(IN)SECURITY , RISK & THE LIFECYCLE OF VULNERABILITIES Dr. - - PowerPoint PPT Presentation
(IN)SECURITY , RISK & THE LIFECYCLE OF VULNERABILITIES Dr. Stefan Frei Security Architect at Swisscom frei@techzoom.net Twitter @stefan_frei Cyber & Networking Security Networking security has become critical issue for all types
(IN)SECURITY , RISK & THE LIFECYCLE OF VULNERABILITIES
Security Architect at Swisscom
frei@techzoom.net Twitter @stefan_frei
NetSec 2015 Slide 2
Cyber & Networking Security
§ Networking security has become critical issue for
all types of industries
§ But in many aspects, cyber security differs
fundamentally from past challenges
NetSec 2015 Slide 3
What makes the cyber world special?
§ Communication between people, machines and
devices
§ Increase of computing performance § Price erosion § Software eats the world
NetSec 2015 Slide 4
Technology & Innovation
In just two decades, new technologies and the Internet transformed society and businesses alike We had little time to learn or adopt – as individuals, society
We have to adopt to permanent change and high dynamics
1 Million Years 50 Years
NetSec 2015 Slide 5
The Environment
Internet usage has grown to more than three billion users The number of targets, revenue per target and type of exploitation has also evolved rapidly:
§ Networking evolved from dedicated point to point connections to
ubiquitous communication between people, platforms, and applications
§ Vulnerabilities in applications and devices are now globally
exposed and accessible
NetSec 2015 Slide 6
Why is network security an issue?
Infinite Interactions, Protocols, Service, Apps
§ Economy and our life increasingly depend on the
Internet
§ Distributed information systems have become critical
infrastructures Open Systems
§ technology is standardized and is no longer a secret
Insecurity driven by organized adversaries
§ Entirely new «business models»
NetSec 2015 Slide 7
Security has become critical
§ Security
§ Security is one of the hidden building blocks of the Internet § The limits of security imply the limits of the Internet
§ Growing online business attracts attackers
§ Attackers increase the cost of doing business online § But the business opportunities of being on the Internet far
Early Adoption (mid 90s) Hype (late 90s) Trough of Disillusionment (2000-2003) Serious Use (since 2000)
Market acceptance
Time
NetSec 2015 Slide 8
Internet Security Evolution
Figure courtesy Engin Kirda, Northwestern University
NetSec 2015 Slide 9
The Threat Environment
Vandalism Author
Tools Theft
Personal Gain Personal Fame Curiosity Script- Kiddy Hobbyist Hacker Expert
Tools created by experts are used by less-skilled criminals, for personal gain
Fast growing segment Motivation Attackers’ Expertise
systems is growing continously
security
NetSec 2015 Slide 11
Network of People, Devices, and Services
The increasing number of new ways of interaction also create novel attack paths which are not predictable by definition
NetSec 2015 Slide 12
Complex Adaptive System (CAS)
§ Connectivity
A decision on one part will affect all other related parts
§ Co-Evolution
Elements can change based on their interaction between one another and the environment
§ Sensitive Dependence
Sensitivity to initial conditions (non-linearity, cascades)
§ Emergent Order
Potential for emergent and unpredictable behaviour
Source: http://web.mit.edu/esd.83/www/notebook/Complex%20Adaptive%20Systems.pdf
NetSec 2015 Slide 13
Strategies to Handle Unpredictability Men
§ Predict and model risks § Relies on accuracy of
models and probabilities
§ Optimization:
short term gain, efficiency > fragile
Nature, Evolution
§ No attempt to predict risks § Relies on redundancy and
robustnes
§ Absorption:
long term survival, diversity > anti-fragile Prevent Shocks Absorb Shocks
Source: Antifragile: Things That Gain from Disorder, by Nassim Nicholas Taleb
NetSec 2015 Slide 14
Innovation & Price Erosion
§ Continued miniaturisation and price erosion § Today’s transistors are 90,000x more
efficient and 60,000x cheaper than in 1971
§ A car today would cost USD 0.25
and consume 0.2 ml/100 km
Source: The Economist, The End of Moore's Law
attackers can afford functionality and tools that were beyond their reach a decade ago
NetSec 2015 Slide 16
Innovation & Price Erosion
15 Years
USD 500,000
Revalidate security assumptions based on the (A) limited availability, (B) unaffordability, or (B) limited performance
USD 500
Nonexistent or previously unavailable technologies become common goods
Software Defined Radio
NetSec 2015 Slide 17
Examples of new Attack Vectors
§ Software Defined Radios (SDR)
§ All radio communication and protocols without hard crypto
protection are highly exposed § Drones
§ Drones easily bypass perimeters to sniff or insert eavesdropping
devices § Robots
§ Robots can access areas not accessible by humans. Remotely
controlled to manipulate, monitor, or take other actions
NetSec 2015 Slide 18
Playground for Software Defined Radios (SDR)
§ Unsecured communication and networks are exposed
WHO ARE THE ATTACKERS?
