why is internet security so hard n.
Skip this Video
Download Presentation
Why is Internet Security So Hard?

Loading in 2 Seconds...

play fullscreen
1 / 26

Why is Internet Security So Hard? - PowerPoint PPT Presentation

  • Uploaded on

Why is Internet Security So Hard?. Dr. Stephen Kent Chief Scientist- Information Security. Internet Security. Security for the Internet includes both security for network operations and security for network users

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Why is Internet Security So Hard?' - wolfe

Download Now An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
why is internet security so hard

Why is Internet Security So Hard?

Dr. Stephen Kent

Chief Scientist- Information Security

internet security
Internet Security
  • Security for the Internet includes both security for network operations and security for network users
  • The former is usually the purview of ISPs, the latter is a shared responsibility among users, ISPs, and vendors
  • For network users, there is a need to secure information on computers and in transit across the Internet
  • This presentation focuses on security for Internet users
what is security
What is Security?
  • ISO 7498-2 defines five security services
    • Confidentiality (secrecy)
    • Authentication (identify verification)
    • Integrity
    • Access control
    • Non-repudiation (not “taking back” what one “said”)
  • Users also would likely include
    • Preventing spam
    • Preventing denial of service
    • Privacy
information security disciplines
Information Security Disciplines
  • Physical security
  • Procedural security
  • Personnel security
  • Compromising emanations security
  • Operating system security
  • Communications security

