1 / 26

Root Causes of Cyber Security Problems: Why a Community-based Approach is Needed

Root Causes of Cyber Security Problems: Why a Community-based Approach is Needed. Xinming (Simon) Ou Department of Computing and Information Sciences Kansas State University. Center for Information and Systems Assurance (CISA) at Kansas State University.

ekram
Download Presentation

Root Causes of Cyber Security Problems: Why a Community-based Approach is Needed

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Root Causes of Cyber Security Problems: Why a Community-based Approach is Needed Xinming (Simon) Ou Department of Computing and Information Sciences Kansas State University Mid America Cybersecurity Conference (MACC)

  2. Center for Information and Systems Assurance (CISA) at Kansas State University A National Center of Academic Excellence in Information Assurance Research (CAE-R) http://www.cisa.k-state.edu/

  3. What are the root causes of cybersecurity problem? • Why security in the cyber space is in such a dismal state • Cyber space is essentially the Wild West where bad guys wreak havoc • What is the right solution? • Technological: automation is the key to win the asymmetric cyber-security warfare • But is this a pure technology problem?

  4. We all hear of computer malware • Viruses, Worms, Bots, Rootkits, Spyware, … • Malware is just computer programs with malicious intent (Malicious-softWare) • But how do they get onto your computer?

  5. First path: You installed them! • Common-sense Test 1: • You got an email with the subject line: “You received a greeting card from Hallmark!”, and an attachment file “Card.jpg .exe”. • Should you open the attachment?

  6. First path: You installed them! • Common-sense Test 2: • You browsed to the website of company A and wanted to watch a video posted there. When you clicked the link, a window popped up which said : “In order to view this movie, you need to install the Wonderful video player provided by company A.”, and there were two buttons bellow: “Install” and “Cancel”. • Which button would you click?

  7. First path: You installed them! • Common-sense Test 3: • You wanted to install a free PDF printer driver found on the Web. At the beginning of the installation, a license agreement dialog popped up and there is this sentence in the agreement: “In installing this software, you agree that a browser toolbar will be installed which will collect certain usage information…”. • Do you want to agree to the EUL?

  8. Key Points • When you run a program, you are essentially giving out everything you can do on your computer to the program • It is like giving someone the key to your house, and wait for him to return the key to you when he is done!

  9. Second Path: You are hacked! • Common-sense Test 4: • You got an email with the subject line: “You received a greeting card from Hallmark!”, and an attachment file “Card.jpg”. • Should you open the attachment?

  10. Second Path: You are hacked! • Common-sense Test 5: • In light of the death of Michael Jackson, you searched the Web for his songs. You found one at a website with a link to a music file which can be opened by your music player. • Shall you open the music file?

  11. Second Path: You are hacked! • Common-sense Test 6: • You went to a website, on which there is a link to something you are interested in. • Shall you click on that link?

  12. Key Points • You can get malware even without invoking a malicious executable file • There may be vulnerabilities in your computer’s software—operating system or applications • Software vulnerabilities can be exploited when exposed to malicious input • If a vulnerable but otherwise benign program receives a malicious input, it can cause malicious code to be executed with your privilege

  13. Demonstration

  14. Drive-by Download • What you have just seen is called “drive-by download” • Your computer gets compromised while browsing the Web through a vulnerability in the browser, one of its plugins, or some other program that is invoked automatically on downloaded files • A successful exploit gives an attacker full privilege on a computer, which can enable him to • change your computer’s settings • install other malicious programs • steal your personal information • use your computer to attack other computers • and many more…

  15. Perhaps we shall stay at “good” websites? 1.3% of the incoming search queries to Google’s search engine returned at least one malicious URL in the result page. Provos, et al., 2008

  16. How about anti-malware software? Provos, et al., 2008

  17. There is a theoretical limit on how well you can detect malicious content The von Neumann architecture, 1945. Prevailing model of modern computers, which to some degree is an implementation of Turing Machine Turing machine, 1936. Mathematical model of computing

  18. The difficulty of detecting malware automatically • Undecidability of the Halting Problem: • No Turing Machine can figure out the behavior of an arbitrary Turing Machine • Implication for us: • There can be no general mechanized process for determining what a piece of code may do

  19. Total #vulnerabilities reported in NVD

  20. What we can do to reduce the risk • Keep your firewall on • Keep your software up-to-date • Do not browse the web until you have updated your system • Have some anti-malware system could help reduce the attack surface • But do not think you are safe and can do whatever you want • Every end user needs to take part!

  21. But why are there so many vulnerabilities, anyway? Excerpts from Microsoft Windows XP Home Edition (retail) End-user License Agreement • Shouldn’t the vendors be responsible? • “Microsoft warrants that the Software will perform substantially in accordance with the accompanying materials for a period of ninety (90) days from the date of receipt…AS TO ANY DEFECTS DISCOVERED AFTER THE NINETY-DAY PERIOD, THERE IS NO WARRANTY OR CONDITION OF ANY KIND…. Any supplements or updates to the Software, including without limitation, any (if any) service packs or hot fixes provided to you after the expiration of the ninety day Limited Warranty period are not covered by any warranty or condition, express, implied or statutory. • Except for any refund elected by Microsoft, YOU ARE NOT ENTITLED TO ANY DAMAGES, INCLUDING BUT NOT LIMITED TO CONSEQUENTIAL DAMAGES, if the Software does not meet Microsoft's Limited Warranty,… This Limited Warranty is void if failure of the Software has resulted from accident, abuse, misapplication, abnormal use or a virus.

  22. Wouldn’t the vendors care about their reputation? • They will if this can translate into better revenue. • Consumers generally reward vendors for adding features and for being first to market. • The software market is a “market for lemons” • [Akerloff 1966] Market for “Lemons”: when the seller knows (much) more about the good than the buyer, this drives down the price of the good below the fair value.

  23. Can software’s security (quality) be certified? • Yes • But such rigorous certification only happens in a tiny subset of software industry, namely “high-assurance” software • No such certification exists for consumer software • It is costly • It will significantly delay time-to-market • It is hard to measure the “security quality”

  24. It is not a pure technical problem • The software vulnerability problem, and cybersecurity problem at large, is the result of a failed market model. • The parties best placed to address the problem have no incentives (and get penalized) to do so. • Need to re-align the economic interest so that the right people can be motivated to address the problem. • A community-based effort is essential

  25. Cybersecurity is an asymmetric warfare

  26. Thank you! Questions?

More Related