(IN)SECURITY, RISK & THE LIFECYCLE OF VULNERABILITIES
Dr. Stefan Frei, Security Architect at Swisscom, [email protected], Twitter @stefan_frei

(IN)SECURITY, RISK & THE LIFECYCLE OF VULNERABILITIES · 2019-07-01 · 1. What assets are we trying to protect? 2. What are the risks to those assets? 3. How well does the security



NetSec 2015 Slide 2

Cyber & Networking Security

§ Networking security has become a critical issue for all types of industries

§ But in many aspects, cyber security differs fundamentally from past challenges


NetSec 2015 Slide 3

What makes the cyber world special?

§ Communication between people, machines and devices

§ Increase of computing performance

§ Price erosion

§ Software eats the world

NetSec 2015 Slide 4

Technology & Innovation

In just two decades, new technologies and the Internet transformed society and businesses alike. We had little time to learn or adapt, as individuals, society or industry. We have to adapt to permanent change and high dynamics.

[Figure: time scale contrasting "1 Million Years" with "50 Years"]

NetSec 2015 Slide 5

The Environment

Internet usage has grown to more than three billion users. The number of targets, the revenue per target and the type of exploitation have also evolved rapidly:

§  Networking evolved from dedicated point to point connections to ubiquitous communication between people, platforms, and applications

§  Vulnerabilities in applications and devices are now globally exposed and accessible

NetSec 2015 Slide 6

Why is network security an issue?

§ Infinite interactions, protocols, services, apps
§  Economy and our life increasingly depend on the Internet
§  Distributed information systems have become critical infrastructures

§ Open systems
§  Technology is standardized and is no longer a secret

§ Insecurity driven by organized adversaries
§  Entirely new «business models»

NetSec 2015 Slide 7

Security has become critical

§ Security
§  Security is one of the hidden building blocks of the Internet
§  The limits of security imply the limits of the Internet

§ Growing online business attracts attackers
§  Attackers increase the cost of doing business online
§  But the business opportunities of being on the Internet far outweigh the risks

[Figure: market acceptance of the Internet over time: Early Adoption (mid 90s), Hype (late 90s), Trough of Disillusionment (2000-2003), Serious Use (since 2000)]


NetSec 2015 Slide 8

Internet Security Evolution

Figure courtesy Engin Kirda, Northeastern University

NetSec 2015 Slide 9

The Threat Environment

[Figure: attackers' expertise (script kiddy, hobbyist hacker, expert, author of tools) plotted against motivation (curiosity, personal fame, vandalism, theft / personal gain)]

Tools created by experts are used by less-skilled criminals, for personal gain. This is a fast growing segment.

NetSec 2015 Slide 10

Complexity

•  Complexity and interaction between systems is growing continuously

•  Complexity is the worst enemy of security

NetSec 2015 Slide 11

Network of People, Devices, and Services

The increasing number of new ways of interaction also creates novel attack paths, which by definition are not predictable


NetSec 2015 Slide 12

Complex Adaptive System (CAS)

§ Connectivity A decision on one part will affect all other related parts

§ Co-Evolution Elements can change based on their interaction between one another and the environment

§ Sensitive Dependence Sensitivity to initial conditions (non-linearity, cascades)

§ Emergent Order Potential for emergent and unpredictable behaviour

Source: http://web.mit.edu/esd.83/www/notebook/Complex%20Adaptive%20Systems.pdf

NetSec 2015 Slide 13

Strategies to Handle Unpredictability

Humans: prevent shocks
§  Predict and model risks
§  Relies on accuracy of models and probabilities
§  Optimization: short term gain, efficiency
> fragile

Nature, evolution: absorb shocks
§  No attempt to predict risks
§  Relies on redundancy and robustness
§  Absorption: long term survival, diversity
> anti-fragile

Source: Antifragile: Things That Gain from Disorder, by Nassim Nicholas Taleb


NetSec 2015 Slide 14

Innovation & Price Erosion

§ Continued miniaturisation and price erosion

§ Today’s transistors are 90,000x more efficient and 60,000x cheaper than in 1971

§ A car today would cost USD 0.25 and consume 0.2 ml/100 km of fuel

Source: The Economist, The End of Moore's Law

Attackers can afford functionality and tools today that were beyond their reach a decade ago.

NetSec 2015 Slide 16

Innovation & Price Erosion

Nonexistent or previously unavailable technologies become common goods. Revalidate security assumptions that were based on the (A) limited availability, (B) unaffordability, or (C) limited performance of a technology.

[Figure: Software Defined Radio, from USD 500,000 to USD 500 within 15 years]

NetSec 2015 Slide 17

Examples of new Attack Vectors

§ Software Defined Radios (SDR)
§  All radio communication and protocols without strong cryptographic protection are highly exposed

§ Drones
§  Drones easily bypass perimeters to sniff or insert eavesdropping devices

§ Robots
§  Robots can access areas not accessible by humans, remotely controlled to manipulate, monitor, or take other actions


NetSec 2015 Slide 18

Playground for Software Defined Radios (SDR)

§  Unsecured communication and networks are exposed


WHO ARE THE ATTACKERS?

NetSec 2015 Slide 20

Attacker Motivation

§ Ego
§  Show the world what one can do, impress peers
§  To live some fantasy of omnipotence

§ Revenge, destruction, creation of fear
§  Cyber warfare
§  Terrorism
§  Secret service activities (Stuxnet 2010, Snowden/NSA 2013)
§  Revenge (e.g. a disgruntled employee)

§ Criminal intent
§  Blackmail, protection racketeering
§  Credit card fraud
§  Infiltrating e-banking
§  Spamming, phishing

NetSec 2015 Slide 21

What can attackers do?

§ Attack the flow of information
§  Send fake messages
§  Replay messages
§  Modify messages in transit

§ Denial of service (DoS)
§  Overload system resources
§  Internet infrastructure: DNS, BGP, ARP

§ Unauthorized access to services
§  Infiltrate security protocols or processes (e.g. MITM)

§ Abuse systems
§  Infiltrate system with attack code

§ Modify web pages
§  Change content
§  Place attack code

§ Hijack sessions
§  E-banking

§ Identity theft
§ Social engineering
§ Break crypto
§ etc.

NetSec 2015 Slide 22

Where are the attack targets?

§ Local attacks: client-side attacks dominate
§  Browser attacks targeting plug-ins
§  IFrame based attacks are now prevalent

§ Attacks of all shapes and sizes
§  Anti-virus worms
§  Social networking attacks – Twitter & Facebook
§  Phishing: the banking industry is target #1
§  Web mines: www.goggle.com rather than www.google.com
§  Documents: PDFs are not safe!

§ Data stored on end-points is often the most valuable and the least protected!

NetSec 2015 Slide 23

Actors & Attackers

(ordered from targeted attacks at the top to opportunistic attacks at the bottom)

Attacker: Nation States, Agencies
  Objectives: information; fighting crime/terrorism; espionage; sabotage
  Resources: enormous financial resources; focus on result, not cost
  Proceeding: build & buy know-how; persistent & well hidden attacks; subversion of supply chain

Attacker: Terrorists
  Objectives: damage; attention; manipulation of politics; Fear, Uncertainty and Doubt (FUD)
  Resources: considerable financial resources; potentially large network of supporters
  Proceeding: buy know-how on black market; physical attacks

Attacker: (Organized) Crime
  Objectives: financial; business; make money in the long term; profit/loss driven
  Resources: existing gangs; per-case groups of specialists
  Proceeding: bribery

Attacker: Hacktivists, Groups
  Objectives: mass attention; damage; denounce vulnerabilities in systems/organizations
  Resources: minimal financial resources; large reach; highly motivated amateurs & specialists
  Proceeding: develops unpredictable momentum

Attacker: Vandals, Script Kiddies
  Objectives: fame; reputation
  Resources: minimal financial resources and know-how
  Proceeding: available tools

NetSec 2015 Slide 24

Actor: Nation States

§ Nation States
§  Virtually unlimited resources
§  They have a mandate by law to do certain things
§  Access (technical or legal) to critical components of the Internet infrastructure (like the backbone)
§  Attacks on the integrity of the supply chain
§  Espionage and sabotage

NetSec 2015 Slide 25

Actor: Terrorists

§ Terrorists
§  Maximize attention/publicity
§  Spread Fear, Uncertainty and Doubt (FUD)
§  Misuse of services with a large number of followers/large audience (Twitter, Facebook, TV, ..)
§  Targeting large events (sports, conferences, ..)

NetSec 2015 Slide 26

Cyber | Crime – All New?

§ Crime & Organized Crime
§  The first law code ever edited (Code of Hammurabi) documents that organized crime was very real 4000 years ago
§  Crime has a long history; it developed in the midst of people and society

§ Cyber
§  Term coined by Norbert Wiener in 1948, used in reference to the control of complex systems
§  Today: a mesh of computers, networks, and lots of people
§  New technologies have a short history

[Figure: Code of Hammurabi; Cyber Threats]

NetSec 2015 Slide 27

Usage of Technology & Innovation

§ Throughout history, new technologies have revolutionized crime and warfare alike, and so has information technology
•  Chariot .. •  Gunpowder .. •  Cars .. •  Tanks .. •  ICT ..

§ Criminals have repeatedly proved to be very fast adopters of new technology
§  Bonnot Gang: notorious French anarchists, inventors of the motorized getaway to outrun the police on horses (1911)


SECURITY CONCEPTS

NetSec 2015 Slide 29

What is the Objective?

§ Confidentiality
§  prevention of unauthorized disclosure of information

§ Integrity
§  prevention of unauthorized modification or deletion of information

§ Availability
§  prevention of unauthorized withholding of information

And more: Authenticity, Accountability, Non-repudiation, Privacy

[Figure: CIA triangle with the corners confidentiality, integrity, availability]


NetSec 2015 Slide 30

Attack Classification

Classification due to Steve Kent, BBN Technologies

NetSec 2015 Slide 31

Secure communication using an insecure channel

[Figure: the sender applies a security transformation (encryption with Secret Key 1) to the message and sends it over the channel; the receiver applies the inverse transformation (decryption with Secret Key 2)]

Attacker
•  Has full access to the physical channel
•  Knows all mechanisms and protocols
•  Does not know any secret keys

This attacker model is Kerckhoffs's principle (from his design principles for military ciphers): the security of the system must rest only on the secrecy of the keys, never on the secrecy of the mechanism.

NetSec 2015 Slide 32

What is a “Secure Channel”?

Not confidential channel: an attacker can eavesdrop on all information sent.

Confidential channel: no eavesdropping possible on information sent.

Not authentic channel: the receiver has no guarantee that the sender is the one he claims to be, and that the content is original.

Authentic channel: the receiver can be assured that the sender of the information is the one he claims to be and that the content is original.

Channel type: a channel is either not confidential or confidential, and independently either not authentic or authentic. Confidentiality alone does not give authenticity: an attacker who cannot read a message may still be able to modify it in transit.

secure = authentic and confidential
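The attacker model of slide 31 (full channel access, knows the mechanism, has no keys) and the confidential-versus-secure distinction of slide 32 in working code. This is an added example and not part of the original slides: it uses a toy stream cipher built from SHA-256 (a hypothetical construction for illustration only, not a cipher to deploy) for the confidential-only channel, and adds an HMAC-SHA256 tag under a second key for the secure channel. The keys and the payment order "PAY 100 EUR TO ALICE" are constructed sample input.

```python
import hashlib
import hmac
import secrets

# Toy stream cipher (hypothetical construction for illustration only, not a
# production cipher): keystream blocks are SHA-256(key || nonce || counter).
# Per Kerckhoffs's principle the attacker is assumed to know this construction;
# what the attacker does not know are the keys.
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_only(enc_key: bytes, message: bytes) -> bytes:
    """Confidential channel: output = nonce || (message XOR keystream)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + _xor(message, _keystream(enc_key, nonce, len(message)))


def decrypt_only(enc_key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, message: bytes) -> bytes:
    """Secure channel: confidential (encryption) and authentic (HMAC over
    nonce and ciphertext, computed with a separate key)."""
    blob = encrypt_only(enc_key, message)
    return blob + hmac.new(mac_key, blob, hashlib.sha256).digest()


def verify_and_decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    # constant-time comparison: a plain byte compare would leak timing
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: message modified or forged")
    return decrypt_only(enc_key, body)


def tamper(blob: bytes, known: bytes, wanted: bytes, offset: int) -> bytes:
    """Attacker on the channel. Without any key, flip ciphertext bits so the
    receiver decrypts `wanted` instead of `known` at `offset`. This works for
    every stream cipher: C = P xor K, hence C xor (P xor P') = P' xor K."""
    mask = _xor(known, wanted)
    out = bytearray(blob)
    for i, m in enumerate(mask):
        out[NONCE_LEN + offset + i] ^= m
    return bytes(out)


def demo() -> dict:
    """Constructed scenario: random keys and a payment order (sample input)."""
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    order = b"PAY 100 EUR TO ALICE"

    # 1) confidential-only channel: the edit goes through undetected
    blob = encrypt_only(enc_key, order)
    forged = tamper(blob, b"1", b"9", offset=4)   # attacker guesses the layout
    accepted = decrypt_only(enc_key, forged)      # receiver reads PAY 900 ...

    # 2) secure channel: the same edit is rejected before decryption
    sealed = encrypt_then_mac(enc_key, mac_key, order)
    try:
        verify_and_decrypt(enc_key, mac_key, tamper(sealed, b"1", b"9", offset=4))
        rejected = False
    except ValueError:
        rejected = True
    return {"confidential_only_accepted": accepted, "secure_channel_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The tampering step never touches a key, which is the point of the slide: eavesdropping protection says nothing about integrity or origin. Real protocols use an authenticated-encryption mode (for example AES-GCM or ChaCha20-Poly1305) rather than a hand-built encrypt-then-MAC, but the property they provide is the same one shown here.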

NetSec 2015 Slide 33

Security on different layers

[Figure: three communicating protocol stacks (User Interface, Application, Transport, Network, Physical Layer) with the security mechanisms placed at the matching layer: authentication at the user interface, SSH at the application layer, SSL at the transport layer, IPSEC at the network layer, link encryption and quantum cryptography at the physical layer; underneath: hardware & software platforms, environments; alongside: intrusion detection/protection, spam filtering, economic incentives, legal enforcement, forensics]

RISK MANAGEMENT

“Never interrupt your enemy when he is making a mistake.” Napoleon Bonaparte (1769-1821)

NetSec 2015 Slide 35

Security is a trade-off

§ There’s no such thing as absolute security; security always involves trade-offs
§  If no airplanes flew, 9/11 couldn’t have happened.
§  If your business is offline, you can’t be hacked.

§ We can have as much security as we want
§  What are you willing to give up to get it?
§  Trade-offs can be financial, social, functional, etc.

§ We make decisions every day about these trade-offs
§  Have you ever crossed a busy road?


NetSec 2015 Slide 36

Take risk at the right place

NetSec 2015 Slide 37

Risk Analysis – A Process

Methodology

1.  What assets are we trying to protect?
2.  What are the risks to those assets?
3.  How well does the security solution mitigate those risks?
4.  What other risks does the security solution cause?
5.  What costs and trade-offs does the security solution impose?

Source: Bruce Schneier, BlackHat 2003

§  Finally: Is the trade-off worth it? Are the costs, risks and trade-offs caused by the security countermeasure worth the additional security?

NetSec 2015 Slide 38

Risk Management

§ Security is relative
§ Many risks and mitigations are possible
§ Things fail all the time > manage risks
§ Security is one of a number of competing objectives

Against a profit-driven attacker, it is sufficient to be a harder target than your competitor.

NetSec 2015 Slide 39

Risk Management

§ Options
§  avoid risk (give up business, skip project, ..)
§  decrease risk (by technology, procedures)
§  transfer risk (buy insurance)
§  accept risk

§ Security measures must make business sense

§ Risk < Opportunity

NetSec 2015 Slide 40

Reduce Risk and Evaluate

[Figure: the total risk is split into the parts that are avoided, insured and decreased; the remaining accepted risk is compared against the opportunity]

NetSec 2015 Slide 41

Dealing with Risks

Avoid: decision to not become involved, or action to withdraw

Reduce: action to reduce probability or impact

Transfer: buy insurance

Accept: accept loss or gain

[Figure: risk matrix with impact (low, medium, catastrophic) on one axis and probability (very low, medium, very high) on the other, mapping each cell to one of the four options]

"It is better to take risks you understand than to try to understand risks you are taking."
Nassim N. Taleb, author of The Black Swan

Avoid risks you do not understand

NetSec 2015 Slide 42

Example: Unnecessary Risk Taking

§  Do not connect a critical system to the outside unless you know exactly what the consequences are

§  Is connecting the inflight entertainment bus to the flight control bus worth the risk?
§  Can you even assess this risk?
§  Are these systems truly separated?
§  You are about to give passengers and the Internet access to control systems (ask Fiat/Chrysler)

VULNERABILITY LIFECYCLE

“There is no security on this earth, only opportunity.” Douglas MacArthur (1880-1964)

NetSec 2015 Slide 44

Software Complexity

Facts
§  Software complexity is increasing
§  There is no secure software

Thus, we need to
§  handle vulnerabilities
§  deploy software updates efficiently
§  systematically test the security of critical systems

NetSec 2015 Slide 45

Vulnerabilities

§ Security vulnerability
§  “refers to a weakness in a system allowing an attacker to violate the confidentiality, integrity, availability of the system or the data and applications it hosts.”
§  many similar definitions exist

§ There may be disagreement in concrete cases
§  “it’s a feature, not a vulnerability”, the vendor may say

§ The security landscape is determined by vulnerabilities

NetSec 2015 Slide 46

CVE - standardized vulnerability names

§ Common Vulnerabilities and Exposures (CVE)
§  CVE aims to standardize the names for all publicly known vulnerabilities and security exposures.
§  CVE has become the de facto industry standard for vulnerability identifiers.
§  CVE-yyyy-nnnn, e.g. CVE-2007-0943 (the sequence number has at least four digits; since 2014 it may be longer, so do not parse it as fixed width)

§ Nearly any publicly known security issue of relevance will eventually get a CVE number assigned.

Source: http://cve.mitre.org/about/index.html http://nvd.nist.gov

NetSec 2015 Slide 47

There Is No Secure Software

In spite of increased investment, the software industry at large is still unable to produce secure code

[Figure: security vulnerabilities published per month over time (red: top-10 software vendors)]

Insecure code gets exposed with the growth of the Internet

Source: http://techzoom.net/BugBounty/SecureSoftware

NetSec 2015 Slide 48

Software Complexity & Security

[Figure: vulnerabilities per vendor, trend over 5 years vs. last year (as of Aug 2015)]

We need to handle and fix software vulnerabilities, and deploy updates effectively

Only two of the top-10 software vendors reduced vulnerabilities over the 5 year period, although they employ the best computer scientists and engineers

Source: http://techzoom.net/BugBounty/SecureSoftware

NetSec 2015 Slide 49

Lifecycle of a Vulnerability

[Figure: lifecycle events of a vulnerability: discovery, exploit availability, public disclosure, patch availability, patch installation]

Source: http://www.techzoom.net/security-ecosystem

NetSec 2015 Slide 50

Risk exposure

§ Pre-disclosure risk (exogenous)
§  Time from discovery to disclosure
§  Only a closed group is aware of the vulnerability. This group could be anyone from hackers, organized crime or responsible security researchers/vendors

§ Post-disclosure risk (exogenous)
§  Time from disclosure to patch
§  The user waits for the vendor to issue a patch. The public is aware of this risk but has not yet received remediation from the vendor

§ Post-patch risk (endogenous)
§  The time from patch availability to patch installation; this is the only period under the user's own control

NetSec 2015 Slide 51

Discovery, Exploit, Patch

[Figure: scatter plot of discovery, exploit and patch events per vulnerability]
§ x-axis: public disclosure date of the vulnerability
§ y-axis: number of days the event happened before (-) or after (+) disclosure

NetSec 2015 Slide 52

From discovery to disclosure

§ Measure of pre-disclosure risk
§ 50% of vulnerabilities are known to insiders 30 or more days before disclosure (less-than-zero-day).

[Figure: ECDF (Empirical Cumulative Distribution Function) of the time from discovery to disclosure]


NetSec 2015 Slide 53

From discovery to disclosure

Assume you discover a high risk vulnerability in a prevalent product:

What are your options?

NetSec 2015 Slide 54

From discovery to disclosure

§ (Less than) zero-day vulnerability
§  Vulnerabilities not yet known to the public are systematically used by cybercriminals, government agencies, ..

§ There is a market for new vulnerabilities
§  Zero Day Initiative of Tipping Point, iDefense
§  Black market
§  Pricing from 1,000 to > 200,000 USD

Check out: http://www.zerodayinitiative.com/advisories/upcoming http://labs.idefense.com/vcp http://www.techzoom.net/security-ecosystem


NetSec 2015 Slide 55

Forbes article, 2012

Source: http://bit.ly/ForbsExploits by Forbes

“Each price assumes an exclusive sale, the most modern version of the software, and, of course, not alerting the software’s vendor. Some fees might even be paid in installments, with each subsequent payment depending on the vendor not patching the security vulnerabilities used by the exploit.”

NetSec 2015 Slide 56

From Exploit to Disclosure

§ High dynamics at the disclosure date (zero-day exploits)
§ Exploit availability jumps from 15% to 80% at disclosure
§ New exploits are readily assessed by advisory providers

NetSec 2015 Slide 57

Zero-day exploits and vulnerabilities

§ The zero-day: the day when a vulnerability becomes known
§  By whom? (attacker, developer/vendor, public)
§  Our position: by the public

§ Zero-day exploit: attack that exploits a previously unknown vulnerability
§  The exploit may make the vulnerability public
§  A public announcement may make an exploit possible

§ Terminology is not consistent in the security community

NetSec 2015 Slide 58

From disclosure to patch

§  Measure of post-disclosure risk
§  At disclosure, less than 50% of vulnerabilities have a patch
§  A month after disclosure, still ~30% of vulnerabilities are unpatched
§  Zero-day patch: the patch is available on the disclosure date (disclosure date - patch date = 0)


NetSec 2015 Slide 59

Dynamics of (In)security

§ Difference between the exploit (red) and patch (green) curves shows the imbalance in favor of insecurity.

§ The bad are consistently faster than the good.

NetSec 2015 Slide 60

Dynamics of (In)security

§ Extremely high dynamics around the disclosure day
§  Only around 50% of patches are available at zero-day
§  Around 80% of exploits are available at zero-day

§ Security is slow
§  Exploit availability stays higher than patch availability
§  Many vulnerabilities are unpatched even 100 days after disclosure

§ Insiders
§  Many vulnerabilities are known to a closed group well before the disclosure
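The lifecycle measurements of slides 49 to 60 (event offsets relative to disclosure, the three risk periods of slide 50, the less-than-zero-day ECDF, exploit and patch availability curves and the gap between them) together with the CVE identifier syntax of slide 46, as an added example that is not part of the original slides. The five vulnerability records are constructed sample data with placeholder names A to E, not real vulnerabilities; the CVE strings in the usage note are syntax examples only.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# CVE identifier syntax: "CVE-" + four-digit year + sequence number of at
# least four digits. Since 2014 the sequence may be longer, so a fixed-width
# "CVE-yyyy-nnnn" pattern would wrongly reject valid identifiers.
CVE_ID = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def is_cve_id(text: str) -> bool:
    return CVE_ID.match(text) is not None


def d(iso: str) -> date:
    return date.fromisoformat(iso)


@dataclass
class Vuln:
    """One vulnerability and its lifecycle events. A date is None when the
    event has not happened (no public exploit, no patch yet)."""
    name: str
    discovery: date
    disclosure: date
    exploit: Optional[date]
    patch: Optional[date]

    def offset(self, when: Optional[date]) -> Optional[int]:
        """Days relative to disclosure: negative = before, positive = after."""
        return None if when is None else (when - self.disclosure).days

    def is_zero_day_exploit(self) -> bool:
        # an exploit existed on or before the day the public learned of the bug
        o = self.offset(self.exploit)
        return o is not None and o <= 0

    def is_zero_day_patch(self) -> bool:
        # disclosure date - patch date = 0
        return self.offset(self.patch) == 0

    def risk_windows(self, installed: Optional[date] = None) -> dict:
        """Length in days of the three exposure periods: pre-disclosure
        (discovery to disclosure), post-disclosure (disclosure to patch) and
        post-patch (patch availability to installation, the user's own delay)."""
        post_disclosure = None if self.patch is None else (self.patch - self.disclosure).days
        post_patch = None
        if self.patch is not None and installed is not None:
            post_patch = (installed - self.patch).days
        return {
            "pre_disclosure": (self.disclosure - self.discovery).days,
            "post_disclosure": post_disclosure,
            "post_patch": post_patch,
        }


def availability(vulns, event: str, day: int) -> float:
    """Fraction of vulnerabilities for which `event` ('exploit' or 'patch')
    exists `day` days after disclosure (negative day = before). Evaluated over
    a range of days this yields the exploit and patch curves of the slides."""
    hits = 0
    for v in vulns:
        o = v.offset(getattr(v, event))
        if o is not None and o <= day:
            hits += 1
    return hits / len(vulns)


def insecurity_gap(vulns, day: int) -> float:
    """Exploit curve minus patch curve: positive values are the imbalance in
    favour of insecurity."""
    return availability(vulns, "exploit", day) - availability(vulns, "patch", day)


def ecdf(values):
    """Empirical cumulative distribution function as (value, fraction <= value)."""
    xs = sorted(values)
    return [(x, (i + 1) / len(xs)) for i, x in enumerate(xs)]


def fraction_known_at_least(vulns, days_before: int) -> float:
    """Share of vulnerabilities known to insiders at least `days_before` days
    before disclosure (the less-than-zero-day measure of slide 52)."""
    n = sum(1 for v in vulns if v.risk_windows()["pre_disclosure"] >= days_before)
    return n / len(vulns)


# Constructed sample records (not real vulnerability data); A..E are
# placeholder names, not CVE identifiers.
SAMPLE = [
    Vuln("A", d("2015-01-01"), d("2015-03-01"), d("2015-02-20"), d("2015-03-01")),  # exploit 9 days early, zero-day patch
    Vuln("B", d("2015-02-10"), d("2015-03-15"), d("2015-03-15"), d("2015-04-20")),  # zero-day exploit, patch after 36 days
    Vuln("C", d("2015-03-01"), d("2015-03-31"), d("2015-04-05"), None),             # still unpatched
    Vuln("D", d("2015-01-15"), d("2015-04-10"), None, d("2015-04-10")),             # no public exploit, zero-day patch
    Vuln("E", d("2015-04-01"), d("2015-04-20"), d("2015-04-25"), d("2015-06-01")),
]


if __name__ == "__main__":
    for day in (-10, 0, 5, 40, 100):
        print(day, availability(SAMPLE, "exploit", day),
              availability(SAMPLE, "patch", day), insecurity_gap(SAMPLE, day))
    print(fraction_known_at_least(SAMPLE, 30),
          ecdf(v.risk_windows()["pre_disclosure"] for v in SAMPLE))
```

On the sample, `is_cve_id("CVE-2007-0943")` accepts the slide's example and `is_cve_id("CVE-2014-7654321")` accepts the longer post-2014 form, while `"CVE-07-0943"` is rejected. Running the block prints, for each day offset, the two availability curves and their difference; with real advisory data the same functions reproduce the shape of the slides: a jump of both curves at day 0, the exploit curve staying above the patch curve, and a tail of vulnerabilities that never reach a patch.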


Conclusion Recommendations


CONCLUSIONS AND TAKE HOME MESSAGE

NetSec 2015 Slide 63

Take Home Message

§ Security is interdisciplinary
§  Technology, economics, organization, psychology, ..
§  It’s a complex adaptive system!
§  Complexity is our worst enemy
§  Security is a process, not a one-off thing

§ Risk management
§  Security is a trade-off
§  Risk management and analysis methodology
§  People and risk decisions
§  Don't take risks you don't understand

NetSec 2015 Slide 64

Take Home Message

§ Security concepts
§  CIA triad
§  Attacker classification
§  Security can be implemented on different OSI layers

§ Vulnerability lifecycle
§  What is a vulnerability, CVE
§  Lifecycle events and risk periods
§  Zero-day exploit/patch
§  Key numbers, global trends
§  Gap of insecurity

NetSec 2015 Slide 65

Take Home Message

§ Critical communications
§  Critical communications must be secured (authentication, confidentiality, integrity, availability)
§  Consider all unprotected network or radio communication as highly exposed
§  Test the isolation between critical and non-critical systems

NetSec 2015 Slide 66

Reader & References

§ Reader
§  Security Ecosystem and Vulnerability Lifecycle: http://weis09.infosecon.net/files/103/paper103.pdf

§ References
§  Common Vulnerabilities and Exposures (CVE): http://cve.mitre.org
§  National Vulnerability Database (NVD): http://nvd.nist.gov
§  E. Levy, Approaching Zero, IEEE Security and Privacy, vol. 2, no. 4, p. 65, 2004, http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=1324603 (document only accessible from within ETH, or with an established ETH VPN connection)