Mitigating the Risk of Cyber Attack - PowerPoint PPT Presentation

1 / 44
About This Presentation
Title:

Mitigating the Risk of Cyber Attack

Description:

David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford. ... David M. Nicol, Michael Liljenstam. Presentation at IMA Workshop, January 12, 2004 ... – PowerPoint PPT presentation

Number of Views:326
Avg rating:3.0/5.0
Slides: 45
Provided by: davidal6
Category:

less

Transcript and Presenter's Notes

Title: Mitigating the Risk of Cyber Attack


1
Mitigating the Riskof Cyber Attack
  • David Alderson, PhD
  • California Institute of Technology
  • alderd_at_cds.caltech.edu
  • MSE 193/293
  • November 17, 2004

2
Agenda
  • Monday
  • Critical Infrastructures
  • Recent Failures
  • Rise of the Internet
  • The Potential Threat
  • Policy Introduction
  • Homework
  • PBS Frontline Video Cyberwar!
  • Wednesday
  • Case Study Internet Worms and Viruses
  • Threat Mitigation U.S. Federal Policy
  • Conclusions
  • Open Questions
  • Research Topics
  • Potential Paper Topics

3
Motivating Questions
  • What are critical infrastructures, and how does
    our dependence on them make us vulnerable to
    accidents, failures, and attacks?
  • To what extent does the open and insecure nature
    of the Internet and related cyber infrastructure
    pose a threat to national security?
  • What are the current vulnerabilities, and what
    can be done in the short term to mitigate against
    them?
  • Where would we like to be in the future with
    regard to the Internet and the critical
    infrastructures, and what needs to be done to get
    there?

We dont have all the answers yet!
4
Acknowledgements
  • Caltech John Doyle
  • UCB Vern Paxson
  • UCSD Stefan Savage
  • EPRI (now UMN) Massoud Amin
  • CISAC Kevin Soo Hoo, Keith Coleman, Dan
    Wendlandt, Martin Casado, Mike May, David
    Elliott, William Perry
  • Stanford Student Cybersecurity Group
  • http//cybersecurity.stanford.edu

5
Critical Infrastructures
  • Definition an infrastructure so vital that its
    incapacity or destruction would have a
    debilitating impact on our defense and national
    security.

Source Critical Foundations Protecting
Americas Infrastructures
  • Examples
  • Information and Communications
  • PTN, TV/Radio, CATV, Internet, Satellite,
    Wireless
  • Energy Systems
  • Electrical Power Systems
  • Gas and Oil Production, Storage and
    Transportation
  • Banking and Finance
  • Physical Distribution
  • Transportation
  • Water Supply Systems
  • Vital Human Services
  • Emergency Services
  • Government Services
  • Military Services

More information available from Critical
Infrastructure Assurance Office (CIAO)
www.ciao.gov
6
The Internet has become a critical information
infrastructure.
  • The Internet has become a type of public utility
    (like electricity or phone service) that
    underlies many important public and private
    services.
  • Internet disruptions have a ripple effect
    across the economy.
  • The Internet is a control system for monitoring
    and controlling our physical environment.
  • Hijacking the Internet can be even more
    devastating than interrupting it.

7
Best Practices in Security
  • Most attacks occur through known vulnerabilities
  • Most attacks could be prevented if the victim had
    been using best practices for cyber security
  • Latest software patches for known bugs
  • Virus protection software with up-to-date virus
    definition files
  • Frequently changed passwords of proper syntax
  • Firewalls
  • More than one layer of protection All of the
    above!
  • SANS/FBI publishes a list of top 20
    vulnerabilities, updated annually
    (www.sans.org/top20)
  • But evidence repeatedly suggests that best
    practices are not followed consistently

8
Misalignment of Incentives
  • Protection is costly and inconvenient
  • Business imperative is competition
    (profitability, cost management, new markets, new
    technologies), not protection
  • Users are not accustomed to bearing any direct
    costs of protecting infrastructures
  • Direct (immediate) benefits of protection are
    unknown (difficult to measure)
  • Exploitation is cheap and convenient
  • tools (laptop and network connection) are
    inexpensive
  • training is easily obtained or downloaded
  • prosecution is difficult
  • Exploitation is potentially highly-rewarding
  • money, power, prestige

9
An Ongoing Debate
  • Does the vulnerability of the Internet pose a
    threat to national security?
  • Why Is This A Hard Question?
  • There is a lack of public evidence
  • Strong disincentives for companies to share
    information about incidents
  • Strong disincentives for the government to share
    information about vulnerabilities
  • Measurement is a challenge
  • How to quantify the consequences of an incident?
  • Who has time to gather data during an incident?

