
Dirty Little Secrets of IA (Information Assurance)






Presentation Transcript


  1. Dirty Little Secrets of IA (Information Assurance)
  Why we might not be doing as well as you would hope…
  Bruce Potter (gdead@shmoo.com)

  2. Administrivia
  • What is SecurityGeeks?
    • Part learning, part information exchange, part social…
  • How often should we meet?
    • Once a month?
  • Topics? Format?
  • Future location ideas?
  • List Charter?
  • More questions?

  3. ShmooCon Pimpin’
  • Tix are on sale (sorta)
    • More to go on sale Jan 1, Feb 1
  • CFP still open
    • Though we have a lot of submissions in already… if you’re thinking of submitting, do so soon
  • ShmooCon Labs
    • A limited set of folks that will set up the network and learn from experts (apply now)
  • Hacker Arcade
  • Hack or Halo

  4. Don’t Believe Anything I Say
  • "Do not believe in anything simply because you have heard it. Do not believe in anything simply because it is spoken and rumored by many. Do not believe in anything simply because it is found written in your religious books. Do not believe in anything merely on the authority of your teachers and elders. Do not believe in traditions because they have been handed down for many generations. But after observation and analysis, when you find that anything agrees with reason and is conducive to the good and benefit of one and all, then accept it and live up to it.” - Buddha
  • Information Assurance is all about not trusting what you are hearing, seeing, or being sent
  • By Day, Senior Associate for Booz Allen Hamilton
    • Focusing on IC
    • Wireless security, application assurance, information security strategy
  • By Night, Founder of The Shmoo Group and restorer of hopeless Swedish cars
    • Anyone know what a Volvo 1800 is?

  5. IT Security Needs Pyramid
  [Figure: a pyramid of IT security needs, with the axis labelled “Sophistication and Operational Cost”. Layers as listed on the slide, apex to base: Honeypots, IDS, Software Sec, ACLs, Firewalls, Auth / Auth, Patch Mgt, Op. Procedures]

  6. Secret #1 - We’re not gaining on the attackers
  • For the last 4 decades, information assurance professionals have been attempting to solve the same problem
    “Another major problem is the fact that there are growing pressures to interlink separate but related computer systems into increasingly complex networks
    “Underlying most current users’ problems is the fact that contemporary commercially available hardware and operating systems do not provide adequate support for computer security
    “In addition to the experience of accidental disclosure, there has also been a number of successful penetrations of systems where the security was ‘added on’ or claimed from fixing all known bugs in the operating system. The success of the penetrations, for the most part, has resulted from the inability of the system to adequately isolate a malicious user, and from inadequate access control mechanisms built into the operating system”
  • Computer Security Technology Planning Study - October 1972, Electronic Systems Division, Air Force

  7. Current InfoSec Trends
  • Anti-virus, intrusion detection, and strong passwords
  • Defense in depth… aka: layer enough protection mechanisms on, and something will stop the bad guys (is this a good idea?)
  • Microsoft is the root of all security evils (is this true?)
  • Most of the threat against your systems is from script kiddies who have more guts than brains (is this still the case?)
  • All these ideas are geared toward a threat model that existed 10 years ago
  • Let’s look at attackers today

  8. The “Open Source” Model of Security Research
  • Only in the last 15 years have public discussions of information security issues come into vogue
    • From obscure geeky bulletin boards to the front page of the NY Times…
  • InfoSec is not really a science yet
    • Crypto is “math”. InfoSec is much, much more
  • Because of the specialized knowledge required, and the lack of a formal body of knowledge, a community has grown
    • Information on vulnerability research methods, specific vulnerability information and live exploits was publicly discussed
    • The idea of “responsible disclosure” was born (and debated at length)
  • But things have changed…

  9. Secret #2 - Existing Security Products are Becoming Obsolete
  • Firewalls and IDSs were created for a different threat model
    • They are probably still necessary but nowhere near sufficient
    • At a recent conference, CIOs were asked if they would notice if their firewall and IDS logs went away, and most said “no”
    • IDSs are best geared toward policy monitoring and enforcement
  • Host-based security is becoming increasingly important
    • Lost laptops aren’t just a problem for the VA
    • Much easier to find attacks at the endpoints than in the infrastructure… except for all the noise
    • With the mobile workforce, laptops are often outside the sphere of protection of the enterprise security architectures
  • Anomaly detecting systems are also a wave of the future
    • But statistical analysis of a single dimension of data may be a better bet than multiple data source correlation or some manner of AI-based system
  • How do we secure SOA-based systems?
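The “single dimension of data” point above is easy to show concretely. The following is an added example, not from the talk: it takes one constructed series (daily outbound traffic for one host, in GB, made up for illustration) and compares a classic mean/standard-deviation z-score against the median/MAD “modified z-score”. The threshold of 3.5 is the usual cut-off for the modified z-score; the data and the host are assumptions.

```python
"""Single-dimension anomaly detection over a constructed series of daily
outbound traffic for one host. Added example; the numbers are made up."""
import statistics
from typing import List

# Constructed: 11 ordinary weekdays of egress (GB) for one host, then one
# day with a large transfer. Not real data.
DAILY_EGRESS_GB = [4.1, 3.9, 4.4, 4.0, 4.2, 4.3, 3.8, 4.1, 4.0, 3.7, 4.5, 27.5]


def naive_zscores(values: List[float]) -> List[float]:
    """Classic z-score: (x - mean) / sample stdev. A single extreme value
    inflates both the mean and the stdev, which hides it ("masking")."""
    mean = statistics.mean(values)
    sd = statistics.stdev(values)
    if sd == 0:
        return [0.0 for _ in values]
    return [(v - mean) / sd for v in values]


def robust_zscores(values: List[float]) -> List[float]:
    """Modified z-score: 0.6745 * (x - median) / MAD. The median and the
    median absolute deviation are not dragged around by one outlier."""
    med = statistics.median(values)
    mad = statistics.median([abs(v - med) for v in values])
    if mad == 0:
        # Degenerate series (more than half the points identical): anything
        # off the median is anomalous, everything on it is not.
        return [0.0 if v == med else float("inf") for v in values]
    return [0.6745 * (v - med) / mad for v in values]


def flag_anomalies(values: List[float], robust: bool = True,
                   threshold: float = 3.5) -> List[int]:
    """Indices whose |z| exceeds the threshold."""
    zs = robust_zscores(values) if robust else naive_zscores(values)
    return [i for i, z in enumerate(zs) if abs(z) > threshold]


if __name__ == "__main__":
    print("naive :", flag_anomalies(DAILY_EGRESS_GB, robust=False))  # []
    print("robust:", flag_anomalies(DAILY_EGRESS_GB, robust=True))   # [11]
```

On this series the naive z-score never crosses 3.5 because the 27.5 GB day pulls the standard deviation up with it, while the robust version flags it at z ≈ 79. The practical caveat is the dimension you pick: a series with built-in seasonality (weekend lows, month-end batch jobs) needs a baseline per day-of-week or per job window, otherwise the normal dips get flagged along with the exfiltration.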

  10. Secret #3 - Having trusted hardware can completely change the face of information assurance
  • Secure cryptographic operations
  • Secure key storage
  • Integrity attestation
    • By some accounts, can ultimately rid us of the problems of malware, viruses, etc.
    • Trusted boot -> signed kernel -> signed drivers -> signed apps
    • Signed does not mean “secure” but it at least means “what I intended”
  • Why is now (finally) the time for trusted computing?
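To make the trusted boot / integrity attestation chain on this slide concrete, here is an added example that is not part of the talk: a toy measured-boot chain in which each stage hashes the next before handing off, a PCR-style register is extended TPM-style (new = H(old || digest)), and a verifier replays the event log and compares against a known-good value. The component blobs, the event-log format and the “golden” value are constructed for illustration; a real TPM does the extend in hardware and signs the PCR values with a key it never exports.

```python
"""Toy measured-boot chain and attestation check. Added example, not from
the talk; component blobs, log format and golden value are constructed."""
import hashlib
from typing import List, Sequence, Tuple

PCR_INIT = b"\x00" * 32   # PCRs are zeroed at reset; only extend() can change them


def measure(component: bytes) -> bytes:
    """Hash of the next stage, taken before control is handed to it."""
    return hashlib.sha256(component).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend semantics: PCR_new = H(PCR_old || digest). Order matters
    and nothing can 'un-extend', so a later stage cannot hide an earlier
    measurement."""
    return hashlib.sha256(pcr + digest).digest()


def boot_chain(components: Sequence[Tuple[str, bytes]]) -> Tuple[bytes, List[str]]:
    """Simulate firmware -> kernel -> driver -> app, each measuring the next.
    Returns the final PCR value and an event log a verifier can replay."""
    pcr, log = PCR_INIT, []
    for name, blob in components:
        digest = measure(blob)
        pcr = extend(pcr, digest)
        log.append(f"{name}:{digest.hex()}")
    return pcr, log


def replay_log(log: Sequence[str]) -> bytes:
    """Recompute the PCR from the event log alone."""
    pcr = PCR_INIT
    for entry in log:
        _, hexdigest = entry.split(":", 1)
        pcr = extend(pcr, bytes.fromhex(hexdigest))
    return pcr


def attest(reported_pcr: bytes, log: Sequence[str], golden_pcr: bytes) -> bool:
    """Verifier side: the log must replay to the reported PCR (the log was
    not doctored) and the PCR must equal the known-good value (only the
    intended code ran). 'Intended' is all this proves: a signed kernel with
    a bug in it still attests cleanly."""
    return replay_log(log) == reported_pcr and reported_pcr == golden_pcr


# Constructed stand-ins for the real binaries.
GOOD_CHAIN = [("firmware", b"fw-1.0"), ("kernel", b"vmlinuz-signed"),
              ("driver", b"net.ko-signed"), ("app", b"rosetta-signed")]
GOLDEN_PCR, _ = boot_chain(GOOD_CHAIN)   # recorded once on a known-good machine


def tampered_chain(stage: str, new_blob: bytes) -> List[Tuple[str, bytes]]:
    """The same chain with one stage swapped out (e.g. a rootkitted kernel)."""
    return [(n, new_blob if n == stage else b) for n, b in GOOD_CHAIN]


if __name__ == "__main__":
    pcr, log = boot_chain(GOOD_CHAIN)
    print("clean boot attests:", attest(pcr, log, GOLDEN_PCR))
    bad_pcr, bad_log = boot_chain(tampered_chain("kernel", b"vmlinuz-rootkit"))
    print("rootkit boot attests:", attest(bad_pcr, bad_log, GOLDEN_PCR))
```

The two checks inside attest() are the whole point of the slide: a modified kernel changes every later PCR value, and a log edited to omit it no longer replays to the value the hardware reports. What attestation does not tell you is whether the “intended” code is any good, which is the “signed does not mean secure” caveat.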

  11. Guess what? DRM is Cool
  • According to a recent survey, iPods are cooler than beer
  • Apple made DRM sexy and cool
    • The iPod begat ITMS
    • ITMS was made possible because Apple came up with a rights management scheme that the content providers could deal with at $1 a pop
    • In Feb 2006, the 1 billionth song was downloaded from ITMS
    • 1 billion songs means people think ITMS is cool
    • Through transitivity, Apple made DRM cool
  • What does Apple have to do with Trusted Hardware?

  12. Funny You Should Ask
  • Apple just made trusted hardware sexy and cool (and you didn’t even realize)
  • Enter the MacBook Pro
    • When Apple switched to Intel, they developed Rosetta… an emulator that dynamically translates PPC opcodes to x86
    • Apple is using the TPM to keep Rosetta from starting unless the TPM is there
    • Ensures Apple proprietary SW only runs on Apple HW
    • Maxxuss repeatedly bypassed this protection
  [Diagram: Legacy PPC App -> Rosetta -> App Translated to x86, running on an Intel Processor alongside the TPM]

  13. IA Trend - Trusted Hardware
  • Many other vendors also working to integrate trusted hardware
  • A variety of impacts on field operations
    • Can make decryption of encrypted data VERY difficult
    • Can make compromising a target’s computer more difficult
  • Provides security throughout the network, not just at a system level… This is FANTASTIC for device authentication
    • Trusted Network Connect
  • Key management is not just for strong crypto anymore
  • More info: http://www.trustedcomputing.org/

  14. Secret #4 - Decreased exploit development timeframe and mercenary exploit dev are empowering the individual attackers
  [Figure: Vulnerability Timeline, with the labels Vuln Disc., Patch Rel., Exploit Rel. and Majority Patched, and a span marked “High Risk for Large Scale and Highly Targeted Attacks”]
  • Patches have two major uses
    • Secure a system that has a known vulnerability
    • Determine what vulnerability was patched in order to develop an exploit
  • In the last several years, there has been an incredible decrease in the amount of time between patch release and creation of a successful exploit
    • Microsoft’s Patch Tuesday has been great for both attackers and defenders alike
    • The moral? Patch disclosure is essentially the same as vulnerability disclosure
  • Many security companies now offer money in exchange for exclusive rights to exploits from mercenary exploit developers
    • Tipping Point’s Zero Day Initiative (ZDI)
    • iDefense’s Vulnerability Contributor Program (VCP)
    • Etc…
    • These programs have “rewards” programs, as well as other incentives…
  • This has TOTALLY changed the “full disclosure” argument

  15. Secret #5 - For Operational Security, Microsoft may be your best bet
  • Operational security is just as much about scalability, monitorability, and manageability as it is about the technical “security” of the product
  • MS got it wrong for a LONG time… it allowed a HUGE industry to develop around it that provided security products to the consumer and enterprise
    • Also, other operating systems were viewed as “more secure” for a variety of reasons
  • But now MS has spent more money on security than many countries spend on IT
    • Even if they get most of it wrong, they’re moving in the right direction… They’re talking about MLS by ‘10
  • Unlike OSS, with MS, you have a product roadmap, you have a coherent integration of many business apps, you have security woven through the entire OS and application layers, AND you have a patch process that basically makes sense
  • Ultimately, the premise has changed… while before the security vendors knew security better, now MS does
    • Causing obvious problems with 64-bit Vista
  • http://www.shmoo.com/~gdead/ for more info on operational security and MS

  16. Secret #6 - What is the best mechanism for finding attackers in your networks?

  17. Administrators are the first responders
  • … they should be armed as such…
  • Networks are dynamic critters. The systems and network administrators know them better than any monitoring software will
  • For networks without administrators (sensor nets, local networks in airframes, etc.) specific monitoring procedures need to be developed. But these networks tend to be closed systems with easily profilable behaviors.
  • What gets one-off (dangerous) attackers caught?
    • Bandwidth increases
    • Running out of disk space
    • Patches not applying properly
    • Change management failures
    • CRAZY syslog entries (huge binary blobs in syslog entries, for instance)
  • In summary… things sysadmins and NOC operators will notice. Hard for automated systems to recognize whether these are security issues or not
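The “CRAZY syslog entries” signal is one an admin spots by eye but that is cheap to pre-filter for them. The following is an added example, not code from the talk: a small triage pass that flags lines with raw control characters, long runs of escaped or URL-encoded bytes, or an implausible length, and hands only those to a human. The sample log lines, the hostnames and IPs, and the thresholds are all constructed; tune the thresholds to what is normal on your own hosts.

```python
"""Cheap triage of syslog lines for the oddities a sysadmin would notice:
binary blobs, escaped byte runs, oversized messages. Added example, not
from the talk; log lines and thresholds are constructed."""
import re
from typing import Dict, List, Sequence

MAX_LINE_LEN = 1024       # assumption: classic syslog lines are rarely this long
NONPRINT_RATIO = 0.10     # >10% control/non-printable characters is suspicious
ESCAPED_BYTES = re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}")   # literal "\x90\x90..." runs
URLENC_BYTES = re.compile(r"(?:%[0-9a-fA-F]{2}){8,}")      # "%90%90..." runs


def nonprintable_ratio(line: str) -> float:
    """Fraction of characters that are not printable (tabs are tolerated)."""
    if not line:
        return 0.0
    bad = sum(1 for c in line if not c.isprintable() and c != "\t")
    return bad / len(line)


def triage_line(line: str) -> List[str]:
    """Reasons this line deserves a human look; empty list means normal."""
    reasons: List[str] = []
    if len(line) > MAX_LINE_LEN:
        reasons.append("oversized")
    if nonprintable_ratio(line) > NONPRINT_RATIO:
        reasons.append("binary-blob")
    if ESCAPED_BYTES.search(line):
        reasons.append("escaped-bytes")
    if URLENC_BYTES.search(line):
        reasons.append("url-encoded-run")
    return reasons


def triage(lines: Sequence[str]) -> Dict[int, List[str]]:
    """Map line index -> reasons, for flagged lines only."""
    flagged: Dict[int, List[str]] = {}
    for i, line in enumerate(lines):
        reasons = triage_line(line)
        if reasons:
            flagged[i] = reasons
    return flagged


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "Dec  3 10:01:02 host1 sshd[4242]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "Dec  3 10:01:09 host1 sshd[4250]: Failed password for invalid user admin from 10.0.0.9 port 40022 ssh2",
    "Dec  3 10:02:11 host1 httpd: GET /index.html 200",
    # an application that escapes bytes before logging them
    "Dec  3 10:02:15 host1 httpd: GET /" + "\\x90" * 40 + " 400",
    # raw control characters written straight into the log
    "Dec  3 10:02:20 host1 kernel: " + "".join(chr(1 + i % 20) for i in range(200)),
    # a request line far longer than anything legitimate on this host
    "Dec  3 10:02:30 host1 httpd: GET /" + "A" * 1500 + " 414",
    # percent-encoded byte run in a query string
    "Dec  3 10:02:40 host1 httpd: GET /cgi-bin/x?q=" + "%90" * 30 + " 400",
]

if __name__ == "__main__":
    for idx, why in triage(SAMPLE_LOG).items():
        print(idx, why, repr(SAMPLE_LOG[idx][:60]))
```

A failed SSH login is left alone on purpose: it is noise an IDS already counts. What this pass surfaces is the structural weirdness (a message that is mostly bytes, or ten times longer than its neighbours) that the slide says automated systems struggle to classify and a NOC operator recognises at a glance.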

  18. Secret #7: Most organizations don’t have staff dedicated to monitoring the security of their networks and systems
  • What works for securing DoD may never work for anyone else
    • Just like how MS deals with software security may not work for anyone else
    • 800 lb gorillas are not good examples
  • You’re lucky to find staff dedicated to security configuration, let alone security monitoring

  19. Secret #8: There are several proactive detective mechanisms that work without breaking the bank or your staff
  • Host integrity monitoring
    • Looking for changes in the end hosts, especially in system directories, can be very successful
  • Network services monitoring
    • Scanning internal networks looking for open ports will at least find new TCP services… great for change management control as well
  • Monitoring defacement archives and other open source locations for your assets
    • If the Internet knows you’re p0wned, shouldn’t you?
  • If you don’t get these right… why do more?
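The host integrity monitoring item above is the cheapest of the three to build, so here is an added example of it (not code from the talk or from any particular product): baseline a directory tree as content hash plus permission bits per file, then report what was added, removed or changed. The demo tree, its file names and the “tampering” are constructed in a temporary directory; point snapshot() at a real system directory to use it for real.

```python
"""Host integrity monitoring over a directory tree: baseline content hashes
and permission bits, then report added / removed / changed files.
Added example, not from the talk; the demo tree is constructed."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Set


def file_digest(path: Path) -> str:
    """SHA-256 of a file, streamed so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Relative path -> 'sha256:mode' for every regular file under root.
    Symlinks are skipped so a link into /proc or onto a huge file cannot
    stall or mislead the scan; mode bits catch a setuid flip with no
    content change."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            mode = oct(p.stat().st_mode & 0o7777)
            baseline[p.relative_to(root).as_posix()] = f"{file_digest(p)}:{mode}"
    return baseline


def diff(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, Set[str]]:
    """Set difference on paths, plus hash/mode comparison on the common ones."""
    before, after = set(baseline), set(current)
    return {
        "added": after - before,
        "removed": before - after,
        "changed": {p for p in before & after if baseline[p] != current[p]},
    }


def demo() -> Dict[str, Set[str]]:
    """Build a tiny 'system directory', baseline it, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "bin" / "ps").write_bytes(b"original ps binary")
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        baseline = snapshot(root)
        # Simulated tampering: replaced binary, dropped file, deleted config.
        (root / "bin" / "ls").write_bytes(b"trojaned ls binary")
        (root / "bin" / ".cache").write_bytes(b"dropped payload")
        (root / "sshd_config").unlink()
        return diff(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:8s} {sorted(paths)}")
```

Two operational notes that the code cannot enforce: keep the baseline somewhere the monitored host cannot rewrite it (an attacker who can replace /bin/ls can also edit a baseline stored next to it), and re-baseline only as part of change management, which is exactly why the slide pairs integrity monitoring with change control.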

  20. Questions?