NetSec 2015 Slide 20
Attacker Motivation
§ Ego
§ Show the world what one can do, impress peers § To live some fantasy of omnipotence
§ Revenge, destruction, creation of fear
§ Cyber warfare § Terrorism § Secret service activities (Stuxnet 2010, Snowden/NSA 2013) § Revenge (e.g. a disgruntled employee)
§ Criminal intent
§ Blackmail, racketeering (Schutzgelderpressung) § Credit card fraud § Infiltrating e-banking § Spamming, phishing
NetSec 2015 Slide 21
What can attackers do?
§ Attack flow of information
§ Send fake messages § Replay messages § Modify messages in transit
§ Denial of service (DOS)
§ Overload system resources
§ Internet infrastructure
§ DNS, BGP, ARP
§ Unauthorized access to
services
§ Infiltrate security protocols
§ Abuse Systems
§ Infiltrate system with attack code
§ Modify web pages
§ change content § place attack code
§ Hijack sessions
§ E-banking
§ Identity theft § Social engineering § Break crypto § etc.
NetSec 2015 Slide 22
Where are the attack targets?
§ Local Attacks: Client-side attacks dominate
§ Browser attacks targeting plug-ins § IFrame based attacks are now prevalent
§ Attacks of all shapes and sizes
§ Anti-virus worms § Social networking attacks – Twitter & Facebook § Phishing - banking industry is target #1 § Web mines - www.goggle.com rather than www.google.com § Documents - PDFs are not safe!
§ Data stored on end-points is often most valuable and the
least protected!
NetSec 2015 Slide 23
Targeted Opportunistic
Attacker Objectives Resources Proceeding
Nation States, Agencies
Terrorism
financial resources
not cost
hidden attacks
chain
Terrorists
Doubt (FUD)
financial resources
network of supporters
black market
(Organized) Crime
long term
specialists
Hacktivists, Groups
vulnerabilities in systems/organizations
resources
amateurs & specialists
unpredictable momentum
Vandals, Script Kiddies
resources and know-how
Actors & Attackers
NetSec 2015 Slide 24
Actor: Nation States
§ Nation States
§ Virtually unlimited resources § The have a mandate by law to do certain things § Access (technical or legal) to critical components of the Internet
infrastructure (like backbone)
§ Attacks on the integrity of the supply chain § Espionage and sabotage
NetSec 2015 Slide 25
Actor: Terrorists
§ Terrorists
§ Maximize attention/publicity § Spread Uncertainty Doubt and Fear (FUD) § Misuse of services with large number of followers/large audience
(Twitter, Facebook, TV, ..)
§ Targeting large events (Sports, conferences, ..)
NetSec 2015 Slide 26
Cyber | Crime – All New?