10
Case StudyThe Threat of Internet Worms
11
Viruses and Worms
  • Definition A computer virus is a small program
    written to alter the way a computer operates,
    without the permission or knowledge of the user.
    (Symantec Website www.symantec.com)
  • Network worms are sometimes called automated
    intrusion systems because, unlike viruses, they
    do not require action by a human (via a host
    file). They contain 3 basic parts
  • Exploit (the means by which a computer is
    compromised)
  • Propagation (the means by which the worm moves
    from one machine to another)
  • Payload (what the worm does to the computer,
    other than self-replicate)
  • These parts are modular and independent
  • Exploits take advantage of well-known, insecure
    open services
  • Toolkits are readily available online

12
References
  • How to 0wn the Internet in Your Spare Time
  • Stuart Staniford, Vern Paxson, Nicholas Weaver.
    Proceedings of the USENIX Security Symposium
    2002.
  • (Vern Paxsons Home Page, http//www.icir.org/vern
    )
  • Internet Quarantine Requirements for Containing
    Self Propagating Code
  • David Moore, Colleen Shannon, Geoffrey M.
    Voelker, Stefan Savage
  • IEEE Infocom, April 2003
  • Inside the Slammer Worm
  • David Moore, Vern Paxson, Stefan Savage, Colleen
    Shannon, Stuart Staniford. IEEE Security
    Privacy, July/August 2003.
  • (Stefan Savages Home Page, http//www.cs.ucsd.edu
    /savage/)
  • Models of Internet Worm Defense
  • David M. Nicol, Michael Liljenstam
  • Presentation at IMA Workshop, January 12, 2004
  • http//www.ima.umn.edu/talks/workshops/1-12-16.200
    4/nicol/talk.pdf

13
Brief History(courtesy Stefan Savage)
  • Early Worm Development
  • Science fiction references Brunner describes
    tapeworm program in novel Shockwave Rider
    (1972)
  • Shoch Hupp coin term worm for programs that
    self-propagate to perform some (benign) task
    (1982)
  • Morris Worm (1988) exploits buffer overflow
    vulnerabilities and infects a few thousand hosts
    (10 of Internet)
  • Then nothing for 13 years
  • until a recent renaissance in worm activity
  • CodeRed (Summer 2001)
  • CodeRed II, NIMDA (Fall 2001)
  • Sapphire/Slammer (Winter 2003)

14
Code Red
  • CRv1 (originally identified on July 13, 2001)
  • Spread by compromising a Microsoft IIS
    vulnerability (that had been cataloged on June
    18, 2001)
  • (Sometimes) defaced the web server
  • After infection, it attempted to compromise other
    machines identified by generating a sequence of
    random IP addresses (but flawed RNG had a fixed
    seed, so same sequence of random numbers used
    everywhere ? growth was linear)
  • CRv2 (observed on July 18, 2001)
  • Fixed the RNG bug
  • No more web site defacements, but added a DDOS
    payload targeting the IP address for
    www.whitehouse.gov
  • More successful Infected 360,000 hosts in 10
    hours
  • This version is commonly called Code Red
  • Another bug, caused it to die after 20th day of
    month (initial release only 1 days)
  • But, incorrect computer clocks allowed the worm
    to persist and reactivate itself on August 1,
    2001 (and its still going!)

