TRANSCRIPT
The Dumbest Ideas In Computer Security
Marcus J. Ranum, CSO, Tenable Network Security, Inc.
[email protected]@tenablesecurity.com
Who am I
• CSO of Tenable Network Security
  – Makes innovative vulnerability detection and security event management tools
  – Develops and supports the Nessus vulnerability scanner project
  – Works with lots of MSPs and customers
• CyberTrust
• V-1 SmartWall
• Network Flight Recorder
• Trusted Information Systems
Intro – Who is Tenable?
• We run the Nessus project
  – More than 85,000 organizations world-wide
  – We develop 99.9% of the plugins
  – Develop and test all of Nessus 3
  – Still do a lot of work on and for Nessus 2
• Enterprise Security Vendor
  – Single vendor to offer enterprise security management solutions for:
    • Vulnerability Management
    • Compliance Monitoring & Reporting
    • Security Event Management
    • Network Behavioral Anomaly Detection
    • Passive and Active Asset discovery
  – More than 500 enterprise customers
What is Dumb??
Depending on which analysts you believe* the computer security market is billions of dollars, annually
* never a good idea
[Chart: security market size by year (1995, 1997, 2001, 2005), rising from $200m to $6b]
Dumb is Wasting Money
The number of systems penetrated continues to increase to the point where nobody even counts, anymore
Source: dept of made-up statistics
[Chart: systems compromised by year (1995, 1997, 2001, 2005): some, lots, too many, ridiculously too many; annotation: CERT throws in the towel and stops tracking machines compromised]
Chartology
Red = bad thing; Green = effort/expense
A chart like this represents a hard-fought but ultimately effective effort
Chartology
Red = bad thing; Green = effort/expense
A chart like this represents a rear-guard action
Chartology
Red = bad thing; Green = effort/expense
A chart like this represents a sucking chest-wound
OK, so what’s wrong?
• Computer security is off-course and has been for a long time
  – Since the “discovery” of security as a “market” it’s a big-money business
  – “Solutions” (i.e.: expen$ive product$) rule over common sense
  – Well marketed-to customers continually lurch from one “complete solution” that doesn’t work to the next
?
• What are the properties of secure systems?
Fundamental Security Problems
• Trusted Systems Design
• Assurance
• Code Quality
• Transitive Trust
• Authorization v. Authentication
Trusted System Design
• Understand the components of the system that must be trusted
  – Compartmentalized design
  – Understand trusted paths in inputs and code
• Top-to-bottom approach
  – Can’t “secure the network” and not the host
  – Can’t “secure the host” and not the network
  – Can’t “secure the data” and not the O/S
Assurance
• Assurance is the degree of confidence you have that the system functions as it is designed to
  – (Read Feynman on the Challenger disaster)
• Assurance is a property of a system design
  – It is not an add-on feature to be “built in later” (Sorry, Microsoft)
Code Quality
• Code quality is necessary to be assured that a system functions as designed
  – Software as an engineering discipline
  – Security and reliability need to be:
    • Factored into design
    • Considered in code lay-out
    • Checked in code review
    • Tested in QA
    • Considered in maintenance
Transitive Trust
• If A trusts B and B trusts C, A trusts C and doesn’t know it
  – Indeed, A trusts everyone C trusts
• Dealing with transitive trust is a “hard problem” and may not be tractable
  – Hackers basically ignore transitive trust also, because most systems are so weak that transitive trust attacks are unnecessary!
  – Smart pen testers use transitive trust
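The “A trusts everyone C trusts and doesn’t know it” point can be made concrete by walking a trust graph to its closure. The Python below is an added example, not material from the talk: the principals A..F and the trust edges between them are constructed, and the cycle F→B is there only to show that the walk terminates on real-world graphs that loop.

```python
"""Transitive trust, worked through on a small trust graph.

Added example, not from the talk. The principals A..F and the edges
between them are constructed for illustration.
"""
from collections import deque

# Constructed direct-trust edges: each key trusts every value directly
# (e.g. a web tier trusts an app tier, which trusts a database host,
# which trusts a backup host and a utility box...). F trusting B makes
# the graph cyclic, which a naive walk would loop on.
DIRECT_TRUST = {
    "A": {"B"},
    "B": {"C"},
    "C": {"D", "E"},
    "D": set(),
    "E": {"F"},
    "F": {"B"},
}


def transitive_trust(graph, start):
    """Every principal `start` ends up trusting once trust is followed
    to its conclusion (breadth-first, cycle-safe, excludes `start`)."""
    seen = set()
    queue = deque(graph.get(start, ()))
    while queue:
        node = queue.popleft()
        if node == start or node in seen:
            continue
        seen.add(node)
        queue.extend(graph.get(node, ()))
    return seen


def implicit_trust(graph, start):
    """The slide's point: what `start` trusts without having chosen to,
    i.e. the transitive set minus the direct set."""
    return transitive_trust(graph, start) - set(graph.get(start, ()))


def trust_paths(graph, start, target):
    """All simple chains from `start` to `target`, for explaining to the
    owner of A exactly how it came to trust F."""
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for nxt in sorted(graph.get(node, ())):
            if nxt not in path:          # never revisit: keeps cycles finite
                walk(nxt, path + [nxt])

    walk(start, [start])
    return paths


if __name__ == "__main__":
    print("A directly trusts:    ", sorted(DIRECT_TRUST["A"]))
    print("A transitively trusts:", sorted(transitive_trust(DIRECT_TRUST, "A")))
    print("A implicitly trusts:  ", sorted(implicit_trust(DIRECT_TRUST, "A")))
    for chain in trust_paths(DIRECT_TRUST, "A", "F"):
        print("trust chain:", " -> ".join(chain))
```

Run as a script it prints that A configured one trust relationship (B) and ended up with five; `trust_paths` is the part a reviewer actually wants, because “A trusts F via B, C, E” is an answerable finding and “transitive trust is a hard problem” is not.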
Authorization V. Authentication
• Authentication: knowing who you are dealing with
• Authorization: knowing what a user is allowed to do
• Many fancy authentication systems (public key, etc.) but authorization is a “hard problem”
  – What do you do when an authorized user does an inappropriate thing?
OK, So Life Sucks!
• These are extremely hard (and therefore $$$$) problems to deal with
• What’s the industry’s answer?
  – Attractive-sounding manure
A-SB: Antivirus
• Exhaustively list all the viruses on earth
  – Stop them when they get onto your computer or try to execute
• 175,000 different viruses and spyware*
  – Fewer than 7,000 commonly-used business apps*
• Why list the bad stuff? List the good stuff! (trust-no-exe, program execution control, etc.)
* approximately
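The two list sizes on this slide are the whole argument, so here is the difference between “list the bad stuff” and “list the good stuff” as a pair of execution-policy functions. This is an added Python example, not code from the talk or from any product; the “executables” are short constructed byte strings, and their hashes are computed at runtime, so no real indicator appears here.

```python
"""Enumerating badness vs. enumerating goodness for program execution.

Added example, not from the talk. The "executables" are short byte
strings standing in for real files; the hashes are computed from them
at runtime, so nothing here is a real malware indicator.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed samples: name -> file content.
KNOWN_GOOD = {
    "payroll.exe": b"payroll app, build 4.2",
    "mailclient.exe": b"mail client, build 11",
}
KNOWN_BAD = {
    "worm-a.exe": b"worm sample A, in the signature list",
}
# Things the signature list has never seen: a new variant, and a copy of
# a good program with something injected into it.
NOVEL = {
    "worm-z.exe": b"worm sample Z, not in any list",
    "payroll.exe (tampered)": b"payroll app, build 4.2" + b" + injected code",
}

# Antivirus model: enumerate badness.
BADNESS_LIST = {sha256_hex(content) for content in KNOWN_BAD.values()}
# Execution-control model: enumerate goodness.
GOODNESS_LIST = {sha256_hex(content) for content in KNOWN_GOOD.values()}


def default_permit(content: bytes) -> bool:
    """Run anything not on the bad list."""
    return sha256_hex(content) not in BADNESS_LIST


def default_deny(content: bytes) -> bool:
    """Run only what is on the good list."""
    return sha256_hex(content) in GOODNESS_LIST


def evaluate(samples):
    """Map name -> (allowed under default-permit, allowed under default-deny)."""
    return {name: (default_permit(c), default_deny(c)) for name, c in samples.items()}


def misses(samples):
    """Names that run under default-permit but are not known-good: the gap
    between the two list sizes on the slide, made concrete."""
    return sorted(name for name, (permit, deny) in evaluate(samples).items()
                  if permit and not deny)


if __name__ == "__main__":
    everything = {**KNOWN_GOOD, **KNOWN_BAD, **NOVEL}
    for name, (permit, deny) in evaluate(everything).items():
        print(f"{name:24} default-permit: {'run' if permit else 'block':5} "
              f"default-deny: {'run' if deny else 'block'}")
    print("slips past the bad list:", misses(everything))
```

The bad list stops exactly what it has already seen; the good list stops the unseen variant and the tampered copy of a legitimate program without anyone having to update anything. The operational cost of the good list is keeping it in step with the 7,000 things the business actually runs, which is the trade the slide is arguing for.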
A-SB: Intrusion Prevention
• Make a dictionary of “signatures” that match various network-based hacks as they traverse your network
  – Have a boundary device attempt to detect them fast enough to block them (put it in-line so it’s a nice single point of failure!)
• This is very similar to antivirus, including how stupid an idea it is
A-SB: Intrusion Prevention (cont)
• A “new trend” some talk about is “network compartmentalization”*
  – Identify segments of the network and enforce separation between them except for necessary services
    • I.e.: “database network”: the only traffic allowed in/out is Oracle to the server; backup servers and utility systems are screened
    • I.e.: “mail hub”: email only sent/delivered to/from a central port 25/IMAP-SSL server
* New? I have PowerPoint slides from 1989 that teach how to do it...
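Compartmentalization only works if the “necessary services” are written down somewhere a machine can check, so here is the database-network and mail-hub policy from this slide expressed as an explicit allowed-flow set, audited against a handful of flow records. It is an added Python example, not from the talk or any product; the segments, address ranges, port choices and the sample flows are all constructed. The same check answers the Summary’s “running networks with no idea what traffic crosses them”: anything that falls out of `audit` is traffic you did not know about.

```python
"""Segment separation as an explicit, checkable flow policy.

Added example, not from the talk. Segments, address ranges, allowed
services and the sample flow records are all constructed; in practice
the flows would come from a flow collector or firewall log and the
policy from whatever enforces the segmentation.
"""
import ipaddress
from dataclasses import dataclass

# Constructed segments.
SEGMENTS = {
    "users":    ipaddress.ip_network("10.1.0.0/16"),
    "app":      ipaddress.ip_network("10.2.0.0/24"),
    "database": ipaddress.ip_network("10.3.0.0/24"),
    "backup":   ipaddress.ip_network("10.4.0.0/24"),
    "mailhub":  ipaddress.ip_network("10.5.0.0/28"),
}

# The only traffic that is supposed to cross a segment boundary, as
# (source segment, destination segment, destination port). Anything
# else is a separation violation. Port choices are constructed.
ALLOWED = {
    ("app", "database", 1521),     # Oracle listener, app tier only
    ("database", "backup", 22),    # backups pulled over ssh
    ("users", "app", 443),
    ("users", "mailhub", 993),     # IMAP-SSL to the central mail hub
    ("mailhub", "internet", 25),   # the hub is the only SMTP speaker
    ("internet", "mailhub", 25),
}


def segment_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"              # anything unassigned is outside


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def check_flow(flow: Flow):
    """Return (permitted, (src_segment, dst_segment, dport))."""
    key = (segment_of(flow.src), segment_of(flow.dst), flow.dport)
    return key in ALLOWED, key


def audit(flows):
    """Flows that cross a boundary the policy does not allow."""
    violations = []
    for flow in flows:
        permitted, key = check_flow(flow)
        if not permitted:
            violations.append((flow, key))
    return violations


# Constructed flow records (what a collector might have logged).
SAMPLE_FLOWS = [
    Flow("10.2.0.10", "10.3.0.5", 1521),    # app -> database: expected
    Flow("10.1.7.22", "10.3.0.5", 1521),    # workstation straight to Oracle
    Flow("10.1.7.22", "10.2.0.10", 443),    # users -> app: expected
    Flow("10.3.0.5", "10.4.0.3", 22),       # database -> backup: expected
    Flow("10.1.9.4", "198.51.100.7", 25),   # desktop sending mail directly
    Flow("203.0.113.9", "10.2.0.10", 22),   # inbound ssh to the app tier
]


if __name__ == "__main__":
    for flow, (src, dst, port) in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {flow.src} -> {flow.dst}:{port}  ({src} -> {dst})")
```

Three of the six constructed flows violate the policy, and each violation names the segment pair it crossed, which is the form a finding needs to be in to get fixed. The policy is deliberately default-deny: a segment pair and port that nobody wrote down is a violation, not a gap in the signature list.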
A-SB: Outsourcing Security
• Premise: anything that is not a “core competency” should be done by someone else, who can do it cheaper
  – Problem: if you never develop any knowledge of the problem, how do you know if they are doing a good job?
  – You know this: if your business thinks IT is not part of its core business, you’ll be clobbered by a competitor in 10 years*
* exception: gravel pits
A-SB: Rent-a-hacker
• Pen-testing is the exact opposite of assurance by design
  – Tells you one of two things:
    • You’re screwed
    • We don’t know if you’re screwed
  – Trying to prove a system can’t be hacked by trying to hack it is attempting to prove a negative
    • More effective: external design review early and implementation validation
The 90’s
• Netscape IPO: the greatest disaster in software history
  – Demonstrated incontrovertibly that the path to fortune in Silicon Valley is to throw shovelware over the fence
  – Triggered “the 10 year beta-test”
  – Dogmatized as “extreme programming” (i.e.: “write code now and figure out what you were trying to accomplish later”)
The 90’s (cont)
• What will it take to turn software development into an engineering discipline? (people who call the nonsense we do today “software engineering” need to be beaten)
• Network engineering and management are the next pain points
The 2010’s
• The next big frontier is going to be system administration
  – The death of general-purpose computing
    • PDAs become more powerful embedded appliances?
    • Disposable computing?
    • Ubiquitous computing?
    • Operating systems that don’t suck?
Windows Sys Administration
[Chart: systems under administration vs. time, crossing the Earth population line at 2020 AD; annotation: Every man, woman, and child on earth (over the age of 6) will be a Windows system administrator]
• 2020 AD: The Infocalypse
Summary:
• Danger signs: if you are -
  – Listing lots of cases of bad stuff
  – Constantly patching your code
  – Running networks with open topologies
  – Running networks with no idea what traffic crosses them
  – Ignoring security in the design process
… You may be in security hell
Summary 2:
Remember, it’s always much easier to not do something dumb than it is to do something smart
QUESTIONS ??
blog.tenablesecurity.com