Computers Under Attack Internet Security Trends - PowerPoint PPT Presentation
1
Computers Under Attack: Internet Security Trends
  • Rich Pethia
    Software Engineering Institute
    Carnegie Mellon University
    Pittsburgh, PA 15213
  • This work is sponsored by the U.S. Department of
    Defense.

2
CERT Coordination Center
  • The SEI established the Computer Emergency
    Response Team Coordination Center in 1988.
  • The CERT/CC's mission is to respond to security
    emergencies on the Internet, serve as a focal
    point for reporting security vulnerabilities,
    serve as a model to help others establish
    incident response teams, and raise awareness of
    security issues.

3
Activity
  • Since 1988, the CERT/CC has responded to over
    100,000 security incidents that have affected
    hundreds of thousands of Internet sites, has
    worked over 5,000 reported vulnerabilities, and
    has issued hundreds of advisories and bulletins.
    In addition, the CERT/CC has helped foster the
    creation of over 90 other incident response
    teams.

4
The Internet has Become Indispensable to Business
  • The Internet allows organizations to
  • conduct electronic commerce
  • provide better customer service
  • collaborate with partners
  • reduce communications costs
  • improve internal communication
  • access needed information rapidly

5
The Risks
  • While computer networks revolutionize the way
    you do business, the risks computer networks
    introduce can be fatal to a business.
  • Network attacks lead to lost
  • money
  • time
  • products
  • reputation
  • lives
  • sensitive information

6
Incidents Reported to CERT/CC
7
Surveyed Companies Identify Risks -1
Attacks
Source - Computer Security Institute/FBI Survey
8
Surveyed Companies Identify Risks -2
Attacks
Source - Computer Security Institute/FBI Survey
9
How Did We Get Here?

10
The Problem
  • In the rush to benefit from using the Internet,
    organizations often overlook significant risks.
  • the engineering practices and technology used by
    system providers do not produce systems that are
    immune to attack
  • network and system operators do not have the
    people and practices to defend against attacks
    and minimize damage
  • policy and law in cyber-space are immature and
    lag the pace of change

11
Strain on System Administrators - 1
  • There is continued movement to complex,
    client-server, peer-to-peer, and heterogeneous
    configurations with distributed management.
  • There is little evidence of security improvements
    in most products; new vulnerabilities are found
    routinely.
  • Comprehensive security solutions are lacking;
    current tools address only parts of the problem.

12
Strain on System Administrators - 2
  • Engineering for ease of use has not been matched
    by engineering for ease of secure administration
  • ease of use and increased utility are driving a
    dramatic explosion in use
  • system administration and security administration
    are more difficult than a decade ago
  • this growing gap brings increased vulnerability

13
Other Reasons for Concern
  • Many security audits and evaluations only skim
    the surface of the organization and its
    technology; major risks are often overlooked.
  • Lack of understanding leads to reliance on
    partial solutions.

14
More Sophisticated Intruders
  • Intruders are
  • building technical knowledge and skills
  • gaining leverage through automation
  • exploiting network interconnections and moving
    easily through the infrastructure
  • becoming more skilled at masking their behavior

15
Attack Sophistication vs. Intruder Technical Knowledge
[Chart: attack sophistication (vertical axis, Low to High) plotted
against time (1980, 1985, 1990, 1995, 2000), with the technical
knowledge an intruder needs ("Intruder Knowledge") falling as the
sophistication of available tools ("Tools", "Attackers") rises.
Techniques plotted on the chart: password guessing, self-replicating
code, password cracking, exploiting known vulnerabilities, burglaries,
hijacking sessions, disabling audits, network mgmt. diagnostics, back
doors, GUI tools, automated probes/scans, sweepers, www attacks,
sniffers, DDOS attacks, denial of service, packet spoofing, stealth /
advanced scanning techniques.]
16
So What?

17
It's going to get worse - 1
  • Explosive growth of the Internet continues
  • continues to double in size every 10-12 months
  • where will all the capable system administrators
    come from?
  • Market growth will drive vendors
  • time to market, features, performance, cost are
    primary
  • invisible quality features such as security are
    secondary

18
It's going to get worse - 2
  • More sensitive applications connected to the
    Internet
  • low cost of communications, ease of connection,
    and power of products engineered for the Internet
    will drive out other forms of networking
  • hunger for connectivity, data and benefits of
    electronic interaction will continue to push
    widespread use of Internet technology

19
It's going to get worse - 3
  • The death of the firewall
  • traditional approaches depend on complete
    administrative control and strong perimeter
    controls
  • today's business practices and wide area networks
    violate these basic principles
  • no central point of network control
  • more interconnections with customers, suppliers,
    partners
  • more network applications
  • the network is the computer
  • who's an insider and who's an outsider?

20
Low Quality Software is One Root Cause of the
Problem

21
Vulnerability Reports are Increasing
22
Cyber attackers routinely exploit defects in
commercial software.
Reference: Computerworld, 7/31/2000, www.cnn.com
Additional reference: S. Hernan, Business Week,
2/28/2000, www.businessweek.com
23
And...
The public is beginning to understand that poor
quality software is the cause of many problems.
Reference: Cover of 12/6/1999 Business Week,
www.businessweek.com
24
Vulnerability classes
  • Majority of the problem from 8 fault classes
  • 31 - Trusting untrustworthy information
  • 15 - Buffer overflows
  • 7 - Insecure default configurations
  • 5 - Flawed protocol definition
  • 4 - Inheriting insecure arguments
  • 2 - Program hard to configure safely
  • 2 - Protocol definition ambiguous
  • 2 - Logic error
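
The two largest fault classes on this slide, trusting untrustworthy information and buffer overflows, usually appear together: a value read off the wire is believed and then used to size a copy into a fixed buffer. The following is an added example written for this page, not code from the presentation or from CERT/CC. It parses a constructed, hypothetical message format (one length byte followed by that many bytes of name) two ways: the vulnerable way, which trusts the length byte, and the hardened way, which checks every wire-supplied field against both what was actually received and the size of the destination. The message format, the NAME_MAX limit, the printable-ASCII rule and the sample messages are all assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* fixed-size destination buffer, as in classic overflow bugs */

/* Constructed sample messages (not from the presentation):
 * one well-formed, one whose length byte lies about the payload size,
 * and one whose payload is really present but too large for NAME_MAX. */
static const uint8_t MSG_GOOD[]     = { 5, 'a', 'l', 'i', 'c', 'e' };
static const uint8_t MSG_LIES[]     = { 0xff, 'x', 'y', 'z' };
static const uint8_t MSG_TOO_LONG[] = { 20, 'A','A','A','A','A','A','A','A','A','A',
                                            'A','A','A','A','A','A','A','A','A','A' };

/* Vulnerable parser: trusts the attacker-controlled length byte
 * ("trusting untrustworthy information") and copies that many bytes into
 * a NAME_MAX buffer with no bounds check ("buffer overflow").
 * Fed MSG_LIES it reads 255 bytes past a 4-byte message; fed MSG_TOO_LONG
 * it writes past the end of `name`. Shown for contrast, not for use. */
int parse_name_unsafe(const uint8_t *msg, char name[NAME_MAX]) {
    size_t len = msg[0];
    memcpy(name, msg + 1, len);
    name[len] = '\0';
    return (int)len;
}

/* Hardened parser: the length byte is checked against the bytes actually
 * received and against the destination size before anything is copied,
 * and the payload itself is validated. Returns the name length, or -1
 * and leaves `name` empty when the message is rejected. */
int parse_name_safe(const uint8_t *msg, size_t msglen, char name[NAME_MAX]) {
    name[0] = '\0';
    if (msg == NULL || msglen < 1)
        return -1;                      /* no length byte at all */
    size_t len = msg[0];
    if (len > msglen - 1)
        return -1;                      /* claims more payload than arrived */
    if (len >= NAME_MAX)
        return -1;                      /* would not fit with the NUL terminator */
    for (size_t i = 0; i < len; i++)
        if (msg[1 + i] < 0x20 || msg[1 + i] > 0x7e)
            return -1;                  /* only printable ASCII accepted */
    memcpy(name, msg + 1, len);
    name[len] = '\0';
    return (int)len;
}

/* Wrapper that keeps the last parsed name in `last_name` so callers can
 * inspect both the return code and the resulting string. */
char last_name[NAME_MAX];
int safe_parse(const uint8_t *msg, size_t msglen) {
    return parse_name_safe(msg, msglen, last_name);
}

int main(void) {
    printf("good:     %d (%s)\n", safe_parse(MSG_GOOD, sizeof MSG_GOOD), last_name);
    printf("lies:     %d\n", safe_parse(MSG_LIES, sizeof MSG_LIES));
    printf("too long: %d\n", safe_parse(MSG_TOO_LONG, sizeof MSG_TOO_LONG));
    /* parse_name_unsafe(MSG_TOO_LONG, ...) would corrupt the stack; not run. */
    return 0;
}
```

Both parsers accept the well-formed message and return 5. The difference is only visible on the two hostile inputs: the hardened parser returns -1 for the message that lies about its length and for the one that is simply too long, while the unsafe parser would over-read or overflow. The length-versus-received check must come before the length-versus-buffer check only for clarity; both are required, since either one alone still leaves one of the two hostile messages exploitable.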

25
Legislating low quality is the wrong answer:
Uniform Computer Information Transactions Act
26
The SEI's Vision for Software Engineering
  • The right software,
  • delivered defect free,
  • on time, every time

27
The Right Software
  • Meets users' needs and expectations
  • Satisfies system requirements (including
    security)
  • No surprises
  • Affordable and appropriate cost

28
Delivered Defect Free
[Chart comparing "State of Practice" with "A Better Way". Labels on the
chart: Development; Integration and System Test; 60-80% of effort and
cost; Reduce time to market by eliminating rework.
Source: Standish Group, www.standishgroup.com, 1996]
29
Beacon of Hope
  • 100B in transaction volume/day
  • SEI started working with EBS in November of
    1998.
  • launched first TSP team in April 1999
  • launched multi-team project in August 1999
    - 4 teams
    - 50 managers and engineers
  • Multiple team project finished in August 2000.
    - only 3 weeks behind schedule
    - no installation problems


30
CERT Contact Information
24-hour hotline: +1 412 268 7090
  CERT personnel answer 8:30 a.m. - 8:00 p.m. EST (GMT-5) / EDT (GMT-4),
  and are on call for emergencies during other hours.
Fax: +1 412 268 6989
Anonymous FTP archive: ftp://info.cert.org/pub/
Web site: http://www.cert.org/
Electronic mail: cert@cert.org
US mail: CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         4500 Fifth Avenue
         Pittsburgh PA 15213-3890 USA