CSC 382/582: Computer Security Incident Response
Slides: 29

Slide 1: CSC 382/582: Computer Security Incident Response
CSC 382/582: Computer Security 1
Slide 2: Topics
1. Future Threats
2. Security in Hardware
3. Software Security
4. Economics of Security
5. Security and Usability
6. Privacy
Slide 3: Increasing Attack Sophistication
Slide 4: More Data Breaches
Slide 5: Future Threats: Profitable Worms
Sobig
– W32 worm using email/network share vectors.
– Contains upgrade mechanism
  • Worm checked sites every few minutes.
  • When site valid, downloaded code.
  • Later variants could update upgrade server list.
– Downloaded payload from upgrade mechanism
  • Key logger.
  • Wingate proxy server (for spam proxying).
Slide 6: Future Threats: Vishing
Voice Phishing
– Send e-mail with phone number. Call into software voice mail system which uses recordings of real bank’s voice mail system.
  • Free PBX software makes this easy to do.
  • E-mails are targeted, including customer’s name.
– Call victims directly using VOIP for cheap, anonymous international calls.
  • Caller-ID spoofing.
  • Attacker often knows CC number, wants the 3-digit code.
Slide 7: Future Threats: Offline Impact
Davis-Besse nuclear power plant
– Slammer infected Plant Process Computer and Safety Parameter Display System (Jan 2003). Analog backups unaffected.
– Infected contractor’s network, then moved through T1 line that bypassed plant firewall.
Seattle 911 system
– Slammer disabled computer systems. Dispatchers reverted to manual systems.
2003 Blackout
– Blaster infected First Energy systems.
Slide 8: Future Threats: Speed
Fast Worms: Slammer
– Attacked MS SQL servers.
– Worm is single 404-byte UDP packet.
– Random-scan (PRNG bugs limited it).
– Limited by network bandwidth, not latency.
– Observed scan rate of 26,000 hosts/second.
– Infected 90% of vulnerable hosts in 10 min.
– Too fast for humans to react.
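The speed figures on this slide follow from a simple model of random scanning, which is why containment has to be automated rather than left to a human on call. The Python below is an added example, not from the slides; it implements the standard logistic worm-propagation model (Staniford, Paxson and Weaver, 2002), assumes a constructed vulnerable population of 75,000 hosts, treats the slide’s 26,000/second as a per-host scan rate (an assumption), and ignores the bandwidth limits that the slide notes actually slowed Slammer.

```python
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a random-scanning worm draws from


def time_to_fraction(vulnerable, scans_per_sec, fraction, initial_infected=1):
    """Closed-form time (seconds) for a random-scanning worm to infect
    `fraction` of the `vulnerable` hosts.

    Model: each infected host sends scans_per_sec probes to random addresses;
    a probe reaches an uninfected vulnerable host with probability
    (N - I) / 2^32, so dI/dt = r * I * (N - I) / 2^32, the logistic curve.
    Bandwidth is assumed unlimited (the slide notes Slammer's was not).
    """
    n, i0 = vulnerable, initial_infected
    k = scans_per_sec * n / ADDRESS_SPACE  # exponential growth rate early on
    return math.log((fraction / (1 - fraction)) * ((n - i0) / i0)) / k


def simulate(vulnerable, scans_per_sec, fraction, dt=0.01, initial_infected=1,
             max_time=3600.0):
    """Step the same model numerically (forward Euler).

    Returns (seconds elapsed, infected hosts) when `fraction` is reached, or
    when max_time runs out. A numeric loop is where effects the closed form
    cannot capture (e.g. a cap on total scan bandwidth) would be added.
    """
    infected, t = float(initial_infected), 0.0
    target = fraction * vulnerable
    while infected < target and t < max_time:
        new_per_sec = scans_per_sec * infected * (vulnerable - infected) / ADDRESS_SPACE
        infected += new_per_sec * dt
        t += dt
    return t, int(infected)


if __name__ == "__main__":
    # Constructed parameters: 75,000 vulnerable hosts (assumption) and the
    # slide's 26,000 scans/second treated as a per-host rate (assumption).
    N, R = 75_000, 26_000
    print(f"closed form: 90% infected after {time_to_fraction(N, R, 0.9):.1f} s")
    t, i = simulate(N, R, 0.9)
    print(f"simulation:  {i} hosts infected after {t:.1f} s")
```

Under these assumptions the model reaches 90% in about half a minute, well under the 10 minutes observed, which is the gap the slide attributes to bandwidth limits rather than latency.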
Slide 9: Hardware Security
Biometrics will become more common.
– Laptop fingerprint readers to login.
– Voice print / eye scan used to login.
– Disney: fingerprint-based Ticket Tag system
– Fingerprints used to check nightclub goers.
Slide 10: Hardware Security: TC
• Problem: You can’t trust the client.
• Solution: Add hardware to give third parties power to enforce security policies on client against users’ wishes.
– Hardware component: “Trusted” Computing
– Software component: NGSCB
Slide 11: Hardware Security Features
1. Memory Curtaining – Hardware-enforced memory protection to prevent programs from accessing each others’ memory, including OS.
2. Secure I/O – Secure path from keyboard to application that cannot be snooped on by keyloggers or spyware.
3. Sealed Storage
   1. Generates keys based on program + hardware.
   2. Only that program on that computer can access data.
4. Remote Attestation – Hardware generation of certificate attesting to identity of software that currently runs on PC.
Slide 12: Problems with Remote Attestation
• Core Problem
– If third parties know what software you’re using, they can refuse to interact with you if you’re running software they don’t want.
• Examples
– Web sites could force you to run IE.
  • Of a specific version vulnerable to their adware.
– Vendor lock-in: prevent interoperability of IM clients or Samba with Windows servers.
Slide 13: TC as a way of enforcing DRM
• Secure I/O
– Prevent text or images on screen from being printed or saved to a file.
• Sealed Storage
– Files encrypted on hard disk so only DRM client can access them.
– Prevent files from being moved to new PC.
• Remote Attestation
– Prevents programs other than DRM client from ever receiving DRMed files.
Slide 14: TC supports Remote Censorship
• Applications can be designed to delete unauthorized documents by remote control.
– Documents must have watermark or serial #.
– DRM documents already include these features.
• Other TC features can be used to require that the application gets regular Internet access.
– App phones home to get list of bad documents.
  • App refuses to allow access to banned documents on any PC.
Slide 15: Solution: Owner Override
Attestation + Owner Override
– Allows third parties to know if software on your PC has changed w/o your knowledge.
– Illicit activities and malware can be detected.
– You can install and run the software you want to use, independent of third party wishes.
Slide 16: Software Security
• The problem with security: Bad design, code.
• Trinity of Trouble will expand
– Connectivity: business critical processes will use wireless networking.
– Complexity: software will continue to get larger.
– Extensibility: more mobile code will be used, and SOA will be used for extensibility on server side.
Slide 17: Economics of Security
The problem with security: Bad incentives.
– Systems are especially prone to failure when security person doesn’t experience cost of failure.
– Security problems are an externality.
– Security techniques can distort markets (DRM).
– Hidden costs of ownership
  • $99 MS Windows + $99 Antivirus, firewall, etc.
Slide 18: Security Incentives
• Banks
– In US, banks liable for ATM fraud.
  • There is relatively little ATM fraud in US.
– In UK, customers liable for ATM fraud.
  • Banks ignored security since customer complaints were assumed to be lies or mistakes.
• Medical Records
– Medical providers dislike security because it requires time and limits sharing.
– Patients want their medical records private.
• Home Users
– Should you pay for antivirus software when the virus likely won’t damage your data but instead attack someone else?
Slide 19: Security as Externality
• Externality: Cost or benefit of an economic transfer that someone who is not a party to the transaction bears, e.g. air pollution, vaccination.
• Security attacks often result in externalities.
– Backscatter from DDoS attacks.
– Botnet that does little damage to zombie PC can do extensive damage to its targets.
Slide 20: Network Externality
• Network externality: the more users a network has, the more valuable it is.
– Compatibility is more important than security in building a market.
– Excessive security (DRM) can allow dominant player to lock in users.
• Problem: How to migrate to more secure network protocols?
Slide 21: Security and Markets: Asymmetric Information
The Market for Lemons
– Ex: Used Car Market
  • 50 good used cars worth $3000 each.
  • 50 lemons worth $1000 each.
  • Sellers know the difference, buyers do not.
  • What price will the market bear?
– Software market suffers from info asymmetry.
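The Akerlof argument this slide sets up can be carried through mechanically. The Python below is an added example, not from the slides; it runs the adverse-selection loop (buyers will pay no more than the average value of what is on offer, and sellers withdraw anything worth more than that) and generalizes beyond the two-type case to any list of seller-known values, which is the same dynamic the slide attributes to a software market where buyers cannot tell secure products from insecure ones.

```python
def lemons_market(values, max_rounds=100):
    """Adverse selection under asymmetric information.

    `values` are the true worths of the goods offered, known to sellers only.
    Buyers cannot tell them apart, so the most they will pay is the average
    value of whatever is currently on the market. Any seller whose good is
    worth more than that price withdraws, which lowers the average, and the
    market unravels until only goods worth no more than the price remain.

    Returns (final price, values still offered, price history per round).
    """
    offered = sorted(values)
    history = []
    price = 0.0
    for _ in range(max_rounds):
        if not offered:
            break
        price = sum(offered) / len(offered)  # buyers' best guess at quality
        history.append(price)
        remaining = [v for v in offered if v <= price]  # who still sells
        if len(remaining) == len(offered):
            break  # stable: nobody else is priced out
        offered = remaining
    return price, offered, history


if __name__ == "__main__":
    # Constructed input matching the slide: 50 good cars at $3000, 50 lemons at $1000.
    price, offered, history = lemons_market([3000] * 50 + [1000] * 50)
    print(f"prices by round: {history}; {len(offered)} goods left at ${price:.0f}")
    # Five quality tiers: the top tier withdraws each round until only lemons remain.
    price, offered, history = lemons_market([1000, 1500, 2000, 2500, 3000])
    print(f"prices by round: {history}; offered: {offered}")
```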
Slide 22: Security and Markets: Insurance
Insurance is rarely applied to computer security.
– Different organizations’ IT risk is correlated with other organizations’. A Microsoft Windows virus is like a major hurricane, affecting many networks at once.
– Software vendors aren’t responsible for risk of vulnerabilities in their software. Who would insure them if they were?
Slide 23: Security and Markets: DRM
• Security technologies can distort markets.
– Infinite supply of digital goods drives price to 0.
– Copyright grants limited monopolies to prevent this.
– DRM gives owners complete market control.
  • Eliminate resale.
  • Eliminate transfer to other media.
  • Eliminate any use owner dislikes.
Slide 24: Economics of Privacy
• Technology increases ability to discriminate in pricing.
– Data mining can be used to estimate individuals’ willingness to pay.
– Complex, changing prices for airlines, software.
• Data breach law gives incentive for privacy.
– Stock prices fall after data breaches are revealed.
Slide 25: Security and Usability
The problem with security: Bad interfaces.
– Semantic attacks such as phishing depend on the difference between how the user perceives a communication and its actual effect.
– How can we bridge the gap between the user’s mental model and the model of how systems actually work?
Slide 26: Security and Usability
Figure 2. Passpet
Slide 27: Future of Privacy: Tracking
The problem with privacy: Computers.
• Portable computing devices => tracking
– Cell phone: current location, path travelled
– RFID tags
• Ubiquitous video cameras => tracking
– Average Londoner has picture taken 300 times/day
Slide 28: Future of Privacy: Wholesale Surveillance
• Don’t look at a suspicious person, look at everyone.
– NSA phone/email surveillance; Echelon
– Satellite photography
– Cameras + OCR track license plates in London.
– Auto toll-pay systems and cell phones track cars.
– Credit card and Paypal purchases
• Quantity has a Quality all its own
– Changes balance between police power and rights of the people.
– Past compromises: random license plates instead of owner’s name.