1.Security Overview And Patching
-
Upload
phanleson -
Category
Technology
-
view
599 -
download
1
description
Transcript of 1.Security Overview And Patching
Course 1: Overview of Secure Programming, Section 1Pascal Meunier, Ph.D., M.Sc., CISSPMay 2004; updated August 24, 2004Developed thanks to support and contributions from Symantec Corporation, support from the NSF SFS Capacity Building Program (Award Number 0113725) and the Purdue e-Enterprise CenterCopyright (2004) Purdue Research Foundation. All rights reserved.
Course 1 Learning Plan
Security overview and patching Public vulnerability databases and resources Secure software engineering Security assessment and testing Shell and environment Resource management Trust management
Overarching Goals
Understand the security mindset
Understand security definitions
Understand the risk and impact on industry of insecure software products
Understand patching costs
Understanding the Security Mindset
Security as…– an enabler– a process– risk management– a puzzle– a multidisciplinary science
Security as an Enabler
Common perspective: Security is an inconvenient obstacle that forbids actions
Correct perspective: Security enables projects and enterprises that would otherwise be impractical, by lowering risks
Analogy:– Are the tracks that a train must follow a restriction, or an
enabler?
Question
Provide another example where something that can be seen as an inconvenience or a restriction makes something else practical by lowering risks
Question Sample Answers
Provide another example where something that can be seen as an inconvenience or a restriction makes something else practical by lowering risks
– Restraints in amusement park rides– Seat belts– Dual-signature checks
Security as a Process
“I got software X so I’m safe”
What would you think of a railroad company that laid railroads without checking and maintaining their integrity?
"Old software never dies; it just becomes insecure.“ (Author unknown)
Need design, configuration, inspection, maintenance, management, updates– Provide assurance that track quality is acceptable
– Basis for trust
Processes can provide guarantees
Security as a Process Exercise
Discuss why old software can become insecure
Security as a Process Exercise Sample Answers
Discuss why old software can become insecure– Security objectives or policies have changed
Laws have changed Business model changed Company processes changed
– Environment has changed Configuration is out of date Operating system has changed Risks are different Protections have changed (e.g., firewall rules) Employees, units responsibilities have changed
– Vulnerabilities have been found Exploits, worms, viruses exploit them
– Input has changed e.g., old application made to work online (with a wrapper) Protocol changed
Security as Risk Management
How much is an asset worth? How vulnerable is the asset? What are the risks?
– Financial costs (contracts, sales, remediation, etc...)– Reputation (that alone killed the Arthur Anderson
accounting firm in the Enron scandal) Part of building trust is building secure software
– Employee loyalty, productivity and well-being Morale, self-respect
Security as Risk Management Question
You maintain a customer credit card database for your business. Which security questions would you ask to help you manage the risks to the database?
Security as Risk Management Possible Answers
You maintain a customer credit card database for your business. Which security questions would you ask to help you manage the risks to the database?– How valuable is the database to an attacker, to your
customers, and to you?– Who (and what) has access to the database?– How is the database protected?
Is it on a shared or dedicated host? Is there a path to the internet from the database? How well is the software kept up-to-date with patches? Are there applicable risk mitigation strategies?
– How long is credit card information kept?– Do customers have the option of re-entering their credit card
information every time instead of having it stored?
Security as a Puzzle
What can a skilled attacker contrive?– Which assumptions are being made?
Are they always true? What guarantees the assumptions? Is indirect evidence relied upon?
– Who and what can be trusted? Who controls, controlled or could control it?
– What logic flaws exist? Are all cases handled? (a single hole may sink the ship) Is there a transformation that makes all the pieces fall apart?
– What resources are exposed?
