The Dumbest Ideas In Computer Security. Marcus J. Ranum

Transcription

1 The Dumbest Ideas In Computer Security Marcus J. Ranum CSO, Tenable Network Security, Inc.

2 Who am I CSO of Tenable Network Security Makes innovative vulnerability detection and security event management tools Develops and supports the Nessus vulnerability scanner project Works with lots of MSPs and customers CyberTrust V-1 SmartWall Network Flight Recorder Trusted Information Systems

3 Intro Who is Tenable? We run the Nessus project More than 85,000 organizations world-wide We develop 99.9% of the plugins Develop and test all of Nessus 3 Still do a lot of work on and for Nessus 2 Enterprise Security Vendor Single vendor to offer enterprise security management solutions for: Vulnerability Management Compliance Monitoring & Reporting Security Event Management Network Behavioral Anomaly Detection Passive and Active Asset discovery More than 500 enterprise customers

4 What is Dumb?? Depending on which analysts you believe* the computer security market is billions of dollars, annually $6 b $200m * never a good idea

5 Dumb is Wasting Money ridiculously too many The number of systems penetrated continues to increase to the point where nobody even counts, anymore too many lots CERT throws in the towel and stops tracking machines compromised some Source: dept of made-up statistics

6 Chartology Red = bad thing Green = effort/expense A chart like this represents a hard-fought but ultimately effective effort

7 Chartology Red = bad thing Green = effort/expense A chart like this represents a rear-guard action

8 Chartology Red = bad thing Green = effort/expense A chart like this represents a sucking chest-wound

9 OK, so what s wrong? Computer security is off-course and has been for a long time Since the discovery of security as a market it s a big-money business Solutions (I.e.: expen$ive product$) rule over common sense Well marketed-to customers continually lurch from one complete solution that doesn t work to the next

10 What are the properties of secure systems??

11 Fundamental Security Problems Trusted Systems Design Assurance Code Quality Transitive Trust Authorization v. Authentication

12 Trusted System Design Understand the components of the system that must be trusted Compartmentized design Understand trusted paths in inputs and code Top-to-bottom approach Can t secure the network and not the host Can t secure the host and not the network Can t secure the data and not the O/S

13 Assurance Assurance is the degree of confidence you have that the system functions as it is designed to (Read Feynman on Challenger disaster) Assurance is a property of a system design It is not an add-on feature to be built in later (Sorry, Microsoft)

14 Code Quality Code quality is necessary to be assured that a system functions as designed Software as an engineering discipline Security and reliability needs to be: Factored into design Considered in code lay-out Checked in code review Test in QA Considered in maintenance

15 Transitive Trust If A trusts B and B trusts C - A trusts C and doesn t know it indeed A trusts everyone C trusts Dealing with transitive trust is a hard problem and may not be tractable Hackers basically ignore transitive trust also because most systems are so weak transitive trust attacks are unnecessary! Smart pen testers use transitive trust

16 Authorization V. Authentication Authentication: knowing who you are dealing with Authorization: knowing what a user is allowed to do Many fancy authentication systems (public key, etc) but authorization is a hard problem What do you do when an authorized user does an inappropriate thing?

17 OK, So Life Sucks! These are extremely hard (and therefore $$$$) problems to deal with What s the industry s answer? Attractive-sounding manure

18 A-SB: Antivirus Exhaustively list all the viruses on earth stop them when they get onto your computer or try to execute 175,000 different viruses and spyware* Fewer than 7,000 commonly-used business apps* Why list the bad stuff? List the good stuff! (trust-no-exe, program execution control, etc) * approximately

19 A-SB: Intrusion Prevention Make a dictionary of signatures that match various network-based hacks as they traverse your network Have a boundary device attempt to detect them fast enough to block them (put it in-line so it s a nice single point of failure!) This is very similar to antivirus, including how stupid an idea it is

20 A-SB: Intrusion Prevention(cont) A new trend some talk about is network compartmentalization * Identify segments of the network and enforce separation between them except fro necessary services I.e.: database network only traffic allowed in/out is oracle to server; backup servers and utility systems are screened I.e.: mail hub - only sent/delivered to/from a central port 25/IMAP-SSL server * New? I have PowerPoint slides from 1989 that teach how to do it...

21 A-SB: Outsourcing Security Premise: anything that is not a core competency should be done by someone else, who can do it cheaper Problem: If you never develop any knowledge of the problem how do you know if they are doing a good job? You know this: if your business thinks IT is not part of its core business, you ll be clobbered by an competitor in 10 years* *exception: gravel pits

22 A-SB: Rent-a-hacker pen-testing is the exact opposite of assurance by design tells you one of two things: You re screwed We don t know if you re screwed Trying to prove a system can t be hacked by trying to hack it is attempting to prove a negative More effective: external design review early and implementation validation

23 The 90 s Netscape IPO: the greatest disaster is software history Demonstrated incontrovertibly that the path to fortune in silicon valley is to throw shovelware over the fence Triggered the 10 year beta-test Dogmatized as extreme programming (I.e.: write code now and figure out what you were trying to accomplish later )

24 The 90 s (cont) What will it take to turn software development into an engineering discipline? (people who call the nonsense we do today software engineering need to be beaten) Network engineering and management are the next pain points

25 The 2010 s The next big frontier is going to be system administration The death of general-purpose computing PDAs become more powerful embedded appliances? Disposable computing? Ubiquitous computing? Operating systems that don t suck?

26 Windows Sys Administration 2020AD: The Infocalypse Earth Population Every man, woman, and child on earth (over the age of 6) will be a Windows system administrator 2020AD Systems under admin. Time

27 Summary: Danger signs: If you are - Listing lots of cases of bad stuff Constantly patching your code Running networks with open topologies Running networks with no idea what traffic crosses them Ignoring security in design process You may be in security hell

28 Summary 2: Remember, it s always much easier to not do something dumb than it is to do something smart

29 QUESTIONS?? blog.tenablesecurity.com