Hardware to blunt hack attack
Ever since 1988, when the Morris worm cut
down 10 per cent of the Internet's
computers, the number of cyber "incidents"
and reported vulnerabilities has grown
exponentially. The cost of the disruption to
business, of the reduction in confidence and
of repairing the systems is no longer tolerable.
Moreover, the increasing connectedness of
users, via a growing variety of devices and
applications, means that the IT industry can
no longer ignore the cyber attack problem.
The large number of vulnerabilities is due,
in part, to the complexity of modern
systems. A typical Unix or Windows system,
including major applications, has of the
order of 100 million lines of code. Recent
studies show that a typical software product
has roughly one security-related bug per
thousand lines of source code. Therefore an
average system gives a hacker potentially
100,000 weak spots to attack.
The rate at which researchers discover
weak points makes it hard for security
managers to keep up with the necessary
patches, assuming they are available.
Therefore most systems will have at least one
known vulnerability. Hackers now use
combination attacks to test for these weak
spots, and to exploit them.
Live CERT
Following the Morris worm incident, the US Defense Advanced Research Projects Agency asked the Software Engineering Institute, a federally funded research and development centre at Carnegie Mellon University, to coordinate communication among experts during security emergencies and to help prevent future incidents. This became CERT.
The number of incidents reported to
CERT has risen from six in 1988 to 137,529
last year. The number of computers affected
runs into the millions.
Each attack may compromise the data on
each system. The theft, alteration or
destruction of commercially valuable
personal or enterprise data is a real risk.
Secondly, theft of identity and/or
authentication information can give hackers
access to other systems and accounts,
thereby compounding the damage.
Thirdly, as users become more mobile, the
risk rises that data and identity information
may be compromised by physical theft or
loss of the access device. Fourthly, as mobile
access relies increasingly on radio
technologies, the risk grows that third parties
overhear sensitive data.
It is becoming more obvious that software-only security mechanisms are not enough to protect information assets. Even the firewalls that protect intranets do not provide much comfort; many attacks originate from users inside these firewalls, and may also bypass these firewalls in e-mail attachments. This adds impetus to the move to use hardware-based embedded security subsystems to protect information assets.
Standard trust
The Trusted Computing Group (TCG) has been formed to respond to this challenge (see table of members). TCG aims to develop, define, and promote open, vendor-neutral industry standards for trusted computing. These include specifications for hardware and software interfaces for multiple platforms and operating environments.
User and IT benefits
Security chips based on TCG's specification for the Trusted Platform Module (TPM) are now in millions of desktop and notebook PCs and working with many applications. Their benefits include:
• More secure storage of files, personally
identifiable information, and digital
secrets.
• More secure user authentication by
protection of keys used by authentication
processes such as 802.1X, S/MIME e-mail,
and VPNs.
Infosecurity Today, July/August 2004, column, p. 42
Jim Ward. Software security is for wimps; enter the hard guys of hardware
[Figure: Growth in reported vulnerabilities since 1995. Chart; y-axis: No. of Vulnerabilities (0 to 5000); x-axis: 1995 to 2002.]
[Photo caption: Ward: complexity breeds vulnerabilities]
In the last few years the number of
vulnerabilities published in the public
domain has mushroomed. This book is, as
its title says, a wake-up call for web
programmers. It provides practical worked
examples that take the reader through a
number of types of attack. What is
interesting is that this is a book which talks
about security, but does not spend ages
talking about encryption or buffer
overflows. This book has been written by a
developer for developers in a language that
developers will understand. The aim of the
book is to provide a developer with the
years of experience that are necessary to
develop a secure web site that meets the
needs of its users.
In more detail, this book is designed and
aimed at programmers who are building web
sites, and so it does not address the design
and deployment of infrastructure. This book
does not focus on client-side technologies,
such as ActiveX or Java Applets; rather it
focuses on server-side programming, in
particular SQL Injection, User Input
Manipulation, Authentication and Cross Site
Scripting. In short, if you are a server-side
web developer then you simply must read
this book. If you are a web techie then you
will love this book. I did.
• Lower-cost and stronger user
authentication by using the TPM as a
security token together with other types
of authentication such as passphrases,
fingerprint readers, keyfobs, smartcards,
proximity badges, and SIMs.
Extra benefits that will accrue over time
include:
• More secure platform authentication
through protection of an identity key that
is associated with the platform.
• Platform authentication with multiple
anonymous trusted identities which,
when combined with user authentication,
will enable additional remote access
security while protecting privacy.
• More secure data protection through
confirmation of platform integrity prior
to decryption.
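The last benefit, confirming platform integrity before decryption, is what TPM sealing does. As an added, constructed model (not TCG code or the TPM specification; the PCR extend rule, the stand-in storage root key SRK and the toy keystream are assumptions), this shows a secret that unseals only while the measured boot chain is unchanged:

```python
"""Toy model of TPM-style sealing: a secret is encrypted under a key that is
released only if the platform's PCR value matches the value at seal time.
Constructed example; not the TPM specification or TCG code."""
import hashlib
import hmac
import os

SRK = b"storage-root-key-bound-to-this-tpm"  # constructed stand-in for the chip's root key


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: new = H(old || H(measurement)). A PCR can only be extended, never set."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components) -> bytes:
    """Measure a boot chain (firmware, loader, kernel, ...) into one PCR, starting from zeros."""
    pcr = bytes(32)
    for component in components:
        pcr = extend(pcr, component)
    return pcr


def _seal_key(pcr: bytes) -> bytes:
    # The sealing key depends on the root key AND the platform state.
    return hmac.new(SRK, b"seal" + pcr, hashlib.sha256).digest()


def seal(secret: bytes, pcr: bytes) -> dict:
    """Bind a secret (up to 32 bytes, one toy keystream block) to the current PCR value."""
    assert len(secret) <= 32, "toy keystream covers a single 32-byte block"
    key = _seal_key(pcr)
    nonce = os.urandom(16)
    stream = hashlib.sha256(key + nonce).digest()
    ct = bytes(a ^ b for a, b in zip(secret, stream))
    tag = hmac.new(key, pcr + nonce + ct, hashlib.sha256).digest()
    return {"pcr": pcr, "nonce": nonce, "ct": ct, "tag": tag}


def unseal(blob: dict, current_pcr: bytes):
    """Release the secret only if the platform is in the sealed state; else None."""
    if not hmac.compare_digest(blob["pcr"], current_pcr):
        return None  # boot chain changed: decryption refused
    key = _seal_key(current_pcr)
    expect = hmac.new(key, current_pcr + blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, blob["tag"]):
        return None  # sealed blob was altered
    stream = hashlib.sha256(key + blob["nonce"]).digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], stream))
```

Swapping one boot component (a modified kernel, say) changes the PCR value, so `unseal` returns None and the secret is never exposed to the altered platform.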
TCG is exhibiting at Infosecurity Europe
2005, Europe's premier IT security
exhibition. The event brings together IT
security professionals from around the
globe with suppliers of security
hardware, software and consultancy
services. Now in its 10th year, the show
features Europe's most comprehensive
free education programme, and over 200
exhibitors at the Grand Hall at Olympia
from 26 to 28 April 2005.
Further information about Infosecurity
Europe 2005 is available at
http://www.infosec.co.uk. Information on
TCG and how to join is at
www.trustedcomputinggroup.org.
Jim Ward is the President of the Trusted
Computing Group
References:
CERT Web Site: http://www.cert.org/archive/pdf/attack_trends.pdf [Overview of Attack Trends]
CERT Web Site: www.cert.org/stats/cert_stats.html [CERT/CC Statistics]
Review: Innocent Code: a Security Wake-Up Call for Web Programmers. Sverre H. Huseby. John Wiley & Sons (January 23, 2004). ISBN: 0470857447. Reviewed by Andrew Blyth.