Future of Security
Slide notes
  • Image from http://www.cert.org/congressional_testimony/Carpenter_testimony_Aug29.html
  • http://honeyblog.org/junkyard/reports/botnet-china-TR.pdf
  • Graph from The IT Payoff: Measuring the Business Value of Information Technology Investments
  • Graph from The IT Payoff: Measuring the Business Value of Information Technology Investments

Transcript

  • 1. CIT 380: Securing Computer Systems Future of Security CIT 380: Securing Computer Systems Slide #
  • 2. Topics
    • Future Threats
    • Security in Hardware
    • Software Security
    • Economics of Security
    • Security and Usability
    • Privacy
  • 3. Increasing Attack Sophistication
  • 4. More Data Breaches
  • 5. Threats: Malware
    • Chinese honeypot project collected malware
      • 2000-4000 samples/day from botnets
    • For samples seen for the first time,
      • 5 of 9 anti-virus products detected 70% or less.
      • 1 anti-virus product (Kaspersky) detected 92%.
    • For samples 30 days old,
      • No anti-virus product detected more than 94%.
    • Botnet activities
      • 28% spreading to new victims
      • 25% DDOS
      • 10% information theft
      • 14% self-update
  • 6. Threats: Virtual Attacks
    • Second Life denial of service attack Nov 19
      • Rings multiplied when interacted with.
      • Heavy database load resulted in DoS attack.
  • 7. Threats: Virtual Attacks
    • Third attack since September 2006.
    • Incident response faster than in prior attacks.
  • 8. Threats: Offline Impact
    • Davis-Besse nuclear power plant
      • Slammer infected Plant Process Computer and Safety Parameter Display System (Jan 2003.)
      • Analog backups unaffected.
      • Infected contractor’s network, then moved through T1 line that bypassed plant firewall.
    • Seattle 911 system
      • Slammer disabled computer systems.
      • Dispatchers reverted to manual systems.
    • 2003 Blackout
      • Blaster infected First Energy systems.
  • 9. Threats: Spear Phishing
    • Context-aware phishing attacks
    • Establish credibility by knowledge of data
      • Use personal data from social networks.
      • Use stolen data from Monster.com, TJMaxx.
      • IU study: 72% responded to a targeted attack, while only 16% responded to a message from a random IU user.
  • 10. Threats: Spear Phishing
    • Create an opportunity
      • DoS user account with too many failed logins.
      • Contact user to help them “fix” the problem.
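The lockout pretext on slide 10 has a detection-side signature: an attacker who locks an account on purpose does it with a burst of failures within seconds, while a user mistyping a password spreads attempts out over minutes. The following script is an added example, not part of the CIT 380 slides; its log format, thresholds and sample log lines are all constructed assumptions.

```python
"""
Added example, not from the CIT 380 slides: flagging accounts that were locked
by a burst of failed logins, so the help desk can verify any later "please fix
my account" call by callback. Log format, thresholds and sample lines are
constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed "timestamp user src_ip result" format.
# alice: six failures in five seconds (deliberate lockout pattern)
# bob:   one typo, then success
# carol: slow, spread-out typos over an hour
SAMPLE_LOG = """\
2006-11-20T09:00:01 alice 10.0.0.5 FAIL
2006-11-20T09:00:02 alice 10.0.0.5 FAIL
2006-11-20T09:00:03 alice 10.0.0.5 FAIL
2006-11-20T09:00:04 alice 10.0.0.5 FAIL
2006-11-20T09:00:05 alice 10.0.0.5 FAIL
2006-11-20T09:00:06 alice 10.0.0.5 FAIL
2006-11-20T09:01:10 bob 10.0.0.7 FAIL
2006-11-20T09:01:40 bob 10.0.0.7 OK
2006-11-20T09:30:00 carol 10.0.0.9 FAIL
2006-11-20T10:15:00 carol 10.0.0.9 FAIL
2006-11-20T10:40:00 carol 10.0.0.9 FAIL
2006-11-20T10:41:00 carol 10.0.0.9 FAIL
2006-11-20T10:42:00 carol 10.0.0.9 FAIL
2006-11-20T10:43:00 carol 10.0.0.9 FAIL
"""


def parse_auth_log(text: str):
    """Yield (timestamp, user, source, result) tuples from the assumed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        yield datetime.fromisoformat(ts), user, src, result


def deliberate_lockouts(text: str, threshold: int = 5,
                        window: timedelta = timedelta(minutes=2)) -> dict:
    """Return {user: time of the first failure in the burst} for every account
    that took `threshold` or more failed logins inside `window`."""
    failures = defaultdict(list)
    for ts, user, _src, result in parse_auth_log(text):
        if result == "FAIL":
            failures[user].append(ts)

    flagged = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until the span fits in `window`.
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = times[start]
                break
    return flagged


def helpdesk_hold_list(text: str) -> list:
    """Accounts to verify by callback before acting on an unsolicited caller:
    a sorted list of (user, ISO time of the burst)."""
    return sorted((u, t.isoformat()) for u, t in deliberate_lockouts(text).items())


if __name__ == "__main__":
    print(helpdesk_hold_list(SAMPLE_LOG))
```

With the constructed log only alice is flagged at the default threshold; carol's six failures never fit five into a two-minute window. The list is meant to be consulted by the help desk, which is where the slide's "contact the user to help them fix the problem" step gets its leverage.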
  • 11. Threats: Vishing
    • Voice Phishing
      • Send e-mail containing a phone number. Victims who call reach a software voice mail system that uses recordings of the real bank’s voice mail system.
        • Free PBX software makes this easy to do.
        • E-mails are targeted, including customer’s name.
  • 12. Threats: Vishing
    • Call victims directly using VOIP for cheap, anonymous international calls.
      • Caller-ID spoofing.
      • Attacker often already knows the CC number and wants the 3-digit code.
  • 13. Underground Economy
    • Specialization and division of labor
      • Botherd (Botnet manager/renter)
      • Developer
      • Phishers and Spammers
      • Cashers and Confirmers
    • Marketplaces
      • $500 for CC number + PIN
      • $80-300 for personal info (SSN, etc.)
      • Millions of CCs, bank accounts, IDs traded.
  • 14. Hardware Security: Biometrics
    • Biometrics will become more common.
      • Laptop fingerprint readers to login.
      • USB drive fingerprint readers to access.
      • Voice print / eye scan used to login.
      • Disney: fingerprint-based TicketTag system
      • Fingerprints used to check nightclub goers.
  • 15. Hardware Security Features
    • Memory Curtaining
      • Hardware-enforced memory protection to prevent programs from accessing each other’s memory, including the OS.
    • Secure I/O
      • Secure path from keyboard to application that cannot be snooped on by keyloggers or spyware.
    • Sealed Storage
      • Generates keys based on program + hardware.
      • Only that program on that computer can access data.
    • Remote Attestation
      • Hardware generation of certificate attesting to identity of software that currently runs on PC.
  • 16. Problems with Remote Attestation
    • Core Problem
      • If third parties know what software you’re using, they can refuse to interact with you if you’re running software they don’t want.
    • Examples
      • Web sites could force you to run IE, even a specific version vulnerable to their adware.
      • Vendor lock-in: prevent interoperability of IM clients or Samba with Windows servers.
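Slides 15 and 16 describe sealed storage and remote attestation and then the policy problem attestation creates. The toy model below is an added example, not code from the slides or from any real trusted-computing implementation: a real chip uses asymmetric keys and PCR registers, whereas here one hardware secret, HMAC-SHA256 and an HMAC-derived keystream stand in for them, and the verifier is assumed to share the chip's secret. Every name and value in it is constructed.

```python
"""
Added example, not from the CIT 380 slides: a toy model of sealed storage and
remote attestation. Simplifications (all assumptions): one symmetric hardware
secret instead of an asymmetric chip key, an HMAC counter-mode keystream
instead of a real cipher, and a verifier that shares the secret.
"""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC in counter mode (illustration only)."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


class SecurityChip:
    """Stands in for the hardware: a secret that never leaves the chip plus a
    measurement (hash) of the software currently running."""

    def __init__(self, hardware_secret: bytes):
        self._secret = hardware_secret
        self.measurement = b""

    def measure(self, program: bytes) -> None:
        """Record the identity of the program about to run (like a PCR extend)."""
        self.measurement = hashlib.sha256(program).digest()

    def _program_key(self) -> bytes:
        # Sealed storage: the key depends on hardware secret AND program identity,
        # so another program on this machine, or this program on another machine,
        # derives a different key.
        return hmac.new(self._secret, b"seal:" + self.measurement, hashlib.sha256).digest()

    def seal(self, data: bytes) -> bytes:
        key = self._program_key()
        nonce = os.urandom(NONCE_LEN)
        ct = _keystream_xor(key, nonce, data)
        tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def unseal(self, blob: bytes) -> bytes:
        key = self._program_key()
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("sealed data is bound to a different program or machine")
        return _keystream_xor(key, nonce, ct)

    def attest(self, verifier_nonce: bytes):
        """Remote attestation: a chip-authenticated statement of what runs now.
        The verifier's nonce stops an old quote from being replayed."""
        sig = hmac.new(self._secret, b"attest:" + self.measurement + verifier_nonce,
                       hashlib.sha256).digest()
        return self.measurement, sig


def verify_attestation(hardware_secret, verifier_nonce, measurement, sig, allowed):
    """Verifier side. This is the slide-16 problem in one line: once the quote
    checks out, the verifier can refuse any software not on its own list."""
    expected = hmac.new(hardware_secret, b"attest:" + measurement + verifier_nonce,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return "forged"
    return "accepted" if measurement in allowed else "refused: software not on verifier's list"


def demo() -> dict:
    """Run the scenario and return each outcome."""
    secret = b"constructed-hardware-secret"
    chip = SecurityChip(secret)
    chip.measure(b"approved-browser v1")
    blob = chip.seal(b"account database")
    results = {"same_program": chip.unseal(blob)}

    chip.measure(b"other-program")           # different software, same machine
    try:
        chip.unseal(blob)
        results["other_program"] = "leaked"
    except PermissionError:
        results["other_program"] = "refused"

    clone = SecurityChip(b"different-machine-secret")
    clone.measure(b"approved-browser v1")    # same software, different machine
    try:
        clone.unseal(blob)
        results["other_machine"] = "leaked"
    except PermissionError:
        results["other_machine"] = "refused"

    nonce = os.urandom(16)
    m, sig = chip.attest(nonce)              # chip still reports "other-program"
    results["attest_listed"] = verify_attestation(secret, nonce, m, sig, {m})
    results["attest_unlisted"] = verify_attestation(secret, nonce, m, sig, set())
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The two `refused` outcomes in `demo()` are the sealed-storage property from slide 15 (data is bound to program plus hardware). The last two lines are slide 16: the same valid quote is accepted or refused purely on whether the verifier approves of the software, which is exactly the lever a site or vendor could use to force a particular client.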
  • 17. Software Security
    • The problem with security: bad design and bad code.
    • Trinity of Trouble will expand
      • Connectivity: business critical processes will use wireless networking.
      • Complexity: software will continue to get larger.
      • Extensibility: more mobile code will be used, and SOA will be used for extensibility on the server side.
  • 18. Economics of Security
    • The problem with security: Bad incentives.
      • Systems are especially prone to failure when the person responsible for security doesn’t bear the cost of failure.
      • Security problems are an externality.
      • Security techniques can distort markets (DRM).
      • Hidden costs of ownership
        • $99 MS Windows + $99 Antivirus, firewall, etc.
  • 19. Security Incentives
    • Banks
      • In US, banks liable for ATM fraud.
        • There is relatively little ATM fraud in US.
      • In UK, customers liable for ATM fraud.
        • Banks ignored security since customer complaints were assumed to be lies or mistakes.
    • Medical Records
      • Medical providers dislike security because it requires time and limits sharing.
      • Patients want their medical records private.
  • 20. Security Incentives
    • Home Users
      • Should you pay for antivirus software when the virus likely won’t damage your data but instead attack someone else?
  • 21. Security as Externality
    • Externality: a cost or benefit of an economic transaction that is borne by someone who is not a party to it, e.g. air pollution, vaccination.
    • Security attacks often result in externalities.
      • Backscatter from DDOS attacks.
      • Botnet that does little damage to zombie PC can do extensive damage to its targets.
  • 22. Network Externality
    • Network externality: the more users a network has, the more valuable it is.
      • Compatibility is more important than security in building a market.
      • Excessive security (DRM) can allow a dominant player to lock in users.
    • Problem: how to migrate to more secure network protocols?
  • 23. Security and Markets: Asymmetric Information
    • The Market for Lemons
      • Ex: Used Car Market
        • 50 good used cars worth $3000 each.
        • 50 lemons worth $1000 each.
        • Sellers know the difference, buyers do not.
        • What price will the market bear?
      • Software market suffers from info asymmetry.
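Carrying the slide's used-car numbers through to their conclusion shows why the answer to "what price will the market bear?" is not the $2000 average. The function below is an added example, not from the slides; it assumes risk-neutral buyers who offer the average value of the cars they expect to be on sale, and sellers who withdraw any car worth more than the offer.

```python
"""
Added example, not from the CIT 380 slides: Akerlof's lemons market iterated to
equilibrium with the slide's numbers. Assumptions: buyers offer the expected
value of the cars currently on offer; sellers withdraw cars worth more than
that offer; the market reprices each round.
"""


def lemons_market(good_count, good_value, lemon_count, lemon_value, max_rounds=10):
    """Return the sequence of prices buyers offer until the price stops moving."""
    history = []
    # Round one: buyers assume the whole population is for sale.
    on_offer_good, on_offer_lemons = good_count, lemon_count
    for _ in range(max_rounds):
        supply = on_offer_good + on_offer_lemons
        if supply == 0:
            break
        price = (on_offer_good * good_value + on_offer_lemons * lemon_value) / supply
        history.append(price)
        # Adverse selection: sellers only keep a car on offer if the price
        # at least matches its true value, which the buyer cannot see.
        on_offer_good = good_count if price >= good_value else 0
        on_offer_lemons = lemon_count if price >= lemon_value else 0
        if len(history) > 1 and history[-1] == history[-2]:
            break
    return history


def equilibrium_price(*args, **kwargs):
    """Final price the market settles on."""
    return lemons_market(*args, **kwargs)[-1]


if __name__ == "__main__":
    # Slide's numbers: 50 good cars at $3000, 50 lemons at $1000.
    print(lemons_market(50, 3000, 50, 1000))   # [2000.0, 1000.0, 1000.0]
    # Even with 90% good cars the good ones still leave the market.
    print(lemons_market(90, 3000, 10, 1000))
```

The first offer is the $2000 average, but at that price no owner of a $3000 car sells, so next round only lemons are on offer and the price falls to $1000. The good cars never trade, whatever their share of the population. The slide's last bullet is the same loop with software products whose security the buyer cannot evaluate before purchase: with only a price to signal quality, the secure product is the one that leaves the market.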
  • 24. Security and Markets: Insurance
    • Insurance is rarely applied to computer security.
      • Different organizations’ IT risks are correlated with one another. A Microsoft Windows virus is like a major hurricane, affecting many networks at once.
      • Software vendors aren’t responsible for the risk of vulnerabilities in their software. Who would insure them if they were?
  • 25. Security and Markets: DRM
    • Security technologies can distort markets.
      • Infinite supply of digital goods drives the price to 0.
      • Copyright grants limited monopolies to prevent this.
      • DRM gives owners complete market control.
        • Eliminate resale.
        • Eliminate transfer to other media.
        • Eliminate any use owner dislikes.
  • 26. Economics of Privacy
    • Technology increases the ability to discriminate on price.
      • Data mining can be used to estimate individuals’ willingness to pay.
      • Features can be disabled easily to create a range of product prices that extracts the most money.
      • Complex, changing prices for airlines, software.
  • 27. Economics of Privacy
    • Data breach law gives incentive for privacy.
      • Stock prices fall after data breaches revealed.
  • 28. Security and Usability
    • The problem with security: Bad interfaces.
      • Semantic attacks such as phishing depend on difference between how user perceives communication and the actual effect of the communication.
      • How can we bridge the gap between user’s mental model and the model of how systems actually work?
  • 29. Security and Usability
  • 30. passpet
    • http://passpet.org/
    Figure 2. Passpet
  • 31. Future of Privacy: Tracking
    • The problem with privacy: Computers.
    • Portable computing devices => tracking
      • Cell phone: current location, path travelled
      • RFID tags
    • Ubiquitous video cameras => tracking
      • The average Londoner has their picture taken 300 times per day.
  • 32. Future of Privacy: Wholesale Surveillance
    • Don’t look at a suspicious person, look at everyone.
      • NSA phone/email surveillance; Echelon
      • Satellite photography
      • Cameras + OCR track license plates in London.
      • Auto toll-pay systems and cell phones track cars.
      • Credit card and Paypal purchases
    • Quantity has a Quality all its own
      • Changes balance between police power and rights of the people.
      • Past compromises: random license plates instead of owner’s name.
  • 33. References
    • Ross Anderson and Tyler Moore, “Economics of Security,” Science, Oct 27, 2006.
    • Team Cymru, “The Underground Economy: Priceless,” USENIX, http://www.usenix.org/publications/login/2006-12/openpdfs/cymru.pdf, 2006.
    • Jason Franklin and Vern Paxson, “An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants,” ACM CCS, http://www.cs.cmu.edu/~jfrankli/acmccs07/ccs07_franklin_eCrime.pdf, 2007.
    • Robert Lemos, “Second Life plagued by 'grey goo' attack,” The Register, http://www.theregister.co.uk/2006/11/24/secondlife_greygoo_attack/, Nov 24, 2006.
    • Gary McGraw and Greg Hoglund, Exploiting Software: How to Break Code, Addison-Wesley, 2004.
    • Peter Neumann (moderator), Risks Digest, http://catless.ncl.ac.uk/Risks/
    • Bruce Schneier, Beyond Fear, Copernicus Books, 2003.
    • Bruce Schneier, “Future of Privacy,” http://www.schneier.com/blog/archives/2006/03/the_future_of_p.html, 2006.
    • Seth Schoen, “Trusted Computing: Promise and Risk,” http://www.eff.org/Infrastructure/trusted_computing/20031001_tc.php, 2003.
    • Jon Schwartz, “Phishing attacks now using phone calls,” USA Today, Nov 26, 2006.
    • Ken Thompson, “Reflections on Trusting Trust,” Communications of the ACM, Vol. 27, No. 8, August 1984, pp. 761-763 (http://www.acm.org/classics/sep95/).
    • Jianwei Zhuge et al., “Characterizing the IRC-based Botnet Phenomenon,” http://honeyblog.org/junkyard/reports/botnet-china-TR.pdf, 2007.