BASIC SECURITY CONCEPTS (Concetti base sulla sicurezza) - WordPress.com

Page 1

BASIC SECURITY CONCEPTS

Page 2

Objectives

• Present theories, methods, techniques and tools for making a computer system more secure.

• Acquire the technical knowledge needed to make informed decisions.

• Acquire the intuition needed to apply the concepts and evaluate relevant technologies.

• Acquire technological scepticism.

Page 3

Security incidents reported to CERT

Page 4

Some numbers

• Economic impact of viruses, worms and Trojan horses: $17.1 billion in 2000 ($8.75 billion due to the I Love You virus alone)

• In one study, one out of every 325 e-mails had a malicious attachment

• In a recent EU study, one out of every two e-mails sent is unsolicited junk, costing European businesses more than €2.5 billion a year in lost productivity

• In the first half of 2005 a record 1,862 new software vulnerabilities were discovered, 60% of them in programs that run over the Internet

Page 5

(Lack of) Security in the Media

• “Computer Hacker Invades Web Site of the Justice Department”, NYT, 18 August 1996

• “Hacker Group Commandeers The New York Times Web Site”, NYT, 14 September 1998

• “Yahoo Blames a Hacker Attack for a Lengthy Service Failure”, NYT, 8 February 2000

• “A Hacker May Have Entered Egghead Site”, NYT, 23 December 2000

Page 6

(Lack of) Security in the Media

• “Stung by Security Flaws, Microsoft Makes Software Safety a Top Goal”, NYT, 17 January 2002

• “Millions of Cisco Devices Vulnerable To Attack”, Information Week, 18 July 2003

• “A method for shutting down networking devices circulates on the Internet”

• “New Doomjuice Worm Emerges, Targets Microsoft”, Reuters UK, 9 February 2004

Page 7

(Lack of) Security in the Media

• And countless other incidents that are not publicized for fear of embarrassment

• Yet when a public incident occurs, security experts and antivirus software vendors tend to exaggerate its costs

• In 2002, US companies spent more than $4.3 billion on antivirus software products alone

Page 8

Changing face of attackers

• Shift from large, multipurpose attacks on the network perimeter towards smaller, more targeted attacks on desktop computers

• Shift from malicious “hacking” to criminal attacks with economic motives

– Identity theft

– Phishing

– Denial-of-service

Page 9

Identity theft

• In April 2005, an intrusion into the LexisNexis database compromised the personal information of about 310,000 persons

• In August 2004, an intrusion compromised 1.4 million records of personal information at UC Berkeley

• In August 2007, identity thieves who compromised Monster.com's database also made off with the personal information of 146,000 people who use USAJobs

Page 10

Phishing

• During the first half of 2005 the volume of phishing e-mails grew from an average of about 3 million a day to about 5.7 million

• One out of every 125 e-mail messages is a phishing attempt

• 1% of US households were victims of successful phishing attacks in 2004

Page 11

Cyberextortion

• During the first half of 2005 Denial-of-Service (DoS) attacks increased from an average of 119 a day to 927

• 17% of US businesses surveyed report having received shut-down threats by DoS attacks

• One company refusing to pay extortion spends $100,000 annually to defend against DoS attacks

Burstnet informatica ©

Page 12

“Botnets” and “Zombies”

• SecurityFocus, 23 January 2006

In October 2005, Dutch authorities arrested three men in the Netherlands who allegedly controlled a network of more than 1.5 million compromised computers

• International Herald Tribune, 10 November 2007

A computer security consultant accused of installing malicious software to create an army of up to 250,000 "zombie" computers so he could steal identities and access bank accounts will plead guilty to four federal charges

Page 13

Update

• New York Times, 25 September 2006

ChoicePoint, CardSystems Solutions, Time Warner and dozens of universities have collectively revealed 93,754,333 private records

The Commerce Department announced that between 2001 and the present, 1,137 laptops were lost, missing or had been stolen

• USA Today, 23 January 2009

Heartland Payment Systems disclosed that intruders hacked into the computers it uses to process 100 million payment card transactions per month for 175,000 merchants

Page 14

Update

• Forbes.com, 2 February 2009

..., the cost of a data breach for companies has risen to $202 per lost record, up from $197 in the institute's 2007 study. For the 47 companies audited in the study, those costs added up to $6.6 million per incident

• PCWorld, 7 August 2009

The distributed denial of service attack on Thursday that targeted Twitter, Facebook, LiveJournal, and several Google sites may have been politically motivated

Page 15

Symantec Internet Security Threat Report covering the first 6 months of 2006

• The Symantec Probe Network detected 157,477 unique phishing messages

• Botnets have become a major part of the underground economy

• An average of 6,110 denial-of-service attacks per day

Page 16

Update

Page 17

Symantec report of the Underground Economy – June 2008

Page 18

Security in context

• Security has to be custom tailored to individual needs, much like a suit or a dental prosthesis

• There is no “one-size-fits-all” solution

• Security is a complex and extensive area that permeates all levels of computing systems, including their physical environment

• Hardware-OS-Application-Network-Operator

• And like security in any other context, computer security is as strong as its weakest link

Page 19

Security in context

• We will study the technical issues related to security in a non-technical context

• “If you work with computer and network security long enough, you realize that the biggest problem is people: the people who design the software, the people who deploy it, the people who use the systems, the people who abuse the systems, and sometimes the people who guard the systems. There are certainly many technological challenges to be met, but the biggest problems still come back to people.” Gene Spafford

Page 20

Network Information Systems

We will cast our study of security in the context of Network Information Systems

Networked Information Systems (NIS) integrate:

• computers,

• communications, and

• people (as users and as operators)

Page 21

Network Information Systems

These systems are increasingly pervasive in everyday life:

• Public telephone system

• Electrical power grid

• Internet

• Banking and finance

• E-Business

• Ballistic missile defense

Yet they are not trustworthy

Page 22

Network Information Systems

Provide new opportunities

• Increase speed/bandwidth of interaction

• New modes for interaction with customers

• New services

Introduce new risks

• Dependence on complex hardware/software infrastructures

• Attacks from anywhere

• Sharing with anyone

• Automated infection

Page 23

Network Information Systems: software characteristics

• Substantial legacy content

– Documentation missing or incomplete

– Difficult to modify or port

• Grows by accretion and agglomeration

– No master plan or architect

– Nobody understands how/why the system works

• Uses commercial off the shelf (COTS) components and COTS middleware

Page 24

Some relevant business trends

• Organizations driven to operate faster / more efficiently (e.g. JIT production and services) due to increased competitiveness

• Climate of deregulation (e.g. power, telecom) requires cost control and product enhancements

• Rise of electronic commerce

Page 25

Trustworthiness

• A NIS is trustworthy when it works correctly despite

– Malicious/hostile attacks

– Design and implementation errors (bugs)

– Human user and operator errors

– Environmental disruptions

(in increasing order of frequency)

Page 26

Trustworthiness

• Trustworthiness is an example of a nonfunctional requirement

• A system satisfies its functional requirements if it does what it is supposed to do: inputs produce correct outputs

• A system satisfies its nonfunctional requirements (in a given context) if it does no more and no less than its functional requirements

Page 27

Trustworthiness

• By their nature, attacks/errors/bugs are unpredictable and cannot be formalized; to do so would rule out possible scenarios, and thus would be incorrect

• Trustworthiness cannot be added to an existing system as an afterthought

Page 28

Trustworthiness

• All aspects of trustworthiness can be seen as perturbations of the system. Are they all the same?

• Environmental disruptions are typically independent, thus replication can be effective

• Attacks and errors are not independent, thus replication is not effective

• Software bugs are probably the worst, as they may have arbitrary privileges

Page 29

What if a NIS is not Trustworthy?

• Information disclosure (stored or transmitted)

– personal embarrassment

– compromise of corporate strategy

– compromise of national security

• Information alteration

– affects government or corporate operations

• New forms of warfare

– disable capacity without physical destruction

– attack without physical penetration by the attacker

– “time bomb” and undetectable attacks

Page 30

Real world security

• Security in the real world is based on

– Value

– Locks

– Punishment

• Bad guys who break in are caught and punished often enough to make crime unattractive

• Ability to punish implies existence of a “police” force and a judiciary

• Locks must add minimum interference to life

Page 31

Real world security

• Not all locks are the same

– Different keys

– Different strengths

– Environment dependent

• Individual security needs are based on perception

• Pay for what you believe you need

• Locks do not provide absolute security but prevent casual intrusion by raising the threshold for a break-in

Page 32

Real world security

• Perfect defense against theft: put all of your personal belongings in a safe deposit box

• Problem: expensive and inconvenient

• Practical security balances the cost of protection against the risk of loss (cost of recovery times probability of loss)

• If the cost of protection is higher than the risk of loss, it is better to accept the loss as a “cost of doing business” (auto insurers, banks and credit card companies do this all the time)

Page 33

NIS Security

• With computers, security is mainly about software, which is cheap to manufacture, never wears out, and cannot be attacked with drills or explosives

• Computer security ≈ Cryptography

• Since cryptography can be nearly perfect, so can computer security

• This reasoning is flawed for several reasons

Page 34

Why do trustworthy NIS not exist?

• Most security problems are due to buggy code

– Cryptography won’t help this at all

– Reported bugs are found in cryptographic modules too

• Security is complex and difficult to get right and set up correctly

• Security is a pain and gets in the way of doing things

• Since the danger is small, people prefer to buy features over security

• Software and system market dominated by commercial off-the-shelf (COTS) components

– Leverage huge economies of scale, interoperability, reduced time-to-market, but inherit lack of trustworthiness

Page 35

Why do trustworthy NIS not exist?

• Patent restrictions

• Government regulations (restrictions on export of cryptography technologies)

• Reliance on existing communication infrastructures (Internet)

• Everything is interconnected

– Telephone and power companies use Internet technology

– Their operational systems are linked to their corporate systems, which are linked to the Internet

– And the Internet requires power, and is largely built on top of telephone circuits

Page 36

Economics of Trustworthiness

• Few customers understand

– What trustworthiness buys

– What is risked by its absence (reliability is an exception)

– Consumers seem to prefer functionality!

• Producers/consumers cannot assess

– Trustworthiness of products

– Costs of having trustworthiness in products

– Costs of not having trustworthiness in products

Page 37

Overview of NIS Security

Like any system, we can study security with respect to:

• Specification: What is it supposed to do?

• Implementation: How does it do it?

• Correctness: Does it really work?

In security, these are called

• Policy (Specification)

• Mechanism (Implementation)

• Assurance (Correctness)

Page 38

Overview of NIS Security

• Assurance is particularly important for security since the system may be subject to malicious attack

• Deployed systems may be perfectly functional for ordinary users despite having thousands of bugs

• But attackers try to drive the system into states that they can exploit, and the number of such states increases as the number of bugs increases

Page 39

Definitions

• Vulnerability: A weakness that can be exploited to cause damage

• Attack: A method of exploiting a vulnerability

• Threat: A motivated, capable adversary that mounts an attack

Strategies:

• Identify and fix each vulnerability (bug)

• Identify threats and eliminate those vulnerabilities that those threats exploit

Page 40

Shrinking Vulnerability-to-Attack Time

• In 2005, the mean time between the disclosure of a vulnerability and the release of associated exploit code was 6.0 days

• In 2005, an average of 54 days elapsed between the appearance of a vulnerability and the release of an associated patch by the affected vendor

Page 41

Vulnerabilities, attacks, threats

Range of threats that NIS face:

• Inquisitive, unintentional blunders (error)

• Hackers driven by technical challenges

• Disgruntled employees/customers seeking revenge

• Criminals interested in personal financial gain

• Organized crime with intent of financial gain

• Organized terrorist groups seeking isolated attacks

• Foreign espionage agents seeking information for economic, political, military purposes

Page 42

Knowledge vs Damage

Severity of a threat is related to the resources available for the attack

• Knowledge is a resource

• Money can buy anything, including knowledge

• Easy access to “packaged” knowledge (e.g., SATAN for Unix systems) results in a discontinuity between the technical expertise of a particular threat and the severity of the damage

Page 43

Google Hacking

• International Herald Tribune, 28 September 2006. “Hacking made easy: 'Secret' data just a Google search away”:

– One widespread vulnerability can be exploited through a practice that has come to be known as Google hacking. These hacks require no special tools and little skill. All that is needed is a Web-connected PC and a few keywords to look for, like "filetype:sqlpassword" or "index.of.password."

Page 44

Security Policies

NIS security needs typically worry about

• Secrecy (confidentiality): controlling who gets to read information

• Integrity: controlling how information changes or resources are used

• Availability: providing prompt access to information and resources

• Accountability: knowing who has had access to information or resources

Page 45

Security Policies

What do locks, keys, values and the police have to do with computer security?

• Locks: authorization, access control mechanisms

• Keys: authentication required to open a lock. Can be something the user knows, has or is

• Police: same as the real world. Since attacks can be launched remotely, equivalents of video cameras are needed for convicting offenders

Page 46

Gold standard of security

Any system claiming to be secure must contain mechanisms for:

• Authentication

• Authorization

• Auditing
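The three mechanisms of pages 44 to 46 (keys = authentication, locks = authorization, video cameras = auditing) in working form, as an added example that is not part of the slides. Every name in it is made up for illustration: the user store, the ACL of (principal, action, resource) triples, the resource "payroll.db" and the sample users. Passwords are kept only as a salted PBKDF2 hash and compared in constant time; authorization is a default-deny allow-list; the audit log records every decision, including the failed ones, since accountability is about who tried as much as who succeeded.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, List, Set, Tuple

# Hypothetical data layout; nothing here comes from the slides.
PBKDF2_ITERATIONS = 100_000
SALT_LEN = 16

UserDB = Dict[str, Tuple[bytes, bytes]]   # name -> (salt, pbkdf2 digest)
Acl = Set[Tuple[str, str, str]]           # (principal, action, resource)
AuditLog = List[Dict[str, object]]


# --- Authentication: the "key" that opens the lock ---------------------------
def register(users: UserDB, name: str, password: str) -> None:
    """Store only a random salt and a slow PBKDF2 hash, never the password."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    users[name] = (salt, digest)


def authenticate(users: UserDB, name: str, password: str) -> bool:
    """True only if the password matches the stored hash for `name`."""
    # Same hashing work and constant-time compare whether or not the user exists,
    # so response time does not reveal which account names are valid.
    salt, stored = users.get(name, (b"\x00" * SALT_LEN, b"\x00" * 32))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    matches = hmac.compare_digest(candidate, stored)
    return matches and name in users


# --- Authorization: the "lock" ----------------------------------------------
def authorize(acl: Acl, principal: str, action: str, resource: str) -> bool:
    """Explicit allow-list lookup; anything not listed is denied (default deny)."""
    return (principal, action, resource) in acl


# --- Auditing: the "video camera" -------------------------------------------
def audit(log: AuditLog, clock: Callable[[], float], principal: str,
          action: str, resource: str, outcome: str) -> None:
    """Append-only record. For failed logins `principal` is only the *claimed* name."""
    log.append({"time": clock(), "principal": principal, "action": action,
                "resource": resource, "outcome": outcome})


def access(users: UserDB, acl: Acl, log: AuditLog, name: str, password: str,
           action: str, resource: str, clock: Callable[[], float] = time.time) -> bool:
    """Authenticate, then authorize, and audit every decision including failures."""
    if not authenticate(users, name, password):
        audit(log, clock, name, action, resource, "auth-failed")
        return False
    if not authorize(acl, name, action, resource):
        audit(log, clock, name, action, resource, "denied")
        return False
    audit(log, clock, name, action, resource, "allowed")
    return True


def demo() -> AuditLog:
    """Constructed sample: two users, one ACL, four requests. Returns the audit log."""
    users: UserDB = {}
    register(users, "alice", "correct horse battery staple")
    register(users, "bob", "hunter2")
    acl: Acl = {("alice", "read", "payroll.db"), ("alice", "write", "payroll.db"),
                ("bob", "read", "payroll.db")}
    log: AuditLog = []
    access(users, acl, log, "alice", "correct horse battery staple", "write", "payroll.db")
    access(users, acl, log, "bob", "hunter2", "write", "payroll.db")        # not authorized
    access(users, acl, log, "bob", "wrong password", "read", "payroll.db")  # not authenticated
    access(users, acl, log, "mallory", "anything", "read", "payroll.db")    # unknown user
    return log


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The order matters: authorization is only meaningful for an authenticated principal, and the audit record for a failed login must not be mistaken for evidence that the named user acted, which is why the outcome field distinguishes "auth-failed" from "denied".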

Page 47

Assurance vs Functionality

• Assurance is the ability to convince ourselves that a system is trustworthy

• Increased functionality implies increased complexity, and complexity is the worst enemy of security

Page 48

Assurance vs Functionality

Two general principles to promote higher assurance:

• Economy of Mechanism: small and simple mechanisms whenever possible

• Open Design: the security of a mechanism should not depend on the attacker’s ignorance of how the mechanism works or is built

– No “security through obscurity”

– Makes security harder but is necessary for increased assurance
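The Open Design principle, shown with two message-authentication schemes as an added example that is not from the slides. Scheme A is a made-up "secret algorithm" (XOR with a pad compiled into the program); its only protection is that the attacker does not know how it works, and once the design is known one observed message/tag pair gives away the pad. Scheme B is HMAC-SHA256, whose algorithm is public and whose security rests entirely on a key. The pad value, the messages and the function names are constructed for this illustration.

```python
import base64
import hashlib
import hmac
import os

# ---- Scheme A: "security through obscurity" ---------------------------------
# The tag is the message XORed with a fixed pad baked into the program.
# It looks unforgeable only to someone who does not know how it is built.
_SECRET_PAD = b"fixed-pad-nobody-will-guess"   # hypothetical, compiled in


def xor_with_pad(data: bytes, pad: bytes) -> bytes:
    return bytes(b ^ pad[i % len(pad)] for i, b in enumerate(data))


def obscure_tag(message: bytes) -> bytes:
    return base64.b64encode(xor_with_pad(message, _SECRET_PAD))


def obscure_verify(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(obscure_tag(message), tag)


def recover_pad(message: bytes, tag: bytes, pad_len: int) -> bytes:
    """Attacker who knows the design: one observed (message, tag) pair at least
    pad_len bytes long yields the whole pad, since m XOR (m XOR p) = p."""
    if len(message) < pad_len:
        raise ValueError("need a message at least as long as the pad")
    return xor_with_pad(message[:pad_len], base64.b64decode(tag)[:pad_len])


def obscure_forge(message: bytes, recovered_pad: bytes) -> bytes:
    """With the pad in hand the attacker tags any message of their choosing."""
    return base64.b64encode(xor_with_pad(message, recovered_pad))


# ---- Scheme B: open design ---------------------------------------------------
# HMAC-SHA256: the algorithm is public; the only secret is the key.
def hmac_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def hmac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(key, message), tag)


def demo() -> dict:
    """Constructed sample: the attacker sees one legitimate (message, tag) pair
    under each scheme and tries to get a different message accepted."""
    seen = b"transfer 10 EUR to account 42"
    forged = b"transfer 9999 EUR to account 1"

    # Scheme A: knowing the design is enough to forge.
    pad = recover_pad(seen, obscure_tag(seen), len(_SECRET_PAD))
    forged_tag_a = obscure_forge(forged, pad)

    # Scheme B: the attacker knows the algorithm but not the key; guessing a key
    # or replaying the observed tag on a new message are the only moves left.
    key = os.urandom(32)
    forged_tag_b = hmac_tag(os.urandom(32), forged)

    return {
        "pad_recovered": pad == _SECRET_PAD,
        "obscure_forgery_accepted": obscure_verify(forged, forged_tag_a),
        "hmac_legit_accepted": hmac_verify(key, seen, hmac_tag(key, seen)),
        "hmac_forgery_accepted": hmac_verify(key, forged, forged_tag_b),
        "hmac_tag_reuse_accepted": hmac_verify(key, forged, hmac_tag(key, seen)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Scheme A fails the moment its design leaks (a disassembled binary, a departed developer, a leaked repository), and there is nothing to rotate afterwards short of shipping a new program. Scheme B can be published in full; compromise means rotating a key, which is exactly the property Open Design asks for.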