
Roger Grimes How I Fixed The Internets



  1. How I Fixed the Internets. Mark Minasi Conference 2009. Roger A. Grimes
  2. Roger’s BIO
     - CPA, CISSP, CEH, SSPP, CISA, TICSA, yada, yada
     - 22-year Windows security consultant, instructor, and author
     - Microsoft ACE Infosec Security Architect
     - Author or co-author of eight books on computer security, including:
       • Network Security: The Complete Reference (McGraw-Hill, co-author of chapters on Computer Defenses and IDSs)
       • Windows Vista Security: Securing Vista Against Malicious Attacks (Wiley, 2007, co-author)
       • Professional Windows Desktop and Server Hardening (Dec. 2005)
       • Windows Server 2008 Security Resource Kit (contributing author)
       • Honeypots for Windows (Apress, December 2004)
     - Author of over 200 national magazine articles on computer security
     - Runs 8 honeypots tracking hacker and malware behavior
     - InfoWorld security columnist and blogger
  3. Roger’s Books
  4. The views expressed here are only my own, and are not the views of my employer or Mark Minasi
  5. On the Bright Side... Not everyone is hacked every day
  6. This presentation is based on my previous work: the Fixing the Internet whitepaper and articles
     - /Fixing_the_Internet_Final.pdf
     - /2008/05/fixing_the_inte.html
     - /2008/05/defending_fixin.html
     - central/internet-fix-no-pipe-dream-452
  7. How Bad Is It?
     - Each year, over 1-in-3 US adults gets their identity information stolen over the Internet
     - 1-in-9 have their identity stolen multiple times a year
     - 1-in-9 have their stolen identity used in a given year
  8. How Bad Is It?
     - An average hacker can break into any Internet-connected company relatively easily
     - There is little you can do to stop hackers
     - Break-ins are so common that even when tens of millions of identities are stolen or millions of dollars are taken, it often doesn’t make the news cycle anymore
  9. Crimeware
     - 99% of all malware exists to steal your money
     - The big criminal gangs make hundreds of millions of dollars each year: McColo, Rockphish, Russian Business Network
     - Not a single person from any of the major criminal gangs has been arrested or prosecuted
  10. Every Internet Browser Has Many Exploits
     - CanSecWest: 3 top browsers exploited in an hour
     - Every “secure” browser is lucky to last a day after it is released before it is exploited
  11. How Bad Is It?
     - Firewalls don’t work
     - Antivirus software doesn’t work
     - Fully patching your software doesn’t work
     - Spam and phishing as bad as ever; spam is 70-90% of all email traffic
     - 10% or more of all Internet traffic is malicious
     - Why do we keep doing the same things and expecting different results??
  12. How Bad Is It?
     - Malware more sophisticated than ever: not one attack vector, but 20+
     - It hides now, doesn’t try to be cute: fast-fluxing, root-kit loading, USB infecting, roving “mothership” web servers
  13. Big Holes Still Being Found in the Internet
     - Kaminsky DNS exploit
     - Huge MPLS/BGP exploit being announced at the next BlackHat
     - Kinda kills the “many eyes” concept that supposedly makes our software secure
     - Even DJBDNS’s software got hacked twice in a year
  14. Can’t Be Perfect Even If You’re Perfect
     - Even if all the software goes security-vulnerability free, it won’t stop hacking
     - Today, 99.999% of malicious hacking occurs because an end-user is tricked into installing trojan malware
     - Antivirus 2008 anyone??
  15. How Bad Is It?
     - After everything every vendor has tried, pushed, and promoted, computer security has only gotten substantially worse over the last 10 years...and even worse over the last 3 years
     - Nothing any vendor is doing appears likely to significantly improve computer security over the next 10 years
  16. Problems with Current Solutions
     - Whack-a-mole solutions
     - Point-specific defenses (which hackers just move around to the next weak link)
     - Security defenses develop slower than malware
     - No one is trying to solve the underlying systemic security problems
     - No single group dedicated to fixing Internet security
  17. Why Does It Matter?
     - Can’t we just live with the current state of things? I mean, we have survived so far without a major disruption to our global Internet society
  18. Why Does It Matter?
     - Because the Internet is becoming more and more mission critical for real life
     - It isn’t just for email and ASCII porn anymore
     - Global society is becoming more reliant on the Internet for basic and mission-critical services
  19. Why Does It Matter?
     - SQL Slammer (2003) showed us that most of the world’s most important, mission-critical networks are on the Internet
     - Most major banks went down for multiple days
     - Foreign hackers are routinely breaking into our most sensitive, secure gov’t networks
  20. Why Does It Matter?
     - Where do you buy your airplane tickets? How did you buy your last concert tickets?
     - I use web sites to make stock trades, schedule bulky garbage pick-ups, plan trips, pay college tuition for my daughters, call over Skype, etc.
     - My InfoWorld column is only online
     - How do you think the electronic funds transfer for your paycheck is transmitted?
  21. Why Does It Matter?
     - What was yesterday’s “nice-to-have” web site becomes today’s “use it or pay more” for a regular human
     - Crackberries...anyone...
     - The Iloveyou worm shut down phone networks and delayed the delivery of newspapers
  22. Why Does It Matter?
     - The guy in charge of running the Whitehouse is bragging about using Gmail and Googledocs
     - Your healthcare records are going online
     - Stuff that should never be on the Internet (e.g. nuclear power plants, electrical grids, 911 systems) is on the Internet!!
  23. Why Does It Matter?
     - Even the mission-critical stuff that all the experts assure us isn’t on the Internet...
     - Even if it isn’t “on the Internet”, it usually shares the same physical telecom lines with it; if the Internet implodes, so too does the non-Internet stuff
  24. Why Does It Matter?
     - Somewhere, there is a tipping point event waiting to happen
  25. So How Is the Internet Broken?
     - Ask yourself, “Why do malicious hackers hack?”
  26. So How Is the Internet Broken?
     - Answer: Because we can’t catch them
     - It’s low cost, low risk, and high return
     - Rob a bank, get $5,000 (maybe), and 10 years in jail
     - Rob off the Internet, make hundreds of millions, and never even get close to being caught
  27. So How Is the Internet Broken?
     - Answer: Because we can’t catch them
     - I can’t think of a single Internet problem that doesn’t boil down to problems of identity and integrity
  28. So How Is the Internet Broken?
     - There is pervasive anonymity: you really have no idea I am who I say I am
     - There is a lack of accountability: we can’t find the hackers to arrest them
     - We have a hard time prosecuting all the companies that knowingly help criminals
     - There is no way to tell the good companies from the bad
  29. Summary
     - We have to rebuild all software and hardware connected to the Internet to fix it
     - Replace pervasive anonymity with pervasive identity
     - Hold people and companies accountable for bad things and continued poor practices
  30. Summary
     - Dream Team of Security Experts
     - Rebuild the Internet and everything connected to it
     - New Internet-wide security services available to everyone (think DNS, but for security)
  31. Summary
     - Come up with a global, open group to provide solutions
     - Will probably have to be gov’t sponsored: companies are motivated by greed, there is no money in fixing the commons, and most companies are very risk averse
     - It will take a “man-on-the-moon” project
  32. Dream Team
     [Org chart: an Executive Committee (Strategic Decisions) of Vendor/member Directors; under each Director a Component Tactical Lead; under each lead the Component Technical Team Members; public and end-user participation shared across the committee.]
  33. Dream Team (2 year max.)
     - Made up of global vendors, gov’t, independent security experts, and public
     - No single entity controls outcome; one vote per member
     - Open meetings, open discussions
     - Any solutions are completely voluntary in nature
     - Try to use more “carrot” and less “stick”
  34. Dream Team
     - What can be agreed upon is tabled, but majority rules
     - Global participation
     - Solutions are standards and protocols, not products
     - Solutions are 100% open source, although vendors are welcome to develop commercial products and implementations
  35. Dream Team - Challenges
     - Global, but also decisive (the UN problem)
     - How to convince vendors it is in their own self-interest to participate?
     - How to make a global committee responsive?
     - How to avoid balkanization, standard splits?
  36. Possible Internet Security Solutions
     - Global Security Service
     - End-to-End Trust
     - Using Existing Web Standards
  37. Global Security Service
     - Build a global Internet infrastructure service to provide coordination, advertising, and publication of the various global security initiatives
     - Internet Security Service = DNS + UDDI + IF-MAP
  38. Global Security Service
     - DNS-like: fault-tolerant, distributed “root” servers dedicated to directing querying clients to the appropriate security service server(s).
     - UDDI-like: each participating global sub-root server would serve up IP addresses for the corresponding needed security services (and advertise and publish such services).
     - IF-MAP-like: the existing sub-root servers would allow participating members to report and respond in a global, holistic, multi-service manner.
  39. Global Security Service: IF-MAP Standard
     - If you are not familiar with IF-MAP, in a nutshell, the Trusted Computing Group’s IF-MAP standard ( /IFMAP_FAQ_april_28.pdf) allows participating devices to report security events and receive notifications from other security devices, so that they can respond in a coordinated fashion.
  40. Global Security Service: IF-MAP Example
     - Your firewall detects an outbound email originating from a regular end-user workstation that does not typically use port 25 outbound
     - Firewall notifies antivirus software to scan the machine
     - Antivirus software, unable to clean the computer or unable to find anything, tells the NAC/NAP client to shut down, and the 802.1x switch kills the network port link
  41. Global Security Service
     - New Security Service: be like a local IF-MAP solution, but provide information globally
  42. Global Security Service
     [Diagram: Global Internet Security Infrastructure Service. Protocol/application-specific global servers sit on the Internet/cloud side; each local, regulated network runs an IF-MAP service behind its own network security boundary and security defenses, connecting its local endpoints to the global service.]
  43. Global Security Service: Examples
     - Your network or web server comes under a DDoS attack. Your local IF-MAP security device could connect to a root Internet security server and get directed to one or more services that allow an efficient response and defense to the attack.
     - Your network could get subscribed on-the-fly to an anti-DDoS service, fire up additional availability resources on new IP space, or lead all the other participating networks into shunting off the offending bot-infected computers.
  44. Global Security Service: Examples
     - Your company participates in a global whitelist/blacklist of IP addresses. Your company’s whitelist/blacklist servers/service could contact the global root servers to get instantaneous updates of the Russian Business Network’s changing IP address space.
  45. Global Security Service: Examples
     - Your anti-spam device or anti-phishing filter can learn instantly when a massive new spam or phishing attack occurs, instead of waiting for a vendor update or allowing only the already existing global email providers to learn about the attack.
  46. Global Security Service: Examples
     - Suppose a MySQL-based, Slammer-type, zero-day worm gets launched that can be successful against all existing, contactable MySQL servers on the Internet. Your firewall could be notified of the zero-day attack and shut down the port until a better remedy is provided.
     - SQL Slammer infected most SQL servers on the Internet in under 10 minutes. It went off at 1AM EST. By the time sysadmins were alerted, it was over.
  47. Global Security Service
     [Diagram: Global Internet Security Infrastructure Service, fed by the Internet, private entities, etc., serving a Global Early Warning System, global security signatures, a global anti-malware server, a global phish list, a global blacklist, etc.]
  48. End to End Trust Solution: Trust Components
     - Hardware
     - OS Boot Process and Loading
     - Device and User Identity
     - Network Stack and Protocols
     - Applications
     - Network Transmission Devices and Packets
     - Communication Sessions
  49. End to End Trust Solution
     - Not Microsoft’s End-to-End Trust
     - Based originally on Trusted Computing Group’s work
  50. End-to-End Trust
     - Make each Internet egress network responsible and accountable for the security and trust of the endpoints in its network. This applies to corporate environments as well as to ISPs being responsible for the security of their end-user clients (to a variable degree).
     - Each egress network access point would be known as a “trust network”, with its management and technical teams responsible and accountable for implementing improved security trust mechanisms (e.g. egress filtering, two-factor authentication, anti-malware, secure coding practices, etc.).
  51. End-to-End Trust
     - A world-wide community consortium of computer security experts would transparently decide what levels of trust are assigned to the various trust components and how various trust networks earn increasing levels of trust.
     - Egress points with poorly demonstrated levels of security will be given a low trust rating, and that rating made known to all participants (e.g. a world-wide trust rating list). This should encourage trust networks to improve their security to be rated higher, and at the same time hold questionable networks accountable (e.g. Russian Business Network’s malicious IP space).
  52. End-to-End Trust: Trust Assurance Levels
     - Various trust assurance level values are assigned to each trust component in the trust pathway
     - Authentication + Infrastructure Trust + Identity Assurance = Aggregate Trust Assurance Level
  53. End-to-End Trust: Trust Assurance Levels (Authentication Type -> Trust Assurance Level Assignment)
     - Simple user name and password: Low
     - Username, PIN, and Biometric / Token: Medium
     - Smartcard, Biometric and PIN: High
  54. End-to-End Trust: Trust Assurance Levels (Infrastructure Example Scenarios -> Trust Assurance Level Assignment)
     - Logon session originating from a known malicious IP address space: Low
     - Logon session originating from a trusted, classified government network: High
     - Smart card using “short” 1024-bit public key: Medium
     - Questionable Service Provider who has been “warned” about continued, past illegal activities: Low
     - Network packet with “too many” hops, indicating excessive routing: Low
     - Logon session originating from a shared wireless network available to the public or an Internet cafe: Low
     - Logon session originating from a static, unchanging IP address: Medium
  55. End-to-End Trust: Trust Assurance Levels (Aggregated Trust Level Example Scenarios -> Aggregated Trust Assurance Level Assignment)
     - Anonymous identity, password only, coming from an untrusted service provider: Lowest
     - True identity with compromised biometrics, coming from a trusted service provider: Low
     - Anonymous identity with 3rd party attestation, using a password on a trusted origination point: Medium
     - True identity of long-term, outstanding character, on a highly trusted service provider, using Smartcard + PIN: High
  56. End-to-End Trust: Trust Assurance Levels (at the packet level)
     [Diagram: two packets, each with a header including crypto info and a signed & encrypted data payload, tagged with per-layer trust rankings. Packet A: Network Trust 3, Session Trust 4, Identity Trust 5, Physical Trust 3, Overall Trust Ranking 4. Packet B: Network Trust 2, Session Trust 3, Identity Trust 2, Physical Trust 4, Overall Trust Ranking 3.]
  57. End-to-End Trust
     - These global trust ratings would be sharable and available to each communicating trust network.
     - Each receiving trust network can decide how to treat incoming traffic based on the originator’s trust rating, and can even apply custom trust ratings to trusted private trading partners (regardless of the packet’s tagged trust).
     - Traffic with higher ratings of trust should be inspected less and be delivered faster to endpoints.
  58. End-to-End Trust: Trust Gateways
     - Each trusted network should implement a trust gateway device (which can be a separate component or integrated into other egress/ingress point devices and software).
     - The trust gateway device is responsible for tagging egress traffic with a community-decided trust rating, and for appropriately handling (and handing off) incoming traffic based upon the trust rating with which it is marked.
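Worked example for slides 52-58, added here and not part of the original deck: the per-component tables from slides 53-55 as lookup tables, an aggregation function, and the receiving trust gateway's handling decision from slides 57-58. The deck states no combining rule, so the rule used (integer mean of the three components, capped at one step above the weakest component) is an assumption, chosen because it reproduces all four aggregated scenarios on slide 55; the 1..5 numeric scale follows the "Ranking = n" values on slide 56, and the identity scores, the "Lowest"/"Highest" labels and the three gateway action thresholds are likewise assumptions.

```python
"""Trust Assurance Level aggregation and trust-gateway handling (slides 52-58).

Added example, not from the original deck. The combining rule (integer mean
of the components, capped at one step above the weakest component) is an
ASSUMPTION that reproduces the deck's four slide 55 scenarios. The 1..5
scale follows the "Ranking = n" values on slide 56; "Lowest"/"Highest" for
1 and 5 are assumed labels.
"""

LEVELS = {1: "Lowest", 2: "Low", 3: "Medium", 4: "High", 5: "Highest"}

# Authentication type -> level (slide 53). The last two entries are assumed
# for the slide 55 scenarios mentioning "Smartcard + PIN" and "compromised
# biometrics".
AUTH = {
    "password": 2,
    "username+pin+biometric": 3,
    "smartcard+biometric+pin": 4,
    "smartcard+pin": 4,
    "compromised-biometric": 1,
}

# Infrastructure / origination scenario -> level (slide 54); the last entry
# ("highly trusted service provider", slide 55) is assumed.
INFRA = {
    "malicious-ip-space": 2,
    "warned-provider": 2,
    "too-many-hops": 2,
    "public-wireless": 2,
    "static-ip": 3,
    "trusted-gov-network": 4,
    "highly-trusted-provider": 5,
}

# Identity assurance -> level; implied by slide 55, values are assumed.
IDENTITY = {
    "anonymous": 1,
    "anonymous+3rd-party-attestation": 3,
    "true-identity": 4,
    "true-identity+long-term-good-standing": 5,
}

def aggregate(identity, auth, infra):
    """Assumed rule: integer mean, capped at (weakest component + 1).

    The cap keeps one strong component (a true identity) from masking a
    failed one (a compromised biometric): weakest-link thinking.
    """
    parts = (IDENTITY[identity], AUTH[auth], INFRA[infra])
    return min(sum(parts) // len(parts), min(parts) + 1)

def aggregate_label(identity, auth, infra):
    return LEVELS[aggregate(identity, auth, infra)]

def handle_ingress(tagged_rating, origin, partner_overrides=None):
    """Receiving trust network's policy for a packet tagged by the sender's
    trust gateway. Per slide 57 a receiver may substitute its own rating for
    a private trading partner, and higher-rated traffic is inspected less.
    The three action thresholds are assumed."""
    rating = (partner_overrides or {}).get(origin, tagged_rating)
    if rating >= 4:
        return "fast-path"        # minimal inspection, deliver quickly
    if rating == 3:
        return "full-inspection"  # normal IDS/anti-malware path
    return "quarantine"           # hold and rate-limit for analysis
```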
  59. End-to-End Trust
     [Diagram: community trust rating servers within the Global Internet Security Infrastructure Service; each trust network sits behind a trust gateway at its network security boundary, with regulated endpoints inside, and the Internet/cloud between the gateways.]
  60. End-to-End Trust - In Conclusion
     - Thus, a roving malware network with constantly changing IP addresses could be tracked and identified by the global trust servers. No longer could malware writers hide behind fast-fluxing IP and DNS domain name changes.
  61. End-to-End Trust - In Conclusion
     - Another example: a previously highly trusted network or web site becomes infiltrated by malware. During the active attack, the compromised network or host could be assigned a lower trust rating, and that lower trust rating communicated to all participating parties.
     - Once the malware was cleaned up and the network or host was running clean again, its trust rating could be improved, maybe slowly at first. But certainly after a set period of time, it could regain its original trust rating, or actually improve beyond the original if newer, more secure practices were used.
  62. End-to-End Trust - In Conclusion
     - Currently, there is no way for the Internet community, globally, to be aware that a particular, popular host or network is compromised. With more and more legitimate sites being used to host malware, we need some sort of warning system.
  63. Use Existing Web Standards
     - The Best Part?? All of the previously mentioned stuff can be implemented using web service standards that exist today! We need only agree upon a solution
  64. Use Existing Web Standards
     - IPv6
     - DNSSec
     - x.500 Directories
     - x.509 digital certificates
     - Trusted Network Connect
     - Trusted Platform Module (TPM) chip
     - Network Access Control (e.g. NAP, etc.)
  65. Use Existing Web Standards
     - WS-* (Web Service Extensions): WS-Security, WS-Federation, WS-Trust
     - OpenID
     - RADIUS
     - SAML 2.0
  66. Use Existing Web Standards: Basic Components
     - Content Provider website
     - Authentication Providers (AP)
     - Cloud Services
     - End-User
  67. Use Existing Web Standards
     - You, your company, your client...can be all three components at some point
  68. Basic Layers
     [Diagram: three layers. AP layer: Authentication Providers, overseen by Auditors. CP layer: Content Providers. End-User layer: End-Users.]
  69. Use Existing Web Standards
     - Your company can provide the authentication service
     - You can run an authentication/trust gateway device
     - Or you can buy into an authentication service that does all the heavy lifting
  70. Basic Layers
     [Diagram: the same three layers, with a legacy password system and a non-compliant authentication system joined to the AP layer through authentication gateway servers/services alongside the native Authentication Providers.]
  71. Not a Pipe Dream
     - Many national/regional infrastructures are already headed down this path:
       • Singapore’s National Authentication Framework
       • Italian Inter-Regional Identity Federation (ICAR-INF3)
       • European STORK project
       • United States Federal Bridge Certification Authority
     - But none is focused globally, and none is focusing purely on security and how to “fix” the Internet
  72. Likelihood For Internet Fix To Happen?
     - Not likely until a tipping point event happens
     - Then we’ll collectively run around with our heads in the sand and wonder how we could have let this happen (see global financial crisis, 9-11, etc.)
     - We are not very good at proactive defenses until the big damage has occurred
  73. The End: Fixing the Internet
     - It’s just that easy.
     - Or if you don’t like my plan, how would you fix it?
     - Questions?