Information Security Trends
The Information Security Process
Emiliano Kargieman
Agenda
• The briefest introduction to IS you’ve ever seen
• Cybercrime indicators, threats and trends
• Where is this going?
• What do we do about it?
Information Security
• The Context: the Information Age
• The Fundamentals
– Privacy
– Authenticity and Integrity
– Availability
– Non-Repudiation
• The Purpose
– Dissuasion
– Prevention
– Auditing
[Diagram: organizational areas that exchange information: IT, Production, Transport/Logistics, Sales, Admin.]
Current Scenario: “if it ain’t broken, don’t fix it”
• As the complexity and flexibility of information systems increase, security decreases.
• Legacy systems are not maintained or audited
• Low level of awareness in decision makers
• Lack of security focus from software/hardware vendors and integrators
• Lack of a global framework to analyze and understand security
• Lack of security “Best Practices”
And then…
• Unforeseen vulnerabilities
• High risk, high level of exposure
• High administrative effort
• Risk is managed reactively; it’s all damage control.
“Cybercrime”: Indicators and Trends
Indicators
• Indicators of cybercrime are historically hard to find.
• Incidents are not usually reported
– Most common reasons for not reporting a security incident, according to a survey by the FBI/CSI:
[Bar chart, 1996–2001, scale 0–100: the two reasons shown are “Negative publicity” and “It could be useful for competitors”; the data labels read 90 and 75.]
Indicators
• To be reported, attacks need to be detected first!
– A 1996 survey by the Defense Information Systems Agency showed the following results for a systematic attack against government targets:
Attacks: 38,000
Successful: 24,700 (65%)
Detected: 988 (4%)
Reported: 267 (0.7%)
NOT DETECTED: 23,712 (96%)
– This is still true: most attacks go undetected!
Sources of information
• 2001/2002 CSI/FBI Computer Crime and Security Survey – www.gocsi.com
• Information Security Magazine 2001 Industry Survey – www.infosecuritymag.com
• GAO/AIMD-96-84 (DISA) – www.gao.gov, www.disa.mil
• Honeynet project – www.project.honeynet.org
• Bugtraq mailing list – www.securityfocus.com
• ARIS – www.securityfocus.com
• CERT – www.cert.org
• SANS Incidents – www.incidents.org
• Dshield project – www.dshield.org
Recent Indicators: CSI/FBI Survey 2002
• 2002 CSI/FBI Computer Crime and Security Survey
• Performed by
– Computer Security Institute
– San Francisco FBI’s Computer Intrusion Squad
• Results for the years 1996 – 2002 are analyzed
• 538 surveyed
• USA
• Public and private sectors
• 24% have 10,000+ employees
• 37% have $1,000,000,000+ in revenues
[Pie chart, respondents by sector: Others 32%, Financial 19%, Hi Tech 19%, Government 19%, Manufacturing 11%]
Recent Indicators: CSI/FBI Survey 2002 (cont.)
Quantifiable loss in the last 12 months (millions)
1997: 100
1998: 137
1999: 124
2000: 266
2001: 369
2002: 455
• 2001: 78% admitted loss, but only 37% could quantify it
• 2002: 80% admitted loss, 44% could quantify it
Recent Indicators: CSI/FBI Survey 2002 (cont.) [chart slides; figures not recoverable]
Recent Indicators: The Honeynet project
• “Know your enemy...”
• Decoy network of 8 computers running
– Linux
– Solaris
– Windows
• No efforts to attract attackers
• Monitored from April 2000 to February 2001
The Honeynet project: Some Results
• The estimated lifetime of a default Red Hat Linux install is less than 72 hours.
• Some systems were compromised less than 15 minutes after being plugged into the network.
• The estimated lifetime of a default install of Windows 98 is less than 24 hours.
• During February 2001, 206 complete port scans were registered.
Top Ten Attacks Q1 2002
1. Code Red - MS Indexing Server/Indexing Services ISAPI Buffer Overflow Attack
2. Nimda – Microsoft IIS 4.0/5.0 Extended UNICODE Directory Traversal Attack
3. Matt Wright Formmail attack
4. WU-FTPD File Globbing Heap Corruption Attack
5. SSH CRC32 Compensation Detection Attack
6. Generic CDE dtspcd Buffer Overflow Attack
7. Generic System V Derived Login Buffer Overflow Attack
8. Generic SNMP PROTOS Test Suite Attacks
9. Shaft DDoS Client To Handler Attack
10. PHP Post File Upload Buffer Overflow Attack
Example worm spread (Code Red / Nimda) [chart not recoverable]
Attack technology evolution
• Attack frameworks
– Easy to use malicious code
– Reduces the knowledge needed to attack
– Allows for coordinated multiparty attacks
• Attack automation
– Distributed DoS / very complex worms / directed viruses
– Faster target acquisition
– Large scale attacks with low resources
– Brute-force attack paths
The “War Games” Scenario
• Fully automated attack tools
• Fully automated responsive tools
• A zero-sum game?
Where do we go from here?
The perception of risk
• There is no real security.
• Security is only the perception of risk.
• Security management is risk management.
• To increase security, risk needs to be:
– Modeled
– Quantified
– Minimized over time
Information Flow
• Model the flow of information in an organization, where players communicate, process and store information.
Entry points
• Each of these actions and interactions possesses its own risk.
[Diagram: the information-flow model with each interaction annotated with its own risk Ri]
Modeling Risk: Risk quantification
Risk = (Threats × Vulnerabilities × Impact) / Countermeasures
– Threats: attacker profile, resources available
– Vulnerabilities: software flaws, biased policies, bad protocols, etc.
– Impact: loss, attractiveness
– Countermeasures: practices and technologies
Modeling Risk: A risky game
Risk = ∫_{I.F.} ∫_{T} Ri  <<  m·T
(Ri integrated over the information flow I.F. and over time T)
There are no recipes
• The Information infrastructure and the information flow are unique to each organization.
• Threats, vulnerabilities, impact, they all depend on the process we are trying to protect.
• All these variables and factors evolve over time, so does risk.
• Security emerges from the unique qualities of an information system.
• There are no silver bullets.
Security is a process
[Diagram: the security process cycle: Security Policy, Risk Modeling, Security Architecture, Visibility and Control; the role of the policy]
Inside the Corporations
Industry Context
• Several years of technological legacy
• Increasing dependency on IT for business
• Need to accelerate the adoption of new technology in order to compete
• Heterogeneous IT infrastructure
• Difficulty in understanding the secondary effects of new technologies
• Risk is managed reactively
• Lack of a global framework to analyze and solve security problems
• Unforeseen vulnerabilities, more risk and more administrative effort
The way for Industry
• Understanding
– Risk modeling and management
– Cultural paradigm shift
– Security in terms of business processes
– Strategic vision
• Interaction
– To cope with the “holistic” security view and address the emerging vulnerabilities.
• Enforceability and Manageability
– Not only tools: frameworks
A product mapping
[Diagram placing products: Firewalls, PKI, File system restrictions, App. Security, Risk Modeling, Network discovery, Pen testing]
Product Implementations [diagram slide; not recoverable]
Integration
• Point products solve isolated problems.
• To address the emerging security problems, we need the modules managing different security areas to communicate.
• Integration will reduce the administrative effort and the implementation effort.
• Integration is not just a cosmetic resemblance.
• The security modules should be able to change the behavior of the whole security system.
DAC, MAC, RBAC
• DAC: Discretionary access control
• MAC: Mandatory access control
• RBAC: Role-Based access control
[Diagram: the three models positioned on Manageability and Flexibility axes, each marked + or -]
Roles
• A player attains a function in the organization by participating in a series of processes.
• In each of these processes, the player has a specific, well defined role.
• To perform a role in a process, a player needs access to a well-defined set of resources in the organization.
Managing the security policy graph
• The relationship between players, functions, roles and resources can be represented as a directed graph.
[Diagram: directed graph Player → Function → Roles → Resources]
Granularity
• The detail we obtain in the definition and control of the resources needed for performing a specific role gives us a measure of the granularity of the security policy.
• Granularity allows us to address emerging vulnerabilities.
• Granularity allows us to close the gap between security and flexibility.
[Diagram: a Role linked to its Resources]
• Resource types
– Servers/services
– Applications
– Communications
– Files
– Devices
– Transactions
– Registry/configuration
– etc.
Accuracy
• The resources needed to perform each role are distinct.
• The same player should or shouldn’t be allowed access to a given resource depending on the process she is participating in.
• Failing to accomplish this will render our security policy inaccurate.
[Diagram: Role A and Role B, each with its own set of Resources]
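The policy graph, granularity and accuracy points above, worked as code (an added example, not from the presentation; the player, function, role and resource names are constructed): access is checked in the context of the role being performed, so the same player is allowed a resource in one process and denied it in another, and the gap between what a player could reach and what the active role needs is reported as a measure of policy inaccuracy.

```python
"""Role-scoped access checks over a security policy graph (added example).

Players, functions, roles and resources form a directed graph
(player -> function -> role -> resource). An access request is evaluated
in the context of the role the player is currently performing, so the
same player may be allowed or denied the same resource depending on the
process. All names below are constructed sample data.
"""
from collections import defaultdict

# Edges of the policy graph. Resources carry a type prefix (service, file,
# transaction, device) to show the granularity of the policy.
EDGES = [
    ("player:alice", "function:accounts-payable"),
    ("player:alice", "function:it-support"),
    ("function:accounts-payable", "role:invoice-approver"),
    ("function:it-support", "role:helpdesk"),
    ("role:invoice-approver", "transaction:approve-payment"),
    ("role:invoice-approver", "file:/finance/invoices"),
    ("role:helpdesk", "service:ticketing"),
    ("role:helpdesk", "device:laptop-imaging"),
]


def build_graph(edges):
    """Adjacency sets of the directed policy graph."""
    graph = defaultdict(set)
    for src, dst in edges:
        graph[src].add(dst)
    return graph


def roles_of(graph, player):
    """Roles reachable from a player through any of the functions they hold."""
    return {r for f in graph[player] for r in graph[f] if r.startswith("role:")}


def is_allowed(graph, player, role, resource):
    """Allow only if the player holds the role AND the role grants the resource.
    Deciding in the context of the active role is what keeps the policy accurate."""
    return role in roles_of(graph, player) and resource in graph[role]


def over_privileged(graph, player, role):
    """Resources the player could reach through other roles that the active
    role does not need: the inaccuracy a role-scoped check removes."""
    needed = graph[role]
    reachable = {res for r in roles_of(graph, player) for res in graph[r]}
    return reachable - needed
```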
Outside Corporations
Government Context
• As an information system, the government faces the same problems as industry.
• It sets and negotiates a local framework
– Standards
– Regulations
– Commercial/Penal Legislation
– Export/Import Restrictions
– Subsidies
• It creates and manages local security infrastructure
– Like PKI, ERT, legal advice, law enforcement
• It negotiates international agreements
Some developments in the US
• Two historic failures
– Export crypto regulations
– Clipper Chip
• Two alarming examples
– Digital Millennium Copyright Act
– Anti-Terrorism Act
• Two interesting developments to follow
– Pentest regulations for federal agencies
– GovNet
IT/IS professionals and scientists
• IS is in a very early phase of development: mainly an information gathering / experiment definition stage.
• We need to start asking certain fundamental questions.
– What does the world look like?
– What are the fundamental entities that make up this world?
– What questions can be asked about them?
• Modeling, formalizing, experimenting, generalizing, theorizing…
• The industry had, has and will have a very influential position
– How are the technologies that are being implemented reducing risk?
– To what extent does this technology protect our critical resources and processes?
– Does this reduction of risk justify the money spent? The effort to implement and manage it?
Brasil: Rua do Rócio 288 | 7º andar | Conj. 73 e 74 | Vila Olímpia | São Paulo/SP | CEP 04552-000 | Tel: (55 11) 3054-2534 / 35 | [email protected]
Argentina: Florida 141 | 2º cuerpo | 7º piso | (C1005AAC) Buenos Aires | Tel/Fax: (54 11) 4878-CORE (2673) | [email protected]
USA: 44 Wall Street | New York, NY 10005 | USA | Tel: (212) 461-2345 | Fax: (212) 461-2346 | [email protected]
Thank you!
(If you ask a question you get a copy of the presentation!)
Modeling Risk: Threats
• Quantified by attacker profile, knowledge, financial resources, human resources, reach, interests:
– Amateur
– Hacker
– Hacker group
– Disgruntled employee
– Competition
– Organized Crime
– Intelligence Agency
– Terrorist organizations
Threats evolve
[Chart: example of projected evolution of threat share (0–100%) by attacker profile, 1985–2010: individuals, groups of individuals, competing companies, organized crime, intelligence agencies, terrorist groups]
Modeling Risk: Vulnerabilities
• Design flaws
– Critical Information systems
– Networks
– Security Architecture
• Implementation flaws
– Operating system vulnerabilities
– Application vulnerabilities
– Hardware vulnerabilities
• Misuse or misconfiguration
• Policy weaknesses
• Unclear responsibilities
Modeling Risk: Impact
• Attack consequences, quantified by Financial loss, Negative publicity, etc.
– Loss of proprietary information
– Corruption of critical information
– Financial Fraud
– Interruption of critical processes
– Sabotage
– Telecommunication fraud
Modeling Risk: Countermeasures
• Security tools, software and mechanisms
– Network devices
– Crypto
– Access control
– Etc.
• Procedures
• Emergency response
• Auditing capabilities
• Visibility
• Training
• (We’ll go into more detail)
Risk Modeling
• Define scope
• Identify critical processes
• Identify critical resources
• Points of failure
• Set Milestones
• Test the policy
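The risk formula (Risk = Threats × Vulnerabilities × Impact / Countermeasures, summed over the entry points of the information flow and tracked over time) and the risk modeling steps above, carried through on a constructed information flow. This is an added example, not from the presentation: the 1–5 scales, the countermeasure factor and the entry point names are assumptions.

```python
"""Risk quantification over an information-flow model (added example).

Each entry point i of the information flow gets
Ri = Threats x Vulnerabilities x Impact / Countermeasures; total Risk is
the sum of Ri over the flow, and adding it up over consecutive periods
is the discrete form of the integral over time. The 1-5 scales, the
countermeasure factor and the sample entry points are assumptions.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class EntryPoint:
    name: str
    threat: int            # attacker profile, 1 (amateur) .. 5 (intelligence agency)
    vulnerability: int     # design / implementation / misconfiguration flaws, 1..5
    impact: int            # loss and attractiveness, 1..5
    countermeasure: float = 1.0  # >= 1.0; 1.0 means nothing in place

    def risk(self) -> float:
        return self.threat * self.vulnerability * self.impact / self.countermeasure


def total_risk(flow) -> float:
    """Risk aggregated over every interaction of the information flow."""
    return sum(ep.risk() for ep in flow)


def points_of_failure(flow, top=3):
    """Entry points ranked by Ri: where a countermeasure pays off first."""
    return [ep.name for ep in sorted(flow, key=EntryPoint.risk, reverse=True)[:top]]


def apply_countermeasure(flow, name, factor):
    """Next snapshot of the flow, with a countermeasure factor applied to one entry point."""
    return [replace(ep, countermeasure=ep.countermeasure * factor) if ep.name == name else ep
            for ep in flow]


def risk_over_time(snapshots) -> float:
    """Sum of total risk over consecutive periods: the quantity to minimize over time."""
    return sum(total_risk(s) for s in snapshots)


# Constructed sample flow: three interactions taken from an information-flow model.
FLOW_T0 = [
    EntryPoint("web server <-> customers", threat=4, vulnerability=4, impact=4),
    EntryPoint("sales laptop <-> CRM", threat=2, vulnerability=3, impact=3),
    EntryPoint("legacy billing batch", threat=3, vulnerability=5, impact=5),
]
```

Re-ranking after each countermeasure is the feedback loop of the process: the next point of failure moves to the top once the previous one is mitigated.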
Security Architecture
• Define policies based on your CURRENT capabilities
• Manage
• Enforce
Visibility and Control
• Define policies you CAN control
• See your policy at work
• Provide feedback for tuning
• Identify next steps