ISBN: 9780596527488

Beautiful Security: Leading Security Experts Explain How They Think


Although most people don't give security much attention until their personal or business systems are attacked, this thought-provoking anthology demonstrates that digital security is not only worth thinking about, it's also a fascinating topic. Criminals succeed by exercising enormous creativity, and those defending against them must do the same.

Beautiful Security explores this challenging subject with insightful essays and analysis on topics that include:

  • The underground economy for personal information: how it works, the relationships among criminals, and some of the new ways they pounce on their prey
  • How social networking, cloud computing, and other popular trends help or hurt our online security
  • How metrics, requirements gathering, design, and law can take security to a higher level
  • The real, little-publicized history of PGP

This book includes contributions from:

  • Peiter "Mudge" Zatko
  • Jim Stickley
  • Elizabeth Nichols
  • Chenxi Wang
  • Ed Bellis
  • Ben Edelman
  • Phil Zimmermann and Jon Callas
  • Kathy Wang
  • Mark Curphey
  • John McManus
  • James Routh
  • Randy V. Sabett
  • Anton Chuvakin
  • Grant Geyer and Brian Dunphy
  • Peter Wayner
  • Michael Wood and Fernando Francisco

All royalties will be donated to the Internet Engineering Task Force (IETF).


1. Psychological Security Traps

During my career of attacking software and the facilities they power, many colleagues have remarked that I have a somewhat nonstandard approach. I tended to be surprised to hear this, as the approach seemed logical and straightforward to me. In contrast, I felt that academic approaches were too abstract to realize wide success in real-world applications. These more conventional disciplines were taking an almost completely random tack with no focus or, on the opposite end of the spectrum, spending hundreds of hours reverse-engineering and tracing applications to (hopefully) discover their vulnerabilities before they were exploited out in the field.

Now, please do not take this the wrong way. I'm not condemning the aforementioned techniques. In fact, I agree they are critical tools in the art of vulnerability discovery and exploitation. However, I believe in applying some shortcuts and alternative views to envelope, enhance, and, sometimes, bypass these approaches.

In this chapter I'll talk about some of these alternative views and how they can help us get inside the mind of the developer whose code or system we engage as security professionals.

2. Wireless Networking: Fertile Ground for Social Engineering

By now, everyone has heard the security concerns about wireless devices. They have been an area of concern for many security professionals since the original Wi-Fi release in 2000. As early as 2001, the standard Wired Equivalent Privacy (WEP) access protocol, designed to keep unwanted users from accessing the device, was discovered to have fundamental flaws that allowed security to be bypassed within a couple of minutes. Although security was greatly increased in 2003 with the release of Wi-Fi Protected Access (WPA), most paranoid system administrators still had their doubts. Sure enough, with time new exploits were discovered in WPA as well. Although it is not nearly as dangerous as WEP, it left many administrators feeling justified in their concerns.

However, while one camp has remained skeptical, others have seen the operational benefits that come with wireless and have embraced the technology. For example, handheld devices carried throughout a department store allow employees to accomplish inventory-related tasks while communicating directly with the organization's servers. This can save a tremendous amount of time and increase customer service satisfaction. Wi-Fi has reinvigorated the use of public spaces from cafés to parks around the world. Unfortunately, several attack scenarios remain largely unknown and could feed an epidemic of corporate and personal identity theft.

3. Beautiful Security Metrics

When you can measure what you are speaking about, and express it in numbers, you know something about it; but when you cannot measure it, when you cannot express it in numbers, your knowledge is a meager and unsatisfactory kind; it may be the beginning of knowledge, but you have scarcely, in your thoughts, advanced to the state of science.

The revolutionary idea that defines the boundary between modern times and the past is the mastery of risk; the notion that the future is more than a whim of the gods and that men and women are not passive before nature. Until human beings discovered a way across that boundary, the future was a mirror of the past or the murky domain of oracles and soothsayers who held a monopoly over knowledge of anticipated events.

The two quotes that start this chapter capture the essence of beauty in measurement and its primary deliverable: metrics. Lord Kelvin's message is that there is no science without metrics. Peter Bernstein's statement is about risk, which is conceptually related to security. Dr. Bernstein states that metrics free you from the morass of being a prisoner of the past or, even worse, dependent upon fortune tellers, certainly key objectives of science, in general.

