Dan Fleck CS 469: Security Engineering Introduction Dan Fleck CS 469: Security Engineering Coming up: Outline These slides are modified with permission from Bill Young (Univ of Texas)
Outline Introduction: What is “security” Why is security hard? Security as risk management Aspects of security Coming up: What does security mean?
What does security mean? The term security is used in a variety of contexts. What’s the common thread? Personal security Corporate security Personnel security Energy security Homeland security Operational security Communications security Network security System security Coming up: What does security mean?
What does security mean? In the most general terms, security seems to mean something like “protection of assets against threats.” What assets? What kinds of threats? What does “protection” mean? Does the nature of protection vary depending on the threat? Coming up: Security on a Personal Level
Security on a Personal Level Suppose you’re visiting an online retailer, and need to enter personal information. What protections do you want? From what threats? Authentication (protection from phishing) Authorization Privacy of your data Integrity of your data Availability Non-repudiation What else? Answers Authentication (protection from phishing) Authorization Privacy of your data Integrity of your data Availability Non-repudiation What else? Coming up: Security on an Institutional Level
Security on an Institutional Level Consider the following scenarios: A large corporation’s computer systems are penetrated and data on thousands of customers is stolen. A student hacks into university registrar’s system and changes his grade in several classes he has taken. An online retailer’s website is overwhelmed by malicious traffic, making it unavailable for legitimate customer purchases. Does this suggest why it’s hard to define “security” in the context of digital systems? What are the consequences? Mitigations? Coming up: Why are Attacks Becoming More Prevalent?
Why are Attacks Becoming More Prevalent? Increased connectivity Many valuable assets online Low threshold to access Sophisticated attack tools and strategies available Others? Coming up: Some Sobering Facts
Some Sobering Facts There were over 1 million new unique malware samples discovered in each of the past two quarters. Unlike the worms and mass-mailers of the past, many of these were extremely targeted to particular industries, companies and even users. (www.insecureaboutsecurity.com, 10/19/2009) Once PCs are infected they tend to stay infected. The median length of infection is 300 days. (www.insecureaboutsecurity.com, 10/19/2009) Coming up: Some Sobering Facts
Some Sobering Facts A recent study of 32,000 Websites found that nearly 97% of sites carry a severe vulnerability. –Web Application Security Consortium, Sept 2008 “NSA found that inappropriate or incorrect software security configurations (most often caused by configuration errors at the local base level) were responsible for 80 percent of Air Force vulnerabilities.” –CSIS report on Securing Cyberspace for the 44th Presidency, Dec. 2008, p. 55 Coming up: Why Should We Care?
Why Should We Care? A dozen determined computer programmers can, if they find a vulnerability to exploit, threaten the United States’ global logistics network, steal its operational plans, blind its intelligence capabilities or hinder its ability to deliver weapons on target. – William J. Lynn, U.S. Deputy Secy of Defense, Foreign Affairs (2010) A top FBI official warned today that many cyber-adversaries of the U.S. have the ability to access virtually any computer system, posing a risk that’s so great it could “challenge our country’s very existence.” –Computerworld, March 24, 2010 Coming up: Educate Yourself
Educate Yourself Educating yourself about computer security can: enhance your own protection; contribute to security in your workplace; enhance the quality and safety of interpersonal and business transactions; improve overall security in cyberspace. Coming up: Outline
Outline Introduction: What is “security” Why is security hard? Security as risk management Aspects of security Coming up: Is Cyber Security Particularly Hard?
Is Cyber Security Particularly Hard? Question: Why would security be any more difficult than most technological problems? Answer 1: Most technology-related efforts are concerned with ensuring that something good happens. Security is all about ensuring that bad things never happen. In security, not only do you have to find “bugs” that make the system behave differently than expected, you have to identify any features of the system that are susceptible to misuse and abuse, even if your programs behave exactly as you expect them to. Coming up: What Bad Things?