§ Crime & Organized Crime
§ The first law code ever edited (code of
Hammurabi) documents that organized crime was very real 4000 years ago Long history of the dark that developed itself in the middle of people, and society § Cyber
§ Term coined by Norbert Wiener in 1948, used in
reference to the control of complex systems
§ Today: Mesh of computers, networks,
and lots of people Short history of new technologies
Code of Hammurabi Cyber Threats
NetSec 2015 Slide 27
Usage of Technology & Innovation
§ Throughout history, new technologies have revolutionized
crime and warfare alike, so has information technology
§ Criminals proofed repeatedly to be very fast adopters of
new technology
§ Bonnot Gang: Notorious French anarchists, inventors of the motorized get-
away to outrun the police on horses (1911)
SECURITY CONCEPTS
NetSec 2015 Slide 29
What is the Objective?
Confidentiality
§ prevention of unauthorized
disclosure of information
Integrity
§ prevention of unauthorized
modification or deletion of information § Availability
§ prevention of unauthorized
withholding of information
And more: Authenticity, Accountability, Non repudiation, Privacy confidentiality integrity availability
NetSec 2015 Slide 30
Attack Classification
Classification due to Steve Kent, BBN Technologies
NetSec 2015 Slide 31
Secure communication using an insecure channel
Sender Receiver
Channel
Security trans- formation
Message Secret Key 1
Attacker
Security trans- formation
Message Secret Key 2
encryption decryption
Kerckhoff’s design principles for military ciphers
NetSec 2015 Slide 32
What is a “Secure Channel”?
Not confidential channel An attacker can eavesdrop on all information sent. Confidential channel No eavesdropping possible on information sent. Not authentic channel The receiver has no guarantee that the sender is the one he claims to be, and that the content is original. Authentic channel The receiver can be assured that the sender of the information is the one he claims to be and that the content is original.
Channel type Not confi- dential confi- dential Not authentic authentic secure = authentic and confidential
NetSec 2015 Slide 33
Security on different layers
Application Transport Network Application Transport Network Application Transport Network
User Interface User Interface Quantum Cryptography IPSEC SSL SSH Link encryption Auth Auth Auth Intrusion detection/protection, spam filtering, economic incentives, legal enforcement, forensics Hardware & software platforms, environments
Physical Layer Physical Layer Physical Layer
RISK MANAGEMENT
Never interrupt your enemy when he is making a mistake
Napoleon Bonaparte (1769-1821)
NetSec 2015 Slide 35
Security is a trade-off
§ There’s no such thing as absolute security, security
always involves trade-offs
§ If no airplanes flew, 9/11 couldn’t have happened. § If your business is offline, you can’t be hacked.
§ We can have as much security as we want
§ What are you willing to give up to get it? § Trade-offs can be financial, social, functional, etc.
§ We make decisions every day about these trade-offs.
§ Have you ever crossed a busy road?
NetSec 2015 Slide 36
Take risk at the right place
NetSec 2015 Slide 37
Risk Analysis – A Process Methodology
those risks?
cause?
solution impose?
Source: Bruce Schneier, BlackHat 2003
§ Finally: Is the trade-off worth it?
Are the costs, risks and trade-offs caused by the security countermeasure worth the additional security?
NetSec 2015 Slide 38
Risk Management
§ Security is relative
§ Many risks and mitigations are possible. § Things fail all the time > manage risks. § Security is one of a number of competing objectives.
Against a profit driven attacker, it is sufficient to be a harder target than your compeditor.
NetSec 2015 Slide 39
Risk Management
§ Options
§ avoid risk
(give up business, skip project, ..)
§ decrease risk
(by technology, procedures)
§ transfer risk
(buy insurance)
§ accept risk
§ Security measures must make business sense
§ Risk < Opportunity
NetSec 2015 Slide 40
Reduce Risk and Evaluate
Avoid Insure Decrease Accepted risk Opportunity Total risk
NetSec 2015 Slide 41
Dealing with Risks
Avoid
decision to not become involved, or action to withdraw
Reduce
action to reduce probability or impact
Transfer
buy insurance
Accept
accept loss or gain
Impact
Low Medium Catastrophic Very High Very Low Medium
Probability
"It is better to take risks you understand than to try to understand risks you are taking."
