(IN)SECURITY, RISK & THE LIFECYCLE OF VULNERABILITIES
Dr. Stefan Frei, Security Architect at Swisscom, [email protected], Twitter @stefan_frei
NetSec 2015 Slide 2
Cyber & Networking Security
§ Networking security has become a critical issue for all types of industries
§ But in many aspects, cyber security differs fundamentally from past challenges
NetSec 2015 Slide 3
What makes the cyber world special?
§ Communication between people, machines and devices
§ Increase of computing performance
§ Price erosion
§ Software eats the world
NetSec 2015 Slide 4
Technology & Innovation
In just two decades, new technologies and the Internet transformed society and businesses alike. We had little time to learn or adapt, as individuals, society or industry. We have to adapt to permanent change and high dynamics.
(Figure: 1 Million Years vs. 50 Years)
NetSec 2015 Slide 5
The Environment
Internet usage has grown to more than three billion users. The number of targets, revenue per target and type of exploitation has also evolved rapidly:
§ Networking evolved from dedicated point to point connections to ubiquitous communication between people, platforms, and applications
§ Vulnerabilities in applications and devices are now globally exposed and accessible
NetSec 2015 Slide 6
Why is network security an issue?
Infinite Interactions, Protocols, Services, Apps
§ Economy and our life increasingly depend on the Internet
§ Distributed information systems have become critical infrastructures
Open Systems
§ Technology is standardized and is no longer a secret
Insecurity driven by organized adversaries
§ Entirely new «business models»
NetSec 2015 Slide 7
Security has become critical
§ Security
 • Security is one of the hidden building blocks of the Internet
 • The limits of security imply the limits of the Internet
§ Growing online business attracts attackers
 • Attackers increase the cost of doing business online
 • But the business opportunities of being on the Internet far outweigh the risks
(Figure: market acceptance of the Internet over time: Early Adoption (mid 90s), Hype (late 90s), Trough of Disillusionment (2000-2003), Serious Use (since 2000))
NetSec 2015 Slide 8
Internet Security Evolution
Figure courtesy Engin Kirda, Northwestern University
NetSec 2015 Slide 9
The Threat Environment
(Figure: attackers' expertise on the x-axis (Script-Kiddy, Hobbyist Hacker, Expert, Author of Tools) against motivation on the y-axis (Curiosity, Personal Fame, Personal Gain, Theft, Vandalism). Annotation: tools created by experts are used by less-skilled criminals, for personal gain; this is a fast growing segment.)
Complexity
• Complexity and interaction between systems is growing continuously
• Complexity is the worst enemy of security
NetSec 2015 Slide 11
Network of People, Devices, and Services
The increasing number of new ways of interacting also creates novel attack paths which are, by definition, not predictable.
NetSec 2015 Slide 12
Complex Adaptive System (CAS)
§ Connectivity: a decision on one part will affect all other related parts
§ Co-Evolution: elements can change based on their interaction with one another and the environment
§ Sensitive Dependence: sensitivity to initial conditions (non-linearity, cascades)
§ Emergent Order: potential for emergent and unpredictable behaviour
Source: http://web.mit.edu/esd.83/www/notebook/Complex%20Adaptive%20Systems.pdf
NetSec 2015 Slide 13
Strategies to Handle Unpredictability
Man (Prevent Shocks)
§ Predict and model risks
§ Relies on accuracy of models and probabilities
§ Optimization: short term gain, efficiency
> fragile
Nature, Evolution (Absorb Shocks)
§ No attempt to predict risks
§ Relies on redundancy and robustness
§ Absorption: long term survival, diversity
> anti-fragile
Source: Antifragile: Things That Gain from Disorder, by Nassim Nicholas Taleb
NetSec 2015 Slide 14
Innovation & Price Erosion
§ Continued miniaturisation and price erosion
§ Today’s transistors are 90,000x more efficient and 60,000x cheaper than in 1971
§ A car today would cost USD 0.25 and consume 0.2 ml/100 km of fuel
Source: The Economist, The End of Moore's Law
Attackers can afford functionality and tools that were beyond their reach a decade ago.
NetSec 2015 Slide 16
Innovation & Price Erosion
(Figure: Software Defined Radio, from USD 500,000 to USD 500 within 15 years)
Revalidate security assumptions based on the (A) limited availability, (B) unaffordability, or (C) limited performance of a technology.
Nonexistent or previously unavailable technologies become common goods.
NetSec 2015 Slide 17
Examples of new Attack Vectors
§ Software Defined Radios (SDR)
 • All radio communication and protocols without hard crypto protection are highly exposed
§ Drones
 • Drones easily bypass perimeters to sniff or insert eavesdropping devices
§ Robots
 • Robots can access areas not accessible by humans. Remotely controlled to manipulate, monitor, or take other actions
NetSec 2015 Slide 18
Playground for Software Defined Radios (SDR)
§ Unsecured communication and networks are exposed
WHO ARE THE ATTACKERS?
NetSec 2015 Slide 20
Attacker Motivation
§ Ego
 • Show the world what one can do, impress peers
 • To live some fantasy of omnipotence
§ Revenge, destruction, creation of fear
 • Cyber warfare
 • Terrorism
 • Secret service activities (Stuxnet 2010, Snowden/NSA 2013)
 • Revenge (e.g. a disgruntled employee)
§ Criminal intent
 • Blackmail, racketeering (Schutzgelderpressung)
 • Credit card fraud
 • Infiltrating e-banking
 • Spamming, phishing
NetSec 2015 Slide 21
What can attackers do?
§ Attack flow of information
 • Send fake messages
 • Replay messages
 • Modify messages in transit
§ Denial of service (DoS)
 • Overload system resources
§ Internet infrastructure
 • DNS, BGP, ARP
§ Unauthorized access to services
§ Infiltrate security protocols or processes (e.g. MITM)
§ Abuse systems
 • Infiltrate system with attack code
§ Modify web pages
 • Change content
 • Place attack code
§ Hijack sessions
 • E-banking
§ Identity theft
§ Social engineering
§ Break crypto
§ etc.
NetSec 2015 Slide 22
Where are the attack targets?
§ Local attacks: client-side attacks dominate
 • Browser attacks targeting plug-ins
 • IFrame based attacks are now prevalent
§ Attacks of all shapes and sizes
 • Anti-virus worms
 • Social networking attacks: Twitter & Facebook
 • Phishing: banking industry is target #1
 • Web mines: www.goggle.com rather than www.google.com
 • Documents: PDFs are not safe!
§ Data stored on end-points is often the most valuable and the least protected!
NetSec 2015 Slide 23
Actors & Attackers (ordered from targeted, top, to opportunistic, bottom)
Columns: Attacker | Objectives | Resources | Proceeding

Nation States, Agencies
 • Objectives: Information; Fighting crime/terrorism; Espionage; Sabotage
 • Resources: Enormous financial resources; Focus on result, not cost; Build & buy know-how
 • Proceeding: Persistent & well hidden attacks; Subversion of supply chain

Terrorists
 • Objectives: Damage; Attention; Manipulation of politics; Fear, Uncertainty and Doubt (FUD)
 • Resources: Considerable financial resources; Potentially large network of supporters
 • Proceeding: Buy know-how on black market; Physical attacks

(Organized) Crime
 • Objectives: Financial; Business; Make money in the long term; Profit/loss driven
 • Resources: Existing gangs; Per-case groups of specialists
 • Proceeding: Bribery

Hacktivists, Groups
 • Objectives: Mass attention; Damage; Denounce vulnerabilities in systems/organizations
 • Resources: Minimal financial resources; Large reach; Highly motivated amateurs & specialists
 • Proceeding: Develops unpredictable momentum

Vandals, Script Kiddies
 • Objectives: Fame; Reputation
 • Resources: Minimal financial resources and know-how
 • Proceeding: Available tools
NetSec 2015 Slide 24
Actor: Nation States
§ Nation States
 • Virtually unlimited resources
 • They have a mandate by law to do certain things
 • Access (technical or legal) to critical components of the Internet infrastructure (like backbone)
 • Attacks on the integrity of the supply chain
 • Espionage and sabotage
NetSec 2015 Slide 25
Actor: Terrorists
§ Terrorists
 • Maximize attention/publicity
 • Spread Fear, Uncertainty and Doubt (FUD)
 • Misuse of services with a large number of followers/large audience (Twitter, Facebook, TV, ..)
 • Targeting large events (sports, conferences, ..)
NetSec 2015 Slide 26
Cyber | Crime – All New?
§ Crime & Organized Crime
 • The first law code ever written down (Code of Hammurabi) documents that organized crime was very real 4000 years ago
 • Crime has a long history, developing in the midst of people and society
§ Cyber
 • Term coined by Norbert Wiener in 1948, used in reference to the control of complex systems
 • Today: mesh of computers, networks, and lots of people
 • Short history of new technologies
(Images: Code of Hammurabi; Cyber Threats)
NetSec 2015 Slide 27
Usage of Technology & Innovation
§ Throughout history, new technologies have revolutionized crime and warfare alike, and so has information technology
 • Chariot .. • Gunpowder .. • Cars .. • Tanks .. • ICT ..
§ Criminals have repeatedly proved to be very fast adopters of new technology
 • Bonnot Gang: notorious French anarchists, inventors of the motorized get-away to outrun the police on horses (1911)
SECURITY CONCEPTS
NetSec 2015 Slide 29
What is the Objective?
(Figure: CIA triangle with confidentiality, integrity and availability at its corners)
§ Confidentiality: prevention of unauthorized disclosure of information
§ Integrity: prevention of unauthorized modification or deletion of information
§ Availability: prevention of unauthorized withholding of information
And more: Authenticity, Accountability, Non-repudiation, Privacy
NetSec 2015 Slide 30
Attack Classification
Classification due to Steve Kent, BBN Technologies
NetSec 2015 Slide 31
Secure communication using an insecure channel
(Figure: Sender applies a security transformation (encryption) to the message using Secret Key 1; the result crosses the channel; Receiver applies the inverse security transformation (decryption) using Secret Key 2.)
Attacker
• Has full access to the physical channel
• Knows all mechanisms and protocols
• Does not know any secret keys
Kerckhoffs's design principles for military ciphers
NetSec 2015 Slide 32
What is a “Secure Channel”?
Channel types (not confidential / confidential, not authentic / authentic):
§ Not confidential channel: an attacker can eavesdrop on all information sent.
§ Confidential channel: no eavesdropping possible on information sent.
§ Not authentic channel: the receiver has no guarantee that the sender is the one he claims to be, and that the content is original.
§ Authentic channel: the receiver can be assured that the sender of the information is the one he claims to be and that the content is original.
Secure = authentic and confidential
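As an added example (not part of the original slides), the following Python models the attacker of the channel slide (full access to the channel, knows every mechanism and protocol, holds no secret key) and shows what turns a "not authentic" channel into an "authentic" one: a message authentication code under a shared key. The key, messages and function names are constructed for this illustration; confidentiality is deliberately left out, so a secure channel in the sense above would still need encryption on top.

```python
"""Authentic vs. not-authentic channel (added example, not from the original slides).

Attacker model from the channel slide: full access to the physical channel,
knows all mechanisms and protocols (Kerckhoffs), does not know any secret key.
A shared-key MAC (HMAC-SHA256) lets the receiver distinguish genuine frames
from modified or forged ones.  Confidentiality is not provided here.
"""
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

# Constructed demo key shared by sender and receiver (a real key comes from a CSPRNG/KDF).
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def send_plain(message: bytes) -> bytes:
    """Not authentic channel: the frame is just the message."""
    return message


def receive_plain(frame: bytes) -> bytes:
    """Receiver has no way to check origin or integrity; accepts whatever arrives."""
    return frame


def send_authenticated(key: bytes, message: bytes) -> bytes:
    """Authentic channel: append an HMAC-SHA256 tag computed with the shared key."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def receive_authenticated(key: bytes, frame: bytes):
    """Return the message if the tag verifies, otherwise None (frame rejected)."""
    if len(frame) < TAG_LEN:
        return None
    message, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # Constant-time comparison so that tag bytes do not leak through timing.
    return message if hmac.compare_digest(tag, expected) else None


def attacker_modify(frame: bytes, old: bytes, new: bytes, tagged: bool) -> bytes:
    """Attacker rewrites message content in transit.  Knows the frame layout
    (Kerckhoffs) but has no key, so the existing tag can only be left as is."""
    if tagged:
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        return body.replace(old, new) + tag
    return frame.replace(old, new)


def demo() -> dict:
    """Send the same message over both channel types and report what the receiver sees."""
    msg = b"TRANSFER 100 TO ALICE"
    # Not authentic channel: the modification goes unnoticed.
    plain = attacker_modify(send_plain(msg), b"ALICE", b"MALLORY", tagged=False)
    # Authentic channel: the modified frame fails verification.
    tampered = attacker_modify(send_authenticated(SHARED_KEY, msg), b"ALICE", b"MALLORY", tagged=True)
    # Forgery with a guessed key fails as well.
    forged = send_authenticated(b"guessed-key", b"TRANSFER 100 TO MALLORY")
    return {
        "plain_received": receive_plain(plain),
        "tampered_rejected": receive_authenticated(SHARED_KEY, tampered) is None,
        "forged_rejected": receive_authenticated(SHARED_KEY, forged) is None,
        "genuine_received": receive_authenticated(SHARED_KEY, send_authenticated(SHARED_KEY, msg)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Note that a MAC alone does not stop the replay attack listed on the "What can attackers do?" slide: a genuine frame captured once still verifies when resent, so a real protocol adds sequence numbers or nonces under the tag.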
NetSec 2015 Slide 33
Security on different layers
(Figure: three nodes, each with Physical, Network, Transport and Application layers, with a User Interface at the two ends. Mechanisms shown by layer: Link encryption and Quantum Cryptography, IPSEC, SSL, SSH, and authentication ("Auth") at each node. Surrounding measures: intrusion detection/protection, spam filtering, economic incentives, legal enforcement, forensics; underlying hardware & software platforms and environments.)
RISK MANAGEMENT
"Never interrupt your enemy when he is making a mistake." Napoleon Bonaparte (1769-1821)
NetSec 2015 Slide 35
Security is a trade-off
§ There’s no such thing as absolute security; security always involves trade-offs
 • If no airplanes flew, 9/11 couldn’t have happened.
 • If your business is offline, you can’t be hacked.
§ We can have as much security as we want
 • What are you willing to give up to get it?
 • Trade-offs can be financial, social, functional, etc.
§ We make decisions every day about these trade-offs.
 • Have you ever crossed a busy road?
NetSec 2015 Slide 36
Take risk at the right place
NetSec 2015 Slide 37
Risk Analysis – A Process
Methodology
1. What assets are we trying to protect?
2. What are the risks to those assets?
3. How well does the security solution mitigate those risks?
4. What other risks does the security solution cause?
5. What costs and trade-offs does the security solution impose?
Source: Bruce Schneier, BlackHat 2003
§ Finally: is the trade-off worth it? Are the costs, risks and trade-offs caused by the security countermeasure worth the additional security?
NetSec 2015 Slide 38
Risk Management
§ Security is relative
 • Many risks and mitigations are possible.
 • Things fail all the time > manage risks.
 • Security is one of a number of competing objectives.
Against a profit driven attacker, it is sufficient to be a harder target than your competitor.
NetSec 2015 Slide 39
Risk Management
§ Options
 • Avoid risk (give up business, skip project, ..)
 • Decrease risk (by technology, procedures)
 • Transfer risk (buy insurance)
 • Accept risk
§ Security measures must make business sense
§ Risk < Opportunity
NetSec 2015 Slide 40
Reduce Risk and Evaluate
(Figure: total risk is reduced by the options Avoid, Insure and Decrease; the remaining accepted risk is set against the opportunity.)
NetSec 2015 Slide 41
Dealing with Risks
§ Avoid: decision to not become involved, or action to withdraw
§ Reduce: action to reduce probability or impact
§ Transfer: buy insurance
§ Accept: accept loss or gain
(Figure: risk matrix with Impact (Low, Medium, Catastrophic) on one axis and Probability (Very Low, Medium, Very High) on the other.)
"It is better to take risks you understand than to try to understand risks you are taking."
Nassim N. Taleb, Author of The Black Swan
Avoid risks you do not understand
NetSec 2015 Slide 42
Example: Unnecessary Risk Taking
§ Do not connect a critical system to the outside unless you know exactly what the consequences are
§ Is connecting the inflight entertainment bus to the flight control bus worth the risk?
 • Can you even assess this risk?
 • Are these systems truly separated?
 • You are about to give passengers and the Internet access to control systems (ask Fiat/Chrysler)
VULNERABILITY LIFECYCLE
"There is no security on this earth, only opportunity." Douglas MacArthur (1880-1964)
NetSec 2015 Slide 44
Software Complexity
Facts
§ Software complexity is increasing
§ There is no secure software
Thus, we need to
§ handle vulnerabilities
§ deploy software updates efficiently
§ systematically test the security of critical systems
NetSec 2015 Slide 45
Vulnerabilities
§ Security vulnerability
 • “refers to a weakness in a system allowing an attacker to violate the confidentiality, integrity, availability of the system or the data and applications it hosts.”
 • Many similar definitions exist
§ There may be disagreement in concrete cases
 • “It’s a feature, not a vulnerability”, the vendor may say
§ The security landscape is determined by vulnerabilities
NetSec 2015 Slide 46
CVE - standardized vulnerability names
§ Common Vulnerabilities and Exposures (CVE)
 • CVE aims to standardize the names for all publicly known vulnerabilities and security exposures.
 • CVE has become a de facto industry standard for vulnerability identifiers.
 • CVE-yyyy-nnnn, e.g. CVE-2007-0943
§ Any security issue of relevance will eventually get a CVE number assigned.
Source: http://cve.mitre.org/about/index.html, http://nvd.nist.gov
NetSec 2015 Slide 47
There Is No Secure Software
In spite of increased investment, the software industry at large is still unable to produce secure code.
(Figure: security vulnerabilities published per month; red: top-10 software vendors)
Source: http://techzoom.net/BugBounty/SecureSoftware
Insecure code gets exposed with the growth of the Internet.
NetSec 2015 Slide 48
Software Complexity & Security
(Figure: trend over 5 years vs. last year, as of Aug 2015)
We need to handle and fix software vulnerabilities, and deploy updates effectively.
Only two of the top-10 software vendors reduced vulnerabilities over the 5 year period, although they employ the best computer scientists and engineers.
Source: http://techzoom.net/BugBounty/SecureSoftware
NetSec 2015 Slide 49
Lifecycle of a Vulnerability
Source: http://www.techzoom.net/security-ecosystem
NetSec 2015 Slide 50
Risk exposure
§ Pre-disclosure risk (exogenous)
 • Time from discovery to disclosure
 • Only a closed group is aware of the vulnerability. This group could be anyone from hackers, organized crime or responsible security researchers/vendors
§ Post-disclosure risk (exogenous)
 • Time from disclosure to patch
 • User waits for the vendor to issue a patch. Public is aware of this risk but has not yet received remediation from the vendor
§ Post-patch risk (endogenous)
 • The time from patch availability to patch installation
NetSec 2015 Slide 51
Discovery, Exploit, Patch
§ x-axis: public disclosure date of vulnerability
§ y-axis: number of days the event happened before (-) or after (+) disclosure
NetSec 2015 Slide 52
From discovery to disclosure
§ Measure of pre-disclosure risk
§ 50% of vulns known to insiders 30 or more days before disclosure (less-than-zero-day).
ECDF: Empirical Cumulative Distribution Function
NetSec 2015 Slide 53
From discovery to disclosure
Assume you discover a high risk vulnerability in a prevalent product:
What are your options?
NetSec 2015 Slide 54
From discovery to disclosure
§ (Less than) zero day vulnerability
 • Vulnerabilities not yet known to the public are systematically used by cybercriminals, government agencies, ..
§ There is a market for new vulnerabilities
 • ZeroDayInitiative of Tipping Point, iDefense
 • Black market
 • Pricing from 1,000 to > 200,000 USD
Check out: http://www.zerodayinitiative.com/advisories/upcoming, http://labs.idefense.com/vcp, http://www.techzoom.net/security-ecosystem
NetSec 2015 Slide 55
Forbes article, 2012
Source: http://bit.ly/ForbsExploits by Forbes
“Each price assumes an exclusive sale, the most modern version of the software, and, of course, not alerting the software’s vendor. Some fees might even be paid in installments, with each subsequent payment depending on the vendor not patching the security vulnerabilities used by the exploit.”
NetSec 2015 Slide 56
From Exploit to Disclosure
§ High dynamics at the disclosure date (zero-day exploits)
§ Exploit availability jumps from 15% to 80% at disclosure
§ New exploits are readily assessed by advisory providers
NetSec 2015 Slide 57
Zero-day exploits and vulnerabilities
§ The zero-day: the day when a vulnerability becomes known
 • By whom? (attacker, developer/vendor, public)
 • Our position: by the public
§ Zero-day exploit: attack that exploits a previously unknown vulnerability
 • Exploit may make vulnerability public
 • Public announcement may make exploit possible
§ Terminology is not consistent in the security community
NetSec 2015 Slide 58
From disclosure to patch
§ Measure of post-disclosure risk
§ At disclosure, less than 50% of vulns have a patch
§ A month after disclosure, still ~30% unpatched vulns
§ Zero day patch: disclosure date of the vulnerability - date when patch is available = 0
NetSec 2015 Slide 59
Dynamics of (In)security
§ Difference between the exploit (red) and patch (green) curves shows the imbalance in favor of insecurity.
§ The bad are consistently faster than the good.
NetSec 2015 Slide 60
Dynamics of (In)security
§ Extremely high dynamics around the disclosure day
 • Only around 50% of patches available at zero-day.
 • Around 80% of exploits available at zero-day.
§ Security is slow
 • Exploit availability stays higher than patch availability
 • Many vulnerabilities are unpatched even 100 days after disclosure.
§ Insiders
 • Many vulnerabilities known to a closed group well before the disclosure.
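As an added example (not part of the original slides or the techzoom.net data), the following Python computes the quantities the lifecycle slides are built on: the three risk windows (pre-disclosure, post-disclosure, post-patch), the "days before (-) or after (+) disclosure" offsets of exploit and patch events, the ECDF of discovery-to-disclosure times, and exploit/patch availability at a given number of days after disclosure. It also checks the CVE-yyyy-nnnn identifier format from the CVE slide. The lifecycle records, dates and CVE identifiers are constructed placeholders, not real entries.

```python
"""Vulnerability lifecycle metrics (added example, not from the original slides).

Computes pre-disclosure, post-disclosure and post-patch risk windows, event
offsets relative to disclosure, an ECDF of discovery-to-disclosure times and
exploit/patch availability at day N after disclosure, on constructed records.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# CVE-yyyy-nnnn (e.g. CVE-2007-0943); since 2014 the sequence part may exceed four digits.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def is_valid_cve_id(cve_id: str) -> bool:
    """Syntactic check of a CVE identifier (does not verify it exists in NVD)."""
    return CVE_ID_RE.match(cve_id) is not None


@dataclass
class Lifecycle:
    cve_id: str
    discovery: date             # first known to a closed group (insiders)
    disclosure: date            # made public: the "zero-day" in the deck's terms
    exploit: Optional[date]     # first exploit available, if any
    patch: Optional[date]       # vendor patch available, if any
    installed: Optional[date]   # patch installed on the asset, if done

    def offset(self, event: Optional[date]) -> Optional[int]:
        """Days relative to disclosure: negative = before (-), positive = after (+)."""
        return None if event is None else (event - self.disclosure).days

    def pre_disclosure_days(self) -> int:
        """Exogenous risk window: discovery to disclosure."""
        return (self.disclosure - self.discovery).days

    def post_disclosure_days(self, today: date) -> int:
        """Exogenous risk window: disclosure until a patch exists (still open if none)."""
        return max(0, ((self.patch or today) - self.disclosure).days)

    def post_patch_days(self, today: date) -> Optional[int]:
        """Endogenous risk window: patch availability until installation."""
        if self.patch is None:
            return None
        return max(0, ((self.installed or today) - self.patch).days)


def share_known_at_least(records, days_before: int) -> float:
    """Share of vulnerabilities known to insiders at least days_before days before disclosure."""
    return sum(r.pre_disclosure_days() >= days_before for r in records) / len(records)


def availability_at(records, event: str, day: int) -> float:
    """Fraction of records whose event ('exploit' or 'patch') exists by disclosure + day."""
    have = 0
    for r in records:
        off = r.offset(getattr(r, event))
        if off is not None and off <= day:
            have += 1
    return have / len(records)


def ecdf(values):
    """Empirical cumulative distribution function as sorted (x, F(x)) pairs."""
    xs = sorted(values)
    return [(x, (i + 1) / len(xs)) for i, x in enumerate(xs)]


# Constructed sample: placeholder CVE ids and dates, not real data.
SAMPLE = [
    Lifecycle("CVE-2015-0001", date(2015, 1, 1), date(2015, 3, 1), date(2015, 2, 20), date(2015, 3, 1), date(2015, 3, 15)),
    Lifecycle("CVE-2015-0002", date(2015, 2, 15), date(2015, 3, 10), date(2015, 3, 10), date(2015, 4, 10), None),
    Lifecycle("CVE-2015-0003", date(2014, 12, 1), date(2015, 3, 20), None, date(2015, 3, 20), date(2015, 3, 21)),
    Lifecycle("CVE-2015-0004", date(2015, 3, 25), date(2015, 4, 1), date(2015, 4, 2), None, None),
    Lifecycle("CVE-2015-0005", date(2015, 1, 15), date(2015, 4, 15), date(2015, 4, 15), date(2015, 5, 1), date(2015, 6, 1)),
]

if __name__ == "__main__":
    today = date(2015, 12, 31)
    assert all(is_valid_cve_id(r.cve_id) for r in SAMPLE)
    for r in SAMPLE:
        print(r.cve_id, "exploit", r.offset(r.exploit), "patch", r.offset(r.patch),
              "pre", r.pre_disclosure_days(), "post-disclosure", r.post_disclosure_days(today),
              "post-patch", r.post_patch_days(today))
    print("known >= 30 days before disclosure:", share_known_at_least(SAMPLE, 30))
    for day in (0, 30, 100):
        print(f"day {day}: exploit {availability_at(SAMPLE, 'exploit', day):.0%}, "
              f"patch {availability_at(SAMPLE, 'patch', day):.0%}")
    print("ECDF discovery -> disclosure:", ecdf([r.pre_disclosure_days() for r in SAMPLE]))
```

The gap between the exploit and patch availability curves on the slides is availability_at(records, "exploit", day) minus availability_at(records, "patch", day) evaluated over a range of days; on the constructed sample it is 20 percentage points at day 0 and at day 30, which mirrors the imbalance the deck describes without reproducing its real numbers.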
Conclusion Recommendations
CONCLUSIONS AND TAKE HOME MESSAGE
NetSec 2015 Slide 63
Take Home Message
§ Security is interdisciplinary
 • Technology, economics, organization, psychology, ..
 • It‘s a complex adaptive system!
 • Complexity is our worst enemy
 • Security is a process, not a one-off thing
§ Risk management
 • Security is a tradeoff
 • Risk management and analysis methodology
 • People and risk decisions
 • Don't take risks you don't understand
NetSec 2015 Slide 64
Take Home Message
§ Security concepts
 • CIA triad
 • Attacker classification
 • Security can be implemented on different OSI layers
§ Vulnerability lifecycle
 • What is a vulnerability, CVE
 • Lifecycle events and risk periods
 • Zero-day exploit/patch
 • Key numbers, global trends
 • Gap of insecurity
NetSec 2015 Slide 65
Take Home Message
§ Critical communications
 • Critical communications must be secured (authentication, confidentiality, integrity, availability)
 • Consider all unprotected network or radio communication as highly exposed
 • Test the isolation between critical and non-critical systems
NetSec 2015 Slide 66
Reader & References
§ Reader
 • Security Ecosystem and Vulnerability Lifecycle, http://weis09.infosecon.net/files/103/paper103.pdf
§ References
 • Common Vulnerabilities and Exposures (CVE), http://cve.mitre.org
 • National Vulnerability Database (NVD), http://nvd.nist.gov
 • E. Levy, Approaching Zero, IEEE Security and Privacy, vol. 2, no. 4, p. 65, 2004, http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=1324603 (document only accessible from within ETH, or with an established ETH VPN connection)