Security as a Puzzle Exercise
Give an example of an incorrect assumption made by an application that inhibits security– Example: some email clients assume that the standard
ports for IMAP, POP and SMTP protocols will always be used, and so it rejects server specifications with a port number: 127.0.0.1:1143 is rejected Consequence: the use of encryption through ssh tunneling is
discouraged
Security as a Puzzle Exercise Answers
Give an example of an incorrect security assumption made by an application.– Assuming that the file extension and the MIME type are
the same Decide to download something using the file extension, but
the file is processed according to another mime type– IE 5, 6
» CAN-2001-0712 Decide how to handle an email attachment based on the
MIME type, but the attachment really is an executable that gets launched!
– IE 5» CAN-2001-0154
Security as a Multidisciplinary ScienceSocial Engineering
Social engineering is used to exploit human trust through deception– Poor user interface design may facilitate social
engineering Example: In some email programs, someone could be fooled into
thinking that an attachment was a safe file, and open it. What appeared as "resume.txt" was in reality
– "resume.txt .exe"
User interface design affects the security of applications!
Security as a Multidisciplinary Science Social Engineering
You get a phone call from the CFO, on a trip, "I can't remember the VPN password, and I need a document now!"
Your account will be terminated tomorrow unless you take action, as described in this attachment!
Please help me get my money out of this crazy country!
Oh, no, I forgot my key/badge/token! Please, hold the door, I have my hands full! Thanks!
Security as a Multidisciplinary ScienceSocial Engineering
Most problems are related to identification without authentication– By phone– Online
Identification by impression and persuasion– Social mechanisms
Helpfulness Ingratiation (a.k.a. "brown-nosing") Conformity, peer pressure Diffusion of responsibility Friendliness
– Employees can do it even if they know they shouldn't!
Security as a Multidisciplinary ScienceSocial Engineering (continued)
Physical Security– Dumpster diving
Recon for attack– Phone books, calendars, etc...
– Backdoors, tailing someone through a door– Stealing documents...
Reverse Social Engineering– Instead of asking for information and help, you provide it
initially– Of course they need help because of something the
attacker did
Read more: Granger S. (2001, 2002) Security Focus "Infocus" articles
Security as a Multidisciplinary ScienceExercise: Social Engineering
Team up in groups of 2 or 3 and make up a skit to demonstrate a social engineering technique; your "victim" will be another student in the audience who will "fall for it". Follow it up with a second version showing the correct response. Do try to obtain the most outrageous results possible (while being convincing). After the skit, explain the preparation you would have needed to conduct the attack.– You can get inspiration from the table of correct responses
(Granger 2002): http://www.securityfocus.com/infocus/1533
Security as a Multidisciplinary SciencePsychological Effects
Security features (or the lack thereof) have psychological effects– SPAM: loss of value and control over an important
communication medium– Panoptical effects (feeling of being watched)
Can affect motivation, focus People perform differently
– Intellectual performance is typically lower under surveillance
Exercises
Identify a user interface limitation that may allow social engineering
Identify a security mechanism that may cause users to feel that they are being watched
Example Answers
Identify a user interface limitation that may allow social engineering– Phishing email scams
Look-alike web sites that capture passwords
Identify a security mechanism that may cause users to feel that they are being watched– Windows login banners– "Possibly" recorded phone calls to help centers
Overarching Goals
Understand the security mindset
Understand security definitions
Understand the risk and impact on industry of insecure software products
Understand patching costs
Vulnerability
A flaw in a system that allows a policy to be violated Example policy: the content on a web site is
restricted to authenticated users. Vulnerability: the web site relies on JavaScript to
be executed on the client browser for access control
Exploit: Disable JavaScript An abundance of vulnerable sites exist
Exploit
An exploit is the act of exercising a vulnerability Also used to refer to an actual program, binary or
script that automates an attack
Latent Vulnerabilities
Sometimes, a vulnerability can be protected by a change that leaves the vulnerable code in place:– some change external to the application (firewall)– a configuration change (disabling an option)– a code wrapper that blocks exploit attempts
A vulnerability that is not exploitable at the moment is a latent vulnerability
Potential Vulnerabilities
Bad practices, quality defects and other flaws that could result in vulnerabilities in a different code context are potential vulnerabilities
Exploitability
Difficult to establish whether a vulnerability is exploitable, latent or potential in complex systems
A latent or potential vulnerability can become exploitable when – The software is used in a different context sometime after
its design– The configuration is changed– The code is changed– Someone thinks of something you didn't
Is a memory leak exploitable?– It depends!
