Introduction
Dan Fleck, CS 469: Security Engineering
These slides are modified with permission from Bill Young (Univ of Texas)
Outline
- Introduction: What is "security"?
- Why is security hard?
- Security as risk management
- Aspects of security
What does security mean?
The term "security" is used in a variety of contexts. What's the common thread?
- Personal security
- Corporate security
- Personnel security
- Energy security
- Homeland security
- Operational security
- Communications security
- Network security
- System security
What does security mean?
In the most general terms, security seems to mean something like "protection of assets against threats."
- What assets?
- What kinds of threats?
- What does "protection" mean?
- Does the nature of protection vary depending on the threat?
Security on a Personal Level
Suppose you're visiting an online retailer and need to enter personal information. What protections do you want? From what threats?
- Authentication (protection from phishing: are you really talking to the retailer?)
- Authorization
- Privacy of your data
- Integrity of your data
- Availability
- Non-repudiation
- What else?
Security on an Institutional Level
Consider the following scenarios:
- A large corporation's computer systems are penetrated and data on thousands of customers is stolen.
- A student hacks into the university registrar's system and changes his grade in several classes he has taken.
- An online retailer's website is overwhelmed by malicious traffic, making it unavailable for legitimate customer purchases.
Does this suggest why it's hard to define "security" in the context of digital systems? Each scenario violates a different property (confidentiality, integrity, availability). What are the consequences? Mitigations?
Why are Attacks Becoming More Prevalent?
- Increased connectivity
- Many valuable assets online
- Low threshold to access
- Sophisticated attack tools and strategies available
- Others?
Some Sobering Facts
- There were over 1 million new unique malware samples discovered in each of the past two quarters. Unlike the worms and mass-mailers of the past, many of these were extremely targeted to particular industries, companies and even users. (www.insecureaboutsecurity.com, 10/19/2009)
- Once PCs are infected they tend to stay infected. The median length of infection is 300 days. (www.insecureaboutsecurity.com, 10/19/2009)
Some Sobering Facts
- A recent study of 32,000 websites found that nearly 97% of sites carry a severe vulnerability. (Web Application Security Consortium, Sept 2008)
- "NSA found that inappropriate or incorrect software security configurations (most often caused by configuration errors at the local base level) were responsible for 80 percent of Air Force vulnerabilities." (CSIS report on Securing Cyberspace for the 44th Presidency, Dec. 2008, p. 55)
Why Should We Care?
"A dozen determined computer programmers can, if they find a vulnerability to exploit, threaten the United States' global logistics network, steal its operational plans, blind its intelligence capabilities or hinder its ability to deliver weapons on target." (William J. Lynn, U.S. Deputy Secretary of Defense, Foreign Affairs, 2010)
A top FBI official warned today that many cyber-adversaries of the U.S. have the ability to access virtually any computer system, posing a risk that's so great it could "challenge our country's very existence." (Computerworld, March 24, 2010)
Educate Yourself
Educating yourself about computer security can:
- enhance your own protection;
- contribute to security in your workplace;
- enhance the quality and safety of interpersonal and business transactions;
- improve overall security in cyberspace.
Outline
- Introduction: What is "security"?
- Why is security hard?
- Security as risk management
- Aspects of security
Is Cyber Security Particularly Hard?
Question: Why would security be any more difficult than most technological problems?
Answer 1: Most technology-related efforts are concerned with ensuring that something good happens. Security is all about ensuring that bad things never happen.
In security, not only do you have to find "bugs" that make the system behave differently than expected, you also have to identify any features of the system that are susceptible to misuse and abuse, even if your programs behave exactly as you expect them to. A feature working as designed can still be the attacker's way in.
What Bad Things?
Answer 2: If security is all about ensuring that bad things never happen, that means we have to know what those bad things are. The hardest thing about security is convincing yourself that you've thought of all possible attack scenarios before the attacker thinks of them.
"A good attack is one that the engineers never thought of." (Bruce Schneier)
Programming Satan's Computer
Answer 3: Unlike most technology problems, you have to defeat one or more actively malicious adversaries. Ross Anderson characterizes this as "Programming Satan's Computer." The environment in which your program is deployed works with malice and intelligence to defeat your every effort.
The defender has to find and eliminate all exploitable vulnerabilities; the attacker only needs to find one!
Easiest Penetration
Answer 4: Information management systems are a complex, "target-rich" environment comprising hardware, software, storage media, peripheral devices, data, and people.
Principle of Easiest Penetration: an intruder will use any available means to subvert the security of a system.
"If one overlooks the basement windows while assessing the risks to one's house, it does not matter how many alarms are put on the doors and upstairs windows." (Melissa Danforth)
Security Isn't the Point
Answer 5: Security is often an afterthought. No one builds a digital system for the purpose of being secure. They build digital systems to do something useful. Security mechanisms may be viewed by users and developers as a nuisance to be subverted, bypassed, or disabled.
Upshot: Perfect Security Ain't Happening
Perfect security is probably impossible in any useful system.
"The three golden rules to ensure computer security are: do not own a computer; do not power it on; and do not use it." (Robert H. Morris, former Chief Scientist of the National Computer Security Center, early 1980s)
"Unfortunately the only way to really protect [your computer] right now is to turn it off, disconnect it from the Internet, encase it in cement and bury it 100 feet below the ground." (Prof. Fred Chang, former director of research at NSA, 2009)
If Security Gets in the Way
Security is meant to prevent bad things from happening; one side effect is often to prevent useful things from happening.
Typically, a tradeoff is necessary between security and other important project goals: functionality, usability, efficiency, time-to-market, and simplicity.
Some Lessons
"He who defends everything defends nothing." (old military adage)
Security is difficult for several reasons. Since you can never achieve perfect security, there is always a tradeoff between security and other system goals.
Outline
- Introduction: What is "security"?
- Why is security hard?
- Security as risk management
- Aspects of security
Security as Risk Management
If perfect security is not possible, what can be done?
Viega and McGraw (Building Secure Software) assert that software and system security really is "all about managing risk."
Risk is the possibility that a particular threat will adversely impact an information system by exploiting a particular vulnerability.
The assessment of risk must take into account the consequences of an exploit, not only its likelihood.
Risk Management Framework
Risk management is a process for an organization to identify and address the risks in its environment.
One particular risk management procedure (from Viega and McGraw) consists of six steps:
1. Assess assets
2. Assess threats
3. Assess vulnerabilities
4. Assess risks
5. Prioritize countermeasure options
6. Make risk management decisions
Coping with Risk
Once the risk has been identified and assessed, managing the risk may involve:
- Risk acceptance: risks are tolerated by the organization, e.g. sometimes the cost of insurance is greater than the potential loss.
- Risk avoidance: not performing an activity that would incur risk, e.g. disallow remote login.
- Risk mitigation: taking actions to reduce the losses due to a risk; most technical countermeasures fall into this category.
- Risk transfer: shift the risk to someone else, e.g. most insurance contracts, home security systems.
GMU does it: https://itsecurity.gmu.edu/DRAC/about-DRAC.cfm
Annualized Loss Expectancy
One common tool for risk assessment is annualized loss expectancy (ALE), which is a table of possible losses, their likelihood, and potential cost for an average year. For each loss type, ALE = amount lost per incident x expected number of incidents per year.
Example: consider a bank with the following ALE. Where should the bank spend scarce security dollars?

Loss type            Amount         Incidence    ALE
SWIFT* fraud         $50,000,000    0.005        $250,000
ATM fraud (large)    $250,000       0.20         $50,000
ATM fraud (small)    $20,000        0.50         $10,000
Teller theft         $3,240         200          $648,000

* large-scale transfer of funds
Is ALE the Right Model?
Annualized loss expectancy effectively computes the "expected value" of any security expenditure.
Consider the following two scenarios:
1. I give you a dollar.
2. We flip a coin. Heads: I give you $1000. Tails: you give me $998.
Note that the expected values are the same in both cases ($1), but the risks seem quite different.
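The following is an added worked example, not code from the slides or from Viega and McGraw. It serves both the ALE slide and the "Is ALE the Right Model?" slide: it recomputes and ranks the bank's ALE table, scores two hypothetical countermeasures on an expected-value basis, and then puts a spread next to each expected value, because that spread is exactly what the coin-flip scenario says ALE hides. Assumptions added here: the amount for the large ATM-fraud row is back-computed as ALE / incidence (the slide omits it); the countermeasure figures are invented for illustration; and yearly loss spread is modelled by treating incidents as a Poisson process with the table's incidence as its rate, which is not something the slides specify.

```python
"""ALE ranking for the bank table, and the spread that an expected value hides.

Added example; not code from the slides.  The loss table is the one on the
ALE slide (the large ATM-fraud amount is back-computed as ALE / incidence,
since the slide omits it).  The Poisson spread model and the countermeasure
figures are assumptions made here for illustration.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class LossType:
    name: str
    amount: float      # loss per incident, in dollars (single-loss expectancy)
    incidence: float   # expected number of incidents per year

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: amount per incident x incidents per year."""
        return self.amount * self.incidence


# Constructed from the slide's table.
BANK_LOSSES: List[LossType] = [
    LossType("SWIFT fraud", 50_000_000, 0.005),
    LossType("ATM fraud (large)", 250_000, 0.20),   # amount back-computed
    LossType("ATM fraud (small)", 20_000, 0.50),
    LossType("Teller theft", 3_240, 200),
]


def ale_table(losses: Sequence[LossType]) -> Dict[str, float]:
    """Map each loss type to its ALE."""
    return {loss.name: loss.ale for loss in losses}


def rank_by_ale(losses: Sequence[LossType]) -> List[str]:
    """Loss types in the order ALE says to fund them, highest ALE first."""
    return [loss.name for loss in sorted(losses, key=lambda l: l.ale, reverse=True)]


def net_benefit(loss: LossType, incidence_cut: float, annual_cost: float) -> float:
    """Annual ALE saved by a control that removes a fraction `incidence_cut` of
    incidents, minus what the control costs per year.  Positive means the control
    pays for itself on an expected-value basis."""
    return loss.ale * incidence_cut - annual_cost


def annual_std_dev(loss: LossType) -> float:
    """Spread of the yearly loss if incidents arrive as a Poisson process with
    rate `incidence` (an assumption): variance = amount^2 * incidence, so the
    mean is the ALE but the standard deviation is amount * sqrt(incidence)."""
    return loss.amount * math.sqrt(loss.incidence)


# The two scenarios from the "Is ALE the Right Model?" slide, as
# (probability, payoff-to-you) pairs.
SURE_DOLLAR: List[Tuple[float, float]] = [(1.0, 1.0)]
COIN_FLIP: List[Tuple[float, float]] = [(0.5, 1000.0), (0.5, -998.0)]


def expected_value(outcomes: Sequence[Tuple[float, float]]) -> float:
    """Probability-weighted mean payoff."""
    return sum(p * x for p, x in outcomes)


def std_dev(outcomes: Sequence[Tuple[float, float]]) -> float:
    """Probability-weighted standard deviation of the payoff."""
    mu = expected_value(outcomes)
    return math.sqrt(sum(p * (x - mu) ** 2 for p, x in outcomes))


if __name__ == "__main__":
    by_name = {loss.name: loss for loss in BANK_LOSSES}
    for name in rank_by_ale(BANK_LOSSES):
        loss = by_name[name]
        print(f"{name:18s} ALE ${loss.ale:>12,.0f}   std dev ${annual_std_dev(loss):>12,.0f}")
    # Hypothetical controls: dual control on tellers halves teller theft for
    # $100k/yr; a SWIFT callback procedure removes 90% of SWIFT fraud for $300k/yr.
    print("teller control net benefit:", net_benefit(by_name["Teller theft"], 0.5, 100_000))
    print("SWIFT control net benefit: ", net_benefit(by_name["SWIFT fraud"], 0.9, 300_000))
    for label, outcomes in (("sure dollar", SURE_DOLLAR), ("coin flip", COIN_FLIP)):
        print(f"{label}: EV {expected_value(outcomes):.2f}, std dev {std_dev(outcomes):.2f}")
```

Run it as a script to see the table. ALE ranks teller theft first ($648,000/yr) and makes the hypothetical SWIFT control look like a bad buy (net -$75,000/yr), yet under the Poisson assumption the SWIFT line has a standard deviation around $3.5M against about $46K for teller theft: one event costs 200 years of its ALE. That is the bank-scale version of the coin flip, where both scenarios have an expected value of $1 but standard deviations of 0 and 999. Ranking by ALE alone is ranking by the mean and ignoring the tail.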
Lessons
- Because perfect security is impossible, realistic security is really about managing risk.
- Systematic techniques are available for assessing risk.
- Assessing risk is important, but difficult, and depends on a number of factors (technical, economic, psychological, etc.).