travis+security@subspacefield.org
January 26, 2015
Abstract
This is an online book about computer, network, technical, physical, information and cryptographic security. It is a labor of love, incomplete until the day I am finished.
Contents
1 Metadata
1.1 Copyright and Distribution Control
1.2 Goals
1.3 Audience
1.4 About This Work
1.5 On the HTML Version
1.6 About Writing This
1.7 Tools Used To Create This Book
2 Security Properties
2.1 Information Security is a PAIN
2.2 Parkerian Hexad
2.3 Pentagon of Trust
2.4 Security Equivalency
2.5 Other Questions
3 Security Models
4 Security Concepts
4.1 The Classification Problem
4.2 Security Layers
4.3 Privilege Levels
4.4 What is a Vulnerability?
4.5 Vulnerability Databases
4.6 Accuracy Limitations
4.7 Rice's Theorem
5 Economics of Security
5.1 How Expensive are Security Failures?
5.2 Abuse Detection and Response: A Cost-Benefit Perspective
6 Adversary Modeling
6.1 Common Psychological Errors
6.2 Cost-Benefit
6.3 Risk Tolerance
6.4 Capabilities
6.5 Sophistication Distribution
6.6 Goals
7 Threat Modeling
7.1 Common Platform Enumeration
7.2 A Taxonomy of Privacy Breaches
7.3 Threats to Security Properties
7.4 Quantifying Risk
7.5 Attack Surface
7.6 Attack Trees
7.7 The Weakest Link
8 Physical Security
8.1 No Physical Security Means No Security
8.2 Data Remanence
9.1 Introduction
9.2 Protection Rings
9.3 Operating Modes
9.4 NX bit
9.5 Supervisors and Hypervisors
9.6 Trusted Computing
9.7 Intel vPro
9.8 Hardware Vulnerabilities and Exploits
10 Distributed Systems
10.1 Network Security Overview
10.2 Network Access Control
10.3 Network Reconnaissance
10.4 Network Intrusion Detection and Prevention
10.5 Cryptography is the Sine Qua Non of Secure Distributed Systems
10.6 Hello, My Name is 192.168.1.1
10.7 Source Tapping; The First Hop and Last Mile
10.8 Security Equivalent Things Go Together
10.9 Man In The Middle
10.10 Network Surveillance
10.11 Push vs. Pull Updates
10.12 DNS Issues
10.13 Network Topology
11 Identification and Authentication
11.1 Identity
11.2 Identity Management
11.3 The Identity Continuum
11.4 Problems Remaining Anonymous
11.5 Problems with Identifying People
11.8 Authentication Factors
11.9 Authenticators
11.10 Biometrics
11.11 Authentication Issues: When, What
11.12 Remote Attestation
11.13 Advanced Authentication Tools
12 Authorization - Access Control
12.1 Privilege Escalation
12.2 Physical Access Control
12.3 Operating System Access Control
12.4 Application Authorization Decisions
12.5 IPTables, IPChains, Netfilter
12.6 PF
12.7 Keynote
13 Secure System Administration
13.1 Backups
13.2 Monitoring
13.3 Visualization
13.4 Change Management
13.5 Self-Healing Systems
13.6 Heterogeneous vs. Homogeneous Defenses
14 Logging
14.1 Synchronized Time
14.2 Syslog
14.3 Cryptographically Untamperable Logs
15 Reporting
15.1 Change Reporting
15.2 Artificial Ignorance
16.1 Physical Intrusion Detection
16.2 Misuse Detection vs. Anomaly Detection
16.3 Computer Immune Systems
16.4 Behavior-Based Detection
16.5 Honey Traps
16.6 Tripwires and Booby Traps
16.7 Malware and Anti-Malware
16.8 Detecting Automated Peers
16.9 Host-Based Intrusion Detection
16.10 Intrusion Detection Principles
16.11 Intrusion Information Collection
17 Abuse Response
17.1 Abuse Alerting
17.2 How to Respond to Abuse
17.3 Identification Issues
17.4 Resource Consumption Defenses
17.5 Proportional Response
18 Forensics
18.1 Forensic Limitations
18.2 Remnant Data
18.3 Ephemeral Data
18.4 Remnant Data
18.5 Hidden Data
18.6 Metadata
18.7 Locating Encryption Keys and Encrypted Data
18.8 Forensic Inference
19 Privacy
19.1 Mix-Based Systems
20.1 Response to Worms and Human Perpetrators
20.2 Response to Malware
21 Network Security
21.1 The Current State of Things
21.2 Traffic Identification
21.3 Brute-Force Defenses
21.4 Federated Defense
21.5 VLANs Are Not Security Technologies
21.6 Advanced Network Security Technologies
22 Email Security
22.1 Unsolicited Bulk Email
22.2 Phishing
22.3 Frameworks
23 Web Security
23.1 Direct Browser Attacks
23.2 Indirect Browser Attacks
23.3 Web Application Vulnerabilities
23.4 Relevant Standards
23.5 Crawler Attacks
23.6 SSL Certificates Made Redundant
24 Software Security
24.1 Security is a Subset of Correctness
24.2 Secure Coding
24.3 Malware vs. Data-Directed Attacks
24.4 Language Weaknesses
24.5 Reverse Engineering
24.6 Application Exploitation
24.9 Failure Modes
24.10 Fault Tolerance
24.11 Implications of Incorrectness
25 Human Factors and Usability
25.1 The Psychology of Security
25.2 Social Engineering
25.3 Security Should Be Obvious, and the Default
25.4 Security Should Be Easy to Use
25.5 No Hidden Data
26 Attack Patterns
26.1 Attack Taxonomy
26.2 Attack Properties
26.3 Attack Cycle
26.4 Common Attack Pattern Enumeration and Classification
27 Trust and Personnel Security
27.1 Trust and Trustworthiness
27.2 Who or What Are You Trusting?
27.3 Code Provenance
27.4 The Incompetence Defense
27.5 Limiting Damage Caused by Trusted People
28 Cryptography
28.1 Things To Know Before Doing Crypto
28.2 Limits of Cryptography
28.3 Cryptographic Algorithms
28.4 Cryptographic Algorithm Enhancements
28.5 Cryptographic Combinations
28.6 Cryptographic Protocols
28.7 Encrypted Storage
28.8 Deniable Storage
28.9 Key Management
29.1 Types of Random Number Generators
29.2 Pseudo-Random Number Generators
29.3 An Ideal Random Number Generator
29.4 Definitions of Unpredictability
29.5 Definitions of Randomness
29.6 Types of Entropy
29.7 Why Entropy and Unpredictability Are Not the Same
29.8 Unpredictability is the Sine Qua Non of Cryptography
29.9 Unpredictability is Not Provable
29.10 Randomly Generated Samples
29.11 Testing Samples For Predictability
29.12 Testing Noise Sources
29.13 Ways to Fail
29.14 Sources of Unpredictability
29.15 The Laws of Unpredictability
30 Cryptanalysis
30.1 Cryptographic Attack Patterns
30.2 A Priori Knowledge
30.3 Length Extension Attacks
30.4 Hash Collisions
30.5 PKCS Padding Oracle Attack
30.6 Cryptanalysis of Random Number Generators
30.7 Cryptanalysis of Wireless Protocols
31 Lateral Thinking
31.1 Traffic Analysis
32.1 Intelligence Jargon
32.2 Controlling Information Flow
32.3 Labeling and Regulations
32.4 Knowledge is Power
32.5 Secrecy is Power
32.6 Never Confirm Guesses
32.7 What You Don't Know Can Hurt You
32.8 How Secrecy is Lost
32.9 Costs of Disclosure
32.10 Dissemination
32.11 Information, Misinformation, Disinformation
33 Conflict and Combat
33.1 Indicators and Warnings
33.2 Attacker's Advantage in Network Warfare
33.3 Defender's Advantage in Network Warfare
33.4 OODA Loops
33.5 Courses of Action
34 Security Principles
34.1 The Principle of Least Privilege
34.2 The Principle of Agility
34.3 The Principle of Minimal Assumptions
34.4 The Principle of Fail-Secure Design
34.5 The Principle of Unique Identifiers
34.6 The Principles of Simplicity
34.7 The Principle of Defense in Depth
34.8 The Principle of Uniform Fronts
34.9 The Principle of Split Control
34.10 The Principle of Minimal Changes
34.13 The Principle of Removing Excuses
34.14 The Principle of Usability
34.15 The Principle of Retaining Control
34.16 The Principle of Personality
34.17 The Principle of Least Common Mechanism
34.18 The Principle of Practice
34.19 Work Factor Calculation
34.20 Availability Principles
35 Common Arguments
35.1 Disclosure: Full, Partial, or None?
35.2 Absolute vs. Effective Security
35.3 Quantification and Metrics vs. Intuition
35.4 Security Through Obscurity
35.5 Security of Open Source vs. Closed Source
35.6 Insider Threat vs. Outsider Threat
35.7 Prevention vs. Detection
35.8 Audit vs. Monitoring
35.9 Early vs. Late Adopters
35.10 Sending HTML Email
36 Editorials, Predictions, Polemics, and Personal Opinions
36.1 So You Think You're Old School?
36.2 Security is for Polymaths
36.3 A Proposed Perimeter Defense
36.4 Linear Order Please!
36.5 Computers are Transcending our Limitations
36.6 Password Length Limits Considered Harmful
36.7 Everything Will Be Encrypted Soon
36.8 How Universal Digital Signing Will Affect Things
36.11 Should My Employees Attend Hacker Conferences?
36.12 Should You Sell Out?
36.13 Anonymity is not a Crime
36.14 Monitoring Your Employees
36.15 Trust People in Spite of Counterexamples
36.16 Do What I Mean vs. Do What I Say
36.17 You Are Part of the Problem if You...
36.18 What Do I Do to Not Get Hacked?
37 Resources
37.1 My Other Stuff
37.2 Publications
37.3 Conferences
37.4 Books
37.5 Periodicals
37.6 Blogs
37.7 Mailing Lists
37.8 Computer Security Movies
38 Unsorted
39 Credits
1 Metadata
The books that help you most are those which make you think the most. The hardest way of learning is that of easy reading; but a great book that comes from a great thinker is a ship of thought, deep freighted with truth and beauty.

1.1 Copyright and Distribution Control
Kindly link a person to it instead of redistributing it, so that people may always receive the latest version. However, even an outdated copy is better than none. The PDF version is preferred and more likely to render properly (especially graphics and special mathematical characters), but the HTML version is simply too convenient to not have it available. The latest version is always here:
http://www.subspacefield.org/security/security_concepts.html
This is a copyrighted work, with some rights reserved. This work is licensed under the Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 United States License. This means you may redistribute it for non-commercial purposes, and that you must attribute me properly (without suggesting I endorse your work). For attribution, please include a prominent link back to this original work and some text describing the changes. I am comfortable with certain derivative works, such as translation into other languages, but not sure about others, so I have not yet explicitly granted permission for all derivative uses. If you have any questions, please email me and I'll be happy to discuss it with you.
1.2 Goals
I wrote this paper to try and examine the typical problems in computer security and related areas, and attempt to extract from them principles for defending systems. To this end I attempt to synthesize various fields of knowledge, including computer security, network security, cryptology, and intelligence. I also attempt to extract the principles and implicit assumptions behind cryptography and the protection of classified information, as obtained through reverse-engineering (that is, informed speculation based on existing regulations and stuff I read in books), where they are relevant to technological security.

1.3 Audience
When I picture a perfect reader, I always picture a monster of courage and curiosity, also something supple, cunning, cautious, a born adventurer and discoverer.
Friedrich Nietzsche
This is not intended to be an introductory text, although a beginner could gain something from it. The reason behind this is that beginners think in terms of tactics, rather than strategy, and of details rather than generalities. There are many fine books on computer and network security tactics (and many more
attempted to extract abstract concepts and strategies which are not necessarily tied to computer security. And I have attempted to illustrate the points with interesting and entertaining examples and would love to have more, so if you can think of an example for one of my points, please send it to me!
I'm writing this for you, noble reader, so your comments are very welcome; you will be helping me make this better for every future reader. If you send a contribution or comment, you'll save me a lot of work if you tell me whether you wish to be mentioned in the credits (see 39) or not; I want to respect the privacy of anonymous contributors. If you're concerned that would be presumptuous, don't be; I consider it considerate of you to save me an email exchange. Security bloggers will find plenty of fodder by looking for new URLs added to this page, and I encourage you to do it, since I simply don't have time to comment on everything I link to. If you link to this paper from your blog entry, all the better.

1.4 About This Work
I have started this book with some terminology as a way to frame the discussion. Then I get into the details of the technology. Since this is adequately explained in other works, these sections are somewhat lean and may merely be a list of links. Then I get into my primary contribution, which is the fundamental principles of security which I have extracted from the technological details. Afterwards, I summarize some common arguments that one sees among security people, and I finish up with some of my personal observations and opinions.

1.5 On the HTML Version
Since this document is constantly being revised, I suggest that you start with the table of contents and click on the subject headings so that you can see which ones you have read already. If I add a section, it will show up as unread. By the time it has expired from your browser's history, it is probably time to re-read it anyway, since the contents have probably been updated.
See the end of this page for the date it was generated (which is also the last update time). I currently update this about once every two weeks.
Some equations may fail to render in HTML. Thus, you may wish to view the PDF version instead.

1.6 About Writing This
Part of the challenge with writing about this topic is that we are always learning
to-date than a book, and more comprehensive and self-contained than most web pages. I know it's uneven; in some areas it's just a heading with a paragraph, or a few links, in other places it can be as smoothly written as a book. I thought about breaking it up into multiple documents, so I could release each with much more fanfare, but that's just not the way I write, and it makes it difficult to do as much cross-linking as I'd like.
This is to my knowledge the first attempt to publish a computer security book on the web before printing it, so I have no idea if it will even be possible to print it commercially. That's okay; I'm not writing for money. I'd like for the Internet to be the public library of the 21st century, and this is my first significant donation to the collection. I am reminded of the advice of a staffer in the computer science department, who said, do what you love, and the money will take care of itself.
That having been said, if you wanted towards the effort, you can help me defray the costs of maintaining a server and such by visiting our donation page. If you would like to donate but cannot, you may wait until such a time as you can afford to, and then give something away (i.e. pay it forward).

1.7 Tools Used To Create This Book
I use LyX, but I'm still a bit of a novice. I have a love/hate relationship with it and the underlying typesetting language LaTeX.
2 Security Properties
What do we mean by secure? When I say secure, I mean that an adversary can't make the system do something that its owner (or designer, or administrator, or even user) did not intend. Often this involves a violation of a general security property. Some security properties include:
confidentiality refers to whether the information in question is disclosed or remains private.
integrity refers to whether the systems (or data) remain uncorrupted. The opposite of this is malleability, where it is possible to change data without detection, and believe it or not, sometimes this is a desirable security property.
availability is whether the system is available when you need it or not.
so it can be investigated later. Direct-record electronic voting machines (with no paper trail) are unauditable.
control is whether the system obeys only the authorized users or not.
authentication is whether the system can properly identify users. Sometimes, it is desirable that the system cannot do so, in which case it is anonymous or pseudonymous.
non-repudiation is a relatively obscure term meaning that if you take an action, you won't be able to deny it later. Sometimes, you want the opposite, in which case you want repudiability (plausible deniability).
Please forgive the slight difference in the way they are named; while English is partly to blame, these properties are not entirely parallel. For example, confidentiality refers to information (or inferences drawn on such) just as program refers to an executable stored on the disk, whereas control implies an active system just as process refers to a running program (as they say, a process is a program in motion). Also, you can compromise my data confidentiality with a completely passive attack such as reading my backup tapes, whereas controlling my system is inherently detectable since it involves interacting with it in some way.

2.1 Information Security is a PAIN
You can remember the security properties of information as PAIN; Privacy, Authenticity, Integrity, Non-repudiation.

2.2 Parkerian Hexad
There is something similar known as the Parkerian Hexad, defined by Donn B. Parker, which is six fundamental, atomic, non-overlapping attributes of information that are protected by information security measures:
1. confidentiality
2. possession
3. integrity
4. authenticity
5. availability

2.3 Pentagon of Trust
1. Admissibility (is the remote node trustworthy?)
2. Authentication (who are you?)
3. Authorization (what are you allowed to do?)
4. Availability (is the data accessible?)
5. Authenticity (is the data intact?)

2.4 Security Equivalency
I consider two objects to be security equivalent if they are identical with respect to the security properties under discussion; for precision, I may refer to confidentiality-equivalent pieces of information if the sets of parties to which they may be disclosed (without violating security) are exactly the same (and conversely, so are the sets of parties to which they may not be disclosed). In this case, I'm discussing objects which, if treated improperly, could lead to a compromise of the security goal of confidentiality. Or I could say that two cryptosystems are confidentiality-equivalent, in which case the objects help achieve the security goal. To be perverse, these last two examples could be combined; if the information in the first example was actually the keys for the cryptosystem in the second example, then disclosure of the first could impact the confidentiality of the keys and thus the confidentiality of anything handled by the cryptosystems. Alternately, I could refer to access-control equivalence between two firewall implementations; in this case, I am discussing objects which implement a security mechanism which helps us achieve the security goal, such as confidentiality of something.

2.5 Other Questions
1. Secure to whom? A web site may be secure (to its owners) against unauthorized control, but may employ no encryption when collecting information from customers.
2. Secure from whom? A site may be secure against outsiders, but not insiders.
3 Security Models
I intend to expand this section when I have some time.
Biba Integrity Model
Brewer-Nash Model
Graham-Denning Model
Take-Grant Model
Clark-Wilson Model
Harrison-Ruzzo-Ullman Model
Non-interference Model
Related information in Operating System Access Control (12.3).

4 Security Concepts
There is no security on this earth, there is only opportunity.
General Douglas MacArthur (1880-1964)
These are important concepts which appear to apply across multiple security domains.
4.1 The Classification Problem
Many times in security you wish to distinguish between classes of data. This occurs in firewalls, where you want to allow certain traffic but not all, and in intrusion detection where you want to allow benign traffic but not allow malicious traffic, and in operating system security, we wish to allow the user to run their programs but not malware (see 16.7). In doing so, we run into a number of limitations in various domains that deserve mention together.

4.1.1 Classification Errors
False Positives vs. False Negatives, also called Type I and Type II errors. Discuss equal error rate (EER) and its use in biometrics.
A more sophisticated measure is the Receiver Operating Characteristic curve, see:
In The Base Rate Fallacy and its Implications for Intrusion Detection, the author essentially points out that there's a lot of benign traffic for every attack, and so even a small chance of a false positive will quickly overwhelm any true positives. Put another way, if one out of every 10,001 connections is malicious, and the test has a 1% false positive error rate, then for every 1 real malicious connection there are 10,000 benign connections, and hence 100 false positives.

4.1.3 Test Efficiency
In other cases, you are perfectly capable of performing an accurate test, but not on all the traffic. You may want to apply a cheap test with some errors on one side before applying a second, more expensive test on the side with errors to weed them out. In medicine, this is done with a screening test which has low false negatives, and then having concentrated the high risk population, you now diagnose with a more complex procedure with a low false positive rate because you're now diagnosing a high-prevalence population. This is done in BSD Unix with packet capturing via tcpdump, which uploads a coarse filter into the kernel, and then applies a more expensive but finer-grained test in userland which only operates on the packets which pass the first test.
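As an added worked example (not from the book), the numbers in the base-rate paragraph and the screen-then-diagnose pattern of 4.1.3 are run through a small expected-value model; the detector error rates and per-item costs are constructed assumptions for illustration, not measurements of tcpdump or of any real IDS.

```python
"""Base-rate fallacy and two-stage testing, modelled on the numbers in the text.

Constructed example: 1 malicious connection per 10,001, a 1% false-positive rate,
and made-up costs/rates for a cheap coarse filter and an expensive fine check.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Test:
    """A detector described by its error rates and a per-item cost (all assumed)."""
    name: str
    true_positive_rate: float   # sensitivity: P(alert | malicious); 1 - this is the miss rate
    false_positive_rate: float  # P(alert | benign)
    cost: float                 # cost units per item examined (e.g. CPU time)


@dataclass(frozen=True)
class Population:
    """Expected counts of malicious and benign items in a traffic stream."""
    malicious: float
    benign: float

    @property
    def size(self) -> float:
        return self.malicious + self.benign


@dataclass(frozen=True)
class CascadeResult:
    final: Population                               # what the last stage flagged
    stages: list[tuple[str, dict[str, float]]]      # per-stage statistics
    total_cost: float


def apply_test(test: Test, pop: Population) -> tuple[Population, dict[str, float]]:
    """Run one test over a population; return the flagged sub-population and stats.

    Counts are expectations, so a fractional true_positives is a rate, not a draw.
    """
    tp = pop.malicious * test.true_positive_rate
    fp = pop.benign * test.false_positive_rate
    flagged = Population(malicious=tp, benign=fp)
    stats = {
        "true_positives": tp,
        "false_positives": fp,
        "false_negatives": pop.malicious - tp,
        # precision (positive predictive value): of all alerts, how many are real?
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "cost": test.cost * pop.size,
    }
    return flagged, stats


def cascade(tests: list[Test], pop: Population) -> CascadeResult:
    """Apply tests in order, each stage examining only what the previous one flagged.

    This is the screening-then-diagnosis pattern from 4.1.3: a cheap first stage
    with few false negatives concentrates the suspects, so the expensive second
    stage both costs less and is run against a high-prevalence population.
    """
    current, total_cost, stages = pop, 0.0, []
    for t in tests:
        current, stats = apply_test(t, current)
        total_cost += stats["cost"]
        stages.append((t.name, stats))
    return CascadeResult(final=current, stages=stages, total_cost=total_cost)


# Constructed inputs mirroring the text: 1 malicious connection per 10,001 and a
# single detector with a 1% false-positive rate (assumed to catch every attack).
BASE_RATE_POPULATION = Population(malicious=1.0, benign=10_000.0)
NAIVE_IDS = Test("single-stage IDS", 1.0, 0.01, cost=1.0)

# Constructed two-stage pipeline in the tcpdump spirit: a coarse in-kernel filter
# that rarely misses, then a costly fine-grained userland check that rarely false-alarms.
COARSE_FILTER = Test("coarse kernel filter", 0.99, 0.01, cost=1.0)
FINE_CHECK = Test("fine-grained userland check", 0.95, 0.001, cost=100.0)


def compare_strategies(pop: Population = BASE_RATE_POPULATION) -> dict[str, dict[str, float]]:
    """Summarise the three strategies the text contrasts, on one population."""
    _, naive = apply_test(NAIVE_IDS, pop)            # base-rate fallacy: 100 FPs per attack
    _, fine_only = apply_test(FINE_CHECK, pop)       # the accurate test run on all traffic
    two = cascade([COARSE_FILTER, FINE_CHECK], pop)  # screen cheaply, then diagnose
    tp2, fp2 = two.final.malicious, two.final.benign
    pick = lambda s: {k: s[k] for k in ("false_positives", "precision", "cost")}
    return {
        "naive": pick(naive),
        "fine_only": pick(fine_only),
        "two_stage": {"false_positives": fp2,
                      "precision": tp2 / (tp2 + fp2) if tp2 + fp2 else 0.0,
                      "cost": two.total_cost},
    }


if __name__ == "__main__":
    for name, r in compare_strategies().items():
        print(f"{name:10s} false_positives={r['false_positives']:8.3f} "
              f"precision={r['precision']:.3f} cost={r['cost']:12.1f}")
```

With these assumed rates the cascade reaches roughly 90% precision at about 2% of the cost of running the fine check on everything, while the single-stage detector's precision is under 1%, which is the base-rate fallacy in numbers.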
4.1.4 Incompletely-Defined Sets
As far as the laws of mathematics refer to reality, they are not certain; and as far as they are certain, they do not refer to reality.
Albert Einstein
Stop for a moment and think about the difficulty of trying to list all the undesirable things that your computer shouldn't do. If you find yourself finished, then ask yourself; did you include that it shouldn't attack other computers? Did you include that it shouldn't transfer $1000 to a mafia-run web site when you really intended to transfer $100 to your mother? Did you include that it shouldn't send spam to your address book? The list goes on and on.
Thus, if we had a complete list of everything that was bad, we'd block it and never have to worry about it again. However, often we either don't know, or the set is infinite.
In some cases, it may be possible to define a list of good things (see 34.1); for example, the list of programs you might need to use in your job may be small, and so they could be enumerated. However, it is easy to imagine where whitelisting would be impossible; for example, it would be impractical to enumerate all the possible good network packets, because there's just so many of them.
It is probably true that computer security is interesting because it is open-ended; so often we can't enumerate all the things we would want to do, nor all the things that we would not want to do. Because of this, intrusion detection systems (see 16) often simply guess; they try to detect attacks unknown to them by looking for features that are likely to be present in exploits but not in normal traffic. At the current moment, you can find out if your traffic is passing through an IPS by trying to send a long string of 0x90 octets (x86 NOPs) in a session. This isn't malicious by itself, but is a common letter with which people pad exploits (see 24.6). In this case, it's a great example of a false positive, or collateral damage, generated through guilt-by-association; there's nothing inherently bad about NOPs, it's just that exploit writers use them a lot, and IPS vendors decided that made them suspicious. I'm not a big fan of these because I feel that it breaks functionality that doesn't threaten the system, and that it could be used as evidence of malfeasance against someone by someone who doesn't really understand the technology. I'm already irritated by the false-positives or excessive warnings about security tools from anti-virus software; it seems to alert to "potentially-unwanted programs" an absurd amount of the time; most novices don't understand that the anti-virus software reads the disk even though I'm not running the programs, and that you have nothing to fear if you don't run the programs. I fear that one day my Internet Service Provider will start filtering them out of my email or network streams, but fortunately they just don't care that much.
4.2 Security Layers
I like to think of security as a hierarchy. At the base, you have physical security. On top of that is OS security, and on top of that is application security, and on top of that, network security. The width of each layer of the hierarchy can be thought of as the level of security assurance, so that it forms a pyramid.
You may have an unbeatable firewall, but if your OS doesn't require a password and your adversary has physical access to the system, you lose. So each layer of the pyramid cannot be more secure (in an absolute sense) than the layer below it. Ideally, each layer should be available to fewer adversaries than the layer above it, so that one has a sort of balance or risk equivalency.
1. network security
2. application/database security
3. OS security
4. hardware security
dividual computers), and do not distinguish between users of each system. In some sense, we are assigning rights to computers and not people. We are defining which computers may talk to which other computers, or perhaps even to which applications. This is often justified since it is usually easier to leverage one user's access to gain another's within the same system than to gain access to another system (but this is not a truism).
In application or database security, we are concerned about how software applications handle security. For example, most databases have notions of users, and one may allow certain users to access certain databases, tables, or rows and not others. It is assumed that the adversary is one of the users of the system, and the discussion centers around what that user can or cannot do within the application, assuming that the user cannot
In operating system security, we distinguish between users of the system, and perhaps the roles they are fulfilling, and only concern ourselves with activities within that computer. It is assumed that the adversary has some access, but less than full privileges on the system.
Hardware security receives little discussion in security circles, but as processors and chipsets get more complex, there are more vulnerabilities being found within them. In hardware security, we assume that the adversary has root-level access on the system, and discuss what that enables the adversary to do.
When we discuss physical security, we assume that the adversary may physically approach the campus, building, room, or computer. We tend to create concentric security zones around the system, and try to keep adversaries as far away from it as possible. This is because if an adversary gains physical, unmonitored access to the computer system, it is virtually impossible to maintain the security of the system. This kind of discussion is particularly interesting to designers of tamper-resistant systems, such as digital satellite TV receivers.
4.3 Privilege Levels
Here's a taxonomy of some commonly-useful privilege levels.
1. Anonymous, remote systems
2. Authenticated remote systems
3. Local unprivileged user (UID > 0)
4. Administrator (UID 0)
5. Kernel (privileged mode, ring 0)
the higher the privilege level you get, the harder you can be to detect. The gateways between the levels are access control devices, analogous with firewalls.
4.4 What is a Vulnerability?
Now that you know what a security property is, what constitutes (or should constitute) a vulnerability? On the arguable end of the scale we have loss of availability, or susceptibility to denial of service (DoS). On the inarguable end of the scale, we have loss of control, which usually means arbitrary code execution, which often means that the adversary can do whatever he wants with the system, and therefore can violate any other security property.
In an ideal world, every piece of software would state its assumptions about its environment, and then state the security properties it attempts to guarantee; this would be a security policy. Any violation of these explicitly-stated security properties would then be a vulnerability, and any other security properties would simply be outside the design goals. However, I only know of one piece of commonly-available software which does this, and that's OpenSSL (http://oss-institute.org/FIPS_733/SecurityPolicy-1.1.1_733.pdf).
A vulnerability is a hole or a weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application. Stakeholders include the application owner, application users, and other entities that rely on the application. The term "vulnerability" is often used very loosely. However, here we need to distinguish threats, attacks, and countermeasures.
OWASP Vulnerabilities Category (http://www.owasp.org/index.php/Category:Vulnerability)
Vulnerabilities can be divided roughly into two categories, implementation bugs and design flaws. Gary McGraw (http://www.cigital.com/~gem/), the host of the Silver Bullet Security Podcast (http://www.cigital.com/silverbullet/), reports that the vulnerabilities he finds are split into these two categories roughly evenly.
4.5 Vulnerability Databases
4.5.1 National Vulnerability Database
NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of
flaws, misconfigurations, product names, and impact metrics.
NVD Home Page
National Vulnerability Database (http://nvd.nist.gov/)

4.5.2 Common Vulnerabilities and Exposures
International in scope and free for public use, CVE is a dictionary of publicly known information security vulnerabilities and exposures. CVE's common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.
CVE Home Page
Common Vulnerabilities and Exposures (http://cve.mitre.org/)

4.5.3 Common Weakness Enumeration
The Common Weakness Enumeration Specification (CWE) provides a common language of discourse for discussing, finding and dealing with the causes of software security vulnerabilities as they are found in code, design, or system architecture. Each individual CWE represents a single vulnerability type. CWE is currently maintained by the MITRE Corporation with support from the National Cyber Security Division (DHS). A detailed CWE list is currently available at the MITRE website; this list provides a detailed definition for each individual CWE.
CWE Home Page
Common Weakness Enumeration (http://cwe.mitre.org/)

4.5.4 Open Source Vulnerability Database
OSVDB is an independent and open source database created by and for the community. Our goal is to provide accurate, detailed, current, and unbiased technical information.
OSVDB Home Page
pact Security
On two occasions I have been asked, "Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?" In one case a member of the Upper, and in the other a member of the Lower, House put this question. I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.
Charles Babbage
This is sometimes called the GIGO rule (Garbage In, Garbage Out). Stated this way, this seems self-evident. However, you should realize that this applies to systems as well as programs. For example, if your system depends on DNS to locate a host, then the correctness of your system's operation depends on DNS. Whether or not this is exploitable (beyond a simple denial of service) depends a great deal on the details of the procedures. This is a parallel to the question of whether it is possible to exploit a program via an unsanitized input.
You can never be more accurate than the data you used for your input. Try to be neither precisely inaccurate, nor imprecisely accurate. Learn to use footnotes.

4.7 Rice's Theorem
This appears to relate to the undecidability of certain problems related to arbitrary programs, of certain issues related to program correctness, and has important consequences like no modern general-purpose computer can solve the general problem of determining whether or not a program is virus free. A friend pointed out to me that the entire anti-virus industry depends on the public not realizing that this is proven to be an unsolvable (not just a difficult) problem. The anti-virus industry, when it attempts to generate signatures or enumerate badness (see 34.1), is playing a constant game of catch-up, usually a step or two behind their adversaries.
Unfortunately, really understanding and (even more so) explaining decidability problems requires a lot of thinking, and I'm not quite up to the task at the moment, so I'll punt.
Wikipedia article on Rice's Theorem (http://en.wikipedia.org/wiki/Rice%27s_theorem)
5 Economics of Security

5.1 How Expensive are Security Failures?

5.1.1 TJ Maxx

TJ Maxx was using WEP at their stores and suffered a major loss of data, and
large fines:

WEP Security + Pringles-Can = $1B TJX Loss?
TJX's failure to secure Wi-Fi could cost $1B
Report of an Investigation into the Security, Collection and Retention of Personal Information

5.1.2 Greek Cell Tapping Incident

The Greek telephone tapping case of 2004-2005, also referred to as Greek
Watergate, involved the illegal tapping of more than 100 mobile phones on the
Vodafone Greece network belonging mostly to members of the Greek government
and top-ranking civil servants.

On October 19, 2007, Vodafone Greece was again fined €19 million by EETT,
the national telecommunications regulator, for alleged breach of privacy rules.

Wikipedia article
Greek Watergate scandal sends political shockwaves
The Athens Affair

5.1.3 VAServ/LxLabs

The discovery of 24 security vulnerabilities may have contributed to the death
of the chief of LxLabs. A flaw in the company's HyperVM software allowed
data on 100,000 sites, all hosted by VAserv, to be destroyed. The HyperVM
solution is popular with cheap web hosting services and the attacks are easy to
reproduce, which could lead to further incidents.

Slashdot article (http://it.slashdot.org/story/09/06/09/1422200/Security-Flaw-Hits-VAserv-Head-of-LxLabs-Found-Hanged)
LxLabs boss found hanged after vuln wipes websites (http://www.theregister.co.uk/2009/06/09/lxlabs_funder_death/)
Webhost hack wipes out data for 100,000 sites (http://www.theregister.co.uk/2009/06/08/webhost_attack/)

5.1.4 CardSystems

CardSystems Solutions Settles FTC Charges (http://www.ftc.gov/opa/

5.1.5 Egghead Software

Egghead was hurt by a December 2000 revelation that hackers had
accessed its systems and potentially compromised customer credit
card data. The company filed for bankruptcy in August 2001. After
a deal to sell the company to Fry's Electronics for $10 million fell
through, its assets were acquired by Amazon.com for $6.1 million.
...
In December 2000, the company's IIS-based servers were
compromised, potentially releasing credit card data of over 3.6 million
people. In addition to poor timing near the Christmas season, the
handling of the breach by publicly denying that there was a problem,
then notifying Visa, who in turn notified banks, who notified
consumers, caused the breach to escalate into a full blown scandal.
Wikipedia

Wikipedia article on Egghead Software (http://en.wikipedia.org/wiki/Egghead_Software)

5.1.6 Heartland Payment Systems

Heartland sued over data breach (http://news.cnet.com/8301-1009_3-10151961-83.html)

5.1.7 Verizon Data Breach Study

Note that Verizon conducted the study, and one should not construe this section
to mean that they had any data breaches themselves.

Verizon Business 2009 Data Breach Study Finds Significant Rise in Targeted
Attacks, Organized Crime Involvement (http://newscenter.verizon.com/press-releases/verizon/2009/verizon-business-2009-data.html)

5.1.8 Web Hacking Incidents Database

Old Site (http://www.webappsec.org/projects/whid/)
New Site (http://www.xiom.com/whidf)

5.1.9 DATALOSSdb

http://securityblog.verizonbusiness.com/2009/04/15/2009-dbir/
5.2 Abuse Detection and Response: A Cost-Benefit Perspective

As I mentioned earlier, abuse detection is a kind of classification problem (see
4.1), which will forever be an imprecise science.

In general, you want to balance the costs of false positives and false negatives.
If we assume rate means per unit of time, or per number of interactions
with the outside world, then the break-even equation would be:

$$ fp_{rate} \cdot fp_{cost} = fn_{rate} \cdot fn_{cost} $$

Note that the definitions are very important to the equation! The ratio of abuse
or intrusion attempts to legitimate traffic is usually rather low, and so naively
substituting the per-request chance of misclassifying a legitimate request (a
false positive) for fp_rate above will give an incorrect result: almost every
request is legitimate, so each of them gets a chance to be misclassified, while
only the rare abusive request gets a chance to be missed. This is related to the
base-rate fallacy described above (see 4.1.2). What you probably want then is to
define the abuse ratio (abrat) as the number of abuse attempts per incoming
request; a false positive can only occur on the legitimate fraction (1 - abrat)
of requests and a false negative only on the abusive fraction abrat, and you get:

$$ fp_{rate} = (1 - abrat) \cdot fp_{chance} $$

$$ fn_{rate} = abrat \cdot fn_{chance} $$

Thus, if we wish to avoid the term rate as being misleading, then the equation
should really be:

$$ (1 - abrat) \cdot fp_{chance} \cdot fp_{cost} = abrat \cdot fn_{chance} \cdot fn_{cost} $$

Abuse detection (see 16) is all about the failure chances (and thus, rates as
defined above). Abuse response choices (see 17) determine the cost. For example,
anomaly detection will give a higher false positive rate (and lower false negative
rate) than misuse detection (see 16.2).

If your response to abuse causes an alert (see 17.1) to be generated, and a human
must investigate it, then the false positive cost will be high, so you might want
to (for example) do some further validation of the detection event to lower the
false positive rate. For example, if your IDS detected a Win32 attack against a
from doing so even if it was a false positive, then you can take a liberal definition
of what you consider abusive. To use the above example, one might wish to taint
the source (see 17.2.2) and shun him, even if the Win32 attack he launched could
not have worked against the Linux box.

Intrusion detection is merely a subset of abuse detection, since an intrusion is
only one kind of abuse of a system.

See also 35.7, 35.8.
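The model above is small enough to compute, and computing it is the quickest cure for the base-rate fallacy. The following is an added example (not code from the book): it encodes the abuse ratio, the two failure chances and the two costs, with false positives charged only to the legitimate fraction (1 - abrat) of requests and false negatives only to the abusive fraction abrat. The two detector profiles, the abuse ratio and the dollar costs are constructed for the illustration, not measurements; what the block shows is how alert precision collapses when abrat is small, and how the cheaper detector flips once an analyst's time costs more than the break-even value.

```python
"""Cost-benefit model for abuse detection using the abuse ratio (abrat),
per-request failure chances and per-event costs.

Added illustration; the detector parameters, costs and abuse ratio are
constructed for the example (assumptions, not data from the text).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Detector:
    name: str
    fp_chance: float  # P(alert | request is legitimate)
    fn_chance: float  # P(no alert | request is abusive)


def fp_rate(abrat: float, det: Detector) -> float:
    """False positives per incoming request: only the legitimate
    fraction (1 - abrat) of requests can produce one."""
    return (1.0 - abrat) * det.fp_chance


def fn_rate(abrat: float, det: Detector) -> float:
    """False negatives per incoming request: only the abusive
    fraction abrat of requests can produce one."""
    return abrat * det.fn_chance


def expected_cost(abrat: float, det: Detector, fp_cost: float, fn_cost: float) -> float:
    """Expected cost per incoming request: the sum of the two terms that the
    break-even equation sets equal to each other."""
    return fp_rate(abrat, det) * fp_cost + fn_rate(abrat, det) * fn_cost


def alert_precision(abrat: float, det: Detector) -> float:
    """Fraction of alerts that are real abuse. This is the number the
    base-rate fallacy gets wrong: a small fp_chance still yields mostly
    false alerts when abrat is small."""
    true_alerts = abrat * (1.0 - det.fn_chance)
    false_alerts = fp_rate(abrat, det)
    total = true_alerts + false_alerts
    return true_alerts / total if total else 0.0


def break_even_fp_cost(abrat: float, det: Detector, fn_cost: float) -> float:
    """Solve (1-abrat)*fp_chance*fp_cost = abrat*fn_chance*fn_cost for fp_cost.
    Above this per-alert cost, false positives dominate the bill."""
    return abrat * det.fn_chance * fn_cost / ((1.0 - abrat) * det.fp_chance)


def cheapest(abrat: float, detectors, fp_cost: float, fn_cost: float) -> Detector:
    """The detector with the lowest expected cost per request."""
    return min(detectors, key=lambda d: expected_cost(abrat, d, fp_cost, fn_cost))


# Constructed parameters (assumptions for the example):
ANOMALY = Detector("anomaly", fp_chance=0.05, fn_chance=0.02)          # noisy, misses little
MISUSE = Detector("misuse/signature", fp_chance=0.001, fn_chance=0.30)  # quiet, misses more
ABRAT = 0.001       # one abusive request per thousand
FP_COST = 20.0      # analyst time to close one false alert
FN_COST = 5000.0    # cleanup after one missed intrusion

if __name__ == "__main__":
    for det in (ANOMALY, MISUSE):
        print(f"{det.name:18s} cost/request={expected_cost(ABRAT, det, FP_COST, FN_COST):.4f} "
              f"alert precision={alert_precision(ABRAT, det):.1%}")
    print("cheapest:", cheapest(ABRAT, [ANOMALY, MISUSE], FP_COST, FN_COST).name)
    print(f"anomaly break-even fp_cost: {break_even_fp_cost(ABRAT, ANOMALY, FN_COST):.2f}")
```

With these constructed numbers fewer than 2% of the anomaly detector's alerts are real, even though it misses only 2% of attacks; the signature detector is right about 40% of the time. The anomaly detector is still cheaper per request while closing a false alert costs less than about $2, and loses as soon as a human has to look at each one.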
6 Adversary Modeling

If you know the enemy and know yourself, you need not fear the
result of a hundred battles.
If you know yourself but not the enemy, for every victory gained you
will also suffer a defeat.
If you know neither the enemy nor yourself, you will succumb in
every battle.
Sun Tzu, The Art of War (http://en.wikipedia.org/wiki/The_Art_of_War)

After deciding what you need to protect (your assets), you need to know about
the threats you wish to protect it against, or the adversaries (sometimes called
threat agents) which may threaten it. Generally intelligence units have threat
shops, where they monitor and keep track of the people who may threaten their
operations. This is natural, since it is easier to get an idea of who will try and
do something than how some unspecified person may try to do it, and can help
by hardening systems in enemy territory more than those in safer areas, leading
to more efficient use of resources. I shall call this adversary modeling.

In adversary modeling, the implicit assumptions are that you have a limited
budget and the number of threats is so large that you cannot defend against all
of them. So you now need to decide where to allocate your resources. Part of this
involves trying to figure out who your adversaries are and what their capabilities
and intentions are, and thus how much to worry about particular domains of
knowledge or technology. You don't have to know their name, location and
social security number; it can be as simple as "some high school student on the
Internet somewhere who doesn't like us", "a disgruntled employee" (as opposed
to a gruntled employee), or "some sexually frustrated script-kiddie on IRC who
doesn't like the fact that he is a jerk who enjoys abusing people and therefore
his only friends are other dysfunctional jerks like him". People in charge of
doing attacker-centric threat modeling must understand their adversaries and
be willing to take chances by allocating resources against an adversary which
hasn't actually attacked them yet, or else they will always be defending against

6.1 Common Psychological Errors

The excellent but poorly titled [1] book Stumbling on Happiness tells us that we
make two common kinds of errors when reasoning about other humans:

1. Overly different; if you looked at grapes all day, you'd know a hundred
different kinds, and naturally think them very different. But they all squish
when you step on them, they are all fruits and frankly, not terribly
different at all. So too we are conditioned to see people as different because the
things that matter most to us, like finding an appropriate mate or trusting
people, cannot be discerned with questions like "do you like breathing?".
An interesting experiment showed that a description of how they felt by
people who had gone through a process is more accurate in predicting
how a person will feel after the process than a description of the process
itself. Put another way, people assume that the experience of others is
too dependent on the minor differences between humans that we mentally
exaggerate.

2. Overly similar; people assume that others are motivated by the same
things they are motivated by; we project onto them a reflection of our
self. If a financier or accountant has ever climbed mount Everest, I am
not aware of it. Surely it is a cost center, yes?

6.2 Cost-Benefit

Often, the lower layers of the security hierarchy cost more to build out than the
higher levels. Physical security requires guards, locks, iron bars, shatterproof
windows, shielding, and various other things which, being physical, cost real
money. On the other hand, network security may only need a free software
firewall. However, what an adversary could cost you during a physical attack
(e.g. a burglar looting your home) may be greater than an adversary could cost
you by defacing your website.

6.3 Risk Tolerance

We may assume that the distribution of risk tolerance among adversaries is
monotonically decreasing; that is, the number of adversaries who are willing to
try a low-risk attack is greater than the number of adversaries who are willing
to attempt a high-risk attack to get the same result. Beware of risk evaluation
though; while a hacker may be taking a great risk to gain access to your home,
local law enforcement with a valid warrant is not going to be risking as much.
unknown, you may wish to have greater network security than physical security,
simply because there are going to be more remote attacks.

[1] Stumbling on Happiness is actually a book of psychological illusions, ways that our mind

6.4 Capabilities

You only have to worry about things to the extent they may lie within the
capabilities of your adversaries. It is rare that adversaries use outside help when
it comes to critical intelligence; it could, for all they know, be disinformation,
or the outsider could be an agent-provocateur.

6.5 Sophistication Distribution

If they were capable, honest, and hard-working, they wouldn't need
to steal.

Along similar lines, one can assume a monotonically decreasing number of
adversaries with a certain level of sophistication. My rule of thumb is that for every
person who knows how to perform a technique, there are x people who know
about it, where x is a small number, perhaps 3 to 10. The same rule applies to
people with the ability to write an exploit versus those able to download and
use it (the so-called script kiddies). Once an exploit is coded into a worm, the
chance of a compromised host having been compromised by the worm (instead
of a human who targets it specifically) approaches 100%.

6.6 Goals

We've all met or know about people who would like nothing more than to break
things, just for the heck of it; schoolyard bullies who feel hurt and want to hurt
others, or their overgrown sadist kin. Vandals who merely want to write their
name on your storefront. A street thug who will steal a cell phone just to throw
it through a window. I'm sure the sort of person reading this isn't like that,
but unfortunately some people are. What exactly are your adversary's goals?
Are they to maximize ROI (Return On Investment) for themselves, or are they
out to maximize pain (tax your resources) for you? Are they monetarily or
ideologically motivated? What do they consider investment? What do they
consider a reward? Put another way, you can't just assign a dollar value on
assets, you must consider their value to the adversary.
7 Threat Modeling

Men of sense often learn from their enemies. It is from their foes,
Aristophanes

In technology, people tend to focus on how rather than who, which seems to
work better when anyone can potentially attack any system (like with
publicly-facing systems on the Internet) and when protection mechanisms have low or no
incremental cost (like with free and open-source software). I shall call modeling
these threat modeling (http://en.wikipedia.org/wiki/Threat_model).

7.1 Common Platform Enumeration

CPE is a structured naming scheme for information technology
systems, software, and packages. Based upon the generic syntax for
Uniform Resource Identifiers (URI), CPE includes a formal name
format, a method for checking names against a system, and a
description format for binding text and tests to a name.
CPE Home Page

The first part of threat modelling should be, what is it I want to protect? And
once you start to compile a list of things you wish to protect, you might want
a consistent naming system for your computer assets. The CPE may help you
here.

Common Platform Enumeration (http://cpe.mitre.org/)
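The two pieces of CPE the quotation names, the formal name format and a method for checking names against a system, are small enough to show in code. The following is an added example, not code from the book or from MITRE. It implements the CPE 2.2 URI binding, `cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}` with `a`/`h`/`o` for application, hardware and operating system, trailing components optional and `%xx` escapes for characters outside the allowed set, together with the simple matching rule that a component left empty in the query matches anything. The host inventory is constructed for the illustration.

```python
"""Parse CPE 2.2 URI names and match them against an asset inventory.

Added example (not from the page or from MITRE). Implements the CPE 2.2 URI
binding cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}
and the matching rule "an empty component matches anything". INVENTORY is a
constructed host list (an assumption for the example).
"""
import re
from dataclasses import dataclass, fields
from typing import Dict, List
from urllib.parse import unquote

PREFIX = "cpe:/"
PARTS = {"a": "application", "h": "hardware", "o": "operating system"}
# A CPE 2.2 component is lowercase letters, digits, '.', '_', '~', '-' and %xx escapes.
_COMPONENT = re.compile(r"^(?:[a-z0-9._~-]|%[0-9a-f]{2})*$")


@dataclass(frozen=True)
class CPEName:
    part: str = ""
    vendor: str = ""
    product: str = ""
    version: str = ""
    update: str = ""
    edition: str = ""
    language: str = ""

    def matches(self, other: "CPEName") -> bool:
        """Treat self as a pattern: every component it specifies must equal
        the corresponding component of other; empty components match anything."""
        for f in fields(self):
            mine = getattr(self, f.name)
            if mine and mine != getattr(other, f.name):
                return False
        return True


def parse_cpe22(uri: str) -> CPEName:
    """Parse a CPE 2.2 URI, normalising to lowercase and decoding %xx escapes.
    Raises ValueError for anything that is not a well-formed name."""
    lowered = uri.strip().lower()
    if not lowered.startswith(PREFIX):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    components = lowered[len(PREFIX):].split(":")
    if len(components) > 7:
        raise ValueError(f"too many components: {uri!r}")
    if components[0] not in PARTS:
        raise ValueError(f"part must be one of a/h/o: {uri!r}")
    for c in components:
        if not _COMPONENT.match(c):
            raise ValueError(f"illegal characters in component {c!r}")
    components += [""] * (7 - len(components))   # omitted trailing components = ANY
    return CPEName(*(unquote(c) for c in components))


def find_hosts(inventory: Dict[str, List[str]], query: str) -> List[str]:
    """Hosts whose inventory carries at least one name matched by query."""
    pattern = parse_cpe22(query)
    return sorted(host for host, names in inventory.items()
                  if any(pattern.matches(parse_cpe22(n)) for n in names))


# Constructed inventory (assumption for the example): host -> CPE names.
INVENTORY: Dict[str, List[str]] = {
    "web1": ["cpe:/o:linux:linux_kernel:2.6.32", "cpe:/a:apache:http_server:2.2.14"],
    "web2": ["cpe:/o:linux:linux_kernel:2.6.32", "cpe:/a:apache:http_server:2.2.22"],
    "dns1": ["cpe:/o:linux:linux_kernel:2.6.32", "cpe:/a:isc:bind:9.7.3"],
    "desk7": ["cpe:/o:microsoft:windows_xp::sp3:pro"],
}

if __name__ == "__main__":
    print(find_hosts(INVENTORY, "cpe:/a:apache:http_server"))   # every Apache host
    print(find_hosts(INVENTORY, "cpe:/a:apache:http_server:2.2.14"))
```

The payoff of a consistent naming scheme is the last two calls: once an advisory names a platform, the same string answers "which of my assets does this affect?" at whatever precision the advisory gives, without regular expressions over free-text hostnames or package lists.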
7.2 A Taxonomy of Privacy Breaches

A Taxonomy of Privacy (http://www.concurringopinions.com/archives/2006/03/a_taxonomy_of_p.html)

In the above article, Daniel Solove suggests that breaches of privacy are not of
a single type, but can mean a variety of things:

surveillance
interrogation
aggregation
identification
insecurity
breach of confidentiality
disclosure
exposure
increased accessibility
blackmail
appropriation
distortion
intrusion
decisional interference

7.3 Threats to Security Properties

An important mnemonic for remembering the threats to security properties,
originally introduced at Microsoft for threat modeling, is STRIDE:

Spoofing
Tampering
Repudiation
Information disclosure
Denial of service
Elevation of privilege

Related links:

Wikipedia on STRIDE (http://en.wikipedia.org/wiki/STRIDE_(security))
Uncover Security Design Flaws Using The STRIDE Approach (http://

7.4 Quantifying Risk

Microsoft has a rating system for calculating risks (http://msdn.microsoft.com/en-us/library/ff648644.aspx). Its mnemonic is DREAD:

Damage potential
Reproducibility
Exploitability
Affected users
Discoverability
7.5 Attack Surface

Gnothi Seauton (Know Thyself)
ancient Greek aphorism (http://en.wikipedia.org/wiki/Know_thyself)

When discussing security, it's often useful to analyze the part which may interact
with a particular adversary (or set of adversaries). For example, let's assume
you are only worried about remote adversaries. If your system or network is
only connected to the outside world via the Internet, then the attack surface is the
parts of your system that interact with things on the Internet, or the parts of
your system which accept input from the Internet. A firewall, then, limits the
attack surface to a smaller portion of your systems by filtering some of your
network traffic. Often, the firewall blocks all incoming connections.

Sometimes the attack surface is pervasive. For example, if you have a
network-enabled embedded device like a webcam on your network that has a
vulnerability in its networking stack, then anything which can send it packets may be
able to exploit it. Since you probably can't fix the software in it, you must then
use a firewall to attempt to limit what can trigger the bug. Similarly, there was
a bug in Sendmail that could be exploited by sending a carefully-crafted email
through a vulnerable server. The interesting bit here is that it might be an
internal server that wasn't exposed to the Internet; the exploit was data-directed
and so could be passed through your infrastructure until it hit a vulnerable
implementation. That's why I consistently use one implementation (not Sendmail)
throughout my network now.

If plugging a USB drive into your system causes it to automatically run things
like a standard Microsoft Windows XP installation, then any plugged-in device
is part of the attack surface. But even if it does not, then by plugging a USB
device in you could potentially overflow the code which handles the USB or the
into the system.

Malware Distribution through Physical Media a Growing Concern (http://it.slashdot.org/article.pl?sid=08/01/13/1533243)
usbroken, a USB fuzzer based on Arduino (http://code.google.com/p/usbroken/)
Schneier Hacking Computers over USB (http://www.schneier.com/blog/archives/2006/06/hacking_compute.html)
USB Devices can Crack Windows (http://www.eweek.com/c/a/Security/USB-Devices-Can-Crack-Windows/)
psgroove, a jailbreak exploit for PS3 (http://github.com/psgroove/psgroove)

Moreover, a recent vulnerability (http://it.slashdot.org/it/08/01/14/1319256.shtml)
illustrates that when you have something which inspects network traffic,
such as uPNP devices or port knocking daemons, then their code forms part of
the attack surface.

Sometimes you will hear people talk about the anonymous attack surface; this is
the attack surface available to everyone (on the Internet). Since this number of
people is so large, and you usually can't identify them or punish them, you want
to be really sure that the anonymous attack surface is limited and doesn't have
any so-called pre-auth vulnerabilities, because those can be exploited prior to
identification and authentication.
7.6 Attack Trees

The next logical step is to move from defining the attack surface to modeling
attacks and quantifying risk levels.

Wikipedia on Attack Tree (http://en.wikipedia.org/wiki/Attack_tree)
Schneier on Attack Trees (http://www.schneier.com/paper-attacktrees-ddj-ft.html)
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/requirements/236.html
Microsoft on Attack Trees (http://msdn.microsoft.com/en-us/library/

7.7 The Weakest Link

Amdahl's law, also known as Amdahl's argument, is named after
computer architect Gene Amdahl, and is used to find the maximum
expected improvement to an overall system when only part of the
system is improved.
Wikipedia (http://en.wikipedia.org/wiki/Amdahl%27s_law)

You are the weakest link, goodbye!
The Weakest Link (TV series)

Let us think of our security posture for whatever we're protecting as being
composed of a number of systems (or groups of systems possibly offering
defense-in-depth). The strength of these systems to attack may vary. You may wish to
pour all your resources into one, but the security will likely be broken at the
weakest point, either by chance or by an intelligent adversary.

This is an analogy to Amdahl's law, stated above, in that we can only increase
our overall security posture by maintaining a delicate balance between the
different defenses to attack vectors. Most of the time, your resources are best spent
on the weakest area, which for some institutions (financial, military) is usually
personnel.

The reasons you might not balance all security systems may include:

Economics matter here; it may be much cheaper and more reliable to buy a
firewall than put your employees through security training. Software security
measures sometimes have zero marginal cost, but hardware almost always
has a marginal cost.

Exposure affects your risk calculations; an Internet attack is much more likely
than a physical attack, so you may put more effort into Internet defense
than physical defense.

Capability matters in that organizations have varying abilities. For example,
the military may simply make carrying a thumb drive into the facility
a punishable offense, but a commercial organization may find that too
difficult or unpopular to enforce. An Internet company, by contrast, may
have a strong technical capability, and so might choose to write software
to prevent the use of thumb drives.
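An attack tree makes the weakest-link argument of 7.6 and 7.7 computable. The following is an added example, not code from the book or from Schneier's paper: a goal is an OR node (the attacker picks the cheapest child) or an AND node (every child must be done, so costs add), leaves carry an estimated attacker cost, and the cheapest root-to-leaves plan is the weakest link. The tree, its step names and its costs are constructed for the illustration. Hardening a leaf that is not on the cheapest plan leaves the total untouched, which is the Amdahl's-law point; hardening the cheapest step moves the weakest link elsewhere rather than removing it.

```python
"""Attack tree with OR/AND nodes and attacker leaf costs: the cheapest plan is
the weakest link, and only countermeasures on that plan raise the total.

Added example; the tree, leaf names and costs are constructed for the
illustration (assumptions, not from the page or Schneier's paper).
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Node:
    name: str
    kind: str = "leaf"                  # "leaf", "or" or "and"
    cost: float = 0.0                   # attacker cost; meaningful for leaves only
    children: Tuple["Node", ...] = ()


def leaf(name: str, cost: float) -> Node:
    return Node(name, "leaf", cost)


def any_of(name: str, *children: Node) -> Node:
    """OR node: achieving any one child achieves the goal."""
    return Node(name, "or", 0.0, tuple(children))


def all_of(name: str, *children: Node) -> Node:
    """AND node: every child must be achieved."""
    return Node(name, "and", 0.0, tuple(children))


def cheapest_attack(node: Node) -> Tuple[float, List[str]]:
    """Return (cost, leaf steps) of the cheapest way to achieve node."""
    if node.kind == "leaf":
        return node.cost, [node.name]
    plans = [cheapest_attack(c) for c in node.children]
    if node.kind == "or":
        return min(plans, key=lambda p: p[0])
    total = sum(p[0] for p in plans)                 # AND: costs add
    return total, [step for p in plans for step in p[1]]


def harden(node: Node, leaf_name: str, new_cost: float) -> Node:
    """Copy of the tree with one leaf's attacker cost changed, modelling a
    countermeasure applied to that step."""
    if node.kind == "leaf":
        return leaf(node.name, new_cost) if node.name == leaf_name else node
    return Node(node.name, node.kind, node.cost,
                tuple(harden(c, leaf_name, new_cost) for c in node.children))


# Constructed tree (assumption): goal is reading a confidential file on a server.
TREE = any_of("read confidential file",
              leaf("exploit web application", 5000),
              all_of("phish administrator",
                     leaf("send convincing mail", 500),
                     leaf("defeat two-factor token", 20000)),
              all_of("physical access",
                     leaf("enter building after hours", 2000),
                     leaf("boot server from USB and copy disk", 1000)))

if __name__ == "__main__":
    print("weakest link:", cheapest_attack(TREE))
    print("after stronger 2FA:", cheapest_attack(harden(TREE, "defeat two-factor token", 10**9)))
    print("after disk encryption:", cheapest_attack(harden(TREE, "boot server from USB and copy disk", 50000)))
```

With these numbers the weakest link is the physical branch at 3000. Making the two-factor step arbitrarily expensive changes nothing, because no rational attacker was on that branch; encrypting the disk lifts the physical plan above the web application, so the weakest link moves to the web application at 5000, which is now where the next unit of defensive budget belongs.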
8 Physical Security

When people think of physical security, these often are the limit on the strength
of access control devices; I recall a story of a cat burglar who used a chainsaw
security.

Wikipedia article on Physical Security (http://en.wikipedia.org/wiki/Physical_security)

8.1 No Physical Security Means No Security

While the locks are getting tougher, the door and frame are getting
weaker. A well-placed kick usually does the trick.
a burglar

A couple of limitations come up without physical security for a system. For
confidentiality, all of the sensitive data needs to be encrypted. But even if you
encrypt the data, an adversary with physical access could trojan the OS and
capture the data (this is a control attack now, not just a confidentiality breach; go
this far and you've protected against overt seizure, theft, improper disposal and
such). So you'll need to protect the confidentiality and integrity of the OS; if
you protect the OS, he trojans the kernel. If you protect the kernel, he trojans the
bootloader. If you protect the bootloader (say by putting it on a removable medium),
he trojans the BIOS. If you protect the BIOS, he trojans the CPU. So you put a
tamper-evident label on it, with your signature on it, and check it every time. But he
can install a keyboard logger. So suppose you make a sealed box with everything
in it, and connectors on the front. Now he gets measurements and photos of
your machine, spends a fortune replicating it, replaces your system with an
outwardly identical one of his design (the trojan box), which communicates
(say, via encrypted spread-spectrum radio) to your real box. When you type
plaintext, it goes through his system, gets logged, and relayed to your system
as keystrokes. Since you talk plaintext, neither of you are the wiser.

The physical layer is a common place to facilitate a side-channel attack (see
31.2).
8.2 Data Remanence

I know what your computer did last summer.

Data remanence is the residual physical representation of your
information on media after you believe that you have removed it (definition thanks to
Wikipedia, http://en.wikipedia.org/wiki/Data_remanence). This is a
disputed region of technology, with a great deal of speculation, self-styled experts,
Systems (Ver. 2 09/91) (http://www.fas.org/irp/nsa/rainbow/tg025-2.htm)
National Security Agency/CSS Degausser Products List 25 Sep 2001 (http://www.fas.org/irp/nsa/degausse.pdf)

Last time I looked most of the degaussers require 220V power and may not work
on hard drives, due to their high coercivity.

As of 2006, the most definitive study seems to be the NIST Computer
Security Division paper Guidelines for Media Sanitization (http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_rev1.pdf). NIST is known
to work with the NSA on some topics, and this may be one of them. It
introduces some useful terminology:

disposing is the act of discarding media with no other considerations

clearing is a level of media sanitization that resists anything you could do at
the keyboard or remotely, and usually involves overwriting the data at
least once

purging is a process that protects against a laboratory attack (signal
processing equipment and specially trained personnel)

destroying is the ultimate form of sanitization, and means that the medium
can no longer be used as originally intended

8.2.1 Magnetic Storage Media (Disks)

The seminal paper on this is Peter Gutmann's Secure Deletion of Data from
Magnetic and Solid-State Memory (http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html). In early versions of his paper, he speculated that one
could extract data due to hysteresis effects even after a single overwrite, but
on subsequent revisions he stated that there was no evidence a single overwrite
was insufficient. Simson Garfinkel wrote about it recently in his blog (https://www.techreview.com/blog/garfinkel/17567/).

The NIST paper has some interesting tidbits in it. Obviously, disposal
cannot protect confidentiality of unencrypted media. Clearing is probably
sufficient security for 99% of all data; I highly recommend Darik's Boot and Nuke
(http://dban.sourceforge.net/), which is a bootable floppy or CD based
on Linux. However, it cannot work if the storage device stops working
properly, and it does not overwrite sectors or tracks marked bad and transparently
relocated by the drive firmware. With all ATA drives over 15GB, there is
a secure delete ATA command (SECURITY ERASE UNIT) which runs inside the drive
firmware, and so is not limited to the sectors the host can address; it can be
accessed from hdparm within Linux (hdparm --security-erase, after setting a
temporary password with --security-set-pass; many BIOSes leave the drive in the
"frozen" security state, which must be cleared, typically by a suspend/resume
cycle, before the drive will accept the command), and Gordon Hughes has some
interesting documents and a
secure-erase-data-security-you-already-own/). In the case of very
damaged disks, you may have to resort to physical destruction. However, with disk
densities being what they are, even 1/125 of a disk platter may hold a full
sector, and someone with absurd amounts of money could theoretically extract
small quantities of data. Fortunately, nobody cares this much about your data.

Now, you may wonder what you can do about very damaged disks, or what to do
if the media isn't online (for example, you buried it in an underground bunker),
or if you have to get rid of the data fast. I would suggest that encrypted storage
(see 28.7) would almost always be a good idea. If you use it, you merely have
to protect the confidentiality of the key, and if you can properly sanitize the
media, all the better. Recently Simson Garfinkel re-discovered a technique for
getting the data off broken drives; freezing them. Another technique that I have
used is to replace the logic board with one from a working drive.

Hard drive's data survives shuttle explosion (http://blocksandfiles.com/article/5056)
German firm probes final World Trade Center deals (http://www.prisonplanet.com/german_firm_probes_final_world_trade_center_deals.htm)
Wikipedia entry on Data Recovery (http://en.wikipedia.org/wiki/Data_recovery)
200 ways to recover your data (http://btjunkie.org/torrent/200-Ways-To-Recover-Revive-Your-Hard-Drive/4358d27083f53a0d4d3a7e8354d22b6157453496)
Data Recovery blog (http://datarecovery-hddrecovery.blogspot.com/)

8.2.2 Semiconductor Storage (RAM)

Peter Gutmann's Data Remanence in Semiconductor Devices (http://www.cypherpunks.to/~peter/usenix01.pdf) shows that if a particular value is
held in RAM for extended periods of time, various processes such as
electromigration make permanent changes to the semiconductor's structure. In some
cases, it is possible for the value to be burned in to the cell, such that it cannot
hold another value.

Cold Boot Attack. Recently a Princeton team (http://citp.princeton.edu/memory/) found that the values held in DRAM decay in predictable ways
after power is removed, such that one can merely reboot the system and recover
keys for most encrypted storage systems (http://citp.princeton.edu/pub/coldboot.pdf). By cooling the chip first, this data remains longer. This
generated much talk in the industry. This prompted an interesting overview of
attacks against encrypted storage systems (http://www.news.com/8301-13578_12/bbtv-haker-howto-o.html)

Direct Memory Access. It turns out that certain peripheral devices, notably
Firewire, have direct memory access. This means that you can plug something
into the computer and read data directly out of RAM, which means you can read
passwords directly out of memory:
http://storm.net.nz/projects/16

Reading RAM With A Laser.
On A New Way to Read Data from Memory (http://www.cl.cam.ac.uk/~rja14/Papers/SISW02.pdf)

8.3 Smart Card Attacks

This section deserves great expansion.

Instead I'll punt and point you at the latest USENIX conference on this:

Usenix CARDIS02 (http://www.usenix.org/publications/library/proceedings/cardis02/tech.html)
9 Hardware Security

9.1 Introduction

Hardware security is a term I invented to describe the security models provided
by a CPU (http://en.wikipedia.org/wiki/Central_processing_unit),
associated chipset (http://en.wikipedia.org/wiki/Chipset) and peripheral
hardware. The assumption here is that the adversary can create and execute program
code of his own choosing, possibly as an administrator (root). As computer
hardware and firmware (http://en.wikipedia.org/wiki/Firmware) becomes
more complex, there will be more and more vulnerabilities found in it, so this
section is likely to grow over time.

Each computer hardware architecture is going to have its own security
models, so this discussion is going to be specific to the hardware platform under

9.2 Protection Rings

Most modern computer systems have at least two modes of operation; normal
operation and privileged mode. The vast majority of software runs in normal
mode, and the operating system, or more accurately the kernel, runs in
privileged mode. Similarly, most of the functionality of the CPU is available in
normal mode, whereas a small but significant portion, such as that related to
memory management and communicating with hardware, is restricted to that
operating in privileged mode.

Some CPU architectures go farther and define a series of hierarchical protection
domains that are often called protection rings (http://en.wikipedia.org/wiki/Ring_(computer_security)). This is a simple extrapolation of the
two-level normal/privileged mode into multiple levels, or rings.

9.3 Operating Modes

The Intel architectures in particular have several operating modes. These are not
privilege rings, but rather represent the state that the CPU is in, which affects
how various instructions are interpreted:

Real-address mode (http://en.wikipedia.org/wiki/Real_mode)
Protected Mode (http://en.wikipedia.org/wiki/Protected_mode)
System Management Mode (http://en.wikipedia.org/wiki/System_Management_Mode)
Virtual 8086 Mode (http://en.wikipedia.org/wiki/Virtual_8086_mode)

9.4 NX bit

The NX bit, which stands for No eXecute, is a technology used
in CPUs to segregate areas of memory for use by either storage of
processor instructions (or code) or for storage of data, a feature
normally only found in Harvard architecture processors. However,
the NX bit is being increasingly used in conventional von Neumann
architecture processors, for security reasons.

An operating system with support for the NX bit may mark certain
areas of memory as non-executable. The processor will then refuse
to execute any code residing in these areas of memory. The general
technique, known as executable space protection, is used to prevent
certain types of malicious software from taking over computers by
inserting their code into another program's data storage area and
running their own code from within this section; this is known as a

Wikipedia entry on NX bit (http://en.wikipedia.org/wiki/NX_bit)

9.5 Supervisors and Hypervisors

Supervisory Program (http://en.wikipedia.org/wiki/Supervisory_program)
Hypervisor (http://en.wikipedia.org/wiki/Hypervisor)

9.6 Trusted Computing

Trusted Platform Module (http://en.wikipedia.org/wiki/Trusted_Platform_Module)
Trusted Computing: The Mother(board) of All Big Brothers (http://www.cypherpunks.to/TCPA_DEFCON_10.pdf)
Trusted Computing Group (http://en.wikipedia.org/wiki/Trusted_Computing_Group)
Intel TCPA Overview (http://yuan.ecom.cmu.edu/trust/cd/Presentations/Intel%20TCPA%20Overview.ppt)
Trusted Computing Group homepage (http://www.trustedcomputinggroup.org/)
EFF: Trusted Computing: Promise and Risk (http://www.eff.org/wp/trusted-computing-promise-and-risk)
Ross Anderson's TCPA FAQ (http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html)
FSF: Can You Trust Trusted Computing (http://www.gnu.org/philosophy/can-you-trust.html)
OpenTC project (http://www.opentc.net/)
IBM TCPA Group (http://www.research.ibm.com/gsal/tcpa/)

9.7 Intel vPro

Not really a backdoor, but the wake-on-lan and remote management facilities
could be used by an attacker.

Intel vPro (http://en.wikipedia.org/wiki/Intel_vPro)
Big Brother Potentially Exists Right Now (http://www.tgdaily.com/hardware-opinion/39455-big-brother-potentially-exists-right-now-in-our-pcs-compliments-of-intels-vpr)
(note: he is wrong about what ECHELON is)

9.8 Hardware Vulnerabilities and Exploits

f00f bug (http://en.wikipedia.org/wiki/F00f)
Cyrix Coma Bug (http://en.wikipedia.org/wiki/Cyrix_coma_bug)
Using CPU System Management Mode to Circumvent Operating System Security Functions (http://www.ssi.gouv.fr/fr/sciences/fichiers/lti/cansecwest2006-duflot-paper.pdf)
Attacking SMM Memory via Intel CPU Cache Poisoning (http://theinvisiblethings.blogspot.com/2009/03/attacking-smm-memory-via-intel-cpu.html)
Attacking Intel Trusted Execution Technology (http://www.blackhat.com/presentations/bh-dc-09/Wojtczuk_Rutkowska/BlackHat-DC-09-Rutkowska-Attacking-Intel-TXT-slides.pdf)
Blue Pill (http://en.wikipedia.org/wiki/Blue_Pill_(malware))
SMM Rootkits: A New Breed of OS Independent Malware (http://www.eecs.ucf.edu/%7Eczou/research/SMM-Rootkits-Securecom08.pdf)
Subverting the Xen Hypervisor (http://invisiblethingslab.com/resources/bh08/)
TPM Reset Attack (http://www.cs.dartmouth.edu/~pkilab/sparks/)
10 Distributed Systems

10.1 Network Security Overview

The things involved in network security are called nodes. One can talk about
networks composed of humans (social networks), but that's not the kind of
network we're talking about here; I always mean a computer unless I say otherwise.
radio, or when the node was an embassy in a country controlled by the
adversary. In modern practice, this doesn't seem to usually be the case, but it'd be
hard to know for sure. In the application of network security to the Internet,
we almost always assume the adversary controls at least one of the nodes on the
network.

In network security, we can lure an adversary to a system, tempt them with
something inviting; such a system is called a honeypot, and a network of such
systems is sometimes called a honeynet. A honeypot may or may not be
instrumented for careful monitoring; sometimes systems so instrumented are called
fishbowls, to emphasize the transparent nature of activity within them. Often
one doesn't want to allow a honeypot to be used as a launch point for attacks,
so outbound network traffic is sanitized or scrubbed; if traffic to other hosts is
blocked completely, some people call it a jail, but that is also the name of an
operating system security technology used by FreeBSD, so I consider it
confusing.

To reduce a distributed system problem to a physical security (see 8) problem,
you can use an air gap, or sneakernet between one system and another. However,
the data you transport between them may be capable of exploiting the offline
system. One could keep a machine offline except during certain windows; this
could be as simple as a cron job which turns on or off the network interface
via ifconfig. However, an offline system may be difficult to administer, or keep
up-to-date with security patches.

10.2 Network Access Control: Packet Filters, Firewalls, Security Zones

Most network applications use TCP, a connection-oriented protocol, and they
use a client/server model. The client initiates a handshake with the server, and
then they have a conversation. Sometimes people use the terms client and server
to mean the application programs, and other times they mean the node itself.
Other names for server applications include services and daemons. Obviously if
you can't speak with the server at all, or (less obviously) if you can't properly
complete a handshake, you will find it difficult to attack the server application.
This is what a packet filter does; it allows or prevents communication between
a pair of sockets. A packet filter does not generally do more than a simple
all-or-nothing filtering. Now, every computer can potentially have a network
access control device, or packet filter, on it. For security, this would be the
ideal; each machine defends itself, opening up the minimum number of ports
to external traffic. However, tuning a firewall for minimum exposure can be a
difficult, time-consuming process and so does not scale well. It would be better
for network daemons to not accept connections from across the network, and
open ports.

The firewall was originally defined as a device between different networks that
had different security characteristics; it was named after the barrier between an
automobile interior and the engine, which is designed to prevent an engine fire
from spreading to the passenger cabin. Nowadays, they could be installed on
every system, protecting it from all other systems.

As our understanding of network security improved, people started to define
various parts of their network. The canonical types of networks are:

Trusted networks were internal to your corporation.

An untrusted network may be the Internet, or a wifi network, or any
network with open, public access.

Demilitarized zones (DMZs) were originally defined as an area for placing
machines that must talk to nodes on both trusted and untrusted networks.
At first they were placed outside the firewall but inside a border router,
then as a separate leg of the firewall, and now they are defined and protected
in a variety of ways.

What these definitions all have in common is that they end up defining security
zones (this term thanks to the authors of Extreme Exploits). All the nodes
inside a security zone have roughly equivalent access to or from other security
zones. I believe this is the most important and fundamental way of thinking of
network security. Do not confuse this with the idea that all the systems in the
zone have the same relevance to the network's security, or that the systems have
the same impact if compromised; that is a complication and more of a matter of
operating system security than network security. In other words, two systems
(a desktop and your DNS server) may not be security equivalent, but they may
be in the same security zone.
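The zone model above can be written down as a tiny packet filter, which also makes the closing point testable: two nodes are in the same security zone exactly when the filter treats them alike. The following is an added example, not code from the book or from any firewall product. Zones are sets of address ranges (longest prefix wins, so a 0.0.0.0/0 catch-all only claims what no other zone does), a rule is an all-or-nothing decision on (source zone, destination zone, protocol, destination port), rules are evaluated first match wins, and anything unmatched is denied. The address plan, the policy and the probe packets are constructed for the illustration.

```python
"""Zone-based packet filtering: addresses are grouped into security zones and
a rule is an all-or-nothing decision on traffic between a source zone and a
destination zone for one protocol and destination port; first match wins,
default deny.

Added example, not from the page or any firewall product; the address plan,
zones, policy and probes are constructed for the illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

# Constructed address plan (assumption): zone name -> networks.
ZONES: Dict[str, List[str]] = {
    "trusted": ["10.0.0.0/8"],
    "dmz": ["192.0.2.0/24"],
    "internet": ["0.0.0.0/0"],   # catch-all; loses to any longer prefix
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str             # "tcp", "udp" or "icmp"
    dport: Optional[int]   # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str             # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]   # None means any destination port
    action: str            # "allow" or "deny"


def zone_of(ip: str) -> str:
    """Most specific zone containing ip, or "unknown" (which no rule names)."""
    addr = ipaddress.ip_address(ip)
    best_zone, best_len = "unknown", -1
    for zone, nets in ZONES.items():
        for net in map(ipaddress.ip_network, nets):
            if addr.version == net.version and addr in net and net.prefixlen > best_len:
                best_zone, best_len = zone, net.prefixlen
    return best_zone


def decide(rules: Sequence[Rule], pkt: Packet) -> str:
    """The first matching rule decides; an unmatched packet is denied."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    for r in rules:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and r.proto in ("any", pkt.proto)
                and r.dport in (None, pkt.dport)):
            return r.action
    return "deny"


def same_exposure(rules: Sequence[Rule], ip_a: str, ip_b: str, probes: Sequence[Packet]) -> bool:
    """Two nodes sit in the same security zone exactly when the filter makes
    the same decision for every probe aimed at either of them."""
    return all(decide(rules, Packet(p.src, ip_a, p.proto, p.dport))
               == decide(rules, Packet(p.src, ip_b, p.proto, p.dport))
               for p in probes)


# Constructed policy (assumption): the Internet reaches only the DMZ web ports,
# DMZ hosts may query the internal resolver but may not call out to the Internet.
POLICY: List[Rule] = [
    Rule("internet", "dmz", "tcp", 80, "allow"),
    Rule("internet", "dmz", "tcp", 443, "allow"),
    Rule("dmz", "trusted", "udp", 53, "allow"),
    Rule("trusted", "dmz", "tcp", 22, "allow"),
    Rule("trusted", "internet", "any", None, "allow"),
    Rule("dmz", "internet", "any", None, "deny"),
]

# Constructed probes; their dst field is a placeholder replaced by same_exposure().
PROBES = [Packet("203.0.113.5", "0.0.0.0", "tcp", 443),
          Packet("192.0.2.10", "0.0.0.0", "udp", 53)]

if __name__ == "__main__":
    print(decide(POLICY, Packet("203.0.113.5", "192.0.2.10", "tcp", 443)))   # allow
    print(decide(POLICY, Packet("203.0.113.5", "10.0.0.53", "udp", 53)))     # deny
    print(same_exposure(POLICY, "10.1.2.3", "10.0.0.53", PROBES))            # True
```

Note what the filter does not know: that 10.0.0.53 is the resolver every other host depends on and 10.1.2.3 is somebody's desktop. To the zone model they are interchangeable, which is exactly the distinction the paragraph above draws between being in the same zone and being security equivalent.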
10.3 Network Reconnaissance: Ping Sweeps, Port Scanning

Typically an adversary needs to know what he can attack before he can attack
it. This is called reconnaissance, and involves gathering information about the
target and identifying ways in which he can attack the target. In network
security, the adversary may want to know what systems are available for attack,
and a technique such as a ping sweep of your network block may facilitate this.
Then, he may choose to enumerate (get a list of) all the services available via a
technique such as a port scan. A port scan may be a horizontal scan (one port,
many IP addresses) or vertical scan (one IP address, multiple ports), or some
combination thereof. You can sometimes determine what service (and possibly
a port scan should only reveal what you already assumed your adversary already
knew. However, it is considered very rude, even antisocial, like walking down
the street and trying to open the front door of every house or business that you
pass.
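The three reconnaissance patterns named above have distinct shapes in a connection log, and those shapes are what a detector keys on. The following is an added example, not code from the book or from any particular firewall or IDS: it parses one connection-attempt line per event, then labels each source address as a ping sweep (ICMP to many hosts), a horizontal scan (one protocol/port across many hosts) or a vertical scan (many ports on one host). The log format, the log lines and the thresholds are constructed for the illustration; real thresholds would be tuned against the base rate of legitimate fan-out on your network, per the cost-benefit discussion in 5.2.

```python
"""Label reconnaissance in connection-attempt logs: ping sweep, horizontal
scan (one port, many hosts) and vertical scan (many ports, one host).

Added example; the log format, the lines in LOG and the thresholds are
constructed for the illustration (assumptions, not from the page).
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed log format: "<timestamp> src=<ip> dst=<ip> proto=<p> [dport=<n>]"
LINE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+)(?: dport=(?P<dport>\d+))?")

HOST_THRESHOLD = 5   # distinct destinations before we call it a sweep / horizontal scan
PORT_THRESHOLD = 5   # distinct ports on one destination before we call it a vertical scan

Event = Tuple[str, str, str, Optional[int]]   # (src, dst, proto, dport)


def parse(lines) -> List[Event]:
    """Extract (src, dst, proto, dport) from each line; unparseable lines are skipped."""
    events: List[Event] = []
    for line in lines:
        m = LINE.search(line)
        if m:
            events.append((m["src"], m["dst"], m["proto"],
                           int(m["dport"]) if m["dport"] else None))
    return events


def classify(lines) -> Dict[str, List[str]]:
    """Return {source: sorted labels} for every source that looks like a scanner."""
    icmp_targets: Dict[str, Set[str]] = defaultdict(set)                    # src -> dsts
    hosts_per_port: Dict[Tuple[str, str, int], Set[str]] = defaultdict(set)  # (src, proto, dport) -> dsts
    ports_per_host: Dict[Tuple[str, str], Set[int]] = defaultdict(set)       # (src, dst) -> dports
    for src, dst, proto, dport in parse(lines):
        if proto == "icmp":
            icmp_targets[src].add(dst)
        elif dport is not None:
            hosts_per_port[(src, proto, dport)].add(dst)
            ports_per_host[(src, dst)].add(dport)

    labels: Dict[str, Set[str]] = defaultdict(set)
    for src, dsts in icmp_targets.items():
        if len(dsts) >= HOST_THRESHOLD:
            labels[src].add("ping sweep")
    for (src, proto, dport), dsts in hosts_per_port.items():
        if len(dsts) >= HOST_THRESHOLD:
            labels[src].add(f"horizontal scan {proto}/{dport}")
    for (src, dst), ports in ports_per_host.items():
        if len(ports) >= PORT_THRESHOLD:
            labels[src].add(f"vertical scan of {dst}")
    return {src: sorted(found) for src, found in labels.items()}


# Constructed log lines (assumption): one source sweeps a /24 and then tries ssh
# on every host it found; a second source walks the ports of the web server;
# a legitimate client fetches a page twice and does one DNS lookup.
LOG = [
    *[f"2015-01-26T10:00:{i:02d} src=203.0.113.5 dst=192.0.2.{i} proto=icmp" for i in range(1, 9)],
    *[f"2015-01-26T10:01:{i:02d} src=203.0.113.5 dst=192.0.2.{i} proto=tcp dport=22" for i in range(1, 9)],
    *[f"2015-01-26T10:05:{p % 60:02d} src=198.51.100.7 dst=192.0.2.10 proto=tcp dport={p}"
      for p in (21, 22, 25, 80, 110, 143, 443, 3306)],
    "2015-01-26T10:06:00 src=10.1.2.3 dst=192.0.2.10 proto=tcp dport=80",
    "2015-01-26T10:06:01 src=10.1.2.3 dst=192.0.2.10 proto=tcp dport=80",
    "2015-01-26T10:06:02 src=10.1.2.3 dst=10.0.0.53 proto=udp dport=53",
    "2015-01-26T10:06:03 firewall restarted",   # free text, skipped by parse()
]

if __name__ == "__main__":
    for src, found in sorted(classify(LOG).items()):
        print(src, found)
```

The same source appears in two roles because the horizontal scan follows the sweep: the attacker first learned which hosts answer, then asked each of them the same question. That sequence, rather than either pattern alone, is the usual signature of deliberate reconnaissance; a client that legitimately talks to many hosts on one port (a monitoring system, a DNS resolver) will trip the horizontal rule but not the sweep.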