1 / 34

The Enemy Has Surrounded the Castle— Is It Time to Develop a Plan?

The Enemy Has Surrounded the Castle— Is It Time to Develop a Plan?. Dr Charles P Pfleeger CISSP  c.pfleeger@computer.org . The Enemy at the Gates. Status of the security field today Progress of the last three decades Prognosis for the future A plan Conclusions. © 2003 Charles P Pfleeger.

latham
Download Presentation

The Enemy Has Surrounded the Castle— Is It Time to Develop a Plan?

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. The Enemy Has Surrounded the Castle—Is It Time to Develop a Plan? Dr Charles P Pfleeger CISSP c.pfleeger@computer.org

  2. The Enemy at the Gates • Status of the security field today • Progress of the last three decades • Prognosis for the future • A plan • Conclusions The Enemy is at the Gates © 2003 Charles P Pfleeger

  3. Information Security Today • Infrastructure • Systems • Applications • People • Users The Enemy is at the Gates

  4. Critical Internet Threats SANS Institute: • BIND/DNS weakness, root compromise • Vulnerable CGI programs • RPC weakness, root compromise • RDS flaw MS Internet Info Server (IIS) • Sendmail and MIME buffer overflows • Sadmind and mountd buffer overflows • Global file sharing vulnerabilities in NT, Unix NFS, and Macintosh Web sharing • UserIDs with weak (or no) passwords • IMAP and POP buffer overflows • Default SNMP community strings unencrypted, weak The Enemy is at the Gates

  5. Common Themes • Buffer overflows and other coding errors • Insecure initial configuration, defaults, and administration • Privilege compromise • Protocol weaknesses The Enemy is at the Gates

  6. Malicious Code Events • approx 1983: first virus • today, one anti-virus tool manufacturer reports protection against over 50,000 strains • 1987: C. Stoll’s attacker in The Cuckoo’s Egg • 1988: Morris worm • 1992+: Kevin Mitnick • 1994: first Microsoft Word virus • late 1990s: web site defacements • New York Times, H-P, Compaq, Alta Vista, eBay, Int’l Girl Scouts, … • 2001: Code Red, NIMDA • 2002: Melissa, ILoveYou • 2003: Slammer, sobig.f The Enemy is at the Gates

  7. 19 June 2001: initial flaw report; patch posted a few days later 13 July 2001: initial attack; slow spread for first few days Estimated effect: 750,000 servers affected 12.5% of servers worldwide 400,000 after 1 Aug 2001 >$2 billion US to clean up Code Red Virus • At least four variants • Structured buffer overflow in Microsoft IIS • Components: • web site defacement • Trojan horse for later control • distributed denial of service The Enemy is at the Gates

  8. NIMDA, Melissa, Slammer, … • Standard attack components • Compromise mechanism • Propagation mechanism • Payload • Massive effect • Large number of affected systems • Widespread infection • Much wailing and gnashing of teeth • Public attention/concern short The Enemy is at the Gates