a failure in any of these areas can undermine the security of a system

security terminology
Security Terminology
  • Vulnerabilities
    • security flaws in systems
  • Attacks
    • means of exploiting vulnerabilities
  • Countermeasures
    • technical or procedural means of addressing vulnerabilities or thwarting specific attacks
  • Threats
    • motivated adversaries capable of mounting attacks which exploit vulnerabilities
adversaries the bad guys
Adversaries (The Bad Guys)
  • Hackers
  • Disgruntled employees
  • Industrial spies
  • Terrorists
  • Special interest groups
  • Journalists
  • Real spies
  • Criminals (organized or otherwise)
adversary characteristics
Adversary Characteristics
  • Capabilities
    • Network wiretapping
    • Remote attacks against operating systems or applications
    • “Social engineering” (e.g., SPAM)
    • Physical attacks
    • Personnel subversion
  • Resources
    • Personnel
    • Technology
    • Funds
  • Aversion to detection
  • The simple characterization of our problem is the existence of vulnerabilities in products
  • We face a two sorts of vulnerability problems:
    • Known vulnerabilities
    • Unknown vulnerabilities
  • For known vulnerabilities we can deploy specific countermeasures
  • For unknown vulnerabilities, at best we try to prevent/detect behavior that might be exploiting these vulnerabilities
sources of vulnerabilities
Sources of Vulnerabilities
  • Design flaws
    • operating system & application vulnerabilities
    • protocol design vulnerabilities
  • Implementation flaws
    • programming errors
    • undocumented system & application “features”
  • Mismanagement
    • unintended and/or residual authorizations
    • failure to deploy security bug fixes
security continuum
Security Continuum
  • There are no perfect, secure systems
  • Systems are "adequately secure" only relative to a perceived threat
  • Absence of obvious insecurities is not a good indication that a system is adequately secure
  • Risk analysis, if properly performed, provides a methodology for identifying what constitutes adequate security
the threshold effect
The Threshold Effect
  • Once a technical attack against a security technology has been "debugged" it can be executed by a wide range of (inexperienced) attackers
  • A technical attack that can be effected using inexpensive hardware or software is especially easy to transfer from sophisticated attackers to amateurs
  • Thus it is dangerous to dismiss an attack as "too complex or too technical" because the perceived attackers do not possess the technical capability to mount the attack
why are the bad guys winning
Why are the Bad Guys Winning?
  • Most vendor software has poor security characteristics
    • Too complex
    • Badly designed
    • Buggy
  • Most users are sloppy
    • Don’t install the latest patches
    • Easily tricked (social engineering)
    • Poor password choices, password reuse, …
  • Hackers value their time at 0, but user have other priorities in life!
common defense strategies
Common Defense Strategies
  • Firewalls
  • Intrusion Detection Systems
  • Anti-virus technology (in hosts and in mail gateways)
  • Anti-spam technology (in hosts and in mail gateways)
  • Periodic penetration testing (enterprise nets)
  • Centralized patch management (enterprise nets)
  • Anti-DOS mechanisms (ISPs)
  • Recently renamed Intrusion Prevention Devices (IPDs), probably to help sell more of them :-)
  • The term covers a wide range of technologies, from simple, stateless packet filtering, to application-specific devices
  • At the low end, these offer minimal protection against most adversaries
  • At the high end they are expensive and often interact badly with new applications
  • In all cases, management of the firewall rule sets is complex, time consuming, and thus imperfect
intrusion detection systems idss
Intrusion Detection Systems (IDSs)
  • An IDS attempts to:
    • Detect behavior that exploits known vulnerabilities
    • Detect behavior that might exploit some class of unknown vulnerabilities
    • Detect behavior that might be a precursor to an attack
  • IDS may attempt to:
    • Detect signatures of known attacks
    • Detect anomalous behavior
    • Do both
  • IDS’s tend to work poorly, because of the ambiguities associated with attempts to deal with unknown attacks or to define “normal” behavior
  • False positives (incorrect flagging of traffic as “evil” is common, and makes these systems hard to use
anti virus systems
Anti-virus Systems
  • These attempt to detect viruses (and worms), typically distributed via e-mail attachments or other forms of file transfer
  • Usually they are signature based, which means they know only about previously-detected viruses
  • A network manager or user has to acquire signature list updates periodically, or become vulnerable to newer viruses
  • These can be effective if properly managed, but people are sloppy, and virus writers are prolific
anti spam technology
Anti-spam Technology
  • The problem with spam is that it is impossible to distinguish from legitimate mail, in the worst case
  • Some anti-spam technology works on signatures, like anti-virus technology, but it is not very effective because spam generation software does not focus on software vulnerabilities, like viruses
  • Some anti-spam technology is based on Baysean filters (probabilistic measures), but it too is subject to false positive/false negative tuning problems
  • Spam is of value to its senders primarily because users are greedy or naïve; solving this is NOT a technical problem
penetration testing
Penetration Testing
  • This is an approach used by many enterprises, but rarely by individual users
  • At the low end it is automated, mostly a patch check on end systems and a firewall filer rules check
  • At the high end one pays “experts” to try to break into your system(s)
  • The low end is useful as a form of external checking re good housekeeping
  • The high end is very expensive
centralized patch management
Centralized Patch Management
  • The notion here is to enable an IT organization to check the status of end systems and to patch them before the systems are successfully attacked
  • Vendors like Cisco and Microsoft offer this as a service, part of “admission control” to a LAN
  • This is another form of “good housekeeping” checking, on a more frequent basis
  • It is analogous to low end penetration testing, a form of centrally managed anti-virus updating
  • BUT, an already-compromised system can avoid detection if the attacker is clever
anti dos technology
Anti-DoS Technology
  • Denial of service attacks seek to make resources unavailable, typically through overloading network access lines with lots of traffic
  • The problem is that it is hard to tell good traffic from bad traffic out in the Internet (vs. at an end system)
  • Some systems try to look at traffic flows and discard packets if the flow to a given destination is “too high” BUT, good traffic is often discarded as well as bad!
  • We know that some DoS hackers have thousands of “zombie” systems available to them, dispersed over the Internet, to launch attacks, which makes it almost impossible to counter such attacks without causing problems for legitimate users as well
abstraction and attacks
Abstraction and Attacks
  • One strategy for an adversary is to attack below the layer of abstraction at which security measures are defined, or via ill-defined interfaces
  • Complex applications and operating systems like Windows have many ill-defined interfaces
  • Security measures implemented in applications (or middleware) embody high levels of abstraction
  • The trend is to create more opportunities for an attacker as we use more complex, high level application development environments, e.g., web services
security in products functionality vs assurance
Security in Products: Functionality vs. Assurance
  • Security functions: usually visible, security-relevant features that provide the means by which security is invoked and managed
  • Security assurance: often invisible means by which one develops confidence in the correct operation of security features
  • Many products now advertise lots of security functions (because today, security sells), but the products offer little or no assurance!
security assurance
Security Assurance
  • Product security assurance techniques
    • penetration testing
    • detailed code review
    • use of formal specifications
    • security evaluation criteria
  • Unfortunately, these techniques are either very expensive or very haphazard
  • As a result, we have few products for which we have a good idea of their security quality
security privacy a quick look


Uniform identification

Extensive auditing

Correlation of audit data

Centralized management

Mediated access to all data



Use of diverse identifiers

Limited data collection

No sharing of records

Distributed autonomy

Mediated access to records that affect privacy

Security & Privacy: A Quick Look

Security and privacy need not be in conflict, but it takes a lot of effort to balance the two

  • Internet security is hard because:
    • Its hard to counter unknown vulnerabilities in products
    • Even security products themselves often have unknown vulnerabilities
    • The utility of an IDS is limited by feature rich environments
    • Most CIOs can’t even track all the systems in their nets
    • There is no methodology for designing a secure system from secure components (and we have few secure components anyway)
    • Abstraction favors the adversary
    • Some problems (e.g., spam) are not technical in nature
    • People are sloppy, greedy, and sometimes naïve