4. The Underground Economy of Security Breaches

The latest statistic from NetCraft puts today's Internet at 185,497,213 sites. Though the absolute number suffered some loss lately due to the late economic downturn, the Internet growth at mid-2008 was measured at over 130,000 sites per day! It is estimated that the worldwide Internet user population will reach 500 million some time soon. The Internet is fast becoming one of the most significant markets in our modern economy.

Not surprisingly, just like its physical counterpart, the Internet is fostering one of the biggest underground economies.

As one might expect, this cyber underground has one main goal: money. The actors in this economy employ a wide array of digital ammunitions, including malware, botnets, and spam, to help them achieve this goal.

Unlike the physical world, where behavior can be held in check in most places by laws and regulations, the laws that govern the digital universe are, for all intents and purposes, ill-defined and poorly enforced. As a result, the cyber underground flourishes. In recent years, cyber attacks have graduated from the ad hoc, script-kiddie attacks to large-scale, organized crimes.

5. Beautiful Trade: Rethinking E-Commerce Security

Information security has always been one of the largest barriers to e-commerce. Those of us who spend most of our waking moments thinking of new and different ways to secure these systems and applications know it starts with the data. After all, it's information that we are trying to protect.

One of the primary challenges in e-commerce security is coming up with practical ways to secure payment transaction data. This term means a lot of different things to a lot of different applications, but for the purpose of this writing, let's focus on credit card data such as account numbers, security and CV2 codes, PIN numbers, magnetic stripe data, and expiration and issue dates. We will also include extra data we deem necessary to make this process more secure, such as to authenticate or authorize a transaction.

Let's look at the possible points of failure for credit card information. When a consumer makes a purchase using his credit or debit account where a card is not involved, whether online or offline in a scenario such as a phone purchase, he supplies this data to the merchant in order to prove he has the resources or credit to pay for the merchandise. This data passes through various systems within and beyond the merchant environment through payment gateways, back-office applications, acquiring banking networks and systems, issuing banks, and card association networks.

6. Securing Online Advertising: Rustlers and Sheriffs in the New Wild West

Read the news of recent computer security guffaws, and it's striking how many problems stem from online advertising. Advertising is the bedrock of websites that are provided without charge to end users, so advertising is everywhere. But advertising security gaps are equally widespread: from malvertisement banner ads pushing rogue anti-spyware software, to click fraud, to spyware and adware, the security lapses of online advertising are striking.

During the past five years, I have uncovered hundreds of online advertising scams defrauding thousands of users, not to mention all the Web's top merchants. This chapter summarizes some of what I've found, and what users and advertisers can do to protect themselves.

Users are the first victims (and typically the most direct ones) of online advertising attacks. From deceptive pop-up ads to full-fledged browser exploits, users suffer the direct costs of cleanup. This section looks at some of the culprits.

In March 2004, spam-king-turned-spyware-pusher Sanford Wallace found a way to install software on users' computers without users' permission. Wallace turned to security vulnerabilities (defects in Windows, Internet Explorer, or other software on a user's computer) that let Wallace take control of a user's computer without the user granting consent. Earlier intruders had to persuade users to click on an executable file or open a virus-infected document, something users were learning to avoid. But Wallace's new exploit took total control when the user merely visited a website, something we all do dozens of times a day.

7. The Evolution of PGP’s Web of Trust

When Pretty Good Privacy (PGP) first arrived in 1991, it was the first time ordinary people could use strong encryption that was previously available only to major governments.

PGP led to new opportunities for human rights organizations and other users concerned with privacy around the world, along with some oft-misunderstood legal issues that we'll touch on later.

One of the most influential aspects of PGP is its solution to the problem of connecting people who have never met and therefore never had a chance to exchange secure keys. This solution quickly earned the moniker Web of Trust, which describes the way the system operates about as accurately as any phrase.

The trust mechanism in PGP has evolved a lot since the early releases. It's worth examining the reasons for the trust model and the way PGP has evolved to provide more robustness.

The Web of Trust also offers an interesting historical angle because it was an early peer-to-peer design, and arguably one of the first social networks.

8. Open Source Honeyclient: Proactive Detection of Client-Side Exploits

Client software vulnerabilities are currently being exploited at an increasing rate. Based on a September 2004 survey, Dell Computers estimates that 90% of Windows PCs harbor at least one spyware program. Microsoft's Internet Explorer browser has had over 50 vulnerabilities in the past six months, according to the Common Vulnerabilities and Exposures (CVE) database. By taking advantage of client software vulnerabilities, attackers are able to infect and control systems that are protected by firewalls or otherwise inaccessible.