Nassim N. Taleb, Author of The Black Swan
Avoid risks you do not understand
NetSec 2015 Slide 42
Example: Unnecessary Risk Taking
§ Do not connect a critical system to the outside unless you know exactly what the consequences are § Is connecting the inflight entertainment bus to the flight control bus worth the risk? § Can you even assess this risk? § Are these systems truly separated? § You are about to give passengers and the Internet access to control systems (ask Fiat/Chrysler)
VULNERABILITY LIFECYCLE
There is no security on this earth, only opportunity
Douglas MacArthur (1880-1964)
NetSec 2015 Slide 44
Software Complexity
Facts
§ Software complexity is increasing § There is no secure software
Thus, we need to
§ handle vulnerabilities § deploy software updates efficiently § systematically test the security of critical systems
NetSec 2015 Slide 45
Vulnerabilities
§ Security vulnerability
§ “refers to a weakness in a system allowing an attacker to violate
the confidentiality, integrity, availability of the system or the data and applications it hosts.”
§ many similar definitions exist
§ There may be disagreement in concrete cases
§ “it’s a feature, not a vulnerability”, vendor may say
§ The security landscape is determined by vulnerabilities
NetSec 2015 Slide 46
CVE - standardized vulnerability names
§ Common Vulnerability Exposures (CVE)
§ CVE aims to standardize the names for all publicly known
vulnerabilities and security exposures.
§ CVE has become a de facto industry standard of vulnerability
identifiers.
§ CVE-yyyy-nnnn, e.g. CVE-2007-0943
§ Any security issue of relevance will eventually get a CVE
number assigned.
Source http://cve.mitre.org/about/index.html http://nvd.nist.gov
NetSec 2015 Slide 47
There Is No Secure Software
In spite of increased investment, the software industry at large is still unable to produce secure code
(red: top-10 software vendors) Source: http://techzoom.net/BugBounty/SecureSoftware
Security Vulnerabilities
(# published per month)
Insecure code gets exposed with the growth of Internet
NetSec 2015 Slide 48
Software Complexity & Security
Trend 5 yrs vs. last year (as of Aug 2015)
We need to handle and fix software vulnerabilities - and deploy updates effectively Only two of the top-10 software vendors reduced vulnerabilities over 5 year period - they employ the best computer scientists and engineers
Source: http://techzoom.net/BugBounty/SecureSoftware
NetSec 2015 Slide 49
Lyfecycle of a Vulnerability
Source: http://www.techzoom.net/security-ecosystem
NetSec 2015 Slide 50
Risk exposure
§ Pre-disclosure risk (exogenous)
§ Time from discovery to disclosure § Only a closed group is aware of the vulnerability. This group could
be anyone from hackers, organized crime or responsible security researchers/vendors § Post-disclosure risk (exogenous)
§ Time from disclosure to patch § User waits for the vendor to issue a patch. Public is aware of this
risk but has not yet received remediation from vendor § Post-patch risk (endogenous)
§ The time from patch availability to patch installation
NetSec 2015 Slide 51
Discovery, Exploit, Patch
§ x-axis: public disclosure date of vulnerability § y-axis: num. of days event happened before (-) or after (+)
disclosure
NetSec 2015 Slide 52
From discovery to disclosure
§ Measure of pre-disclosure risk § 50% of vulns known to insiders 30 or more days before
disclosure (less-than-zero-day).
ECDF: Empirical Cumulative Distribution Function
NetSec 2015 Slide 53
From discovery to disclosure
Assume you discover a high risk vulnerability in a prevalent product: What are your options?
