Embed Size (px)
Citation preview
Course 1 Learning Plan Security overview and patching Public vulnerability databases and resources Secure software engineering Security assessment and testing Resource management Trust management
Overarching Goals Understand the security mindset
Understand security definitions
Understand the risk and impact on industry of insecure software products
Understand patching costs
Understanding the Security MindsetSecurity as…
an enablera processrisk managementa puzzlea multidisciplinary science
Security as an Enabler Common perspective: Security is an
inconvenient obstacle that forbids actions
Correct perspective: Security enables projects and enterprises that would otherwise be impractical, by lowering risks
Analogy: Are the tracks that a train must follow a restriction, or an
enabler?
Question Provide another example where
something that can be seen as an inconvenience or a restriction makes something else practical by lowering risks
Question Sample Answers Provide another example where
something that can be seen as an inconvenience or a restriction makes something else practical by lowering risksRestraints in amusement park ridesSeat beltsDual-signature checks
Security as a Process “I got software X so I’m safe”
What would you think of a railroad company that laid railroads without checking and maintaining their integrity?
"Old software never dies; it just becomes insecure.“ (Author unknown)
Need design, configuration, inspection, maintenance, management, updates Provide assurance that track quality is acceptable Basis for trust
Processes can provide guarantees
Security as a Process Exercise Discuss why old software can become insecure
Security as a Process Exercise Sample Answers Discuss why old software can become insecure
Security objectives or policies have changed Laws have changed Business model changed Company processes changed
Environment has changed Configuration is out of date Operating system has changed Risks are different Protections have changed (e.g., firewall rules) Employees, units responsibilities have changed
Vulnerabilities have been found Exploits, worms, viruses exploit them
Input has changed e.g., old application made to work online (with a wrapper) Protocol changed
Security as Risk Management How much is an asset worth? How vulnerable is the asset? What are the risks?
Financial costs (contracts, sales, remediation, etc...) Reputation (that alone killed the Arthur Anderson
accounting firm in the Enron scandal) Part of building trust is building secure software
Employee loyalty, productivity and well-being Morale, self-respect
Security as Risk Management Question You maintain a customer credit card database for
your business. Which security questions would you ask to help you manage the risks to the database?
Security as Risk Management Possible Answers You maintain a customer credit card database for your business.
Which security questions would you ask to help you manage the risks to the database? How valuable is the database to an attacker, to your
customers, and to you? Who (and what) has access to the database? How is the database protected?
Is it on a shared or dedicated host? Is there a path to the internet from the database? How well is the software kept up-to-date with patches? Are there applicable risk mitigation strategies?
How long is credit card information kept? Do customers have the option of re-entering their credit
card information every time instead of having it stored?
Security as a Puzzle What can a skilled attacker contrive?
Which assumptions are being made? Are they always true? What guarantees the
assumptions? Is indirect evidence relied upon?
Who and what can be trusted? Who controls, controlled or could control it?
What logic flaws exist? Are all cases handled? (a single hole may sink the
ship) Is there a transformation that makes all the pieces
fall apart? What resources are exposed?
Security as a Puzzle Exercise Give an example of an incorrect assumption
made by an application that inhibits security Example: some email clients assume that the standard
ports for IMAP, POP and SMTP protocols will always be used, and so it rejects server specifications with a port number:
127.0.0.1:1143 is rejected Consequence: the use of encryption through ssh
tunneling is discouraged
Security as a Puzzle Exercise Answers Give an example of an incorrect security
assumption made by an application. Assuming that the file extension and the MIME type are
the same Decide to download something using the file
extension, but the file is processed according to another mime type
IE 5, 6 CAN-2001-0712
Decide how to handle an email attachment based on the MIME type, but the attachment really is an executable that gets launched!
IE 5 CAN-2001-0154
Security as a Multidisciplinary ScienceSocial Engineering Social engineering is used to exploit human trust
through deception Poor user interface design may facilitate social
engineering Example: In some email programs, someone could be fooled
into thinking that an attachment was a safe file, and open it. What appeared as "resume.txt" was in reality
"resume.txt .exe" User interface design affects the security of
applications!
Security as a Multidisciplinary Science Social Engineering You get a phone call from the CFO, on a trip, "I
can't remember the VPN password, and I need a document now!"
Your account will be terminated tomorrow unless you take action, as described in this attachment!
Please help me get my money out of this crazy country!
Oh, no, I forgot my key/badge/token! Please, hold the door, I have my hands full!
Thanks!
Security as a Multidisciplinary ScienceSocial Engineering Most problems are related to identification
without authentication By phone Online
Identification by impression and persuasion Social mechanisms
Helpfulness Ingratiation (a.k.a. "brown-nosing") Conformity, peer pressure Diffusion of responsibility Friendliness
Employees can do it even if they know they shouldn't!
Security as a Multidisciplinary ScienceSocial Engineering (continued) Physical Security
Dumpster diving Recon for attack
Phone books, calendars, etc... Backdoors, tailing someone through a door Stealing documents...
