Application 2 – Annotated Bibliography
Attack Trends Editors: Iván Arce, [email protected]
Elias Levy, [email protected]
The Weakest Link Revisited
IVÁN ARCE Core Security Technologies
72 PUBLISHED BY THE IEEE COMPUTER SOCIETY | 1540-7993/03/$17.00 © 2003 IEEE | IEEE SECURITY & PRIVACY
It is a common saying that a chain is only as strong as its weakest link—a phrase information security officers, IT managers, consultants, researchers, journalists, and opinion makers reiterate ad nauseam when referring to an organization’s information security posture. Most in the information security community would agree that a security architecture is only as strong as its weakest link. However, they usually cannot agree on what that is, and no expert risks making a definite statement about it.
We can argue that a security strategy’s weakest component will vary from one organization to another but perhaps we should compare past perceptions of what a weakest link is to what it could well be in the near future.
The weakest link timeline
A retrospective look at information technologies, information security trends, and threat models provides a few good guesses as to what the weakest links were in previous decades.
The mainframe
The mainframe and early timesharing systems of the 1960s and 1970s had stringent mechanisms to enforce security at the operating system level. When coupled with physical access controls and security clearance requirements, these mechanisms presented a substantial barrier to opportunistic attackers or internal attack threats. Substantial research efforts in secure operating systems design and security mechanisms subversion [1,2], results of penetration-testing exercises [3,4], and the emergence of security-oriented subsystems such as IBM’s Resource Access Control Facility and Computer Associates’ ACF-2 and Top Secret (software packages that manage and enforce access control restrictions to mainframe resources) indicate that the primary security concern was internal operating system security. Therefore, the weakest link could be defined as flaws in an operating system’s security controls or as procedural weaknesses in its development and deployment process. As Roger Schell, Peter Downey, and Gerald Popek outline in Preliminary Notes on the Design of Secure Military Computer Systems:
“Most contemporary shared computer systems are not secure because security was not a mandatory requirement of the initial hardware and software design. The military has reasonably effective physical, communication, and personnel security, so that the nub of our computer security problem is the information access controls in the operating system and supporting hardware.” [5]
Successful exploitation of a mainframe assumed a both technically and financially resourceful attacker who could access the computing facilities and had extensive knowledge of operating system internals and the technical expertise to develop complex attacks. The military, government, and large educational and research organizations of the ’60s and ’70s, as main users of mainframes and timesharing systems, could easily associate the attackers’ profile to their IT infrastructure. In this way, they could focus their effort in preventing security breaches from determined intruders with access to the operating system either as legitimate users or through procedural flaws in the operating system development and deployment process.
The personal computer
During the ’80s, extensive deployment of PCs in companies and households not only revolutionized the work and leisure time of a new range of computer users, but also presented a new security problem: the computer virus.
While mainframes and Unix systems continued to present challenges related to the traditional ’70s approach to operating systems’ security, the growing number of PCs were completely open to a new form of attack because of the lack of security controls in hardware and software. The computer virus [6] threat became the springboard for a multibillion-dollar industry—Network Associates and Symantec entered the information security market as antivirus companies—and the principal security concern of any PC user.
Researchers considered the computer virus a minor threat because it only affected isolated computers with limited spreading capabilities due to the spread mechanism’s low bandwidth and, in general, they deemed virus infection to be an implausible method for directly attacking specific targets.
However, with the introduction of hard-disk technology in the early ’80s and the usage of floppy disks to transfer information between computers, the virus threat became more evident and incidents multiplied rapidly. A virus could infect files stored in the hard disk, make itself a persistent problem, and spread through files exchanged in floppy disks between otherwise isolated PCs. By the end of the ’80s and into the early ’90s, researchers identified the desktop computer and its susceptibility to computer viruses [7,8] as the weakest link, and extensively documented and analyzed numerous accounts of newly discovered viruses and virus infection incidents [9].
The networked organization
In the 1990s, the security community focused its attention on network security. The interconnecting of multiple networks via a set of Internet protocol standards and the sudden realization that research, academic, and government and military organizations’ networks (which until then were somewhat isolated from untrusted users) were open to attack demanded additional measures beyond traditional operating system security. Servers, not workstations, were the crown jewels to protect, but efficient control of interconnected servers was not enough to prevent external attackers from breaching security. The firewall emerged as the de facto security device that separated friends (internal, controlled networks) from foes (all others on the outside) and effectively “sealed” the perimeter, the newly identified weakest link.
Extensive study of the security of networking protocols and infrastructure components identified new security problems such as security design flaws in the Internet protocols, weak user authentication systems, and buffer overflow conditions in the most common publicly accessible network services and proposed new solutions. Meanwhile, the use of LANs to connect PCs (which were previously isolated) to internal corporate networks (which were protected only at the perimeter), highlighted a problem that became evident by the mid ’90s with the full adoption of the World Wide Web and the Internet as a means to conduct daily business.
