Cybersecurity Status regarding traditional vulnerabilities Some - - PDF document




Cybersecurity

Ed Lazowska IT & Public Policy Autumn 2004

2

Topics

❚ Status regarding “traditional” vulnerabilities
❚ Some “grand challenges”
❚ IT and counterterrorism
❚ Some legal and regulatory issues
❚ Security in open vs. closed systems
❚ Does it make sense to hunt for security holes?
❚ An economic perspective
❚ President’s Information Technology Advisory Committee on Cybersecurity

3

Cybersecurity Today and Tomorrow – NRC CSTB 2002

❚ General observations

❙ Vulnerabilities are growing faster than our ability/willingness to respond
❙ Achieving/maintaining security is expensive, so people “use” as little as they think they can get away with
❙ Overall security is only as strong as the weakest link
❙ The best is the enemy of the good
❙ Constant action and reaction
❙ Commercial and face-saving concerns of victims constitute a barrier to reporting

4

❚ Management

❙ We are doing far worse than best practices make possible
❙ We must change market incentives – for example, by becoming able to quantify security, and by shifting liability

5

❚ Operational considerations

❙ To promote accountability, frequent and unannounced penetration testing (“red-teaming”) is essential
❙ Mis-configuration is a leading cause of vulnerabilities; configuration tools are “miserably inadequate” today
❙ Organizations must have actionable fallback plans for when a cyberattack occurs

6

❚ Design and architectural considerations

❙ “Human error” is usually scapegoating – the problem usually is management, or operational, or design
❙ Current authentication methods are lame
❙ The “defensive perimeter” approach, while not totally useless, falls way short – there must be mutual suspicion within the perimeter


9

Information Technology for Counterterrorism – NRC CSTB 2003

10

❚ Observations

❙ IT is in the control loop of every other element of the nation’s critical infrastructure
❙ IT can be a target
❙ IT can also be a weapon: can be exploited to launch or exacerbate an attack, or to interfere with a response
❙ IT has an additional key role in counter-terrorism (e.g., datamining) and in response to terrorism (communication)

11

❚ Recommended short-term actions

❙ Enhance the communication and computing capabilities of emergency responders
❙ Promote the use of current best practices in information and network security

12

❚ Recommended research investments

❙ Information and network security

❘ Authentication, intrusion detection, containment, recovery, bug prevention/detection/repair

❙ C3I (Command, Control, Communication, and Intelligence) systems

❘ Interoperability, capacity, decision support, location-aware systems, sensornets

❙ Information fusion and datamining
❙ Privacy and confidentiality
❙ Human and organizational factors


13

Critical Information Infrastructure Protection and the Law – NRC CSTB 2003

❚ Information sharing

❙ Freedom of Information Act – companies reluctant to disclose CIIP-related information with the government
❙ Antitrust law – companies reluctant to share CIIP-related information with competitors

14

❚ Liability

❙ May need civil as well as criminal liability, to allow victims to recover losses from parties guilty of negligence or misconduct
❙ May need tort law as well as contract law – is there a legal duty on the part of a company to secure its CII?
❙ Standards, best practices, and audits: improve security, and provide a defense
❙ Current patchwork of regulations must be regularized

15

❚ The big picture

❙ Collective risks => collective actions
❙ “The crisis management mentality in the aftermath of 9/11 has pushed aside issues of privacy and civil liberties”
❙ Confused and confusing messages from government are a real problem – “a clear and consistent message from the government to the private sector will go a long way toward building the trust that is necessary to protect the nation’s CII”

16

Security in Open vs. Closed Systems – Ross Anderson, 2002

❚ It cuts both ways!