Source Stanison, Paxson, Weaver. How to 0wn the
Internet in Your Spare Time.
15
Code Red II
  • Released on Saturday, August 4, 2001
  • Contained comment calling itself Code Red II,
    but the code base was different from Code Red I
  • Exploited the same vulnerability in Microsoft IIS
  • Payload installed a root backdoor allowing
    unrestricted remote access to the infected host
  • Kills Code Red I
  • BUT, only worked on Windows2000 (crashed on NT)
  • Used a localized strategy to choose IP addresses
  • From local class B network (probability 3/8)
  • From local class A network (probability 1/2)
  • From entire Internet (probability 1/8)
  • Very rapid local infection, once through a
    firewall
  • Died by design on October 1, 2001

Source Stanison, Paxson, Weaver. How to 0wn the
Internet in Your Spare Time.
16
NIMDA
  • Began on September 18, 2001
  • A multi-vector wormspread by five methods
  • Infecting web servers from clients by exploiting
    a (different) Microsoft IIS vulnerability
  • Bulk emailing itself as an attachment to
    addresses obtained from the infected machine
  • Copying itself across shared network file systems
  • Adding exploit code to web pages in order to
    infect web clients that browse the page
  • Exploiting backdoors left behind by Code Red II
  • Combination of methods bypassed current security
  • As email payload, passed many firewalls
  • Many infections before anti-virus signatures in
    place

Source Stanison, Paxson, Weaver. How to 0wn the
Internet in Your Spare Time.
17
NIMDA Virulence
Source Stanison, Paxson, Weaver. How to 0wn the
Internet in Your Spare Time. Courtesy Vern Paxson.
18
An Ecosystem of Worms
Source Stanison, Paxson, Weaver. How to 0wn the
Internet in Your Spare Time. Courtesy Vern Paxson.
19
Sapphire/Slammer Worm
  • Observed on January 25, 2003
  • Buffer overflow vulnerability in Microsoft SQL
    Server (documented in July 2002)
  • Worm fit in a single UDP packet (404 bytes
    total)
  • Key insight decouple scanning from target
    behavior
  • Sapphire Growth
  • First 1min behaves like random scanning worm
  • Doubling time of 8.5 seconds
  • Code Red doubled every 40mins
  • 1min worm starts to saturate access bandwidth
  • Some hosts issue 20,000 scans/sec
  • Self-interfering (no congestion control)
  • Peaks at 3min (55million IP scans/sec)
  • 90 of Internet scanned in
  • Infected 100k hosts (conservative due to PRNG
    errors)
  • No malicious payload, but caused severe network
    congestion and disabled many database servers.

Source Moore, Paxson, Savage, Shannon, and
Staniford. Inside the Slammer Worm.
20
Worm Evolution
  • Cooperative Association for Internet Data
    Analysis (CAIDA)
  • http//www.caida.org/analysis/security/code-red/
  • http//www.caida.org/dynamic/analysis/security/nim
    da/
  • http//www.caida.org/analysis/security/sapphire/

21
The Worm Threat
  • Proposition worms are among the most serious
    threats today to Internet infrastructure
  • Evidence
  • Millions of susceptible hosts
  • Easy to write
  • Can cause serious damage (damage hosts,
    expose/corrupt information, DoS attacks)
  • Rapid time scales make defense difficult
  • How to quantify the threat as well as the
    effectiveness of possible defense strategies?
  • Threat Capability x Intent
  • Vulnerability Threat x Consequence

22
Epidemiological Model
Courtesy Stanison, Paxson, Weaver.
  • For a fixed population size N
  • I(t) infected population at time t
  • i(t) fraction of infected population
    (i(t)I(t)/N)
  • K (constant) contact rate per host
  • T starting time of outbreak

Logistic growth equation. Ref Boyce and
DePrima. Elementary Differential Equations and
Boundary Value Problems.
23
Comparing Models
S-I Model N initial size of susceptible
pop. I(t) infected population at time
t i(t) fraction of infected population
(i(t)I(t)/N) K contact rate per host
  • Assumptions
  • Homogenous mixing
  • No natural births/deaths

24
How to Mitigate the Worm Threat?
  • S(0) N
  • ? ? / M
  • probe rate of worm
  • M total population (232 IPv4)
  • ? removal rate