As is well known, client-side exploits can be used by the attacker for many other malicious activities once a victim machine is compromised. The exploit could steal valuable information, such as the user's online banking credentials. Among other things, the attacker could hijack the victim machine and add it to growing bot networks, in which each bot becomes part of a distributed denial of service (DDoS) attack or a spam delivery system.

How will attackers utilize client software vulnerabilities? As far back as 2002, a paper titled "How to 0wn the Internet In Your Spare Time"[67] came up with a disturbing possible scenario: a contagion worm exploit that targets both server and client vulnerabilities. First, the attack uses typical Web server security flaws, such as buffer overflows or SQL injection, to upload malicious code that is then downloaded whenever a targeted browser visits the website. Then, the downloaded code exploits vulnerabilities on the browser client.

9. Tomorrow’s Security Cogs and Levers

Without changing our patterns of thought, we will not be able to solve the problems that we created with our current patterns of thought.

Information security is not just about technology. It is about people, processes, and technology, in that order, or more accurately, about connecting people, processes, and technology together so that humans and entire systems can make informed decisions. It may at first seem rather odd to start a chapter in a book about the future of security management technology with a statement that puts the role of technology firmly in third place, but I felt it was important to put that stake in the ground to provide context for the rest of this chapter.

This doesn't mean that I belittle the role of technology in security. I firmly believe that we are at the very beginnings of an information technology revolution that will affect our lives in ways few of us can imagine, let alone predict. It's easy to dismiss futuristic ideas; many of us still laugh at historical predictions from the 1970s and 1980s portraying a future where self-guided hovercars will whisk us to the office in the mornings and where clunky humanoid robots will mix us cocktails when we get home from work, yet fundamental technological breakthroughs are emerging before our eyes that will spark tomorrow's technological advances.

10. Security by Design

"Beauty is truth, truth beauty," that is all
Ye know on earth, and all ye need to know.

Beauty is not skin deep. True beauty is a reflection of all aspects of a person, object, or system. In security, beauty appears in simplicity and graceful design, a product of treating security as a critical goal early in the system design lifecycle. In properly designed systems, security is an integral attribute of the system, designed, built, and tested; it is lightweight and adaptive, allowing the overall system to remain agile in the face of evolving requirements. When security is treated as an afterthought, or developed independently from the overall system design requirements, it is most often ugly and inflexible.

Several experiences during my career have had a profound impact on my views on information security and my overall system development philosophy. The first was at NASA's Langley Research Center. The second was a four-year period where I worked on software quality, reliability, usability, and security, first at Reliable Software Technologies (now known as Cigital) and then as the vice president of the Software Technology Center at Bell Labs. The lessons I learned and the fantastic teams I had the opportunity to work with demonstrated to me that security and all of the other important "ilities" (e.g., quality, reliability, availability, maintainability, and usability) are highly interrelated, and are achievable in a cost-effective way. The early experience at NASA helped me understand what would not work and why it wouldn't. The experiences at Cigital, Bell Labs, and a second stint at NASA helped me develop and refine a strategy for delivering high-quality, secure systems on schedule and on budget.

11. Forcing Firms to Focus: Is Secure Software in Your Future?

Beautiful security in software requires a fundamentally different business model from that which exists today. In fact, the current state of security in commercial software is rather distasteful, marked by embarrassing public reports of vulnerabilities and actual attacks, scrambling among developers to fix and release patches, and continual exhortations to customers to perform rudimentary checks and maintenance.

The solution is to embrace customer requirements for security controls in commercial software development. The business model for commercial software development firms has evolved to meet explicit customer requirements, but not implicit requirements, such as security. History has clearly shown that software providers are very good at delivering core functionality to meet customers' time-to-market needs. But removing security vulnerabilities has never before been an explicit requirement. Is it possible to add it to the requirements model in a way that benefits both customers and software providers?

12. Oh No, Here Come the Infosecurity Lawyers!

Plus ça change, plus c'est la même chose (the more things change, the more they stay the same).[84] In the area of information security, technology changes rapidly. As soon as the good folks catch up, the bad folks forge ahead with new attacks. In the area of information security, however, the saying holds true that the more things change, the more they stay the same.