❙ When a researcher publishes a new abstract vulnerability, an attacker can devise a concrete attack much more easily if source is available
❙ However, time-to-market for a defense may be shorter for OSS
❙ But OSS makes it possible to identify new code, which is where the bug density will be highest
❙ But each individual tester has preferences, so there is something to “many eyeballs” at least in terms of variation in focus

17

Is finding security holes a good idea? – Eric Rescorla, 2004

Eric Rescorla, “Is finding security holes a good idea?,” Workshop on Economics and Information Security, May 2004


19

Why Information Security is Hard: An Economic Perspective – Ross Anderson, 2001

❚ Asymmetry of security

❙ Suppose Windows has 1M bugs, each with MTBF of 1B hrs
❙ Suppose Paddy works for the IRA, trying to hack the British Army’s Windows systems
❙ Suppose Brian is the British Army assurance guy in charge of blocking Paddy
❙ Paddy has a day job – so he can only test 1000 hrs/yr
❙ Brian has full Windows source code, dozens of Ph.D.s at his disposal, etc. – 10M hrs/yr of testing

20

❙ After a year, Paddy finds 1 bug, Brian patches 100K
❙ But the chance Brian has patched Paddy’s bug is only 10%

21

❚ Assignment of liability is crucial

❙ Survey of fraud against automatic teller machines

❘ US: if a customer disputes a transaction, the bank must prove the customer was mistaken
❘ Britain, Norway, the Netherlands: burden of proof lies with the customer

❙ Clear differences in bank behavior in these two situations!

22

❚ Alignment of financial incentives also is crucial

❙ Hal Varian: A consumer might pay $100 for anti-virus software to keep her system clean, but is unlikely to pay even $1 to prevent her system from being used to attack Amazon.com!

23

President’s Information Technology Advisory Committee
Subcommittee on Cyber Security
Presentation of Draft Findings and Recommendations

F. Thomson Leighton, Chair
November 19, 2004
Grand Hyatt Washington at Washington Center, Washington, D.C.

24

Societal Consequences of Information Technology Vulnerabilities (1)

• IT is at the heart of society; IT runs critical infrastructures: electric power grid, financial systems, air traffic control, food distribution, defense networks, etc.
• The use of IT (and the faith in it) has had enormous positive impact on productivity, with tremendous remaining potential (e.g., see PITAC Health Care report).


25

Societal Consequences of Information Technology Vulnerabilities (2)

• Ubiquitous interconnection is central to what makes IT important to society.
• But ubiquitous interconnection is also a primary source of widespread vulnerability.

26

The Problems are Growing at a Dramatic Rate (1)

• The number of new vulnerabilities discovered in software is growing at 140% per year, and is now in excess of 4000 per year (CERT).
• The average time between disclosure of a vulnerability and release of an associated exploit has dropped to 5.8 days (Symantec).
• The percent of PCs infected per month has grown from 1% in 1996 to over 10% in 2003 (ICSA Labs).
• The rate at which new hosts are “zombied” rose from 2,000 per day to 30,000 per day during the first 6 months of 2004 (Symantec).

27

The Problems are Growing at a Dramatic Rate (2)

• 92% of organizations experienced “virus disasters” in 2003 (ICSA Labs).
• 83% of financial institutions experienced compromised systems in 2003, more than double the rate in 2002 (Deloitte).
• Hostile (worm) traffic originated from 40% of networks controlled by Fortune 100 companies in 1H04, despite the fact that these companies have taken a variety of protective measures (Symantec).

28

The Problems are Growing at a Dramatic Rate (3)

• 17% of 100 companies surveyed reported being the target of cyber extortion (CMU-Information Week)
• The number of unique phishing attacks is doubling every month with 2000 different attacks perpetrated against millions of users in July alone (Anti-Phishing Working Group).
• 1% of US households fell victim to phishing attacks in early 2004, at a cost of over $400M in direct monetary losses (Consumers Union).

29

What Must be Done to Improve Cyber Security (1)

• Funding of Basic Research
– Basic research is needed to move us from a model of “plugging holes in the dike” in response to each new vulnerability to a model where the system as a whole is secure against large classes of current and future threats.
– Basic research is the responsibility of the Federal Government.

30

What Must be Done to Improve Cyber Security (2)

• Development and Technology Transfer
– Effective development needs supporting mechanisms such as testbeds and metrics.
– The Federal Government has a critical role to play in the development of metrics, testbeds, and best practices.
• Market Adoption of Products and Best Practices by Government and Industry
– Very important but not the primary focus of this report.


31

Research Activities in Federal Agencies

• Cybersecurity R&D takes place in a number of agencies.
• Primary focus of the Subcommittee has been on NSF, DARPA, and DHS.
• Also of note: NIST, NSA, and ARDA.
• Others: ODDR&E, DOE, FAA, NASA, NIJ, and the uniformed services.

