance (and higher performing) components, at a lower cost than replacing the entire infrastructure with high assurance components.
[Figure: Infrastructure Security versus Required Security Personnel, Current Methodology compared with the Scalability Goal. Improve security of infrastructure composed of trusted and less trusted components.]
Challenges to Industry
“Sell security” (insert “inherently secure” requirements into business model)
–Assure vs “Assure Against”
–Security vs time-to-market
»vs cost
»vs ease of use
»vs information richness
–Collective Security vs Personal Autonomy
Adopt security methodology countering “incremental security”
Human factors engineering
Challenges to Research Community
Focus on cyber security technology
Increase government and academic partnerships
Challenges To All
Facilitate information sharing on threats, vulnerabilities
Concluding Thoughts
Systems are increasingly complex and interconnected
Threat is becoming more sophisticated
New technologies will impact security
The attackers are far ahead of the defenders
Paradigm shift: We need a quantum leap in security by designing inherently secure information systems.