Kai Axford, CISSP, MCSE
Sr. Security Strategist
Microsoft Corporation
SIA331
Complete an evaluation on CommNet and enter to win!
Threat Landscape
Vulnerabilities by layer: Operating System 8.8%, Browser 4.5%, Apps 86.7%
Malware and potentially unwanted software by category: Misc. Trojans 33.5%, Trojan Downloaders & Droppers 25.1%, Misc. Potentially Unwanted Software 22.8%, Adware 19.9%, Worms 11.3%, Password Stealers & Monitoring Tools 9.7%

The End-to-End Trust Vision
Imagine what the Internet could be…
…if your experience were more secure from online threats
…if your privacy were enhanced with ways to control how your personal information is acquired and used
…if your devices and software enabled you to make choices about who and what to trust online

The Elements
Three key pieces to creating greater trust
Trusted stack
• Security rooted in hardware
• Each element can be authenticated
Managing claims
• Process for passing identity/attribute claims
• Authentication, authorization, access, audit
Good alignment across disciplines
• Technological, social, political, economic
• Put users in control while preserving social values

The Opportunity is Now
Issues
• Botnets
• ID theft
• Child safety
Debates
• Security and privacy
• Align technology, society, politics, market
Technologies
• Public key infrastructures
• Smart cards

Microsoft's Initial Security Strategy
Trustworthy Computing
• Began in 2001, announced in 2002
• Based on attributes of the telephone: reliability, security, privacy protections
• IT ecosystem needed these same attributes for people to trust information technology
Initial focus: security
Outcome: SDL

Security Development Lifecycle
Training
• Core training
Requirements
• Analyze security and privacy risk
• Define quality gates
Design
• Threat modeling
• Attack surface analysis
Implementation
• Specify tools
• Enforce banned functions
• Static analysis
Verification
• Dynamic/fuzz testing
• Verify threat models/attack surface
Release
• Response plan
• Final security review
• Release archive
Response
• Response execution
Mandatory policy for all products since 2004
"Stop ship" issued if product failed to pass Final Security Review

Result: Success
Vulnerability counts dropping continuously
[Chart: vulnerabilities per quarter, 2000 through 2006, by severity (Critical, Important, Moderate, Low), for Windows XP (SP2 marked), Windows Vista and Microsoft SQL Server]

Initial Strategy: SD3
Secure by design
• Consider how software might be abused
• Guard against abuse in design and development
• Focus: reduce code vulnerabilities
Secure by default
• Disable features to reduce attack surface
• Move to "standard user" operation
• Focus: reduce configuration vulnerabilities
Secure in deployment
• Robust and timely response process
• Effective tools for rapid updating

Yet, Certain Inherent Limitations
Secure by design
• Systems becoming increasingly complex
• Cannot reduce vulnerabilities to zero
Secure by default
• Can't completely eliminate attack surface
• Users still need features activated
• Legacy software requires high privileges
Secure in deployment
• Attackers still reverse-engineer updates
• Zero-day exploits on the rise
• Challenge to manage multiple complex products in heterogeneous environments

Next: Defense in Depth
Provides additional layers of protection
Recognizes some security efforts will fail
• Reduced vulnerabilities in code
• Disabled features by default
• Enabled the firewall by default in XP SP2 and Vista
• Provided anti-malware tools for users
• Educated users about risks of unknown software
• Cleaned PCs with the Malicious Software Removal Tool

Continual: Threat Mitigation
Spam
• Targets humans, not software
• Who'd be willing to shut off email?
• Microsoft response: broad consumer education, phishing filters, Sender ID for email authentication
Botnets
• Difficult to stop massive distributed denial of service attacks
• Microsoft response: work with law enforcement to identify botnet herders

Evolving the Security Strategy
Existing measures are tactical
And are primarily defensive, causing attackers to move "up the stack"
• People
• Data
• Applications
• Computers
• Networks
• Buildings
• Foundations
Evolve
• Improved static code analysis tools
• "Fuzz testing" to find unexpected behavior
• Virtualization benefits: sandbox code execution, contained web browsing, unknown code evaluation
But where's the deterrent to crime?

Growing Demands
Consumers and enterprises want both security and privacy
Information for users to know:
• Who am I dealing with?
• What programs am I running?
• What devices am I connected to?
• What traffic am I receiving?
• Can I trust all of this?

Trust Decisions are Difficult
Binary?
• No: trust can be complete, limited, or absent
Static or dynamic?
• Typically static in the physical world, until some major event shakes trust
• Often very dynamic in the online world: a PC is updated today and still vulnerable to a zero-day exploit tomorrow
Impact?
• Actual and perceived concerns about erroneous decisions
• Is this program sandboxed? Can this transaction be rolled back?
Reliability?
• Internet lacks the visual and physical cues humans intuitively understand when dealing with others
• Facial expressions and body language; verifiable and easy-to-use authentication

Creating Trustworthiness
Authenticated identity claim
Ability to identify and prove the source of actions
• Examples: name, age, citizenship
• Provides audit mechanism for determining accountability
• Necessary as an effective deterrent
• Enables required law enforcement tools
• Provides foundation for political response

The Trusted Stack
Reasonable and effective trust decisions help achieve accountability and deterrence
• Trusted people
• Trusted data
• Trusted software
• Trusted hardware

Questions About Identity

Should Anonymity be Abolished? No.
Anonymity should be preserved and enhanced
• Through technology and social policy
User choice should be preserved
• Complete or partial anonymity
• Purpose-dependent

Should There be National Identifiers? No.
People often have several identities
Passing claims is usually the real purpose
• Prove age without supplying name
• Make purchases without disclosing credit card
Keep the focus on privacy
• Knowing about someone without knowing the actual person
• Numerous identities help to limit dissemination of personal data
• By design, this makes data aggregation difficult

Should Huge PII Databases be Developed? No.
Mega-databases that collect personal information remain dangerous
Identity claims help reduce the amount of aggregated data
Auditing of use should remain distributed
Audit data needs better protection than it currently receives

Will this Affect Privacy? Somewhat.
Privacy is a continuum
• Complete anonymity, no tracking
• Complete identity, extensive monitoring
Non-anonymity already understood
• Credit cards, online banking, profiles on social networking sites
Adding more identity shifts the continuum
New privacy risks demand new choices

Is Such a System Free From Abuse? No.
Any system can be abused
And if it is determined that increased authentication results in serious abuse, we might decide against it
Arguments against these ideas tend to be overstated
A well-constructed regime is better than none at all
How else to meet people's security desires?

Is Universal Adoption Necessary? No.
Universal buy-in isn't necessary
Again, it's about choices
• Provide ways for those who want greater safety to achieve it
• Allow trust decisions even if some data is missing or incomplete

Benefits of a Trusted Stack

Reducing Ecosystem Risk
Authenticated and audited people, devices, software, data
Empowers better trust decisions; holds people accountable for conduct

Examples
Auditing protects both sides of a transaction
• Mutual authentication of bank and customer
• Transaction records ensure validity
Device-to-device authentication
• Reduces external attacks
• Unauthorized machines are ignored
Audited access helps real-world mechanisms
• Authentication provides context
• Empowers law enforcement and politics

More Examples
Management tools provide rapid response and dynamic changes to data collected
• Detect and thwart flooding/probing attacks
Autonomous, automatic defense
• Drop malicious packets that are reliably identified as coming from a malicious source
Insider threats also mitigated
• Better audit tools help identify suspicious access patterns

Setting Reasonable Security Goals

How to Handle Risk?
Eliminate or manage
Is the level of safety reasonable, given the cost and circumstances?
Is there a corresponding ecosystem strategy and service strategy?
Home security example
• Strategy: lock doors and windows; install alarm system
• Ecosystem: watchful neighbors
• Service: police response

The Goal
Not to create a "secure world"
• The physical world can never be 100% secure
Online world should be reasonably safe in its context, e.g. social networks, online banks
People should be able to make trust decisions that turn out to be right
• Decisions should be limited in number
• Machines should apply personal preferences
• User interfaces should be meaningful and intuitively guide toward the right answer

The Path Forward
Facilitating trust
Building the trusted stack
Auditing access

Components that Facilitate Trust
In-person proofing and enrollment
• Superior to shared secrets
• Not unlike what happens outside online environments
Claims-based authentication
• To be someone, to possess an attribute, or to originate from a source
• Should include mechanism for robust reputation
Authorization policies
• Formal or informal policy that permits or denies activity
• Also consider who sets policies and authorizes changes
Access control
• Grant or deny access to a resource consistent with policy and verification of any additional required attributes
Audit
• All of the above must be documentable (as opposed to documented)
• Regulations and costs will determine how much data to keep

The Trusted Stack: Trusted Hardware
Root trust in hardware, where the software runs
Example: Trusted Platform Module
• Machine-to-machine authentication rooted in TPM keys could prevent unapproved machines from accessing network resources
• Can be done while remaining compliant with privacy policies

The Trusted Stack: Trusted Software: Applications
Digitally sign all code to identify its source
• Permits users to consider experiences and reputation before installing something
Issues to resolve
• Maliciously bypassing the loader
• Verifying unknown signers
• Validating identities of those seeking signatures
Signatures alone may not be sufficient for making trust decisions
• Few people would agree to run only signed code

The Trusted Stack: Trusted Software: Operating System
Verifiable based on keys stored in hardware (trusted boot)
• Provides integrity protection to the device
High software quality remains key
• Prevent vulnerabilities accidentally introduced by users and developers
• Authentication restricts access to code
• Internal auditing permits rapid discovery and repair of bad code
Continuously validate the manifest of all installed software
• Prevent intentional rollback to a vulnerable state

The Trusted Stack: Trusted Software: Applications (continued)
Reputation platform provides additional data about publishers
• From expert reviewers, researchers, other users, reports of complaints
• Requires a remediation process to alter incorrect reputation decisions
Unsigned code may still run anyway
• Provide sandboxed environment
• Provide ability to roll back transactions

The Trusted Stack: Trusted Data
Applications should begin applying and reading signatures as data is written and read
Management tools should allow users to create origin and integrity policies
Authentication infrastructure allows users to restrict recipients and actions
Must refocus on protecting data, rather than its container (the network)
Data sandboxing helps to reduce harm from malicious content

The Trusted Stack: Trusted People
Identities based on in-person proofing
• Directly or indirectly
• Eliminates the requirement of a shared secret, the prime failure of traditional computer authentication methods
Choice of issuers: governments, employers, schools, organizations
And these are true secrets, with public-private key pairs
Allows devaluation of PII and thus reduces identity theft
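The Trusted Software (Applications) and Trusted Data slides above describe one mechanism from two sides: sign the artifact so its origin can be checked, bind the signature to what was actually signed, and then treat a valid signature as an input to a reputation-based policy rather than as the decision itself (unsigned or unknown-signer code goes to a sandbox, tampered artifacts are rejected outright). The Go program below is an added example written for this page; it is not Microsoft code and not how Authenticode or Windows implements code signing. It uses Ed25519 from Go's standard library, invented publisher names (Contoso Ltd, Fabrikam, Nobody Inc) and constructed sample payloads, and the "kind" field that distinguishes code from data is an assumption of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Decision is the outcome of a trust decision about one artifact.
type Decision int
const (
	Reject  Decision = iota // signature present but does not verify: altered content or wrong key
	Sandbox                 // unsigned, or validly signed by a publisher with no reputation yet
	Run                     // validly signed by a publisher the reputation platform vouches for
)

func (d Decision) String() string { return [...]string{"Reject", "Sandbox", "Run"}[d] }

// Artifact is code or data plus its claimed origin. Kind ("code" or "data") is
// covered by the signature, so a signed document cannot be replayed as signed code.
type Artifact struct {
	Kind, Name string
	Payload    []byte
	Signer     string // publisher identifier; empty when unsigned
	Signature  []byte
}

// Publisher is a known signer plus the verifier's current view of its reputation.
type Publisher struct {
	Key     ed25519.PublicKey
	Trusted bool // set once the reputation platform has vouched for the publisher
}

// signingInput binds kind, name and payload hash into the signed message, so a
// signature cannot be transplanted onto a renamed or re-typed artifact.
func signingInput(a Artifact) []byte {
	return []byte(fmt.Sprintf("%s\n%s\n%x", a.Kind, a.Name, sha256.Sum256(a.Payload)))
}

// Sign returns the artifact carrying a signature from the named publisher's key.
func Sign(a Artifact, signer string, priv ed25519.PrivateKey) Artifact {
	a.Signer = signer
	a.Signature = ed25519.Sign(priv, signingInput(a))
	return a
}

// Decide verifies against the claimed publisher's key, then consults reputation.
func Decide(a Artifact, known map[string]Publisher) Decision {
	if a.Signer == "" {
		return Sandbox // unsigned code may still run, but only contained
	}
	pub, ok := known[a.Signer]
	if !ok {
		return Sandbox // unknown signer: no key to verify against, no reputation
	}
	if !ed25519.Verify(pub.Key, signingInput(a), a.Signature) {
		return Reject // payload, name or kind changed after signing, or forged signature
	}
	if !pub.Trusted {
		return Sandbox // a valid signature alone is not enough for a trust decision
	}
	return Run
}

// Demo runs the policy over constructed artifacts; keys are generated fresh each run.
func Demo() map[string]Decision {
	contosoPub, contosoPriv, _ := ed25519.GenerateKey(rand.Reader)
	fabrikamPub, fabrikamPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, strangerPriv, _ := ed25519.GenerateKey(rand.Reader)
	known := map[string]Publisher{
		"Contoso Ltd": {Key: contosoPub, Trusted: true},
		"Fabrikam":    {Key: fabrikamPub, Trusted: false},
	}
	installer := Artifact{Kind: "code", Name: "setup.exe", Payload: []byte("MZ... sample installer bytes")}
	report := Artifact{Kind: "data", Name: "q3.xlsx", Payload: []byte("PK... sample spreadsheet bytes")}
	good := Sign(installer, "Contoso Ltd", contosoPriv)
	tampered := good
	tampered.Payload = []byte("MZ... sample installer bytes + appended trojan")
	signedReport := Sign(report, "Contoso Ltd", contosoPriv)
	replayed := signedReport
	replayed.Kind = "code" // present the signed spreadsheet as if it were signed code
	return map[string]Decision{
		"trusted publisher":      Decide(good, known),
		"tampered payload":       Decide(tampered, known),
		"impostor key":           Decide(Sign(installer, "Contoso Ltd", strangerPriv), known),
		"known, not vouched for": Decide(Sign(installer, "Fabrikam", fabrikamPriv), known),
		"unknown signer":         Decide(Sign(installer, "Nobody Inc", strangerPriv), known),
		"unsigned":               Decide(installer, known),
		"signed data":            Decide(signedReport, known),
		"data replayed as code":  Decide(replayed, known),
	}
}

func main() {
	for scenario, d := range Demo() {
		fmt.Printf("%-24s %s\n", scenario, d)
	}
}
```

The policy has three outcomes rather than two on purpose: a signature that fails to verify is evidence of tampering or impersonation and is rejected, while the absence of evidence (no signature, or a signer nobody has a reputation for) only demotes the artifact to the sandbox, which is the "unsigned code may still run anyway" case from the slides. The remediation process the slides call for corresponds here to flipping a publisher's Trusted flag.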
What is Audit?
Audit trail
• Record of a sequence of events from which a history may be constructed
Audit log
• Set of data collected over a period of time for a specific component
Audit collection
• Can be studied to determine patterns that highlight bad behavior or roll back harmful actions

Audit Challenges
No ecosystem audit strategy
• No ability to rapidly share audit findings
• No common operational understanding among parties
No standards
• No common policy languages
• No standardized format of audit trails and logs
• No thriving international standards body
No industry-wide audit tools
• No ability to correlate data sets across entities
• No ability to analyze data and extract useful information

An Optimal Audit System
Instrument across products and services
• All code collects a base level of audit data
• Management interfaces permit dynamic changes based on policy and current events
• Maintained in distributed fashion by the resource owner (user, organization, ISP, government)
• Helps organizations prove they've fulfilled their obligations
Support broad industry cooperation
• Coordinated instrumentation across product teams
• Validate that appropriate information is collected
• Flexibly support various audit goals
• Enable correlation across multiple devices and audit trails
Develop international standards
• Must work across heterogeneous systems
• Management and analysis tools must be platform-agnostic
• Define a set of audit identifiers to identify "interesting" activities across multiple networks
• Sharing governed by policy or regulation

The Obvious Challenges
Social and political
Economic
Jurisdictional

Things to Keep in Mind
Social mores differ between countries
• Free speech
• Privacy
• Cultural values
Complete harmonization isn't achievable
• Contradictory laws and regulations
• Limits to globalization
• Technology must adapt
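The audit slides above make two claims that are worth seeing in working code: that an audit collection "can be studied to determine patterns that highlight bad behavior", and that without correlation across trails ("no ability to correlate data sets across entities") those patterns stay hidden. The Go program below is an added example for this page, not Microsoft code and not any product's log format. It parses constructed audit records from two separate trails (a gateway and a file server), merges them per actor in time order, and applies two sliding-window rules that match the flooding/probing and suspicious-access-pattern cases from the earlier "More Examples" slide. Eve's failed accesses are deliberately split across the two trails so that only the correlated view crosses the threshold. Record layout, field names, actor names and thresholds are all assumptions of this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one normalized audit record; Source names the trail it came from.
type Event struct {
	Time                            time.Time
	Source, Actor, Resource, Result string
}

// ParseLine reads "<RFC3339 time> <source> actor=.. resource=.. result=.."
// (a record layout constructed for this example, not any product's log format).
func ParseLine(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) < 3 {
		return Event{}, fmt.Errorf("short record: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, err
	}
	e := Event{Time: ts, Source: f[1]}
	fields := map[string]*string{"actor": &e.Actor, "resource": &e.Resource, "result": &e.Result}
	for _, kv := range f[2:] {
		k, v, _ := strings.Cut(kv, "=")
		if p := fields[k]; p != nil {
			*p = v
		}
	}
	return e, nil
}

// Finding is one suspicious pattern attributed to an actor.
type Finding struct {
	Rule, Actor string
	Count       int
}

// Detect merges the trails, orders each actor's records by time, and applies two
// sliding-window rules: "probing" fires at denyLimit DENY results inside window,
// "fan-out" at fanLimit distinct resources inside window (a sweep through data).
// Each rule fires once per actor, reporting the count at that moment.
func Detect(trails [][]string, window time.Duration, denyLimit, fanLimit int) []Finding {
	byActor := map[string][]Event{}
	for _, trail := range trails {
		for _, line := range trail {
			if e, err := ParseLine(line); err == nil { // malformed records are skipped, not fatal
				byActor[e.Actor] = append(byActor[e.Actor], e)
			}
		}
	}
	var findings []Finding
	for actor, evs := range byActor {
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		fired, start := map[string]bool{}, 0
		for end := range evs {
			for evs[end].Time.Sub(evs[start].Time) > window {
				start++ // slide the window past records that are too old
			}
			denies, distinct := 0, map[string]bool{}
			for _, e := range evs[start : end+1] {
				if e.Result == "DENY" {
					denies++
				}
				distinct[e.Resource] = true
			}
			if denies >= denyLimit && !fired["probing"] {
				fired["probing"] = true
				findings = append(findings, Finding{"probing", actor, denies})
			}
			if len(distinct) >= fanLimit && !fired["fan-out"] {
				fired["fan-out"] = true
				findings = append(findings, Finding{"fan-out", actor, len(distinct)})
			}
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Actor+findings[i].Rule < findings[j].Actor+findings[j].Rule })
	return findings
}

// SampleFindings runs Detect over two constructed trails. Eve's denials are split
// across the gateway and the file server, so neither trail alone reaches the limit.
func SampleFindings() []Finding {
	gateway := []string{
		"2009-05-12T09:00:05Z gateway actor=eve resource=vpn result=DENY",
		"2009-05-12T09:00:06Z gateway actor=eve resource=vpn result=DENY",
		"2009-05-12T09:00:07Z gateway actor=eve resource=vpn result=DENY",
		"this record is deliberately malformed",
	}
	fileserver := []string{
		"2009-05-12T09:00:20Z fileserver actor=eve resource=/hr/payroll.xls result=DENY",
		"2009-05-12T09:00:25Z fileserver actor=eve resource=/hr/payroll.xls result=DENY",
		"2009-05-12T09:10:00Z fileserver actor=alice resource=/hr/payroll.xls result=ALLOW",
		"2009-05-12T09:11:00Z fileserver actor=alice resource=/hr/review-101.doc result=ALLOW",
		"2009-05-12T09:11:10Z fileserver actor=alice resource=/hr/review-102.doc result=ALLOW",
		"2009-05-12T09:11:20Z fileserver actor=alice resource=/hr/review-103.doc result=ALLOW",
	}
	return Detect([][]string{gateway, fileserver}, 60*time.Second, 5, 3)
}

func main() {
	fmt.Println(SampleFindings())
}
```

Two details carry the argument of the slides. The gateway alone sees three denials and the file server two, so a per-product threshold of five never fires; only the merged, time-ordered view attributes the probing to eve. And alice's pattern is not an error at all, every access was allowed, which is why "fan-out" over a window is needed to surface the insider-style sweep the "More Examples" slide describes; the window also keeps her earlier payroll access from counting once it falls outside the period.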
Privacy Challenge: Anonymity
The questions
• Will authentication eliminate anonymity?
• Will audited activity eliminate the benefits of anonymous activity?
Anonymity is and remains useful
• Connecting without paying for identity promotes growth of the Internet
• Anonymity promotes free speech (even though it may cause harm)
• Government activity in the place you access the Internet (from home) may be unwelcome

Privacy Challenge: Profiling
The questions
• Will identifiers be aggregated and analyzed?
• Will audited activity enable profiling and targeting?
Various factors mitigate the concerns
• Multiple identities reduce profiling risk
• Users choose when and what data to pass
• Social rules support anonymity in context
• Requesters follow the principle of data minimization: collect only when justified

Comparing Communications Technologies
The Internet's multipurpose nature and power make comparisons dangerous
Postal mail
• Time and cost make postal spamming infeasible
Voice networks
• Serve only a single point-to-point purpose
Television
• Limited total channel bandwidth justifies regulating content
Highways
• People expect government involvement in public activities

Multiple Privacy Interests
Allow greater authentication to those who want to provide or consume it
Allow anonymity for those who wish to seek it
• "I am free to send anonymously"
• "I am free to reject unknown communications"
• "If I accept unknown communications, I also accept the consequences"

What's the Ultimate Objective?
The option to authenticate won't destroy the social values promoted by anonymity
• People have long shown an interest in and support for it
• Markets continue to support it (cash still exists)
• It could be ensured by regulation
But anonymity isn't the ultimate objective; real problems need solutions
• Identity theft
• Critical infrastructure attacks
• Events that require social response

Economic Forces Drive Behaviors
Often from decisions designed to stimulate economic activity or manage competing risks, sometimes at the cost of security
Consider what happened when credit card associations removed consumer liability (from $50 to $0):
• Is the merchant valid? I don't care
• Is my number secure? Probably not
• Will I suffer the loss? No

Extended-Validation Certificates
Merchant banks investigate online businesses
Businesses approved to accept credit cards
Consumers make purchases from businesses
Why, then, don't the banks issue the certs?

Economic Realities: No Incentives
Merchant banks
• Can't monetize EV certificates
• Don't want to make assurances
• Don't want to accept the risk of "card not present" transactions
Online businesses
• Don't want to pay for EV certificates

Jurisdictional Issues
Government role: to investigate and prosecute online crime
• The Internet pays no attention to geography
• International agreements don't cover the world
• Sovereign laws end at national borders
• Some countries won't collect evidence
• Victims can be anywhere in the world
• Individual cases may never reach the economic thresholds required for law enforcement

The End Goal

One Key Question
As we become increasingly dependent on the Internet for all our daily activities, can we maintain a globally-connected, anonymous, untraceable Internet and rely on devices that run arbitrary code of unknown provenance?
Yes / No

If the Answer is "No"
Industry must create a more audited and authenticated Internet so people can make good trust decisions
• Substantially mitigate common risks to restore and enhance public faith in information technology
• Permit security professionals to spend less time on existing threats and focus on more intractable risks
• Increase the difficulty of committing computer crimes without getting caught
• Enable law enforcement to find more criminals and thus increase deterrence

Thank You

Resources
www.microsoft.com/teched: Sessions On-Demand & Community
www.microsoft.com/learning: Microsoft Certification & Training Resources
http://microsoft.com/technet: Resources for IT Professionals
http://microsoft.com/msdn: Resources for Developers

© 2009 Microsoft Corporation. All rights reserved.
Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.