Perspectives on Internet Security
Rob Kolstad
Berkeley Software Design
Email: kolstad@bsdi.com
Abstract
The worlds of computer and network security are often viewed as
the mysterious and exotic worlds of colourful crackers. Magazines
hype `the terror of the net' while news commentators lament the
stealing of billions of dollars by computer fraud.
This talk tries to cut through the hype to examine the real value
of data, abuse of data and computers, data protection costs, trends,
commerce, and issues surrounding the culture and politics of using the
computers and the Internet.
Overview
- The hype
- Data's real value
- Abuse of data and computers
- Costs of protecting data
- USA security trends and focus
- Electronic commerce
- Cultural and political issues
- Prescription
The Hype
- Security fears are a marketer's dream
- Fear, uncertainty, and doubt are cornerstones of marketing
- Lots of dollars drive marketing
- Media hypes computer break-ins
- Morris worm
- Cuckoo's Egg, etc.
- Viruses
- Never says, '5,5 million sites were not broken into today'.
The Hype
- Netscape, for example, constantly refers to security
- But credit card losses in USA are capped to US$50
- Netscape sells security options at higher prices
- Even the word 'security' is poorly defined
- Many viewpoints by different people
- Difficult to measure
- Often viewed as desirable at any cost.
How Valuable is Data?
- Some online data has virtually infinite value
  - Nuclear secrets
  - Large financial institutions
  - Germ warfare, military secrets, etc.
- Much online data has much lower value
  - Pizza restaurant advertising
  - BSDI web pages
- Much online data has medium value
  - Credit card numbers
  - Medical data (privacy value - not high economic value)
  - Corporate strategies
How Are Computers and Data Abused?
- Stolen data
- Credit card numbers/banking information: theft
- Medical data: subtle blackmail, insurance denial
- Corporate strategies: unexpected counterattacks
- Vandalism
- Mutilating data: destroying all tax records for a country
- Slightly changing data (my payrate goes to 1,000,000/year)
- Vandalising data ('Pizza made with puppies')
- Shutting down systems (for example, air traffic control)
- Shutting down networks (automated teller network)
- Phantom purchase/payment/payroll orders (theft of equipment or money)
How Can Data Be Compromised?
- Network intrusions
- Overt theft
- Covert theft
- Accidents/procedural errors
- Kidnapping/bribery
- Less-illegal coercion (for example, hiring away employees)
- 'Inside jobs'
- Viruses
- Probably other ways as well
How Much Can It Cost To Protect Data?
- Only true security is physical security
  - Multiple guards
  - 'Tempest' rooms
  - Military organisations exploit these schemes
- 'Relatively high' security comes at less cost
  - Greater chance of compromise
  - 'Calculated risk'
- It is rarely worth spending more money to protect data than the data is worth!
Alternatives to Ultimate Security
- Ensure cost-of-compromise goes very low
- Automated recovery system
- No priceless data
- Takes the fun out of vandalism
- Partition data into `high value' and `really not that high value' data and protect each portion appropriately
- Use modern security measures to minimise `calculated risk'
- Firewalls
- PC virus countermeasures
- BE RATIONAL about data's value!
Security: Convenience and Functionality
- Security x Convenience = K
- Security impinges on functionality, too
- Corporate productivity concerns sometimes wear `security' clothing
- Sometimes security concerns override services altogether
USA Security Knowledge and Goals
- Layman knowledge level is very low
- Heightened concerns about infinite threats (credit cards, financial records, `the computer')
- Misperceptions about data, communications, and connectivity
- High desire for infinite security in all aspects of life (including employment, crime, health, retirement)
Observations of USA Security Perceptions
- Large corporation MIS directors often adopt `zero tolerance' security policies - which keep their corporations off the Internet
- Sometimes technical issues far exceed technical skills of decision makers
- Fear of catastrophic consequences is high
- Rampant viruses raise fear level (for example, MSWord)
- Will spend money - large quantities - for guarantees
- Many consultants will take the money
- Few guarantees are forthcoming
- No standards and certifications currently available for network security - this might be good or bad (slows evolution)
Marcus Ranum's Hot List
- Vendors don't supply secure (systems) software by default
- Out-of-box configurations are a problem
- Sun is improving slowly; Microsoft is truly problematical
- Windows/NT has world-writable root filesystem out of the box
- Third party software relies on this fact
- Even vendor features like immutable files are not in widespread use
- All firewalls can be configured as wide-open or very narrow (a `dial')
- Setting the dial is important
- Bad firewall configurations are worse than no firewalls!
