IT Security: General Trends and Research Directions
Sherif El-Kassas, Department of Computer Science, The American University in Cairo

Outline
• Practical considerations
• Academic and research perspective
• National perspective

Practical considerations
• Types of attacks on the IT infrastructure
  • Technical
  • Physical
  • Social
Technical Attacks
• ~80% are considered the easiest to defend against (easiest doesn't mean easy)
• The remaining ~20% are difficult!
• Examples include forms of technical hacking, automated attacks, malicious software, etc.

Typical attack
Source: Incident and Vulnerability Trends, http://www.cert.org/present/cert-overview-trends/

The Slammer worm!
• The fastest mass attack in history
• It doubled in size every 8.5 seconds
• It infected 90% of vulnerable systems in 10 minutes!
Slammer after a few minutes (figure)
Source: D. Moore and others, Inside the Slammer Worm, IEEE Security & Privacy, July/August 2003

Geographic Distribution (figure)
Source: D. Moore and others, Inside the Slammer Worm, IEEE Security & Privacy, July/August 2003

Flash Worms
“[…] infecting 95% of hosts in 510ms, and 99% in 1.2s.”
Source: Staniford and others, The Top Speed of Flash Worms, www.caida.org/outreach/papers/2004/topspeedworms/

Google worms
“inurl:id= filetype:asp site:gov” – 572,000 results
Source: The Hacking Evolution: New Trends in Exploits and Vulnerabilities, www.sans.org
Physical Attacks
• Combine physical and technical intrusions
• High risk for the attacker, but may provide quicker access to sensitive resources
• Examples include trashing, hardware loggers, etc.
http://keystroke-loggers.staticusers.net/
http://www.keyghost.com/
http://www.amecisco.com/hkstandalone.htm
http://www.littlepc.com/products_wireless.htm

Social & Semantic Attacks
• Rely on attacking the users of the systems, using social engineering, possibly assisted by technical tools
• Reported to be the most effective and lowest risk (from the attacker’s point of view)
• Examples include fake web sites, phishing, etc.
Please update your billing information by clicking […]:
<a href="http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=http://goens.net/.www.ebay.com/" onMouseOut="status='';return true" target=_blank onMouseOver="status='https://billing.ebay.com/';return true">https://billing.ebay.com/</a>
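A defender-side check for links like the one above, added here as an example and not part of the original slides: it parses the anchor, compares the host named in the visible link text with the host the href actually goes to, and looks for a second absolute URL carried in the query string (the open-redirect pattern the slide's link uses). SAMPLE is a constructed copy of the slide's link with the line-wrap spaces removed.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample modelled on the e-mail link on the slide (wrap spaces removed).
SAMPLE = ('<a href="http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand='
          'RedirectToDomain&DomainUrl=http://goens.net/.www.ebay.com/" '
          'onMouseOver="status=\'https://billing.ebay.com/\';return true">'
          'https://billing.ebay.com/</a>')

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def embedded_urls(url):
    """Absolute URLs carried inside query parameters, i.e. open-redirect targets."""
    return [v for vals in parse_qs(urlsplit(url).query).values()
            for v in vals if v.lower().startswith(("http://", "https://"))]

def suspicious_links(fragment):
    """Return [(href, [reasons])] for anchors whose text or redirect target disagrees with the href host."""
    parser = LinkCollector()
    parser.feed(fragment)
    findings = []
    for href, text in parser.links:
        href_host = urlsplit(href).hostname or ""
        reasons = []
        if text.lower().startswith(("http://", "https://")):   # text that looks like a URL
            text_host = urlsplit(text).hostname or ""
            if text_host != href_host:
                reasons.append(f"text shows {text_host}, href goes to {href_host}")
        for inner in embedded_urls(href):                      # redirect to a third party?
            inner_host = urlsplit(inner).hostname or ""
            if inner_host != href_host:
                reasons.append(f"{href_host} redirects to {inner_host}")
        if reasons:
            findings.append((href, reasons))
    return findings
```

Running suspicious_links(SAMPLE) flags the slide's link twice: the visible text claims billing.ebay.com while the href goes to cgi4.ebay.com, and the DomainUrl parameter sends the victim on to goens.net.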
Technologies and Tools
What are we doing about the threat?
• Perspective on security: Prevention

What are we doing about the threat?
• Perspective on security: Security = Prevention + Detection + Response

What are we doing about the threat?
• Layered view of information security:
  • Data & Information
  • Applications
  • System
  • Network
ISO 17799 / BS 7799
• Business Continuity Planning
• System Access Control
• System Development and Maintenance
• Physical and Environmental Security
• Compliance
• Personnel Security
• Security Organization
• Computer & Network Management
• Asset Classification and Control
• Security Policy

Common Criteria for Information Technology Security Evaluation
• Rooted in the Orange Book, the DoD Trusted Computer System Evaluation Criteria
• ISO 15408, http://csrc.nist.gov/cc/
Academic & research perspective: Future Directions and Issues

Ken Thompson: On Trusting Trust
“The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) […] A well installed microcode bug will be almost impossible to detect.”
Source: www.acm.org/classics/sep95/
Cryptology
• Cryptography
  • Theoretical research: number theory, algebraic geometry, complexity theory, graph theory, etc.
  • Research for the development of new (or bespoke) cryptographic algorithms and protocols
• Cryptanalysis
  • Tools research (e.g., grid computing)

Security Policy Models
• Fundamentals of security models (e.g., multilevel vs. multilateral security)
• National (possibly government) security policy models
• Evaluating and auditing methodologies for national and established models (e.g., ISO 17799 and CC / ISO 15408)
Computing models
• Failure-resistant systems
• Digital immune systems (and anti-virus systems)
  • http://www.research.ibm.com/antivirus/
  • http://www.ibm.com/autonomic
• AI and neural network (NN) applications

Security management and system development issues
• Incremental and agile development methods (iterative, XP)
• Threat modeling and risk analysis (threat trees, etc.)
• Good opportunity for interdisciplinary research with economics
• Applications and use of formal methods in security (BAN logic, B, Z, etc.)

Hardware and physical security related issues
• Engineering embedded hardware security devices (e.g., ARM processor core-like systems)
• Tamper-resistant/evident systems
• Emission and TEMPEST security
• Resisting high-power microwave

Firewalls and network isolation
• Distributed firewall systems
• The use of agent technologies
• Application-level firewalls for Web services and similar technologies
• Firewalls to face challenges posed by new technologies: IP telephony, wireless networks, etc.

Intrusion Detection and Prevention
• High-performance IDS systems
• Applications of neural networks (NNs), genetic algorithms (GAs), and other AI techniques
• Applications of data mining
• Statistical modeling and correlation
Authentication and access control
• Biometrics
• Smartcards
• Other systems (secure hardware!)

Application security
• Education
• IDS/IPS for applications
• Libraries and design patterns
• More...

Research aimed at better understanding attack technologies and trends
• National Honeynet-like project
• Large-scale data collection and statistical trend analysis research
• Vulnerability research

Other issues
• Computer forensics
• Telecommunications security
  • Systems, metering, signaling, switching
  • Mobile phone security (cloning, GSM security, etc.)
• Secure hardware
• PKI & PMI
• Legal issues

Conclusions
• Security is a wide and challenging field
• Developers:
  • Look for shifts
    • The phone is the computer
    • The application is the security problem
    • Web services and virtual computing
  • Think services
• Researchers:
  • Risk modeling
  • Fundamental issues
  • Don’t be swayed by fads
• Government:
  • Adopt standards and security processes
  • Diversify
  • Think in terms of threat pyramids
  • Manage trust
  • Encourage R&D