CIT 380: Securing Computer Systems Future of Security CIT 380: Securing Computer Systems Slide #
Topics <ul><li>Future Threats </li></ul><ul><li>Security in Hardware </li></ul><ul><li>Software Security </li></ul><ul><li...
Increasing Attack Sophistication CIT 380: Securing Computer Systems Slide #
More Data Breaches CIT 380: Securing Computer Systems Slide #
Threats: Malware <ul><li>Chinese honeypot project collected malware </li></ul><ul><ul><li>2000-4000 samples/day from botne...
Threats: Virtual Attacks <ul><li>Second Life denial of service attack Nov 19 </li></ul><ul><ul><li>Rings multiplied when i...
Threats: Virtual Attacks <ul><li>Third attack since September 2006. </li></ul><ul><li>Incident response faster than in pri...
Threats: Offline Impact <ul><li>Davis-Besse nuclear power plant </li></ul><ul><ul><li>Slammer infected Plant Process Compu...
Threats: Spear Phishing <ul><li>Context-aware phishing attacks </li></ul><ul><li>Establish credibility by knowledge of dat...
Threats: Spear Phishing <ul><li>Create an opportunity </li></ul><ul><ul><li>DoS user account with too many failed logins. ...
Threats: Vishing <ul><li>Voice Phishing </li></ul><ul><ul><li>Send e-mail with phone number. Call into software voice mail...
Threats: Vishing <ul><ul><li>Call victims directly using VOIP for cheap, anonymous international calls. </li></ul></ul><ul...
Underground Economy <ul><li>Specialization and division of labor </li></ul><ul><ul><li>Botherd (Botnet manager/renter) </l...
Hardware Security: Biometrics <ul><li>Biometrics will become more common. </li></ul><ul><ul><li>Laptop fingerprint readers...
Hardware Security Features <ul><li>Memory Curtaining </li></ul><ul><ul><li>Hardware-enforced memory protection to prevent ...
Problems with Remote Attestation <ul><li>Core Problem </li></ul><ul><ul><li>If third parties know what software you’re usi...
Software Security <ul><li>The problem with security: Bad design, code. </li></ul><ul><li>Trinity of Trouble will expand </...
Economics of Security <ul><li>The problem with security: Bad incentives. </li></ul><ul><ul><li>Systems are especially pron...
Security Incentives <ul><li>Banks </li></ul><ul><ul><li>In US, banks liable for ATM fraud. </li></ul></ul><ul><ul><ul><li>...
Security Incentives <ul><li>Home Users </li></ul><ul><ul><li>Should you pay for antivirus software when the virus likely w...
Security as Externality <ul><li>Externality :  Cost or benefit of an economic transfer that someone who is not a party to ...
Network Externality <ul><li>Network externality :  the more users a network has, the more valuable it is. </li></ul><ul><u...
Security and Markets:  Asymmetric Information <ul><li>The Market for Lemons </li></ul><ul><ul><li>Ex: Used Car Market </li...
Security and Markets: Insurance <ul><li>Computer security rarely applies insurance. </li></ul><ul><ul><li>Different organi...
Security and Markets: DRM <ul><li>Security technologies can distort markets. </li></ul><ul><ul><li>Infinite supply of digi...
Economics of Privacy <ul><li>Tech increases ability to discriminate prices. </li></ul><ul><ul><li>Data mining can be used ...
Economics of Privacy <ul><li>Data breach law gives incentive for privacy. </li></ul><ul><ul><li>Stock prices fall after da...
Security and Usability <ul><li>The problem with security: Bad interfaces. </li></ul><ul><ul><li>Semantic attacks such as p...
Security and Usability CIT 380: Securing Computer Systems Slide #
passpet <ul><li>http://passpet.org/ </li></ul>CIT 380: Securing Computer Systems Slide # Figure 2. Passpet
Future of Privacy: Tracking <ul><li>The problem with privacy: Computers. </li></ul><ul><li>Portable computing devices => t...
Future of Privacy:  Wholesale Surveillance <ul><li>Don’t look at a suspicious person, look at everyone. </li></ul><ul><ul>...
References <ul><li>Ross Anderson and Tyler Moore, “Economics of Security,” Science, Oct 27, 2006. </li></ul><ul><li>Team C...
