Title: Computers Under Attack Internet Security Trends
1Computers Under AttackInternet Security Trends
- Rich PethiaSoftware Engineering
InstituteCarnegie Mellon UniversityPittsburgh,
PA 15213 - This work is sponsored by the U.S. Department of
Defense.
2CERT Coordination Center
- The SEI established the Computer Emergency
Response Team Coordination Center in 1988. - The CERT/CCs mission is to respond to security
emergencies on the Internet, serve as a focal
point for reporting security vulnerabilities,
serve as a model to help others establish
incident response - teams, and raise awareness of
- security issues.
3Activity
- Since 1988, the CERT/CC has responded to over
100,000 security incidents that have affected
hundreds of thousands of Internet sites has
worked over 5000 reported vulnerabilities, and
has issued hundreds of advisories and bulletins.
In addition, the CERT/CC has helped foster the
creation of over 90 other incident response
teams.
4The Internet has Become Indispensable to Business
- The Internet allows organizations to
- conduct electronic commerce
- provide better customer service
- collaborate with partners
- reduce communications costs
- improve internal communication
- access needed information rapidly
5The Risks
- While computer networks revolutionize the way
you do business, the risks computer networks
introduce can be fatal to a business. - Network attacks lead to lost
- money
- time
- products
- reputation
- lives
- sensitive information
6Incidents Reported to CERT/CC
7Surveyed Companies Identify Risks -1
Attacks
Source - Computer Security Institute/FBI Survey
8Surveyed Companies Identify Risks -2
Attacks
Source - Computer Security Institute/FBI Survey
9How Did We Get Here?
10The Problem
- In the rush to benefit from using the Internet,
organizations often overlook significant risks. - the engineering practices and technology used by
system providers do not produce systems that are
immune to attack - network and system operators do not have the
people and practices to defend against attacks
and minimize damage - policy and law in cyber-space are immature and
lag the pace of change
11Strain on System Administrators - 1
- There is continued movement to complex,client-serv
er, peer to peer, and heterogeneous
configurations with distributed management. - There is little evidence of security improvements
in most products new vulnerabilities are found
routinely. - Comprehensive security solutions are lacking
current tools address only parts of the problem.
12Strain on System Administrators - 2
- Engineering for ease of use has not been matched
by engineering for ease of secure administration - ease of use and increased utility are driving a
dramatic explosion in use - system administration and security administration
are more difficult than a decade ago - this growing gap brings increased vulnerability
13Other Reasons for Concern
- Many security audits and evaluations only skim
the surface of the organization and its
technology major risks are often overlooked. - Lack of understanding leads to reliance on
partial solutions.
14More Sophisticated Intruders
- Intruders are
- building technical knowledge and skills
- gaining leverage through automation
- exploiting network interconnections and moving
easily through the infrastructure - becoming more skilled at masking their behavior
15Attack Sophistication vs. Intruder Technical
Knowledge
Tools
stealth / advanced scanning techniques
High
packet spoofing
denial of service
DDOS attacks
sniffers
www attacks
Intruder Knowledge
sweepers
automated probes/scans
GUI
back doors
network mgmt. diagnostics
disabling audits
hijacking sessions
burglaries
Attack Sophistication
exploiting known vulnerabilities
password cracking
self-replicating code
Attackers
password guessing
Low
1980
1985
1990
1995
2000
16So What?
17Its going to get worse - 1
- Explosive growth of the Internet continues
- continues to double in size every 10-12 months
- where will all the capable system administrators
come from? - Market growth will drive vendors
- time to market, features, performance, cost are
primary - invisible quality features such as security are
secondary
18Its going to get worse - 2
- More sensitive applications connected to the
Internet - low cost of communications, ease of connection,
and power of products engineered for the Internet
will drive out other forms of networking - hunger for connectivity, data and benefits of
electronic interaction will continue to push
widespread use of Internet technology
19Its going to get worse - 3
- The death of the firewall
- traditional approaches depend on complete
administrative control and strong perimeter
controls - todays business practices and wide area networks
violate these basic principles - no central point of network control
- more interconnections with customers, suppliers,
partners - more network applications
- the network is the computer
- whos an insiderand whos an outsider
20Low Quality Software is One Root Cause of the
Problem
21Vulnerabilities Reports are Increasing
22Cyber attackers routinely exploit defects in
commercial software.
Reference Computerworld, 7/31/2000, www.cnn.com
Additional reference S, Hernan, Business Week,
2/28/2000 www.businessweek.com
23And...
The public is beginning to understand that poor
quality software is the cause of many problems.
Reference Cover of 12/6/1999 business week,
www.businessweek.com
24Vulnerability classes
- Majority of the problem from 8 fault classes
- 31-Trusting untrustworthy information
- 15 - Buffer overflows
- 7 - Insecure default configurations
- 5 - Flawed protocol definition
- 4 - Inheriting insecure arguments
- 2 - Program hard to configure safely
- 2 - Protocol definition ambiguous
- 2 - Logic error
25Legislating low quality is the wrong
answerUniform Computer Information Transactions
Act
26The SEIs Vision for Software Engineering
- The right software,
- delivered defect free,
- on time, every time
27The Right Software
- Meets users needs and expectations
- Satisfies system requirements (including
security) - No surprises
- Affordable and appropriate cost
28Delivered Defect Free
State of Practice
Development Integration and System
Test
60 - 80 of effort and cost
Reduce time to market by eliminating rework
A Better Way
Standish Group, www.standishgroup.com, 1996
29Beacon of Hope
- 100B in transaction volume/day
- SEI started working with EBS in November of
1998. - launched first TSP team in
- April1999
- launched multi-team project in August 1999
- - 4 teams
- - 50 managers and engineers
- Multiple team project finished in August 2000.
- only 3 weeks behind schedule
- no installation problems
30CERT Contact Information
24-hour hotline 1 412 268
7090 CERT personnel answer 830 a.m. 800
p.m. EST(GMT-5) / EDT(GMT-4), and are on call
for emergencies during other hours. Fax 1
412 268 6989 Anonymous FTP archive
ftp//info.cert.org/pub/ Web site http//www.
cert.org/ Electronic mail cert_at_cert.org US
mail CERT Coordination Center Software
Engineering Institute Carnegie Mellon
University 4500 Fifth Avenue
Pittsburgh PA 15213-3890 USA