SECURITY ECONOMICS

Why companies build insecure systems? Why it's tough to manage security projects? How to cope with insecure systems?

SUBMITTED BY: Isha and Keertika Gangwar, Shreya and Vaishali, Yansi Keim and Sonali Tyagi, M. Tech (I.S.M.) – 1st Semester

SUBMITTED TO: Dr. Shashi Karhail, Secure Coding and Secure Engineering, I.G.D.T.U.W.


CONTENTS

1. Introduction.

2. Why companies build insecure systems?

3. Why it’s tough to manage security projects?

4. How to cope with insecure systems?

© I.G.D.T.U.W.


1. INTRODUCTION

"There are two things I am sure of after all these years: there is a growing societal need for high assurance software, and market forces are never going to provide it." — Earl Boebert

Security economics provides valuable insights not just into ‘security’ topics such as privacy, bugs, spam, and phishing, but into more general areas such as system dependability.

It also enables us to analyze the policy problems that security technology increasingly throws up — on issues like digital rights management. Where protection mechanisms are used by the system designer to control the owner of a machine, rather than to protect her against outside enemies, questions of competition policy and consumer rights follow, which economics provides the language to discuss.


1. WHY COMPANIES BUILD INSECURE SYSTEMS

Presented by Isha and Keertika


ECONOMICS OF INFORMATION SECURITY

The economic analysis of information security started in the last decade.

Economic analysis often explains security failure better than technical analysis!

Information security mechanisms are used increasingly to support business models rather than to manage risk.

Economic analysis is also vital for the public policy aspects of security. [1]

Fig. 1 Information Security


ECONOMICS AND SECURITY

Economic analysis often explains failure better!

Electronic banking: UK banks were less liable for fraud, so became careless and ended up suffering more internal fraud and errors

Distributed denial of service: viruses now don’t attack the infected machine so much as use it to attack others

Why is Microsoft software so insecure, despite market dominance?


DEFINITION OF ECONOMICS

Security economics provides valuable insights not just into ‘security’ topics such as privacy, bugs, spam, and phishing, but also in generic areas like system dependability.

Enables us to analyse the policy problems that security technology throws up – on issues like digital rights management, balance between public and private actions etc.


Basics of Economics

Monopoly

Public goods

Information economics

Price of information

Value of lock-in

Asymmetric Information


WHY INSECURE SYSTEMS?

Systems are often insecure because the people who could fix them have no incentive to

Bank customers suffer when bank systems allow fraud; patients suffer when hospital systems break privacy; Amazon’s website suffers when infected PCs attack it

Security is often what economists call an ‘externality’

Provides an excuse for government intervention


Contd…

If you have a nice new hack on Windows, do you tell Microsoft?

If you tell – protect 300m Americans

If you don’t tell – be able to hack more than 400m Europeans, 1000m Chinese,…

If the Chinese hack US systems, they keep quiet. If you hack their systems, you can brag about it to the President and get more budget


WHY MICROSOFT WASN’T INTERESTED IN SECURITY?

While Microsoft was growing, the two critical factors were speed, and appeal to application developers

Security markets were over-hyped and driven by artificial factors

Issues like privacy and liability were more complex than they seemed

The public couldn’t tell good security from bad


THE GLADMAN PRINCIPLE

“You can have security, or functionality, or scale. With good engineering you can have any two of these. But there’s no way you can get all three.”

- Brian Gladman (formerly of UK Defence Science Advisory Board)


WHY COMPANIES BUILD INSECURE SYSTEMS (1)

Security is always a trade-off

"Perfect security" is unachievable - must find the right trade-off

Security versus Cost

Security versus Convenience

Security versus Profit

"More" is not always better – vendors of products will try to convince you that you cannot live without their particular gadget


WHY COMPANIES BUILD INSECURE SYSTEMS (2)

Facebook now 7th biggest phishing target (after PayPal, top banks, eBay)

Facebook privacy settings are not enough to protect privacy. Why? Because Facebook wants to sell user data

Over 90% of users never change defaults

The complexity lets Facebook blame the customer when things go wrong


WHY COMPANIES BUILD INSECURE SYSTEMS (3)

