
A recent snapshot of network security: problems, policies, solutions, and unanswered questions

Saikat Chakrabarti (saikat@netlab.uky.edu), Graduate Student, Computer Science, University of Kentucky


Presentation Transcript


  1. A recent snapshot of network security: problems, policies, solutions, and unanswered questions
     Saikat Chakrabarti (saikat@netlab.uky.edu), Graduate Student, Computer Science, University of Kentucky
     CS@UK Security Seminar

  2. Agenda
     • Threats, recent attacks, and experiments
       • TJX incident, shutdown of anti-spam companies, mock attacks
       • Honeypot experiment
     • What are network security personnel @ CS.UK doing?
       • Context 1: Securing content-distribution systems
       • Context 2: Providing accountability in privacy-preserving systems
       • Context 3: Securing inter-domain routing protocols (secure-BGP)
       • Context 4: Securing source routing protocols in ad hoc networks
     • The “real world”: use of policies in information security
       • HIPAA, Sarbanes-Oxley, are policies needed at all?
     • Conclusions (Questions)

  3. Recent attacks
     • January 2007
     • Reported by: TJX, owner of TJ Maxx and Marshall‘s
     • Hackers use long-range antennas to tap Wi-Fi networks of TJX
     • Hackers gain access to 45M users' credit card information
     • Theft cost more than $256 million

  4. Recent attacks
     • May 2007
     • Estonia's government relocates a Soviet memorial in the country's capital
     • Russian hackers launch DDoS attacks against Estonia’s government
     • Banking and media Web sites down for more than a week
     • No direct connection between the hackers and the Russian government found

  5. Recent attacks
     • May 2006
     • Blue Security Inc. developed a powerful anti-spam mechanism, Blue Frog
     • The Blue Frog program sent messages back to the sender of any spam
     • Hackers aimed several denial-of-service attacks at the company
     • Blue Security Inc. shut down

  6. Experiments
     • Staged attack reveals vulnerability in power grid
     • Department of Energy's Idaho lab
     • March 2007

  7. BBC’s honeypot experiment
     • Malicious programs view honeypots like any other PC
     • Honeypots use a variety of forensic tools to log what happens to them

  8. Network Security Folks @ CS.UK
     • Context 1: Securing content-distribution systems
     • Context 2: Providing accountability in privacy-preserving systems
     • Context 3: Securing inter-domain routing protocols (secure-BGP)
     • Context 4: Securing source routing protocols in ad hoc networks

  9. Securing content-distribution systems

  10. Sub-context: reliable, group-oriented multicast applications
     • Problems
       • Source needs to verify whether a message was reliably delivered to the intended receivers
       • Source needs to verify all individual signatures
       • This does not scale: the “Signed-Ack implosion problem”
     • Solution overview
       • Create an aggregate signature: combine n signatures from n signers into a single signature, preserving length
       • Create an aggregate public key: combine n public keys into a single public key. Use the aggregate public key to verify the aggregate signature

  11. Authenticating feedback in multicast applications
     • Leaves:
       • Register PKs with TTP
       • Send (Ack, Sig) pair toward source
     • Internal nodes:
       • Verify incoming signatures
       • Aggregate PKs of children
       • Aggregate sigs
       • Register aggregate PKs
       • Send (Ack, Sig) pair
     [Figure: Multicast/Feedback Delivery Tree]

  12. Designing privacy-preserving accountability systems
     • Accountability
       • Who is responsible for the packet?
       • Authority needs to vouch for legitimacy of message
     • Need to preserve privacy
       • Keep ownership of message secret from authority
     • Existing proposals
       • Routers need to “mark” packets
       • Idea of an accountability provider

  13. Designing privacy-preserving accountability systems
     • Idea: use blind signatures
     • Conventional blind signatures
       • Used in: E-Cash, self-certified public keys, E-Voting schemes
       • Heavy-weight in nature
     • Observation: blind signatures have the potential to form critical building blocks in privacy-preserving accountability protocols
     • Need to construct efficient blind signatures

  14. Solution overview
     • Signer (ISP):
       • Generate ephemeral key pair
       • Send ephemeral public key to owner of message (customer)
     • Owner (customer):
       • Generate blinded hash of message
       • Send blinded message to signer
     • Signer:
       • Sign blinded message
       • Send signature to owner
     • Owner: generate blind signature on original message
     • Transformed blind signature is valid on the original message under the public key of the ISP
     • ISP cannot associate the (message, blind signature) pair with the customer
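The four-step exchange above, worked through as an added example that is not from the talk or the authors' own scheme: it instantiates the ISP/customer protocol with a blind Schnorr signature (a discrete-log construction whose "ephemeral key pair" is the signer's commitment), using a constructed toy group that is far too small for real use; the function names and the 4-byte encoding of R are assumptions of this example.

```python
import hashlib
import secrets

# Toy group, constructed for illustration only (far too small for real use):
# p is a safe prime, q = (p - 1) / 2 is prime, and g generates the order-q subgroup.
P, Q, G = 2039, 1019, 4

def challenge(R: int, msg: bytes) -> int:
    """Fiat-Shamir challenge H(R || m) as an integer."""
    return int.from_bytes(hashlib.sha256(R.to_bytes(4, "big") + msg).digest(), "big")

def keygen():  # ISP long-term key pair: secret x, public y = g^x
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def signer_commit():
    """Step 1 (ISP): ephemeral key pair (r, R = g^r); R goes to the customer."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)

def owner_blind(y, R, msg):
    """Step 2 (customer): blind the challenge on the real message."""
    alpha, beta = secrets.randbelow(Q), secrets.randbelow(Q)
    R_blind = (R * pow(G, alpha, P) * pow(y, beta, P)) % P  # R' = R * g^alpha * y^beta
    c_blind = challenge(R_blind, msg)                        # c' = H(R' || m)
    c = (c_blind + beta) % Q                                 # the ISP only ever sees c
    return (alpha, c_blind), c

def signer_sign(x, r, c):
    """Step 3 (ISP): sign the blinded challenge; neither m nor c' is revealed."""
    return (r + c * x) % Q

def owner_unblind(state, s):
    """Step 4 (customer): transform into (c', s'), valid on m under the ISP key y."""
    alpha, c_blind = state
    return c_blind, (s + alpha) % Q

def verify(y, msg, sig):
    """Anyone: recompute R' = g^s' * y^(-c') and check H(R' || m) == c'."""
    c_blind, s_blind = sig
    R_blind = (pow(G, s_blind, P) * pow(y, Q - c_blind % Q, P)) % P  # y^(-c') via y^q = 1
    return challenge(R_blind, msg) == c_blind

def run_protocol(msg: bytes):  # full exchange; returns (y, sig, verified, ISP's view)
    x, y = keygen()
    r, R = signer_commit()
    state, c = owner_blind(y, R, msg)
    s = signer_sign(x, r, c)
    sig = owner_unblind(state, s)
    return y, sig, verify(y, msg, sig), (R, c, s)
```

The tuple (R, c, s) is everything the ISP records; the final signature (c', s') shares no value with it, which is what prevents the ISP from linking a later (message, signature) pair to the customer session.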

  15. The “real world”: use of policies in information security
     • HIPAA: the health care industry has embraced policies to take administrative, technical and physical safeguards
       • Ensure integrity and confidentiality of individually identifiable health information held or transferred by them
       • Protect against any reasonably anticipated threats, unauthorized use or disclosure
       • Ensure compliance by officers and employees
     • So what? I don’t work for a health care company!
       • People thought about protecting systems and information via policies
       • Other regulatory frameworks may try to piggyback off of the HIPAA model

  16. The “real world”: use of policies in information security
     • Sarbanes-Oxley (SOX)
       • After Enron, Adelphia Communications and others showed there were flaws in current financial reporting requirements, Congress passed SOX
       • Purpose: to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to securities laws
       • The IT Governance Institute has used frameworks to create specific IT control objectives for SOX
     • What do you have to do to comply with SOX?
       • Security policy and standards
       • Access and authentication
       • User account management
       • Network security
       • Monitoring
       • Segregation of duties
       • Physical security

  17. The “real world”: use of policies in information security
     • Security policy
       • For SOX, policies are key to demonstrating compliance
     • Auditors will look for:
       • Whether policies exist for appropriate information security topics
       • Whether policies have been approved at appropriate management levels
       • Whether policies are communicated effectively to personnel
     • See ISO 17799 and the SANS Security Policy Project: http://www.sans.org.resources/policy

  18. The “real world”: use of policies in information security
     • Policies for access and authentication
       • The company must employ methods to validate that only authorized personnel can access the system and perform activities within their level of authorization
     • Methods could include
       • Biometric mechanisms
       • Password mechanisms: subject to policies regarding length, complexity, aging and reuse; prohibit password sharing

  19. The “real world”: use of policies in information security
     • Policies for network security
       • Perimeter security with firewalls and IDS
       • Internal firewalls could be warranted to segregate sensitive areas of the internal network or wireless access points
       • Encryption should be used for sensitive information (SSL, PGP, etc. for financial information)
       • Anti-virus protection should be installed and regularly updated
       • Wireless security requires special assessment and could be segregated from the remainder of the network (remember the TJX incident!)
       • Regular penetration testing

  20. The “real world”: use of policies in information security
     • Auditors will look for:
       • Whether standards exist for appropriate technology areas given the nature of your business and your environment
       • Whether standards have been approved at appropriate management levels
       • Whether standards are communicated effectively to personnel
       • Whether standards are followed
       • Process for error and exception handling
       • Process for modification of standards

  21. Conclusions (Questions)
     • Are we aware, are we conscious?
     • Context: business world
       • Are policies needed at all? (Depends on context)
       • Enforcing policies increases cost. Companies are moving out of the US before going public
       • Do we protect the company more or the user more?
     • Context: academic world (overlaps with business world?)
       • Are traditional security courses enough?
       • Do graduate security courses need to include material on security policies?
       • How aware do students graduating and entering the “real world” need to be about security policies?

  22. Thank you. Discussions