The Digital Crime Scene: A Software Perspective

1
The Digital Crime Scene A Software Perspective

• Written By David Aucsmith
• Presented By Maria Baron

2
Introduction

• Nature of the internet is particularly suited for
  crime
• Anonymity And Mobility
• Security is imposed by software on the internet
• Who will win the war between entrepreneurial
  cyber criminals and software developers?

3
Attacks And Attackers

• Asynchronous attacks
• Hackers
• Significant but localized damage
• Trojan Horses
• Attackers build back doors into programs
• Mass Distribution Attacks
• Bots or Zombies
• Making Money on the internet
• Utilize a wide network of compromised computers

4
Vulnerabilities

• Three things must be true for attack to be
  successful
• Software has an inherent vulnerability
• Software was not configured properly
• Users were fooled into taking some action
• Reasons for vulnerabilities
• Security not a design goal
• Emerging threats not considered when software was
  developed
• Legacy software systems still in place

5
Vulnerabilities (cont.)

• Poor Coding Practice
• Security as a requirement
• Designing for todays threats
• Living with Legacy
• Complexity and tools

6
Secure By Design

• Creating secure software must start with a formal
  design process that verifies the security
  properties of the software at each stage of
  construction
• Designers and developers must be trained to
  create secure software

7
Secure By Design (cont.)

• Threat Based Design Process
• Analysis of potential threats at each stage of
  the design is required
• Examples
• OCTAVE
• Threat Trees

8
Secure By Design (cont.)

• Microsoft Threat Based Security Process
• Brainstorm known threats
• Rank Threats by decreasing risk
• Choose techniques to mitigate threats
• Choose the appropriate technologies from the
  identified techniques
• Use STRIDE to focus on how the input of each
  module may be manipulated to compromise the
  security model
• Spoofing identity
• Tampering with data
• Repudiation
• Information disclosure
• Denial of service

9
Secure By Design (cont.)

• All User input must be validated, but is this
  really possible?
• Tools
• Code analysis tools
• Process source code and look for some insecure
  construct
• Can only find known bad things
• Compiler protection
• Helps to thwart buffer overflow exploits

10
Secure By Default

• Users and system administrators must knowingly
  make decisions to change the system in a way that
  might reduce security
• Reduce Attack Surface Area
• Reduces possible avenues of attack
• Turning Services Off
• Least Privilege

11
Secure In Deployment

• Training and configuration
• Updating Code
• Defense-In-Depth
• Multiple, different security technologies are
  used simultaneously each protecting a different
  interface
• Intrusion detection system
• Anti-Virus protection
• Behavior blocking protection
• Vulnerability assessment
• Configuration managers

12
Secure In Deployment (cont.)

• Network Segmentation
• Cascade failure or domino effect
• How systems are connected
• Segment the connectivity of systems and establish
  flow controls at the intersection of segments

13
Looking Ahead

• Deterrence
• Cyber criminals are rarely identified
• Provide incentives to police to pursue cyber
  criminals
• Mutual legal assistance
• Police forces must have the technical expertise
  required
• Sentencing needs to reflect the severity of the
  crime

14
Looking Ahead (cont.)

• Legal Requirements
• Certification
• Certification of the security of software
• How do you certify against constantly evolving
  threats and new environments?
• Liability
• There is no definitive measure of the security of
  a system
• Disclosure
• Favors attackers over defenders

15
Looking Ahead (cont.)

• Long Term Technical Solutions
• Strong Identity
• Smart cards and PINs (for example) to remove
  anonymity from financial transactions
• Hardware Mediated Security
• Include security features in hardware to protect
  those features from being changed over the
  internet

16
Questions OrComments?