Upcoming SlideShare
Loading in …5
×

Future of Security

679 views
601 views

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
679
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
16
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • Image from http://www.cert.org/congressional_testimony/Carpenter_testimony_Aug29.html
  • http://honeyblog.org/junkyard/reports/botnet-china-TR.pdf
  • Graph from The IT Payoff: Measuring the Business Value of Information Technology Investments
  • Graph from The IT Payoff: Measuring the Business Value of Information Technology Investments
  • Future of Security

    1. 1. CIT 380: Securing Computer Systems Future of Security CIT 380: Securing Computer Systems Slide #
    2. 2. Topics <ul><li>Future Threats </li></ul><ul><li>Security in Hardware </li></ul><ul><li>Software Security </li></ul><ul><li>Economics of Security </li></ul><ul><li>Security and Usability </li></ul><ul><li>Privacy </li></ul>CIT 380: Securing Computer Systems Slide #
    3. 3. Increasing Attack Sophistication CIT 380: Securing Computer Systems Slide #
    4. 4. More Data Breaches CIT 380: Securing Computer Systems Slide #
    5. 5. Threats: Malware <ul><li>Chinese honeypot project collected malware </li></ul><ul><ul><li>2000-4000 samples/day from botnets </li></ul></ul><ul><li>For samples seen the first time, </li></ul><ul><ul><li>5 of 9 anti-virus detected 70% or less. </li></ul></ul><ul><ul><li>1 anti-virus (Kaspersky) detected 92% </li></ul></ul><ul><li>For samples 30 days old, </li></ul><ul><ul><li>No anti-virus detected more than 94% </li></ul></ul><ul><li>Botnet activities </li></ul><ul><ul><li>28% spreading to new victims </li></ul></ul><ul><ul><li>25% DDOS </li></ul></ul><ul><ul><li>10% information theft </li></ul></ul><ul><ul><li>14% self-update </li></ul></ul>CIT 380: Securing Computer Systems Slide #
    6. 6. Threats: Virtual Attacks <ul><li>Second Life denial of service attack Nov 19 </li></ul><ul><ul><li>Rings multiplied when interacted with. </li></ul></ul><ul><ul><li>Heavy database load resulted in DoS attack. </li></ul></ul>CIT 380: Securing Computer Systems Slide #
    7. 7. Threats: Virtual Attacks <ul><li>Third attack since September 2006. </li></ul><ul><li>Incident response faster than in prior attacks. </li></ul>CIT 380: Securing Computer Systems Slide #
    8. 8. Threats: Offline Impact <ul><li>Davis-Besse nuclear power plant </li></ul><ul><ul><li>Slammer infected Plant Process Computer and Safety Parameter Display System (Jan 2003.) </li></ul></ul><ul><ul><li>Analog backups unaffected. </li></ul></ul><ul><ul><li>Infected contractor’s network, then moved through T1 line that bypassed plant firewall. </li></ul></ul><ul><li>Seattle 911 system </li></ul><ul><ul><li>Slammer disabled computer systems. </li></ul></ul><ul><ul><li>Dispatchers reverted to manual systems. </li></ul></ul><ul><li>2003 Blackout </li></ul><ul><ul><li>Blaster infected First Energy systems. </li></ul></ul>CIT 380: Securing Computer Systems Slide #
    9. 9. Threats: Spear Phishing <ul><li>Context-aware phishing attacks </li></ul><ul><li>Establish credibility by knowledge of data </li></ul><ul><ul><li>Use personal data from social networks. </li></ul></ul><ul><ul><li>Use stolen data from Monster.com, TJMaxx. </li></ul></ul><ul><ul><li>IU study, 72% responded to targeted attack, only 16% responded to msg from a random IU user. </li></ul></ul>CIT 380: Securing Computer Systems Slide #
    10. 10. Threats: Spear Phishing <ul><li>Create an opportunity </li></ul><ul><ul><li>DoS user account with too many failed logins. </li></ul></ul><ul><ul><li>Contact user to help them “fix” the problem. </li></ul></ul>CIT 380: Securing Computer Systems Slide #
