Saikat Chakrabarti
saikat@netlab.uky.edu
Graduate Student, Computer Science, University of Kentucky
A recent snapshot of network security: problems, policies, solutions, and unanswered questions
CS@UK Security Seminar
Agenda
• Threats, recent attacks, and experiments
  • TJX incident, shutdown of anti-spam companies, mock attacks
  • Honeypot experiment
• What are network security personnel @ CS.UK doing?
  • Context 1: Securing content-distribution systems
  • Context 2: Providing accountability in privacy-preserving systems
  • Context 3: Securing inter-domain routing protocols (secure-BGP)
  • Context 4: Securing source routing protocols in ad hoc networks
• The “real world”: use of policies in information security
  • HIPAA, Sarbanes-Oxley, Are policies needed at all?
• Conclusions (Questions)
Recent attacks
• January 2007
• Reported by: TJX, owner of TJ Maxx and Marshall's
• Hackers use long-range antennas to tap Wi-Fi networks of TJX
• Hackers gain access to 45M users' credit card information
• Theft cost more than $256 million
Recent attacks
• May 2007
• Estonia's government relocates Soviet memorial in country's capital
• Russian hackers launch DDoS attacks against Estonia's government
• Banking and media Web sites down for more than a week
• No direct connection between hackers and Russian government found
Recent attacks
• May 2006
• Blue Security Inc. developed a powerful anti-spam mechanism, Blue Frog
• The Blue Frog program sent messages back to the sender of any spam
• Hackers launched several denial-of-service attacks against the company
• Blue Security Inc. shut down
Experiments
• Staged attack reveals vulnerability in power grid
• Department of Energy's Idaho lab
• March 2007
BBC's honeypot experiment
• Malicious programs view honeypots like any other PC
• Honeypots use a variety of forensic tools to log what happens to them
Network Security Folks @ CS.UK
• Context 1: Securing content-distribution systems
• Context 2: Providing accountability in privacy-preserving systems
• Context 3: Securing inter-domain routing protocols (secure-BGP)
• Context 4: Securing source routing protocols in ad hoc networks
Securing content-distribution systems
Sub-context: reliable, group-oriented multicast applications
• Problems
  • Source needs to verify whether the message was reliably delivered to the intended receivers
  • Source needs to verify all individual signatures
  • Solution does not scale: “Signed-Ack implosion problem”
• Solution overview
  • Create aggregate signature: combine n signatures from n signers into a single signature, preserving length
  • Create aggregate public key: combine n public keys into a single public key; use the aggregate public key to verify the aggregate signature
Authenticating feedback in multicast applications
• Leaves:
  • Register PKs with TTP
  • Send (Ack, Sig) pair toward source
• Internal nodes:
  • Verify incoming signatures
  • Aggregate PKs of children
  • Aggregate sigs
  • Register aggregate PKs
  • Send (Ack, Sig) pair
(Figure: Multicast/Feedback Delivery Tree)
Designing privacy-preserving accountability systems
• Accountability
  • Who is responsible for the packet?
  • Authority needs to vouch for legitimacy of message
• Need to preserve privacy
  • Keep ownership of message secret from authority
• Existing proposals
  • Routers need to “mark” packets
  • Idea of an accountability provider
Designing privacy-preserving accountability systems
• Idea: use blind signatures
• Conventional blind signatures
  • Used in: E-Cash, self-certified public keys, E-Voting schemes
  • Heavyweight in nature
• Observation: blind signatures have the potential to form critical building blocks in privacy-preserving accountability protocols
• Need to construct efficient blind signatures
Solution Overview
• Signer (ISP):
  • Generate ephemeral key pair
  • Send ephemeral public key to owner of message (customer)
• Owner (Customer):
  • Generate blinded hash of message
  • Send blinded message to signer
• Signer:
  • Sign blinded message
  • Send signature to owner
• Owner: generate blind signature on original message
• Transformed blind signature valid on original message under public key of ISP
• ISP cannot associate (message, blind signature) pair with customer
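The blind/sign/unblind/verify exchange above, written out as an added example using Chaum's RSA blind signature; this is not the seminar's scheme (which is built around an ephemeral key pair rather than RSA) and not the author's code. The RSA parameters are toy-sized constants constructed for illustration, and the roles follow the slide: the customer is the owner, the ISP is the signer.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA parameters, constructed for illustration only (two Mersenne primes;
# a real deployment needs a properly generated modulus of 2048 bits or more).
P = (1 << 61) - 1
Q = (1 << 31) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
ISP_PUBLIC_KEY = (N, E)      # known to every customer and to any verifying router
ISP_PRIVATE_KEY = (N, D)     # held only by the signer (ISP)

def message_hash(message: bytes) -> int:
    """Hash of the message into Z_N (toy: SHA-256 reduced mod N)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def blind(message: bytes, public_key):
    """Owner (customer): multiply H(m) by r^e so the signer sees only a random-looking value."""
    n, e = public_key
    while True:
        r = secrets.randbelow(n - 2) + 2       # blinding factor, kept secret by the owner
        if gcd(r, n) == 1:
            break
    blinded = (message_hash(message) * pow(r, e, n)) % n
    return blinded, r

def sign_blinded(blinded: int, private_key) -> int:
    """Signer (ISP): an ordinary RSA signature on the blinded value; it never sees m."""
    n, d = private_key
    return pow(blinded, d, n)

def unblind(blind_signature: int, r: int, public_key) -> int:
    """Owner: divide out r, since (H(m) * r^e)^d = H(m)^d * r mod n."""
    n, _ = public_key
    return (blind_signature * pow(r, -1, n)) % n

def verify(message: bytes, signature: int, public_key) -> bool:
    """Any router or authority checks the signature under the ISP's public key."""
    n, e = public_key
    return pow(signature, e, n) == message_hash(message)

def run_protocol(message: bytes) -> dict:
    """One full exchange; returns what the signer saw and what the owner ends up with."""
    blinded, r = blind(message, ISP_PUBLIC_KEY)
    blind_signature = sign_blinded(blinded, ISP_PRIVATE_KEY)
    signature = unblind(blind_signature, r, ISP_PUBLIC_KEY)
    return {"signer_view": (blinded, blind_signature), "signature": signature}
```

The signer's transcript holds only the blinded value and its raw signature, neither of which appears in the final (message, signature) pair, which is what keeps the ISP from tying a signed packet back to the customer.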
The “real world”: use of policies in information security
• HIPAA: the health care industry has embraced policies to take administrative, technical and physical safeguards
  • Ensure integrity and confidentiality of individually identifiable health information held or transferred by them
  • Protect against any reasonably anticipated threats, unauthorized use or disclosure
  • Ensure compliance by officers and employees
• So what? I don't work for a health care company!
  • People thought about protecting systems and information via policies
  • Other regulatory frameworks may try to piggyback off of the HIPAA model
The “real world”: use of policies in information security
• Sarbanes-Oxley (SOX)
  • After Enron, Adelphia Communications and others showed there were flaws in the financial reporting requirements of the time, Congress passed SOX
  • Purpose: to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to securities laws
  • The IT Governance Institute has used frameworks to create specific IT control objectives for SOX
• What do you have to do to comply with SOX?
  • Security policy and standards
  • Access and authentication
  • User account management
  • Network security
  • Monitoring
  • Segregation of duties
  • Physical security
The “real world”: use of policies in information security
• Security policy
  • For SOX, policies are key to demonstrating compliance
  • Auditors will look for:
    • Whether policies exist for appropriate information security topics
    • Whether policies have been approved at appropriate management levels
    • Whether policies are communicated effectively to personnel
  • See ISO 17799 and the SANS Security Policy Project: http://www.sans.org/resources/policy
The “real world”: use of policies in information security
• Policies for access and authentication
  • The company must employ methods to validate that only authorized personnel can access the system and perform activities within their level of authorization
  • Methods could include:
    • Biometric mechanisms
    • Password mechanisms: subject to policies regarding length, complexity, aging and reuse; prohibit password sharing
The “real world”: use of policies in information security
• Policies for network security
  • Perimeter security with firewalls and IDS
  • Internal firewalls could be warranted to segregate sensitive areas of the internal network or wireless access points
  • Encryption should be used for sensitive information (SSL, PGP, etc. for financial information)
  • Anti-virus protection should be installed and regularly updated
  • Wireless security requires special assessment and could be segregated from the remainder of the network (remember the TJX incident!)
  • Regular penetration testing
The “real world”: use of policies in information security
• Auditors will look for:
  • Whether standards exist for appropriate technology areas given the nature of your business and your environment
  • Whether standards have been approved at appropriate management levels
  • Whether standards are communicated effectively to personnel
  • Whether standards are followed
  • Process for error and exception handling
  • Process for modification of standards
Conclusions (Questions)
• Are we aware, are we conscious?
• Context: business world
  • Are policies needed at all? (Depends on context)
  • Enforcing policies increases cost. Companies are moving out of the US before going public
  • Do we protect the company more or the user more?
• Context: academic world (overlaps with business world?)
  • Are traditional security courses enough?
  • Do graduate security courses need to include material on security policies?
  • How aware do students graduating and entering the “real world” need to be about security policies?
Thank you
Discussions