Security Implications of Future Networking and Communications Systems
Presented to: IEEE GlobeCom 2005
St. Louis, MO, December 1, 2005
Joan Woodard, Ph.D., Executive Vice-President
Sandia National Laboratories
Introduction
Some Characteristics of Future Networking and Communication Systems
• More information, accessed and processed faster
• Increased use of reconfigurable logic (soft hardware) rather than “ASICs” or software
• Quantum Information Technology
– will improve cryptanalysis
– improve encryption techniques
– bring new challenges for communication systems
• More malicious code attacks
Sandia is working to improve our posture in all of these areas.
Shocking Facts about Information Security
• SCADA Attack – Malicious code implant caused rupture of gas pipeline in Siberia, largest non-nuclear explosion on record <3KT>, 1982
• NIPRNET Attack – SuperSlammer worm infected 60% of NIPRNET computers in eight minutes.
• Nuclear Power Plant Attack – A recent worm infected the business network at Ohio’s Davis-Besse nuclear power plant and spread to the process control network (fortunately off-line at the time).
• Botnet Attack
– Used for Denial of Service
– Potentially used for criminal activity
Our reliance on Information and Information Technology is inconsistent with our ability to protect it.
Two general approaches to address this problem
• Lower our dependence on information and information technology
• Improve our ability to protect information and information technology
How do we lower our dependence on secure information?
• To the extent that we can minimize reliance on the need for information in new systems designs, we should.
• However in general we expect our dependence on information to grow.
How do we improve our ability to protect information and information systems?
A: Improve basic processes
B: Improve system protections
– Technological
– People
C: Improve high assurance methods
D: Improve modeling/simulation
A: Improve Basic Processes
• Define security processes for:
– Identifying information that is sensitive to unauthorized disclosure, modification, denial of service, and misuse
– Identifying those authorized for disclosure, modification, reconfiguration (denial) of service
– Preventing unauthorized access, monitoring use, responding appropriately
– Accrediting information systems for protection of the assets they contain
Assessment & Red Teaming Based on Threat Analysis
Attack graphs are used to understand options from a threat perspective.
The Red Team & Assessment Adversarial Modeling Process is used to refine the definition of the threat.
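As an added worked example (not from the talk and not Sandia's tooling), the following Python builds a small constructed attack graph, enumerates the adversary's paths from an entry point to a target asset, and then answers the defender's questions: which nodes every path passes through (choke points) and the smallest set of edges a protection must cover to sever every path. The topology, node names and the simplification that one protection removes one edge are assumptions for illustration.

```python
from itertools import combinations
from collections import deque

# Constructed attack graph for illustration: each key is a position an
# adversary could hold, each value lists positions reachable in one step.
# The topology is invented and does not describe any real network.
ATTACK_GRAPH = {
    "internet": ["dmz_web"],
    "dmz_web": ["mail_relay", "app_server"],
    "mail_relay": ["app_server"],
    "app_server": ["db_server", "scada_gateway"],
    "db_server": ["scada_gateway"],
    "scada_gateway": ["plc"],
    "plc": [],
}


def enumerate_paths(graph, source, target):
    """All simple paths from source to target: the adversary's options."""
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(list(path))
            return
        for nxt in graph[node]:
            if nxt not in path:          # keep paths simple (no cycles)
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    walk(source, [source])
    return paths


def reachable(graph, source, target, blocked=frozenset()):
    """Breadth-first search with a set of blocked (u, v) edges removed."""
    seen, queue = {source}, deque([source])
    while queue:
        node = queue.popleft()
        if node == target:
            return True
        for nxt in graph[node]:
            if (node, nxt) not in blocked and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def choke_points(graph, source, target):
    """Nodes every path passes through: where one protection covers all options."""
    paths = enumerate_paths(graph, source, target)
    if not paths:
        return set()
    common = set.intersection(*(set(p) for p in paths))
    return common - {source, target}


def minimal_edge_cut(graph, source, target, max_size=3):
    """Smallest set of edges whose removal (a protection placed on each)
    leaves no path at all; exhaustive search, so only for small graphs."""
    edges = [(u, v) for u in graph for v in graph[u]]
    for size in range(1, max_size + 1):
        for combo in combinations(edges, size):
            if not reachable(graph, source, target, frozenset(combo)):
                return combo
    return None


if __name__ == "__main__":
    for p in enumerate_paths(ATTACK_GRAPH, "internet", "plc"):
        print(" -> ".join(p))
    print("choke points:", choke_points(ATTACK_GRAPH, "internet", "plc"))
    print("minimal cut:", minimal_edge_cut(ATTACK_GRAPH, "internet", "plc"))
```

The path list is the "options from a threat perspective"; the choke points and the minimal cut show where a single control buys the most coverage. Re-running the analysis after each protection is added is the refinement loop the adversarial modeling process describes.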
B: Improve System Protections (Technological)
• Use a well-founded Risk Assessment Methodology*:
– Identification of threats to specific assets
– Map protections to these “threat-asset pairs”
– Analyze “residual risk”
– Iterate to achieve “acceptable” risk
(Better metrics will improve this process…)
• Better Protection Technology
– better encryption
– better configuration control
– better access control
– applying system of systems …
– other technologies
*For example: “A Security Methodology for Computer Networks”, L. G. Pierson and E. L. Witzke, AT&T Technical Journal, May-June 1988
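An added example (not the Pierson/Witzke methodology itself and not Sandia code) of the four steps as a small Python risk register: threat-asset pairs carry a likelihood and an impact, protections are mapped to a pair and each removes an assumed share of the likelihood, residual risk is residual likelihood times impact, and the iterate step keeps mapping the strongest unused protection to the riskiest pair until every pair is at or below an acceptable level. All numbers, protection names and the multiplicative effectiveness model are constructed.

```python
from dataclasses import dataclass, field

# Constructed protection catalogue: the fraction of a threat's likelihood
# each protection is assumed to remove. Illustrative numbers only.
PROTECTIONS = {
    "encryption": 0.7,
    "access_control": 0.5,
    "configuration_control": 0.4,
    "intrusion_detection": 0.3,
}


@dataclass
class ThreatAssetPair:
    asset: str
    threat: str
    likelihood: float                 # estimated annual probability (constructed)
    impact: float                     # consequence if it occurs (arbitrary units)
    protections: list = field(default_factory=list)


def residual_likelihood(pair):
    """Likelihood left after each mapped protection removes its share."""
    remaining = pair.likelihood
    for name in pair.protections:
        remaining *= 1.0 - PROTECTIONS[name]
    return remaining


def residual_risk(pair):
    return residual_likelihood(pair) * pair.impact


def iterate_to_acceptable(pairs, acceptable, catalogue):
    """The iterate step: repeatedly take the pair with the highest residual
    risk and map the strongest unused protection to it, until every pair is
    at or below the acceptable level or no protection is left to add."""
    decisions = []
    while True:
        worst = max(pairs, key=residual_risk)
        if residual_risk(worst) <= acceptable:
            return decisions
        unused = [p for p in catalogue if p not in worst.protections]
        if not unused:
            return decisions      # remaining risk must be accepted or the asset redesigned
        chosen = max(unused, key=lambda p: PROTECTIONS[p])
        worst.protections.append(chosen)
        decisions.append((worst.asset, worst.threat, chosen, round(residual_risk(worst), 2)))


def sample_register():
    """Constructed threat-asset pairs for the worked example."""
    return [
        ThreatAssetPair("pipeline SCADA network", "malicious code implant", 0.2, 100.0),
        ThreatAssetPair("customer database", "unauthorized disclosure", 0.5, 40.0),
        ThreatAssetPair("public web server", "denial of service", 0.6, 5.0),
    ]


if __name__ == "__main__":
    register = sample_register()
    for decision in iterate_to_acceptable(register, acceptable=5.0, catalogue=list(PROTECTIONS)):
        print(decision)
    for pair in register:
        print(f"{pair.asset}: residual risk {residual_risk(pair):.2f} with {pair.protections}")
```

With these inputs the two pairs that start at a risk of 20 each receive encryption and then access control before they fall under the threshold, while the low-impact web server pair needs nothing. The greedy choice by effectiveness is the simplest rule; weighting by cost, or by the metrics the slide says are still missing, changes which protection is picked but not the structure of the loop.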
Better Protection Technology
High Speed Encryption
Communication Security Protocols
1996 R&D 100 Award: Scaling Encryption
B: Improve System Protections (People)
• Better personnel assurance
– Principle of Least Privilege
– Minimize insider threat
– Design in “deterrence”
– Practice “Need-to-Know”
– Security conscious users report anomalies
C: Improve High Assurance Methods
• Today’s computers are designed to execute any arbitrary program (even malicious ones)
• Build “inherent security” into systems from the start, rather than “bolting on later”
• Need trusted systems built from trusted and untrusted components (composed from “COTS” elements)
– Trusted Computing Group (TCG)
– Microsoft’s Next Generation Secure Computing Base (NGSCB)
D: Improve Modeling/Simulation
• Detect unknown vulnerabilities
– Current stand-alone SCADA systems are being replaced with Internet-connected ones
– More people have access; disruptions can be caused by hackers who have no training in control systems engineering
– The use of the Internet exposes SCADA systems to all the inherent vulnerabilities of interconnected computer networks that are currently being exploited by hackers, organized crime, terrorist organizations, and nation states.
• Especially vulnerable is the electric power grid.
– Complex systems
– Interconnected infrastructures
– Cascading failures
D: Improve Modeling/Simulation
System Dynamics Modeling
• Characteristics
– Based on stocks and flows of infrastructure goods, commodities, and finances
– Performs quick simulations and analyses of aggregate, dynamic infrastructure interactions
– Provides a systems-wide view of infrastructure operations, including interdependency effects
• Uses
– Quantified consequences for evaluating risks
– Limiting factors under different ambient conditions, hypothetical events, policies
– Effects of alternatives, pathways, redundancies, and inventories
– Potential magnitude, location and timing of disruptions that propagate to other infrastructures and regions
– Positive and negative feedbacks from interdependencies and their net effect on the supply/demand balance
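The following Python is an added, deliberately small stock-and-flow model illustrating the characteristics listed above; it is not Sandia's infrastructure model. Two sectors, electric power and telecom, each hold one stock (delivered capacity as a fraction of nominal), each depends partly on the other, losses propagate immediately and recovery is gradual. A disruption to power alone is simulated, and the summary reports the consequence in the sector that was never hit directly together with the recovery time after the event ends. Sector names, coefficients and the disruption are all assumed.

```python
# Constructed two-sector stock-and-flow model (illustrative only).
# Stocks: delivered capacity of each sector as a fraction of nominal (1.0).
# Flows: immediate loss down to whatever the sector can currently support,
# gradual recovery back up. Each sector can only operate up to the share its
# own resources cover plus the share supported by the other sector.
PARAMS = {
    "power_self": 0.5,           # share of power capacity not needing telecom (assumed)
    "telecom_self": 0.3,         # share of telecom capacity not needing power (assumed)
    "recovery": 0.2,             # fraction of the gap closed per step (assumed)
    "power_cap_disrupted": 0.6,  # power capacity available during the event (assumed)
}


def step(power, telecom, disrupted, params=PARAMS):
    """Advance both stocks by one time step and return the new levels."""
    power_cap = params["power_cap_disrupted"] if disrupted else 1.0
    # Interdependency: the limit each sector can reach depends on the other's level.
    power_limit = min(power_cap, params["power_self"] + (1 - params["power_self"]) * telecom)
    telecom_limit = params["telecom_self"] + (1 - params["telecom_self"]) * power
    # Loss is immediate (the min), recovery closes only part of the gap per step.
    new_power = min(power_limit, power + params["recovery"] * (power_limit - power))
    new_telecom = min(telecom_limit, telecom + params["recovery"] * (telecom_limit - telecom))
    return new_power, new_telecom


def simulate(horizon=80, disruption=(5, 10), params=PARAMS):
    """Run the model with a power disruption during [start, end); return (t, power, telecom) rows."""
    start, end = disruption
    power, telecom = 1.0, 1.0
    series = [(0, power, telecom)]
    for t in range(1, horizon + 1):
        power, telecom = step(power, telecom, start <= t < end, params)
        series.append((t, power, telecom))
    return series


def summarize(series, disruption=(5, 10), restored=0.99):
    """Quantified consequences: worst level and its timing per sector, and how
    many steps after the event ended both sectors were back above `restored`."""
    _, end = disruption
    power_low = min(series, key=lambda row: row[1])
    telecom_low = min(series, key=lambda row: row[2])
    back = next((t for t, p, c in series if t >= end and p >= restored and c >= restored), None)
    return {
        "power_min": power_low[1], "power_min_t": power_low[0],
        "telecom_min": telecom_low[2], "telecom_min_t": telecom_low[0],
        "recovery_steps_after_event": None if back is None else back - end,
    }


if __name__ == "__main__":
    rows = simulate()
    for t, p, c in rows[:16]:
        print(f"t={t:2d}  power={p:.3f}  telecom={c:.3f}")
    print(summarize(rows))
```

The run shows the three things the slide lists as uses: the magnitude of the consequence (power falls to 0.6, telecom to 0.72), its timing and location (telecom bottoms out one step after power although only power was disrupted), and the feedback effect (because each sector's ceiling is set by the other, full recovery takes many times longer than the five-step event). Changing `power_self` or `telecom_self` is the "effects of redundancies" question.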
How do we protect against loss of physical assets (today)?
• Passive protection (fortification (concrete), disguise/hide)
• Armed guards and legal authority to use lethal force
• Monitoring/response (video cameras, sensors, response force)
• Insurance (measured value, characterized threat, risk management)
• Investigation (was there a theft? What was its value? Who did it?)
• Deterrence?
Information assets differ from physical assets
• Can be given away and still kept
• Can be stolen and not missed
• Can be distributed almost instantly
• Cannot easily tell if it is authentic or not
• Complexity (system of systems)
• Forensics
How do we protect against loss of information assets today?
• Passive protection (firewall functions, proxy devices, encryption, etc.)
– Basic problem is discrimination between good and bad / authorized and unauthorized access
• Posting guards (N/A)
• Monitoring/response (computer intrusion detection systems and pagers to summon a system manager)
• Insurance (backups protect against data corruption and system failure, but data valuation and threat characterization is hard)
• Investigation (logs, digital forensics tools, but complexity, large data, lack of computer awareness makes this hard)
• Hard to determine how much security is enough
• How to balance physical protective systems and cyber protective systems in order to minimize risk and minimize overall cost for both protective systems
Future View/Future Threat
For example,
• Game changing technologies
• Composing trusted systems from both trusted and untrusted components
• Solutions for broad classes of problems rather than individual cases
• Methods of detecting unknown malicious code rather than known
• More sophisticated threat with wider range of access points (wireless laptops, PDA’s, cell phones, etc.)
How much is enough?
[Figure: chart of Risk against Investment. Total Systematic Risk falls as investment moves through Security Policy, Implementation/Enforcement and Auditing into an Acceptable Risk Region; a Security Engineering and Intelligence Function supplies mitigation for specific threats. Non-systematic threats are ordered by Threat Level from User (unskilled, unorganized) through skilled, unorganized to skilled, organized, with the adversary classes Hacker, Hacker Coalitions, Organized Crime, and Terrorists / Nation State.]
Technologies that will “change the game”
• Reconfigurable Logic (soft hardware) is replacing ASIC technology in many markets… we will require new techniques to assure these devices are configured and maintained as intended (without introduction of “malware”, just as we have virus checkers, etc. today for software)
• Tamper-Resistant Cryptographic Authentication of hardware and software (continuously, as programs are executing) will turn low assurance systems into high assurance systems.
• Quantum Information Technology will improve cryptanalysis (rendering some encryption techniques obsolete) and also improve encryption techniques (introducing new challenges for communication systems, especially in long haul telecommunications).
Tamper-Resistant Cryptographic Authentication
• Problem: Current computing architectures are “inherently insecure” because they are designed to execute ANY arbitrary sequence of instructions and are therefore subject to subversion by malicious code.
• Goal: Produce a cryptographic method of “tamper-proofing” code over a large portion of the software/hardware life cycle by decrypting/authenticating each instruction within the CPU.
• Accomplishments: Demonstrated “shrink-wrapping” of applications running in reconfigurable processor and now increasing cryptographic protection. Initial “security analysis” completed. Next step would incorporate chip level physical tamper-proofing techniques and apply to specific applications.
Cryptographically Enabled CPU
[Figure: code distribution from a Trusted Facility (ascertain code correctness; compile and “shrinkwrap” code; apply copy protections, if necessary) produces an object file loaded into memory as Object 1 … Object n, each with a Code segment and a Data segment under its own keys (K1,c and K1,d … Kn,c and Kn,d). A key-agile encryptor/decryptor, selected by the code and data segment pointers, sits between memory (address; data or instructions) and the CPU inside a Protected Volume (Trusted Facility).]
*“Secure Computing using Cryptographic Assurance of Execution Correctness”, in Proceedings, 2004 International Carnahan Conference on Security Technology
Scope of Protection in the Software Lifecycle: Security Analysis
• Objective: Protect against introduction of malicious code over a large portion of the software life cycle
[Figure: software lifecycle chain Requirements → Design → Code → Compile → Package → Distribute → Install → Execute (Load, Fetch, Decode), with four exploit points marked along the chain.]
Quantum Information Technology
• Security of current key exchange systems is based on the inability to factor large numbers*
• A quantum computer is inherently well suited to this problem (Shor’s algorithm provides exponential speedup)
– May threaten security of current cryptosystems
• Recent physics experiments have demonstrated feasibility of the QC concept on a small scale (few qubits)
From D. P. DiVincenzo, Quant. Inf. Comp. 1 (Special), 1 (2001)
*Bouwmeester, et al., The Physics of Quantum Information, 2000.
• Quantum Cryptography (Quantum Encoding for Secrecy) will improve this situation
– Currently slow, short distances, not applicable to storage
Trusted systems from trusted & untrusted components
• Certification of highly trusted COTS elements
• Need methodology to combine trusted and less trusted components so as to improve the security of an infrastructure
• Goal: Increase infrastructure security, reduce cost of security
• Virtualized Architecture
Improve security of infrastructure composed of trusted and less trusted components.
Current Situation
• Current computing architectures are “inherently insecure” -- they are designed to execute ANY arbitrary sequence of instructions.
– Need to modify computing architecture
– Achieve modification by incorporating encryption and authentication into the fetching of the instruction stream
– Careful revision of computing architecture can accomplish this while preserving huge investment in software/hardware infrastructure
– First applications will be “high consequence” ones that can sustain the performance degradation of the cryptographic overhead
– Combine these more trusted components with less trusted components to achieve a more secure infrastructure at manageable cost.
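As an added example serving both this slide and the Tamper-Resistant Cryptographic Authentication slide above, the Python below simulates the idea in software: a trusted-facility step “shrink-wraps” a toy program by encrypting each instruction word under the object's confidentiality key and binding it to its address with an HMAC under the object's authentication key, and a toy CPU authenticates and decrypts every word as it is fetched, choosing the keys per code segment (the key-agile part). It is not the Sandia design and not real CPU hardware; the stack machine, opcode table, key derivation and SHA-256-based keystream are assumptions, and a production design would use a proper authenticated cipher mode with tag sizes chosen for its threat model.

```python
import hmac
import hashlib
import struct

# Toy stack machine used only for this illustration; the opcode table is constructed.
OPCODES = {"PUSH": 1, "ADD": 2, "HALT": 3}
WORD = 5   # one opcode byte + a 4-byte operand
TAG = 8    # truncated HMAC appended to each sealed word


class FetchRejected(Exception):
    """Raised by the CPU when a fetched word fails authentication."""


def derive_keys(master):
    """Split an object's master key into a confidentiality key and an authentication key."""
    k_conf = hmac.new(master, b"confidentiality", hashlib.sha256).digest()
    k_auth = hmac.new(master, b"authentication", hashlib.sha256).digest()
    return k_conf, k_auth


def keystream(k_conf, addr):
    """Per-address keystream, so the same instruction encrypts differently at each address."""
    return hashlib.sha256(k_conf + struct.pack(">I", addr)).digest()[:WORD]


def seal_word(k_conf, k_auth, addr, plain):
    """Encrypt one word and bind the ciphertext to its address with a MAC."""
    cipher = bytes(p ^ k for p, k in zip(plain, keystream(k_conf, addr)))
    tag = hmac.new(k_auth, struct.pack(">I", addr) + cipher, hashlib.sha256).digest()[:TAG]
    return cipher + tag


def open_word(k_conf, k_auth, addr, sealed):
    """Authenticate first, then decrypt; any mismatch refuses the fetch."""
    cipher, tag = sealed[:WORD], sealed[WORD:]
    expected = hmac.new(k_auth, struct.pack(">I", addr) + cipher, hashlib.sha256).digest()[:TAG]
    if not hmac.compare_digest(tag, expected):
        raise FetchRejected(f"authentication failed at address {addr:#x}")
    return bytes(c ^ k for c, k in zip(cipher, keystream(k_conf, addr)))


def shrinkwrap(program, base, master):
    """Trusted facility step: assemble the program and seal each word to its address."""
    k_conf, k_auth = derive_keys(master)
    memory = {}
    for offset, (op, operand) in enumerate(program):
        addr = base + offset
        memory[addr] = seal_word(k_conf, k_auth, addr, struct.pack(">BI", OPCODES[op], operand))
    return memory


class CryptoCPU:
    """CPU whose fetch path authenticates and decrypts every instruction; the segment
    table makes it key-agile, opening each object's code with that object's own keys."""

    def __init__(self, memory, segments):
        self.memory = memory
        self.segments = segments          # (base, length, master_key) per code object
        self.stack = []

    def keys_for(self, addr):
        for base, length, master in self.segments:
            if base <= addr < base + length:
                return derive_keys(master)
        raise FetchRejected(f"no code segment covers address {addr:#x}")

    def run(self, pc, max_steps=1000):
        for _ in range(max_steps):
            k_conf, k_auth = self.keys_for(pc)
            opcode, operand = struct.unpack(">BI", open_word(k_conf, k_auth, pc, self.memory[pc]))
            pc += 1
            if opcode == OPCODES["PUSH"]:
                self.stack.append(operand)
            elif opcode == OPCODES["ADD"]:
                b, a = self.stack.pop(), self.stack.pop()
                self.stack.append(a + b)
            elif opcode == OPCODES["HALT"]:
                return self.stack[-1]
        raise RuntimeError("step limit reached")


MASTER_KEY = b"constructed master key for object 1"            # placeholder, not a real key
PROGRAM = [("PUSH", 3), ("PUSH", 4), ("ADD", 0), ("HALT", 0)]   # computes 3 + 4
BASE = 0x100


def _outcome(memory):
    try:
        return CryptoCPU(memory, [(BASE, len(PROGRAM), MASTER_KEY)]).run(BASE)
    except FetchRejected as err:
        return str(err)


def run_clean():
    return _outcome(shrinkwrap(PROGRAM, BASE, MASTER_KEY))


def run_with_implant():
    """A word is overwritten in memory by someone without the object's key."""
    memory = shrinkwrap(PROGRAM, BASE, MASTER_KEY)
    memory[BASE + 2] = bytes(WORD + TAG)          # zeroed word, carries no valid tag
    return _outcome(memory)


def run_reordered():
    """Two authentic words are swapped; the address bound into the MAC still catches it."""
    memory = shrinkwrap(PROGRAM, BASE, MASTER_KEY)
    memory[BASE], memory[BASE + 1] = memory[BASE + 1], memory[BASE]
    return _outcome(memory)
```

The untouched program runs to completion and returns 7; the implanted word is refused at fetch time, so the CPU never decodes it; and swapping two genuine words is refused as well, because the tag covers the address, not just the word. That last case is why binding to the address matters: without it an adversary holding only authentic ciphertext could still rearrange the instruction stream.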
Technical Problem
• Problem: Current methods of enforcing security policy depend on security patches, anti-virus protections, and configuration control in the end user’s computer at ever increasing intervals.
• Goal: To “harden” computer infrastructure with a combination of high assurance and low assurance (and higher performing) components. (at a lower cost than replacing the entire infrastructure with high assurance components)
Infrastructure Security
[Figure: Required Security Personnel under the Current Methodology compared with the Scalability Goal.]
Improve security of infrastructure composed of trusted and less trusted components.
Challenges to Industry
• “Sell security” (insert “inherently secure” requirements into business model)
– Assure vs “Assure Against”
– Security vs time-to-market
» vs cost
» vs ease of use
» vs information richness
– Collective Security vs Personal Autonomy
• Adopt security methodology countering “incremental security”
• Human factors engineering
Challenges to Research Community
• Focus on cyber security technology
• Increase government and academic partnerships
Challenges To All
• Facilitate information sharing on threats, vulnerabilities
Concluding Thoughts
• Systems are increasingly complex and interconnected
• Threat is becoming more sophisticated
• New technologies will impact security
• The attackers are far ahead of the defenders
Paradigm shift: We need a quantum leap in security by designing inherently secure information systems.
Questions?