Vulnerabilities and Threats in Distributed Systems covers: From Vulnerabilities to Losses; Vulnerabilities and Threats; Vulnerabilities; Threats; Mechanisms to Reduce Vulnerabilities and Threats (Applying Reliability and Fault Tolerance Principles to Security Research, Using Trust in Role-based Access Control, ...).
Prof. Bharat Bhargava
Dr. Leszek Lilien
Department of Computer Sciences and the Center for Education and Research in Information Assurance and Security (CERIAS)
Purdue University
www.cs.purdue.edu/people/{bb, llilien}
Presented by Prof. Sanjay Madria, Department of Computer Science, University of Missouri-Rolla
He thanks the attendees, and regrets that he could not be present
He came to Bhubaneswar in 2001 and enjoyed it tremendously. He was looking forward to coming again
He will be willing to communicate about this research. Potential exists for research collaboration. Please send mail to bb@cs.purdue.edu
He will very much welcome your visit to Purdue University
Growing business losses due to vulnerabilities in distributed systems
Identity theft in 2003 – expected loss of $220 bln worldwide; 300% (!) annual growth rate [csoonline.com, 5/23/03]
Computer virus attacks in 2003 – estimated loss of $55 bln worldwide [news.zdnet.com, 1/16/04]
Vulnerabilities occur in:
Hardware / Networks / Operating Systems / DB systems / Applications
Loss chain
Dormant vulnerabilities enable threats against systems
Potential threats can materialize as (actual) attacks
Successful attacks result in security breaches
Security breaches cause losses
Control 3.3 Privacy-preserving Data Dissemination 3.4 Fraud Countermeasure Mechanisms
reliability domain
A flaw or a weakness in system security procedures, design, implementation, or internal controls
Can be accidentally triggered or intentionally exploited, causing security breaches
Shows how systems remain vulnerable long after security fixes
Vulnerability lifetime stages:
appears, discovered, disclosed, corrected, publicized, disappears
Verification techniques to check whether the abstract model satisfies the security properties
Some vulnerabilities are a side effect of a legitimate system feature
E.g., the setuid UNIX command creates vulnerabilities [14]
Need threat assessment to decide which vulnerabilities to remove first
Fraud involves abuse of trust [12, 29]
Fraudster strives to present himself as a trustworthy individual and friend
The more trust one places in others the more vulnerable one becomes
Quantitative impact
E.g., economic loss, measurable cascade effects, time to recover
Characteristics of high-risk vulnerabilities can be learnt
Contributes to identification of related vulnerabilities, including dangerous synergistic ones
Good model for a set of synergistic vulnerabilities can lead to uncovering gang attack threats or incidents
Evaluations/measurements of vulnerabilities at each lifecycle stage
In system components / subsystems / of the system as a whole
Assist in most efficient discovery of vulnerabilities before they are exploited by an attacker or a failure
Assist in most efficient elimination / masking of vulnerabilities (e.g., based on principles analogous to fault-tolerance)
OR:
Keep an attacker unaware or uncertain of important system parameters
(e.g., by using nondeterministic or deceptive system behavior, increased component diversity, or multiple lines of defense)
ICDCIT 2004
Models of Threats
Threats in security domain – like errors in reliability domain
Entities that can intentionally exploit or inadvertently trigger specific system vulnerabilities to cause security breaches [16, 27]
Based on consequences, we have:
threats of disclosure, threats of (illegal) execution, threats of misrepresentation, and threats of repudiation
Dealing with Threats – Threat Avoidance (1)
Dealing with Threats – Threat Avoidance (2)
Models for statistical databases to prevent data disclosures [1]
Dealing with Threats – Threat Tolerance
can be implicit (e.g., voting schemes follow the same procedure whether attacked or not)
Phase 6: report attack
to repair and fault treatment (to prevent a recurrence of similar attacks)
Dealing with Threats – Fraud Threat Detection for Threat Tolerance
Widely used in telecommunications, online transactions, insurance
Effective systems use both fraud rules and pattern analysis of user behavior
Challenge: a very high false alarm rate
Due to the skewed distribution of fraud occurrences
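The base-rate effect behind the false-alarm challenge above, as an added example that is not part of the original presentation. All detector rates are constructed sample values, and requiring both a rule detector and a behaviour-profile detector to fire, with independent errors, is an assumption of this sketch rather than the authors' method.

```python
# Added illustration: why skewed fraud prevalence floods analysts with false alarms.
# All rates below are constructed sample values, not figures from the presentation.

def alarm_breakdown(n_events, fraud_rate, tpr, fpr):
    """Expected alarm counts for a detector with the given true/false positive rates."""
    fraud = n_events * fraud_rate
    legit = n_events - fraud
    true_alarms = fraud * tpr
    false_alarms = legit * fpr
    total = true_alarms + false_alarms
    return {
        "true_alarms": true_alarms,
        "false_alarms": false_alarms,
        # Share of raised alarms that are false: what an analyst actually sees.
        "false_alarm_share": false_alarms / total if total else 0.0,
    }

def and_combine(det_a, det_b):
    """(tpr, fpr) when an alarm needs both detectors to fire.
    Assumes the two detectors err independently (assumption of this sketch)."""
    return det_a[0] * det_b[0], det_a[1] * det_b[1]

def max_fpr_for_share(fraud_rate, tpr, target_share):
    """Largest FPR that keeps the false share of alarms at or below target_share."""
    # false / (true + false) <= s  is equivalent to  false <= true * s / (1 - s)
    true_per_event = fraud_rate * tpr
    return true_per_event * target_share / (1 - target_share) / (1 - fraud_rate)

RULES = (0.95, 0.02)    # constructed (tpr, fpr) for a rule-based detector
PROFILE = (0.90, 0.01)  # constructed (tpr, fpr) for a behaviour-profile detector

if __name__ == "__main__":
    n = 1_000_000
    for rate in (0.5, 0.01, 0.001):
        single = alarm_breakdown(n, rate, *PROFILE)
        both = alarm_breakdown(n, rate, *and_combine(RULES, PROFILE))
        print(f"fraud rate {rate:>6}: profile only "
              f"{single['false_alarm_share']:.1%} false, "
              f"rules AND profile {both['false_alarm_share']:.1%} false, "
              f"frauds caught {single['true_alarms']:.0f} -> {both['true_alarms']:.0f}")
    print("FPR needed for a 50% false share at 0.1% fraud:",
          f"{max_fpr_for_share(0.001, PROFILE[0], 0.5):.5f}")
```

With these constructed rates, requiring both detectors cuts the false share of alarms sharply but also lowers the detection rate from 0.90 to 0.855, which is the trade-off to weigh.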
Identify (in metabases) known threats relevant for the context
Find salient features of these threats and associations between them
Mere threat (a potential for attack) has its impact
Consider threat properties: direct damage, indirect damage, recovery cost, prevention overhead
Consider interaction with other threats and defensive mechanisms
to reduce number and severity of threats
Consider injection of unpredictability or uncertainty to reduce threats
E.g., reduce data transfer threats by sending portions of critical data through different routes
Investigate threats to security mechanisms themselves
It might be needed for threat tolerance
Includes investigation of fraud threat detection
Products, Services and Research Programs for Industry (1)
There are numerous commercial products and services, and some free products and services
Examples follow.
Notation used below: Product (Organization)
Example vulnerability and incident metabases
CVE (Mitre), ICAT (NIST), OSVDB (osvdb.com), Apache Week Web Server (Red Hat), Cisco Secure Encyclopedia (Cisco), DOVES Computer Security Laboratory (UC Davis), DragonSoft Vulnerability Database (DragonSoft Security Associates), Secunia Security Advisories (Secunia), SecurityFocus Vulnerability Database (Symantec), SIOS (Yokogawa Electric Corp.), Verletzbarkeits-Datenbank (scip AG), Vigil@nce AQL (Alliance Qualité Logiciel)
Example vulnerability notification systems
CERT (SEI-CMU), Cassandra (CERIAS-Purdue), ALTAIR (esCERT-UPC), DeepSight Alert Services (Symantec), Mandrake Linux Security Advisories (MandrakeSoft)
Example other tools (1)
Vulnerability Assessment Tools (for databases, applications, web applications, etc.)
AppDetective (Application Security), NeoScanner@ESM (Inzen), AuditPro for SQL Server (Network Intelligence India Pvt. Ltd.), eTrust Policy Compliance (Computer Associates), Foresight (Cubico Solutions CC), IBM Tivoli Risk Manager (IBM), Internet Scanner (Internet Security Systems), NetIQ Vulnerability Manager (NetIQ), N-Stealth (N-Stalker), QualysGuard (Qualys), Retina Network Security Scanner (eEye Digital Security), SAINT (SAINT Corp.), SARA (Advanced Research Corp.), STATScanner (Harris Corp.), StillSecure VAM (StillSecure), Symantec Vulnerability Assessment (Symantec)
Automated Scanning Tools, Vulnerability Scanners
Automated Scanning (Beyond Security Ltd.), ipLegion/intraLegion (E*MAZE Networks), Managed Vulnerability Assessment (LURHQ Corp.), Nessus Security Scanner (The Nessus Project), NeVO (Tenable Network Security)
Products, Services and Research Programs for Industry (2)
Example other tools (2)
Vulnerability and Penetration Testing
Attack Tool Kit (Computec.ch), CORE IMPACT (Core Security Technologies), LANPATROL (Network Security Syst.)
Intrusion Detection System
Cisco Secure IDS (Cisco), Cybervision Intrusion Detection System (Venus Information Technology), Dragon Sensor (Enterasys Networks), McAfee IntruShield (IDS-McAfee), NetScreen-IDP (NetScreen Technologies), Network Box Internet Threat Protection Device (Network Box Corp.)
Applying Reliability Principles to Security Research (2)
Fault avoidance – threat avoidance
Fault tolerance – threat tolerance (gracefully adapts to threats that have materialized)
Maybe threat avoidance/tolerance should be named: vulnerability avoidance/tolerance
(to be consistent with the vulnerability-fault analogy)
To deal with failures, build fault-tolerant systems
To deal with security breaches, build threat-tolerant systems
To increase security use checkpoints to bring system back to a secure state
Adaptability / self-healing
Adapt to common and less severe security breaches as we adapt to everyday and relatively benign failures
Adapt to: timing / severity / duration / extent of a security breach
In such cases, analogy of time (Reliability) to effort (Security) is meaningless
Declarative language to define role assignment policies
Algorithm to assign roles to users
Based on role assignment policies and evidence statements
Algorithm to continuously update trustworthiness ratings for users
Its output is used to grant or disallow access requests
The trustworthiness rating of a recommender is affected by the trustworthiness ratings of all users he recommended
3.4 Fraud Countermeasure Mechanisms
Basic Terms – Privacy-preserving Data Dissemination
[Figure: guardians of private data. Labels: “Owner” (Private Data Owner), Original Guardian, Guardian 1, Guardian 3, Guardian 4, Guardian 5, Guardian 6, Third-level]
honor them
Detection of a loss of data or metadata
Efficient recovery of data and metadata
Recovery by retransmission from the original guardian is most trustworthy
Overview – Privacy-preserving Data Dissemination
Use bundles to make data and metadata inseparable
Develop distance-based evaporation of bundles
E.g., the more “distant” from its owner a bundle is, the more it evaporates (becoming more distorted)
More details on “Privacy-preserving Data Dissemination” available in the extended version of this presentation at: www.cs.purdue.edu/people/bb#colloquia
Control 3.3 Privacy-preserving Data Dissemination
Overview Fraud Countermeasure Mechanisms (1)
Overview Fraud Countermeasure Mechanisms (2)
Profile-based anomaly detector
Monitors suspicious actions searching for identified fraudulent behavior patterns
State transition analysis
Provides state description when an activity results in entering a dangerous state
Deceiving intention predictor
Discovers deceiving intention based on satisfaction ratings
Decision making
Decides whether to raise fraud alarm when deceiving pattern is discovered
Overview Fraud Countermeasure Mechanisms (3)
All three types of fraudulent behavior were quickly detected
More details on “Fraud Countermeasure Mechanisms” available in the extended version of this presentation at: www.cs.purdue.edu/people/bb#colloqia
interested in progress in this research
Thank you!