I. Security Business

------------------------------------------
FOLLOW THE MONEY!

To understand threats to security and evaluate their likelihood,
we should understand how people make money from
security threats and from security products/services.
------------------------------------------

A. bad actors

------------------------------------------
BAD ACTORS: WHO ARE THEY?

Criminals
  - collecting credit card information
  - stealing from online banking
  - stealing industrial secrets
  - ransomware

Botnet herders:
  - delivering spam
  - generating fraudulent ad clicks
  - generating revenue for 1-900 (premium-rate) numbers
  - protection rackets (DDoS)

They don't want you to:
------------------------------------------

------------------------------------------
GOOGLE AS A SOURCE OF MONEY

John Viega in Chapter 7 of "The Myths of Security":

  Google ads pay per "click"

  Click fraud = clicks that are not from real customers

  Click fraud can earn money:
    20 clicks a day x $10/click = $200/day = $73K/yr
------------------------------------------

What security service does click fraud violate?

------------------------------------------
ONLINE BANKING AS A SOURCE OF MONEY

Banks don't want fraud, certainly.
But they want customers!
  so just a password protects the account

Standard tradeoff:
------------------------------------------

What are other examples where we trade off usability and security?

Is it always the case that security implies no usability, and vice versa?

B. good actors

------------------------------------------
GOOD ACTORS: WHO ARE THEY?

Government:
  Dept. of Homeland Security (www.dhs.gov/topic/cybersecurity)
  FBI

Antivirus companies:
  McAfee, Symantec, ...

Other security companies:
  Raytheon, MITRE (a not-for-profit that operates federally funded R&D centers), ...
------------------------------------------

C. absolute security doesn't exist

------------------------------------------
ALL SECURITY IS RELATIVE

We can just make attacks more expensive.
E.g., you can buy a safe,
  install it in the wall of your home,
  put a fence around the home,
  hire a security company to monitor it.
Is that absolute security for the safe's contents?
------------------------------------------

So what are we trying to do in this class with software security?

II. varieties of attacks

A. types of malware

------------------------------------------
MALWARE: CHARACTERISTIC MODES OF OPERATION

self-replicating: aggressively copies itself
                  vs. passive/accidental copying by users

population growth: growing or stable

parasitic: requires other software to exist
------------------------------------------

1. logic bomb

------------------------------------------
LOGIC BOMB

self-replicating: no
population growth: 0
parasitic: possibly

2 parts: trigger and payload

    ...
    if (condition()) {     /* trigger */
        payload();
    }
    ...
------------------------------------------

What could a logic bomb be used for?

2. trojan horse

------------------------------------------
TROJAN HORSE

self-replicating: no
population growth: 0
parasitic: yes (imitates the behavior of another program)
------------------------------------------

What can a trojan horse be used for?

3. back door

------------------------------------------
BACK DOOR

self-replicating: no
population growth: 0
parasitic: possibly

    user = read_username();
    pass = read_password();
    if (user == "133t h4ck0r") {           /* hard-coded bypass: password never checked */
        return ALLOW_LOGIN;
    } else if (check_login(user, pass)) {  /* the legitimate path */
        return ALLOW_LOGIN;
    } else {
        return DENY_LOGIN;
    }
------------------------------------------

What can a back door be used for?

4. virus

------------------------------------------
VIRUS

self-replicating: yes
population growth: positive
parasitic: yes

    infect();              /* copy self into another program */
    if (trigger()) {
        payload();
    }
------------------------------------------

What is that like?
What can a virus be used for?

5. worm

------------------------------------------
WORM

self-replicating: yes
population growth: positive
parasitic: no

    propagate();           /* copy self to another host; no host program needed */
    if (trigger()) {
        payload();
    }
------------------------------------------

What does this look like?
What can a worm be used for?

6. blended threats

III. Threat modeling

------------------------------------------
THREAT MODELING

Goal: develop security requirements;
      handle each threat appropriately

Looks at:
  - What the system is designed to protect
  - From whom it is to be protected

Process:
A. Enumerate all possible threats:
   1. Characterize the system
   2. Identify assets and access points
   3. Identify threats
B. For each possible threat:
   1. How critical is it?  (based on the value of the assets)
   2. How likely is it?    (based on who might gain from it)
   3. What should be done?
      a. mitigate it, or
      b. accept the risk
------------------------------------------

Why not just protect against all possible threats as well as can be done?
What do you get from the process described?

A. Characterizing the system

------------------------------------------
CHARACTERIZING THE SYSTEM

Depends on the kind of system:
  - single-computer app: use a Data Flow Diagram
  - networked system: use a network model
------------------------------------------

1. Traditional Apps and Data Flow Diagrams

------------------------------------------
DATA FLOW DIAGRAM

Nodes are

Arrows represent

E.g., payroll system
------------------------------------------

------------------------------------------
PAYROLL SYSTEM THREAT ANALYSIS (1)

What assets?

What access points?
------------------------------------------

------------------------------------------
PAYROLL SYSTEM THREAT ANALYSIS (2)

def: *threats* are an

What could be a threat?

threat identification method:
  for each asset, how could an adversary's goal apply to it?

What are the possible attacks?
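One concrete answer to "what could be a threat at an access point" is the BACK DOOR pseudocode from section II.A.3: a hard-coded identity in the login path of the payroll system. The following is an added example, not code from the lecture notes: the back door as runnable Python, beside a hardened login with no special-cased identities, plus a small static check that flags the back door's tell-tale shape during code review. The user name, password, PBKDF2 work factor and source snippets are all constructed for this example.

```python
"""Added example, not from the lecture notes: the BACK DOOR pseudocode
from section II.A.3 as runnable Python, beside a hardened login, plus a
small static check that flags the back door's tell-tale shape.  Every
user, password and source snippet here is constructed for the example."""
import ast
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000          # assumption: a modest work factor for the demo


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user_db(creds: dict) -> dict:
    """user -> (salt, pbkdf2 hash); stands in for the system's user store."""
    db = {}
    for user, pw in creds.items():
        salt = os.urandom(16)
        db[user] = (salt, _hash(pw, salt))
    return db


def check_login(user: str, password: str, db: dict) -> bool:
    """The legitimate path: look up the user, compare hashes in constant time."""
    rec = db.get(user)
    if rec is None:
        _hash(password, b"\x00" * 16)   # same cost as a real check: no user-enumeration timing
        return False
    salt, stored = rec
    return hmac.compare_digest(_hash(password, salt), stored)


def backdoored_login(user: str, password: str, db: dict) -> bool:
    """Shape of the slide's pseudocode: one hard-coded identity skips the check."""
    if user == "133t h4ck0r":            # the back door: any password is accepted
        return True
    return check_login(user, password, db)


def hardened_login(user: str, password: str, db: dict) -> bool:
    """No special-cased identities: every caller goes through check_login."""
    return check_login(user, password, db)


def find_hardcoded_identity_checks(source: str) -> list:
    """Review heuristic: report `if <expr> == "<string literal>"` tests, the
    shape of the slide's back door.  Returns (line, literal) pairs.  No hits
    is not proof that there is no back door."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.If):
            continue
        test = node.test
        if (isinstance(test, ast.Compare) and len(test.ops) == 1
                and isinstance(test.ops[0], ast.Eq)):
            for side in (test.left, test.comparators[0]):
                if isinstance(side, ast.Constant) and isinstance(side.value, str):
                    hits.append((node.lineno, side.value))
    return hits


# Constructed source snippets for the static check.
SUSPECT_SOURCE = '''
def login(user, password):
    if user == "133t h4ck0r":
        return ALLOW_LOGIN
    elif check_login(user, password):
        return ALLOW_LOGIN
    return DENY_LOGIN
'''

CLEAN_SOURCE = '''
def login(user, password):
    if check_login(user, password):
        return ALLOW_LOGIN
    return DENY_LOGIN
'''

# Constructed user store: one legitimate account.
USERS = make_user_db({"alice": "correct horse battery staple"})

if __name__ == "__main__":
    print("backdoor, any password:", backdoored_login("133t h4ck0r", "x", USERS))  # True
    print("hardened, same input: ", hardened_login("133t h4ck0r", "x", USERS))     # False
    print("hardened, alice/ok:   ", hardened_login("alice", "correct horse battery staple", USERS))
    print("static check hits:    ", find_hardcoded_identity_checks(SUSPECT_SOURCE))  # [(3, '133t h4ck0r')]
```

Two design points worth noting: the hardened version is not "the back door removed" but "no identity gets a different code path", which is the property a reviewer should check for; and the static check only catches the literal shape on the slide, so it belongs in review as a prompt, not as a gate.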
------------------------------------------

------------------------------------------
TECHNIQUES FOR THREAT IDENTIFICATION

For each adversary's goal:
  - how can it violate: confidentiality, integrity, availability?
  - can there be: spoofing, tampering, repudiation,
                  information disclosure, denial of service,
                  elevation of privilege?  (the STRIDE categories)
------------------------------------------

How could those threats be mitigated?
Is the payroll system susceptible to these threats?
What is the risk for each threat?

2. Networked Systems and Network Models

------------------------------------------
NETWORK MODEL

Key questions:
  - What are the
  - What are their

E.g. Airline reservation system
------------------------------------------

------------------------------------------
RESERVATION SYSTEM THREAT ANALYSIS

What assets?
What access points?
What are the threats?
------------------------------------------

------------------------------------------
FOR YOU TO DO

For one asset,
  - enumerate possible attacks
  - rate the risk of each attack
------------------------------------------

Which attacks are the most likely?
How could those risks be mitigated?
Do any attacks have negligible risk?

B. Summary of threat modeling

------------------------------------------
IMPORTANCE OF THREAT MODELING

Why must threat modeling be systematic?

What is the threat modeling process?
------------------------------------------
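As an added worked example (not part of the lecture notes) of the process summarized above, here is the whole loop run end to end on the payroll system: step A.3 made systematic with one question per STRIDE category per asset, then steps B.1 to B.3 as a small risk register that is ranked and split into mitigate/accept. STRIDE is the name of the six categories on the TECHNIQUES FOR THREAT IDENTIFICATION slide; the 1-5 impact and likelihood scales, the rule risk = impact x likelihood, the mitigate threshold of 9, and every threat and rating in the register are assumptions constructed for this example, not content from the notes.

```python
"""Added example, not from the lecture notes: the threat-modeling process
of section III run end to end on a small, constructed register for the
payroll system.  STRIDE is the name of the six categories on the TECHNIQUES
FOR THREAT IDENTIFICATION slide; the 1-5 impact/likelihood scales, the
risk = impact x likelihood rule and the mitigate threshold are assumptions
of this example, not part of the notes."""
from dataclasses import dataclass

# Step A.3, made systematic: one question per STRIDE category per asset.
STRIDE = {
    "S": "Spoofing: can someone pretend to be a principal that touches {asset}?",
    "T": "Tampering: can {asset} be modified without authorization?",
    "R": "Repudiation: can an action on {asset} be denied later?",
    "I": "Information disclosure: can {asset} be read by the wrong party?",
    "D": "Denial of service: can access to {asset} be prevented?",
    "E": "Elevation of privilege: can an access point to {asset} grant more rights than intended?",
}


def stride_prompts(asset: str) -> list:
    """The checklist a reviewer walks for each asset found in step A.2."""
    return [q.format(asset=asset) for q in STRIDE.values()]


@dataclass(frozen=True)
class Threat:
    asset: str
    access_point: str
    category: str        # one of STRIDE's letters
    description: str
    impact: int          # step B.1: 1 (negligible) .. 5 (critical), from asset value
    likelihood: int      # step B.2: 1 (rare) .. 5 (expected), from who gains

    @property
    def risk(self) -> int:
        return self.impact * self.likelihood


def rank(register: list) -> list:
    """Highest risk first; ties broken by impact so critical assets surface."""
    return sorted(register, key=lambda t: (t.risk, t.impact), reverse=True)


def decide(register: list, mitigate_at: int = 9) -> dict:
    """Step B.3: mitigate anything at or above the threshold, accept the rest."""
    return {t.description: ("mitigate" if t.risk >= mitigate_at else "accept")
            for t in register}


# Constructed register for the payroll example; ratings are illustrative.
PAYROLL_REGISTER = [
    Threat("salary records", "HR data-entry form", "T",
           "HR clerk raises their own salary", impact=5, likelihood=3),
    Threat("payment file to bank", "upload to bank", "S",
           "forged payment file submitted as the payroll system", impact=5, likelihood=2),
    Threat("change audit log", "log writer", "R",
           "clerk denies a change; log is not tamper-evident", impact=3, likelihood=3),
    Threat("salary records", "backup tapes", "I",
           "backup tape lost in transit", impact=4, likelihood=2),
    Threat("payroll server", "network", "D",
           "server unreachable on pay day", impact=3, likelihood=2),
    Threat("payroll server", "login", "E",
           "hard-coded back door in the login code", impact=5, likelihood=1),
]


def report(register: list, mitigate_at: int = 9) -> list:
    """(risk, category, decision, description) rows, ranked, for the write-up."""
    decisions = decide(register, mitigate_at)
    return [(t.risk, t.category, decisions[t.description], t.description)
            for t in rank(register)]


if __name__ == "__main__":
    for q in stride_prompts("salary records"):
        print(q)
    for row in report(PAYROLL_REGISTER):
        print(row)
```

Change one likelihood and rerun: the ranking and the mitigate/accept split follow from the ratings, and that repeatability is what "systematic" buys over an ad hoc list. The numbers are the weak point, not the arithmetic: step B.2 says likelihood comes from who gains, so a rating like the back door's "1" has to be argued from the adversaries identified in step A, not guessed.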