    11. 11. Threats: Vishing <ul><li>Voice Phishing </li></ul><ul><ul><li>Send e-mail with phone number. Call into software voice mail system which uses recordings of real bank’s voice mail system. </li></ul></ul><ul><ul><ul><li>Free PBX software makes this easy to do. </li></ul></ul></ul><ul><ul><ul><li>E-mails are targeted, including customer’s name. </li></ul></ul></ul>CIT 380: Securing Computer Systems Slide #
    12. 12. Threats: Vishing <ul><ul><li>Call victims directly using VOIP for cheap, anonymous international calls. </li></ul></ul><ul><ul><ul><li>Caller-ID spoofing. </li></ul></ul></ul><ul><ul><ul><li>Attacker often knows CC number, wants 3-digit. </li></ul></ul></ul>CIT 380: Securing Computer Systems Slide #
    13. 13. Underground Economy <ul><li>Specialization and division of labor </li></ul><ul><ul><li>Botherd (Botnet manager/renter) </li></ul></ul><ul><ul><li>Developer </li></ul></ul><ul><ul><li>Phishers and Spammers </li></ul></ul><ul><ul><li>Cashers and Confirmers </li></ul></ul><ul><li>Marketplaces </li></ul><ul><ul><li>$500 for CC number + PIN </li></ul></ul><ul><ul><li>$80-300 for personal info (SSN, etc.) </li></ul></ul><ul><ul><li>Millions of CCs, bank accounts, IDs traded. </li></ul></ul>CIT 380: Securing Computer Systems Slide #
    14. 14. Hardware Security: Biometrics <ul><li>Biometrics will become more common. </li></ul><ul><ul><li>Laptop fingerprint readers to login. </li></ul></ul><ul><ul><li>USB drive fingerprint readers to access. </li></ul></ul><ul><ul><li>Voice print / eye scan used to login. </li></ul></ul><ul><ul><li>Disney: fingerprint-based TicketTag system </li></ul></ul><ul><ul><li>Fingerprints used to check nightclub goers. </li></ul></ul>CIT 380: Securing Computer Systems Slide #
    15. 15. Hardware Security Features <ul><li>Memory Curtaining </li></ul><ul><ul><li>Hardware-enforced memory protection to prevent programs from accessing each others’ memory, including OS. </li></ul></ul><ul><li>Secure I/O </li></ul><ul><ul><li>Secure path from keyboard to application that cannot be snooped on by keyloggers or spyware. </li></ul></ul><ul><li>Sealed Storage </li></ul><ul><ul><ul><li>Generates keys based on program + hardware. </li></ul></ul></ul><ul><ul><ul><li>Only that program on that computer can access data. </li></ul></ul></ul><ul><li>Remote Attestation </li></ul><ul><ul><li>Hardware generation of certificate attesting to identity of software that currently runs on PC. </li></ul></ul>CIT 380: Securing Computer Systems Slide #
    16. 16. Problems with Remote Attestation <ul><li>Core Problem </li></ul><ul><ul><li>If third parties know what software you’re using, they can refuse to interact with you if you’re running software they don’t want. </li></ul></ul><ul><li>Examples </li></ul><ul><ul><li>Web sites could force you to run IE. </li></ul></ul><ul><ul><li>Of a specific version vulnerable to their adware. </li></ul></ul><ul><ul><li>Vendor lock-in: prevent interoperability of IM clients or Samba with Windows servers. </li></ul></ul>CIT 380: Securing Computer Systems Slide #
    17. 17. Software Security <ul><li>The problem with security: Bad design, code. </li></ul><ul><li>Trinity of Trouble will expand </li></ul><ul><ul><li>Connectivity : business critical processes will use wireless networking. </li></ul></ul><ul><ul><li>Complexity : software will continue to get larger. </li></ul></ul><ul><ul><li>Extensibility : more mobile code will be used, and SOA will be used for extensibility on server side. </li></ul></ul>CIT 380: Securing Computer Systems Slide #
    18. 18. Economics of Security <ul><li>The problem with security: Bad incentives. </li></ul><ul><ul><li>Systems are especially prone to failure when security person doesn’t experience cost of failure. </li></ul></ul><ul><ul><li>Security problems are an externality. </li></ul></ul><ul><ul><li>Security techniques can distort markets (DRM.) </li></ul></ul><ul><ul><li>Hidden costs of ownership </li></ul></ul><ul><ul><ul><li>$99 MS Windows + $99 Antivirus, firewall, etc. </li></ul></ul></ul>CIT 380: Securing Computer Systems Slide #
