Dumb Ideas in Computer Security

Dr Charles P PfleegerPfleeger Consulting Group19 July 2011chuck@pfleeger.com

© Pfleeger Consulting Group 2011

Marcus Ranum’s Six Dumbest Ideas

“The Six Dumbest Ideas in Computer Security” (2005) http://www.ranum.com/security/computer_security/editorials/dumb/

Default permitEnumerating badnessPenetrate and patchHacking is coolEducating usersAction is better than inaction

Dumb Ideas in Computer Security 219 Jul 2011

Struck a Nerve

Results 1-10 of about 2,030,000 for dumb ideascomputer security.Or … there are lots of dumb ideas related to computer security

Dumb Ideas in Computer Security 319 Jul 2011

Marcus Is Right … But I Have Another List

1. We’ll do security later2. We’ll do privacy later3. Encryption cures all4. {Tool} cures all5. Security has to be perfect6. It’s easy—we can do it ourselves

Dumb Ideas in Computer Security 419 Jul 2011

We’ll Do Security Later

Dumb Ideas in Computer Security 519 Jul 2011

You Can’t Retrofit Security

Defense Science Board report (1972)“It is virtually impossible to verify that a large software system is completely free of errors and anomalies.”“System failure modes are not thoroughly understood, catalogued, or protected against.”

Systems grow increasingly complexPatches abound—and continuePenetrate and patch doesn’t work

References: Anderson; Karger and Schell

Dumb Ideas in Computer Security 619 Jul 2011

We’ll Do Privacy Later

Dumb Ideas in Computer Security 719 Jul 2011

You Can’t Retrofit Privacy

Facebook, other social mediaPrivate data aggregatorsElectronic medical dataAnonymity, pseudonymity“Fair Information Practices” 1973Banking, medical, education, government mishmash

References: Ware, Sweeney

Dumb Ideas in Computer Security 819 Jul 2011

Encryption Cures All

Dumb Ideas in Computer Security 919 Jul 2011

Encryption is Overrated

Key managementImplementation flawsAlgorithm weaknessesWork factor vs. computing powerHard problems solvableData in the clear

ArchitectureInsiders

Dumb Ideas in Computer Security 1019 Jul 2011

{Pick a Tool} Cures All

Dumb Ideas in Computer Security 1119 Jul 2011

Effective Security Tools Are Specialized

No silver bulletDifferent environments: threats–vulnerabilities–countermeasuresDifferent objectives: prevent, deter, diminish, detect, recoverIntegration, overlap, coverage issues

Dumb Ideas in Computer Security 1219 Jul 2011

Security Has To Be Perfect

Dumb Ideas in Computer Security 1319 Jul 2011

Security Is a Continuum

Impossible to counter all threatsCannot let the perfect be the enemy of the goodResidual risk remainsNeed

Metrics to measure riskJustification for stopping pointCreative architecture to maximize coverage for money spent

Dumb Ideas in Computer Security 1419 Jul 2011

It’s Easy—We Can Do Security Ourselves

Dumb Ideas in Computer Security 1519 Jul 2011

Program Complexity Inhibits Security

“By the time machines are able to do such things we shan’t know how they do it.” --Turing

Applications, utilities, infrastructure, and operating system mixedWeb data delivery, display, fetch mixedSkype reboot problem, Sony rootkitIP stack in cell phones, PDAs, gaming consoles, refrigerators, thermostats

References: Hoglund & McGraw, Whitaker & Thompson

Dumb Ideas in Computer Security 1619 Jul 2011

How the eCampus Differs from a Brick Campus

No perimeter to defendNew threats:

Financial: organized crimePolitical: nations/groupsInter- and multinational

Unprotected workstation as a staging platform, or a botWeb interconnectedness

Dumb Ideas in Computer Security 1719 Jul 2011

How to Proceed

Secure the environmentSecure the systemSecure the applicationsSecure the networkSecure the users

Dumb Ideas in Computer Security 1819 Jul 2011

Secure the Environment

Perimeter defense outdatedLaptops and smart phones extend perimeter to outer space

Who would attack a university?Target: a machine or address

Classify and separate

Dumb Ideas in Computer Security 1919 Jul 2011

Secure the System

Segmentation, separationHard to do with Internet

Cloud computingAppealing for sharingBut controlled sharing is a challenge

Stuxnet infection shows ability to penetrate

Dumb Ideas in Computer Security 2019 Jul 2011

Secure the Applications

Functionality trumps securityWho vets apps?

Reliable source: code signingMalware appearance getting more sophisticated

Fewer typosClickjacking

Dumb Ideas in Computer Security 2119 Jul 2011

Secure the Network

Everybody connected to everybodyFormal and informal connections (USB stick, computer sharing)

Tools helpAlso human review and interaction

Vigilence—and insight

Dumb Ideas in Computer Security 2219 Jul 2011

Secure the Users

User awareness is necessary—but not sufficient

New attacks emerge and expand: phishing, drive-by downloadNew users appear: social media and kidsUsers may not understand threat

“I am not a target”

“Think like an attacker” dayPolicy, audit, and enforcement

Dumb Ideas in Computer Security 2319 Jul 2011

A Final Word …

Dumb Ideas in Computer Security 2419 Jul 2011

Questions?

Dumb Ideas in Computer Security 2519 Jul 2011

References

Anderson, J., “Computer Security Technology Planning Study, csrc.nist.gov/publications/history/ande72.pdf

Hoglund, G. and McGraw, G., Exploiting Software: How to Break Code, Addison-Wesley, 2004

Karger, P. and Schell, R., “Thirty Years Later: Lessons from the Multics Security Evaluation,” IBM Research Report RC22543, 2002.

Morris, R. and Thompson, K., “Password Security: A Case History,” Communications of the ACM, v22 n11 Nov 1979

Saltzer, J. and Schroeder, M. “The Protection of Information in Computer Systems,” Proceedings of the IEE, v63 n9 Sep 1975

Sweeney, L., Finding Lists of People on the Web,” ACM Computers and Security, v37 n1 Apr 2004

Ware, W. (ed.) “Records, Computers and the Rights of Citizens,” RAND Report P-5077, 1973.

Whitaker, J. and Thompson, H., How to Break Software,Pearson Education, 2003

Dumb Ideas in Computer Security 2619 Jul 2011