Dirty Little Secrets of IA Information Assurance

1
Dirty Little Secrets of IA(Information Assurance)

• Why we might not be doing as
• good as you would hope
• Bruce Potter (gdead_at_shmoo.com)

2
Administrivia

• What is SecurityGeeks?
• Part learning, part information exchange, part
  social
• How often should we meet?
• Once a month?
• Topics? Format?
• Future location ideas?
• List Charter?
• More questions?

3
ShmooCon Pimpin

• Tix are on sale (sorta)
• More to go on sale Jan 1, Feb 1
• CFP still open
• Though we have a lot of submissions in already
  if youre thinking of submitting, do so soon
• ShmooCon Labs
• A limited set of folks that will set up the
  network and learn from experts (apply now)
• Hacker Arcade
• Hack or Halo

4
Dont Believe Anything I Say

• "Do not believe in anything simply because you
  have heard it. Do not believe in anything simply
  because it is spoken and rumored by many. Do not
  believe in anything simply because it is found
  written in your religious books. Do not believe
  in anything merely on the authority of your
  teachers and elders. Do not believe in traditions
  because they have been handed down for many
  generations. But after observation and analysis,
  when you find that anything agrees with reason
  and is conducive to the good and benefit of one
  and all, then accept it and live up to it. -
  Buddha
• Information Assurance is all about not trusting
  what you are hearing, seeing, or being sent to
  you
• By Day, Senior Associate for Booz Allen Hamilton
• Focusing on IC
• Wireless Security, application assurance,
  information security strategy
• By Night, Founder of The Shmoo Group and restorer
  of hopeless Swedish cars
• Anyone know what a Volvo 1800 is?

5
IT Security Needs Pyramid
Honeypots
IDS
Sophistication and Operational Cost
Software Sec
ACLs
Firewalls
Auth / Auth
Patch Mgt
Op. Procedures
6
Secret 1 - Were not gaining on the attackers

• For the last 4 decades, information assurance
  professionals have been attempting to solve the
  same problem
• Another major problem is the fact that there
  are growing pressures to interlink separate but
  related computer systems into increasingly
  complex networks
• Underlying most current users problems is
  the fact that contemporary commercially available
  hardware and operating systems do no provide
  adequate support for computer security
• In addition to the experience of accidental
  disclosure, there has also been a number of
  successful penetrations of systems where the
  security was added on or claimed from fixing
  all known bugs in the operating system. The
  success of the penetrations, for the most part,
  has resulted from the inability of the system to
  adequately isolate a malicious user, and from
  inadequate access control mechanisms built into
  the operating system
• Computer Security Technology Planning Study -
  October 1972, Electronic Systems Division, Air
  Force

7
Current InfoSec Trends

• Anti-virus, Intrusion Detection, and Strong
  passwords
• Defense in Depth aka layer enough protection
  mechanisms on, and something will stop the bad
  guys (is this a good idea?)
• Microsoft is the root of all security evils (is
  this true?)
• Most of the threat against your systems are from
  script kiddies who have more guts than brains (is
  this still the case?)
• All these ideas are geared toward a threat model
  that existed 10 years ago
• Lets look at attackers today

8
The Open Source Model of Security Research

• Only in the last 15 years has public discussions
  of Information Security issues come into vogue
• From obscure geeky bulletin boards to the front
  page of the NY Times
• InfoSec is not really a science yet
• Crypto is math. InfoSec is much, much more
• Because of the specialized knowledge required,
  and the lack of a formal body of knowledge, a
  community has grown
• Information on vulnerability research methods,
  specific vulnerability information and live
  exploits were publicly discussed
• The idea of responsible disclosure was born
  (and debated at length)
• But things have changed

9
Secret 2 - Existing Security Products are
Becoming Obsolete

• Firewalls and IDSs were created for a different
  threat model
• They are probably still necessary but no where
  near sufficient
• At a recent conference, CIOs where ask if they
  would notice if their firewall and IDS logs went
  away, and most said no.
• IDSs are best geared toward policy monitoring
  and enforcement
• Host based security is becoming increasingly
  important
• Lost laptops arent just a problem for the VA
• Much easier to find attacks at the endpoints than
  in the infrastructure cept for all the noise
• With the mobile workforce, laptops are often
  outside the sphere of protection of the
  enterprise security architectures
• Anomaly detecting systems are also a wave of the
  future
• But statistical analysis if a single dimension of
  data may be a better bet than multiple data
  source correlation or some manner of AI-based
  system
• How do we secure SOA-based systems?

10
Secret 3 - Having trusted hardware can
completely change the face of information
assurance

• Secure cryptographic operations
• Secure key storage
• Integrity attestation
• By some accounts, can ultimately rid us of the
  problems of malware, viruses, etc..
• Trusted boot - signed kernel - signed drivers
  -signed apps
• Signed does not mean secure but it at least
  means what I intended
• Why is now (finally) the time for trusted
  computing?

