IT Security: General Trends and Research Directions

Sherif El-Kassas
Department of Computer Science
The American University in Cairo

Posted on 14-Jan-2016 (PowerPoint presentation, 51 slides)

TRANSCRIPT

Page 1

IT Security: General Trends and Research Directions

Sherif El-Kassas

Department of Computer Science

The American University in Cairo

Page 2

Outline

Practical considerations

Academic and research perspective

National perspective

Page 3

Practical considerations

Types of attacks on the IT infrastructure

Technical

Physical

Social

Page 4

Technical Attacks

~80% considered the easiest to defend against (easiest doesn't mean easy)

The remaining ~20% are difficult! Examples include forms of technical hacking, automated attacks, malicious software, etc.

Page 5

Typical attack

Incident and Vulnerability Trends, http://www.cert.org/present/cert-overview-trends/

Page 6

Automated attacks via Worms, Trojans, & Viruses

Page 7

The Slammer worm!

The fastest mass attack in history

It doubled in size each 8.5 seconds

It infected 90% of vulnerable systems in 10 minutes!

Page 8

Slammer after a few minutes

D. Moore and others, Inside the Slammer Worm, IEEE Security & Privacy, July/August, 2003

Page 9

Geographic Distribution

D. Moore and others, Inside the Slammer Worm, IEEE Security & Privacy, July/August, 2003

Page 10

Flash Worms

“[…] infecting 95% of hosts in 510ms, and 99% in 1.2s.”

Staniford and others, The Top Speed of Flash Worms, www.caida.org/outreach/papers/2004/topspeedworms/

Page 11

Google worms

“inurl:id= filetype:asp site:gov” – 572,000 results

The Hacking Evolution: New Trends in Exploits and Vulnerabilities, www.sans.org

Page 12

Physical Attacks

Combine physical and technical intrusions

High risk for attacker, but may provide quicker access to sensitive resources

Examples include: trashing, hardware loggers, etc.

Page 13

http://keystroke-loggers.staticusers.net/

http://www.keyghost.com/

http://www.amecisco.com/hkstandalone.htm

http://www.littlepc.com/products_wireless.htm

Page 14

Social & Semantic Attacks

Rely on attacking the users of the systems, using social engineering, and possibly assisted with technical tools

Reported to be the most effective and low risk (from the attacker’s point of view)

Examples include fake web sites, phishing, etc.

Page 15

Phishing & Semantic Attacks

Page 16

Page 17

Page 18

Page 19

Please update your billing information by clicking […]:

<a href="http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&DomainUrl=http://goens.net/.www.ebay.com/"
   onMouseOut="status='';return true"
   target=_blank
   onMouseOver="status='https://billing.ebay.com/';return true">https://billing.ebay.com/</a>
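The anchor above combines three deceptions: link text that is itself a trustworthy-looking URL, an href on the real domain whose query parameter redirects somewhere else, and mouse handlers that rewrite the status bar so the target stays hidden. The following Python script is an added example, not part of the slides: it parses HTML with the standard library and reports each of those signs for every link it finds. The sample HTML is constructed from the slide's anchor plus two ordinary links for contrast; the function and issue names (analyze_links, text-host-mismatch, embedded-redirect, status-bar-override) are this example's own.

```python
"""Flag deceptive links of the kind shown on the phishing slide.

Added example, not from the slides: an offline analyser that compares what a
link *shows* with where it actually *goes*, using only the standard library.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs


class _LinkCollector(HTMLParser):
    """Collect every <a> element as its attributes plus visible text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None  # the <a> currently being read, if any

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            # HTMLParser lower-cases attribute names and unescapes values.
            self._open = {"attrs": dict(attrs), "text": ""}

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(self._open)
            self._open = None


def _host(url):
    """Hostname of an absolute http(s) URL, or None for anything else."""
    url = (url or "").strip()
    if not url.lower().startswith(("http://", "https://")):
        return None
    return urlparse(url).hostname


def _redirect_hosts(href):
    """Hosts named by URL-valued query parameters (the DomainUrl= trick)."""
    hosts = []
    for values in parse_qs(urlparse(href).query).values():
        hosts.extend(h for h in map(_host, values) if h)
    return hosts


def analyze_links(html):
    """Return one finding dict per <a> element, in document order."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for link in parser.links:
        attrs, text = link["attrs"], link["text"]
        href = attrs.get("href") or ""
        href_host = _host(href)
        text_host = _host(text)
        redirect_hosts = _redirect_hosts(href)
        handlers = [v or "" for k, v in attrs.items() if k.startswith("on")]
        issues = []
        # 1. The visible text is a URL on a different host than the href.
        if text_host and href_host and text_host != href_host:
            issues.append("text-host-mismatch")
        # 2. The href on a trusted host carries a redirect to a third host.
        if any(h != href_host for h in redirect_hosts):
            issues.append("embedded-redirect")
        # 3. Mouse handlers that rewrite the status bar to hide the target.
        if any("status" in code for code in handlers):
            issues.append("status-bar-override")
        findings.append({"href_host": href_host, "text_host": text_host,
                         "redirect_hosts": redirect_hosts, "issues": issues})
    return findings


# Constructed sample: the slide's eBay-style anchor (with the HTML entity
# for '&' restored) plus two ordinary links for contrast.
SAMPLE_HTML = """
<p>Please update your billing information by clicking:</p>
<a href="http://cgi4.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=RedirectToDomain&amp;DomainUrl=http://goens.net/.www.ebay.com/"
   onMouseOut="status='';return true" target=_blank
   onMouseOver="status='https://billing.ebay.com/';return true">https://billing.ebay.com/</a>
<a href="https://billing.ebay.com/">https://billing.ebay.com/</a>
<a href="https://www.example.com/help">Help</a>
"""

if __name__ == "__main__":
    for finding in analyze_links(SAMPLE_HTML):
        print(finding)
```

For the slide's anchor the report shows href host cgi4.ebay.com, visible host billing.ebay.com and a redirect to goens.net, with all three issues raised; the two plain links raise none. Current browsers no longer let page scripts set window.status, so the third check matters mainly for mail clients and archived messages of that era; the first two (visible host versus real host, and a URL-valued query parameter on a trusted host) remain the structural signs of this trick.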

Page 20

http://avirubin.com/passport.html

Page 21

Technologies and Tools

Page 22

What are we doing about the threat!

Perspective to security:

Prevention

Page 23

What are we doing about the threat!

Perspective to security:

Security = Prevention + Detection + Response

Page 24

What are we doing about the threat!

Layered view of information security

Network

System

Applications

Data & Information

Page 25

Products are Necessary, but not Sufficient!

Page 26

Security is a Process

Page 27

A Security Process

Page 28

Security Quality Standards

Page 29

ISO 17799 / BS 7799

1. Business Continuity Planning
2. System Access Control
3. System Development and Maintenance
4. Physical and Environmental Security
5. Compliance
6. Personnel Security
7. Security Organization
8. Computer & Network Management
9. Asset Classification and Control
10. Security Policy

Page 30

Common Criteria for Information Technology Security Evaluation

Rooted in the Orange Book or the DoD Trusted Computer System Evaluation Criteria

ISO 15408

http://csrc.nist.gov/cc/

Page 31

Academic & research perspective:

Future Directions and Issues

Page 32

www.cra.org/Activities/grand.challenges/security/home.html

Page 33

www.cra.org/Activities/grand.challenges/security/home.html

Page 34

National Perspective

Page 35

TRUST

Page 36

Ken Thompson: On Trusting Trust

The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.)

[…]

A well installed microcode bug will be almost impossible to detect.

www.acm.org/classics/sep95/

Page 37

http://www.iwm.org.uk/online/enigma/eni-intro.htm

Page 38

Research and Development

Page 39

Cryptology

Cryptography

Theoretical research: number theory, algebraic geometry, complexity theory, graph theory, etc.

Research for the development of new (or bespoke) cryptographic algorithms and protocols

Cryptanalysis

Tools research (e.g., grid computing)

Page 40

Security Policy Models

Fundamentals of security models (e.g., multilevel vs. multilateral security)

National (possibly government) security policy models

Evaluating and auditing methodologies for national and established models (e.g., ISO 17799, and CC / ISO 15408)

Page 41

Computing models

Failure resistant systems

Digital immune systems (and anti-virus systems)

http://www.research.ibm.com/antivirus/

http://www.ibm.com/autonomic

AI and NN applications

Page 42

Security management and system development issues

Incremental and Agile development methods (Iterative, XP)

Threat modeling and risk analysis (threat trees, etc.)

Good opportunity for interdisciplinary research with economics

Applications and use of formal methods in security (BAN logic, B, Z, etc.)

Page 43

Hardware and physical security related issues

Engineering embedded hardware security devices (e.g., ARM processor core like systems)

Tamper resistant/evident systems

Emission and TEMPEST security

Resisting high-power microwave

Page 44

Firewalls and network isolation

Distributed firewall systems

The use of agent technologies

Application level firewalls for Web services and similar technologies

Firewalls to face challenges posed by new technologies: IP telephony, wireless networks, etc.

Page 45

Intrusion Detection and Prevention

High performance IDS systems

Applications of NNs, GAs, and other AI techniques

Applications of data mining

Statistical modeling and correlation

Page 46

Authentication and access control

Biometrics

Smartcards

Other systems (secure hardware!)

Page 47

Application security

Education

IDS/IPS for applications

Libraries and design patterns

More..

Page 48

Research aimed at better understanding attack technologies and trends

National Honeynet-like project

Large scale data collection and statistical trend analysis research

Vulnerability research

Page 49

Other issues

Computer Forensics

Telecommunications security

Systems, Metering, Signaling, Switching

Mobile phone security (cloning, GSM security, etc.)

Secure hardware

PKI & PMI

Legal issues

Page 50

Conclusions

Security is a wide and challenging field

Developers:
Look for shifts
The phone is the computer
The application is the security problem
Web services and virtual computing
Think services

Researchers:
Risk modeling
Fundamental issues
Don’t be swayed by fads

Government:
Adopt standards and security process
Diversify
Think in terms of threat pyramids
Manage trust
Encourage R&D

Page 51

Questions?

Links:

[email protected]
www.cs.aucegypt.edu/~skassas/ict-asrt/
www.cert.org
www.sans.org

IEEE
16th IEEE Computer Security Foundations Workshop (CSFW'03)
19th Annual Computer Security Applications Conference
Foundations of Intrusion Tolerant Systems (OASIS'03)
2003 IEEE Symposium on Security and Privacy
http://csdl.computer.org/

ACM
Conference on Computer and Communications Security
New Security Paradigms Workshop
Wireless Security
Workshop On Xml Security
http://portal.acm.org/

Recent Advances in Intrusion Detection
http://www.raid-symposium.org/