Systems are often insecure because the people who guard them, or who could fix them, have insufficient incentives

Medical record systems bought by research or finance directors, not patients – so failed to protect privacy

Casino websites suffer when infected PCs run DDoS attacks on them

Insecurity is often what economists call an ‘externality’ – a side-effect


WHY COMPANIES BUILD INSECURE SYSTEMS (4)

In IT, switching from one product or service to another is expensive for a company

E.g. switching from Windows to Linux means retraining staff, rewriting apps

Shapiro-Varian theorem: the net present value of a software company is the total switching costs

So major effort goes into managing switching costs – once you have $3000 worth of songs on a $300 iPod, you’re locked into iPods


2. WHY IT’S TOUGH TO MANAGE SECURITY PROJECTS

Presented by Vaishali and Shreya

Management of Security Projects


QUESTIONS TO PONDER UPON…

Do we spend enough on keeping hackers out of our computer systems?

Do we not spend enough, or do we spend too much?

Do we spend too little on the police and army, or too much?

Do we spend our security budgets on the right things?


REASONS FOR LOSING SECURITY…

1. The likely hackers are not malicious outsiders but the owners of the equipment, or new firms trying to challenge the incumbent by making compatible products.

2. The issues are made more complex by the fact that innovation is often incremental, and the products succeed when new firms find killer applications for them.

3. Laws in many countries give companies a right to reverse-engineer their competitors’ products for compatibility.


THE ECONOMICS OF SECURITY AND DEPENDABILITY

The USA confronted the USSR over security, but Japan and the EU over trade. It has been left to the information security world to re-establish the connection.

In the UK, banks generally got away with claiming that their systems were ‘secure’ and telling customers who complained that they were mistaken. They spent more on security and suffered more fraud: as they knew that customer complaints would not be taken seriously, they became lazy, leading to an epidemic of fraud.


People were not spending as much money on anti-virus as the vendors hoped. A typical virus payload, way back, was a denial-of-service attack on Microsoft, and while a rational consumer might spend $20 to stop a virus trashing her HDD, she will be less likely to do so just to protect a wealthy corporation.

Hospital systems are bought by medical directors and administrators; they look after their interests but don’t protect patients’ privacy.


WEAKEST LINKS OR SUM OF EFFORTS

Program correctness can depend on minimum effort, while software vulnerability testing may depend on the sum of everyone’s efforts.

Systems become more reliable in the total-efforts case but less reliable in the weakest-link case.

Software companies should hire more software testers and fewer (but more competent) programmers.


MANAGING THE PATCHING CYCLE

There has been much debate about ‘open source security’, and more generally about whether actively seeking and disclosing vulnerabilities is socially desirable, but opening up a system helps the attackers and defenders equally. Data show that public disclosures made vendors respond with fixes more quickly; attacks increased with , but reported vulnerabilities declined over time.


WHY IS WINDOWS SO INSECURE???

First, desktop Windows stands firmly on a foundation as a stand-alone PC operating system. It was never meant to work in a networked world. So security holes that existed back in the days of Windows for Workgroups are still with us.

Many of these problems come down to Windows having IPCs, procedures that move information from one program to another, that were never designed with security in mind.

They have included DLLs, OCXs (Object Linking and Embedding (OLE) Control Extensions) and ActiveX, without any regard to security. Worse, they can be activated by user-level scripts, such as Word macros, or by programs simply viewing data, such as Outlook’s view window.


Microsoft Office formats are commonly used to transmit malware. Its latest version, Office 2010, tries to deal with this by blocking all but read access to documents, or ‘sandboxing’ them. Since we can’t edit the sandboxed document, we think that’s going to go really well. But users won’t use the sandbox utility; they’ll just spread the malware. This data format ‘functionality’ and easy ‘application-to-file-to-application’ IPC is in Windows because it makes it simple for Windows programs to share data. That’s great on a stand-alone PC, but a permanent security hole for a PC on a network.


There are some problems like Windows 7’s XP mode, which bypasses all the improvements made in Windows Vista and Windows 7. Again, it comes down to all of Windows’ security improvements amounting to just one layer of security over another on top of its fatal single-user, non-networked genetics.


