Security New Trends, New Issues (Proprietary)
McAfee Research, 10/2/2020, 38 slides

Slide 2: Context
- Historical view of threats
- Emerging view of threats
- Segue:
  – Concept of scale
  – Introducing asymmetric threat challenges

Slide 3: Traditional Views of Computer & Network Security

Slide 4: Threat Evolution: Malicious Code
[Chart: threat categories from boot and .com infectors (early 1990s) through file viruses, macro viruses, e-mail worms, blended threats, "Warhol" threats and "Flash" threats, plotted along a timeline (mid 1990s, late 1990s, 2000, 2003, 2004) against the response time available, which shrinks from weeks or months to days, hours, minutes and seconds]
- File viruses, macro viruses, e-mail worms: human response possible
- Blended threats: human response difficult/impossible; automated response possible
- "Warhol" threats (i.e., Sasser): human response impossible; automated response unlikely; proactive blocking possible
- "Flash" threats: human response impossible; automated response required, i.e., automated remediation and automated attribution

Slide 5: Attack Types - by Vulnerability Category
- Social Engineering
- Logic Error
- Data Injection
- Data Modification
- Data Extraction
- Inappropriate Trust
- Malicious Code
- System Disruption
- Network Disruption
- Configuration Errors
- Policy Oversight
- Weakness
- Authentication
- Host Access
- Protection Bypass

Slide 6: Vulnerability Exploits - Examples
- Social Engineering: impersonation of authority via phone, or via Windows Messaging / IM / IRC / email
- Logic Error: malicious code injection through buffer overflow; data cache corruption; workload amplification; request/response source spoofing
- Policy Oversight: insider information theft; ambiguous / weak / no information disclosure policy
- MS-Office macro viruses / worms; cross-site HTML scripting
- Weakness: null / fixed / weak passwords; null authentication; poor certificate infrastructure
- Authentication bypass; improper / no software integrity verification; weak / no information access controls; capture of unsecured communications; exploit via "unpatched" software

Slide 7: Network Incidents are Increasing
[Chart] Source: CMU Computer Emergency Response Team, last updated January 22, 2004

Slide 8: Discovered Virus Threats per Day
[Chart] Source: McAfee AVERT

Slide 9: Machines Infected per Hour at Peak
[Chart] Source: McAfee AVERT

Slide 10: The Speed of Attacks Accelerates
SQL Slammer:
- Blended threat exploits known vulnerability
- Payload was a single 404-byte UDP packet
- Doubled every 8.5 seconds
- Achieved full scanning rate (over 55 million scans per second) after approximately 3 minutes
- Infected 90% of vulnerable hosts worldwide within 10 minutes
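The Slammer numbers above are the inputs to the standard random-scanning worm model, in which the early doubling time fixes the growth rate of a logistic curve. The following added example (not from the deck) carries that model through to the defender's question behind the Threat Evolution slide: how long the window is between an outbreak becoming visible and being essentially complete. Assumptions: the 8.5 s doubling time is the slide's figure; the vulnerable-population size is an illustrative assumption; and the model ignores bandwidth saturation, so it reaches 90% sooner than the 10-minute figure observed.

```python
import math

# Added illustrative model, not from the slide deck: the classic random-scanning
# worm epidemic (logistic growth). The 8.5 s doubling time is the slide's figure;
# the vulnerable-population size is an assumption chosen for illustration only.
SLAMMER_DOUBLING_S = 8.5
ASSUMED_VULNERABLE_HOSTS = 75_000  # assumption, not a value from the slide


def growth_rate(doubling_s):
    """Per-second exponential rate k with early-phase doubling time doubling_s."""
    return math.log(2) / doubling_s


def infected_fraction(t, n_vuln, doubling_s, i0=1):
    """Fraction of vulnerable hosts infected at time t (seconds), starting from i0
    infected hosts. Random scanning means each infected host's hit rate is
    proportional to the uninfected fraction, which gives the logistic curve."""
    k = growth_rate(doubling_s)
    a0 = i0 / n_vuln
    e = math.exp(k * t)
    return a0 * e / (1 - a0 + a0 * e)


def time_to_fraction(frac, n_vuln, doubling_s, i0=1):
    """Seconds until the infected fraction reaches frac (0 < frac < 1)."""
    k = growth_rate(doubling_s)
    a0 = i0 / n_vuln
    return (math.log(frac / (1 - frac)) - math.log(a0 / (1 - a0))) / k


def response_window(lo, hi, n_vuln, doubling_s):
    """Seconds between the outbreak being `lo` complete (first visible to a
    defender) and `hi` complete; the starting-point term cancels, so this
    depends only on the doubling time and the two fractions."""
    return (time_to_fraction(hi, n_vuln, doubling_s)
            - time_to_fraction(lo, n_vuln, doubling_s))


if __name__ == "__main__":
    n, d = ASSUMED_VULNERABLE_HOSTS, SLAMMER_DOUBLING_S
    print(f"time to 90% infected: {time_to_fraction(0.9, n, d):.0f} s")
    print(f"1% -> 90% response window: {response_window(0.01, 0.9, n, d):.0f} s")
```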

Slide 11: Incident Response Cost is Increasing
[Chart: cost in billions] [1] Blaster cost includes the cost of the near-simultaneous Sobig.F virus. Source: NetWorm.org

Slide 12: Application Vulnerabilities are Increasing
[Chart] Source: CMU Computer Emergency Response Team, last updated August 3, 2004

Slide 13: Emerging Views of Computer and Network Security

Slide 14: Phishing Attack Trends
[Chart] [1] Represents data for four days. Source: Anti-Phishing Working Group

Slide 15: Timeline: W32/Lovsan.worm & W32/Nachi.worm
- Jul 16: Vulnerability discovered in DCOM RPC; Microsoft posts MS03-026
- Jul 25: Xfocus (Chinese hacking group) forwards attack source code to public security lists
- Jul 29, Jul 31, Aug 2: IRC-BBot remote access Trojan uses the RPC (RPCSS) vulnerability; Downloader-DM Trojan gets media attention; unconfirmed incident of the RPC exploit being used to execute a NET SEND spam attack
- Aug 11: Lovsan worm
- Aug 18: Nachi worm and Lovsan Killer

Slide 16: War for Bragging Rights Fueled by Vulnerability Bulletins
[Chart: timeline of NetSky, MyDoom and Bagle variants (A through Q), with Sasser.A, anchored by Microsoft Security Bulletins MS03-032 and MS04-011 and the dates Aug 20 (?), Jan 18 and Apr 13; several variant dates are marked "?"]

Slide 17: E-CrimeWatch Survey Results for 2003
- Virus or other malicious attack: 77.2%
- Denial of service attack: 43.6%
- Illegal generation of spam e-mail: 38.3%
- Unauthorized access by an insider: 35.7%
- Phishing: 31.0%
- Unauthorized access by an outsider: 27.2%
- Fraud: 21.9%
- Theft of intellectual property: 20.5%
- Theft of other proprietary info: 16.4%
- Sabotage by an insider: 10.8%
- Sabotage by an outsider: 3.2%
- Extortion by an insider: 2.6%
Source: CSO E-CrimeWatch Survey Report, May 24, 2004

Slide 18: The Asymmetric Security Challenge

Slide 19: Orders of Magnitude
[Chart]

Slide 20: Problem Statement
- It is currently not possible to secure very complex networks against attacks from outside the perimeter due to asymmetries in
  – Network Topology
  – Grids
  – Protocols
  – Time
  – Social/Organizational Structures
  – Vulnerability Detection and Response Techniques

Slide 21: Abilene as an Enterprise Network
[Diagram]

Slide 22: Dimensions of the Asymmetric Security Problem
- Dimension 1: Network Topology
- Dimension 2: Grids
- Dimension 3: Protocols
- Dimension 4: Time
- Dimension 5: Social/Organizational
- Dimension 6: Attacks

Slide 23: Dimension 1: Network Topology
- Multiple paths; multiple providers yield complex backbone topologies
- Events need to be detected, shared, and understood across multiple topologies
[Diagram: GEO Grid, LEO Grid, Theater Grid, Tactical Grid, Fixed Grid, Tactical Grid]

Slide 24: Dimension 2: Grids
- DoD's GIG includes a layered view of grids, based on physical limitations of transport mechanisms
[Diagram: GEO Grid, LEO Grid, Theater Grid, Tactical Grid, Fixed Grid, Tactical Internet]

Slide 25: Dimension 3: Protocols
- Benign transfers utilizing multiple protocols, e.g. SMTP, HTTP, TCP, UDP, with latent assembly can trigger an attack
- Events need to be shared/detected across multiple protocols
[Diagram: protocol stack of HTTP over SSL over TCP over IP over Ethernet]

Slide 26: Dimension 4: Time
- The net works fast... faster than a speeding bullet
- Events need to be detected, shared, understood, and blocked at varying chronons
[Diagram: seconds, milliseconds, microseconds, nanoseconds, picoseconds]

Slide 27: Dimension 5: Social Organizations
- Humans organize people and things into social organizations to provide abstractions for dealing with complex problems
- In developing management abstractions, we introduce decision latencies that inhibit deployment of security solutions

Slide 28: Dimension 6: Vulnerabilities
- Malicious transfers exploiting multiple vulnerabilities, e.g. SMTP, HTTP, TCP, UDP, with latent assembly can trigger an attack

Slide 29: Network Physics 1
Deterministic Internetworking
[Diagram: Host A (Inside), Host B (Outside), one gateway between them]
Deterministic Internet Connection: Host A and Host B can exchange packets, which are routed through THE gateway (red line) between Inside and Outside.
Non-Deterministic Internetworking
[Diagram: Host A (Inside), Host B (Outside), three gateways between them]
Non-Deterministic Internet Connection: Host A sends Host B a packet, which must be routed through 1 of 3 gateways (red lines) between Inside and Outside. But we can't tell which one!

Slide 30: Network Physics 2
- It doesn't matter!
  – Routers don't examine contents, only headers; don't maintain state
  – Genius of the Internet is that it works regardless of whether the network is deterministic or nondeterministic
  – Stateless core scales well, condenses into hardware
- Endpoints maintain state, core maintains routes, each oblivious to the other
[Diagram: Host A (Inside) and Host B (Outside) connected through the interconnected set of all routers in NIPRnet, Abilene and the Internet, labelled "Routing Experts Only; All Others Keep Out!"; TCP state sits at the hosts]
Hosts A and B communicate by sending IP packets. These IP packets will usually belong to a TCP connection that A and B establish.

Slide 31: Network Physics 3
- Security requires looking inside the box!
  – Decision function: is this packet good (transmit) or bad (drop)?
  – "Looking Inside" means parsing packets, following connection state
- Endpoints paranoid of routing
  – Is this a Man-In-The-Middle attack?
- Routers paranoid of endpoints
  – Is this packet dangerous?
- Security confounds scalability
  – State explosion
  – Intolerance of dynamism
  – Violation of layering
- Typically delegate security close to endpoints to decrease state burden
[Diagram: Host A (Inside) and Host B (Outside) across the interconnected set of all routers in NIPRnet, Abilene and the Internet, with TCP state labelled at both ends]

Slide 32: Media access details hidden from datagrams
- Asymmetries and asynchronicities occur at all levels of abstraction
- Hosts A and B transmit simultaneously to server S
- Collisions on the A-B network cause packets to be lost and require retransmission
[Diagram: hosts A and B sharing a network segment to server S]

Slide 33: Flows disappear as we zoom in & out
- Server resides on "backbone" of network
- Backbone router interleaves requests from client networks due to asynchronicity of networks
- Endpoints reassemble requests and responses
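Network Physics 3 frames the decision function as parsing packets and following connection state, and this slide adds that a backbone router interleaves flows while only the endpoints reassemble them. The following added example (not from the deck) contrasts the two views on constructed traffic: a stateless per-packet check beside a per-flow reassembler, with the flow keys, byte offsets and the MARKER string invented for illustration.

```python
from collections import defaultdict

# Added example, not from the slide deck. Constructed packets are
# (flow_key, seq, payload): flow_key stands for the TCP 4-tuple, seq is the byte
# offset in that flow's stream, SIGNATURE a hypothetical marker to look for.
SIGNATURE = b"MARKER"

def packet_filter(packets, signature=SIGNATURE):
    """Stateless, router-style decision: flag a packet only if the whole
    signature sits in that one payload. Scales, but never sees the stream."""
    return [key for key, _seq, payload in packets if signature in payload]

class FlowReassembler:
    """Stateful inspection: per-flow segment tables, reordered by seq and joined
    into the stream the endpoint sees. The table is the state-explosion cost."""
    def __init__(self):
        self.segments = defaultdict(dict)  # flow_key -> {seq: payload}
    def add(self, flow_key, seq, payload):
        self.segments[flow_key][seq] = payload

    def stream(self, flow_key):
        # Join contiguous segments from offset 0; stop at the first gap rather
        # than skip it, because the missing bytes may still arrive.
        data, expected = b"", 0
        for seq in sorted(self.segments[flow_key]):
            if seq != expected:
                break
            data += self.segments[flow_key][seq]
            expected += len(self.segments[flow_key][seq])
        return data

    def flagged_flows(self, signature=SIGNATURE):
        return [k for k in self.segments if signature in self.stream(k)]

# Constructed traffic: a backbone router has interleaved two client flows, and
# flow A's marker is split across two packets that also arrive out of order.
PACKETS = [
    ("A", 0, b"GET /x?q=MAR"),
    ("B", 0, b"GET /index.html"),
    ("A", 15, b" HTTP/1.0\r\n"),  # arrives before the bytes at offset 12
    ("B", 15, b" HTTP/1.0\r\n"),
    ("A", 12, b"KER"),
]

def analyse(packets=PACKETS):
    r = FlowReassembler()
    for key, seq, payload in packets:
        r.add(key, seq, payload)
    return {"per_packet": packet_filter(packets), "reassembled": r.flagged_flows(),
            "state_entries": sum(len(s) for s in r.segments.values())}  # buffered segments
```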

Slide 34: Protocol Challenges
- Heterogeneous protocol implementation strategies
- Protocol parsers
- Protocol state engines
- Protocol application scheduling
- Reliance on operating system services
- Vulnerabilities are penetrable as we move up and down protocol stacks
[Diagram: IP, TCP, SSL and HTTP protocol processors, each handling its own layer of a frame laid out as IP header, TCP header, SSL header, HTTP data, SSL footer, TCP footer, IP footer]

Slide 35: Sessions disappear as we zoom in & out
- Routes may change during a session without impact on client or server
- Routes may differ from one request to the next without impact
- Routers may come and go without impact
- Protocols, implemented at endpoints, provide guarantees (or not) of service.

Slide 36: What do we mean by Secure?
- Robust protocols
- Access controls
- All the normal anti-virus, anti-intrusion, anti-spam, anti-scam techniques
- Robustness - security implies availability
  – deny DoS
  – minimize false positives
- Provide optimum safe level of service and connectivity
  – Not always preventing, sometimes enabling connectivity
[Diagram: security services: Authentication, Access Control, Non-Repudiation, Signature, Availability, Data Integrity, Confidentiality]

Slide 37: What is a Very Complex Network?
- Network complexity is a function of
  – Topological Complexity: number of nodes, number of routers
  – Grid Complexity: number of upstream peers, fractal complexity of peers, amount of bidirectional interaction with peers
  – Protocol Complexity: amount of state required to conduct conversations
  – Time Complexity: speed of communications and distance of peers
  – Social Complexity: sensitivity of information
  – Attack Complexity: vulnerability of services
  – Conceptually, the dot product of the complexity at each of the 6 dimensions
- We suspect fractal geometry will be useful here
- Fractals are defined formally based on dimension.
  – We need similar formality

Slide 38: Summary
- Traditional threats are real, varied, costly, and increasing:
  – Viruses, trojans, and worms; spam; hackers; intrusions; and distributed denial of service (DDoS) attacks.
- Electronic crimes are increasingly pervasive, destructive, and expensive
- Asymmetric nature of the Internet introduces service anomalies
- Systematic examination of asymmetries reveals a host of vulnerabilities
- Intrusion detection and response requires increasingly complex combinations of functionality.
- Performance requirements are increasing to maintain throughput and latency in high-speed networks.
- Security functionality in high-speed networks presently requires arrays of servers and load balancers to handle the processing load.
- Current solutions based on ASICs have long development lead-time, do not generally scale with Moore's Law, and are not programmable to meet new threats and needs.