BASIC SECURITY CONCEPTS (Concetti base sulla sicurezza) · “Computer Hacker Invades Web Site of the Justice Department”,...

Transcript of the slide deck (49 slides).

Page 1:

BASIC SECURITY CONCEPTS

Page 2:

Objectives

• Present theories, methods, techniques and tools for making a computing system more secure.

• Acquire the technical knowledge needed to make informed decisions.

• Acquire the intuitions needed to apply concepts and evaluate relevant technologies.

• Acquire technological scepticism.

Page 3:

Security incidents reported to CERT

Page 4:

Some numbers

• Economic impact of viruses, worms and Trojan horses: $17.1 billion in 2000 ($8.75 billion due to the I Love You virus alone)

• In one study, one out of every 325 e-mails had a malicious attachment

• In a recent EU study, one out of every two e-mails sent is unsolicited junk, costing European businesses more than €2.5 billion a year in lost productivity

• In the first half of 2005 a record 1,862 new software vulnerabilities were discovered, 60% of them in programs that run over the Internet

Page 5:

(Lack of) Security in the Media

• “Computer Hacker Invades Web Site of the Justice Department”, NYT, 18 August 1996

• “Hacker Group Commandeers The New York Times Web Site”, NYT, 14 September 1998

• “Yahoo Blames a Hacker Attack for a Lengthy Service Failure”, NYT, 8 February 2000

• “A Hacker May Have Entered Egghead Site”, NYT, 23 December 2000

Page 6:

(Lack of) Security in the Media

• “Stung by Security Flaws, Microsoft Makes Software Safety a Top Goal”, NYT, 17 January 2002

• “Millions of Cisco Devices Vulnerable To Attack”, Information Week, 18 July 2003

  • “A method for shutting down networking devices circulates on the Internet”

• “New Doomjuice Worm Emerges, Targets Microsoft”, Reuters UK, 9 February 2004

Page 7:

(Lack of) Security in the Media

• And countless other incidents that are not publicized for fear of embarrassment

• Yet when a public incident occurs, security experts and antivirus software vendors tend to exaggerate its costs

• In 2002, US companies spent more than $4.3 billion on antivirus software products alone

Page 8:

Changing face of attackers

• Shift from large, multipurpose attacks on the network perimeter towards smaller, more targeted attacks on desktop computers

• Shift from malicious “hacking” to criminal attacks with economic motives

  • Identity theft

  • Phishing

  • Denial-of-service

Page 9:

Identity theft

• In April 2005, an intrusion into the LexisNexis database compromised the personal information of about 310,000 persons

• In August 2004, an intrusion compromised 1.4 million records of personal information at UC Berkeley

• In August 2007, identity thieves who compromised Monster.com's database also made off with the personal information of 146,000 people who use USAJobs

Page 10:

Phishing

• During the first half of 2005 the volume of phishing e-mails grew from an average of about 3 million a day to about 5.7 million

• One out of every 125 e-mail messages is a phishing attempt

• 1% of US households were victims of successful phishing attacks in 2004

Page 11:

Cyberextortion

• During the first half of 2005 Denial-of-Service (DoS) attacks increased from an average of 119 a day to 927

• 17% of US businesses surveyed report having received shut-down threats by DoS attacks

• One company refusing to pay extortion spends $100,000 annually to defend against DoS attacks

Burstnet informatica © 11

Page 12:

“Botnets” and “Zombies”

• SecurityFocus, 23 January 2006
  In October 2005, Dutch authorities arrested three men in the Netherlands who allegedly controlled a network of more than 1.5 million compromised computers

• International Herald Tribune, 10 November 2007
  A computer security consultant accused of installing malicious software to create an army of up to 250,000 "zombie" computers so he could steal identities and access bank accounts will plead guilty to four federal charges

Page 13:

Update

• New York Times, 25 September 2006
  ChoicePoint, CardSystems Solutions, Time Warner and dozens of universities have collectively revealed 93,754,333 private records
  The Commerce Department announced that between 2001 and the present, 1,137 laptops were lost, missing or had been stolen

• USA Today, 23 January 2009
  Heartland Payment Systems disclosed that intruders hacked into the computers it uses to process 100 million payment card transactions per month for 175,000 merchants

Page 14:

Update

• Forbes.com, 2 February 2009
  ..., the cost of a data breach for companies has risen to $202 per lost record, up from $197 in the institute's 2007 study. For the 47 companies audited in the study, those costs added up to $6.6 million per incident

• PCWorld, 7 August 2009
  The distributed denial of service attack on Thursday that targeted Twitter, Facebook, LiveJournal, and several Google sites may have been politically motivated

Page 15:

System management

Symantec Internet Security Threat Report covering the first 6 months of 2006:

• The Symantec Probe Network detected 157,477 unique phishing messages

• Botnets have become a major part of the underground economy

• An average of 6,110 denial-of-service attacks per day

Page 16:

Update

Page 17:

Symantec report of the Underground Economy – June 2008

Page 18:

Security in context

• Security has to be custom tailored to individual needs, much like a suit or a dental prosthesis

  • There is no “one-size-fits-all” solution

• Security is a complex and extensive area that permeates all levels of computing systems, including their physical environment

  • Hardware-OS-Application-Network-Operator

• And like security in any other context, computer security is as strong as its weakest link

Page 19:

Security in context

• We will study the technical issues related to security in a non-technical context

• “If you work with computer and network security long enough, you realize that the biggest problem is people: the people who design the software, the people who deploy it, the people who use the systems, the people who abuse the systems, and sometimes the people who guard the systems. There are certainly many technological challenges to be met, but the biggest problems still come back to people.” Gene Spafford

Page 20:

Network Information Systems

We will cast our study of security in the context of Network Information Systems.

Networked Information Systems (NIS) integrate:

• computers,

• communications, and

• people (as users and as operators)

Page 21:

Network Information Systems

These systems are increasingly pervasive in everyday life:

• Public telephone system

• Electrical power grid

• Internet

• Banking and finance

• E-Business

• Ballistic missile defense

Yet they are not trustworthy.

Page 22:

Network Information Systems

Provide new opportunities:

• Increase speed/bandwidth of interaction

• New modes for interaction with customers

• New services

Introduce new risks:

• Dependence on complex hardware/software infrastructures

• Attacks from anywhere

• Sharing with anyone

• Automated infection

• Hostile code

Page 23:

Network Information Systems: software characteristics

• Substantial legacy content

• Documentation missing or incomplete

• Difficult to modify or port

• Grows by accretion and agglomeration

• No master plan or architect

• Nobody understands how/why the system works

• Uses commercial off-the-shelf (COTS) components and COTS middleware

Page 24:

Some relevant business trends

• Organizations are driven to operate faster / more efficiently (e.g. JIT production and services) due to increased competitiveness

• Climate of deregulation (e.g. power, telecom) requires cost control and product enhancements

• Rise of electronic commerce

Page 25:

NIS as a response

NIS affects costs and products:

• Enables outsourcing of suppliers

• Enables product enhancements, but complexity is increased, so the result is flaws and surprising behavior

Page 26:

Trustworthiness

• An NIS is trustworthy when it works correctly despite

  • Malicious/hostile attacks

  • Design and implementation errors (bugs)

  • Human user and operator errors

  • Environmental disruptions

  (in increasing order of frequency)

Page 27:

Trustworthiness

• Trustworthiness is an example of a nonfunctional requirement

• A system satisfies its functional requirements if it does what it is supposed to do: inputs produce correct outputs

• A system satisfies its nonfunctional requirements (in a given context) if it does no more or no less than its functional requirements

Page 28:

Trustworthiness

• By their nature, attacks/errors/bugs are unpredictable and cannot be formalized; to do so would rule out possible scenarios, and thus would be incorrect

• Trustworthiness cannot be added to an existing system as an afterthought

Page 29:

Trustworthiness

• All aspects of trustworthiness can be seen as perturbations of the system. Are they all the same?

  • Environmental disruptions are typically independent, thus replication can be effective

  • Attacks and errors are not independent, thus replication is not effective

  • Software bugs are probably the worst, as they may have arbitrary privileges
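Why independence decides whether replication helps, as an added illustration that is not part of the slides. Take n replicas, each failing in a given period with probability p, and a system that fails only when every replica fails. If the failures are independent (environmental disruptions hitting separate sites),

  P(system fails) = p^n

so with p = 0.01 and n = 3 the system fails with probability 10^-6. If every replica carries the same bug or faces the same attack, the replicas fail together, and

  P(system fails) = p

regardless of n: adding replicas buys nothing against a correlated fault.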

Page 30:

What if an NIS is not Trustworthy?

• Information disclosure (stored or transmitted)

  • personal embarrassment

  • compromise of corporate strategy

  • compromise of national security

• Information alteration

  • affects government or corporate operations

• New forms of warfare

  • disable capacity without physical destruction

  • attack without physical penetration by the attacker

  • “time bomb” and undetectable attacks

Page 31:

Real world security

• Security in the real world is based on

  • Value

  • Locks

  • Punishment

• Bad guys who break in are caught and punished often enough to make crime unattractive

  • Ability to punish implies the existence of a “police” force and a judiciary

• Locks must add minimum interference to life

Page 32:

Real world security

• Not all locks are the same

  • Different keys

  • Different strengths

  • Environment dependent

• Individual security needs are based on perception

  • Pay for what you believe you need

• Locks do not provide absolute security but prevent casual intrusion by raising the threshold for a break-in

Page 33:

Real world security

• Perfect defense against theft: put all of your personal belongings in a safe deposit box

  • Problem: expensive and inconvenient

• Practical security balances the cost of protection and the risk of loss (cost of recovery times probability of loss)

• If the cost of protection is higher than the risk of loss, it is better to accept it as a “cost of doing business” (auto insurance, banks, credit card companies do this all the time)
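The trade-off on this slide written out as an added example (not part of the slides). It goes one step beyond the slide by comparing several candidate protections, each with its own price and residual probability of loss; the scenario figures and the Control class are constructed for illustration.

```python
# Added example (not from the slides): applying this slide's rule,
#   risk of loss = cost of recovery x probability of loss,
# and accepting the risk when protection would cost more than it saves.
# It goes one step beyond the slide by comparing several candidate
# protections, each with its own price and residual probability of loss.
# All figures are constructed for illustration.

from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float            # cost of protection per year
    residual_probability: float   # probability of loss per year with this control in place


def expected_loss(cost_of_recovery: float, probability_of_loss: float) -> float:
    """Risk of loss as defined on the slide: cost of recovery times probability of loss."""
    return cost_of_recovery * probability_of_loss


def total_cost(control: Control, cost_of_recovery: float) -> float:
    """What a control really costs per year: its price plus the risk it leaves behind."""
    return control.annual_cost + expected_loss(cost_of_recovery, control.residual_probability)


def choose_control(cost_of_recovery: float, baseline_probability: float,
                   controls: List[Control]) -> Control:
    """Pick the cheapest option overall. Doing nothing is always a candidate:
    zero protection cost, baseline probability of loss ("cost of doing business")."""
    accept = Control("accept as cost of doing business", 0.0, baseline_probability)
    return min([accept, *controls], key=lambda c: total_cost(c, cost_of_recovery))


# Constructed scenario: a customer database that costs 200,000 to recover,
# with a 10% chance per year of being lost if nothing is done.
RECOVERY_COST = 200_000.0
BASELINE_P = 0.10
OPTIONS = [
    Control("nightly off-site backups", 5_000.0, 0.01),
    Control("backups plus hardened hosting", 40_000.0, 0.001),
]

if __name__ == "__main__":
    do_nothing = Control("accept", 0.0, BASELINE_P)
    print(f"accept the risk: {total_cost(do_nothing, RECOVERY_COST):,.0f} per year")
    for c in OPTIONS:
        print(f"{c.name}: {total_cost(c, RECOVERY_COST):,.0f} per year")
    print("cheapest overall:", choose_control(RECOVERY_COST, BASELINE_P, OPTIONS).name)
```

Lowering the recovery cost or the baseline probability moves the cheapest choice towards accepting the risk; raising them moves it towards the stronger, dearer control.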

Page 34:

NIS Security

• With computers, security is mainly about software, which is cheap to manufacture, never wears out, and cannot be attacked with drills or explosives

• Computer security ≈ Cryptography

• Since cryptography can be nearly perfect, so can computer security

• This reasoning is flawed for several reasons

Page 35:

Why don't trustworthy NIS exist?

• Most security problems are due to buggy code

  • Cryptography won’t help this at all

  • Reported bugs are in cryptographic modules

• Security is complex and difficult to get right and set up correctly

• Security is a pain and gets in the way of doing things

• Since the danger is small, people prefer to buy features over security

• The software and system market is dominated by commercial off-the-shelf (COTS) components

  • Leverage huge economies of scale, interoperability and reduced time-to-market, but inherit a lack of trustworthiness

Page 36:

Why don't trustworthy NIS exist?

• Patent restrictions

• Government regulations (restrictions on export of cryptography technologies)

• Reliance on existing communication infrastructures (Internet)

• Everything is interconnected

  • Telephone and power companies use Internet technology

  • Their operational systems are linked to their corporate systems, which are linked to the Internet

  • And the Internet requires power, and is largely built on top of telephone circuits

Page 37:

Economics of Trustworthiness

• Few customers understand

  • What trustworthiness buys

  • What is risked by its absence (reliability is an exception)

• Consumers seem to prefer functionality!

• Producers/consumers cannot assess

  • Trustworthiness of products

  • Costs of having trustworthiness in products

  • Costs of not having trustworthiness in products

Page 38:

Overview of NIS Security

Like any system, we can study security with respect to:

• Specification: What is it supposed to do?

• Implementation: How does it do it?

• Correctness: Does it really work?

In security, these are called

• Policy (Specification)

• Mechanism (Implementation)

• Assurance (Correctness)

Page 39:

Overview of NIS Security

• Assurance is particularly important for security since the system may be subject to malicious attack

• Deployed systems may be perfectly functional for ordinary users despite having thousands of bugs

• But attackers try to drive the system into states that they can exploit, and the number of such states increases as the number of bugs increases

Page 40:

Definitions

• Vulnerability: A weakness that can be exploited to cause damage

• Attack: A method of exploiting a vulnerability

• Threat: A motivated, capable adversary that mounts an attack

Strategies:

• Identify and fix each vulnerability (bug)

• Identify threats and eliminate those vulnerabilities that those threats exploit

Page 41:

Shrinking Vulnerability-to-Attack Time

• In 2005, the mean time between the disclosure of a vulnerability and the release of associated exploit code was 6.0 days

• In 2005, an average of 54 days elapsed between the appearance of a vulnerability and the release of an associated patch by the affected vendor

Page 42:

Vulnerabilities, attacks, threats

Range of threats that NIS face:

• Inquisitive, unintentional blunders (error)

• Hackers driven by technical challenges

• Disgruntled employees/customers seeking revenge

• Criminals interested in personal financial gain

• Organized crime with intent of financial gain

• Organized terrorist groups seeking isolated attacks

• Foreign espionage agents seeking information for economic, political or military purposes

Page 43:

Knowledge vs Damage

The severity of a threat is related to the resources available for the attack:

• Knowledge is a resource

• Money can buy anything, including knowledge

• Easy access to “packaged” knowledge (e.g., SATAN for Unix systems) results in a discontinuity between the technical expertise of a particular threat and the severity of the damage

Page 44:

Google Hacking

• International Herald Tribune, 28 September 2006. “Hacking made easy: 'Secret' data just a Google search away”:

  • One widespread vulnerability can be exploited through a practice that has come to be known as Google hacking. These hacks require no special tools and little skill. All that is needed is a Web-connected PC and a few keywords to look for, like "filetype:sqlpassword" or "index.of.password."

Page 45:

Security Policies

NIS security needs typically worry about:

• Secrecy (confidentiality): controlling who gets to read information

• Integrity: controlling how information changes or resources are used

• Availability: providing prompt access to information and resources

• Accountability: knowing who has had access to information or resources

Page 46:

Security Policies

What do locks, keys, values and the police have to do with computer security?

• Locks: authorization, access control mechanisms

• Keys: authentication required to open a lock. Can be something the user knows, has or is

• Police: same as in the real world. Since attacks can be launched remotely, equivalents of video cameras are needed for convicting offenders

Page 47:

Gold standard of security

Any system claiming to be secure must contain mechanisms for:

• Authentication

• Authorization

• Auditing
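An added example, not from the slides, wiring the three gold-standard mechanisms together in the lock/key/police terms of the previous slide. The users, tokens, ACL entries and the ReferenceMonitor class are all constructed for illustration.

```python
# Added example (not from the slides): a minimal access path containing the
# three "gold standard" mechanisms, mapped onto the lock metaphor of the
# previous slide:
#   keys   -> authentication (here "something the user has": a bearer token)
#   locks  -> authorization (a default-deny access-control list per resource)
#   police -> auditing (a record of every decision, including refused ones,
#             so offenders can be traced after the fact)
# Users, tokens and resources below are constructed sample data.

import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed credential store: user -> SHA-256 digest of the token they hold.
# Storing a digest rather than the token limits what a leaked store reveals.
TOKEN_DIGESTS: Dict[str, str] = {
    "alice": hashlib.sha256(b"alice-token-1").hexdigest(),
    "bob": hashlib.sha256(b"bob-token-2").hexdigest(),
}

# Constructed ACL: resource -> user -> operations that user may perform.
ACL: Dict[str, Dict[str, Set[str]]] = {
    "payroll.db": {"alice": {"read", "write"}, "bob": {"read"}},
}


@dataclass(frozen=True)
class AuditEvent:
    user: Optional[str]   # None when the caller never proved who they were
    resource: str
    operation: str
    outcome: str          # "allowed", "denied" or "unauthenticated"


@dataclass
class ReferenceMonitor:
    audit_log: List[AuditEvent] = field(default_factory=list)

    def authenticate(self, claimed_user: str, token: bytes) -> Optional[str]:
        """The key: prove possession of the token. compare_digest runs in
        constant time so timing does not reveal how much of the digest matched."""
        expected = TOKEN_DIGESTS.get(claimed_user)
        if expected is None:
            return None
        presented = hashlib.sha256(token).hexdigest()
        return claimed_user if hmac.compare_digest(presented, expected) else None

    def authorize(self, user: str, resource: str, operation: str) -> bool:
        """The lock: default deny; only an explicit ACL entry opens it."""
        return operation in ACL.get(resource, {}).get(user, set())

    def access(self, claimed_user: str, token: bytes, resource: str, operation: str) -> bool:
        """Authenticate, then authorize, and record the outcome in every case."""
        user = self.authenticate(claimed_user, token)
        if user is None:
            self.audit_log.append(AuditEvent(None, resource, operation, "unauthenticated"))
            return False
        allowed = self.authorize(user, resource, operation)
        self.audit_log.append(AuditEvent(user, resource, operation,
                                         "allowed" if allowed else "denied"))
        return allowed


if __name__ == "__main__":
    rm = ReferenceMonitor()
    print(rm.access("alice", b"alice-token-1", "payroll.db", "write"))  # True
    print(rm.access("bob", b"bob-token-2", "payroll.db", "write"))      # False: lock stays shut
    print(rm.access("bob", b"wrong-token", "payroll.db", "read"))       # False: wrong key
    for event in rm.audit_log:                                          # the "video camera"
        print(event)
```

Refused attempts are logged with the same care as successful ones, since those entries are what an investigation of a remote attacker has to work with.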

Page 48:

Assurance vs Functionality

• Assurance is the ability to convince ourselves that a system is trustworthy

• Increased functionality implies increased complexity, and complexity is the worst enemy of security

Page 49:

Assurance vs Functionality

Two general principles to promote higher assurance:

• Economy of Mechanism: small and simple mechanisms whenever possible

• Open Design: the security of a mechanism should not depend on the attacker’s ignorance of how the mechanism works or is built

  • No “security through obscurity”

  • Makes security harder but is necessary for increased assurance