Exercise
Evaluate your security stance and risk tolerance. For each potential, latent and exploitable vulnerability you find, would you:
a) Ignore the problem to save money and development time
b) Add a "REVISIT" type of comment in the code or create an entry in the bug tracking database
c) Bring immediate attention to the problem
Exercise Typical Answer
a) Ignore the problem to save money and development time
b) Add a "REVISIT" type of comment in the code or create an entry in the bug tracking database
c) Bring immediate attention to the problem Option c) should be done first and serves as an
assessment step. Then, both b) and a) may also be done for the same issue. Ignoring the problem (temporarily?) can be justified depending on its severity and business circumstances (e.g., support for an end-of-life product ends sooner than the time required for a fix).
Exposure
An exposure is an information leak that may assist an attacker.
Examples:– Software identification and version number released when
connecting to a service, which may be used to select the most effective attack.
– When web pages display SQL error messages– When an IT person is having trouble (e.g., with their
firewall) and posts questions to public mailing lists with their company's email address
– Sun's "tar" utility disclosed part of the password file
Exercise
Identify other examples of information leaks that may assist an attacker
Exercise Sample Answers
Identify other examples of information leaks that may assist an attacker– Finger may release information about who is online, e.g.,
administrators– Source code leaks (if the code contains vulnerabilities)– Directory listings– Wireless networks that broadcast their existence
Security Objective
A security objective is a high-level description of what the program or system must accomplish.– Federal regulations drive many of these objectives
HIPAA (Health Insurance Portability and Accountability Act) etc...
– Examples: all money transfers must be legal the system must pass EAL4 Common Criteria certification
Policy
Policies specify which activities, states and processes are allowed.– Examples:
All users must be authenticated Money transfers can only be requested by the account
owner
Also refers to security models that specify rules Famous policies (e.g., see Bishop 2002):
– The Bell-LaPadula confidentiality model– The Biba integrity model– The Clark-Wilson integrity model
Risks to Confidentiality, Integrity and Availability
Confidentiality is threatened when information can be revealed in violation of a policy – Examples: eavesdropping and inadequate access control
Integrity is threatened when information can be manipulated by an attacker. – Example: "man-in-the-middle" attack
Availability is threatened when a resource can be disabled or made unavailable.
– Assets can be classified according to these
Example
An FTP server is read-only. If passwords are sent in clear text, what is threatened if transmissions are captured?– Confidentiality of the passwords
Confidentiality of the documents on the FTP server Confidentiality, Integrity and Availability of other resources
that use the same password!
Question
Privacy fits best into which category?
a) Confidentiality
b) Integrity
c) Availability
Question
Privacy fits best into which category?
a) Confidentiality (not a perfect fit)
b) Integrity
c) Availability
Note that some organizations prefer to put emphasis on privacy separately from CIA (e.g., Purdue University's Security and Privacy office). Also, privacy advocates consider it important to be able to verify the integrity of personal information, especially when that information can be used against them (e.g., credit reports).
Overarching Goals
Understand the security mindset
Understand security definitions
Understand the risk and impact on industry of insecure software products
Understand patching costs
Security Organizations
Security companies and organizations are held to a higher standard of security
– Reputation
Would you buy from an HVAC company that has broken A/C equipment in their offices?
Employees are responsible to protect the credibility of the company
Exercise
Name an industry sector, and something that would make you avoid a company working in that sector.
People Want Software That:
Is produced with security assurance
– Analogy: some applications exposed to the internet are like disguised cartons of eggs on the sidewalk
Lowers security risks – To comply with laws mandating low security risks
HIPAA GLBA (Gramm-Leach Bliley) FERPA
– To protect trade secrets and other valuable company information
Has fewer maintenance headaches (patching) and costs
Protects their reputation
Exercise
Identify risks that would cause you to stop using a product. Be specific.