That’s why Linux and Mac OS X, which is based on BSD Unix at its heart, are fundamentally safer. Their design forefathers were multi-user, networked systems. From the very beginning, they were built to deal with a potentially hostile world. Windows wasn’t.

Windows is more popular, so it gets attacked more often, as almost all the applications are built specifically for it.

Running Windows means that your PC will be attacked on an almost daily basis. Even with constant patching and adding security programs, you’re always going to be in danger of having your PC hijacked.


3. HOW TO COPE WITH INSECURE SYSTEMS

Presented by Sonali Tyagi and Yansi Keim


Managing Information Security


Fig. 2 Factors of Information Security [2]


FOUR FACTORS OF INFORMATION SECURITY

THREAT

VULNERABILITIES

VALUE OF INFORMATIONAL ASSETS

MONEY THAT SHOULD BE SPENT


WHAT DOES COPING MEAN?

Knowledge of a threat’s capabilities, infrastructure, motives, goals, and resources. The application of this information assists in the operational and strategic defense of network-based assets.

Fig. 3 Coping Features [3]


ISO CODE OF PRACTICE FOR INFORMATION SECURITY-ISO 17799

Guiding Principle No. 1. Security policy
Guiding Principle No. 2. Security organization
Guiding Principle No. 3. Asset classification and control
Guiding Principle No. 4. Personnel security
Guiding Principle No. 5. Physical and environmental security
Guiding Principle No. 6. Communications and operations management
Guiding Principle No. 7. Access control
Guiding Principle No. 8. Systems development and maintenance
Guiding Principle No. 9. Business Continuity Management
Guiding Principle No. 10. Compliance [3]


For the security engineer, two concepts are important: ‘monopoly’ and ‘public goods’.

Monopoly:

Fig. 4 Monopoly [3]


Under monopoly the merchant is a price setter while under perfect competition he simply has to accept whatever price the market establishes (he is a price taker).

Public Goods: A second type of market failure occurs when everyone gets the same quantity of some good, whether they want it or not. Classic examples are air quality, national defense and scientific research.

Windows is a monopoly, while the common Unix systems (Linux and OpenBSD) are public goods maintained by volunteers.


Threats such as viruses and spam used to come from a large number of small actors.

The number of serious spammers has dropped to the point that ISPs see significant fluctuations in overall spam volumes as the big spammers run particular campaigns — there is no law of large numbers operating any more.

This suggests a different and perhaps more centralised strategy.

Ex:

1. Air-defense threat in 1987 by Russian forces

2. Cyber-defense threat in 2007 by Russian gang


Instead of telling us to buy anti-virus software, our governments could be putting pressure on the Russians to round up and jail their cyber-gangsters.

Suggestions by the board include taking steps toward making software, systems vendors, and system operators more liable for security breaches.

The precedent has been set by Congress that companies could not be held liable if their software was not Y2K-compliant, and technology companies have naturally steered clear of laws that increase their liability.


Why companies buy products that are not up to the job, or fail to purchase a product that would be secure.[4]

Education is the best solution to increased security.[4]

The Computer and Telecommunications Board stated that the laws in place today fail to provide enough incentives for the market to respond adequately to information and software security issues.[4]


CONCLUSION

Many systems fail because the incentives are wrong, rather than because of some technical design mistake. As a result, the security engineer needs to understand basic economics as well as the basics of crypto, protocols, access controls and psychology. Security economics is a rapidly growing research area that explains many of the things that we used to consider just ‘bad weather’, such as the insecurity of Windows. It constantly throws up fascinating new insights into all sorts of questions from how to optimise the patching cycle through whether people really care about privacy to what legislators might do about DRM.


REFERENCES

[1]: Security Engineering by Ross Anderson.

[2]: http://www.itu.int/net/wsis/docs/background/themes/security/information_insecurity_2ed.pdf

[3]: White Paper on “Threat Intelligence Platform”.

[4]: http://www.geek.com/news/companies-to-be-punished-for-insecure-software-548720/#