    19. 19. Security Incentives <ul><li>Banks </li></ul><ul><ul><li>In US, banks liable for ATM fraud. </li></ul></ul><ul><ul><ul><li>There is relatively little ATM fraud in US. </li></ul></ul></ul><ul><ul><li>In UK, customers liable for ATM fraud. </li></ul></ul><ul><ul><ul><li>Banks ignored security since customer complaints were assumed to be lies or mistakes. </li></ul></ul></ul><ul><li>Medical Records </li></ul><ul><ul><li>Medical providers dislike security because it requires time and limits sharing. </li></ul></ul><ul><ul><li>Patients want their medical records private. </li></ul></ul>CIT 380: Securing Computer Systems Slide #
    20. 20. Security Incentives <ul><li>Home Users </li></ul><ul><ul><li>Should you pay for antivirus software when the virus likely won’t damage your data but instead attack someone else? </li></ul></ul>CIT 380: Securing Computer Systems Slide #
    21. 21. Security as Externality <ul><li>Externality : Cost or benefit of an economic transfer that someone who is not a party to the transaction bears, e.g. air pollution, vaccination. </li></ul><ul><li>Security attacks often result in externalities. </li></ul><ul><ul><li>Backscatter from DDOS attacks. </li></ul></ul><ul><ul><li>Botnet that does little damage to zombie PC can do extensive damage to its targets. </li></ul></ul>CIT 380: Securing Computer Systems Slide #
    22. 22. Network Externality <ul><li>Network externality : the more users a network has, the more valuable it is. </li></ul><ul><ul><li>Compatibility is more important than security in building a market. </li></ul></ul><ul><ul><li>Excessive security (DRM) can allow dominant player to lock in users. </li></ul></ul><ul><li>Problem : How to migrate to more secure network protocols? </li></ul>CIT 380: Securing Computer Systems Slide #
    23. 23. Security and Markets: Asymmetric Information <ul><li>The Market for Lemons </li></ul><ul><ul><li>Ex: Used Car Market </li></ul></ul><ul><ul><ul><li>50 good used cars worth $3000. </li></ul></ul></ul><ul><ul><ul><li>50 lemons worth $1000 each. </li></ul></ul></ul><ul><ul><ul><li>Sellers know the difference, buyers do not. </li></ul></ul></ul><ul><ul><ul><li>What will price will the market bear? </li></ul></ul></ul><ul><ul><li>Software market suffers from info asymmetry. </li></ul></ul>CIT 380: Securing Computer Systems Slide #
    24. 24. Security and Markets: Insurance <ul><li>Computer security rarely applies insurance. </li></ul><ul><ul><li>Different organizations IT risk is correlated with other organizations. A Microsoft Windows virus is like a major hurricane, affecting many networks at once. </li></ul></ul><ul><ul><li>Software vendors aren’t responsible for risk of vulnerabilities in their software. Who would insure them if they were? </li></ul></ul>CIT 380: Securing Computer Systems Slide #
    25. 25. Security and Markets: DRM <ul><li>Security technologies can distort markets. </li></ul><ul><ul><li>Infinite supply of digital goods drives price to 0. </li></ul></ul><ul><ul><li>Copyright grants limited monopolies to prevent. </li></ul></ul><ul><ul><li>DRM gives owners complete market control. </li></ul></ul><ul><ul><ul><li>Eliminate resale. </li></ul></ul></ul><ul><ul><ul><li>Eliminate transfer to other media. </li></ul></ul></ul><ul><ul><ul><li>Eliminate any use owner dislikes. </li></ul></ul></ul>CIT 380: Securing Computer Systems Slide #
    26. 26. Economics of Privacy <ul><li>Tech increases ability to discriminate prices. </li></ul><ul><ul><li>Data mining can be used to individuals’ willingness to pay. </li></ul></ul><ul><ul><li>Features can be disabled easily to create a range of product prices to extract the most money. </li></ul></ul><ul><ul><li>Complex, changing prices for airlines, software. </li></ul></ul>CIT 380: Securing Computer Systems Slide #