Exercise Example Answers
Frequencies of vulnerabilities and patches Absence of patches (or slow turnover) for known
issues Severity of vulnerabilities Criticality of the application Unreliability of patches
– Patches that break previous fixes– Patches that are incompatible with other software– Downtime while applying patches
Unreliable file systems (non-journaled) Which matter most (for whom)?
Your motivation as a participant in software development
How important is quality?
– Quality assurance is inclusive of secure programming techniques
How much design?
– Information assurance happens by design
How risk-averse?
– Security problems in your projects and code can hurt your reputation as well as your employer's
Overarching Goals
Understand the security mindset
Understand security definitions
Understand the risk and impact on Symantec of insecure software products
Understand patching costs
Cost of Patching
Cost of evaluating vulnerability claims Cost of patch development and testing Cost of patch notification and download system NIST recommendation on applying patches (s.p.
800-40)– Patch and Vulnerability Group (customer's cost)
test patches notify administrators monitor application of patches by system administrators
Vulnerability scanning to verify or enforce
Question
Patches incur costs to?
a) the vendor
b) the customer
c) both
Question
Patches incur costs to?
a) the vendor
b) the customer
c) both
Cost of Patching vs Preventing Flaws
Security bugs are introduced at 3 different stages:
– Design and architecture
– Implementation
– Operations Fixing security bugs with a patch costs 60 times
more than catching them at design time*
*: IBM System Sciences Institute statistics, cited by Kevin Soo Hoo, Andrew W. Sudbury and Andrew R. Jaquith in "Tangible ROI through Secure Software Engineering," Secure Business Quarterly, Volume 1, Issue 2.
Question
If it costs $100,000 to issue each security patch, approximately how much could have been saved by correcting the problem at design time?
a) $9,800
b) $98,000
c) $980
Question
If it costs $100,000 to issue each security patch, approximately how much could have been saved by correcting the problem at design time?
a) $9,800
b) $98,000
c) $980
• Note: It isn’t possible to catch all security flaws at design time.
Results from Current Software Engineering Methods
>1000 reported vulnerabilities each year
About 50% of vulnerabilities are commonly repeated mistakes
About 25% of vulnerabilities could be avoided by applying secure design principles at design time
Need new methods
Patches created using the same development methods that created the buggy software, are likely buggy themselves! “We can't solve problems by using the same kind of
thinking we used when we created them.” (Albert Einstein)
Question
Approximately what percentage of documented vulnerabilities are common repeated mistakes?
a) 25%
b) 50%
c) 75%
Question
Approximately what percentage of documented vulnerabilities are common repeated mistakes?
a) 25%
b) 50%
c) 75%
Question (guess)
How much money does a developer for a large software project typically save a company when catching and fixing a vulnerability during development instead of patching?
a) $1,000
b) $10,000
c) $100,000
A vulnerability fixed before release may take one hour, compared to weeks of several people's time to fix it after release.
Answer
c) $100,000
Without counting 1) costs to customers
– Especially if revenue-generating activities are interrupted!
2) intangible costs
Motivation and Definitions: End
Scrabble copyright Hasbro
About These Slides
You are free to copy, distribute, display, and perform the work; and to
make derivative works, under the following conditions.
– You must give the original author and other contributors credit
– The work will be used for personal or non-commercial educational uses
only, and not for commercial activities and purposes
– For any reuse or distribution, you must make clear to others the terms of
use for this work
– Derivative works must retain and be subject to the same conditions, and
contain a note identifying the new contributor(s) and date of modification
– For other uses please contact the Purdue Office of Technology
Commercialization.
Developed thanks to the support of Symantec Corporation
Pascal [email protected]:Jared Robinson, Alan Krassowski, Craig Ozancin, Tim Brown, Wes Higaki, Melissa Dark, Chris Clifton, Gustavo Rodriguez-Rivera