  9. 18 Jun 2001 MS01-33 Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise Windows NT4 Security Patch:  Superfluous decoding operation could allow command execution via IIS 14 May 2001 Windows NT4 IIS4 Security Patch: File Fragment Reading via .HTR Vulnerability 29 Jan 2001 Windows NT 4.0 Security Patch: Malformed Web Form Submission Vulnerability 21 Dec 2000 Windows NT 4.0 IIS4 Security Patch: Web Server File Request Parsing Vulnerability 20 Nov 2000 Windows NT 4.0 IIS4 Security Patch: IIS Cross-Site Scripting Vulnerability 2 Nov 2000 Windows NT 4.0 IIS4 Security Patch: Session ID Cookie Marking Vulnerability 23 Oct 2000 Windows NT 4.0 IIS4 Security Patch: Cross-Site Scripting Vulnerability 24 Aug 2000 Windows NT 4.0 IIS4 Security Patch: Absent Directory Browser Argument Vulnerability 13 Jul 2000 Windows NT4.0 Internet Information Server 4 (IIS4) Security Patch: Malformed Extension Data in URL 11 May 2000 Windows 2000 IIS4 Security Patch: Undelimited .HTR Request and File Fragment Reading via .HTR 10 May 2000 Internet Information Server 4.0 (IIS4) Security Patch: Myriad Escaped Characters Vulnerability 11 Apr 2000 Internet Information Server (IIS) 4 Security Patch 4.2.739.1: Chunked Encoding Post Vulnerability 20 Mar 2000 Internet Information Server 4.0 (IIS4) Security Patch: Virtualized UNC Share Vulnerability (Intel) 24 Feb 2000 Internet Information Server (IIS) and Client Web Capacity Analysis Tool 4.35 20 Jan 2000 Internet Information Server 4.0 (IIS4) and Site Server 3.0 Security Patch: Virtual Directory Naming 7 Dec 1999 Internet Information Server (IIS) Security Patch 4.2.732.1: Escape Character Parsing Vulnerability 6 Dec 1999 IIS 4.0 Security Patch History The Enemy is at the Gates

  10. Common Themes • Numerous security patches—”penetrate and patch” returns • Patching, administration, maintenance moved to end user • Defender needs complete protection; attacker needs only one vulnerability • Fragile community, infrastructure: devastated by simple attack The Enemy is at the Gates

  11. What Do Users Expect? • Functionality,Functionality,Functionality • More, better, faster, sexier • Security • Implemented by “fairy dust” • For free The Enemy is at the Gates

  12. What Do Users Get? • System crashes— no apparent cause, seemingly random times • Vulnerability patches of unknown content • Few choices The Enemy is at the Gates

  13. Last Three Decades’ Progress • Milestones in information security • Progress The Enemy is at the Gates

  14. Information Security Papers • 1969-W. Ware and 1972-J. Anderson panels: need an organized approach to security • 1975-J. Saltzer and M. Schroeder: secure system design principles • 1979-R. Morris and K. Thompson: password security case study • 1984-K. Thompson: potential effect of an embedded Trojan horse • 1989-S. Crocker and M. Bernstein: ARPA-DARPA-Internet disaster causes (references at end) The Enemy is at the Gates

  15. Results: New Ideas • Operating systems • Multics, KVM, PSOS, KSOS, SE-VMS, SCOMP • Unix (and Linux) • Windows NT/2K, 98/ME/XP • Networks • Verdix LAN, Boeing SNS • TCP/IP, Novell • IPv6 with security features… still in the future The Enemy is at the Gates

  16. Results: Old Ideas • Firewalls • Implementation of “reference monitor” concept of 1972 • Virus scanners • based on 1970s pattern matching reseach • VPNs • an outgrowth of military cryptography • Intrusion detection systems • based on 1985 research The Enemy is at the Gates

  17. Evaluation: User’s and Trust • Criteria: US (‘83), Canada (‘87), UK (‘89), Germany (‘89), ITSEC (‘91), US Federal Criteria (‘93), Common Criteria (‘94) • Status • Scheme with mutual recognition • Dozens of evaluated products • US (military) encouragement • Evaluation limited: scope, time, depth • Not a major market differentiator The Enemy is at the Gates

  18. Who is Ahead? • 50,000 virus and malicious code strains • >600 million Internet users (not all of whom are malicious) • <10,000 certified information security professionals--SANS GIACs and CISSPs (plus many professionals who are not certified) • US$6.7 billion worldwide market for security services; growing to US$21 billion by 2005 The Enemy is at the Gates

  19. Today’s Key Problems • Buffer overflow • Interface failures • Passwords • Time-of-check to time-of-use • Unintended side effects • Hard to understand controls • User awareness, understanding All problems from 1970s The Enemy is at the Gates

  20. Frank Assessment • Flaws and flawed products are increasing faster than the security community • Attacks and attackers are getting nastier • We [the good folks] are slipping farther and farther behind • Spending for security and security research is increasing far more slowly than the threat The Enemy is at the Gates

