The Dumbest Ideas In Computer Security Marcus J. Ranum CSO, Tenable Network Security, Inc. [email protected] [email protected]


Page 1:

The Dumbest Ideas In Computer Security

Marcus J. Ranum
CSO, Tenable Network Security, Inc.

[email protected]@tenablesecurity.com

Page 2:

Who am I

• CSO of Tenable Network Security
  – Makes innovative vulnerability detection and security event management tools
  – Develops and supports the Nessus vulnerability scanner project
  – Works with lots of MSPs and customers
• CyberTrust
• V-1 SmartWall
• Network Flight Recorder
• Trusted Information Systems

Page 3:

Intro – Who is Tenable?

• We run the Nessus project
  – More than 85,000 organizations world-wide
  – We develop 99.9% of the plugins
  – Develop and test all of Nessus 3
  – Still do a lot of work on and for Nessus 2
• Enterprise Security Vendor
  – Single vendor to offer enterprise security management solutions for:
    • Vulnerability Management
    • Compliance Monitoring & Reporting
    • Security Event Management
    • Network Behavioral Anomaly Detection
    • Passive and Active Asset discovery
  – More than 500 enterprise customers

Page 4:

What is Dumb??

Depending on which analysts you believe* the computer security market is billions of dollars, annually

* never a good idea

[Chart: computer security market size, 1995 to 2005, growing from $200m to $6b]

Page 5:

Dumb is Wasting Money

The number of systems penetrated continues to increase to the point where nobody even counts, anymore

Source: dept of made-up statistics

[Chart: systems compromised, 1995 to 2005: some, lots, too many, ridiculously too many; annotation: CERT throws in the towel and stops tracking machines compromised]

Page 6:

Chartology

Red = bad thing
Green = effort/expense

A chart like this represents a hard-fought but ultimately effective effort

Page 7:

Chartology

Red = bad thing
Green = effort/expense

A chart like this represents a rear-guard action

Page 8:

Chartology

Red = bad thing
Green = effort/expense

A chart like this represents a sucking chest-wound

Page 9:

OK, so what’s wrong?

• Computer security is off-course and has been for a long time
  – Since the “discovery” of security as a “market” it’s a big-money business
  – “Solutions” (I.e.: expen$ive product$) rule over common sense
  – Well marketed-to customers continually lurch from one “complete solution” that doesn’t work to the next

Page 10:

?

• What are the properties of secure systems?

Page 11:

Fundamental Security Problems

• Trusted Systems Design
• Assurance
• Code Quality
• Transitive Trust
• Authorization v. Authentication

Page 12:

Trusted System Design

• Understand the components of the system that must be trusted
  – Compartmentalized design
  – Understand trusted paths in inputs and code
• Top-to-bottom approach
  – Can’t “secure the network” and not the host
  – Can’t “secure the host” and not the network
  – Can’t “secure the data” and not the O/S

Page 13:

Assurance

• Assurance is the degree of confidence you have that the system functions as it is designed to
  – (Read Feynman on Challenger disaster)
• Assurance is a property of a system design
  – It is not an add-on feature to be “built in later” (Sorry, Microsoft)

Page 14:

Code Quality

• Code quality is necessary to be assured that a system functions as designed
  – Software as an engineering discipline
  – Security and reliability need to be:
    • Factored into design
    • Considered in code lay-out
    • Checked in code review
    • Tested in QA
    • Considered in maintenance

Page 15:

Transitive Trust

• If A trusts B and B trusts C, A trusts C and doesn’t know it
  – indeed A trusts everyone C trusts
• Dealing with transitive trust is a “hard problem” and may not be tractable
  – Hackers basically ignore transitive trust also because most systems are so weak transitive trust attacks are unnecessary!
  – Smart pen testers use transitive trust
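To make the A-trusts-B-trusts-C point concrete, here is an added Python example (not from the slides) that computes the trust a principal ends up holding through other parties' decisions, and the chain that explains it. The trust graph and the principal names are constructed.

```python
from collections import deque

# Constructed trust graph (not from the slides): each principal directly trusts
# the listed peers, e.g. via a shared account, host-based auth or a service
# credential. The names are hypothetical.
DIRECT_TRUST = {
    "A": {"B"},
    "B": {"C"},
    "C": {"D", "E"},
    "D": set(),
    "E": {"A"},  # E trusts A, so the graph contains a cycle
}

def transitive_trust(graph, start):
    """Every principal `start` ends up trusting, directly or via a chain (BFS)."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for peer in graph.get(node, ()):
            if peer != start and peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return seen

def implicit_trust(graph, start):
    """The slice of the closure `start` never knowingly granted: trust that
    exists only because of other parties' decisions."""
    return transitive_trust(graph, start) - set(graph.get(start, ()))

def trust_path(graph, start, target):
    """Shortest chain of trust decisions from start to target, or None."""
    prev, queue = {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for peer in graph.get(node, ()):
            if peer not in prev:
                prev[peer] = node
                queue.append(peer)
    return None

if __name__ == "__main__":
    print("A implicitly trusts", sorted(implicit_trust(DIRECT_TRUST, "A")),
          "via", " -> ".join(trust_path(DIRECT_TRUST, "A", "E")))
```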

Page 16:

Authorization V. Authentication

• Authentication: knowing who you are dealing with
• Authorization: knowing what a user is allowed to do
• Many fancy authentication systems (public key, etc) but authorization is a “hard problem”
  – What do you do when an authorized user does an inappropriate thing?

Page 17:

OK, So Life Sucks!

• These are extremely hard (and therefore $$$$) problems to deal with
• What’s the industry’s answer?
  – Attractive-sounding manure

Page 18:

A-SB: Antivirus

• Exhaustively list all the viruses on earth
  – stop them when they get onto your computer or try to execute
• 175,000 different viruses and spyware*
  – Fewer than 7,000 commonly-used business apps*
• Why list the bad stuff? List the good stuff! (trust-no-exe, program execution control, etc)

* approximately

Page 19:

A-SB: Intrusion Prevention

• Make a dictionary of “signatures” that match various network-based hacks as they traverse your network
  – Have a boundary device attempt to detect them fast enough to block them (put it in-line so it’s a nice single point of failure!)
• This is very similar to antivirus, including how stupid an idea it is

Page 20:

A-SB: Intrusion Prevention (cont)

• A “new trend” some talk about is “network compartmentalization”*
  – Identify segments of the network and enforce separation between them except for necessary services
    • I.e.: “database network”: the only traffic allowed in/out is Oracle to server; backup servers and utility systems are screened
    • I.e.: “mail hub”: Email only sent/delivered to/from a central port 25/IMAP-SSL server

* New? I have PowerPoint slides from 1989 that teach how to do it...
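An added Python example, not from the slides, of the default-deny segment policy the slide describes: a flow between two segments is denied unless an explicit rule allows it, which is also how you find out what traffic actually crosses the network. The segments, addresses, ports (1521 for the Oracle listener, 25 for SMTP, 993 for IMAP over SSL) and the sample flow records are all constructed.

```python
import ipaddress

# Constructed segment map (hypothetical addresses, not from the slides).
SEGMENTS = {
    "10.1.0.0/16": "app",       # application servers
    "10.2.0.0/16": "db",        # the "database network"
    "10.3.0.0/16": "backup",    # backup servers, screened into db
    "10.4.0.0/16": "mailhub",   # central port 25 / IMAP-SSL server
    "10.5.0.0/16": "desktops",
}

# Allow rules (src segment, dst segment, dst port); anything not listed is denied.
ALLOWED = {
    ("app", "db", 1521),          # Oracle listener, from the app tier only
    ("backup", "db", 1521),       # screened backup path into the db segment
    ("desktops", "mailhub", 25),  # mail is submitted to the hub...
    ("desktops", "mailhub", 993), # ...and read from it over IMAP-SSL
    ("mailhub", "internet", 25),  # only the hub speaks SMTP to the outside
}

def segment_of(ip):
    """Map an address to its segment; anything outside the map is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for cidr, name in SEGMENTS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return "internet"

def check_flow(line):
    """Evaluate one 'src dst dport' flow record; returns (verdict, reason)."""
    src, dst, dport = line.split()
    key = (segment_of(src), segment_of(dst), int(dport))
    label = f"{key[0]}->{key[1]}:{key[2]}"
    if key in ALLOWED:
        return "allow", label
    return "deny", f"{label} has no rule (default deny)"

def violations(lines):
    """Flow records the policy blocks: the ones worth alerting on."""
    return [line for line in lines if check_flow(line)[0] == "deny"]

# Constructed flow records, in the shape a flow collector might export.
SAMPLE_FLOWS = [
    "10.1.0.5 10.2.0.9 1521",    # app server to Oracle: allowed
    "10.5.0.20 10.2.0.9 1521",   # desktop straight to the database: denied
    "10.5.0.20 10.4.0.2 993",    # desktop reading mail from the hub: allowed
    "10.5.0.20 203.0.113.7 25",  # desktop mailing the internet directly: denied
    "10.4.0.2 203.0.113.7 25",   # hub relaying outbound mail: allowed
]
```

Running `violations(SAMPLE_FLOWS)` returns the two flows that bypass the database and mail-hub chokepoints.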

Page 21:

A-SB: Outsourcing Security

• Premise: anything that is not a “core competency” should be done by someone else, who can do it cheaper
  – Problem: If you never develop any knowledge of the problem how do you know if they are doing a good job?
  – You know this: if your business thinks IT is not part of its core business, you’ll be clobbered by a competitor in 10 years*

*exception: gravel pits

Page 22:

A-SB: Rent-a-hacker

• Pen-testing is the exact opposite of assurance by design
  – tells you one of two things:
    • You’re screwed
    • We don’t know if you’re screwed
  – Trying to prove a system can’t be hacked by trying to hack it is attempting to prove a negative
    • More effective: external design review early and implementation validation

Page 23:

The 90’s

• Netscape IPO: the greatest disaster in software history
  – Demonstrated incontrovertibly that the path to fortune in silicon valley is to throw shovelware over the fence
  – Triggered “the 10 year beta-test”
  – Dogmatized as “extreme programming” (I.e.: “write code now and figure out what you were trying to accomplish later”)

Page 24:

The 90’s (cont)

• What will it take to turn software development into an engineering discipline? (people who call the nonsense we do today “software engineering” need to be beaten)

• Network engineering and management are the next pain points

Page 25:

The 2010’s

• The next big frontier is going to be system administration
  – The death of general-purpose computing
    • PDAs become more powerful embedded appliances?
    • Disposable computing?
    • Ubiquitous computing?
    • Operating systems that don’t suck?

Page 26:

Windows Sys Administration

[Chart: systems under administration vs. time, plotted against Earth population; annotation: Every man, woman, and child on earth (over the age of 6) will be a Windows system administrator by 2020AD]

• 2020AD: The Infocalypse

Page 27:

Summary:

• Danger signs: If you are -
  – Listing lots of cases of bad stuff
  – Constantly patching your code
  – Running networks with open topologies
  – Running networks with no idea what traffic crosses them
  – Ignoring security in design process

… You may be in security hell

Page 28:

Summary 2:

Remember, it’s always much easier to not do something dumb than it is to do something smart

Page 29:

QUESTIONS ??

blog.tenablesecurity.com