    27. 27. Economics of Privacy <ul><li>Data breach law gives incentive for privacy. </li></ul><ul><ul><li>Stock prices fall after data breaches revealed. </li></ul></ul>CIT 380: Securing Computer Systems Slide #
    28. 28. Security and Usability <ul><li>The problem with security: Bad interfaces. </li></ul><ul><ul><li>Semantic attacks such as phishing depend on difference between how user perceives communication and the actual effect of the communication. </li></ul></ul><ul><ul><li>How can we bridge the gap between user’s mental model and the model of how systems actually work? </li></ul></ul>CIT 380: Securing Computer Systems Slide #
    29. 29. Security and Usability CIT 380: Securing Computer Systems Slide #
    30. 30. passpet <ul><li>http://passpet.org/ </li></ul>CIT 380: Securing Computer Systems Slide # Figure 2. Passpet
    31. 31. Future of Privacy: Tracking <ul><li>The problem with privacy: Computers. </li></ul><ul><li>Portable computing devices => tracking </li></ul><ul><ul><li>Cell phone: current location, path travelled </li></ul></ul><ul><ul><li>RFID tags </li></ul></ul><ul><li>Ubiquitous video cameras => tracking </li></ul><ul><ul><li>Average Londoner has picture taken 300/day </li></ul></ul>CIT 380: Securing Computer Systems Slide #
    32. 32. Future of Privacy: Wholesale Surveillance <ul><li>Don’t look at a suspicious person, look at everyone. </li></ul><ul><ul><li>NSA phone/email surveillance; Echelon </li></ul></ul><ul><ul><li>Satellite photography </li></ul></ul><ul><ul><li>Cameras + OCR track license plates in London. </li></ul></ul><ul><ul><li>Auto toll-pay systems and cell phones track cars. </li></ul></ul><ul><ul><li>Credit card and Paypal purchases </li></ul></ul><ul><li>Quantity has a Quality all its own </li></ul><ul><ul><li>Changes balance between police power and rights of the people. </li></ul></ul><ul><ul><li>Past compromises: random license plates instead of owner’s name. </li></ul></ul>CIT 380: Securing Computer Systems Slide #
    33. 33. References <ul><li>Ross Anderson and Tyler Moore, “Economics of Security,” Science, Oct 27, 2006. </li></ul><ul><li>Team Cymru, “The Underground Economy: Priceless,” USENIX, http://www.usenix.org/publications/login/2006-12/openpdfs/cymru.pdf , 2006. </li></ul><ul><li>Jason Franklin and Vern Paxson, “An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants,” ACM CCS, http://www.cs.cmu.edu/~jfrankli/acmccs07/ccs07_franklin_eCrime.pdf , 2007. </li></ul><ul><li>Robert Lemos, “Second life plagued by 'grey goo' attack,” The Register http://www.theregister.co.uk/2006/11/24/secondlife_greygoo_attack/ , Nov 24, 2006. </li></ul><ul><li>Gary McGraw and Greg Hoglund, Exploiting Software: How to Break Code , Addison-Wesley, 2004. </li></ul><ul><li>Peter Neumann, (moderator), Risks Digest, http://catless.ncl.ac.uk/Risks/ </li></ul><ul><li>Bruce Schneier, Beyond Fear , Copernicus Books, 2003. </li></ul><ul><li>Bruce Schneier, “Future of Privacy,” http://www.schneier.com/blog/archives/2006/03/the_future_of_p.html , 2006. </li></ul><ul><li>Seth Schoen, “Trusted Computing: Promise and Risk,” http://www.eff.org/Infrastructure/trusted_computing/20031001_tc.php , 2003. </li></ul><ul><li>Jon Schwartz, “Phishing attacks now using phone calls,” USA Today, Nov 26, 2006. </li></ul><ul><li>Ken Thompson, “Reflections on Trusting Trust”, Communication of the ACM , Vol. 27, No. 8, August 1984, pp. 761-763 ( http://www.acm.org/classics/sep95/ ) </li></ul><ul><li>Jianwei Zhuge et. al., “Characterizing the IRC-based Botnet Phenomenon,” http://honeyblog.org/junkyard/reports/botnet-china-TR.pdf , 2007. </li></ul>CIT 380: Securing Computer Systems Slide #

    ×