  21. Research: Who Funds What • Company: products and technologies • Firewalls, PKI solutions, IDSs, authentication devices, etc. • Consortium: members’ interests • Protocols (IPv6, LDAP), standards (CORBA), APIs (crypto, access) • Foundation: public interest • Ethics, privacy (ACLU, recording industry) • Government: long-term, conceptual • Technology (Internet, formal methods), Problem-solving (secure OS) The Enemy is at the Gates

  22. Research Needs • Self defense • Domain confinement • Trust, assurance • Software “plug and play” • Software fault tolerance • Identity management • Patch approach The Enemy is at the Gates

  23. Self Defense • Problem • Patches, mobile code, distributed applications, client-side functionality • Unknown origin, quality, action • Known approaches • Signing • Confinement The Enemy is at the Gates

  24. Domain Confinement • Problem • Limiting harmful effects of untrustworthy code • Known approaches • Sandbox (Java)—software • Hardware-enforced separation • Domain type enforcement The Enemy is at the Gates

  25. Trust, Assurance • Problem • Basis for trust between unknown parties • Metrics for trust and assurance • Algebra of trust: good + very good = ? • Known approaches • Evaluation schemes • Testing • E-mail: PGP vs PKI • Screening (firewall), trial period The Enemy is at the Gates

  26. Software “Plug And Play” • Problem • Little “genetic diversity,” component substitution • Desire to substitute high assurance component for factory default • Known approaches • Software engineering, modularity, APIs • Reverse engineering The Enemy is at the Gates

  27. Software Fault Tolerance • Problem • Oversights (buffer overflows) undetected • Failures produce catastrophic results; software does not detect and protect (isolate, recover) • Known approaches • Software engineering: reviews, testing • Training: trustworthy computing initiative • Hard to do for system composed of many parts The Enemy is at the Gates

  28. Identity Management • Problem • Continuous I&A for distributed system • Application-level authentication • Basis for authentication of previously unknown parties • Process acting on behalf of individual • Users want “single sign on” • Known approaches • Local I&A, remote authentication (one-time), encrypted channels The Enemy is at the Gates

  29. Patch Approach • Problem • Never-ending check for patches • Patching can introduce errors, break other code (“If it works don’t fix it”) • Responsibility on naïve end-user • Known approaches • Telephone • Automatic update The Enemy is at the Gates

  30. Problems with Research • Research is hard • Easier to find one flaw than prevent all • Results are not easily accepted • Ease of use • Cost of security • Little user demand • Time-to-market The Enemy is at the Gates

  31. From Earth to Moon • US/USSR space race • International priority • Large investment • Attracted bright, dedicated people • Interdisciplinary • Some setbacks, but many, very visible successes; spin-offs • Some national defense value but much non-military • Not essential to world The Enemy is at the Gates

  32. Conclusions • Rich history of research results • Much of best work done in ’70s-’80s • Interesting challenges • International problem • Money needed, but comparatively little The Enemy is at the Gates

  33. A Final Word … The Enemy is at the Gates

  34. References • Anderson, J., “Computer Security Technology Planning Study,” U.S. Air Force Elect. Sys. Div. Tech. Rpt. 73-51, Oct 1972; also http://csrc.nist.gov/publications/history/ande72.pdf • Crocker, S. and Bernstein, M., “ARPANET Disruptions: Insight into Future Catastrophes,” TIS Report #247, TIS Labs at Network Associates, 24 Aug 1989. No URL  • Morris, R. and Thompson, K., “Password Security: A Case History,” Comm. of the ACM, Nov 1979. • Saltzer, J. and Schroeder, M, “Protection of Information in Computer Systems,” Proc. of the IEEE, Sept 1975. • Thompson, K., “Reflections on Trusting Trust,” Comm.. of the ACM, Aug 1984. • Ware, W., “Security Controls for Computer Systems,” Rand Corp. Tech. Rpt. R-609-1, 1970 (reissued 1979); also http://www.rand.org/publications/R/R609.1/R609.1.html The Enemy is at the Gates

More Related