Focus of USA Internet Security Efforts
- Complete data partitioning (internal net versus Internet)
- Many companies have very extensive internal nets and just one connection to Internet
- Firewalls
- End-to-end encryption (not widely used yet)
- Security policies
Focus of USA Internal Security Efforts
- Not as much focus as on network security but growing
- Procedural errors rampant (for example, WWW page)
- Virus scanners and strong rules about importing software
- RBK opinion: 'inside jobs' still main problem (exacerbated by poor policies and implementations)
- White collar crime prosecution slowly increasing - but companies don't prosecute because of `embarrassment'
- RBK experience: corporate security experts too often focus on `rules of thumb' rather than problem understanding (for example, east coast bank and bridge-firewall with Unix)
Costs of Security Perceptions and Focus
- More hardware at higher cost
- More software at higher cost
- Dark perception of lurkers, hackers, and molesters
- Perception of infinite potential damage cost
- Fear of joining the net (postpones available services)
Current Firewall Technology
- Packet filters
  - Check packet type, source, destination for all packets
  - Drop `disallowed' packets on floor
- Proxy systems
  - Daemons process packets for each `allowed' service
  - `Disallowed' services' packets not forwarded
- Integrated server/firewall with security domains
  - Border Technologies, Canada
  - One box for both server and firewall
  - Security domains isolated from each other; no cascading of security problems after security failure
Comments on Electronic Commerce [Ranum]
- Money moving is somewhat important
- But non-repudiable transactions are the big deal
- Transactions must have authorisation for sender and date
- Both entities in transaction must trust other to act appropriately
- Verification/authentication
- Traditionally performed through credit card IDs
- Digital certificates will verify identities in the not too distant future
- Maybe smart cards will be a popular medium for remembering the 2KB of data
More Comments on Electronic Commerce
- Who do you trust?
- Transitive trust is a tough issue
- Weakest link in chain can destroy entire train of security trust
- Delegating security policy issues to third parties can make them master of your company's security domain
- Firewalls end up being trust boundaries
- Encryption doesn't quite solve the problem!
- There is no notion of `checking programs before running programs'
- So viruses have a transmission scheme
- Java attacks this, maybe
- Multiple communication protocols complicate security issues
Cultural Issues Surrounding Security
- Desire for absolute security guarantees
- Luddites, fear of technology in general, fear of change
- Use of technology to address social or political issues (like surfing sexually explicit WWW pages from a business)
- Ownership of backbone communication methods
- Countries' economic systems (reward security or quick-profit?)
Political Issues
- Internet represents quickly changing technology
- `Change' raises warning flags for politicos
- Luddites always feel threatened by whizzy new technology
- Phone regulations don't work for Internet
- Entrenched competition can feel threatened
- Government regulation of encryption (exports, civilian use)
- Communication regulations
- Organisational politics
- Technical skill level of politicians
- Desire to legislate morality or repel invaders
- Desire to control information
Prescription for the Security-Minded
- The battle with hackers is an arms race! It's never over!
- Join a CERT mailing list
- Help management and others learn the real costs of data in addition to capabilities of today's computer systems
- Try to foster rational discourse without hype whenever possible
- Keep security and privacy in mind when designing or implementing networks or data systems