SLIDE 1

Secrets and Lies

a summary traversal of Bruce Schneier’s book

David Morgan

Complexity is the worst enemy of security.

[chart: security decreasing over time while complexity increases]

Trajectory of our industry

BECAUSE

“As systems get more complex [they do], they necessarily get more secure.”

SLIDE 2

Security of computer systems is a business problem

a business uncertainty: cost/benefit

– what does it cost the business (not somebody else) to be secure?
– what does it cost to not be secure?
– which is the better deal?

treated by risk management

Standardized practice, regulation, enforcement

– employment
– workplace environment
– air traffic
– building and civil engineering
– food and drug
– accounting
– computer products

“There's no reason to treat software any differently from other products. Today Firestone can produce a tire with a single systemic flaw and they're liable, but Microsoft can produce an operating system with multiple systemic flaws discovered per week and not be liable. Today if a home builder sells you a house with hidden flaws that make it easier for burglars to break in, you can sue the home builder; if a software company sells you a software system with the same problem, you're stuck with the damages.” p. 8

SLIDE 3

Three steps to sweeten the security deal

– enforce liabilities
– allow liability transfer among parties
– reduce risk

Enforce liabilities

create a (negative) incentive to be secure

– prevailing vacuum: no liability, so no incentive, so no security

enforce liabilities in proportion among the parties:

– maker of the vulnerable software
– author of the attack tool that exploits it
– user of the attack tool (“attacker”)
– sysadmin for the victim network

SLIDE 4

Enforce liabilities

who gets the blame today, and why?

– sysadmin: 100% – available to blame
– tool user: 0% – can’t catch him
– tool author: 0% – can’t catch him
– maker: 0% – liability unenforced

what if this changes?

Allow liability transfer among parties

insurance industry

– assuming liability is their business

incentivize higher security with lower premiums

SLIDE 5

Provide mechanisms to reduce risk

– automatic: by makers, pursuant to the incentive
– security standards: set centrally, required by the insurance industry
– outsourcing to firms that specialize in security

THE LANDSCAPE

what are the issues we need to address

SLIDE 6

Idle claim

“this software is secure”

idle because it is incomplete

– does not address the system, only the product
– does not address the threat

idle because it isn’t possible to attest

– security weakness is about what you don’t know
– you do not know what you don’t know
– therefore you do not know your security weakness

Windows 10 promotional video

10-reasons-to-upgrade-to-Windows-10_security.mp4

…against what?

SLIDE 7

“most secure ever” probably means

Windows 10

– fixed more security vulnerabilities
– added more security features
– than ever

It doesn’t mean…

– that it’s the most secure Windows ever
– that Microsoft knows whether it is
– that that’s knowable

security is not black and white; “we are secure” is naïve and simplistic

– secure from whom?
– secure against what?

security of the system, not the product, counts; context matters more than technology

– security against the average hacker vs. against the NSA
– what is the size of the fire?

The landscape – themes

SLIDE 8

Some pre-digital threats

theft, embezzlement, voyeurism, extortion, fraud

– snake oil

impersonation

Threats in the digital age

the same list: theft, embezzlement, voyeurism, extortion, fraud

– snake oil

impersonation

SLIDE 9

Threats in any age

the bad guy has a business model too: the asset he threatens is worth only so much to him, and it is useful to the good guy to understand that model

– that way you might influence the bad guy’s motive

(threat components: agent, means, opportunity, motive)

So what’s new with threats?

automation

– salami attack

action at a distance

– the world’s pickpockets are all in your house

technique propagation

– the first attacker needs skill; the others use his software

SLIDE 10

Technique propagation

So what’s new with threats? (continued)

physical theft

– stolen material is gone; you can no longer use it
– basis of legal injury
– availability and integrity violated

digital theft

– stolen material is still there; you can still use it
– no similar injury
– availability and integrity preserved (only confidentiality is lost)

SLIDE 11

Attacks

– criminal
– publicity
– legal

Adversaries classified by

– objectives
– access
– resources
– expertise
– risk (how much they are willing to accept)

SLIDE 12

Adversaries

– hackers
– lone criminals
– malicious insiders
– industrial espionage
– press
– organized crime
– police
– terrorists
– national intelligence
– infowarriors

Security needs

– privacy
– multilevel security
– anonymity
– authentication
– integrity
– audit
– electronic currency
– proactive solutions

SLIDE 13

TECHNOLOGIES

what tools do we have to address the issues

Tools for offense and defense

cryptography, network, software, hardware, etc. – to discuss another day mostly, but:

– Schneier devotes 12 chapters to “Part 2: Technologies”
– I want to discuss “Computer Security” and “Software Reliability”

SLIDE 14

CIA triad again: access control is central

early computer security stressed confidentiality, because early research was military

but confidentiality is about access control, and so are integrity and availability: C, I, A all boil down to access control

– C is about access for reading
– I is about access for writing
– A is about access itself, in general

goal: authorized people have access to do what’s authorized; everyone else does not

SLIDE 15

Need access control?

– first computers: small scale, full trust – no
– became multi-user at scale – yes
– personal computers: single-user – no
– networking: multi-user at scale – yes

Access – subject & object

subject

– user
– process

objects

– file
– database record
– device
– memory region
– another process (plug-in)

SLIDE 16

Controlling access

Control what can be done to objects

– permissions
– e.g. the permission mechanisms in particular filesystems: ext, NTFS, …

or

Control what subjects can do

– capabilities
– e.g. database management systems

are these different methods, or different perspectives?

Security models

multi-level

– formalization of military classification/clearance

Bell-LaPadula

– no write down, no read up

mandatory vs. discretionary access controls; Chinese wall; Clark-Wilson

SLIDE 17

Security at low level (hardware/OS)

reference monitor

– active, explicit mediation of every access

trusted computing base

– the set of components that collectively enforce a security policy

secure kernel

– the (sub)set of components in the trusted computing base that specifically implements the reference monitor
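A worked example for slides 16 and 17, added here and not part of the slides or of Schneier’s book: a toy reference monitor in Python that mediates every access through one check, applying Bell-LaPadula (no read up, no write down) as the mandatory policy and an access matrix as the discretionary policy, and logging every decision as the audit trail a TCB is expected to keep. It also answers slide 16’s question the classic way: permissions (an ACL) are a column of the access matrix and capabilities are a row of the same matrix. The subjects, objects, labels and grants are constructed for illustration.

```python
"""Toy reference monitor: one chokepoint that explicitly mediates every access.

Added example for this summary; it is not code from the slides or from
Schneier's book. Subjects, objects, labels and grants are constructed.
"""
from collections import defaultdict

# Total order of labels (Bell-LaPadula allows any lattice; a chain suffices here).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


class ReferenceMonitor:
    def __init__(self):
        self.clearance = {}                 # subject -> label (MAC)
        self.classification = {}            # object  -> label (MAC)
        self.matrix = defaultdict(set)      # (subject, object) -> modes (DAC)
        self.audit = []                     # every decision, allowed or denied

    def add_subject(self, name, clearance):
        self.clearance[name] = clearance

    def add_object(self, name, classification):
        self.classification[name] = classification

    def grant(self, subject, obj, *modes):
        """Discretionary grant: add modes to one cell of the access matrix."""
        self.matrix[(subject, obj)].update(modes)

    # One access matrix, two perspectives (slide 16's question):
    # a column is the object's ACL, a row is the subject's capability list.
    def acl(self, obj):
        return {s: sorted(m) for (s, o), m in self.matrix.items() if o == obj and m}

    def capabilities(self, subject):
        return {o: sorted(m) for (s, o), m in self.matrix.items() if s == subject and m}

    def check(self, subject, obj, mode):
        """Mandatory (Bell-LaPadula) rule first, then the discretionary cell.

        Unknown subjects, objects or modes are denied: the monitor fails closed.
        """
        if subject not in self.clearance or obj not in self.classification:
            allowed = False
        else:
            ls = LEVELS[self.clearance[subject]]
            lo = LEVELS[self.classification[obj]]
            if mode == "read":
                mandatory_ok = ls >= lo     # simple security property: no read up
            elif mode == "write":
                mandatory_ok = ls <= lo     # *-property: no write down
            else:
                mandatory_ok = False
            allowed = mandatory_ok and mode in self.matrix[(subject, obj)]
        self.audit.append((subject, mode, obj, "ALLOW" if allowed else "DENY"))
        return allowed


def demo():
    """Build a small system whose DAC grants are generous, so MAC does the work."""
    rm = ReferenceMonitor()
    rm.add_subject("alice", "secret")
    rm.add_subject("bob", "confidential")
    rm.add_object("war_plan", "secret")
    rm.add_object("memo", "confidential")
    rm.add_object("bulletin", "unclassified")
    for obj in ("war_plan", "memo", "bulletin"):
        rm.grant("alice", obj, "read", "write")
    rm.grant("bob", "war_plan", "read", "write")   # MAC will still deny the read
    rm.grant("bob", "memo", "read")                 # DAC alone denies the write
    return rm


if __name__ == "__main__":
    rm = demo()
    for subject, obj, mode in [("alice", "war_plan", "read"), ("alice", "bulletin", "write"),
                               ("bob", "war_plan", "read"), ("bob", "war_plan", "write"),
                               ("bob", "memo", "write")]:
        rm.check(subject, obj, mode)
    for entry in rm.audit:
        print(*entry)
```

Note what the audit trail shows: alice, cleared secret, can read the secret war plan but may not write the unclassified bulletin (no write down), while bob, cleared confidential, may write the war plan but not read it (no read up), and his write to the memo fails on the discretionary cell alone. The monitor itself would have to sit inside the trusted computing base; Python code in the same process as its callers is the illustration, not the protection.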

Multics operating system

– the most successful historical implementation
– built with the security model and mathematical formalisms explicitly in mind
– small: 56,000 lines of code (vs. 15 million in Windows 95; Linux similarly large)
– last Multics system deactivated in 2000

SLIDE 18

Covert channels

a communication channel that can transfer information in violation of a system’s security policy

storage channels

– least significant bits of color bytes in an image file
– reserved or user-definable fields in packet headers

timing channels

– port knocking
– a non-covert timing channel, for comparison: Morse code, http://funtranslations.com/morse#
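The first storage channel above, worked through as an added example that is not part of the slides or of Schneier’s book: a message is written into the least significant bit of successive pixel bytes, so every sample changes by at most one unit and the picture looks unchanged, while a receiver who knows the convention reads it back. The carrier here is a constructed byte string standing in for raw image samples; a real use would read and write the pixel data of an image file.

```python
"""Covert storage channel: a message in the least significant bits of pixel bytes.

Added example for this summary, not code from the slides or Schneier's book.
The carrier is a constructed byte string standing in for raw image samples.
"""

HEADER_BYTES = 4   # message length, big-endian, embedded before the message


def capacity(carrier: bytes) -> int:
    """Bytes of message the carrier can hide: one bit per sample, minus the header."""
    return len(carrier) // 8 - HEADER_BYTES


def embed(carrier: bytes, message: bytes) -> bytes:
    """Overwrite the LSB of successive carrier bytes with the bits of length+message."""
    if len(message) > capacity(carrier):
        raise ValueError(f"carrier holds {capacity(carrier)} bytes, message is {len(message)}")
    payload = len(message).to_bytes(HEADER_BYTES, "big") + message
    out = bytearray(carrier)
    for i in range(len(payload) * 8):
        bit = (payload[i // 8] >> (7 - i % 8)) & 1   # MSB-first within each byte
        out[i] = (out[i] & 0xFE) | bit              # touch only the lowest bit
    return bytes(out)


def _read_bytes(carrier: bytes, start_bit: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs starting at carrier[start_bit]."""
    out = bytearray()
    for j in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (carrier[start_bit + j * 8 + k] & 1)
        out.append(value)
    return bytes(out)


def extract(carrier: bytes) -> bytes:
    """Inverse of embed; the receiver needs only the carrier and the convention."""
    length = int.from_bytes(_read_bytes(carrier, 0, HEADER_BYTES), "big")
    if length > capacity(carrier):
        raise ValueError("no well-formed message in this carrier")
    return _read_bytes(carrier, HEADER_BYTES * 8, length)


def max_sample_change(original: bytes, stego: bytes) -> int:
    """Why the channel is covert to the eye: no sample moves by more than one unit."""
    return max(abs(a - b) for a, b in zip(original, stego))


def make_carrier(n: int = 4096) -> bytes:
    """Constructed stand-in for pixel data (deterministic, not a real image)."""
    return bytes((i * 37 + (i >> 3)) & 0xFF for i in range(n))


if __name__ == "__main__":
    cover = make_carrier()
    stego = embed(cover, b"meet at dawn")
    print(extract(stego), max_sample_change(cover, stego))
```

The point for a defender is that integrity of the image is preserved as far as any viewer can tell; the only way to notice the channel is statistical (the LSB plane of natural images is not uniformly random, and a payload makes it so), which is why covert channels are a policy problem for the reference monitor rather than something an access check catches.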

Evaluation criteria

Orange Book (TCSEC)

– hierarchy of security level designations: D, C1, C2, B1, B2, B3, A1
– did not make systems provably secure
– for local, stand-alone computers, not networked ones
– varies from other nations’ standards efforts

Common Criteria

– international standardization effort

SLIDE 19

Software reliability

Murphy’s computer

– must work in the presence of random faults
– no adversary

Satan’s computer

– must work in the presence of deliberate faults
– a witting adversary

Murphy’s Law: anything that can go wrong, will go wrong.

STRATEGIES

now what are we going to do about it all

SLIDE 20

Things you should keep in mind when you are securing… what?

object of the verb: “the entire system”

– all your organization’s computer infrastructure
– plus your extended environment (not just equipment): your office space, your people
– plus your telecommute workers’ homes
– plus your road warriors’ hotels
– plus your trusted vendors’ “entire systems”
– plus your ISP, plus your cloud provider, plus, plus, plus…

Security is

– a chain; the weakest link breaks it (weak link == vulnerability)
– a process, not a product

Security as a process/practice

the math doesn’t fail; the implementation of it fails, the process of using the math

– sometimes I don’t buckle my bike helmet strap
– sometimes I mis-distribute my crypto keys

implementation could even exacerbate

– iatrogenic effects: “iatro” doctor, “genic” originated; disease caused by the treatment

SLIDE 21

Attack methodology

– plan what to attack
– plan how to attack
– get in
– do it
– get out: cleanse traces; check the evidence of how the system is maintained; install a future path back in

weak links in the chain: the intersection of

– system susceptibility
– attacker access to it
– attacker capability

vulnerability: “attack surface”

– network attack surface
– software attack surface
– human attack surface

Vulnerabilities

http://www.spi.dod.mil/tenets.htm

SLIDE 22

Countermeasures

ways to reduce vulnerabilities; 3 parts

– protection
– detection
– reaction

Vulnerability landscape

physical security vs. virtual security

– firewall == fence
– authentication == gate guard

the trust model

– without benefit of an individual’s physical presence

lifecycle of a system

SLIDE 23

Lifecycle of a system

– design
– manufacture
– shipment
– installation
– operation
– maintenance

Each stage is an opportunity for possible insertion of vulnerable components.

Rationally apply countermeasures

– protect against the threats that pose the greatest risk, not against the most manifest one while ignoring all others
– value depends on context: attacker and defender may ascribe different value
– teenagers steal floppies for the value of the disk itself

SLIDE 24

Threat modeling

figuring out all the ways to

– rig an election
– defeat secure communication
– subvert electronic payment systems

because your personality can’t help it

– Mr. Cook model

assess risk

– some unlikely
– some should be expected
– which should you protect against?

Threat modeling

– identify and risk-rank threats
– decide a security policy to defend against them
– design countermeasures to effect the policy: protection, detection, reaction

SLIDE 25

Product testing and verification

beta (functional) testing doesn’t test security; security is independent of functionality

products should “do what they’re designed to do and no more”

– why “and no more”?
– beta testing tests only that they do what they’re designed to do

Security testing

– can show the presence of flaws
– cannot show the absence of flaws
– trust comes only from long, broad, uneventful usage, not from testing

– RSA is probably OK: prime factoring is probably infeasible
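An added example for the two points above (not code from the slides or from Schneier’s book): a hypothetical file server’s name resolver under an assumed document root /srv/www. The naive version does exactly what it was designed to do, and its functional test passes; it also does more, because a request name can walk out of the root. The hardened version keeps the same design and adds “and no more”. The security test lists which hostile inputs escape the root: a non-empty result shows a flaw is present, an empty one shows only that these particular inputs were handled, not that no flaw exists. Only path strings are computed; no file is opened.

```python
"""Functional test vs. security test on one small function.

Added example for this summary, not code from the slides or Schneier's book.
ROOT, the request names and the "server" are constructed; only path strings
are computed, no file is opened.
"""
import posixpath
from typing import Callable, List, Optional

ROOT = "/srv/www"          # assumed document root of a hypothetical file server


def resolve_naive(name: str) -> str:
    """Does what it was designed to do: map a request name to a file under ROOT.

    It also does more: '..' and absolute names walk out of ROOT (path traversal).
    """
    return posixpath.normpath(posixpath.join(ROOT, name))


def inside_root(path: Optional[str]) -> bool:
    return path is not None and (path == ROOT or path.startswith(ROOT + "/"))


def resolve_hardened(name: str) -> Optional[str]:
    """Same design, plus 'and no more': refuse anything that would leave ROOT."""
    if posixpath.isabs(name):
        return None
    path = posixpath.normpath(posixpath.join(ROOT, name))
    return path if inside_root(path) else None


def functional_test(resolve: Callable[[str], Optional[str]]) -> bool:
    """What beta testing checks: designed inputs give designed outputs."""
    cases = {
        "index.html": ROOT + "/index.html",
        "img/logo.png": ROOT + "/img/logo.png",
        "img/../index.html": ROOT + "/index.html",   # '..' that stays inside is fine
    }
    return all(resolve(name) == expected for name, expected in cases.items())


HOSTILE = [                      # constructed attacker inputs, not from the slides
    "../../etc/passwd",
    "/etc/shadow",
    "img/../../../../root/.ssh/id_rsa",
    "a/../..",
]


def security_test(resolve: Callable[[str], Optional[str]]) -> List[str]:
    """What beta testing never asks: which hostile inputs escape ROOT?"""
    escaped = []
    for name in HOSTILE:
        path = resolve(name)
        if path is not None and not inside_root(path):
            escaped.append(name)
    return escaped


if __name__ == "__main__":
    for fn in (resolve_naive, resolve_hardened):
        print(fn.__name__, "functional:", functional_test(fn), "escaped:", security_test(fn))
```

Both resolvers pass the functional test; only the naive one fails the security test, and with every hostile name on the list. The list is a few cases the tester thought of, which is exactly why its passing proves nothing about the cases nobody thought of.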

SLIDE 26

Patch is not fix

Heartbleed: public announcement and patch were concurrent

– one minute later nothing was fixed
– one year later, is Heartbleed fixed?

The future of products

getting more complex

– lines of code in successive Windows versions
– number of function calls in OSs

so, getting less secure: ever increasing insecurity (worse than entropy!!)

SLIDE 27

More complex, less secure

– number of security bugs
– modularity (exposure at interfaces)
– interconnectedness of systems
– more unknowable, less susceptible to analysis
– increased testing requirements

Sun is gone, IoT is here

“Complexity is creeping into everything…. My old thermostat had one dial…. My new thermostat has a digital interface and a programming manual…. Thermostats based on Sun Microsystems’s “Home Gateway” system come with an internet connection, so you can conveniently contract with some environmental company to operate your too-complicated thermostat. Sun is envisioning Internet connections for all your appliances and your door locks.”

– year 2000

SLIDE 28

Security processes

old approach

– prevent threats

new approach

– accept threats, detect them and respond
– manage the risk they pose

“Risk management is the future of digital security. Whoever learns how to best manage risk is the one who will win. Insurance is one critical component of this. Technical solutions to mitigate risk to the point where it is insurable is another…. The prize doesn’t go to the company that best avoids the threats, it goes to the company that best manages the risks.”

look at the credit card industry
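The new approach above, detect and respond, worked through as an added example that is not code from the slides or from Schneier’s book; it is the detection and reaction parts of slide 22’s three-part countermeasure applied to password guessing against a server. The log lines are constructed in sshd’s usual “Failed password” format (an assumption about the format, not lines from any real host); the threshold, window, year and allowlist are arbitrary assumptions. Detection is a sliding window of failures per source address; reaction is a planned action per alert rather than a live firewall change.

```python
"""Detect and respond: brute-force logins in auth log lines.

Added example for this summary, not code from the slides or Schneier's book.
The log lines are constructed in the usual sshd "Failed password" format;
threshold, window, year and the allowlist are arbitrary assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
Mar 13 10:00:01 web1 sshd[1200]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
Mar 13 10:00:04 web1 sshd[1201]: Failed password for root from 203.0.113.9 port 40002 ssh2
Mar 13 10:00:05 web1 sshd[1202]: Failed password for dave from 198.51.100.7 port 51000 ssh2
Mar 13 10:00:09 web1 sshd[1203]: Failed password for invalid user oracle from 203.0.113.9 port 40003 ssh2
Mar 13 10:00:12 web1 sshd[1204]: Accepted publickey for dave from 198.51.100.7 port 51001 ssh2
Mar 13 10:00:15 web1 sshd[1205]: Failed password for invalid user test from 203.0.113.9 port 40004 ssh2
Mar 13 10:00:21 web1 sshd[1206]: Failed password for root from 203.0.113.9 port 40005 ssh2
Mar 13 10:00:30 web1 sshd[1207]: Failed password for invalid user guest from 203.0.113.9 port 40006 ssh2
Mar 13 10:45:00 web1 sshd[1300]: Failed password for dave from 198.51.100.7 port 51002 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
YEAR = 2024               # syslog lines carry no year; assumed
THRESHOLD = 5             # this many failures ...
WINDOW_SECONDS = 60       # ... within this sliding window trigger an alert


def parse(lines):
    """Yield (timestamp, source ip, user) for each failed-password line."""
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def detect(lines, threshold=THRESHOLD, window=WINDOW_SECONDS) -> Dict[str, dict]:
    """Detection: per source ip, keep the failures inside the window; alert once."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, ip, user in parse(lines):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()                       # forget failures older than the window
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {"count": len(q), "first": q[0], "last": ts, "last_user": user}
    return alerts


def react(alerts, allowlist=frozenset()) -> List[Tuple[str, str]]:
    """Reaction: block the source, except allowlisted ones, which only get a ticket.

    Returns planned actions instead of executing them; turning a "block" into a
    firewall deny rule is the deployment-specific part.
    """
    actions = []
    for ip in sorted(alerts):
        actions.append(("notify" if ip in allowlist else "block", ip))
    return actions


if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for ip, info in found.items():
        print(ip, info["count"], "failures between", info["first"].time(), "and", info["last"].time())
    print(react(found, allowlist={"198.51.100.7"}))
```

On the sample, 203.0.113.9 trips the threshold at its fifth failure (10:00:21) and is blocked; 198.51.100.7 has two failures forty-five minutes apart, never fills the window, and is never touched. The allowlist is the “manage the risk” part: a known jump host that starts failing logins is worth a ticket, not an outage.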