
Making the Tradeoff: Be Secure or Get Work Done

SEC 203. Making the Tradeoff: Be Secure or Get Work Done. Steve Riley, Sr. Security Strategist, Microsoft Trustworthy Computing Group, steve.riley@microsoft.com, http://blogs.technet.com/steriley. Old vs. new: traditional approaches vs. contemporary attacks. How have bad-guy methods changed?


Presentation Transcript


  1. SEC 203 Making the Tradeoff: Be Secure or Get Work Done Steve Riley Sr. Security Strategist Microsoft Trustworthy Computing Group steve.riley@microsoft.com http://blogs.technet.com/steriley

  2. Old vs. new • Traditional approaches vs. contemporary attacks • How have bad-guy methods changed? • What motivates them now?

  3. What’s changing? Old: • Large global events • Massive worms • Making headlines New: • Identity theft, financial fraud • Spyware • Exploit enterprises • Making money

  4. Meta-trend • Identity theft • Spamming • Phishing • Extortion

  5. Increasingly sophisticated • Poly- and metamorphic • Evading anti-virus software • Act as vulnerability assessment tools • Use search engines for reconnaissance • Better targeting • Don’t advertise presence So what’s going on? • Malware becomes more sophisticated • Attacks are useful for longer times • Vulnerabilities have street value • Common to modify existing proven attack code • More variants of successful worms • Might result in new and hidden entry points • Criminals hire attackers • Criminals reuse their code • Huge market in unknown vulnerabilities • Capitalizing on shrinking window of exposure

  6. How bad is it? Direct losses • $13,000: grows with frequency, extent, severity (FBI 2005 Computer Crime Survey) • $83,000: small company, modest infection (Counterpane Internet Security) • $millions Indirect losses • $?: reputation, customer trust (Counterpane Internet Security and MessageLabs)

  7. Trojan attacks: top 5 by industry (Counterpane Internet Security and MessageLabs)

  8. Probes and enumerations: top 5 by industry (Counterpane Internet Security and MessageLabs)

  9. Spyware: top 5 by industry (Counterpane Internet Security and MessageLabs)

  10. Direct attacks: top 5 by industry (Counterpane Internet Security and MessageLabs)

  11. Security's link to economics • An economic opportunity lurks inside every security problem • Learn how to express security issues in economic terms • Look for ways to shift the balance in your favor

  12. Spyware is costing you big (Network World Magazine)

  13. A law firm (Network World Magazine)

  14. Is email even useful anymore? (Postini)

  15. Is email even useful anymore? (Postini)

  16. Is email even useful anymore? (Postini)

  17. Is email even useful anymore? (Postini)

  18. An affiliates program “Our first program pays you $0.50 for every validated free-trial registrant your website sends to [bleep]. Commissions are quick and easy because we pay you when people sign up for our three-day free-trial. Since [bleep] doesn't require a credit card number or outside verification service to use the free trial, generating revenue is a snap. The second program we offer is our pay per sign-up plan. This program allows you to earn a percentage on every converted (paying) member who joins [bleep]. You could make up to 60% of each membership fee from people you direct to join the site. Lastly, [bleep] offers a two tier program in addition to our other plans. If you successfully refer another webmaster to our site and they open an affiliate account, you begin earning money from their traffic as well! The second tier pays $0.02 per free-trial registrant or up to 3% of their sign-ups.”

  19. Let’s do the math SoBig spammed 100,000,000 mailboxes. What if… Would you do it???

  20. Postmarks—change the economics http://research.microsoft.com/research/sv/PennyBlack/
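The arithmetic slides 18 through 20 gesture at, as an added example that is not part of the deck: a toy model of a spam run's expected profit and of how a per-message postmark changes it. The 100,000,000 mailboxes and the $0.50 payout are the slides' own figures; the response rate, the CPU price and the postmark size are constructed assumptions.

```python
# Added example, not from the deck: a toy model of the spam economics in
# slides 18-20. Only MAILBOXES and PAYOUT_PER_SIGNUP come from the slides;
# every other figure is a constructed assumption.

MAILBOXES = 100_000_000        # slide 19: SoBig spammed 100,000,000 mailboxes
PAYOUT_PER_SIGNUP = 0.50       # slide 18: $0.50 per validated free-trial registrant
RESPONSE_RATE = 0.0001         # assumption: one recipient in 10,000 signs up
CPU_DOLLARS_PER_HOUR = 0.10    # assumption: what an hour of sender CPU is worth
POSTMARK_CPU_SECONDS = 10.0    # assumption: computation each message must carry


def campaign_profit(mailboxes, response_rate, payout, cost_per_message):
    """Expected profit of one run: affiliate revenue minus per-message sending cost."""
    revenue = mailboxes * response_rate * payout
    cost = mailboxes * cost_per_message
    return revenue - cost


def break_even_cost(response_rate, payout):
    """Per-message cost above which the run loses money, whatever its size."""
    return response_rate * payout


def postmark_cost(cpu_seconds, dollars_per_cpu_hour):
    """Dollar value of the computation a postmark forces the sender to spend."""
    return cpu_seconds * dollars_per_cpu_hour / 3600.0


def postmark_defeats_campaign(cpu_seconds, dollars_per_cpu_hour, response_rate, payout):
    """True when the postmark alone pushes the campaign below break-even."""
    return postmark_cost(cpu_seconds, dollars_per_cpu_hour) > break_even_cost(response_rate, payout)


def daily_cpu_minutes(messages_per_day, cpu_seconds):
    """CPU time a sender spends per day on postmarks: minutes for a person, years for a spam run."""
    return messages_per_day * cpu_seconds / 60.0


if __name__ == "__main__":
    stamp = postmark_cost(POSTMARK_CPU_SECONDS, CPU_DOLLARS_PER_HOUR)
    print(f"profit with free sending:    ${campaign_profit(MAILBOXES, RESPONSE_RATE, PAYOUT_PER_SIGNUP, 0.0):,.2f}")
    print(f"profit with a postmark:      ${campaign_profit(MAILBOXES, RESPONSE_RATE, PAYOUT_PER_SIGNUP, stamp):,.2f}")
    print(f"break-even cost per message: ${break_even_cost(RESPONSE_RATE, PAYOUT_PER_SIGNUP):.6f}")
    print(f"postmark minutes/day, 50 messages: {daily_cpu_minutes(50, POSTMARK_CPU_SECONDS):.1f}")
```

The point of the last function is the asymmetry the postmark relies on: the same per-message cost is noise for a person who sends a few dozen messages a day and ruinous for a run of a hundred million.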

  21. Spam and spyware lead to bots Consider a 10,000-member botnet

  22. How to become a bot Low interest rates! Gimme credit cards! Extend your penis! Get a better job! Cheap movie tickets!

  23. Edwin Pena: pioneering VoIP attacks

  24. Edwin’s stats

  25. The tradeoff • Security vs. usability • Security vs. usability vs. cost • Is the security worth the cost?

  26. Secure / Usable / Cheap: you get to pick any two!

  27. Examples • Personal security • Event/city security • National security • Aviation security • Information security

  28. Personal security: bullet-proof vests • Claim: protects you from gunshot death • Costs • Weight • Comfort • Convenience • Lack of style • Risk + likelihood: very low • Analysis • Risk not worth the cost

  29. Personal security: children and strangers • Claim: talking to strangers is dangerous • Costs • Fear of asking for help • Default stance of distrust • Reduction in civil society • Risk + likelihood: quite low • Analysis • More children will suffer

  30. Event/city security: cameras and face recognition • Claim: watch crowds everywhere, find criminals • Costs • Money • Privacy • High error rate • Risk + likelihood: questionable • Analysis • Did the costs actually help find criminals? • Tampa: no

  31. National security: war on terror • Claim: protect United States from terrorists • Costs • Money • Lives • American reputation • Personal freedoms and liberties • Risk + likelihood: extremely low • Analysis • Did we get the most security possible, given the costs? • Is there any return in exchange for liberties?

  32. Speaking of war…

  33. Aviation security: how much screening? • Claim: identity + inspection = intent • Costs • Privacy (plus embarrassment) • Time (plus convenience) • Restrictions (liquids, pointy things) • Liberties (guilty first, massive profiling databases) • Money • Risk + likelihood: low • Analysis • Does any of it actually make airplanes more secure? • Can you pick bad guys out of a crowd?

  34. Aviation security: too much? • Transmission x-ray

  35. Aviation security: too much? • Backscatter x-ray

  36. Aviation security: too much? • Passive-millimeter wave scanner

  37. Information security Will you exchange these? • Performance • Freedom and location of access • Ease or frequency of use • Portability • Time • Cost • Privacy

  38. Tradeoff: complete security

  39. Information security • Passwords: remembering vs. writing down • RFID: inventory tracking vs. monitoring locations • System config: locked down vs. wild and free • Access control: strict vs. loose • Encryption: privacy vs. loss • Email: availability vs. integrity • Security admin vs. network admin • Security staff vs. executive management 

  40. Virtual keyboards • Seems to be effective… • Screen recorders • Steal session after logon • Capture credentials from HTTP stream before SSL encryption • Hassle factor: forces user to select a short password • So maybe it’s less secure! • Not worth the tradeoff—slow and clunky • Addresses symptom (stolen credential) vs. root cause (malware) • Threat scenario is too specific

  41. Privacy tradeoffs • Have a private face-to-face conversation? • Drive from A to B without anyone knowing? • Fly? • Be totally invisible in a crowd? • But still leave your cell phone turned on? • Make purchases without revealing your identity? • Online? • Embed tracking devices in pets? • In people? • Surf the Internet anonymously? • Send email anonymously?

  42. Are we designed to make tradeoffs? • Yes • When threats are visible, obvious, immediate, recent • But common threats we forget about • No • When threats are invisible, nonobvious, delayed, historical • But rare threats we tend to hype

  43. Applying the tradeoff • Don’t spend more on mitigation than the asset is worth! • Don’t destroy the asset in the process • Some risks you have to tolerate • Make the loss cost less • Transfer risk to someone else • Or simply ignore

  44. Everything we do is risk management • Should you apply the patch? • Did you make that setting? • Did you get rid of Wintendo? • How did you configure the firewall? • What’s the ACL? • Risk management deals with threats

  45. Not risk management • “We have to enable NTLMv2” • “Another patch? Let’s switch platforms” • “Another patch? OK, deploy it” • “All systems should be secure by default”

  46. One size does not fit all • Every environment is unique • The risks differ for each environment • Risk tolerance differs • Products are designed based on assumptions • No product provides optimal security Lemma: You cannot design an optimal security strategy without a thorough understanding of the usage and risks

  47. Risk assessment [chart: risk (low to high) plotted against asset value (low to high); a risk-tolerance line separates the “What? Me worry?” region (low risk, low asset value) from the “Yes! We worry!” region (high risk, high asset value)]

  48. It’s got to cover all layers • People, policies, and process • Physical security • Data • Application • Host • Internal network • Perimeter

  49. Sample classification schemes
