Incident(s) of the Week

Source file: kursawe/SiO2011/Slides/EcoSec.pdf


Why is that a security example ?

• Complex architecture

– It seems no one understood the interactions

• Acting on unchecked assumptions

– Unreachability of data downgrade


Economics of Security 1

How to sell security in your organization


What makes security a hard sell

• It’s a very different way of thinking than most normal people have

• It’s (usually) not where the money is (unless you turn to the dark side)


The Invisible Attack

• The worst attacks are the ones no one notices

– Stealing your product plans, bid proposals, …

– Sabotaging production sites, products, office progress

• Those only make the news if something went wrong (e.g., Stuxnet)

– Gives a wrong impression of what’s actually happening

• It’s hard to motivate someone to spend money on an unseen problem

– Can’t judge how bad the problem is

– Can’t measure if the money works

– Can’t be held accountable if an attack occurs


The Unseen Costs

Even if an attack is anticipated, it is often hard to estimate the costs it will cause

• What-if-scenarios

– Oracle vs SAP: $4 billion damage ??

– Hollywood against P2P: $62.500 per song ?

• Security Incident often only one puzzle piece

– How much did the OV card hack cost ?

– So our ex-employee copied all technical notes. Now what ?


Black Swans

Black Swan: highly unlikely, high-impact event.

Same effect as with the financial crisis: additional cost and loss of competitiveness NOW against a disaster in the future. If the disaster comes too late, everyone who acted responsibly is already bankrupt. In the IT world, an over-secure product may never take off in the first place.


Assurance: How to judge security

• Difficult to tell quality levels

– There is no easy measure for security

• Attack models differ, approaches don’t compare well

– First attempt: the Orange Book. Now we have the Common Criteria, which need experts to understand

• Has levels, but they are meaningless without looking at the protection profile

• E.g., Windows NT has EAL4 against a meaningless profile

• Often, even difficult to tell quality from nonsense

– And the nonsense is usually faster and leaner


Customer Pull

• Customers not willing to pay extra for security

• E.g., MiFare:

– Never meant for access control in buildings, but cheaper than the alternative

– Would you send a customer home if he wants to buy it for the wrong purpose ?

• E.g., Smart Meters

– Cheapest manufacturer wins

– No regulation in place (yet)


Lack of Differentiator

• Would you buy a TV that is more secure ?

– Even negative effect: Highlighting security scares customers

• Did you consider security when choosing your email provider ? Your ISP ?

– Do you actually know about their security policy ?

– Do you use two-factor authentication ?


• Did you buy the latest virus scanner/firewall ?

– Did you go by price or by quality ?


Accountability

Who is accountable for security incidents ?

• Macro-Level: Are companies responsible for delivering bad security ?


Software Licenses

• 5. APPLICABLE LAW

• This LICENSE shall be deemed to have been made in, and shall be construed pursuant to, the laws of the State of California. The United Nations Convention on Contracts for the International Sale of Goods is specifically disclaimed.

• 6. DISCLAIMER OF WARRANTIES AND LIMITATION ON LIABILITY

• 6.1 No Warranties. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE SOFTWARE IS PROVIDED "AS IS" AND Company AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, EITHER EXPRESS, IMPLIED, OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. Without limiting the foregoing, you are solely responsible for determining and verifying that the SOFTWARE that you obtain and install is the appropriate version for your model of graphics controller board, operating system, and computer hardware.

• 6.2 No Liability for Consequential Damages. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL Company OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS PROFITS, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, OR ANY OTHER PECUNIARY LOSS) ARISING OUT OF THE USE OF OR INABILITY TO USE THE SOFTWARE, EVEN IF Company HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.


And another one

6. Disclaimer of Warranties. YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT USE OF THE Company SOFTWARE IS AT YOUR SOLE RISK AND THAT THE ENTIRE RISK AS TO SATISFACTORY QUALITY, PERFORMANCE, ACCURACY AND EFFORT IS WITH YOU. EXCEPT FOR THE LIMITED WARRANTY ON MEDIA SET FORTH ABOVE AND TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE Company SOFTWARE IS PROVIDED “AS IS”, WITH ALL FAULTS AND WITHOUT WARRANTY OF ANY KIND, AND Company AND Company’s LICENSORS (COLLECTIVELY REFERRED TO AS “Company” FOR THE PURPOSES OF SECTIONS 6 AND 7) HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH RESPECT TO THE Company SOFTWARE, EITHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES AND/OR CONDITIONS OF MERCHANTABILITY, OF SATISFACTORY QUALITY, OF FITNESS FOR A PARTICULAR PURPOSE, OF ACCURACY, OF QUIET ENJOYMENT, AND NON-INFRINGEMENT OF THIRD PARTY RIGHTS. Company DOES NOT WARRANT AGAINST INTERFERENCE WITH YOUR ENJOYMENT OF THE Company SOFTWARE, THAT THE FUNCTIONS CONTAINED IN THE Company SOFTWARE WILL MEET YOUR REQUIREMENTS, THAT THE OPERATION OF THE Company SOFTWARE WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT DEFECTS IN THE Company SOFTWARE WILL BE CORRECTED. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY Company OR AN Company AUTHORIZED REPRESENTATIVE SHALL CREATE A WARRANTY. SHOULD THE Company SOFTWARE PROVE DEFECTIVE, YOU ASSUME THE ENTIRE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES OR LIMITATIONS ON APPLICABLE STATUTORY RIGHTS OF A CONSUMER, SO THE ABOVE EXCLUSION AND LIMITATIONS MAY NOT APPLY TO YOU.

7. Limitation of Liability. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT SHALL Company BE LIABLE FOR PERSONAL INJURY, OR ANY INCIDENTAL, SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, LOSS OF DATA, BUSINESS INTERRUPTION OR ANY OTHER COMMERCIAL DAMAGES OR LOSSES, ARISING OUT OF OR RELATED TO YOUR USE OR INABILITY TO USE THE Company SOFTWARE, HOWEVER CAUSED, REGARDLESS OF THE THEORY OF LIABILITY (CONTRACT, TORT OR OTHERWISE) AND EVEN IF Company HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME JURISDICTIONS DO NOT ALLOW THE LIMITATION OF LIABILITY FOR PERSONAL INJURY, OR OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS LIMITATION MAY NOT APPLY TO YOU. In no event shall Company’s total liability to you for all damages (other than as may be required by applicable law in cases involving personal injury) exceed the amount of fifty dollars ($50.00). The foregoing limitations will apply even if the above stated remedy fails of its essential purpose.


Accountability

Who is accountable for security incidents ?

• Macro-Level: Are companies responsible for delivering bad security ?

• Micro-Level: Who in the organization is accountable ?


In-Organization accountability

• Who is responsible for a security issue ?

– Programmer ?

– Architect ?

– CIO/CSO ?

– Management ?

– Quality Assurance Officer ?

• Which of those is still around when the problem comes up ?

• Does he have authority together with responsibility ?


Tragedy of the commons

Why should I not have my PC managed by the Mafia ?

• Mafia Business Model:

– Send Spam

– Denial of Service attacks

– Sybil attacks on Online Poker games

– File-Servers for illegal content

• For this, they need my PC up and running, connected, and free of any other malware

• That’s actually a good deal for me


Covering your back (1)

Strong Accountability may create its own artifacts

• Security goes to where it is visible

• Fight vandalism rather than crime

• Blind Activism

• Measures everybody sees rather than ones that work

• Overprotect one part at the expense of others

• E.g., war on Terror: All funding in airport passenger screening, less for harbors


Covering your back (2)

If something goes wrong, someone has to be guilty; chances are it’s you.

Never unconditionally recommend inferior solutions. Point out the weak points, formulate the risk in a way management can understand them, and let them decide.


Example: Inferior Encryption Algorithm

“Due to memory constraints on the given hardware platform, it is not possible to use the industry standard in encryption (i.e., AES). Ciphers that do fit into the given memory exist, though there is no industry standard; a reasonable choice would be to use XTEA. It should be stressed however that all those ciphers have not undergone the level of analysis required to get a comparable confidence as AES provides, and there is some risk that a new attack is discovered which would render those ciphers useless. If the decision is taken to use a small-footprint cipher, we heavily recommend implementing an update plan (i.e., the ability to replace the cipher in the field), and move to AES with the next hardware generation, which hopefully has more available memory. In addition, known weaknesses of XTEA if used as a hash function should be added to the documentation.”
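The "update plan" in that recommendation, shown as an added example that is not part of the slides: every ciphertext block carries an algorithm tag so XTEA can be swapped for AES on later hardware without breaking stored data. The XTEA routine, the tag values and the key/plaintext are written and constructed here; the block primitive is shown alone, without the mode of operation and authentication a deployment would still need.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Algorithm tag carried in front of every ciphertext so the cipher can be
   replaced in the field. Tag values are constructed for this example and are
   not taken from any standard. */
enum { ALG_XTEA = 0x01, ALG_AES128 = 0x02 /* reserved for the next hardware generation */ };

#define XTEA_ROUNDS 32
#define XTEA_DELTA  0x9E3779B9u

/* XTEA (Needham/Wheeler): 64-bit block, 128-bit key, 32 Feistel rounds. */
static void xtea_encrypt_block(const uint32_t key[4], uint32_t v[2]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (unsigned i = 0; i < XTEA_ROUNDS; i++) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
        sum += XTEA_DELTA;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
    }
    v[0] = v0; v[1] = v1;
}

static void xtea_decrypt_block(const uint32_t key[4], uint32_t v[2]) {
    uint32_t v0 = v[0], v1 = v[1], sum = XTEA_DELTA * XTEA_ROUNDS;
    for (unsigned i = 0; i < XTEA_ROUNDS; i++) {
        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
        sum -= XTEA_DELTA;
        v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
    }
    v[0] = v0; v[1] = v1;
}

/* One tagged 64-bit block: [alg tag][8 bytes]. Raw block primitive only; a
   deployment still wraps it in a mode of operation with authentication. */
typedef struct { uint8_t alg; uint32_t w[2]; } tagged_block_t;

/* Returns 0 on success, -1 if the requested algorithm is not built in. Moving
   to AES later means adding a case here; old ciphertexts stay readable
   because each one carries its own tag. */
int seal_block(uint8_t alg, const uint32_t key[4], const uint32_t pt[2], tagged_block_t *out) {
    switch (alg) {
    case ALG_XTEA:
        out->alg = ALG_XTEA;
        memcpy(out->w, pt, sizeof out->w);
        xtea_encrypt_block(key, out->w);
        return 0;
    default:
        return -1;   /* e.g. ALG_AES128 on this memory-constrained platform */
    }
}

int open_block(const uint32_t key[4], const tagged_block_t *in, uint32_t pt[2]) {
    switch (in->alg) {
    case ALG_XTEA:
        memcpy(pt, in->w, sizeof in->w);
        xtea_decrypt_block(key, pt);
        return 0;
    default:
        return -1;   /* unknown or not-yet-supported tag: refuse rather than guess */
    }
}

/* Self-checks: the round trip restores the plaintext, the ciphertext differs
   from it, and a wrong key does not restore it. Key and plaintext are constructed. */
int xtea_roundtrip_ok(void) {
    const uint32_t key[4]   = {0x00010203u, 0x04050607u, 0x08090a0bu, 0x0c0d0e0fu};
    const uint32_t wrong[4] = {0xdeadbeefu, 0x00000001u, 0x00000002u, 0x00000003u};
    const uint32_t pt[2]    = {0x41424344u, 0x45464748u};
    uint32_t back[2], bad[2];
    tagged_block_t tb;
    if (seal_block(ALG_XTEA, key, pt, &tb) != 0) return 0;
    if (tb.w[0] == pt[0] && tb.w[1] == pt[1]) return 0;
    if (open_block(key, &tb, back) != 0 || open_block(wrong, &tb, bad) != 0) return 0;
    if (bad[0] == pt[0] && bad[1] == pt[1]) return 0;
    return back[0] == pt[0] && back[1] == pt[1];
}

/* The agility check: a tag this firmware does not implement is refused. */
int unknown_alg_rejected(void) {
    const uint32_t key[4] = {0}, pt[2] = {0};
    tagged_block_t tb;
    return seal_block(ALG_AES128, key, pt, &tb) == -1;
}

int main(void) {
    printf("xtea round trip: %s\n", xtea_roundtrip_ok() ? "ok" : "FAIL");
    printf("unknown tag rejected: %s\n", unknown_alg_rejected() ? "ok" : "FAIL");
    return 0;
}
```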


The Losing Card

Sometimes, security really does not pay off

• Predictability

– Credit Cards

– Car Theft

• Liability Protection

– Enough to prove “criminal intent”


Security is a NEGOTIATION

• There is a lot of convincing involved

• Understand your business

– Security rarely is a goal on its own. Usually, functional features get priority

– Understand where the money comes from to see what has to be protected

• Both sides have to give


Where you can give

• Technology Innovation

– Develop technologies that make security cheaper

• Specialization

– The more precise the use case, the less resources you need

– Yes, I know I’m contradicting myself here

• Application Innovation

– Put security somewhere where it doesn’t hurt

• Compromise

– Live with less security to allow doing something

• Hard Work: Be Visible, Available for help, willing to discuss


Analyzing your stakeholders

Their Needs

• What is he measured on ?

• What is he worried about ?

• Whom does he want to impress ?

Their access

• Who tells him what to do over a beer ?

• Can he influence other stakeholders ?


| Group | Best Technique | Best Approach | Expected Results |
|---|---|---|---|
| Senior Managers | Cost justification; Industry comparison; Audit report | Presentation; Video; Violation reports | Funding; Support |
| Line Supervisors | Risk analysis; Demonstrate job performance benefits; Perform security reviews | Presentation; Circulate news articles; Video | Support; Resource help; Adherence |
| Users | Sign responsibility statements; Policies and procedures | Presentation; Newsletters; Video | Adherence; Support |


Purchasing Department

• Gets their bonus for buying things cheaper

– BOM (Bill of materials)

• As long as no new hardware is needed, they’re usually happy

• One-time cost (e.g., buying a software license) easier to argue than monthly/per item cost


Sales & Marketing

• Wants it out yesterday

– Don’t delay their launch-date

• Needs a sales message

– Help them define security as something good

– Ideally, give them a bumper-sticker message

• Needs to be checked if talking about security


Quality Assurance

• Most familiar with security way of thinking

• Is used to computable risks

– Will need help with the risk analysis

– Needs convincing that there’s more uncertainty in security


Software Architects

• If it’s no work for them, it’s fine

• Need to fit it all into limited resources

– Both on the personnel and on the hardware side

• Danger that they just do it themselves (or their bosses ask them to)


Some points on discussing security

• Careful with the vocabulary

– Security = Encryption ?

• Let them come up with the issues themselves

– “What happens if…”, “Would it be an issue if…”, “Do you trust XYZ ?”, “How do you deal with …”

• Give them something to remember/pass on

– Easy to remember and visualize concepts


Negative Campaign Example

“We’re here to help you prevent that our TVs look like your PC”


Fear or Hope ?

• You can only predict the apocalypse that often before it wears out.

• Given all the predictions of security experts, the world does surprisingly well!


Security IS a differentiator!

“What would you do if security and privacy issues did not exist ?”

A lot of designers have already unconsciously given up on lucrative use cases

• Including medical information (requires HIPAA)

• Asking customers for private data

• Going Wireless


Security is here to serve us…

TCG Confidential Copyright© 2007 Trusted Computing Group. Picture Copyright© Jyrki Kallinen, Nokia. - Other names and brands are properties of their respective owners.

…to enable us to enjoy the things that matter.


The Opportunity Made Real

In Asia the excellent penetration of mobile devices represents a huge opportunity.

International standardization vs. narrow, fragmented and national solutions.

Mobile Trusted Module brings cost-efficiency, R&D savings and access to new markets.

Cross-industry collaboration on MTM development has aimed at maximizing the quality of user experience.

Mobile Trusted Module is here. Join us to develop compelling value-added services!



Generic Positive Bumpersticker

Security is like the brakes on your car.

– Their function is to slow you down.

– But their purpose is to allow you to go fast.


Legislature and Regulation

The easiest way to introduce security is to point out regulation

• FIPS 140-2

– Cryptography guidelines for products used by the US/Canadian government

• HIPAA

– Privacy regulations for dealing with medical data

• Criminal Law

– Sometimes, the decision maker can go to jail for bad security

• Breach Notification

– For some classes of incidents, companies now need to notify every customer who is harmed


Example: FIPS 140-1

Applicability. This standard is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. Cryptographic modules that have been approved for classified use may be used in lieu of modules that have been validated against this standard. The adoption and use of this standard is available to private and commercial organizations.


Legislature & Regulation

• Caveat: You may end up being fully responsible

– FIPS 140-2 Certification can take 2 years and a million dollars


The Security Trojan Horse


The Trojan Horse Approach

There is always something in security that…

• …helps the business

– E.g., IP Protection/Anti Counterfeiting

• …someone with influence is scared of

– E.g., Cyberterrorism

• This is your Trojan horse to get the resources to protect against the real threat


Causes of Information Damage

[Three pie charts; the percentages are listed in the order they appear on the slide, the legend entries separately]

Common causes of damage: 52%, 10%, 10%, 15%, 10%, 3% (legend: Human error, Dishonest people, Technical sabotage, Fire, Water, Terrorism)

Who causes damage: 81%, 13%, 6% (legend: Current employees, Outsiders, Former employees)

Types of computer crime: 44%, 16%, 16%, 12%, 10%, 2% (legend: Money theft, Damage of software, Theft of information, Alteration of data, Theft of services, Trespass)


Where you can give

• Technology Innovation

– Develop technologies that make security cheaper

• Specialization

– The more precise the use case, the less resources you need

– Yes, I know I’m contradicting myself here

• Application Innovation

– Put security somewhere where it doesn’t hurt

• Compromise

– Live with less security to allow doing something


Technology Innovation

• Develop new technology that allows solving security issues without overhead

• Example: Zero-Knowledge Protocols in Smart Energy to enforce privacy


Smart Energy Zero Knowledge Protocol

[Diagram with three parties: Meter (electricity, time), User, Utility Provider. (A) Certified readings & policy: certified electricity readings per ½ hour from the Meter, and a certified policy of dynamic rates per ½ hour (non-linear rates -- taxation). (B) ZK proof of bill & verification: a certified bill together with a zero-knowledge proof of its correctness.]


Specialisation

• Most security solutions are relatively generic and overpowered

• This is a good thing!

• Still, sometimes it helps to use special assumptions of the concrete use case (e.g., lifetime of a key) to allow for optimized solutions.


ZigBee Key management: Considerations in the Healthcare Profile

Basic need: Any two devices in the hospital need to be able to communicate securely

Boundary Conditions:

– Must not interfere with hospital workflow

• No visible delay

• No additional user interaction

– No assumption of always-present infrastructure

– Dynamic settings, devices may change partners frequently

– Hundreds of devices, but only a small set communicating at any time

– Minimal maintenance, but some setup effort tolerable

– Individual devices may get lost or stolen

– Must work on very small devices

Possible Compromises:

– Professional Initialization of new devices, infrequent maintenance possible

– Loss of devices will eventually be detected

– Upper limit on number of devices


Solution: Blundo's polynomial key predistribution technique

Need: a method for any two devices to establish a private secret key.

A symmetric bivariate polynomial f(x,y) = f(y,x) is known only to the trusted key distribution center. On initialization, each participant gets f evaluated in one variable:

F_A(x) = f(ID_A, x), F_B(x) = f(ID_B, x)

If the devices want to communicate, they individually compute

F_A(ID_B) = f(ID_A, ID_B) = f(ID_B, ID_A) = F_B(ID_A)
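An added implementation of the scheme above (not from the slides), meeting the healthcare-profile boundary conditions of the previous slide: the key distribution center issues each device its univariate share at initialization, and any two devices later derive the same pairwise key offline from nothing but the peer's ID. The field GF(2^31-1), the degree t = 3, the device IDs and the RNG seed are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Field GF(p) with p = 2^31 - 1, so a product of two residues fits in uint64_t.
   Degree t is a constructed parameter: any t+1 colluding (e.g. stolen) devices
   can reconstruct f, so t is chosen from the tolerated loss rate and the upper
   limit on the number of devices. */
#define P 2147483647ULL
#define T 3

/* f(x,y) = sum_{i,j} a[i][j] x^i y^j with a[i][j] = a[j][i], hence f(x,y) = f(y,x). */
typedef struct { uint64_t a[T + 1][T + 1]; } bivariate_t;
/* Device share F_id(x) = sum_j c[j] x^j; only these t+1 coefficients leave the KDC. */
typedef struct { uint32_t id; uint64_t c[T + 1]; } share_t;

static uint64_t mulmod(uint64_t x, uint64_t y) { return (x % P) * (y % P) % P; }

/* Key distribution center: pick a random symmetric coefficient matrix. A small
   LCG stands in for a CSPRNG so the run is reproducible; never do this for real keys. */
void kdc_generate(bivariate_t *f, uint64_t seed) {
    for (int i = 0; i <= T; i++)
        for (int j = i; j <= T; j++) {
            seed = seed * 6364136223846793005ULL + 1442695040888963407ULL;
            f->a[i][j] = f->a[j][i] = (seed >> 33) % P;
        }
}

/* At professional initialization the KDC hands device `id` the share
   F_id(x) = f(id, x) = sum_j (sum_i a[i][j] id^i) x^j. */
void kdc_issue_share(const bivariate_t *f, uint32_t id, share_t *s) {
    s->id = id;
    for (int j = 0; j <= T; j++) {
        uint64_t acc = 0, idpow = 1;
        for (int i = 0; i <= T; i++) {
            acc = (acc + mulmod(f->a[i][j], idpow)) % P;
            idpow = mulmod(idpow, id);
        }
        s->c[j] = acc;
    }
}

/* On the device: pairwise key K = F_self(peer_id), evaluated with Horner's
   rule. No infrastructure and no user interaction are needed at this point. */
uint64_t derive_pair_key(const share_t *self, uint32_t peer_id) {
    uint64_t k = 0;
    for (int j = T; j >= 0; j--)
        k = (mulmod(k, peer_id) + self->c[j]) % P;
    return k;
}

/* A and B derive the same key from their own shares; C, holding a valid share
   of its own, derives a different key with B and, alone, learns nothing about K_AB. */
int blundo_keys_agree(void) {
    bivariate_t f;
    share_t a, b, c;
    kdc_generate(&f, 20110517ULL);   /* constructed seed */
    kdc_issue_share(&f, 1001u, &a);
    kdc_issue_share(&f, 2002u, &b);
    kdc_issue_share(&f, 3003u, &c);
    uint64_t k_ab = derive_pair_key(&a, 2002u);
    uint64_t k_ba = derive_pair_key(&b, 1001u);
    uint64_t k_cb = derive_pair_key(&c, 2002u);
    return k_ab == k_ba && k_ab != k_cb;
}

int main(void) {
    printf("pairwise keys agree: %s\n", blundo_keys_agree() ? "ok" : "FAIL");
    return 0;
}
```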


Application Innovation

If one part of the system is hard to secure…

Put the security somewhere else


Application Security Why is this a good security system ?

It only assists the primary security systems, which are the legal system (proof of criminal intent) and your insurance!


Compromise

Sometimes we have to accept limited security

• Make sure the reasons why are documented

• Make sure that if the reasons go away, something better is implemented

• Make it a conscious risk-decision


Example Compromise

New Internet Service with access control

• Security issue that could harm producer (mostly harmless for customer)

• Issue: There were 2 weeks till code freeze

• Solution: Accept security vulnerability in the early phase with few users, assure compatibility with future better solutions