In short, by the end of the decade, the weakest link became a moving target. While still struggling to secure the perimeter and server systems with solutions such as firewalls, cryptographically strong authentication systems, network and host-based intrusion detection systems, VPN devices, and cryptography additions to networking protocols, organizations then faced a new threat—a blurring perimeter that made it almost impossible to differentiate friends from foes and internal users from external attackers and vice versa.
The community’s immediate reaction to the threat called for increased attention to server security, operating system controls, patch management, and additional perimeter defenses, not only to protect the organization from external attacks but also to detect and react to incidents.
http://computer.org/security/ | IEEE SECURITY & PRIVACY 73
ILLUSTRATION BY ROBERT STACK
The weakest workstation: A new beginning?
Information security—both as a practical discipline and as an academic field—has steadily increased in complexity since the 1950s. A wider range of problems must now be considered to devise effective security architectures for today’s organizations. Security solutions should account for our IT infrastructure’s technological challenges and the particular aspects of human and organizational behavior. It is in this context that we can identify our current weakest link: the workstation.
Efforts to implement and monitor workstation security during the 1990s are negligible compared to the immense resource allocation attempting to protect internal and external servers, network devices, and the network perimeter today. Once the community dealt with the virus threat in the 1980s (unsuccessfully, we might add), interest in workstation security evaporated when desktop operating systems began incorporating basic security mechanisms that made them suitable to operate in a networked environment, such as centralized user authentication and access control facilities. But by 2000, new ways of conducting business and new technologies had directly affected activities performed at the workstation; subsequently, a dormant set of security issues surfaced.
Extensive Web browser usage, instant messaging, email client software, peer-to-peer networking, digital media players, and a wide range of software packages that interact directly or indirectly with internal networks and the Internet are an information security officer’s nightmare. To effectively mitigate risk, the security officer now must identify vulnerabilities and assess their impact in a large set of software packages from multiple vendors ranging from small to large software companies, in-house development teams, and third-party integrators with various degrees of maturity in their development process, technical support infrastructure, and response time to provide security fixes. To make things even worse, the security officer often does not directly control the deployment of these packages or the operation of workstations.
Additionally, the complex task of managing security patches and security policies across thousands of workstations (possibly with different configurations) as opposed to hundreds of servers with standardized configurations introduces severe scalability considerations that companies must account for to achieve a minimally successful information security strategy.
Perhaps it is evident that the workstation is the most vulnerable component in a threat model focused on protecting an organization from inside attacks, but proposing it as the security architecture’s weakest link and presenting it as the new target in attack trends for the future requires demonstration that external attackers also view it as such.
Several indicators point to the workstation being the new weakest link.
The human factor
An organization’s IT assets are ultimately managed and operated by humans, and an IT asset’s management and operational roles typically are not assigned to the same individual. Generally, those who have the most security training in the organization manage and operate security infrastructure components. IT staff with various degrees of expertise manage and operate internal and publicly accessible servers as well as mission-critical applications, and are tasked to maintain and enforce an organization’s information security policy.
At the end of the line comes managing workstations and workstation security. Although this responsibility hopefully falls with IT staff, usually it falls to end users—perhaps the least trained, experienced, or security-aware individuals in an organization. Therefore, desktop operating systems and the individuals operating them become the most obvious vulnerable avenues of attack for internal and external threats.
The new vulnerability indicator
During the past decade, the number of newly discovered vulnerabilities has steadily increased; of these, a growing proportion are no longer related to server software. The growing number of software packages that end users employ at workstations to conduct everyday business has attracted the attention of vulnerability researchers—who, from a security perspective, feel that the packages are poorly developed. The two most popular Web browsers alone have had a combined total of 152 security vulnerabilities since 1999 (see the Common Vulnerabilities and Exposures dictionary at www.cve.mitre.org). Recent discoveries in software components used for image processing [10,11], file compression [12,13], digital media playback [14], and file, email, and network encryption [15] provide additional clues about the increasing importance of security at workstations.
74 IEEE SECURITY & PRIVACY | MARCH/APRIL 2003
The exploit research indicator
From a motivated attacker’s viewpoint, a successful attack on an organization involves compromising specific systems or otherwise achieving specific goals, such as obtaining confidential information or shutting down mission-critical servers. To perform directed attacks successfully, the attacker must overcome perimeter security mechanisms and server and application security controls with a set of tools. The most important of these tools—exploit programs—execute a known vulnerability condition and let the attacker subvert the exploited platform’s security assumptions. Using highly reliable exploit programs is a key requirement for a determined attacker; therefore the small community of professional penetration testers and ethical or unethical hackers put great effort into devising new exploitation techniques and methodologies.
In the past few years, most of the published work on exploit research and development has revealed a high degree of sophistication in exploit programs and the use of techniques that closely resemble those of the virus writers and researchers in the early ’80s. Reliable exploit code has become harder to develop [16], which forces researchers to better understand operating systems’ internals and application-layer security, as opposed to just focusing on network security. The mixed requirement of an in-depth technical understanding combined with attackers who are accustomed to targeted attacks (as compared to the generally undirected attacks in the virus threat model of the ’80s) outlines requirements for a new breed of exploit programs targeted at workstation operating systems.
