Secrets and Lies Secrets and Lies a summary traversal of Bruce - PDF document

Secrets and Lies Secrets and Lies a summary traversal of Bruce Schneier a summary traversal of Bruce Schneier’ ’s book s book David Morgan Page 1 Page 1 Complexity is the worst enemy of security. Trajectory of our industry Trajectory of our industry decreasing security, security, later earlier BECAUSE increasing complexity, complexity, earlier later “As systems get more complex [they do], they necessarily get more secure.”

Security of computer systems is a Security of computer systems is a business problem business problem � a business uncertainty � cost/benefit – what does it cost the business (not somebody else) to be secure? – what does it cost to not be secure? – which is the better deal? � treated by risk management Standardized practice, regulation,enforcement Standardized practice, regulation,enforcement � employment workplace � environment � air traffic � building and civil engineering � food and drug � accounting “There's no reason to treat software any differently from other products. Today Firestone can produce a � computer products tire with a single systemic flaw and they're liable, but Microsoft can produce an operating system with multiple systemic flaws discovered per week and not be liable. Today if a home builder sells you a house with hidden flaws that make it easier for burglars to break in, you can sue the home builder; if a software company sells you a software system with the same problem, you're stuck with the damages.” p. 8

3- -step to sweeten the security deal step to sweeten the security deal 3 � enforce liabilities � allow liability transfer among parties � reduce risk Enforce liabilities Enforce liabilities � create (negative) incentive to be secure – prevailing vacuum no liability � no incentive � no security � enforce liabilities, proportion to parties – maker of vulnerable software – author of attack tool that exploits it – user of attack tool (“attacker”) – sysadmin for victim network

Enforce liabilities Enforce liabilities � who gets the blame? � why? – 100% sysadmin – available to blame – 0% tool user – can’t catch him – 0% tool author – can’t catch him – 0% maker – liability unenforced what if this changes? Allow liability transfer among parties Allow liability transfer among parties � insurance industry – assuming liability is their business � incentivize higher security with lower premiums

Provide mechanisms to reduce risk Provide mechanisms to reduce risk � automatic by makers, pursuant to incentive � security standards set, centralized, required by insurance industry � outsourcing to firms that security-specialize THE LANDSCAPE what are the issues we need to address

Idle claim Idle claim � “this software is secure” � idle because it is incomplete – does not address the system, only the product – does not address threat � idle because it isn’t possible to attest – security weakness is about what you don’t know – you do not know what you don’t know – therefore you do not know your security weakness Windows 10 promotional video Windows 10 promotional video 10-reasons-to-upgrade-to-Windows-10_security.mp4 …against what?

“most secure ever most secure ever” ” probably means probably means “ � Windows 10 fixed more security vulnerabilities � added more security features – than ever It doesn’ ’t mean t mean… … It doesn � that it’s the most secure Windows ever � that Microsoft knows whether it is � that that’s knowable The landscape – The landscape – themes themes � security is not black and white � “We are secure” is naïve and simplistic – secure from whom? – secure against what? � security of the system, not the product, counts � context matters more than technology – security against average hacker � against NSA – what is the size of the fire?

Some pre- -digital digital Some pre threats threats � theft � embezzlement � voyeurism � extortion � fraud – snake oil � impersonation Threats in the digital age Threats in the digital age � theft � embezzlement � voyeurism � extortion � fraud – snake oil � impersonation

Threats in any age Threats in any age � bad guy has a business model too � asset he threatens is worth only so much to him � useful to good guy to understand that model – that way you might influence bad guy’s motive (threat components: agent, means, opportunity, motive) So what’ So what ’s new with threats? s new with threats? � automation – salami attack � action at a distance – the world’s pickpockets are all in your house � technique propagation – first attacker needs skill, others use his software

Technique propagation So what’ So what ’s new with threats? s new with threats? � physical theft – stolen material gone – you can no longer use it – basis of legal injury – availability and integrity violated � digital theft – stolen material still there – no similar injury – you can still use it – availability and integrity preserved

Attacks Attacks � criminal � publicity � legal Adversaries classified Adversaries classified � objectives � access � resources � expertise � risk

Adversaries Adversaries � hackers � organized crime � lone criminals � police � malicious insiders � terrorists � industrial espionage � national intelligence � press � infowarriors Security needs Security needs � privacy � multilevel security � anonymity � authentication � integrity � audit � electronic currency � proactive solutions

TECHNOLOGIES what tools do we have to address the issues Tools for offense and defense Tools for offense and defense � cryptography � network � software � hardware � etc - to discuss another day mostly, but: – Schneier devotes 12 chapters to “Part 2: Technologies” – I want to discusss “Computer Security” and “Software Reliability”

CIA triad again CIA triad again Access control is central Access control is central � early, computer security stressed confidentiality � because early research was military � But confidentiality is about access control � So are integrity and availability � C, I, A all boil down to access control – C � about access for reading – I � about access for writing – A � about access in general itself � goal: authorized people have access to do what’s authorized, everyone else does not

Need access control? Need access control? no - yes � first computers – small scale, full trust � became multi-user at scale � personal computers, single-user � networking – multi-user at scale Access – Access – subject & object subject & object � subject – user – processe � objects – file – database record – device – memory region – another process (plug-in)

Controlling access Controlling access Control what can be done to objects – permissions – e.g. permission mechanisms in particular filesystems, ext or ntfs or… or Control what subjects can do – capabilities – e.g. database management systems are these different methods, or different perpectives? Security models Security models � multi-level – formalization of military classification/clearance � Bell-LaPadula – no write down, no read up � mandatory vs discretionary access controls � chinese wall � clark-Wilson

Security at low level (hardware/OS) Security at low level (hardware/OS) � reference monitor – active, explicit mediation of every access � trusted computing base – set of components that collectively enforce a security policy � secure kernel – (sub)set of components in the trusted computing base that implements the reference monitor specifically Multics operating system Multics operating system � most successful historical implementation � built with the security model and mathematical formalisms explicitly in mind � small, 56,000 lines of code – 15 million in Windows 95 – linux similarly large � last Multics system deactiveated 2000

Covert channels Covert channels � communication channel that can transfer information in violation of a system’s security policy � storage channels – least significant bits of color bytes in an image file – reserved or user-definable fields in packet headers � timing channels – port knocking – non-covert timing channel: Morse code http://funtranslations.com/morse# Evaluation criteria � Orange book – hierarchy of security level designations D, C1, C2, B1, B2, B3, A – did not make systems provably secure – for local, stand-alone computers, not networked ones – varies from other nations’ standards efforts � Common Criteria – international standardization effort

Software reliability � Murphy’s computer – must work in the presence of random faults – adversaryless � Satan’s computer – must work in the presence of deliberate faults – witted adversary Murphy’s Law: Anything that can go wrong, will go wrong. STRATEGIES now what are we going to do about it all