Title: Dirty Little Secrets of IA Information Assurance
1 Dirty Little Secrets of IA (Information Assurance)
- Why we might not be doing as well as you would hope
- Bruce Potter (gdead_at_shmoo.com)
2 Administrivia
- What is SecurityGeeks?
- Part learning, part information exchange, part social
- How often should we meet?
- Once a month?
- Topics? Format?
- Future location ideas?
- List Charter?
- More questions?
3 ShmooCon Pimpin
- Tix are on sale (sorta)
- More to go on sale Jan 1, Feb 1
- CFP still open
- Though we have a lot of submissions in already; if you're thinking of submitting, do so soon
- ShmooCon Labs
- A limited set of folks that will set up the network and learn from experts (apply now)
- Hacker Arcade
- Hack or Halo
4 Don't Believe Anything I Say
- "Do not believe in anything simply because you have heard it. Do not believe in anything simply because it is spoken and rumored by many. Do not believe in anything simply because it is found written in your religious books. Do not believe in anything merely on the authority of your teachers and elders. Do not believe in traditions because they have been handed down for many generations. But after observation and analysis, when you find that anything agrees with reason and is conducive to the good and benefit of one and all, then accept it and live up to it." - Buddha
- Information Assurance is all about not trusting what you are hearing, seeing, or being sent to you
- By Day, Senior Associate for Booz Allen Hamilton
- Focusing on IC
- Wireless Security, application assurance, information security strategy
- By Night, Founder of The Shmoo Group and restorer of hopeless Swedish cars
- Anyone know what a Volvo 1800 is?
5 IT Security Needs Pyramid
[Pyramid figure. Layers as listed on the slide, top to bottom: Honeypots, IDS, Software Sec, ACLs, Firewalls, Auth / Auth, Patch Mgt, Op. Procedures. The vertical axis is labelled "Sophistication and Operational Cost".]
6 Secret 1 - We're not gaining on the attackers
- For the last 4 decades, information assurance professionals have been attempting to solve the same problem
- "Another major problem is the fact that there are growing pressures to interlink separate but related computer systems into increasingly complex networks"
- "Underlying most current users' problems is the fact that contemporary commercially available hardware and operating systems do not provide adequate support for computer security"
- "In addition to the experience of accidental disclosure, there has also been a number of successful penetrations of systems where the security was added on or claimed from fixing all known bugs in the operating system. The success of the penetrations, for the most part, has resulted from the inability of the system to adequately isolate a malicious user, and from inadequate access control mechanisms built into the operating system"
- Computer Security Technology Planning Study - October 1972, Electronic Systems Division, Air Force
7 Current InfoSec Trends
- Anti-virus, Intrusion Detection, and Strong passwords
- Defense in Depth, aka layer enough protection mechanisms on and something will stop the bad guys (is this a good idea?)
- Microsoft is the root of all security evils (is this true?)
- Most of the threat against your systems is from script kiddies who have more guts than brains (is this still the case?)
- All these ideas are geared toward a threat model that existed 10 years ago
- Let's look at attackers today
8 The Open Source Model of Security Research
- Only in the last 15 years have public discussions of Information Security issues come into vogue
- From obscure geeky bulletin boards to the front page of the NY Times
- InfoSec is not really a science yet
- Crypto is math. InfoSec is much, much more
- Because of the specialized knowledge required, and the lack of a formal body of knowledge, a community has grown
- Information on vulnerability research methods, specific vulnerability information and live exploits were publicly discussed
- The idea of "responsible disclosure" was born (and debated at length)
- But things have changed
9 Secret 2 - Existing Security Products are Becoming Obsolete
- Firewalls and IDSs were created for a different threat model
- They are probably still necessary but nowhere near sufficient
- At a recent conference, CIOs were asked if they would notice if their firewall and IDS logs went away, and most said no
- IDSs are best geared toward policy monitoring and enforcement
- Host based security is becoming increasingly important
- Lost laptops aren't just a problem for the VA
- Much easier to find attacks at the endpoints than in the infrastructure, except for all the noise
- With the mobile workforce, laptops are often outside the sphere of protection of the enterprise security architectures
- Anomaly detecting systems are also a wave of the future
- But statistical analysis of a single dimension of data may be a better bet than multiple data source correlation or some manner of AI-based system
- How do we secure SOA-based systems?
10 Secret 3 - Having trusted hardware can completely change the face of information assurance
- Secure cryptographic operations
- Secure key storage
- Integrity attestation
- By some accounts, can ultimately rid us of the problems of malware, viruses, etc.
- Trusted boot: signed kernel, signed drivers, signed apps
- Signed does not mean secure, but it at least means the code is what I intended to run
- Why is now (finally) the time for trusted computing?
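The "integrity attestation" and "trusted boot" bullets above describe a measured boot chain. The following is an added example, not code from the talk or from any TPM vendor: it models a TPM-style platform configuration register (PCR) that is only ever updated by `PCR_new = H(PCR_old || H(stage))`, so the final value depends on every stage and on their order, and a verifier-side attestation check that replays the event log and compares each measurement against expected ("golden") values. The stage contents are constructed byte strings standing in for a kernel, a driver and an application, and the choice of SHA-256 is an assumption.

```python
"""Measured boot in miniature (added example, not from the talk).

Each boot component is hashed and folded into a register with
    PCR_new = H(PCR_old || H(stage))
so a changed driver, or a reordered chain, yields a different register.
An attester ships the final PCR plus an event log; the verifier replays
the log and checks every measurement against a golden list. The stage
contents below are constructed byte strings; SHA-256 is an assumption.
"""
import hashlib
from typing import Iterable, List, Sequence, Tuple

DIGEST = hashlib.sha256
PCR_INIT = b"\x00" * DIGEST().digest_size  # registers start zeroed at reset


def measure(stage: bytes) -> bytes:
    """Measurement of one boot component (hash of its bytes)."""
    return DIGEST(stage).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """One-way register update: the only way to change a PCR is to extend it."""
    return DIGEST(pcr + measurement).digest()


def boot(chain: Iterable[Tuple[str, bytes]]) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Run the chain; return the final PCR and an event log of
    (stage name, measurement hex) that the attester reports alongside it."""
    pcr = PCR_INIT
    log = []
    for name, blob in chain:
        m = measure(blob)
        pcr = extend(pcr, m)
        log.append((name, m.hex()))
    return pcr, log


def replay(log: Sequence[Tuple[str, str]]) -> bytes:
    """Recompute the PCR from an event log alone."""
    pcr = PCR_INIT
    for _name, mhex in log:
        pcr = extend(pcr, bytes.fromhex(mhex))
    return pcr


def attest(reported_pcr: bytes, log, golden: dict) -> Tuple[bool, str]:
    """Verifier-side check: the log must replay to the reported register AND
    every measured stage must match the value the verifier expects."""
    if replay(log) != reported_pcr:
        return False, "event log does not replay to the reported PCR"
    for name, mhex in log:
        if golden.get(name) != mhex:
            return False, f"unexpected measurement for {name}"
    return True, "ok"


# Constructed stand-ins for the real components (hypothetical names/contents).
GOOD_CHAIN = [
    ("kernel", b"vmlinuz-2.6.18 built 2006-10"),
    ("driver", b"nvidia.ko signed build"),
    ("app", b"/usr/bin/rosetta 1.0"),
]
GOLDEN = {name: measure(blob).hex() for name, blob in GOOD_CHAIN}


def tampered_chain():
    """Same chain with the driver modified (a constructed rootkit)."""
    return [(n, (b.replace(b"signed", b"rootkt") if n == "driver" else b))
            for n, b in GOOD_CHAIN]


if __name__ == "__main__":
    pcr, log = boot(GOOD_CHAIN)
    print("clean boot :", attest(pcr, log, GOLDEN))
    pcr2, log2 = boot(tampered_chain())
    print("tampered   :", attest(pcr2, log2, GOLDEN))
    # A forged log that hides the rootkit still fails: it no longer replays
    # to the register the hardware actually reports.
    print("forged log :", attest(pcr2, log, GOLDEN))
```

The point the slide makes is visible in the third case: a signed, measured chain does not make the driver secure, but an attacker who modifies it cannot also hide the modification, because the register the hardware reports no longer matches any log that omits it.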
11 Guess what? DRM is Cool
- According to a recent survey, iPods are cooler than beer
- Apple made DRM sexy and cool
- The iPod begat ITMS
- ITMS was made possible because Apple came up with a rights management scheme that the content providers could deal with, at $1 a pop
- In Feb 2006, the 1 billionth song was downloaded from ITMS
- 1 billion songs means people think ITMS is cool
- Through transitivity, Apple made DRM cool
- What does Apple have to do with Trusted Hardware?
12 Funny You Should Ask
- Apple just made trusted hardware sexy and cool (and you didn't even realize)
- Enter the MacBook Pro
- When Apple switched to Intel, they developed Rosetta, an emulator that dynamically translates PPC opcodes to x86
- Apple is using the TPM to protect Rosetta from starting unless the TPM is there
- Ensures Apple proprietary SW only runs on Apple HW
- Maxxuss repeatedly bypassed this protection
[Diagram showing the components: Legacy PPC App, Rosetta, App Translated to x86, Intel Processor, TPM]
13 IA Trend - Trusted Hardware
- Many other vendors also working to integrate trusted hardware
- A variety of impacts on field operations
- Can make decryption of encrypted data VERY difficult
- Can make compromising a target's computer more difficult
- Provides security throughout the network, not just at a system level. This is FANTASTIC for device authentication
- Trusted Network Connect
- Key management is not just for strong crypto anymore
- More info: http://www.trustedcomputing.org/
14 Secret 4 - Decreased exploit development timeframe and mercenary exploit dev are empowering the individual attackers
- Patches have two major uses
- Secure a system that has a known vulnerability
- Determine what vulnerability was patched in order to develop an exploit
- In the last several years, there has been an incredible decrease in the amount of time between patch release and creation of a successful exploit
- Microsoft's Patch Tuesday has been great for both attackers and defenders alike
- The moral? Patch disclosure is essentially the same as vulnerability disclosure
- Many security companies now offer money in exchange for exclusive rights to exploits from mercenary exploit developers
- Tipping Point's Zero Day Initiative (ZDI)
- iDefense's Vulnerability Contributor Program (VCP)
- Etc.
- These programs have rewards programs, as well as other incentives
- This has TOTALLY changed the full disclosure argument
[Vulnerability timeline figure. Milestones in order: Vuln Disc., Patch Rel., Exploit Rel., Majority Patched; the period after patch release, before the majority have patched, is labelled "High Risk for Large Scale and Highly Targeted Attacks".]
15 Secret 5 - For Operational Security, Microsoft may be your best bet
- Operational security is just as much about scalability, monitorability, and manageability as it is about the technical security of the product
- MS got it wrong for a LONG time; it allowed a HUGE industry to develop around it that provided security products to the consumer and enterprise
- Also, other operating systems were viewed as more secure for a variety of reasons
- But now MS has spent more money on security than many countries spend on IT
- Even if they get most of it wrong, they're moving in the right direction. They're talking about MLS by '10
- Unlike OSS, with MS you have a product roadmap, you have a coherent integration of many business apps, you have security woven through the entire OS and application layers, AND you have a patch process that basically makes sense
- Ultimately, the premise has changed: while before the security vendors knew security better, now MS does
- Causing obvious problems with 64-bit Vista
- http://www.shmoo.com/gdead/ for more info on operational security and MS
16 Secret 6 - What is the best mechanism for finding attackers in your networks?
17 (No Transcript)
18 Administrators are the first responders; they should be armed as such
- Networks are dynamic critters. The systems and network administrators know them better than any monitoring software will
- For networks without administrators (sensor nets, local networks in airframes, etc.) specific monitoring procedures need to be developed. But these networks tend to be closed systems with easily profilable behaviors.
- What gets one-off (dangerous) attackers caught?
- Bandwidth increases
- Running out of disk space
- Patches not applying properly
- Change management failures
- CRAZY syslog entries (huge binary blobs in syslog entries, for instance)
- In summary: things sysadmins and NOC operators will notice. Hard for automated systems to recognize whether these are security issues or not
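Two of the signals on this slide, the bandwidth jump and the binary blob in syslog, can be turned into the kind of single-dimension statistical check that Secret 2 argues for over multi-source correlation. The following is an added example, not code from the talk: a z-score test on one host's daily outbound byte count, and a filter that flags syslog lines with an unusual share of non-printable characters. The byte counts, log lines, hostnames and thresholds are all constructed for the demonstration and would need tuning per site.

```python
"""Single-dimension detectors for two sysadmin signals (added example,
not from the talk): per-host bandwidth via z-score, and syslog lines
carrying binary junk via a non-printable-character ratio. All sample
data below is constructed; thresholds are assumptions to tune per site.
"""
import math
import string
from typing import List, Tuple

# --- 1. Bandwidth: one dimension, one statistic ---------------------------
# Constructed daily outbound volume (MB) for one host over 13 days;
# today's value is the 40x jump a sysadmin "just notices".
HISTORY_MB = [120, 135, 110, 128, 140, 95, 102, 131, 125, 118, 139, 122, 115]
TODAY_MB = 4900


def zscore(history: List[float], value: float) -> float:
    """How many sample standard deviations `value` sits from the history mean."""
    n = len(history)
    mean = sum(history) / n
    var = sum((x - mean) ** 2 for x in history) / (n - 1)
    sd = math.sqrt(var) or 1.0  # a perfectly flat history would otherwise divide by zero
    return (value - mean) / sd


def bandwidth_alert(history: List[float], value: float, threshold: float = 4.0) -> bool:
    """Flag a day whose volume is more than `threshold` sigma above normal
    (only the high side: a quiet day is not an exfiltration signal)."""
    return zscore(history, value) > threshold


# --- 2. Syslog: lines that should never contain binary -------------------
PRINTABLE = set(string.printable)

# Constructed log lines; the third carries a blob of the kind a shellcode
# string lands in a daemon's log as (bytes shown as escapes).
SYSLOG = [
    "Nov 14 03:12:01 web1 sshd[2211]: Accepted publickey for deploy from 10.1.2.3",
    "Nov 14 03:12:40 web1 cron[2290]: (root) CMD (run-parts /etc/cron.hourly)",
    "Nov 14 03:13:02 web1 httpd[1077]: GET /cgi-bin/x "
    "\x90\x90\x90\x90\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07",
    "Nov 14 03:13:05 web1 named[411]: client 10.1.2.9#53 query: example.com IN A",
]


def nonprintable_ratio(line: str) -> float:
    """Fraction of characters outside ASCII printable/whitespace."""
    return sum(1 for ch in line if ch not in PRINTABLE) / max(len(line), 1)


def suspicious_syslog(lines: List[str], max_ratio: float = 0.05) -> List[Tuple[int, float]]:
    """Return (1-based line number, ratio) for lines over the binary threshold."""
    hits = []
    for i, line in enumerate(lines, 1):
        r = nonprintable_ratio(line)
        if r > max_ratio:
            hits.append((i, round(r, 3)))
    return hits


if __name__ == "__main__":
    print("z-score for today:", round(zscore(HISTORY_MB, TODAY_MB), 1),
          "alert:", bandwidth_alert(HISTORY_MB, TODAY_MB))
    for lineno, ratio in suspicious_syslog(SYSLOG):
        print(f"syslog line {lineno}: {ratio:.0%} non-printable")
```

Both checks look at exactly one quantity each, which is what makes them cheap to run and easy for the administrator who owns the box to interpret; the hard part the slide mentions, deciding whether the hit is a security issue or a legitimate backup job, still needs the person who knows the network.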
19 Secret 7 - Most organizations don't have staff dedicated to monitoring the security of their networks and systems
- What works for securing DoD may never work for anyone else
- Just like how MS deals with software security may not work for anyone else
- 800 lb gorillas are not good examples
- You're lucky to find staff dedicated to security configuration, let alone security monitoring
20 Secret 8 - There are several proactive detective mechanisms that work without breaking the bank or your staff
- Host integrity monitoring
- Looking for changes in the end hosts, especially in system directories, can be very successful
- Network services monitoring
- Scanning internal networks looking for open ports will at least find new TCP services; great for change management control as well
- Monitoring defacement archives and other open source locations for your assets
- If the Internet knows you're p0wned, shouldn't you?
- If you don't get these right, why do more?
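The first two mechanisms on this slide, host integrity monitoring and network services monitoring, are the same procedure applied to different data: take a snapshot, store it somewhere the monitored host cannot write, compare later. The following is an added example, not code from the talk or from any integrity checker: a SHA-256 snapshot of a directory tree with a diff that reports added, removed and changed files, and a TCP connect scan whose result is diffed the same way against a stored set of (host, port) pairs. The directory contents, hostnames and ports are constructed for the demonstration.

```python
"""Baseline-and-diff for host integrity and network services (added example,
not from the talk). Snapshot, store off-box, compare; the same diff logic
serves both. Paths, file contents, hosts and ports below are constructed.
"""
import hashlib
import os
import socket
import tempfile
from typing import Dict, Iterable, List, Set, Tuple

# ---- host integrity: relative path -> sha256 ------------------------------

def snapshot_tree(root: str) -> Dict[str, str]:
    """Hash every regular file under root, keyed by a '/'-separated relative path."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            snap[os.path.relpath(full, root).replace(os.sep, "/")] = h.hexdigest()
    return snap


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]):
    """Return (added, removed, changed) keys between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(k for k in set(baseline) & set(current) if baseline[k] != current[k])
    return added, removed, changed

# ---- network services: set of (host, port) ---------------------------------

def scan_ports(host: str, ports: Iterable[int], timeout: float = 0.5) -> Set[Tuple[str, int]]:
    """TCP connect scan; returns the (host, port) pairs that accepted a connection."""
    open_ports = set()
    for p in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, p)) == 0:
                open_ports.add((host, p))
    return open_ports


def diff_services(baseline: Set[Tuple[str, int]], current: Set[Tuple[str, int]]):
    """(new listeners, vanished listeners). New ones are the change-management signal."""
    return sorted(current - baseline), sorted(baseline - current)

# ---- demo on a constructed "system directory" ------------------------------

def demo_tree_change() -> Tuple[List[str], List[str], List[str]]:
    """Build a small tree in a temp dir, baseline it, then simulate a trojaned
    binary, a dropped tool and a deleted file; return the diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        files = {"bin/ls": b"#!/bin/sh\nls-real\n",
                 "bin/ps": b"#!/bin/sh\nps-real\n",
                 "etc_passwd": b"root:x:0:0::/root:/bin/sh\n"}
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline = snapshot_tree(root)
        with open(os.path.join(root, "bin/ps"), "wb") as f:      # trojaned ps
            f.write(b"#!/bin/sh\nps-real | grep -v evil\n")
        with open(os.path.join(root, "bin/.sniff"), "wb") as f:  # dropped tool
            f.write(b"ELF...")
        os.remove(os.path.join(root, "etc_passwd"))
        return diff_snapshots(baseline, snapshot_tree(root))


if __name__ == "__main__":
    print("files (added, removed, changed):", demo_tree_change())
    base = {("10.0.0.5", 22), ("10.0.0.5", 80)}        # stored baseline (constructed)
    now = {("10.0.0.5", 22), ("10.0.0.5", 80), ("10.0.0.5", 31337)}  # e.g. scan_ports() output
    print("services (new, gone):", diff_services(base, now))
```

Two practical notes: the baseline has to live where a root-level intruder cannot rewrite it (read-only media or another host), or the check only confirms the attacker's edits; and a new listener on an internal scan is worth a ticket whether or not it turns out hostile, which is why the slide calls this a change-management control as much as a security one.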
21 Questions?