25
How quickly does each strategy need to react?
Address Blacklisting
Content Filtering
Infected (95th perc.)
Infected (95th perc.)
Reaction time (hours)
  • To contain worms to 10 of vulnerable hosts after
    24 hours of spreading at 10 probes/sec (CodeRed)
  • Address blacklisting reaction time must be minutes.
  • Content filtering reaction time must be hours
  • Reaction times must be fast when probe rates get
    high
  • 10 probes/sec reaction time must be (content filtering)
  • 1000 probes/sec reaction time must be minutes (content filtering)

Source Moore, Shannon, Voelker, and Savage.
2003. Internet Quarantine Requirements for
Containing Self Propagating Code. (Courtesy
Stefan Savage)
26
Modeling Cyber Epidemics
  • Interpreting quantities of interest in this new
    domain
  • Generation time, reproductive rate
  • Threshold criteria (worms on Macs?)
  • Limiting values (how and when to intervene?)
  • Understanding the relationship between model
    assumptions and details of application
  • Homogeneous mixing and virus/worm spread
  • Births/deaths and endemic persistence of worms
  • More realistic representation of worm behavior
  • Policy implications
  • Direction of technology investment
  • User behavior as well as technology
  • Opportunity modeling at the cutting edge of
    network research, with many contributions to be
    made.

27
What Does All This Mean?
  • The scale/speed of these attacks pose new
    challenges
  • Zero latency period, High infection rate, use
    Internet against itself
  • Human response is not possible
  • Significant technical challenges to reactive
    defense
  • Worms and viruses create the possibility of
    additional cyber attacks with incredible threat
    potential
  • Imagine What could you do if you 0wned 1M
    machines?
  • Massive, diffuse DDOS attacks
  • Against a single industry or infrastructure?
  • Subtle, hard to trace
  • Use the information on those machines
  • Passwords
  • Fraudulent credit card transactions, Identity
    theft
  • Corrupt the information on those machines
  • Rapidly evolving technology is fertile ground for
    new and more dangerous worms and viruses

28
(How) Can public policy assist in providing a
solution to this problem?
29
Abbreviated Timeline
30
Abbreviated Timeline (cont.)
31
National Strategy Initiatives
  • Information Sharing Information, including
    threat analysis and warning, should flow freely
    and in a timely manner among the stakeholders.
  • Incident Response and Recovery Government should
    facilitate timely warning and recovery to
    (imminent) attack.
  • Awareness All stakeholders (from large
    corporations to home users) must recognize and
    understand the problem.
  • Securing Governments Cyberspace Federal,
    state, and local government information systems
    should be better protected through enhanced
    threat and vulnerability assessment, updated and
    more secure technologies, and adherence to
    recognized operational best practices.
  • Training and Education Technical expertise
    necessary for securing the infrastructure must be
    cultivated.
  • Research and Development New technologies to
    help identify, prevent, and mitigate new
    vulnerabilities must be developed and implemented.

32
Abbreviated Timeline (cont.)
Richard Clarke resigns as chair of PCIPB. Howard
Schmidt (former Microsoft CSO) remains as vice
chair.
Feb 2003
33
DHS Organization
Office of the Secretary
Emergency Preparedness Response
Coast Guard
Citizenship Immigration Services
Management
Information Analysis Infrastructure
Protection
Border Transportation Security
Science Technology
Secret Service
Homeland Security Operations Center
Information Analysis
Infrastructure Protection
National Communication System
National Cyber Security Division
Infrastructure Coordination Division
Protective Security Division
source www.dhs.gov
34
Abbreviated Timeline (cont.)
Richard Clarke resigns as chair of PCIPB. Howard
Schmidt (former Microsoft CSO) remains as vice
chair.
Feb 2003
35
July 04 Report on DHS Progress
  • Conducted Dec 2003 Feb 2004
  • Objective to determine whether DHS efforts to
    implement the White Houses cyber strategyThe
    National Strategy to Secure Cyberspaceand to
    protect the nations critical infrastructure from
    a major cyber terrorist attack are adequate and
    effective.
  • Accomplishments
  • Launched US-CERT
  • National Cyber Alert System
  • National Cyber Security Summit (December 2003,
    Santa Clara, CA)
  • Establishing groups to strengthen Federal IT
    systems