What Bad Things? Answer 2: If security is all about ensuring that bad things never happen, that means we have to know what those bad things are. The hardest thing about security is convincing yourself that you’ve thought of all possible attack scenarios, before the attacker thinks of them. “A good attack is one that the engineers never thought of.” –Bruce Schneier Coming up: Programming Satan’s Computer
Programming Satan’s Computer Answer 3: Unlike most technology problems, you have to defeat one or more actively malicious adversaries. Ross Anderson characterizes this as “Programming Satan’s Computer.” The environment in which your program is deployed works with malice and intelligence to defeat your every effort. The defender has to find and eliminate all exploitable vulnerabilities; the attacker only needs to find one! Coming up: Easiest Penetration
Easiest Penetration Answer 4: Information management systems are a complex, “target-rich” environment comprising: hardware, software, storage media, peripheral devices, data, people. Principle of Easiest Penetration: an intruder will use any available means to subvert the security of a system. “If one overlooks the basement windows while assessing the risks to one’s house, it does not matter how many alarms are put on the doors and upstairs windows.” –Melissa Danforth Coming up: Security Isn’t the Point
Security Isn’t the Point Answer 5: Security is often an afterthought. No-one builds a digital system for the purpose of being secure. They build digital systems to do something useful. Security mechanisms may be viewed as a nuisance to be subverted, bypassed, or disabled. Coming up: Upshot: Perfect Security Ain’t Happening
Upshot: Perfect Security Ain’t Happening Perfect security is probably impossible in any useful system. “The three golden rules to ensure computer security are: do not own a computer; do not power it on; and do not use it.” –Robert H. Morris, former Chief Scientist of the National Computer Security Center (early 1980’s) “Unfortunately the only way to really protect [your computer] right now is to turn it off, disconnect it from the Internet, encase it in cement and bury it 100 feet below the ground.” –Prof. Fred Chang, former director of research at NSA (2009) Coming up: If Security Gets in the Way
If Security Gets in the Way Security is meant to prevent bad things from happening; one side-effect is often to prevent useful things from happening. Typically, a tradeoff is necessary between security and other important project goals: functionality, usability, efficiency, time-to-market, and simplicity. Coming up: Some Lessons
Some Lessons He who defends everything defends nothing. –old military adage Security is difficult for several reasons. Since you can never achieve perfect security, there is always a tradeoff between security and other system goals. Coming up: Outline
Outline Introduction: What is “security” Why is security hard? Security as risk management Aspects of security Coming up: Security as Risk Management
Security as Risk Management If perfect security is not possible, what can be done. Viega and McGraw (Building Secure Software) assert that software and system security really is “all about managing risk.” Risk is the possibility that a particular threat will adversely impact an information system by exploiting a particular vulnerability. The assessment of risk must take into account the consequences of an exploit. Coming up: Risk Management Framework
Risk Management Framework Risk management is a process for an organization to identify and address the risks in their environment. One particular risk management procedure (from Viega and McGraw) consists of six steps: Assess assets Assess threats Assess vulnerabilities Assess risks Prioritize countermeasure options Make risk management decisions Coming up: Coping with Risk
GMU Does it: https://itsecurity.gmu.edu/DRAC/about-DRAC.cfm Coping with Risk Once the risk has been identified and assessed, managing the risk may involve: Risk acceptance: risks are tolerated by the organization. e.g. sometimes the cost of insurance is greater than the potential loss. Risk avoidance: not performing an activity that would incur risk. e.g. disallow remote login. Risk mitigation: taking actions to reduce the losses due to a risk; most technical countermeasures fall into this category. Risk transfer: shift the risk to someone else. e.g. most insurance contracts, home security systems. GMU Does it: https://itsecurity.gmu.edu/DRAC/about-DRAC.cfm Coming up: Annualized Loss Expectancy
Annualized Loss Expectancy One common tool for risk assessment is annualized loss expectancy (ALE), which is a table of possible losses, their likelihood, and potential cost for an average year. Example: consider a bank with the following ALE. Where should the bank spend scarce security dollars? Loss type Amount Incidence ALE SWIFT* fraud $50,000,000 0.005 $250,000 ATM fraud (large) 0.20 $50,000 ATM fraud (small) $20,000 0.50 $10,000 Teller theft $3,240 200 $648,000 * - large scale transfer of funds. Coming up: Is ALE the Right Model?
Is ALE the Right Model? Annualized Loss Expectancy effectively computes the “expected value” of any security expenditure. Consider the following two scenarios: I give you a dollar. We flip a coin. Heads: I give you $1000. Tails: you give me $998. Note that the expected values are the same in both cases ($1), but the risks seem quite different. Coming up: Lessons
Lessons Because perfect security is impossible, realistic security is really about managing risk. Systematic techniques are available for assessing risk. Assessing risk is important, but difficult and depends on a number of factors (technical, economic, psychological, etc.) End of presentation