32

National Science Foundation (NSF)

• Only substantial program to focus on basic research for the civilian sector.
• Much of NSF’s cybersecurity activity takes place within its Cyber Trust Program.
– Construes “cybersecurity” very broadly
– FY 2004: $64 million total; $31 million for research grants (which includes $5M from DARPA)
– Funded about 8% of proposals (6% of requested dollars); about 25% worthy of funding
• Other activities include scholarship support and initiatives that involve other NSF programs.

33

Defense Advanced Research Projects Agency (DARPA)

• Military focus: Some emphasis on networking systems that find targets and systems that kill targets.
• Short/middle-term time horizon: Departure from historical support of longer-term research.
• Programs are increasingly classified, thereby excluding most academic institutions. Also a departure from historical support of university researchers.
• Assumes other agencies, especially NSF, will fund basic research—DARPA’s (new) mission is to incorporate pre-existing technology into products for the military.

34

Department of Homeland Security (DHS)

• Focus on cooperative efforts, infrastructure such as metrics and testbeds, and technology transfer. Some efforts to improve Government adoption of new products.
• FY 2004 budget (and FY 2005 as well) is $18 million for cybersecurity; about $1.5 million directed to basic research. Most funding for short-term activities.
• WMD is primary priority. Assumes NSF and industry are responsible for basic research.

35

National Institute of Standards and Technology (NIST)

• Focus on standards, metrics, guidelines, testing, security checklists, and research.
• Research program is primarily near-term.
• Cybersecurity budget is approximately $15 million in FY 2004 (which includes $5 million in reimbursements from other agencies).

36

National Security Agency (NSA) & Advanced Research and Development Activity (ARDA)

• NSA
– Focus on high-end threats.
– Almost all cybersecurity research is directed towards the military and intelligence communities.
• ARDA
– Focus on high-risk, high-payoff sponsored research.
– Almost all research is directed towards the intelligence community.


37

Statement of the Fundamental Problem

The information infrastructure of the United States, on which we depend both directly and for control of our physical infrastructure, is vulnerable to terrorist and criminal attacks. The private sector has a key role to play in securing the nation’s IT infrastructure, by deploying good security products and adopting good security practices. But the Federal government also has a key role to play in providing the intellectual capital and evaluation infrastructure that enables these good security products and practices. The committee finds that the U.S. government is largely failing in its responsibilities in this regard.

38

Issue 1: Funding Levels for Civilian Cyber Security Research

• Finding: The Federal R&D budget provides severely insufficient funding for civilian basic research in cybersecurity.
• Recommendation: The overall funding for civilian basic research in cybersecurity should be substantially increased, i.e., by an amount of at least $90M annually. Further increases may be necessary depending on the Nation’s cybersecurity posture in the future.

39

• Some specific topics in need of greater attention:
– Computer Authentication Methodologies
– Securing Fundamental Protocols
– Secure Software Engineering
– End-to-end System Security
– Monitoring and Detection
– Mitigation and Recovery Methodologies
– Cyber forensics and Technology to Enable Prosecution of Criminals
– Modeling and Testbeds for New Technologies
– Metrics, Benchmarks, and Best Practices
– Societal and Governance Issues

40

Issue 2: The Cyber Security Basic Research Community

• Finding: The cybersecurity basic research community is too small, considering the importance of the work it undertakes, and fails to adequately engage the range of intellectual talent needed for genuine progress.
• Recommendation: The Federal government should aggressively seek to strengthen and enlarge the cybersecurity basic research community by supporting mechanisms aimed at recruiting and retaining current and future academic researchers in research universities.

41

Issue 3: Translating Research Into Better Cyber Security for the Nation

• Finding: Technology transfer efforts in the cybersecurity area are critical to the successful incorporation of Federal government-sponsored research into best practices and products.
• Recommendation: The Federal government should sustain and strengthen its support for technology transfer activities in cybersecurity.

42

Issue 4: Coordination and Oversight for Federal Cyber Security R&D Efforts

• Finding: The present Federal cybersecurity R&D effort lacks adequate coordination and coherence.
• Recommendation: An entity within the National Science and Technology Council should provide greater coordination and monitoring of federal R&D efforts in cybersecurity.