Traditional approaches vs. contemporary attacks How have bad-guy methods changed? What motivates them now?

Page 2

SEC 203

Steve Riley
Sr. Security Strategist
Microsoft Trustworthy Computing Group

[email protected]
http://blogs.technet.com/steriley

Making the Tradeoff: Be Secure or Get Work Done

Page 3

Old vs. new

Traditional approaches vs. contemporary attacks
How have bad-guy methods changed?
What motivates them now?

Page 4

What’s changing?

Old: large global events; massive worms; making headlines

New: identity theft, financial fraud; spyware; exploit enterprises; making money

Page 5

Meta-trend

Identity theft

Spamming, phishing, extortion

Page 6

So what’s going on?

Malware becomes more sophisticated
Increasingly sophisticated
Poly- and metamorphic
Evading anti-virus software
Act as vulnerability assessment tools
Use search engines for reconnaissance
Better targeting
Don’t advertise presence

Attacks are useful for longer times
Common to modify existing proven attack code
More variants of successful worms
Might result in new and hidden entry points

Vulnerabilities have street value
Criminals hire attackers
Criminals reuse their code
Huge market in unknown vulnerabilities
Capitalizing on shrinking window of exposure

Page 7

How bad is it?

Direct losses
$13,000: small company, modest infection (FBI 2005 Computer Crime Survey)
$83,000: per incident (Counterpane Internet Security); grows with frequency, extent, severity
$millions: at the high end

Indirect losses
$?: reputation, customer trust

Source: Counterpane Internet Security and MessageLabs

Page 8

Trojan attacks: top 5 by industry
(bar chart, y-axis 0–40; industries shown: financial services/banking; materials/manufacturing; entertainment/media; pharmaceutical/healthcare; travel/transportation)
Source: Counterpane Internet Security and MessageLabs

Page 9

Probes and enumerations: top 5 by industry
(bar chart, y-axis 0–35; industries shown: financial services/banking; pharmaceutical/healthcare; insurance/real estate; travel/transportation; retail/wholesale)
Source: Counterpane Internet Security and MessageLabs

Page 10

Spyware: top 5 by industry
(bar chart, y-axis 0–60; industries shown: pharmaceuticals/healthcare; insurance/real estate; utilities/power/energy; retail/wholesale; materials/manufacturing)
Source: Counterpane Internet Security and MessageLabs

Page 11

Direct attacks: top 5 by industry
(bar chart, y-axis 0–30; industries shown: insurance/real estate; pharmaceuticals/healthcare; materials/manufacturing; retail/wholesale; government/education)
Source: Counterpane Internet Security and MessageLabs

Page 12

Security’s link to economics

An economic opportunity lurks inside every security problem
Learn how to express security issues in economic terms
Look for ways to shift the balance in your favor

Page 13

Spyware is costing you big

$72,000: user annual salary
260: working days per year
2: time to fix (hours)
2: people involved (user, tech)

Cost per infection: $72,000 / 260 days / 8 hours per day × 2 hours × 2 people ≈ $138

1,000: employees in organization
5%: infection rate, per month

Annual cost: (1,000 × 5%) × 12 months × $138 = $82,800

Source: Network World Magazine

Page 14

A law firm

$600: hourly rate for a partner
260: working days per year
2: time to fix (hours)
1: partner involved

Cost per infection: $600/hour (= $600 × 2,080 hours / 260 days / 8 hours per day) × 2 hours × 1 partner = $1,200

1,000: employees in organization
5%: infection rate, per month

Annual cost: (1,000 × 5%) × 12 months × $1,200 = $720,000

Source: Network World Magazine

Page 15

Is email even useful anymore?

Postini


Page 19

An affiliates program

“Our first program pays you $0.50 for every validated free-trial registrant your website sends to [bleep]. Commissions are quick and easy because we pay you when people sign up for our three-day free-trial. Since [bleep] doesn't require a credit card number or outside verification service to use the free trial, generating revenue is a snap.

The second program we offer is our pay per sign-up plan. This program allows you to earn a percentage on every converted (paying) member who joins [bleep]. You could make up to 60% of each membership fee from people you direct to join the site.

Lastly, [bleep] offers a two tier program in addition to our other plans. If you successfully refer another webmaster to our site and they open an affiliate account, you begin earning money from their traffic as well! The second tier pays $0.02 per free-trial registrant or up to 3% of their sign-ups.”

Page 20

Let’s do the math

SoBig spammed 100,000,000 mailboxes. What if…

10% read the email and clicked the link: 10,000,000
1% of those signed up for a three-day trial: 100,000 × $0.50 = $50,000
1% of those enrolled for 1 year: 1,000 × $144 = $144,000

Would you do it???

Page 21

Postmarks—change the economics

http://research.microsoft.com/research/sv/PennyBlack/

Page 22

Spam and spyware lead to bots

Consider a 10,000-member botnet:

Attack | Requests/bot | Botnet total | Resource exhausted
Bandwidth flood (uplink) | 186 kbps | 1.86 Gbps | T1, T3, OC-3, OC-12
Bandwidth flood (downlink) | 450 kbps | 4.5 Gbps | T1, T3, OC-3, OC-12, OC-48 (2.488 Gbps); 50% of Taiwan/US backbone
SYN flood | 450 SYNs/sec | 4.5M SYNs/sec | 4 dedicated Cisco Guard ($90k) or 20 tuned servers
Static HTTP GET (cached) | 93/sec | 929,000/sec | 15 servers
Dynamic HTTP GET | 93/sec | 929,000/sec | 310 servers
SSL handshake | 10/sec | 100,000/sec | 167 servers

Page 23

How to become a bot

Low interest rates!

Gimme credit cards!

Extend your penis!

Get a better job!

Cheap movie tickets!

Page 24

Edwin Pena: pioneering VoIP attacks

Page 25

Edwin’s stats

18 months: duration of scam
10,000,000: minutes fraudulently sold
$20,000: paid to buddy
15: VoIP providers attacked
$300,000: interconnect charges providers had to pay
Lavishly: how Edwin spent his takings, until…
Failed: to meet bond conditions, and fled
35 years: prison time
$1,250,000: fines

Page 26

The tradeoff

Security vs. usability
Security vs. usability vs. cost

Is the security worth the cost?

Page 27

Secure. Usable. Cheap.

You get to pick any two!

Page 28

Examples

Personal security
Event/city security
National security
Aviation security
Information security

Page 29

Personal security: bullet-proof vests

Claim: protects you from gunshot death

Costs: weight; comfort; convenience; lack of style

Risk + likelihood: very low

Analysis: risk not worth the cost

Page 30

Personal security:children and strangers

Claim: talking to strangers is dangerous

Costs: fear of asking for help; default stance of distrust; reduction in civil society

Risk + likelihood: quite low

Analysis: more children will suffer

Page 31

Event/city security:cameras and face recognition

Claim: watch crowds everywhere, find criminals

Costs: money; privacy; high error rate

Risk + likelihood: questionable

Analysis: did the costs actually help find criminals? Tampa: no

Page 32

National security: war on terror

Claim: protect United States from terrorists

Costs: money; lives; American reputation; personal freedoms and liberties

Risk + likelihood: extremely low

Analysis: did we get the most security possible, given the costs? Is there any return in exchange for liberties?

Page 33

Speaking of war…

Page 34

Aviation security: how much screening?

Claim: identity + inspection = intent

Costs: privacy (plus embarrassment); time (plus convenience); restrictions (liquids, pointy things); liberties (guilty first, massive profiling databases); money

Risk + likelihood: low

Analysis: does any of it actually make airplanes more secure? Can you pick bad guys out of a crowd?

Page 35

Aviation security: too much? Transmission x-ray

Page 36

Aviation security: too much? Backscatter x-ray

Page 37

Aviation security: too much? Passive-millimeter wave scanner

Page 38

Information security

Performance
Freedom and location of access
Ease or frequency of use
Portability
Time
Cost
Privacy

Will you exchange these?

Page 39

Tradeoff: complete security

Page 40

Information security

Passwords: remembering vs. writing down
RFID: inventory tracking vs. monitoring locations
System config: locked down vs. wild and free
Access control: strict vs. loose
Encryption: privacy vs. loss
Email: availability vs. integrity

Security admin vs. network admin
Security staff vs. executive management

Page 41

Virtual keyboards

Seems to be effective…

Screen recorders
Steal session after logon
Capture credentials from HTTP stream before SSL encryption
Hassle factor: forces user to select a short password

So maybe it’s less secure!

Not worth the tradeoff: slow and clunky

Addresses symptom (stolen credential) vs. root cause (malware)
Threat scenario is too specific

Page 42

Privacy tradeoffs

Have a private face-to-face conversation?
Drive from A to B without anyone knowing?
Fly?
Be totally invisible in a crowd? But still leave your cell phone turned on?
Make purchases without revealing your identity? Online?
Embed tracking devices in pets? In people?
Surf the Internet anonymously?
Send email anonymously?

Page 43

Are we designed to make tradeoffs?

Yes: when threats are visible, obvious, immediate, recent. But common threats we forget about.

No: when threats are invisible, nonobvious, delayed, historical. But rare threats we tend to hype.

Page 44

Applying the tradeoff

Don’t spend more on mitigation than the asset is worth!
Don’t destroy the asset in the process
Some risks you have to tolerate

Make the loss cost less
Transfer risk to someone else
Or simply ignore
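The arithmetic on the “Spyware is costing you big” and “A law firm” slides, together with the rule on this slide, amounts to a small cost model. The following is an added example written for this page, not code from the presentation: it generalises the Network World figures into one calculation and applies the “don’t spend more than the loss you remove, or more than the asset is worth” test. Class, field and function names are my own, and the 8-hour working day is an assumption that the slides’ per-day arithmetic implies but does not state.

```python
"""Cost-of-infection model and the mitigation tradeoff (added example)."""
from dataclasses import dataclass

WORKING_DAYS_PER_YEAR = 260   # from the slides
HOURS_PER_DAY = 8             # assumed; matches the slides' per-day arithmetic


@dataclass(frozen=True)
class CleanupProfile:
    """Who is tied up by one infection, and what their time costs."""
    annual_salary: float   # annual pay of each person involved
    hours_to_fix: float    # hours each person loses per infection
    people: int            # people involved per infection (user + tech, etc.)

    @classmethod
    def from_hourly_rate(cls, hourly_rate, hours_to_fix, people):
        # A billed hourly rate (the law-firm partner) becomes an annual figure
        # over a 260-day, 8-hour year, i.e. 2,080 hours.
        annual = hourly_rate * WORKING_DAYS_PER_YEAR * HOURS_PER_DAY
        return cls(annual, hours_to_fix, people)

    def cost_per_incident(self) -> float:
        hourly = self.annual_salary / WORKING_DAYS_PER_YEAR / HOURS_PER_DAY
        return hourly * self.hours_to_fix * self.people


def incidents_per_year(employees: int, monthly_infection_rate: float) -> float:
    return employees * monthly_infection_rate * 12


def annual_loss(profile, employees, monthly_infection_rate) -> float:
    """Expected yearly cleanup cost: incidents per year x cost per incident."""
    return incidents_per_year(employees, monthly_infection_rate) * profile.cost_per_incident()


def worth_mitigating(loss_before, loss_after, annual_mitigation_cost, asset_value=None) -> bool:
    """The deck's tradeoff rule, made explicit:
    - a control only pays off if the expected loss it removes exceeds its cost;
    - never spend more on mitigation than the asset is worth (if a value is known)."""
    if asset_value is not None and annual_mitigation_cost > asset_value:
        return False
    return (loss_before - loss_after) > annual_mitigation_cost


if __name__ == "__main__":
    spyware = CleanupProfile(annual_salary=72_000, hours_to_fix=2, people=2)
    print(f"cost per infection: ${spyware.cost_per_incident():,.0f}")
    before = annual_loss(spyware, employees=1_000, monthly_infection_rate=0.05)
    print(f"annual loss at 5%/month: ${before:,.0f}")
    partner = CleanupProfile.from_hourly_rate(600, hours_to_fix=2, people=1)
    print(f"law firm annual loss: ${annual_loss(partner, 1_000, 0.05):,.0f}")
    # Hypothetical control: $50,000/yr of anti-spyware that cuts infections to 1%/month.
    after = annual_loss(spyware, 1_000, 0.01)
    print("worth it?", worth_mitigating(before, after, 50_000))
```

Note that the slides round $138.46 to $138 before multiplying, which is why they show $82,800 rather than the unrounded $83,077; the law-firm case comes out to exactly $720,000 either way. The rate cut and the $50,000 control in the demo are invented inputs, not figures from the deck.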

Page 45

Everything we do is risk management

Should you apply the patch?
Did you make that setting?
Did you get rid of Wintendo?
How did you configure the firewall?
What’s the ACL?

Risk management deals with threats

Page 46

Not risk management

“We have to enable NTLMv2”
“Another patch? Let’s switch platforms”
“Another patch? OK, deploy it”
“All systems should be secure by default”

Page 47

One size does not fit all

Every environment is unique
The risks differ for each environment
Risk tolerance differs
Products are designed based on assumptions
No product provides optimal security

Lemma: You cannot design an optimal security strategy without a thorough understanding of the usage and risks

Page 48

Risk assessment

(chart: asset value on the x-axis from Low to High, risk on the y-axis from Low to High; a risk-tolerance line separates the “What? Me worry?” region from the “Yes! We worry!” region)

Page 49

It’s got to cover all layers

People, policies, and process

Physical security

Perimeter

Internal network

Host

Application

Data

Page 50

Sample classification schemes

Physical: where is the asset? How is access obtained?
Public area: available during business hours
Employee-only: card-key readers
Controlled: card-key, PIN, and palm print

Network: access from where? How to authenticate?
Wired corpnet: domain logon (human and PC)
Wireless corpnet: domain logon plus certificates (human and computer)
VPN: domain logon, smartcard, quarantine
Kiosks: disallowed
Internet: disallowed except from corp PC

Page 51

Valuing assets

Primary factor | Example | Annual value
Overall value to the organization | Web site, runs 24/7, $2,000/hr revenue (× 8,760 hours) | $17,520,000
Immediate financial impact of loss | Unavailable for six hours: 0.0685% of the year (example ignores time of day, day of week, season, marketing campaigns) | –$12,000
Indirect business impact of loss | Attack: $10,000 to counteract negative publicity; 1% lost annual sales: $175,200 | –$185,200

Page 52

Tradeoff: patching

Applying every patch is typically a poor strategy
Irritates end users
Burns out the patch management team

Some patches are more important than others
Scrutinize the Mitigating Factors section of the bulletin
Understand the risk equation and the burden curve

Page 53

Risk equation

Risk ≈ (Access × Value) / Difficulty

Where:
Access = degree of access to an asset that an attacker could gain via the vulnerability
Value = value of the asset
Difficulty = difficulty of carrying out a successful attack

Page 54

ISO-Risk chart

(chart: difficulty on the x-axis, access on the y-axis, with bands labelled Critical, High, Moderate, Low; two plotted points: Blaster, and Blaster with mitigations)

Page 55

Cost curve

(chart: time on the x-axis, burden on the y-axis; curves for crisis deployment, maintenance, upgrade, and upgrade +1, plus the annualized cost)

Page 56

DREAD

Damage potential How great is the damage if the vulnerability is exploited?

Reproducibility How easy is it to reproduce the attack?

Exploitability How easy is it to launch the attack?

Affected users As a rough percentage, how many users are affected?

Discoverability How easy is it to find the vulnerability?

Page 57

Sample threat ratings

Damage potential
High (3): The attacker can subvert the security system; get full trust authorization; run as administrator; upload content
Medium (2): Leaking sensitive information
Low (1): Leaking trivial information

Reproducibility
High (3): The attack can be reproduced every time and does not require a timing window
Medium (2): The attack can be reproduced, but only with a timing window and a particular race situation
Low (1): The attack is very difficult to reproduce, even with knowledge of the security hole

Exploitability
High (3): A novice programmer could make the attack in a short time
Medium (2): A skilled programmer could make the attack, then repeat the steps
Low (1): The attack requires an extremely skilled person and in-depth knowledge every time to exploit

Affected users
High (3): All users, default configuration, key customers
Medium (2): Some users, non-default configuration
Low (1): Very small percentage of users, obscure feature; affects anonymous users

Discoverability
High (3): Published information explains the attack. The vulnerability is found in the most commonly used feature and is very noticeable
Medium (2): The vulnerability is in a seldom-used part of the product, and only a few users should come across it. It would take some thinking to see malicious use
Low (1): The bug is obscure, and it is unlikely that users will work out damage potential
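The DREAD table above and the risk equation on the earlier slide (Risk ≈ Access × Value / Difficulty) are easy to apply inconsistently across a backlog of bulletins. The following is an added example written for this page, not code from the presentation: it encodes the High (3) / Medium (2) / Low (1) scale, rejects out-of-range ratings, sums the five components, ranks threats, and evaluates the risk equation so that a mitigating factor shows up as a higher Difficulty. The Critical/High/Moderate/Low cut-offs on the DREAD total are my assumption (the deck’s ISO-risk chart carries no numbers), and the threat names and ratings in the demo are invented for illustration.

```python
"""DREAD scoring and the Risk ~ Access * Value / Difficulty equation (added example)."""
from dataclasses import dataclass, fields

HIGH, MEDIUM, LOW = 3, 2, 1


@dataclass(frozen=True)
class Dread:
    damage_potential: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        # Reject anything outside the slide's 1..3 scale so a typo (or a
        # CVSS-style 7 pasted by mistake) cannot silently inflate a rating.
        for f in fields(self):
            v = getattr(self, f.name)
            if v not in (LOW, MEDIUM, HIGH):
                raise ValueError(f"{f.name} must be 1, 2 or 3, got {v!r}")

    def total(self) -> int:
        """Sum of the five components: 5 (all Low) to 15 (all High)."""
        return sum(getattr(self, f.name) for f in fields(self))


def band(total: int) -> str:
    """Map a DREAD total to a severity band. Cut-offs are assumed, not from the deck."""
    if total >= 13:
        return "Critical"
    if total >= 10:
        return "High"
    if total >= 7:
        return "Moderate"
    return "Low"


def rank_threats(threats: dict) -> list:
    """Return (name, total, band) tuples, highest total first, ties by name."""
    scored = [(name, d.total(), band(d.total())) for name, d in threats.items()]
    return sorted(scored, key=lambda row: (-row[1], row[0]))


def risk(access: float, value: float, difficulty: float) -> float:
    """Risk ~ Access * Value / Difficulty, from the deck's risk-equation slide.
    Raising Difficulty (e.g. by applying a bulletin's mitigating factors)
    lowers the result without changing Access or asset Value."""
    if difficulty <= 0:
        raise ValueError("difficulty must be positive")
    return access * value / difficulty


if __name__ == "__main__":
    # Constructed sample: a wormable remote bug before and after a host firewall
    # blocks the vulnerable port from untrusted networks (hypothetical ratings).
    threats = {
        "remote-worm-unmitigated": Dread(HIGH, HIGH, HIGH, HIGH, HIGH),
        "remote-worm-firewalled": Dread(HIGH, HIGH, MEDIUM, LOW, HIGH),
        "local-info-leak": Dread(LOW, MEDIUM, MEDIUM, LOW, LOW),
    }
    for name, total, severity in rank_threats(threats):
        print(f"{name:26s} {total:2d}  {severity}")
    print("risk, unmitigated:", risk(access=3, value=10, difficulty=1))
    print("risk, mitigated:  ", risk(access=3, value=10, difficulty=3))
```

Keeping the per-component ratings rather than only the total matters when you revisit a decision: a mitigation usually moves one or two components (here Exploitability and Affected users), and the record shows which assumption the lower score rests on.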

Page 58

Our job as infosec experts

No!

Page 59

Avoid tweaking something just because you can

But try these, just in case…

HKLM\Software\Microsoft\Windows NT\CurrentVersion\DisableHackers=1 (REG_DWORD)

HKLM\Wetware\Users\SocialEngineering\Enabled=no (REG_SZ)

HKCU\Wetware\Users\CurrentUser\PickGoodPassword=1 (REG_BINARY)

HKLM\Hardware\CurrentSystem\FullyPatched=yes (REG_SZ)

HKLM\Software\AllowBufferOverflows=no (REG_SZ)

Page 60

New definition: security professional

It’s all about money

Save money…
Identify and mitigate risk
Ensure compliance

Make money…
Translate annoyances into differentiators

Select the trade-offs that balance security with business goals

Page 61

Steve Riley
[email protected]

http://blogs.technet.com/steriley

www.protectyourwindowsnetwork.com

Thanks very much!

Page 62

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.