The Dumbest Ideas In Computer Security
Marcus J. Ranum, CSO, Tenable Network Security, Inc.
[email protected]@tenablesecurity.com
Who am I
• CSO of Tenable Network Security
– Makes innovative vulnerability detection and security event management tools
– Develops and supports the Nessus vulnerability scanner project
– Works with lots of MSPs and customers
• CyberTrust
• V-1 SmartWall
• Network Flight Recorder
• Trusted Information Systems
Intro – Who is Tenable?
• We run the Nessus project
– More than 85,000 organizations world-wide
– We develop 99.9% of the plugins
– Develop and test all of Nessus 3
– Still do a lot of work on and for Nessus 2
• Enterprise Security Vendor
– Single vendor to offer enterprise security management solutions for:
• Vulnerability Management
• Compliance Monitoring & Reporting
• Security Event Management
• Network Behavioral Anomaly Detection
• Passive and Active Asset discovery
– More than 500 enterprise customers
What is Dumb??
Depending on which analysts you believe* the computer security market is billions of dollars, annually
* never a good idea
[Chart: security market size over 1995, 1997, 2001, 2005, rising from $200m to $6b]
Dumb is Wasting Money
The number of systems penetrated continues to increase to the point where nobody even counts, anymore
Source: dept of made-up statistics
[Chart: systems compromised over 1995, 1997, 2001, 2005: some, lots, too many, ridiculously too many. Annotation: CERT throws in the towel and stops tracking machines compromised]
Chartology
Red = bad thing; Green = effort/expense
A chart like this represents a hard-fought but ultimately effective effort
Chartology
Red = bad thing; Green = effort/expense
A chart like this represents a rear-guard action
Chartology
Red = bad thing; Green = effort/expense
A chart like this represents a sucking chest-wound
OK, so what’s wrong?
• Computer security is off-course and has been for a long time
– Since the “discovery” of security as a “market” it’s a big-money business
– “Solutions” (i.e.: expen$ive product$) rule over common sense
– Well marketed-to customers continually lurch from one “complete solution” that doesn’t work to the next
?
• What are the properties of secure systems?
Fundamental Security Problems
• Trusted Systems Design
• Assurance
• Code Quality
• Transitive Trust
• Authorization v. Authentication
Trusted System Design
• Understand the components of the system that must be trusted
– Compartmentized design
– Understand trusted paths in inputs and code
• Top-to-bottom approach
– Can’t “secure the network” and not the host
– Can’t “secure the host” and not the network
– Can’t “secure the data” and not the O/S
Assurance
• Assurance is the degree of confidence you have that the system functions as it is designed to
– (Read Feynman on Challenger disaster)
• Assurance is a property of a system design
– It is not an add-on feature to be “built in later” (Sorry, Microsoft)
Code Quality
• Code quality is necessary to be assured that a system functions as designed
– Software as an engineering discipline
– Security and reliability need to be:
• Factored into design
• Considered in code lay-out
• Checked in code review
• Tested in QA
• Considered in maintenance
Transitive Trust
• If A trusts B and B trusts C, A trusts C and doesn’t know it
– indeed A trusts everyone C trusts
• Dealing with transitive trust is a “hard problem” and may not be tractable
– Hackers basically ignore transitive trust also because most systems are so weak transitive trust attacks are unnecessary!
– Smart pen testers use transitive trust
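The slide's point, that A ends up trusting everyone C trusts without knowing it, is easy to make concrete as a graph walk. This is an added example, not from the original deck: the trust graph is constructed, and `effective_trust`, `unknowing_trust` and `trust_paths` are hypothetical helper names for the review exercise.

```python
from collections import deque

# Constructed trust graph (not from the slides): who each party explicitly trusts.
# F trusting A closes a cycle, which the walk has to tolerate.
DIRECT_TRUST = {
    "A": {"B"},
    "B": {"C"},
    "C": {"D", "E"},
    "D": set(),
    "E": {"F"},
    "F": {"A"},
}

def effective_trust(graph, start):
    """Everyone `start` ends up trusting once trust is followed transitively:
    if A trusts B and B trusts C, A trusts C and everyone C trusts.
    Breadth-first walk; `seen` keeps cycles from looping forever."""
    seen = set()
    queue = deque(graph.get(start, ()))
    while queue:
        party = queue.popleft()
        if party == start or party in seen:
            continue
        seen.add(party)
        queue.extend(graph.get(party, ()))
    return seen

def unknowing_trust(graph, start):
    """The parties `start` trusts without knowing it: effective minus explicit."""
    return effective_trust(graph, start) - graph.get(start, set())

def trust_paths(graph, start, target):
    """Every chain through which `start` comes to trust `target`; in a design
    review these are the intermediaries whose compromise would expose `start`."""
    paths = []
    def walk(node, path):
        for nxt in sorted(graph.get(node, ())):
            if nxt in path:
                continue                      # do not loop around a cycle
            if nxt == target:
                paths.append(path + [nxt])
            else:
                walk(nxt, path + [nxt])
    walk(start, [start])
    return paths
```

Running `unknowing_trust(DIRECT_TRUST, "A")` on this graph shows that A, which believes it trusts only B, in fact trusts C, D, E and F as well.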
Authorization V. Authentication
• Authentication: knowing who you are dealing with
• Authorization: knowing what a user is allowed to do
• Many fancy authentication systems (public key, etc) but authorization is a “hard problem”
– What do you do when an authorized user does an inappropriate thing?
OK, So Life Sucks!
• These are extremely hard (and therefore $$$$) problems to deal with
• What’s the industry’s answer?
– Attractive-sounding manure
A-SB: Antivirus
• Exhaustively list all the viruses on earth
– stop them when they get onto your computer or try to execute
• 175,000 different viruses and spyware*
– Fewer than 7,000 commonly-used business apps*
• Why list the bad stuff? List the good stuff! (trust-no-exe, program execution control, etc)
* approximately
A-SB: Intrusion Prevention
• Make a dictionary of “signatures” that match various network-based hacks as they traverse your network
– Have a boundary device attempt to detect them fast enough to block them (put it in-line so it’s a nice single point of failure!)
• This is very similar to antivirus, including how stupid an idea it is
A-SB: Intrusion Prevention (cont)
• A “new trend” some talk about is “network compartmentalization”*
– Identify segments of the network and enforce separation between them except for necessary services
• I.e.: “database network” – the only traffic allowed in/out is Oracle to the server; backup servers and utility systems are screened
• I.e.: “mail hub” – email only sent/delivered to/from a central port 25/IMAP-SSL server
* New? I have PowerPoint slides from 1989 that teach how to do it...
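The two compartments described on this slide can be written down as a default-deny policy and checked against observed flows, which is how a defender verifies that separation is actually enforced rather than merely drawn on a diagram. This is an added example, not from the original deck: the segment names, address ranges, ports, rule set and flow records are all constructed to mirror the slide's database-network and mail-hub cases.

```python
from ipaddress import ip_address, ip_network

# Constructed segments with hypothetical address ranges (not from the slides).
SEGMENTS = {"app": ip_network("10.1.0.0/24"), "db": ip_network("10.2.0.0/24"),
            "backup": ip_network("10.3.0.0/24"), "mailhub": ip_network("10.4.0.0/24"),
            "users": ip_network("10.5.0.0/24")}
SCREENED = {"db", "mailhub"}     # segments whose boundary the policy defines
MAIL_PORTS = {25, 993}           # SMTP and IMAP-SSL
# Allow rules (src_segment, dst_segment, dst_port); anything else that crosses a
# screened boundary is denied by default.
ALLOW = {("app", "db", 1521),        # Oracle from the application servers only
         ("backup", "db", 22),       # screened backup path into the database segment
         ("users", "mailhub", 25),   # mail submission to the central hub
         ("users", "mailhub", 993),  # IMAP-SSL served only by the hub
         ("mailhub", "internet", 25)}

def segment_of(addr):
    """Map an address to its segment; anything outside the known ranges is 'internet'."""
    ip = ip_address(addr)
    return next((name for name, net in SEGMENTS.items() if ip in net), "internet")

def check_flow(src, dst, dst_port):
    """Return None if the flow complies with the policy, otherwise the reason it does not."""
    s, d = segment_of(src), segment_of(dst)
    if s == d:
        return None                            # intra-segment traffic is out of scope
    if dst_port in MAIL_PORTS and "mailhub" not in (s, d):
        return f"{s}->{d}:{dst_port} mail traffic bypasses the central hub"
    if s not in SCREENED and d not in SCREENED:
        return None                            # no compartment boundary crossed
    if (s, d, dst_port) in ALLOW:
        return None
    return f"{s}->{d}:{dst_port} crosses a screened boundary with no rule"

def audit(flow_log):
    """Run the policy over 'src dst dport' lines; return (line, reason) per violation."""
    findings = []
    for line in flow_log.strip().splitlines():
        src, dst, port = line.split()
        reason = check_flow(src, dst, int(port))
        if reason:
            findings.append((line, reason))
    return findings

# Constructed flow records: source, destination, destination port.
FLOWS = """10.1.0.5 10.2.0.10 1521
10.5.0.7 10.2.0.10 1521
10.3.0.2 10.2.0.10 22
10.5.0.7 10.4.0.3 993
10.5.0.7 203.0.113.9 25
10.5.0.7 10.4.0.3 3389"""
```

`audit(FLOWS)` flags three of the six constructed flows: a user workstation talking directly to the Oracle listener, mail sent straight to the Internet instead of through the hub, and a non-mail protocol reaching the mail hub.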
A-SB: Outsourcing Security
• Premise: anything that is not a “core competency” should be done by someone else, who can do it cheaper
– Problem: If you never develop any knowledge of the problem, how do you know if they are doing a good job?
– You know this: if your business thinks IT is not part of its core business, you’ll be clobbered by a competitor in 10 years*
*exception: gravel pits
A-SB: Rent-a-hacker
• pen-testing is the exact opposite of assurance by design
– tells you one of two things:
• You’re screwed
• We don’t know if you’re screwed
– Trying to prove a system can’t be hacked by trying to hack it is attempting to prove a negative
• More effective: external design review early and implementation validation
The 90’s
• Netscape IPO: the greatest disaster in software history
– Demonstrated incontrovertibly that the path to fortune in silicon valley is to throw shovelware over the fence
– Triggered “the 10 year beta-test”
– Dogmatized as “extreme programming” (i.e.: “write code now and figure out what you were trying to accomplish later”)
The 90’s (cont)
• What will it take to turn software development into an engineering discipline? (people who call the nonsense we do today “software engineering” need to be beaten)
• Network engineering and management are the next pain points
The 2010’s
• The next big frontier is going to be system administration
– The death of general-purpose computing
• PDAs become more powerful embedded appliances?
• Disposable computing?
• Ubiquitous computing?
• Operating systems that don’t suck?
Windows Sys Administration
[Chart: systems under administration vs. Earth population over time, the two lines meeting at 2020AD. Annotation: Every man, woman, and child on earth (over the age of 6) will be a Windows system administrator]
• 2020AD: The Infocalypse
Summary:
• Danger signs: If you are -
– Listing lots of cases of bad stuff
– Constantly patching your code
– Running networks with open topologies
– Running networks with no idea what traffic crosses them
– Ignoring security in design process
… You may be in security hell
Summary 2:
Remember, it’s always much easier to not do something dumb than it is to do something smart
QUESTIONS ??
blog.tenablesecurity.com