Security professionals deal perennially with well-known and systemic problems, including poor user practices, buggy software, and a deliberate lack of leadership at the national level (at least in the United States, which has taken a market-driven approach up to this point). The pervasiveness of the problems, the regularity with which incidents containing common elements occur, and the depth of cultural influences that determine their continued existence suggest that legal intervention can make a difference. Indeed, information technology and law have already collided and will continue to collide at an increasing pace. In this chapter, I'll offer some anecdotes and principles that will hopefully help you understand the positive potential of the interaction between law and information security.

13. Beautiful Log Handling

A well-thrashed maxim proclaims that knowledge is power, but where do we get our knowledge about the components of information technology (IT) for which we're responsible: computers, networking gear, application frameworks, SOA web infrastructure, and even whatever future, yet-uninvented components come our way? The richest source of such information, almost always available but often unnoticed, are the logs and audit trails produced by the systems and applications. Through logs and audit trails, along with alerts, information systems often give signs that something is amiss or even allow us to look into the future and tell us that something will be amiss soon.

The logs might also reveal larger weaknesses, such as lapses in our controls that affect regulatory compliance. They even impinge on IT governance and, by extension, corporate governance, thus going even beyond the IT realm where they surfaced.

However, more often than not, such logs contain merely data (and sometimes junk data!) rather than information. Extra effort, sometimes gargantuan effort, is needed to distill that data into usable and actionable information about IT and our businesses.

14. Incident Detection: Finding the Other 68%

Midnight on Saturday, January 25, 2003, and something devastating was about to happen across the Internet. Hundreds of thousands of computer systems across the globe in data centers, corporations, and even homes were exposed to the massive attack that would soon be launched. The worm would exploit a known vulnerability in Microsoft SQL Server first reported a full six months earlier on July 24, 2002.

From our point of view at Symantec on that quiet night, analysts at our Security Operations Centers went through their normal routines, analyzing security incidents from hundreds of customers worldwide and looking for signs of cyber attacks. But the quiet shift erupted into a sudden storm, with our analysts' queues filling with tens of thousands of alerts within minutes. From the analysts' view, the monitored intrusion detection systems were all concurrently alerting us of an SQL buffer overflow as the monitored firewalls were detecting a flood of traffic on port 1434/udp.

15. Doing Real Work Without Real Data

The largest privacy breaches are caused by data thieves stealing the contents of corporate or government databases. Imagine a database that can do useful work without having any useful information in it. For instance, imagine a server that can answer questions about the items you purchased, your schedule for next Thursday, your favorite movies, or countless other details like other databases hooked up to the Internet, but if someone snuck through the firewalls, cracked the password layer, or found some way to get superuser control on the machine, he would find nothing he could use. Even if the evil hacker/ninja snuck into the server room and hooked the hard disk up to a forensic analyzer, there would be no juicy info available.

A database like this sounds impossible. How could the database answer questions about next Thursday without knowing something about what's going to happen next Thursday? It's got to have the data there somewhere, right?

Others have suggested suboptimal solutions to protecting sensitive data. But even if its locked away inside some electronic safe hidden in a virtual stonewalled chamber buried inside a cyber castle wrapped by an impenetrable software moat filled with digital acid that dissolves any bad bits that come in contact with it, the data is present and remains vulnerable to someone smart enough to simulate a privileged user.

16. Casting Spells: PC Security Theater

Storm clouds gather and there is unrest in the land; thieves wander the highway with impunity, monsters hide in every tree along the road, and wizards cast spells while handing travelers amulets for their protection. Believing in the power of the talismans, our hero strides forth, wrapped in his magical invincibility, confident he will be the master of any threat he encounters.

Our hero, however, has been deceived. The pratings of amulet peddlers were repeated endlessly by the untutored peasants around him, but he will soon discover that incantations and alchemy are poor substitutes for a real suit of armor, a sturdy sword by his side, and a good plan in his head.

Although this might seem like the start of a fantasy novel, it parallels the state of today's computer security.

The problem is not in the quality of the solutions we use to protect our computers; truly, many of today's security offerings are nothing short of wondrous, developed by dedicated, experienced, and uncommonly talented people. Yet when we look at the overall state of security, the achievements resemble misdirection and magic more than a responsible and effective strategy.

Details

E-Book (ePub): not encrypted; Sku 9780596555542; ISBN 9780596555542; file size 0 Bytes; printing not allowed; copying not allowed; read aloud not allowed.

Slices (ePub): not encrypted; printing allowed; copying allowed; read aloud allowed; Sku, ISBN, and file size in metadata.