36
July 04 Report on DHS Progress
  • According to the report, the NCSD has not
  • Prioritized its initiatives to address the
    recommendations in The National Strategy to
    Secure Cyberspace.
  • Identified the resources needed to ensure that
    it can identify, analyze, and reduce long-term
    cyber threats and vulnerabilities.
  • Developed strategic implementation plans,
    including performance measures and milestones,
    focusing on the divisions priorities,
    initiatives, and tasks.
  • Instituted a formal communications process
    within DHS, as well as the public, private, and
    international sectors.
  • Initiated and implemented a process to oversee
    and coordinate efforts to develop best practices
    and create cyber security policies with other
    government agencies and the private sector.
  • Reviewed or updated the actions and
    recommendations in The National Strategy to
    Secure Cyberspace.

37
Abbreviated Timeline (cont.)
Richard Clarke resigns as chair of PCIPB. Howard
Schmidt (former Microsoft CSO) remains as vice
chair.
Feb 2003
38
Where We Are
  • Significant assets now in place for dealing with
    cybersecurity incidents
  • Incident response and recovery
  • US-CERT
  • Cyber Alert Warning System
  • Law Enforcement
  • FBI
  • U.S. Secret Service Electronic Crimes Task Forces
  • But, substantial challenges remain
  • Technology hurdles software patches
  • Application of Best Practices by vendors,
    corporations, individuals
  • Alignment of economic incentives

39
Open Issues
To what extent is information deficit the root
cause of insecurity in the Internet? To what
extent is a misalignment of economic incentives
the root cause?
  • Worm exposes apathy, Microsoft flaws by Robert
    Lemos, CNET News.com, January 26, 2003
  • Microsoft fails Slammer's security test by
    Robert Lemos, CNET News.com, January 27, 2003

40
Open Issues
Is the monoculture of a Microsoft-based Internet
a significant threat to the security of
cyberspace?
  • CyberInsecurityThe Cost of Monopoly
  • Published by the Computer Communications
    Industry Association. September 2003.
  • http//www.ccianet.org/papers/cyberinsecurity.pdf
  • CyberInsecurity Much ado about nothing
  • By Mary Landesman, About.com.
  • http//antivirus.about.com/cs/allabout/a/cyberinse
    curity.htm
  • To Fix Software Flaws, Microsoft Invites Attack
  • By Steve Lohr, NY Times, Sept. 29, 2003

41
Open Issues Incentives
  • Will a government strategy based on voluntary
    information sharing and public-private
    partnership ever effectively address the
    potential threats to national security posed by
    internet vulnerability?
  • Should the government use regulation, taxation,
    and other methods of influence to correct the
    misalignment of incentives among Internet
    stakeholders?
  • Should software manufacturers be held liable for
    damages caused by distributing insecure software?
  • Should organizations and individuals be held
    liable for damages caused by failing to patch
    insecure software?
  • Will it take a cyber 9/11 (possibly caused by a
    worm) to move individuals, corporations, and the
    government into action?

42
Preliminary Conclusions
  • Problems of growing importance that affect
    everyone
  • There are no clears answers (yet)
  • Assessment of the scope of the problem
  • Identification of promising solutions
  • A problem at the intersection of technology and
    policy
  • An assessment of policy requires a good
    understanding of technology
  • Pursuit of technological solutions requires an
    understanding of policy implications
  • Many opportunities for valuable contributions
  • Independent research projects
  • Ongoing research programs here at Stanford
  • (CISAC, SNRC, Law School, and others)

43
Potential Paper Topics
  • Evaluating evidence is there a threat?
  • How should the Federal Government respond to
    evidence of an impending attack?
  • Evaluate a specific public-private partnership
    initiative for DHS support?
  • Is the Internet an appropriate platform for
    supporting critical infrastructures?
  • Should government systems diversify away from a
    Microsoft monoculture?

44
Additional Campus Resources
Questions? Comments?
alderd_at_cds.caltech.edu
  • Stanford Student Cybersecurity Group
  • http//cybersecurity.stanford.edu
  • Computer Science Security Lab http//crypto.stanfo
    rd.edu/seclab
  • Stanford Law SchoolCenter for Internet and
    Societyhttp//cyberlaw.stanford.edu/security/
Write a Comment
User Comments (0)
About PowerShow.com