Use the front door, not the back door
The term “backdoor” is used to refer to a hole in a security system deliberately left in place by the designers or maintainers (www.jargon.8hz.com/jargon_17.html#SEC24). The concept of using the legitimate (but rarely used by outsiders) network access points to gain control of an organization’s most valuable assets (the “front door” as opposed to an obscure “back door”) was brought to my attention by coworkers Luciano Notarfrancesco and Gerardo Richarte.
The workstation is naturally both the outlet for an organization’s most sensitive information and the most legitimate network component to access its IT assets. This makes the workstation the most obvious point of attack for a determined attacker, provided that he or she can gather intelligence on workstation technology and configuration and users’ usage patterns and procedures.
The most sensitive components of any organization’s security infrastructure are the CEO’s, CFO’s, or even the Chief Security Officer’s or network administrator’s workstations because they provide a direct path to controlling the organization and its assets. From this perspective, we can easily imagine workstation users as the target of hackers’ intelligence-gathering attacks that attempt to determine login times, email and Internet browsing habits, personal and professional interests, and any other detailed information that will help them compromise the user’s workstation and use it as an entry point to gain access to the internal network.
The increasing interest in workstation security solutions such as personal firewalls, host-based intrusion detection and prevention systems, workstation access control software, file integrity checkers, and patch management systems might provide additional support to accept our hypothesis that the workstation is the weakest link. But if we choose to do so, we must come to grips with reality: humans operate and control workstations, and no technological gadget alone will strengthen the weakest link if human and organizational behaviors are not factored into a comprehensive security strategy.
If we accept the workstation as the new weakest link, we can conclude that from a technology viewpoint, an information security strategy can only succeed if it incorporates workstations and their users into an overall picture that today is dominated by network and server security paradigms.
References
1. P.A. Myers, Subversion: The Neglected Aspect of Computer Security, master’s thesis, Naval Postgraduate School, Monterey, Calif., 1980.
2. K. Thompson, “Reflections on Trusting Trust,” Comm. ACM, vol. 27, no. 8, 1984, pp. 761–763.
3. S.M. Goheen and R.S. Fiske, OS/360 Computer Security Penetration Exercise, white paper WP-4467, MITRE, Bedford, Mass., 01730, 1972.
4. P.A. Karger and R.R. Schell, Multics Security Evaluation: Vulnerability Analysis, tech. report ESD-TR-74-193, vol. 2, Hanscom Air Force Base, Mass., 01731, 1974.
5. R.R. Schell, P.J. Downey, and G.J. Popek, Preliminary Notes on the Design of Secure Military Computer Systems, MCI-73-1, MITRE, Bedford, Mass., 01730, 1973.
6. F. Cohen, “Computer Viruses, Theory and Experiments,” Computers & Security, vol. 6, no. 1, 1987, pp. 22–35.
7. J.O. Kephart and S.R. White, How Prevalent Are Computer Viruses?, IBM T.J. Watson Research Center, 1992; www.research.ibm.com/antivirus/SciPapers/Kephart/DPMA92/dpma92.html.
8. S.R. White, J.O. Kephart, and D.M. Chess, “Computer Viruses: A Global Perspective,” Proc. 5th Virus Bulletin Int’l Conf. (VB 95), Virus Bulletin Ltd., Abingdon, England, 1995; www.research.ibm.com/antivirus/SciPapers/White/VB95/vb95.distrib.html.
9. T. Polk and L. Bassham, Guide to the Selection of Anti-Virus Tools and Techniques, tech. report 800-5, Nat’l Inst. of Standards and Tech., Gaithersburg, Md., 20899, 1992.
10. Security Focus Online, “LibPNG Incorrect Offset Calculation Buffer Overflow Vulnerability,” http://online.securityfocus.com/bid/6431.
11. Security Focus Online, “Multiple Browser Zero Width GIF Image Memory Corruption Vulnerability,” http://online.securityfocus.com/bid/5665.
12. Security Focus Online, “WinZip Tar Hostile Destination Path Vulnerability,” http://online.securityfocus.com/bid/6418.
13. Security Focus Online, “WinZip File Encryption Scheme Limited Key Space Vulnerability,” www.securityfocus.com/bid/6805.
14. Security Focus Online, “mpg123 Invalid MP3 Header Memory Corruption Vulnerability,” http://online.securityfocus.com/bid/6593.
15. Security Focus Online, “PGP Desktop Filename Buffer Overflow Vulnerability,” http://online.securityfocus.com/bid/5656.
16. G. Richarte and I. Arce, “Lessons Learned Writing Exploits,” Proc. CanSecWest Security Conf. 02, www.corest.com/common/showdoc.php?idx=226&idxseccion=13&idxmenu=35.
Iván Arce is chief technology officer and cofounder of Core Security Technologies, an information security company based in Boston. Previously, he worked as vice president of research and development for a computer telephony integration company and as information security consultant and software developer for various government agencies and financial and telecommunications companies. Contact him at [email protected].