Post on 07-Oct-2020
BASIC SECURITY CONCEPTS

Objectives
• Present theories, methods, techniques and tools for making a computer system more secure.
• Acquire the technical knowledge needed to make informed decisions.
• Develop the intuition needed to apply concepts and evaluate relevant technologies
• Develop technological skepticism

Security incidents reported to CERT

Some numbers
• Economic impact of viruses, worms and Trojan horses: $17.1 billion in 2000 ($8.75 billion due to the I Love You virus alone)
• In one study, one out of every 325 e-mails had a malicious attachment
• In a recent EU study, one out of every two e-mails sent is unsolicited junk, costing European businesses more than €2,5 billion a year in lost productivity
• In the first half of 2005, a record 1,862 new software vulnerabilities were discovered, 60% of them in programs that run over the Internet

(Lack of) Security in the Media
• “Computer Hacker Invades Web Site of the Justice Department”, NYT, 18 August 1996
• “Hacker Group Commandeers The New York Times Web Site”, NYT, 14 September 1998
• “Yahoo Blames a Hacker Attack for a Lengthy Service Failure”, NYT, 8 February 2000
• “A Hacker May Have Entered Egghead Site”, NYT, 23 December 2000

(Lack of) Security in the Media
• “Stung by Security Flaws, Microsoft Makes Software Safety a Top Goal”, NYT, 17 January 2002
• “Millions of Cisco Devices Vulnerable To Attack”, Information Week, 18 July 2003
  ◦ “A method for shutting down networking devices circulates on the Internet”
• “New Doomjuice Worm Emerges, Targets Microsoft”, Reuters UK, 9 February 2004

(Lack of) Security in the Media
• And countless other incidents that are not publicized for fear of embarrassment
• Yet when a public incident occurs, security experts and antivirus software vendors tend to exaggerate its costs
• In 2002, US companies spent more than $4.3 billion on antivirus software products alone

Changing face of attackers
• Shift from large, multipurpose attacks on the network perimeter towards smaller, more targeted attacks on desktop computers
• Shift from malicious “hacking” to criminal attacks with economic motives
  ◦ Identity theft
  ◦ Phishing
  ◦ Denial-of-service

Identity theft
• In April 2005, an intrusion into a LexisNexis database compromised the personal information of about 310,000 persons
• In August 2004, an intrusion had compromised 1.4 million records of personal information at UC Berkeley
• In August 2007, identity thieves who compromised Monster.com's database also made off with the personal information of 146,000 people who use USAJobs

Phishing
• During the first half of 2005 the volume of phishing e-mails grew from an average of about 3 million a day to about 5.7 million
• One out of every 125 email messages is a phishing attempt
• 1% of US households were victims of successful phishing attacks in 2004

Cyberextortion
• During the first half of 2005 Denial-of-Service (DoS) attacks increased from an average of 119 a day to 927
• 17% of US businesses surveyed report having received shut-down threats by DoS attacks
• One company refusing to pay extortion spends $100,000 annually to defend against DoS attacks
Burstnet informatica © 11

“Botnets” and “Zombies”
• SecurityFocus, 23 January 2006
  In October 2005, Dutch authorities arrested three men in the Netherlands who allegedly controlled a network of more than 1.5 million compromised computers
• International Herald Tribune, 10 November 2007
  A computer security consultant accused of installing malicious software to create an army of up to 250,000 "zombie" computers so he could steal identities and access bank accounts will plead guilty to four federal charges

Update
• New York Times, 25 September 2006
  ChoicePoint, CardSystems Solutions, Time Warner and dozens of universities have collectively revealed 93,754,333 private records
  The Commerce Department announced that between 2001 and the present, 1,137 laptops were lost, missing or had been stolen
• USA Today, 23 January 2009
  Heartland Payment Systems disclosed that intruders hacked into the computers it uses to process 100 million payment card transactions per month for 175,000 merchants

Update
• Forbes.com, 2 February 2009
  ..., the cost of a data breach for companies has risen to $202 per lost record, up from $197 in the institute's 2007 study. For the 47 companies audited in the study, those costs added up to $6.6 million per incident
• PCWorld, 7 August 2009
  The distributed denial of service attack on Thursday that targeted Twitter, Facebook, LiveJournal, and several Google sites may have been politically motivated

System management
Symantec Internet Security Threat Report covering the first 6 months of 2006.
• The Symantec Probe Network detected 157,477 unique phishing messages
• Botnets have become a major part of the underground economy
• An average of 6,110 denial-of-service attacks per day

Update

Symantec report of the Underground Economy – June 2008

Security in context
• Security has to be custom tailored to individual needs, much like a suit or a dental prosthesis
• There is no “one-size-fits-all” solution
• Security is a complex and extensive area that permeates all levels of computing systems including their physical environment
  ◦ Hardware-OS-Application-Network-Operator
• And like security in any other context, computer security is as strong as its weakest link

Security in context
• We will study the technical issues related to security in a non-technical context
• “If you work with computer and network security long enough, you realize that the biggest problem is people: the people who design the software, the people who deploy it, the people who use the systems, the people who abuse the systems, and sometimes the people who guard the systems. There are certainly many technological challenges to be met, but the biggest problems still come back to people.” Gene Spafford

Network Information Systems
We will cast our study of security in the context of Network Information Systems
Networked Information Systems (NIS) integrate:
• computers,
• communications, and
• people (as users and as operators)

Network Information Systems
These systems are increasingly pervasive in everyday life:
• Public telephone system
• Electrical power grid
• Internet
• Banking and finance
• E-Business
• Ballistic missile defense
Yet they are not trustworthy

Network Information Systems
Provide new opportunities
• Increase speed/bandwidth of interaction
• New modes for interaction with customers
• New services
Introduce new risks
• Dependence on complex hardware/software infrastructures
• Attacks from anywhere
• Sharing with anyone
• Automated infection
• Hostile code

Network Information Systems: software characteristics
• Substantial legacy content
  ◦ Documentation missing or incomplete
  ◦ Difficult to modify or port
• Grows by accretion and agglomeration
  ◦ No master plan or architect
  ◦ Nobody understands how/why the system works
• Uses commercial off-the-shelf (COTS) components and COTS middleware

Some relevant business trends
• Organizations driven to operate faster / more efficiently (e.g. JIT production and services) due to increased competitiveness
• Climate of deregulation (e.g. power, telecom) requires cost control and product enhancements
• Rise of electronic commerce

NIS as a response
NIS affects costs and products
• Enables outsourcing of suppliers
• Enables product enhancements, but complexity is increased, so the result is flaws and surprising behavior

Trustworthiness
• NIS is trustworthy when it works correctly despite
  ◦ Malicious/hostile attacks
  ◦ Design and implementation errors (bugs)
  ◦ Human user and operator errors
  ◦ Environmental disruptions
  (in increasing order of frequency)

Trustworthiness
• Trustworthiness is an example of a nonfunctional requirement
• System satisfies functional requirements if it does what it is supposed to do: inputs produce correct outputs
• System satisfies nonfunctional requirements (in a given context) if it does no more or no less than its functional requirements

Trustworthiness
• By their nature, attacks/errors/bugs are unpredictable and cannot be formalized; to do so would rule out possible scenarios, and thus would be incorrect
• Trustworthiness cannot be added to an existing system as an afterthought

Trustworthiness
• All aspects of trustworthiness can be seen as perturbations in the system. Are they all the same?
• Environmental disruptions are typically independent, thus replication can be effective
• Attacks and errors are not independent, thus replication is not effective
• Software bugs are probably the worst as they may have arbitrary privileges
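
The contrast drawn on this slide, as an added example that is not part of the original slides: the exact probability that a majority-voting service with n replicas is lost, first when replicas fail independently (environmental disruptions) and then when a shared flaw can take every replica down at once (attacks and bugs). The probabilities p and c and the majority quorum are assumptions chosen for illustration.

```python
from math import comb


def p_loss_independent(n: int, p: float) -> float:
    """Probability that a majority of n replicas is down when each replica
    fails independently with probability p (environmental disruption)."""
    need = n // 2 + 1  # number of failed replicas that loses the majority
    return sum(comb(n, k) * p**k * (1 - p) ** (n - k) for k in range(need, n + 1))


def p_loss_common_mode(n: int, p: float, c: float) -> float:
    """Same service, but with probability c a shared flaw (same code, same
    exploit) brings down every replica at once; otherwise replicas fail
    independently as above."""
    return c + (1 - c) * p_loss_independent(n, p)


def table(p: float = 0.01, c: float = 0.01, sizes=(1, 3, 5, 7)):
    """Rows of (n, loss if independent, loss with a shared flaw).
    p and c are assumed values, not measurements."""
    return [(n, p_loss_independent(n, p), p_loss_common_mode(n, p, c)) for n in sizes]


if __name__ == "__main__":
    for n, indep, common in table():
        print(f"n={n}: independent={indep:.2e}  with shared flaw={common:.2e}")
```

Adding replicas drives the independent-failure figure toward zero, while the shared-flaw figure never drops below c.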

What if NIS is not Trustworthy?
• Information disclosure (stored or transmitted)
  ◦ personal embarrassment
  ◦ compromise of corporate strategy
  ◦ compromise of national security
• Information alteration
  ◦ affect government or corporate operations
• New forms of warfare
  ◦ disable capacity without physical destruction
  ◦ attack without physical penetration by attacker
  ◦ “time bomb” and undetectable attacks

Real world security
• Security in the real world is based on
  ◦ Value
  ◦ Locks
  ◦ Punishment
• Bad guys who break in are caught and punished often enough to make crime unattractive
• Ability to punish implies existence of a “police” force and a judiciary
• Locks must add minimum interference to life

Real world security
• All locks are not the same
  ◦ Different keys
  ◦ Different strengths
  ◦ Environment dependent
• Individual security needs based on perception
  ◦ Pay for what you believe you need
• Locks do not provide absolute security but prevent casual intrusion by raising the threshold for a break-in

Real world security
• Perfect defense against theft: put all of your personal belongings in a safe deposit box
  ◦ Problem: expensive and inconvenient
• Practical security balances cost of protection and risk of loss (cost of recovery times probability of loss)
• If cost of protection is higher than the risk of loss, it is better to accept it as “cost of doing business” (auto insurance, banks, credit card companies do this all the time)

NIS Security
• With computers, security is mainly about software, which is cheap to manufacture, never wears out, cannot be attacked with drills or explosives
• Computer security ≈ Cryptography
• Since cryptography can be nearly perfect, so can computer security
• This reasoning is flawed for several reasons

Why trustworthy NIS do not exist?
• Most security problems due to buggy code
  ◦ Cryptography won’t help this at all
  ◦ Reported bugs are in cryptographic modules
• Security is complex and difficult to get right and set up correctly
• Security is a pain and gets in the way of doing things
• Since the danger is small, people prefer to buy features over security
• Software and system market dominated by commercial off-the-shelf (COTS) components
  ◦ Leverage huge economies of scale, interoperability, reduced time-to-market but inherit lack of trustworthiness

Why trustworthy NIS do not exist?
• Patent restrictions
• Government regulations (restrictions on export of cryptography technologies)
• Reliance on existing communication infrastructures (Internet)
• Everything is interconnected
  ◦ Telephone and power companies use Internet technology
  ◦ Their operational systems are linked to their corporate systems, which are linked to the Internet
  ◦ And the Internet requires power, and is largely built on top of telephone circuits

Economics of Trustworthiness
• Few customers understand
  ◦ What trustworthiness buys
  ◦ What is risked by its absence (reliability is an exception)
• Consumers seem to prefer functionality!
• Producers/consumers cannot assess
  ◦ Trustworthiness of products
  ◦ Costs of having trustworthiness in products
  ◦ Costs of not having trustworthiness in products

Overview of NIS Security
Like any system, we can study security with respect to:
• Specification: What is it supposed to do?
• Implementation: How does it do it?
• Correctness: Does it really work?
In security, these are called
• Policy (Specification)
• Mechanism (Implementation)
• Assurance (Correctness)

Overview of NIS Security
• Assurance is particularly important for security since the system may be subject to malicious attack
• Deployed systems may be perfectly functional for ordinary users despite having thousands of bugs
• But attackers try to drive the system into states that they can exploit, which increase as the number of bugs increases

Definitions
• Vulnerability: A weakness that can be exploited to cause damage
• Attack: A method of exploiting a vulnerability
• Threat: A motivated, capable adversary that mounts an attack
Strategies:
• Identify and fix each vulnerability (bug)
• Identify threats and eliminate those vulnerabilities that those threats exploit

Shrinking Vulnerability-to-Attack Time
• In 2005, the mean time between the disclosure of a vulnerability and the release of associated exploit code is 6.0 days
• In 2005, an average of 54 days elapsed between the appearance of a vulnerability and the release of an associated patch by the affected vendor

Vulnerabilities, attacks, threats
Range of threats that NIS face:
• Inquisitive, unintentional blunders (error)
• Hackers driven by technical challenges
• Disgruntled employees/customers seeking revenge
• Criminals interested in personal financial gain
• Organized crime with intent of financial gain
• Organized terrorist groups seeking isolated attacks
• Foreign espionage agents seeking information for economic, political, military purposes

Knowledge vs Damage
Severity of a threat is related to the resources available for the attack
• Knowledge is a resource
• Money can buy anything, including knowledge
• Easy access to “packaged” knowledge (e.g., SATAN for Unix systems) results in a discontinuity between the technical expertise of a particular threat and the severity of the damage

Google Hacking
• International Herald Tribune, 28 September 2006. “Hacking made easy: 'Secret' data just a Google search away”:
  ◦ One widespread vulnerability can be exploited through a practice that has come to be known as Google hacking. These hacks require no special tools and little skill. All that is needed is a Web-connected PC and a few keywords to look for, like "filetype:sqlpassword" or "index.of.password."

Security Policies
NIS security needs typically worry about
• Secrecy (confidentiality): controlling who gets to read information
• Integrity: controlling how information changes or resources are used
• Availability: providing prompt access to information and resources
• Accountability: knowing who has had access to information or resources

Security Policies
What do locks, keys, values and the police have to do with computer security?
• Locks: authorization, access control mechanisms
• Keys: authentication required to open a lock. Can be something the user knows, has or is
• Police: same as the real world. Since attacks can be launched remotely, equivalents of video cameras are needed for convicting offenders

Gold standard of security
Any system claiming to be secure must contain mechanisms for:
• Authentication
• Authorization
• Auditing

Assurance vs Functionality
• Assurance is the ability to convince ourselves that a system is trustworthy
• Increased functionality implies increased complexity and complexity is the worst enemy of security

Assurance vs Functionality
Two general principles to promote higher assurance:
• Economy of Mechanism: small and simple mechanisms whenever possible
• Open Design: security of a mechanism should not depend on attacker’s ignorance of how the mechanism works or is built
  ◦ No “security through obscurity”
  ◦ Makes security harder but is necessary for increased assurance