Dirty Little Secrets of IA (Information Assurance)

1
Dirty Little Secrets of IA (Information Assurance)
  • Why we might not be doing as well as you
    would hope
  • Bruce Potter (gdead_at_shmoo.com)

2
Administrivia
  • What is SecurityGeeks?
  • Part learning, part information exchange, part
    social
  • How often should we meet?
  • Once a month?
  • Topics? Format?
  • Future location ideas?
  • List Charter?
  • More questions?

3
ShmooCon Pimpin
  • Tix are on sale (sorta)
  • More to go on sale Jan 1, Feb 1
  • CFP still open
  • Though we have a lot of submissions in already;
    if you're thinking of submitting, do so soon
  • ShmooCon Labs
  • A limited set of folks that will set up the
    network and learn from experts (apply now)
  • Hacker Arcade
  • Hack or Halo

4
Don't Believe Anything I Say
  • "Do not believe in anything simply because you
    have heard it. Do not believe in anything simply
    because it is spoken and rumored by many. Do not
    believe in anything simply because it is found
    written in your religious books. Do not believe
    in anything merely on the authority of your
    teachers and elders. Do not believe in traditions
    because they have been handed down for many
    generations. But after observation and analysis,
    when you find that anything agrees with reason
    and is conducive to the good and benefit of one
    and all, then accept it and live up to it." -
    Buddha
  • Information Assurance is all about not trusting
    what you are hearing, seeing, or being sent to
    you
  • By Day, Senior Associate for Booz Allen Hamilton
  • Focusing on IC
  • Wireless Security, application assurance,
    information security strategy
  • By Night, Founder of The Shmoo Group and restorer
    of hopeless Swedish cars
  • Anyone know what a Volvo 1800 is?

5
IT Security Needs Pyramid
  (Pyramid figure; only its labels survive. Layers as
  listed top to bottom: Honeypots, IDS, Software Sec,
  ACLs, Firewalls, Auth / Auth, Patch Mgt, Op.
  Procedures. Vertical axis label: Sophistication and
  Operational Cost.)
6
Secret 1 - We're not gaining on the attackers
  • For the last 4 decades, information assurance
    professionals have been attempting to solve the
    same problem
  • "Another major problem is the fact that there
    are growing pressures to interlink separate but
    related computer systems into increasingly
    complex networks"
  • "Underlying most current users' problems is
    the fact that contemporary commercially available
    hardware and operating systems do not provide
    adequate support for computer security"
  • "In addition to the experience of accidental
    disclosure, there has also been a number of
    successful penetrations of systems where the
    security was added on or claimed from fixing
    all known bugs in the operating system. The
    success of the penetrations, for the most part,
    has resulted from the inability of the system to
    adequately isolate a malicious user, and from
    inadequate access control mechanisms built into
    the operating system"
  • Computer Security Technology Planning Study -
    October 1972, Electronic Systems Division, Air
    Force

7
Current InfoSec Trends
  • Anti-virus, Intrusion Detection, and Strong
    passwords
  • Defense in Depth aka layer enough protection
    mechanisms on, and something will stop the bad
    guys (is this a good idea?)
  • Microsoft is the root of all security evils (is
    this true?)
  • Most of the threats against your systems are from
    script kiddies who have more guts than brains (is
    this still the case?)
  • All these ideas are geared toward a threat model
    that existed 10 years ago
  • Let's look at attackers today

8
The Open Source Model of Security Research
  • Only in the last 15 years have public discussions
    of Information Security issues come into vogue
  • From obscure geeky bulletin boards to the front
    page of the NY Times
  • InfoSec is not really a science yet
  • Crypto is math. InfoSec is much, much more
  • Because of the specialized knowledge required,
    and the lack of a formal body of knowledge, a
    community has grown
  • Information on vulnerability research methods,
    specific vulnerability information and live
    exploits were publicly discussed
  • The idea of responsible disclosure was born
    (and debated at length)
  • But things have changed

9
Secret 2 - Existing Security Products are
Becoming Obsolete
  • Firewalls and IDSs were created for a different
    threat model
  • They are probably still necessary but nowhere
    near sufficient
  • At a recent conference, CIOs were asked if they
    would notice if their firewall and IDS logs went
    away, and most said no.
  • IDSs are best geared toward policy monitoring
    and enforcement
  • Host based security is becoming increasingly
    important
  • Lost laptops aren't just a problem for the VA
  • Much easier to find attacks at the endpoints than
    in the infrastructure, 'cept for all the noise
  • With the mobile workforce, laptops are often
    outside the sphere of protection of the
    enterprise security architectures
  • Anomaly detecting systems are also a wave of the
    future
  • But statistical analysis of a single dimension of
    data may be a better bet than multiple data
    source correlation or some manner of AI-based
    system
  • How do we secure SOA-based systems?

10
Secret 3 - Having trusted hardware can
completely change the face of information
assurance
  • Secure cryptographic operations
  • Secure key storage
  • Integrity attestation
  • By some accounts, can ultimately rid us of the
    problems of malware, viruses, etc.
  • Trusted boot: signed kernel, signed drivers,
    signed apps
  • Signed does not mean secure, but it at least
    means "what I intended"
  • Why is now (finally) the time for trusted
    computing?
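The trusted-boot chain and integrity attestation on this slide, as an added example that is not part of the deck: a Python simulation of TPM-style measured boot. Each stage hashes the next one before handing over control and folds the hash into a Platform Configuration Register with the extend operation, and a remote verifier replays the event log against known-good measurements. The stage images, stage names and golden values are constructed placeholders; a real TPM quote is also signed by the TPM's attestation key, which this example leaves out.

```python
import hashlib
from typing import Dict, List, Tuple

# Added example: TPM-style measured boot and attestation check.
# Stage images are constructed placeholder byte strings standing in for
# real boot loader, kernel, driver and application binaries.

H = hashlib.sha256
PCR_INIT = b"\x00" * H().digest_size  # PCRs read as all zeros after reset


def measure(stage_image: bytes) -> bytes:
    """Digest of a stage image, taken by the previous stage before it runs it."""
    return H(stage_image).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: PCR_new = H(PCR_old || measurement). A PCR cannot be written,
    only extended, so the final value commits to every measurement and to the
    order in which they were made."""
    return H(pcr + measurement).digest()


def boot(stages: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Tuple[str, bytes]]]:
    """Run a measured boot. Returns the final PCR value (what a TPM quote would
    report) and the event log of (stage name, measurement) handed to a verifier."""
    pcr, log = PCR_INIT, []
    for name, image in stages:
        m = measure(image)
        pcr = extend(pcr, m)
        log.append((name, m))
    return pcr, log


def replay(log: List[Tuple[str, bytes]]) -> bytes:
    """Recompute the PCR a given event log should produce."""
    pcr = PCR_INIT
    for _, m in log:
        pcr = extend(pcr, m)
    return pcr


def verify_attestation(quoted_pcr: bytes, log: List[Tuple[str, bytes]],
                       golden: Dict[str, bytes]) -> List[str]:
    """Remote attestation check with two independent conditions:
    1. replaying the log reproduces the quoted PCR, so the log was not edited
       after the fact (the quote is what a real TPM signs; signature omitted);
    2. every logged measurement is one the verifier knows for that stage, so
       nothing unexpected ran. Returns a list of problems, empty when clean."""
    problems = []
    if replay(log) != quoted_pcr:
        problems.append("event log does not reproduce the quoted PCR")
    for name, m in log:
        if golden.get(name) != m:
            problems.append(f"unknown measurement for stage {name!r}")
    return problems


# Constructed known-good chain and the golden measurements derived from it.
GOOD_STAGES = [
    ("bootloader", b"bootloader image v1"),
    ("kernel", b"kernel image 10.4.4"),
    ("drivers", b"signed driver bundle"),
    ("app", b"rosetta translator"),
]
GOLDEN = {name: measure(image) for name, image in GOOD_STAGES}
TAMPERED_STAGES = [(n, b"kernel image 10.4.4 + rootkit" if n == "kernel" else img)
                   for n, img in GOOD_STAGES]


def demo_clean() -> List[str]:
    pcr, log = boot(GOOD_STAGES)
    return verify_attestation(pcr, log, GOLDEN)


def demo_tampered_kernel() -> List[str]:
    """Swapped kernel, honest chain: the log itself exposes the change."""
    pcr, log = boot(TAMPERED_STAGES)
    return verify_attestation(pcr, log, GOLDEN)


def demo_forged_log() -> List[str]:
    """Swapped kernel, but the attacker hands over the clean log: the PCR
    quoted by the TPM cannot be rewritten to match it."""
    pcr, _ = boot(TAMPERED_STAGES)
    _, clean_log = boot(GOOD_STAGES)
    return verify_attestation(pcr, clean_log, GOLDEN)


def demo_reordered() -> bool:
    """Same stages in a different order produce a different PCR."""
    pcr_a, _ = boot(GOOD_STAGES)
    pcr_b, _ = boot(list(reversed(GOOD_STAGES)))
    return pcr_a != pcr_b


if __name__ == "__main__":
    print("clean:", demo_clean())
    print("tampered kernel:", demo_tampered_kernel())
    print("forged log:", demo_forged_log())
    print("order matters:", demo_reordered())
```

The two checks in verify_attestation are deliberately separate: the replay catches a log edited after the fact, the golden-value lookup catches a stage that ran and was honestly logged but is not one the verifier trusts. Signing alone gives you only the second kind of assurance, which is the slide's "signed does not mean secure" point.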

11
Guess what? DRM is Cool
  • According to a recent survey, iPods are cooler
    than beer
  • Apple made DRM sexy and cool
  • The iPod begat ITMS
  • ITMS was made possible because Apple came up with
    a rights management scheme that the content
    providers could deal with at $1 a pop
  • In Feb 2006, the 1 billionth song was downloaded
    from ITMS
  • 1 billion songs means people think ITMS is cool
  • Through transitivity, Apple made DRM cool
  • What does Apple have to do with Trusted Hardware?

12
Funny You Should Ask
  • Apple just made trusted hardware sexy and cool
    (and you didn't even realize)
  • Enter the MacBook Pro
  • When Apple switched to Intel, they developed
    Rosetta, an emulator that dynamically translates
    PPC opcodes to x86
  • Apple is using the TPM to protect Rosetta from
    starting unless the TPM is there
  • Ensures Apple proprietary SW only runs on Apple
    HW
  • Maxxuss repeatedly bypassed this protection

  (Diagram; only its labels survive: Intel Processor,
  Legacy PPC App, App Translated to x86, Rosetta, TPM.)
13
IA Trend - Trusted Hardware
  • Many other vendors also working to integrate
    trusted hardware
  • A variety of impacts on field operations
  • Can make decryption of encrypted data VERY
    difficult
  • Can make compromising a target's computer more
    difficult
  • Provides security throughout the network, not
    just at a system level. This is FANTASTIC for
    device authentication
  • Trusted Network Connect
  • Key management is not just for strong crypto
    anymore
  • More info: http://www.trustedcomputing.org/

14
Secret 4 - Decreased exploit development
timeframe and mercenary exploit dev are
empowering the individual attackers
  • Patches have two major uses
  • Secure a system that has a known vulnerability
  • Determine what vulnerability was patched in order
    to develop an exploit
  • In the last several years, there has been an
    incredible decrease in the amount of time between
    patch release and creation of a successful
    exploit
  • Microsoft's Patch Tuesday has been great for both
    attackers and defenders alike
  • The moral? Patch disclosure is essentially the
    same as vulnerability disclosure
  • Many security companies now offer money in
    exchange for exclusive rights to exploits from
    mercenary exploit developers
  • TippingPoint's Zero Day Initiative (ZDI)
  • iDefense's Vulnerability Contributor Program
    (VCP)
  • Etc.
  • These programs have rewards programs, as well
    as other incentives
  • This has TOTALLY changed the full disclosure
    argument

  (Vulnerability Timeline figure; labels recovered
  from the slide: Vuln Disc., Patch Rel., Exploit
  Rel., Majority Patched, with a region marked "High
  Risk for Large Scale and Highly Targeted Attacks".)
15
Secret 5 - For Operational Security, Microsoft
may be your best bet
  • Operational security is just as much about
    scalability, monitorability, and manageability as
    it is about the technical security of the
    product
  • MS got it wrong for a LONG time; that allowed a
    HUGE industry to develop around it that provided
    security products to the consumer and enterprise
  • Also, other operating systems were viewed as
    more secure for a variety of reasons
  • But now MS has spent more money on security than
    many countries spend on IT
  • Even if they get most of it wrong, they're moving
    in the right direction. They're talking about MLS
    by '10
  • Unlike OSS, with MS, you have a product roadmap,
    you have a coherent integration of many business
    apps, you have security woven through the entire
    OS and application layers, AND you have a patch
    process that basically makes sense
  • Ultimately, the premise has changed: while before
    the security vendors knew security better, now MS
    does
  • Causing obvious problems with 64-bit Vista
  • http://www.shmoo.com/gdead/ for more info on
    operational security and MS

16
Secret 6 - What is the best mechanism for finding
attackers in your networks?
18
Administrators are the first responders
  • They should be armed as such
  • Networks are dynamic critters. The systems and
    network administrators know them better than any
    monitoring software will
  • For networks without administrators (sensor nets,
    local networks in airframes, etc.) specific
    monitoring procedures need to be developed. But
    these networks tend to be closed systems with
    easily profilable behaviors.
  • What gets one-off (dangerous) attackers caught?
  • Bandwidth increases
  • Running out of disk space
  • Patches not applying properly
  • Change management failures
  • CRAZY syslog entries (huge binary blobs in syslog
    entries, for instance)
  • In summary: things sysadmins and NOC operators
    will notice. Hard for automated systems to
    recognize whether these are security issues or not
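Two points from the deck in one added example (Python, not from the talk): the Secret 2 remark that statistics on a single dimension of data can beat multi-source correlation, and the indicators on this slide that operators notice, bandwidth jumps and oddly shaped syslog entries. The bandwidth series and the syslog lines are constructed; the thresholds (5 MADs, 300 characters, 10% non-printable) are assumed starting points, not values from the talk, and the same numeric check applies unchanged to free disk space or log volume per minute.

```python
import statistics
from typing import List, Tuple

# Added example: single-dimension statistical anomaly detection plus a
# "crazy syslog entry" check. All sample data below is constructed.

# Constructed: outbound MB per five-minute interval for one subnet. Index 12
# is a 910 MB burst, the kind of bandwidth jump a NOC operator notices.
MB_PER_5MIN = [120, 131, 118, 125, 140, 122, 119, 128, 135, 121, 124, 130, 910, 126, 123]


def mad_outliers(samples: List[float], threshold: float = 5.0) -> List[Tuple[int, float]]:
    """Flag samples more than `threshold` median absolute deviations from the
    median. Median/MAD instead of mean/standard deviation: a single huge spike
    drags the mean up and widens the standard deviation enough to hide itself,
    but barely moves the median. Any one-dimensional series will do."""
    med = statistics.median(samples)
    mad = statistics.median(abs(x - med) for x in samples) or 1.0  # flat series guard
    return [(i, x) for i, x in enumerate(samples) if abs(x - med) / mad > threshold]


# Constructed syslog lines. Index 2 carries a run of 0x90 (NOP sled) bytes in
# a kernel message, index 3 a 400-byte filler followed by a shell path: both
# are shapes an overflow attempt leaves behind when it lands in a log.
SYSLOG = [
    "Dec 12 03:14:07 web01 sshd[2231]: Accepted publickey for deploy from 10.0.4.21 port 51522 ssh2",
    "Dec 12 03:14:09 web01 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; COMMAND=/usr/bin/apt-get update",
    "Dec 12 03:15:41 web01 kernel: " + "\x90" * 48,
    "Dec 12 03:16:02 web01 syslogd: " + "A" * 400 + " /bin/sh",
    "Dec 12 03:17:30 web01 cron[9981]: (root) CMD (run-parts /etc/cron.hourly)",
]


def odd_syslog(lines: List[str], max_len: int = 300,
               max_binary_ratio: float = 0.10) -> List[Tuple[int, str]]:
    """Return (index, reason) for lines that look like binary blobs or are far
    longer than the sending daemons normally produce. Printable ASCII and tab
    are the only characters a normal syslog line should contain."""
    flagged = []
    for i, line in enumerate(lines):
        binary = sum(1 for ch in line if not (32 <= ord(ch) <= 126 or ch == "\t"))
        ratio = binary / max(len(line), 1)
        if ratio > max_binary_ratio:
            flagged.append((i, f"{ratio:.0%} non-printable characters"))
        elif len(line) > max_len:
            flagged.append((i, f"length {len(line)} exceeds {max_len}"))
    return flagged


if __name__ == "__main__":
    print("bandwidth outliers:", mad_outliers(MB_PER_5MIN))
    for idx, why in odd_syslog(SYSLOG):
        print(f"syslog line {idx}: {why}")
```

Both checks are one column of data and one rule each, which is exactly why an operator can tune them: when the bandwidth rule fires you can see the median and the spike, with nothing to explain about how several feeds were correlated.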

19
Secret 7 - Most organizations don't have staff
dedicated to monitoring the security of their
networks and systems
  • What works for securing DoD may never work for
    anyone else
  • Just like how MS deals with software security may
    not work for anyone else
  • 800 lb gorillas are not good examples
  • You're lucky to find staff dedicated to security
    configuration, let alone security monitoring

20
Secret 8 - There are several proactive detective
mechanisms that work without breaking the bank or
your staff
  • Host integrity monitoring
  • Looking for changes in the end hosts, especially
    in system directories, can be very successful
  • Network services monitoring
  • Scanning internal networks looking for open ports
    will at least find new TCP services; great for
    change management control as well
  • Monitoring defacement archives and other open
    source locations for your assets
  • If the Internet knows you're p0wned, shouldn't
    you?
  • If you don't get these right, why do more?
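Host integrity monitoring and network service monitoring as on this slide, as an added example (Python, not from the deck): both come down to keeping a baseline inventory and diffing a fresh one against it, so one diff routine serves both. The file tree is built in a temporary directory and the nmap -oG (grepable) output is constructed; the host names, addresses and ports are made up.

```python
import hashlib
import os
import re
import stat
import tempfile
from typing import Dict, List, Tuple

# Added example: host integrity and service inventory as baseline-and-diff.
# The directory tree and the nmap output are constructed for the example.


def snapshot_files(root: str) -> Dict[str, Tuple[str, int, int]]:
    """Record (sha256, permission bits, size) for every regular file under root,
    keyed by path relative to root. Keep the result off-host: an attacker who
    owns the box can rewrite a baseline stored on it."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):  # skip symlinks, devices, sockets
                continue
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = (digest, stat.S_IMODE(st.st_mode), st.st_size)
    return baseline


def diff_inventory(old: Dict, new: Dict) -> Tuple[List[str], List[str], List[str]]:
    """Return (added, removed, changed) keys; changed means present in both
    with a different value (new hash, mode or size; new service on a port)."""
    added = sorted(k for k in new if k not in old)
    removed = sorted(k for k in old if k not in new)
    changed = sorted(k for k in old if k in new and old[k] != new[k])
    return added, removed, changed


NMAP_HOST = re.compile(r"^Host:\s+(\S+).*?Ports:\s+([^\t]*)")


def parse_nmap_grepable(text: str) -> Dict[str, str]:
    """Parse nmap -oG output into {"host:port/proto": service} for open ports.
    Each port entry has the form port/state/proto/owner/service/rpc/version/."""
    inv = {}
    for line in text.splitlines():
        m = NMAP_HOST.match(line)
        if not m:
            continue
        host, ports = m.groups()
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue
            port, state, proto, _owner, service = fields[:5]
            if state == "open":
                inv[f"{host}:{port}/{proto}"] = service
    return inv


# Constructed scans: a new listener appears on web01, mysql vanishes on db01.
SCAN_BASELINE = """# Nmap 4.11 scan initiated (constructed sample)
Host: 10.0.4.10 (web01)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (998)
Host: 10.0.4.11 (db01)\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///\tIgnored State: closed (998)
"""
SCAN_TODAY = """# Nmap 4.11 scan initiated (constructed sample)
Host: 10.0.4.10 (web01)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 4444/open/tcp//krb524///\tIgnored State: closed (997)
Host: 10.0.4.11 (db01)\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)
"""


def demo_services() -> Tuple[List[str], List[str], List[str]]:
    return diff_inventory(parse_nmap_grepable(SCAN_BASELINE), parse_nmap_grepable(SCAN_TODAY))


def demo_host_integrity() -> Tuple[List[str], List[str], List[str]]:
    """Build a throwaway tree, baseline it, then simulate a compromise: a
    trojaned binary, a dropped hidden file and a deleted library."""
    with tempfile.TemporaryDirectory() as root:
        files = {"sbin/init": b"init v1", "bin/ls": b"ls v1", "lib/libc.so": b"libc"}
        for rel, data in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        before = snapshot_files(root)
        with open(os.path.join(root, "bin", "ls"), "ab") as f:
            f.write(b"\x90\x90 backdoor")
        with open(os.path.join(root, "bin", ".hidden"), "wb") as f:
            f.write(b"dropped")
        os.remove(os.path.join(root, "lib", "libc.so"))
        after = snapshot_files(root)
    return diff_inventory(before, after)


if __name__ == "__main__":
    print("files (added, removed, changed):", demo_host_integrity())
    print("services (added, removed, changed):", demo_services())
```

A removed service is worth a ticket as much as an added one: the missing mysql listener in the sample is either an unannounced change or a crashed daemon, and either way it is the change-management signal the slide mentions.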

21
Questions?