Reverse Social Engineering Instead of asking for information and help, you provide it
initially Of course they need help because of something the
attacker did Read more: Granger S. (2001, 2002) Security Focus
"Infocus" articles
Security as a Multidisciplinary ScienceExercise: Social Engineering Team up in groups of 2 or 3 and make up a skit to
demonstrate a social engineering technique; your "victim" will be another student in the audience who will "fall for it". Follow it up with a second version showing the correct response. Do try to obtain the most outrageous results possible (while being convincing). After the skit, explain the preparation you would have needed to conduct the attack. You can get inspiration from the table of correct
responses (Granger 2002): http://www.securityfocus.com/infocus/1533
Security as a Multidisciplinary SciencePsychological Effects Security features (or the lack thereof) have
psychological effects SPAM: loss of value and control over an important
communication medium Panoptical effects (feeling of being watched)
Can affect motivation, focus People perform differently
Intellectual performance is typically lower under surveillance
Exercises Identify a user interface limitation that may allow
social engineering
Identify a security mechanism that may cause users to feel that they are being watched
Example Answers Identify a user interface limitation that may allow
social engineering Phishing email scams
Look-alike web sites that capture passwords
Identify a security mechanism that may cause users to feel that they are being watched Windows login banners "Possibly" recorded phone calls to help centers
Overarching Goals Understand the security mindset
Understand security definitions
Understand the risk and impact on industry of insecure software products
Understand patching costs
Vulnerability A flaw in a system that allows a policy to be
violated Example policy: the content on a web site is
restricted to authenticated users. Vulnerability: the web site relies on JavaScript to
be executed on the client browser for access control
Exploit: Disable JavaScript An abundance of vulnerable sites exist
Exploit An exploit is the act of exercising a vulnerability Also used to refer to an actual program, binary or script
that automates an attack
Latent Vulnerabilities Sometimes, a vulnerability can be protected by a
change that leaves the vulnerable code in place: some change external to the application (firewall) a configuration change (disabling an option) a code wrapper that blocks exploit attempts
A vulnerability that is not exploitable at the moment is a latent vulnerability
Potential Vulnerabilities Bad practices, quality defects and other flaws
that could result in vulnerabilities in a different code context are potential vulnerabilities
Exploitability Difficult to establish whether a vulnerability is exploitable, latent or potential in complex systems
A latent or potential vulnerability can become exploitable when The software is used in a different context sometime
after its design The configuration is changed The code is changed Someone thinks of something you didn't
Is a memory leak exploitable? It depends!
Exercise Evaluate your security stance and risk tolerance.
For each potential, latent and exploitable vulnerability you find, would you:
a) Ignore the problem to save money and development time
b) Add a "REVISIT" type of comment in the code or create an entry in the bug tracking database
c) Bring immediate attention to the problem
Exercise Typical Answera) Ignore the problem to save money and
development time
b) Add a "REVISIT" type of comment in the code or create an entry in the bug tracking database
c) Bring immediate attention to the problem Option c) should be done first and serves as an
assessment step. Then, both b) and a) may also be done for the same issue. Ignoring the problem (temporarily?) can be justified depending on its severity and business circumstances (e.g., support for an end-of-life product ends sooner than the time required for a fix).
Exposure An exposure is an information leak that may
assist an attacker. Examples:
Software identification and version number released when connecting to a service, which may be used to select the most effective attack.
When web pages display SQL error messages When an IT person is having trouble (e.g., with their
firewall) and posts questions to public mailing lists with their company's email address
Sun's "tar" utility disclosed part of the password file
Exercise Identify other examples of information leaks that
may assist an attacker
Exercise Sample Answers Identify other examples of information leaks that
may assist an attacker Finger may release information about who is online, e.g.,
administrators Source code leaks (if the code contains vulnerabilities) Directory listings Wireless networks that broadcast their existence
Security Objective A security objective is a high-level description of
what the program or system must accomplish. Federal regulations drive many of these objectives
HIPAA (Health Insurance Portability and Accountability Act)
etc... Examples:
all money transfers must be legal the system must pass EAL4 Common Criteria
certification
Policy Policies specify which activities, states and
processes are allowed. Examples:
All users must be authenticated Money transfers can only be requested by the
account owner Also refers to security models that specify rules Famous policies (e.g., see Bishop 2002):
The Bell-LaPadula confidentiality model The Biba integrity model The Clark-Wilson integrity model
Risks to Confidentiality, Integrity and Availability Confidentiality is threatened when information
can be revealed in violation of a policy Examples: eavesdropping and inadequate access control
Integrity is threatened when information can be manipulated by an attacker. Example: "man-in-the-middle" attack
Availability is threatened when a resource can be disabled or made unavailable.
Assets can be classified according to these
Example An FTP server is read-only. If passwords are sent
in clear text, what is threatened if transmissions are captured? Confidentiality of the passwords
Confidentiality of the documents on the FTP server Confidentiality, Integrity and Availability of other
resources that use the same password!
