dumb ideas in computer security - institute for … · pfleeger consulting group 19 july 2011...
Dumb Ideas in Computer Security
Dr Charles P Pfleeger
Pfleeger Consulting Group
19 July 2011
[email protected]
© Pfleeger Consulting Group 2011
Marcus Ranum’s Six Dumbest Ideas
“The Six Dumbest Ideas in Computer Security” (2005) http://www.ranum.com/security/computer_security/editorials/dumb/
Default permit
Enumerating badness
Penetrate and patch
Hacking is cool
Educating users
Action is better than inaction
Dumb Ideas in Computer Security 219 Jul 2011
Struck a Nerve
Results 1-10 of about 2,030,000 for dumb ideas computer security.
Or … there are lots of dumb ideas related to computer security
Marcus Is Right … But I Have Another List
1. We’ll do security later
2. We’ll do privacy later
3. Encryption cures all
4. {Tool} cures all
5. Security has to be perfect
6. It’s easy—we can do it ourselves
You Can’t Retrofit Security
Defense Science Board report (1972)
“It is virtually impossible to verify that a large software system is completely free of errors and anomalies.”
“System failure modes are not thoroughly understood, catalogued, or protected against.”
Systems grow increasingly complex
Patches abound—and continue
Penetrate and patch doesn’t work
References: Anderson; Karger and Schell
You Can’t Retrofit Privacy
Facebook, other social media
Private data aggregators
Electronic medical data
Anonymity, pseudonymity
“Fair Information Practices” 1973
Banking, medical, education, government mishmash
References: Ware, Sweeney
Encryption is Overrated
Key management
Implementation flaws
Algorithm weaknesses
Work factor vs. computing power
Hard problems solvable
Data in the clear
Architecture
Insiders
Effective Security Tools Are Specialized
No silver bullet
Different environments: threats–vulnerabilities–countermeasures
Different objectives: prevent, deter, diminish, detect, recover
Integration, overlap, coverage issues
Security Is a Continuum
Impossible to counter all threats
Cannot let the perfect be the enemy of the good
Residual risk remains
Need
  Metrics to measure risk
  Justification for stopping point
  Creative architecture to maximize coverage for money spent
Program Complexity Inhibits Security
“By the time machines are able to do such things we shan’t know how they do it.” --Turing
Applications, utilities, infrastructure, and operating system mixed
Web data delivery, display, fetch mixed
Skype reboot problem, Sony rootkit
IP stack in cell phones, PDAs, gaming consoles, refrigerators, thermostats
References: Hoglund & McGraw, Whitaker & Thompson
How the eCampus Differs from a Brick Campus
No perimeter to defend
New threats:
  Financial: organized crime
  Political: nations/groups
  Inter- and multinational
Unprotected workstation as a staging platform, or a bot
Web interconnectedness
How to Proceed
Secure the environment
Secure the system
Secure the applications
Secure the network
Secure the users
Secure the Environment
Perimeter defense outdated
Laptops and smart phones extend perimeter to outer space
Who would attack a university?
Target: a machine or address
Classify and separate
Secure the System
Segmentation, separation
Hard to do with Internet
Cloud computing
Appealing for sharing
But controlled sharing is a challenge
Stuxnet infection shows ability to penetrate
Secure the Applications
Functionality trumps security
Who vets apps?
Reliable source: code signing
Malware appearance getting more sophisticated
Fewer typos
Clickjacking
Secure the Network
Everybody connected to everybody
Formal and informal connections (USB stick, computer sharing)
Tools help
Also human review and interaction
Vigilance—and insight
Secure the Users
User awareness is necessary—but not sufficient
New attacks emerge and expand: phishing, drive-by download
New users appear: social media and kids
Users may not understand threat
“I am not a target”
“Think like an attacker” day
Policy, audit, and enforcement
References
Anderson, J., “Computer Security Technology Planning Study,” csrc.nist.gov/publications/history/ande72.pdf
Hoglund, G. and McGraw, G., Exploiting Software: How to Break Code, Addison-Wesley, 2004.
Karger, P. and Schell, R., “Thirty Years Later: Lessons from the Multics Security Evaluation,” IBM Research Report RC22543, 2002.
Morris, R. and Thompson, K., “Password Security: A Case History,” Communications of the ACM, v22 n11 Nov 1979.
Saltzer, J. and Schroeder, M., “The Protection of Information in Computer Systems,” Proceedings of the IEEE, v63 n9 Sep 1975.
Sweeney, L., “Finding Lists of People on the Web,” ACM Computers and Security, v37 n1 Apr 2004.
Ware, W. (ed.), “Records, Computers and the Rights of Citizens,” RAND Report P-5077, 1973.
Whitaker, J. and Thompson, H., How to Break Software, Pearson Education, 2003.