
U.S. National Cybersecurity
Understanding
Internet Security
William J. Perry
Martin Casado • Keith Coleman • Dan Wendlandt
MS&E 91SI
Fall 2004
Stanford University
U.S. National Cybersecurity
October 12th, 2004
Announcements
• Axess + Email lists
• Coursework Forum
• Bios/Photos
Goal: Provide Working
Knowledge of Internet Security
Outline
What is Security?
Attack Classifications
Internet Security Mechanisms
Discussion Questions (if time)
What is “Security” ?
The “Big Five”
Security is traditionally broken up into:
1) Availability
2) Integrity
3) Confidentiality
4) Authentication
5) Access Control
Security From What?
What can disrupt
the higher-level
services running
on the Internet?
• Attacks
• Accidents
• Failures
(Photo: NASA Control Room)
Failures on the Internet
Why do security failures matter?
Security failures affect the Internet’s
ability to function as a reliable and
secure critical infrastructure.
Vulnerabilities
Def. vulnerability (n)
“a state with the potential to lead to a failure”
Where can vulnerabilities exist in technology?
Services (Amazon, SCADA)
Applications (Word, IE, Email Client)
Service-Level Protocols (http, smtp)
Network and Network Protocols (ip, tcp)
Operating Systems (Windows, Linux, Cisco IOS)
Physical Hardware (cables, routers, CPUs)
Basic Infrastructure (electricity)
Attack Classifications
(not mutually exclusive)
Vulnerabilities & Attacks
The nature of the network technologies, protocols, and
operators is the basis for attacks.
Attacks can (and will) come at vulnerabilities in every layer.
Big Question: What is it about the Internet architecture that
causes these vulnerabilities to exist?
(Figure: attacks at every layer: Humans, Application, Transport, Network, Physical)
Scanning & Fingerprinting
What is it?
Reconnaissance technique to explore
networks, classify + analyze connected
hosts, and identify potential vulnerabilities.
Example: nmap security scanner
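The kind of reconnaissance the nmap line refers to, in working form, as an added example (not from the slides): a minimal TCP connect() scan with banner grabbing and a crude fingerprint, in Python. So that it runs offline, the script starts its own fake SSH daemon on 127.0.0.1; the listener, the banner strings and the port range are constructed for the demo.

```python
import socket
import threading


def start_fake_service(banner: bytes) -> int:
    """Constructed stand-in for a real daemon: listen on 127.0.0.1, send
    `banner` to each client and close. Returns the port the OS picked."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


def scan_ports(host: str, ports, timeout: float = 0.5) -> dict:
    """TCP connect() scan (the noisy but privilege-free kind): a completed
    three-way handshake means the port is open. On open ports, read whatever
    the service volunteers first (banner grab). Returns {port: banner}."""
    found = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                rc = s.connect_ex((host, port))
            except OSError:
                continue  # filtered: no answer within the timeout
            if rc != 0:
                continue  # closed: the host answered with a RST
            try:
                banner = s.recv(256)
            except socket.timeout:
                banner = b""  # open but silent: would need a protocol-specific probe
            found[port] = banner
    return found


def fingerprint(banner: bytes) -> str:
    """Crude service classification from the banner, the simplest form of
    the probe-and-match logic behind a scanner's version detection."""
    text = banner.decode("ascii", "replace")
    if text.startswith("SSH-"):
        return "ssh"
    if text.startswith("220 ") and "SMTP" in text.upper():
        return "smtp"
    if text.startswith("220 "):
        return "ftp"
    return "unknown"


if __name__ == "__main__":
    # Constructed target: one fake SSH daemon on an ephemeral port.
    port = start_fake_service(b"SSH-2.0-OpenSSH_3.9p1\r\n")
    for p, banner in scan_ports("127.0.0.1", range(port - 2, port + 3)).items():
        print(f"{p}/tcp open  {fingerprint(banner)}  {banner!r}")
```

A connect() scan completes the handshake, so it shows up in the target's service logs; nmap's default SYN scan needs raw sockets precisely to avoid that, and its OS fingerprinting works from TCP/IP stack quirks rather than banners. The banner a service prints is also the first thing an attacker matches against a vulnerability list, which is why version strings are worth hiding or keeping current.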
Exploits
What is it?
The use of vulnerabilities in or
misconfiguration of software or hardware
to gain access to information or resources
on a system.
Exploits may be manual or automated.
Worms and viruses are exploits packaged with code that
facilitates propagation.
Example: the Blaster worm exploits a bug in the Windows RPC service.
Trojaned Software
What is it?
Software or hardware with hidden
functionality whose use gives an
attacker an avenue into a system
or its information.
This is sometimes also referred to as
a “backdoor”.
Example: A free copy of MS Word downloaded from Kazaa may
have been modified to include a trojan, leading to a compromise.
Denial of Service
What is it?
The malicious consumption of resources in order to
make a system incapable of fulfilling its designed role.
Attacks are often “distributed” to increase resource
consumption (zombies or botnets).
example: SYN flood against Yahoo
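Why a SYN flood works, and the stateless defence that takes most of the sting out of it, as an added example not from the slides: SYN cookies in Python, laid out like the classic Bernstein scheme (5-bit time counter, 3-bit MSS index, 24-bit MAC in the initial sequence number). The secret, the MSS table and the addresses are constructed for the demo; a real stack rotates the secret.

```python
import hashlib
import hmac
import struct
import time

# Constructed server secret. A real implementation keeps two and rotates
# them so that a leaked secret has a bounded lifetime.
SECRET = b"constructed-syn-cookie-secret"

# Only a handful of MSS values fit in the cookie, so they are table-indexed.
MSS_TABLE = [536, 1220, 1440, 1460]


def _mac(src_ip, src_port, dst_ip, dst_port, count):
    """24-bit keyed hash over the connection 4-tuple and the time counter."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{count}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0] & 0xFFFFFF


def make_cookie(src_ip, src_port, dst_ip, dst_port, mss, now=None):
    """Initial sequence number for the SYN-ACK. Top 5 bits: 64-second
    counter; next 3 bits: MSS index; low 24 bits: MAC. The server stores
    nothing for this half-open connection, so a flood of spoofed SYNs
    (which never produce an ACK) costs it no memory."""
    t = int(time.time() if now is None else now) // 64
    count = t & 0x1F
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            mss_idx = i
    return (count << 27) | (mss_idx << 24) | _mac(src_ip, src_port, dst_ip, dst_port, count)


def check_cookie(cookie, src_ip, src_port, dst_ip, dst_port, now=None, max_age=2):
    """Called when the final ACK arrives: `cookie` is (ack_number - 1).
    Returns the MSS to use if the cookie is ours and recent, else None."""
    t = int(time.time() if now is None else now) // 64
    count = (cookie >> 27) & 0x1F
    if (t - count) & 0x1F > max_age:
        return None  # stale: an old capture being replayed
    if not hmac.compare_digest(
        (cookie & 0xFFFFFF).to_bytes(3, "big"),
        _mac(src_ip, src_port, dst_ip, dst_port, count).to_bytes(3, "big"),
    ):
        return None  # wrong 4-tuple or guessed ISN
    return MSS_TABLE[(cookie >> 24) & 0x7]


if __name__ == "__main__":
    now = int(time.time())
    isn = make_cookie("203.0.113.7", 40000, "192.0.2.10", 80, 1460, now)
    print("SYN-ACK seq :", hex(isn))
    print("real ACK    :", check_cookie(isn, "203.0.113.7", 40000, "192.0.2.10", 80, now + 3))
    print("spoofed src :", check_cookie(isn, "198.51.100.9", 40000, "192.0.2.10", 80, now + 3))
    print("guessed ISN :", check_cookie(isn ^ 0x1234, "203.0.113.7", 40000, "192.0.2.10", 80, now + 3))
```

The trade-off that keeps cookies off by default on many stacks: the ISN has no room for TCP options (window scaling, SACK), so they are usually switched on only once the listen backlog fills. They also do nothing against the other half of the slide, a distributed flood that simply saturates the link; that has to be absorbed or filtered upstream.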
Social Engineering Attack
What is it?
Any attempt that employs non-technical means to
attack a system. Often the attacker uses
information gleaned from outside sources to
produce false credentials (dumpster diving).
Attacks are often hybrid, relying on human and
technical factors.
example: Beagle virus used email domain name to pose as
a message from the user’s ISP.
Access Control Failures
What is it?
Failure to set up adequate
access control
– Default configurations
– Privilege revocation
Example: default administrator
password for Windows
Authentication Failures
What is it?
Some authentication
schemes are better than
others:
– Passwords
– Public Key Crypto
Example: phishing schemes
that steal passwords break
the authentication model.
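To make "some authentication schemes are better than others" concrete, an added example not from the slides: a password login beside a challenge-response login (HMAC over a server nonce, standing in for a public-key signature), with an eavesdropper replaying what it captured from each. The user name, password and key are constructed for the demo.

```python
import hashlib
import hmac
import os


class PasswordServer:
    """Static secret: the client sends the password itself, so anyone who
    sees one login (sniffing, a phishing page) can log in too."""

    def __init__(self, users: dict):
        self._users = {}
        for user, pw in users.items():          # store salted hashes, never plaintext
            salt = os.urandom(16)
            self._users[user] = (salt, self._hash(salt, pw))

    @staticmethod
    def _hash(salt: bytes, pw: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

    def login(self, user: str, pw: str) -> bool:
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._hash(salt, pw))


class ChallengeResponseServer:
    """Keyed scheme (stand-in for a public-key signature over a nonce): the
    server issues a fresh random challenge and the client proves it holds the
    key by returning HMAC(key, challenge). The key itself never crosses the wire."""

    def __init__(self, keys: dict):
        self._keys = keys
        self._pending = {}

    def challenge(self, user: str) -> bytes:
        nonce = os.urandom(32)
        self._pending[user] = nonce
        return nonce

    def login(self, user: str, response: bytes) -> bool:
        nonce = self._pending.pop(user, None)   # single use, consumed even on failure
        key = self._keys.get(user)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(key: bytes, nonce: bytes) -> bytes:
    return hmac.new(key, nonce, hashlib.sha256).digest()


def replay_experiment() -> dict:
    """Constructed scenario: an eavesdropper records one complete login under
    each scheme, then replays exactly what it saw."""
    alice_pw = "correct horse battery"
    pw_srv = PasswordServer({"alice": alice_pw})
    sniffed_pw = alice_pw                         # what the wire (or phishing page) showed
    assert pw_srv.login("alice", alice_pw)

    alice_key = os.urandom(32)
    cr_srv = ChallengeResponseServer({"alice": alice_key})
    nonce = cr_srv.challenge("alice")
    sniffed_resp = client_respond(alice_key, nonce)   # the only thing on the wire
    assert cr_srv.login("alice", sniffed_resp)

    cr_srv.challenge("alice")                     # attacker starts a new login...
    return {
        "password_replay_works": pw_srv.login("alice", sniffed_pw),
        "challenge_replay_works": cr_srv.login("alice", sniffed_resp),   # ...old answer, new nonce
    }


if __name__ == "__main__":
    print(replay_experiment())   # {'password_replay_works': True, 'challenge_replay_works': False}
```

A phishing page collects nothing useful from the second scheme because the key is never typed or sent. The caveat a practitioner would add: a phishing proxy that relays the challenge and response in real time still gets one session, which is why schemes of this kind are paired with binding the response to the server's identity or channel.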
Infrastructure Attack
What is it?
An attack against the core systems that
operate as the Internet infrastructure. Attacks
can be either physical or virtual, often
focusing on central points of failure.
example: Attack on root DNS servers.
Insider Threats
What is it?
Attacks that exploit an existing trust
relationship to harm the overall security of
a system.
example: former employee uses knowledge of a
company’s network systems and passwords to
steal customer information entrusted to the
company
Traffic Sniffing/Modification
What is it?
Using access to a link or infrastructure
system to examine or modify the contents of
Internet traffic. Similar to a phone tap, with
ability to change contents.
example: ISP’s potential for information
gathering
Don’t Forget
Attacks are only one of the reasons systems
can fail. There are many other, perhaps less
exciting, ways systems are vulnerable.
Internet Security
Mechanisms
What is Cryptography
A critical TOOL in securing information
systems and their communications.
• You may have heard of:
– SSL
– Trusted Computing
– Public Key Cryptography
– Tripwire
Cryptography Overview
Crypto can give hard guarantees (backed by math) in
the digital world, similar to those we have long relied
upon for security in the physical world:
- Data Encryption (privacy)
“No one else can read my message”
- Data Integrity
“My message has not been modified”
“My message is from who it says it is”
Also provides for some improved authentication schemes.
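An added example (not from the slides) that ties the integrity guarantees above to the Tripwire mention and to the Trojaned Software slide: a Tripwire-style baseline in Python that hashes every file in a tree, then authenticates the baseline itself with an HMAC so a tamperer cannot simply rewrite it. The key, the directory tree and the "trojaned" binary are constructed for the demo; the key is assumed to be held off the monitored host.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed key, assumed to live off the monitored host (e.g. with the
# administrator). Without it, someone who alters files can't re-sign the baseline.
MANIFEST_KEY = b"constructed-manifest-key"


def file_digest(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """{relative_path: sha256} for every file under root (posix separators)."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            entries[rel] = file_digest(path)
    return entries


def build_manifest(root: str) -> bytes:
    """Baseline = snapshot + HMAC over its canonical encoding. The hashes
    give integrity ('not modified'); the keyed tag gives origin
    ('this baseline is from whoever holds the key')."""
    entries = snapshot(root)
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    return json.dumps({"entries": entries, "tag": tag}, sort_keys=True).encode()


def verify_tree(root: str, manifest: bytes) -> dict:
    """Check the tree against the baseline. If the tag doesn't verify, report
    nothing else: a forged baseline would otherwise 'prove' a trojaned tree clean."""
    doc = json.loads(manifest)
    body = json.dumps(doc["entries"], sort_keys=True).encode()
    expected = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["tag"]):
        return {"trusted": False, "modified": [], "added": [], "missing": []}
    baseline, current = doc["entries"], snapshot(root)
    return {
        "trusted": True,
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, swap one binary for a
    trojaned copy, drop a helper, then try to paper over it with a forged manifest."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        exe = os.path.join(root, "bin", "word.exe")
        with open(exe, "wb") as f:
            f.write(b"original program bytes")
        with open(os.path.join(root, "README"), "wb") as f:
            f.write(b"docs")
        manifest = build_manifest(root)

        with open(exe, "wb") as f:                      # the 'free copy' with a backdoor
            f.write(b"original program bytes + backdoor")
        with open(os.path.join(root, "bin", "helper.dll"), "wb") as f:
            f.write(b"payload")
        report = verify_tree(root, manifest)

        forged = json.loads(manifest)                   # attacker edits the baseline...
        forged["entries"] = snapshot(root)              # ...to match the trojaned tree
        forged_report = verify_tree(root, json.dumps(forged).encode())  # ...but can't re-sign it
        return {"report": report, "forged_trusted": forged_report["trusted"]}


if __name__ == "__main__":
    print(demo())
```

The same pattern, hash plus a key-backed tag, is what a signed software download is: the hash says the bytes are unchanged, the signature says who vouched for them. An unsigned hash on the same web page as the download proves nothing, since whoever replaced the file can replace the hash.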
Cryptography Examples
How do these mechanisms function?
(at 10,000 feet)
Problems with Crypto
• Bad Standards
– WEP, CSS (the DVD Content Scramble System)
• Bad Implementation
– IE, OpenSSL
• Attacks on Authentication
– Phishing, password sniffing
• Weak back-end
– Weak link, insider attacks
• Encryption is often slow & cumbersome
• PKI has difficulty scaling to large numbers
Ideal vs. Real Internet Security
Ideally we can utilize authentication and access
control to protect systems and data.
In reality this is not practical.
E.g. What if everyone needed to be
authenticated to talk to your computer?
Additionally, authentication schemes are only as
secure as those using them.
E.g. An uneducated but authenticated user may
install a trojan.
Attack Detection/Prevention
Firewalls – Software to inspect packets, compare them to
rules and drop traffic specified by these rules.
Intrusion Detection/Prevention Systems (IDS/IPS) –
Software to inspect traffic flows for signatures or other
behavior that appears to be malicious.
Anti-Virus Software – Inspects files for signs of infectious
programs and eliminates them.
These mechanisms can either be deployed on individual
hosts or on dedicated network servers.
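The IDS/IPS bullet above in working form, as an added example not from the slides: a few Snort-style signatures (literal content match and/or a regex, optional case folding) run over constructed sample packets in Python. Rule numbers, messages and packets are made up for the demo. The second HTTP packet shows the classic limit of literal signatures: a URL-encoded variant of the same attack passes unless the sensor normalizes the request first.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    """Subset of a Snort-style rule: protocol, destination port, a literal
    'content' substring and/or a 'pcre' regex, optional case folding."""
    sid: int
    msg: str
    proto: str
    dport: Optional[int]          # None = any port
    content: Optional[bytes] = None
    pcre: Optional[str] = None
    nocase: bool = False

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        data = pkt.payload.lower() if self.nocase else pkt.payload
        if self.content is not None:
            needle = self.content.lower() if self.nocase else self.content
            if needle not in data:
                return False
        if self.pcre is not None and re.search(self.pcre.encode(), data) is None:
            return False
        return True


RULES = [
    Rule(1001, "HTTP directory traversal via cgi-bin", "tcp", 80,
         content=b"/cgi-bin/", pcre=r"\.\./", nocase=True),
    Rule(1002, "DCE/RPC bind request to port 135", "tcp", 135,
         content=b"\x05\x00\x0b"),          # RPC v5.0 header, packet type 11 = bind
    Rule(1003, "shell path in payload", "tcp", None, pcre=r"/bin/sh"),
]


def run_ids(rules: List[Rule], packets: List[Packet]) -> List[Tuple[int, str, str]]:
    """Signature IDS core: every packet is checked against every rule and each
    hit yields (sid, src, dst). Dropping the packet on a hit instead of just
    logging it is what turns this IDS into an IPS."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule.matches(pkt):
                alerts.append((rule.sid, pkt.src, pkt.dst))
    return alerts


# Constructed sample traffic (not a real capture).
SAMPLE = [
    Packet("10.0.0.5", "192.0.2.1", "tcp", 80,
           b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.5", "192.0.2.1", "tcp", 80,            # same attack, URL-encoded
           b"GET /CGI-BIN/..%2F..%2Fetc/passwd HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.9", "192.0.2.2", "tcp", 135,
           b"\x05\x00\x0b\x03\x10\x00\x00\x00" + b"\x00" * 8),
    Packet("10.0.0.9", "192.0.2.3", "tcp", 4444, b"id; /bin/sh -i\n"),
    Packet("10.0.0.9", "192.0.2.1", "tcp", 443,
           b"\x16\x03\x01\x00\x95\x01\x00\x00"),           # TLS: opaque to the sensor
]


if __name__ == "__main__":
    for sid, src, dst in run_ids(RULES, SAMPLE):
        print(f"[{sid}] {src} -> {dst}")
```

Two things the sample traffic makes visible: signatures match bytes, not intent, so every encoding or fragmentation trick the sensor does not undo is a miss; and the TLS packet matches nothing because there is nothing to inspect, which is why network IDS is paired with host-based tools (the anti-virus bullet) that see data after decryption.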
Patching
Fix vulnerabilities in software that may lead to
exploitation. Patch management is major hidden cost to
companies.
Important:
- Process is still embarrassingly manual (changing?).
- Gap between release of patch + first exploit “in the wild” is shrinking (Witty
worm and zero-days).
- Often patches are not applied to critical systems because updates
sometimes have conflicts that can break software running on the systems.
Do we patch?
Check out “Security Holes? Who Cares” by Eric Rescorla:
http://www.rtfm.com/upgrade.pdf
Process, Education & Risk
Assessment
Often forgotten as security mechanisms:
- Having well-defined and consistent
preparation, response, and recovery plans
across an organization.
- Attempting to secure humans, often the
weakest link.
- Determining the danger associated with each
potential vulnerability.
Discussion Questions
Attributability
For traffic on the Internet, can we
determine who a packet came from?
Two levels:
- Can we tell what computer sent a given packet?
(what are the implications of source spoofing?)
- Can we attribute a packet to a human?
- What does this say about our ability to catch and
prosecute perpetrators of online attacks? What about
active response?
Determining Intent
Can you infer intent from analyzing network
traffic? What about at the application level?
- What is the difference between a denial of service attack
and normal overwhelming usage?
- What is more important, the intent or the result of Internet
traffic?
- What about ‘enablement’ versus ‘use’?
Trust Relationships
What are key trust relationships relating to
cybersecurity? Think about:
- designers
- developers
- distributors
- owners
- operators
- users
If security is a “weakest-link” issue, what forces
keep one of these trust links from breaking?
The Power of the Core
- How much control do we have with determining where
traffic flows on the Internet, and what entities have control
over it?
- What can someone ‘on route’ potentially do? How can
you trust the integrity of what you see?
- What does it take to have control of the Internet core?
Infrastructure Attacks
How vulnerable is the actual Internet
infrastructure to attacks?
- Could a single group bring down the Internet? What does
this mean? What kind of resources would it take?
- How reliant is the Internet on a relatively few critical
systems?
- What happens when you rely on the security of
infrastructure that you have absolutely no control over?
As a company? As a country? How does this compare to
security in the physical world?
Determining Identity
How can we trust an Internet entity is who
they say they are?
- Why is this process more difficult than it is in the “brick &
mortar” world?
- How important is this for a critical infrastructure?
- Do our solutions for providing identity scale to the millions
of actions on the Internet?
Overwhelming Complexity
What does the extreme complexity of the
Internet mean for our ability to secure it?
- Are there just too many things that could go wrong to ever
possibly be able to completely rely on it?
- In what way does the complexity impact our ability to
educate average users? Is user education necessary? Is
effective user education even possible?
- Will the Internet become more or less complex to manage
in the future?
Why is this so hard?
What are the major barriers to providing
security guarantees for an information
system on the Internet?
- What (or who) are the weak links for security systems?
- Can we ever really secure a usable Internet computer
system? (e.g. directed attack)
- How does software size & complexity relate to our ability
to secure a system? What is zero-day?