Question Privacy fits best into which category?a) Confidentialityb) Integrityc) Availability
Question Privacy fits best into which category?a) Confidentiality (not a perfect fit)b) Integrityc) Availability
Note that some organizations prefer to put emphasis on privacy separately from CIA (e.g., Purdue University's Security and Privacy office). Also, privacy advocates consider it important to be able to verify the integrity of personal information, especially when that information can be used against them (e.g., credit reports).
Overarching Goals Understand the security mindset
Understand security definitions
Understand the risk and impact on industry of insecure software products
Understand patching costs
Security Organizations Security companies and organizations are held to
a higher standard of security
Reputation
Would you buy from an HVAC company that has broken A/C equipment in their offices?
Employees are responsible to protect the credibility of the company
Exercise Name an industry sector, and something that
would make you avoid a company working in that sector.
People Want Software That: Is produced with security assurance
Analogy: some applications exposed to the internet are like disguised cartons of eggs on the sidewalk
Lowers security risks To comply with laws mandating low security risks
HIPAA GLBA (Gramm-Leach Bliley) FERPA
To protect trade secrets and other valuable company information
Has fewer maintenance headaches (patching) and costs
Protects their reputation
Exercise Identify risks that would cause you to stop using
a product. Be specific.
Exercise Example Answers Frequencies of vulnerabilities and patches Absence of patches (or slow turnover) for known
issues Severity of vulnerabilities Criticality of the application Unreliability of patches
Patches that break previous fixes Patches that are incompatible with other software Downtime while applying patches
Unreliable file systems (non-journaled) Which matter most (for whom)?
Your motivation as a participant in software development How important is quality?
Quality assurance is inclusive of secure programming techniques
How much design?
Information assurance happens by design
How risk-averse?
Security problems in your projects and code can hurt your reputation as well as your employer's
Overarching Goals Understand the security mindset
Understand security definitions
Understand the risk and impact on Symantec of insecure software products
Understand patching costs
Cost of Patching Cost of evaluating vulnerability claims Cost of patch development and testing Cost of patch notification and download system NIST recommendation on applying patches (s.p.
800-40) Patch and Vulnerability Group (customer's cost)
test patches notify administrators monitor application of patches by system
administrators Vulnerability scanning to verify or enforce
Question Patches incur costs to?a) the vendorb) the customerc) both
Question Patches incur costs to?a) the vendorb) the customerc) both
Cost of Patching vs Preventing Flaws Security bugs are introduced at 3 different
stages: Design and architecture
Implementation
Operations
Fixing security bugs with a patch costs 60 times more than catching them at design time*
*: IBM System Sciences Institute statistics, cited by Kevin Soo Hoo, Andrew W. Sudbury and Andrew R. Jaquith in "Tangible ROI through Secure Software Engineering," Secure Business Quarterly, Volume 1, Issue 2.
Question If it costs $100,000 to issue each security patch,
approximately how much could have been saved by correcting the problem at design time?
a) $9,800b) $98,000c) $980
Question If it costs $100,000 to issue each security patch,
approximately how much could have been saved by correcting the problem at design time?
a) $9,800b) $98,000c) $980
• Note: It isn’t possible to catch all security flaws at design time.
Results from Current Software Engineering Methods >1000 reported vulnerabilities each year
About 50% of vulnerabilities are commonly repeated mistakes
About 25% of vulnerabilities could be avoided by applying secure design principles at design time
Need new methods
Patches created using the same development methods that created the buggy software, are likely buggy themselves!
“We can't solve problems by using the same kind of thinking we used when we created them.” (Albert Einstein)
Question Approximately what percentage of documented
vulnerabilities are common repeated mistakes?a) 25%b) 50%c) 75%
Question Approximately what percentage of documented
vulnerabilities are common repeated mistakes?a) 25%b) 50%c) 75%
Question (guess) How much money does a developer for a large
software project typically save a company when catching and fixing a vulnerability during development instead of patching?
a) $1,000b) $10,000c) $100,000
A vulnerability fixed before release may take one hour, compared to weeks of several people's time to fix it after release.
Answer c) $100,000
Without counting 1) costs to customers
Especially if revenue-generating activities are interrupted!
2) intangible costs
Motivation and Definitions: End
Scrabble copyright Hasbro
About These Slides You are free to copy, distribute, display, and perform the work;
and to make derivative works, under the following conditions. You must give the original author and other contributors credit The work will be used for personal or non-commercial educational uses
only, and not for commercial activities and purposes For any reuse or distribution, you must make clear to others the terms
of use for this work Derivative works must retain and be subject to the same conditions,
and contain a note identifying the new contributor(s) and date of modification
For other uses please contact the Purdue Office of Technology Commercialization.
Developed thanks to the support of Symantec Corporation
Pascal [email protected]
Contributors: Jared Robinson, Alan Krassowski, Craig
Ozancin, Tim Brown, Wes Higaki, Melissa Dark, Chris Clifton, Gustavo Rodriguez-Rivera