11
Guess what? DRM is Cool

• According to a recent survey, iPods are cooler
  than beer
• Apple made DRM sexy and cool
• The iPod begat ITMS
• ITMS was made possible because Apple came up with
  a rights management scheme that the content
  providers could deal with at a 1 a pop
• In Feb 2006, the 1 billionth song was downloaded
  from ITMS
• 1 billion songs means people things ITMS is cool
• Through transitivity, Apple made DRM cool
• What does Apple have to do with Trusted Hardware?

or
12
Funny You Should Ask

• Apple just made trusted hardware sexy and cool
  (And you didnt even realize)
• Enter the MacBook Pro
• When Apple switched to Intel, the developed
  Rosetta an emulator that dynamically translates
  PPC opcodes to x86
• Apple is using the TPM to protect Rosetta from
  starting unless the TPM is there
• Ensures Apple proprietary SW only runs on Apple
  HW
• Maxxuss repeatedly bypassed this protection

Intel Processor
Legacy PPC App
App Translated to x86
Rosetta
TPM
13
IA Trend - Trusted Hardware

• Many other vendors also working to integrate
  trusted hardware
• A variety of impacts on field operations
• Can make decryption of encrypted data VERY
  difficult
• Can make compromising a targets computer more
  difficult
• Provides security throughout the network, not
  just at a system level.. This is FANTASTIC for
  device authentication
• Trusted Network Connect
• Key management is not just for strong crypto
  anymore
• More info http//www.trustedcomputing.org/

14
Secret 4 - Decreased exploit development
timeframe and mercenary exploit dev are
empowering the individual attackers

• Patches have two major uses
• Secure a system that has a known vulnerability
• Determine what vulnerability was patched in order
  to develop an exploit
• In the last several years, there has been an
  incredible decrease in the amount of time between
  patch release and creation of a successful
  exploit
• Microsofts Patch Tuesday has been great for both
  attackers and defenders alike
• The moral? Patch disclosure is essentially the
  same as vulnerability disclosure
• Many security companies now offer money in
  exchange for exclusive rights to exploits from
  mercenary exploit developers
• Tipping Points Zero Day Initiative (ZDI)
• iDefenses Vulnerability Contributor Program
  (VCP)
• Etc
• These programs have rewards programs, as well
  as other incentives
• This has TOTALLY changed the full disclosure
  argument

Vuln Disc.
Patch Rel.
High Risk for Large Scale and Highly Targeted
Attacks
Exploit Rel.
Majority Patched
V u l n e r a b I l I t y T i m e l i n e
15
Secret 5 - For Operational Security, Microsoft
may be your best bet

• Operational security is just as much about
  scalability, monitorability, and manageability as
  it is about the technical security of the
  product
• MS got it wrong for a LONG time it allowed a
  HUGE industry to develop around it that provided
  security products to the consumer and enterprise
• Also, other operating systems were viewed as
  more secure for a variety of reasons
• But now MS has spent more money on security than
  many countries spend on IT
• Even if they get most of it wrong, theyre moving
  in the right direction Theyre talking about MLS
  by 10
• Unlike OSS, with MS, you have a product roadmap,
  you have a coherent integration of many business
  apps, you have security woven through the entire
  OS and application layers, AND you have a patch
  process that basically makes sense
• Ultimately, the premise has changed while before
  the security vendors knew security better, now MS
  does
• Causing obvious problems with 64-bit Vista
• http//www.shmoo.com/gdead/ for more info on
  operational security and MS

16
Secret 6 What is the best mechanism for finding
attackers in your networks?
17
(No Transcript)
18
Administrators are the first responders

• they should be armed as such
• Networks are dynamic critters. The systems and
  network administrators know them better than any
  monitoring software will
• For networks without administrators (sensor nets,
  local networks in airframes, etc) specific
  monitoring procedures need to be developed. But
  these networks tend to be closed systems with
  easily profilable behaviors.
• What gets one off (dangerous) attackers caught?
• Bandwidth increases
• Running out of disk space
• Patches not applying properly
• Change management failures
• CRAZY syslog entries (huge binary blobs in syslog
  entries, for instance)
• In summary things sysadmins and NOC operators
  will notice. Hard for automated systems to
  recognize whether these are security issues or not

19
Secret 7 Most organizations dont have staff
dedicated to monitoring the security of their
networks and systems

• What works for securing DoD may never work for
  anyone else
• Just like how MS deals with software security may
  not work for anyone else
• 800 lbs gorillas are not good examples
• Youre lucky to find staff dedicated to security
  configuration, let alone security monitoring

20
Secret 8 There are several proactive detective
mechanisms that work without breaking the bank or
your staff

• Host integrity monitoring
• Looking for changes in the end hosts, esp in
  system directories can be very successful
• Network services monitoring
• Scanning internal networks looking for open ports
  will at least find new TCP services great for
  change management control as well
• Monitoring defacement archives and other open
  source locations for your assets
• If the Internet knows youre p0wned, shouldnt
  you?
• If you dont get these right why do more?

21
Questions?