Incident(s) of the Week
Why is that a security example ?
• Complex architecture
– It seems no one understood the interactions
• Acting on unchecked assumptions
– Unreachability of data downgrade
Economics of Security 1
How to sell security in your organization
What makes security a hard sell
• It’s a very different way of thinking than most normal people have
• It’s (usually) not where the money is (unless you turn to the dark side)
The Invisible Attack
• The worst attacks are the ones no one notices
– Stealing your product plans, bid proposals, …
– Sabotaging production sites, products, office progress
• Those only make the news if something went wrong (e.g., Stuxnet)
– Gives a wrong impression of what’s actually happening
• It’s hard to motivate someone to spend money on an unseen problem
– Can’t judge how bad the problem is
– Can’t measure if the money works
– Can’t be held accountable if an attack occurs
The Unseen Costs
Even if an attack is anticipated, it is often hard to estimate the costs it will cause
• What-if scenarios
– Oracle vs SAP: $4 billion damage ??
– Hollywood against P2P: $62.500 per song ?
• A security incident is often only one puzzle piece
– How much did the OV card hack cost ?
– So our ex-employee copied all technical notes. Now what ?
Black Swans
Black Swan: Highly unlikely, high impact event
Same effect as with the financial crisis: additional cost and loss of competitiveness NOW against a disaster in the future. If the disaster comes too late, everyone who acted responsibly is already bankrupt. In the IT world, an over-secure product may never take off in the first place.
Assurance: How to judge security
• Difficult to tell quality levels
– There is no easy measure for security
• Attack models differ, approaches don’t compare well
– First attempts: Orange Book. Now we have the Common Criteria, which need experts to understand
• Has levels, but they are meaningless without looking at the protection profile
• E.g., Windows NT has EAL4 against a meaningless profile
• Often, even difficult to tell quality from nonsense
– And the nonsense is usually faster and leaner
Customer Pull
• Customers not willing to pay extra for security
• E.g., MiFare:
– Never meant for access control in buildings, but cheaper than the alternative
– Would you send a customer home if he wants to buy it for the wrong purpose ?
• E.g., Smart Meters
– Cheapest manufacturer wins
– No regulation in place (yet)
Lack of Differentiator
• Would you buy a TV that is more secure ?
– Even negative effect: Highlighting security scares customers
• Did you consider security when choosing your email provider ? Your ISP ?
– Do you actually know about their security policy ?
– Do you use two-factor authentication ?
• Did you buy the latest virus scanner/firewall ?
– Did you go by price or by quality ?
Accountability
Who is accountable for security incidents ?
• Macro-Level: Are companies responsible for delivering bad security ?
Software Licenses
5. APPLICABLE LAW
This LICENSE shall be deemed to have been made in, and shall be construed pursuant to, the laws of the State of California. The United Nations Convention on Contracts for the International Sale of Goods is specifically disclaimed.
6. DISCLAIMER OF WARRANTIES AND LIMITATION ON LIABILITY
6.1 No Warranties. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE SOFTWARE IS PROVIDED "AS IS" AND Company AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, EITHERWHETHER EXPRESS OR, IMPLIED, OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY AND, FITNESS FOR A PARTICULAR PURPOSE. , TITLE, AND NON-INFRINGEMENT. Without limiting the foregoing, you are solely responsible for determining and verifying that the SOFTWARE that you obtain and install is the appropriate version for your model of graphics controller board, operating system, and computer hardware.
6.2 No Liability for Consequential Damages. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL Company OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS PROFITS, LOSS OF DATA, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, OR ANY OTHER PECUNIARY LOSS) ARISING OUT OF THE USE OF OR INABILITY TO USE THE SOFTWARE, EVEN IF Company HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
And another one
6. Disclaimer of Warranties. YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT USE OF THE Company SOFTWARE IS AT YOUR SOLE RISK AND THAT THE ENTIRE RISK AS TO SATISFACTORY QUALITY, PERFORMANCE, ACCURACY AND EFFORT IS WITH YOU. EXCEPT FOR THE LIMITED WARRANTY ON MEDIA SET FORTH ABOVE AND TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE Company SOFTWARE IS PROVIDED “AS IS”, WITH ALL FAULTS AND WITHOUT WARRANTY OF ANY KIND, AND Company AND Company’s LICENSORS (COLLECTIVELY REFERRED TO AS “Company” FOR THE PURPOSES OF SECTIONS 6 AND 7) HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH RESPECT TO THE Company SOFTWARE, EITHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES AND/OR CONDITIONS OF MERCHANTABILITY, OF SATISFACTORY QUALITY, OF FITNESS FOR A PARTICULAR PURPOSE, OF ACCURACY, OF QUIET ENJOYMENT, AND NON-INFRINGEMENT OF THIRD PARTY RIGHTS. Company DOES NOT WARRANT AGAINST INTERFERENCE WITH YOUR ENJOYMENT OF THE Company SOFTWARE, THAT THE FUNCTIONS CONTAINED IN THE Company SOFTWARE WILL MEET YOUR REQUIREMENTS, THAT THE OPERATION OF THE Company SOFTWARE WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT DEFECTS IN THE Company SOFTWARE WILL BE CORRECTED. NO ORAL OR WRITTEN INFORMATION OR ADVICE GIVEN BY Company OR AN Company AUTHORIZED REPRESENTATIVE SHALL CREATE A WARRANTY. SHOULD THE Company SOFTWARE PROVE DEFECTIVE, YOU ASSUME THE ENTIRE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES OR LIMITATIONS ON APPLICABLE STATUTORY RIGHTS OF A CONSUMER, SO THE ABOVE EXCLUSION AND LIMITATIONS MAY NOT APPLY TO YOU.
7. Limitation of Liability. TO THE EXTENT NOT PROHIBITED BY LAW, IN NO EVENT SHALL Company BE LIABLE FOR PERSONAL INJURY, OR ANY INCIDENTAL, SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, LOSS OF DATA, BUSINESS INTERRUPTION OR ANY OTHER COMMERCIAL DAMAGES OR LOSSES, ARISING OUT OF OR RELATED TO YOUR USE OR INABILITY TO USE THE Company SOFTWARE, HOWEVER CAUSED, REGARDLESS OF THE THEORY OF LIABILITY (CONTRACT, TORT OR OTHERWISE) AND EVEN IF Company HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME JURISDICTIONS DO NOT ALLOW THE LIMITATION OF LIABILITY FOR PERSONAL INJURY, OR OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THIS LIMITATION MAY NOT APPLY TO YOU. In no event shall Company’s total liability to you for all damages (other than as may be required by applicable law in cases involving personal injury) exceed the amount of fifty dollars ($50.00). The foregoing limitations will apply even if the above stated remedy fails of its essential purpose.
• Micro-Level: Who in the organization is accountable ?
In-Organization accountability
• Who is responsible for a security issue ?
– Programmer ?
– Architect ?
– CIO/CSO ?
– Management ?
– Quality Assurance Officer ?
• Which of those is still around when the problem comes up ?
• Does he have authority together with responsibility ?
Tragedy of the commons
Why should I not have my PC managed by the Mafia ?
• Mafia Business Model:
– Send Spam
– Denial of Service attacks
– Sybil attacks on Online Poker games
– File-Servers for illegal content
• For this, they need my PC up and running, connected, and free of any other malware
• That’s actually a good deal for me
Covering your back (1)
Strong accountability may create its own artifacts
• Security goes to where it is visible
• Fight vandalism rather than crime
• Blind activism
• Measures everybody sees rather than ones that work
• Overprotect one part at the expense of others
– E.g., war on terror: All funding in airport passenger screening, less for harbors
Covering your back (2)
If something goes wrong, someone has to be guilty; chances are it’s you.
Never unconditionally recommend inferior solutions. Point out the weak points, formulate the risk in a way management can understand them, and let them decide.
Example: Inferior Encryption Algorithm
“Due to memory constraints on the given hardware platform, it is not possible to use the industry standard in encryption (i.e., AES). Ciphers that do fit into the given memory exist, though there is no industry standard; a reasonable choice would be to use XTEA. It should be stressed, however, that all those ciphers have not undergone the level of analysis required to reach a confidence comparable to what AES provides, and there is some risk that a new attack is discovered which would render those ciphers useless. If the decision is taken to use a small-footprint cipher, we strongly recommend implementing an update plan (i.e., the ability to replace the cipher in the field) and moving to AES with the next hardware generation, which hopefully has more available memory. In addition, the known weaknesses of XTEA when used as a hash function should be added to the documentation.”
The Losing Card
Sometimes, security really does not pay off
• Predictability
– Credit Cards
– Car Theft
• Liability Protection
– Enough to prove “criminal intent”
Security is a NEGOTIATION
• There is a lot of convincing involved
• Understand your business
– Security rarely is a goal on its own. Usually, functional features get priority
– Understand where the money comes from to see what has to be protected
• Both sides have to give
Where you can give
• Technology Innovation
– Develop technologies that make security cheaper
• Specialization
– The more precise the use case, the fewer resources you need
– Yes, I know I’m contradicting myself here
• Application Innovation
– Put security somewhere where it doesn’t hurt
• Compromise
– Live with less security to allow doing something
• Hard Work: Be visible, available for help, willing to discuss
Analyzing your stakeholders
Their Needs
• What is he measured on ?
• What is he worried about ?
• Whom does he want to impress ?
Their access
• Who tells him what to do over a beer ?
• Can he influence other stakeholders ?
Group: Senior Managers
– Best technique: Cost justification, industry comparison, audit report
– Best approach: Presentation, video, violation reports
– Expected results: Funding, support
Group: Line Supervisors
– Best technique: Risk analysis, demonstrate job performance benefits, perform security reviews
– Best approach: Presentation, circulate news articles, video
– Expected results: Support, resource help, adherence
Group: Users
– Best technique: Sign responsibility statements, policies and procedures
– Best approach: Presentation, newsletters, video
– Expected results: Adherence, support
Purchasing Department
• Gets their bonus for buying things cheaper
– BOM (Bill of materials)
• As long as no new hardware is needed, they’re usually happy
• One-time cost (e.g., buying a software license) easier to argue than monthly/per item cost
Sales & Marketing
• Wants it out yesterday
– Don’t delay their launch-date
• Needs a sales message
– Help them define security as something good
– Ideally, give them a bumper-sticker message
• Whatever they say about security needs to be checked
Quality Assurance
• Most familiar with security way of thinking
• Is used to computable risks
– Will need help with the risk analysis
– Needs convincing that there’s more uncertainty in security
Software Architects
• If it’s no work for them, it’s fine
• Need to fit it all into limited resources
– Both on the personnel and on the hardware side
• Danger that they just do it themselves (or their bosses ask them to)
Some points on discussing security
• Careful with the vocabulary
– Security = Encryption ?
• Let them come up with the issues themselves
– “What happens if…”, “Would it be an issue if…”, “Do you trust XYZ ?”, “How do you deal with …”
• Give them something to remember/pass on
– Easy to remember and visualize concepts
Negative Campaign Example
“We’re here to help you prevent our TVs from looking like your PC”
Fear or Hope ?
• You can only predict the apocalypse that often before it wears out.
• Given all the predictions of security experts, the world does surprisingly well!
Security IS a differentiator!
“What would you do if security and privacy issues did not exist ?”
A lot of designers have already unconsciously given up on lucrative use cases
• Including medical information (requires HIPAA)
• Asking customers for private data
• Going Wireless
Security is here to serve us…
TCG Confidential Copyright© 2007 Trusted Computing Group. Picture Copyright© Jyrki Kallinen, Nokia. - Other names and brands are properties of their respective owners.
…to enable us to enjoy the things that matter.
The Opportunity Made Real
In Asia the excellent penetration of mobile devices represents a huge opportunity
International standardization vs. narrow, fragmented and national solutions
Mobile Trusted Module brings cost-efficiency, R&D savings and access to new markets
Cross-industry collaboration on MTM development has aimed at maximizing the quality of user experience
Mobile Trusted Module is here. Join us to develop compelling value-added services!
Generic Positive Bumpersticker
Security is like the brakes on your car.
– Their function is to slow you down.
– But their purpose is to allow you to go fast.
Legislature and Regulation
The easiest way to introduce security is to point out regulation
• FIPS 140-2
– Cryptography guidelines for products used by the US/Canadian government
• HIPAA
– Privacy regulations for dealing with medical data
• Criminal Law
– Sometimes, the decision maker can go to jail for bad security
• Breach Notification
– For some classes of incidents, companies now need to notify every customer who is harmed
Example: FIPS 140-1
Applicability. This standard is applicable to all Federal agencies that use cryptographic-based security systems to protect sensitive information in computer and telecommunication systems (including voice systems) as defined in Section 5131 of the Information Technology Management Reform Act of 1996, Public Law 104-106. This standard shall be used in designing and implementing cryptographic modules that Federal departments and agencies operate or are operated for them under contract. Cryptographic modules that have been approved for classified use may be used in lieu of modules that have been validated against this standard. The adoption and use of this standard is available to private and commercial organizations.
Legislature & Regulation
• Caveat: You may end up being fully responsible
– FIPS 140-2 Certification can take 2 years and a million dollars
The Security Trojan Horse
The Trojan Horse Approach
There is always something in security that…
• …helps the business
– E.g., IP Protection/Anti Counterfeiting
• …someone with influence is scared of
– E.g., Cyberterrorism
• This is your Trojan horse to get the resources to protect against the real threat
Causes of Information Damage
[Chart: three pie charts]
Common causes of damage: Human error 52%, Dishonest people 10%, Technical sabotage 10%, Fire 15%, Water 10%, Terrorism 3%
Who causes damage: Current employees 81%, Outsiders 13%, Former employees 6%
Types of computer crime: Money theft 44%, Damage of software 16%, Theft of information 16%, Alteration of data 12%, Theft of services 10%, Trespass 2%
Technology Innovation
• Develop new technologies that allow solving security issues without overhead
• Example: Zero-Knowledge Protocols in Smart Energy to enforce privacy
Smart Energy Zero Knowledge Protocol
[Diagram: parties Meter (electricity, time), User, Utility Provider]
(A) Certified readings & policy
– Certified policy: dynamic rates per ½ hour (non-linear rates, taxation)
– Certified electricity readings per ½ hour, produced by the meter
(B) ZK proof of bill & verification
– Certified bill & zero-knowledge proof of correctness, from the user to the utility provider
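The billing idea on the slide, worked through as an added example that is not the lecture's protocol: the full scheme on the slide also covers non-linear rates and taxation and needs a genuine zero-knowledge proof system, whereas this is the linear-tariff special case, where the homomorphism of Pedersen commitments alone lets the utility check the bill Σ rate_i × reading_i without ever seeing a single half-hour reading. The parties follow the diagram: the meter certifies readings (here by publishing commitments), the user computes the bill and the opening that proves it, the utility verifies. The group parameters, readings and rates are constructed for illustration, as are all function names.

```python
"""Privacy-preserving metering bill with homomorphic Pedersen commitments (added
example, linear tariff only; not the slide's non-linear ZK protocol)."""
import hashlib
import secrets

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n):
    """Miller-Rabin with the first twelve prime bases: deterministic for n < 3.1e23."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def setup(start=1 << 62):
    """Toy group (constructed): safe prime p = 2q + 1, generator g of the order-q
    subgroup, and a second generator h derived by hashing so nobody knows log_g(h)
    (assumption: the hash acts as a random oracle; real deployments use standard groups)."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    g = 4                                       # 2^2, a quadratic residue, so order q
    x = int.from_bytes(hashlib.sha256(b"pedersen-h").digest(), "big") % p
    h = pow(x, 2, p)                            # squaring lands in the order-q subgroup
    assert h not in (1, p - 1) and h != g
    return p, q, g, h


def commit(params, m, s):
    """Pedersen commitment C = g^m h^s: hides m (s is uniform) and binds the sender to m."""
    p, q, g, h = params
    return pow(g, m % q, p) * pow(h, s % q, p) % p


def meter_certify(params, readings):
    """Meter: one commitment per half-hour reading. The commitments go to the utility
    (the 'certified readings'); the openings (reading, randomness) go only to the user."""
    _, q, _, _ = params
    openings = [(m, secrets.randbelow(q)) for m in readings]
    commitments = [commit(params, m, s) for m, s in openings]
    return commitments, openings


def user_bill(params, openings, rates):
    """User: bill = sum(rate_i * reading_i) plus the aggregated randomness that opens the
    product of the commitments to exactly that bill. Nothing else leaves the household."""
    _, q, _, _ = params
    bill = sum(r * m for (m, _), r in zip(openings, rates))
    agg = sum(r * s for (_, s), r in zip(openings, rates)) % q
    return bill, agg


def utility_verify(params, commitments, rates, bill, agg):
    """Utility: prod(C_i^rate_i) = g^(sum r_i m_i) h^(sum r_i s_i) must equal g^bill h^agg.
    Only the total is revealed; a tampered bill or tampered readings fail the check."""
    p, _, _, _ = params
    lhs = 1
    for c, r in zip(commitments, rates):
        lhs = lhs * pow(c, r, p) % p
    return lhs == commit(params, bill, agg)


if __name__ == "__main__":
    params = setup()
    readings = [120, 80, 300, 450, 200, 150]    # Wh per half hour, constructed sample
    rates = [10, 10, 25, 25, 15, 15]            # certified dynamic tariff, constructed
    commitments, openings = meter_certify(params, readings)
    bill, agg = user_bill(params, openings, rates)
    print("bill:", bill, "accepted:", utility_verify(params, commitments, rates, bill, agg))
    print("under-reported bill accepted:", utility_verify(params, commitments, rates, bill - 1, agg))
```

The design point is the one the slide makes about application innovation: the utility's check is a pure group computation on data the meter already certified, so the privacy property costs the user nothing at interaction time, and the binding property of the commitment is what the utility relies on instead of seeing the readings.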
Specialisation
• Most security solutions are relatively generic and overpowered
• This is a good thing!
• Still, sometimes it helps to use special assumptions of the concrete use case (e.g., lifetime of a key) to allow for optimized solutions.
ZigBee Key management: Considerations in the Healthcare Profile
Basic need: Any two devices in the hospital need to be able to communicate securely
Boundary Conditions:
– Must not interfere with hospital workflow
• No visible delay
• No additional user interaction
– No assumption of always-present infrastructure
– Dynamic settings, devices may change partners frequently
– Hundreds of devices, but only a small set communicating at any time
– Minimal maintenance, but some setup effort tolerable
– Individual devices may get lost or stolen
– Must work on very small devices
Possible Compromises:
– Professional initialization of new devices, infrequent maintenance possible
– Loss of devices will eventually be detected
– Upper limit on number of devices
Solution: Blundo's polynomial key predistribution technique
Need: A method for any two devices to establish a private secret key.
A symmetric bivariate polynomial f(x,y) = f(y,x) is known only to the trusted key distribution center. On initialization, each participant gets f evaluated in one variable at its own ID:
FA(x) = f(IDA, x), FB(x) = f(IDB, x)
If the devices want to communicate, they individually compute FA(IDB) = f(IDA, IDB) = f(IDB, IDA) = FB(IDA)
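The Blundo scheme above, as an added example that is not part of the lecture material: the key distribution center draws a random symmetric bivariate polynomial over a prime field, hands every device the univariate share F_ID(x) = f(ID, x) at initialization, and two devices then derive the same key offline by evaluating their share at the peer's ID, which is what makes the no-delay, no-interaction, no-infrastructure constraints of the healthcare profile satisfiable. The field modulus, threshold and device IDs are constructed choices, and the function names are assumptions.

```python
"""Blundo-style polynomial key predistribution (added example, not the lecture's code)."""
import secrets

# Field modulus: the Mersenne prime 2^127 - 1 (constructed choice; any prime at least
# as large as the desired key space works). All arithmetic is done mod P.
P = (1 << 127) - 1


def kdc_setup(t, rand=secrets.randbelow):
    """KDC side: random symmetric (t+1)x(t+1) coefficient matrix with a[i][j] == a[j][i].
    t is the collusion threshold: any t+1 captured shares reconstruct f entirely, which
    is why the profile needs an upper limit on devices and detection of lost ones."""
    a = [[0] * (t + 1) for _ in range(t + 1)]
    for i in range(t + 1):
        for j in range(i, t + 1):
            a[i][j] = a[j][i] = rand(P)
    return a


def evaluate_bivariate(a, x, y):
    """Reference evaluation f(x, y) = sum_ij a[i][j] x^i y^j mod P (KDC-only knowledge)."""
    t = len(a) - 1
    return sum(a[i][j] * pow(x, i, P) * pow(y, j, P)
               for i in range(t + 1) for j in range(t + 1)) % P


def share_for_device(a, device_id):
    """KDC side, at professional initialization: the univariate share F_ID(x) = f(ID, x)
    as coefficients c_j = sum_i a[i][j] ID^i mod P. This is all a device ever stores."""
    t = len(a) - 1
    return [sum(a[i][j] * pow(device_id, i, P) for i in range(t + 1)) % P
            for j in range(t + 1)]


def pairwise_key(share, peer_id):
    """Device side: Horner evaluation of the stored share at the peer's ID. Symmetry of f
    guarantees F_A(ID_B) == F_B(ID_A), so nothing beyond the peer's ID is needed."""
    acc = 0
    for c in reversed(share):
        acc = (acc * peer_id + c) % P
    return acc


if __name__ == "__main__":
    poly = kdc_setup(t=5)                 # tolerates up to 5 colluding lost/stolen devices
    share_a = share_for_device(poly, 17)  # e.g. an infusion pump, constructed ID
    share_b = share_for_device(poly, 42)  # e.g. a patient monitor, constructed ID
    assert pairwise_key(share_a, 42) == pairwise_key(share_b, 17)
    print("shared key:", hex(pairwise_key(share_a, 42)))
```

A device holding a degree-t share stores t+1 field elements regardless of how many devices exist, which is the "hundreds of devices, only a few communicating" trade-off; the price is the threshold, so the bound on device count and the loss-detection compromise on the slide are what keep t meaningful.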
Application Innovation
If one part of the system is hard to secure… put the security somewhere else
Application Security Why is this a good security system ?
It only assists the primary security systems, which are the law (proof of criminal intent) and your insurance!
Compromise
Sometimes we have to accept limited security
• Assure the reasons why are documented
• Assure if the reasons go away, something better is implemented
• Make it a conscious risk-decision
Example Compromise
New Internet Service with access control
• Security issue that could harm producer (mostly harmless for customer)
• Issue: There were 2 weeks till code freeze
• Solution: Accept security vulnerability in the early phase with few users, assure compatibility with future better solutions