NetSec 2015 Slide 54
From discovery to disclosure
§ (Less than) zero day vulnerability
§ Vulnerabilities not yet known to the public are systematically used
by cybercriminals, government agencies, .. § There is a market for new vulnerabilities
§ ZeroDayInitiative of Tipping Point, iDefense § Black market § Pricing from 1,000 to > 200,000 USD
Check out: http://www.zerodayinitiative.com/advisories/upcoming http://labs.idefense.com/vcp http://www.techzoom.net/security-ecosystem
NetSec 2015 Slide 55
Forbes article, 2012
Source: http://bit.ly/ForbsExploits by Forbes
“Each price assumes an exclusive sale, the most modern version of the software, and, of course, not alerting the software’s vendor. Some fees might even be paid in installments, with each subsequent payment depending on the vendor not patching the security vulnerabilities used by the exploit.”
NetSec 2015 Slide 56
From Exploit to Disclosure
§ High dynamics at the disclosure date (zero-day exploits) § Exploit availability jumps from 15% to 80% at disclosure § New exploits are readily assessed by advisory providers
NetSec 2015 Slide 57
Zero-day exploits and vulnerabilities
§ The zero-day: the day when a vulnerability becomes
known
§ By whom? (attacker, developer/vendor, public)? § Our position: by the public
§ Zero-day exploit: Attack that exploits a previously
unknown vulnerability
§ Exploit may make vulnerability public § Public announcement may make exploit possible
§ Terminology is not consistent in the security community
NetSec 2015 Slide 58
From disclosure to patch
§ Measure of post-disclosure risk § At disclosure, less than 50% of vulns have a patch § A month after disclosure, still ~30% unpatched vulns § zero day patch: disclosure date of the vulnerability - date when patch is
available = 0
NetSec 2015 Slide 59
Dynamics of (In)security
§ Difference between the exploit (red) and patch (green)
curves shows the imbalance in favor of insecurity.
§ The bad are consistently faster than the good.
NetSec 2015 Slide 60
Dynamics of (In)security
§ Extremely high dynamics around the disclosure day
§ Only around 50% of patches available at zero-day. § Around 80% of exploits available at zero-day.
§ Security is slow
§ Exploit availability stays higher than patch availability § Many vulnerabilities are unpatched even 100 days after disclosure.
§ Insiders
§ Many vulnerabilities known to closed group well before the
disclosure.
CONCLUSIONS AND TAKE HOME MESSAGE
NetSec 2015 Slide 63
Take Home Message
§ Security is Interdisciplinary
§ Technology, Economics, Organization, Psychology, .. § It‘s a complex adaptive system! § Complexity is our worst enemy § Security is a process, not a one-off thing
§ Risk Management
§ Security is a tradeoff § Risk management and analysis methodology § People and risk decisions § Don't take risks you don't understand
NetSec 2015 Slide 64
Take Home Message
§ Security Concepts
§ CIA Triad § Attacker classification § Security can be implemented on different OSI layers
§ Vulnerability Lifecycle
§ What is a vulnerability, CVE § Lifecycle events and risk-periods § Zero-day exploit/patch § Key numbers, global trends § Gap of insecurity
NetSec 2015 Slide 65
Take Home Message
§ Critical Communications
§ Critical communications must be secured
(authentication, confidetiality, integrity, availability)
§ Consider all unprotected network or radio
communication as highly exposed
§ Test the isolation between critical and non-critical
systems
NetSec 2015 Slide 66
Reader & References
§ Reader
§ Security Ecosystem and Vulnerability Lifecycle
http://weis09.infosecon.net/files/103/paper103.pdf
§ References
§ Common Vulnerabilities and Exposures (CVE)
http://cve.mitre.org
§ National Vulnerability Database (NVD)
http://nvd.nist.gov
§ E. Levy, Approaching Zero
IEEE Security and Privacy, vol.2, no.4, pp.65 2004
http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=1324603 (document only accessible from within ETH, or with established ETH VPN connection)