Team 12 Main SectIV

From CyberSecurity
Revision as of 00:51, 25 October 2005 by Chris DuPuis (talk | contribs)

IV. Defenses

Sections I - III are at:

http://cubist.cs.washington.edu/CyberSecurity/index.php/Team_12_Main

Home Computer scenario

--Dennis Galvin 16:25, 23 October 2005 (PDT)

We first identified a number of potential defenses which might have some applicability to attacks against and through home computers.

  • Anti-Virus and Anti-Spyware software: There are both shrink-wrap (commercial) and freeware/open source products available in this category. The commercially available products typically have a low initial cost and a renewable subscription to virus signatures. A significant portion of users do not renew their subscriptions, however, leading to vulnerable computers which can be compromised.
  • Firewalls: These can be software or hardware. The hardware firewalls can be purchased for home use. The more fully featured and fully configurable hardware firewalls found in businesses are generally not required for home use. Software firewalls are available as add-on purchases, and Microsoft has now integrated a firewall into the Windows XP operating system.
  • High quality software: Software by its nature has flaws. Software developers and publishers strive to develop less vulnerable products, and repair (patch) vulnerabilities in already released products. The computer operating system software needs to be as flaw-free as possible.
  • Operating systems and security products default to most secure settings, and are easily configured for high security: The Windows family of operating systems has moved in this direction, but there is far to go. Linux is notoriously difficult to configure securely, although it is becoming easier and there are now some more secure distributions and utilities for locking down a Linux box (e.g. Bastille). Mac is Unix now, so somebody please say something about Macs if you can. Windows needs to refuse to install unsigned drivers and codecs (this will begin to force accountability in third party software).
  • Effective patching/updating mechanisms: Windows and some Linux distributions have moved in the direction of making it easy to update systems (Windows Update and Synaptic respectively). Many users still do not patch regularly or, in the case of Windows, have turned off automatic updates.
  • ISP default port blocking policy: Prevent home users from operating exposed servers unless a separate application is made for credible reasons. Exposed servers can be attacked and compromised. Providers can be more proactive as attacks are mounted by aggressively blocking inbound traffic on ports affected by the attacks. ISPs need to very aggressively block outbound attack traffic from their networks and shut off access to / from attack sources (many do, but others, especially in non-US countries, do not).
  • Redesign the internet communications protocol to be more secure, preventing address spoofing. This is a massive, costly undertaking, but will need to be done eventually anyway (PITAC report).
  • User education: What good is all of the above if users will defeat all security just so they can have a cool screen saver somebody sent them in an e-mail? This is very tough to do, as owners have different motivations for purchasing computers, some computers are used entirely by children, and there is no licensing requirement to operate a computer.

Identify existing financial and non-financial incentives for installing defenses

  • Financial incentives: For the home computer scenario, there are few extant financial incentives, and a couple of significant disincentives for the owner. Installing defenses can be one component of protection from identity theft and disclosure of personal information to a wider audience. Both of these types of breaches can have significant financial effects on the computer owners. Additionally, restoring a compromised system to working order may require additional expertise and software, which comes as a cost to the computer owner. The cost (disincentive) of implementing these security measures is borne entirely by the computer user, and many home computer users do not possess the skills required to put these measures in place. Home computers are along for the ride when the internet communications protocols are eventually reworked.
  • Non-Financial incentives: Not installing defenses can lead to time when the computer and its resources are unavailable for entertainment, educational pursuits, communication, news gathering, etc. Restated: installing defenses is one component of maximizing the reliability and availability of the computer. For ISPs, aggressive port blocking should improve their users' experience, which might contribute to more word of mouth referrals.

Evaluate the adequacy of these incentives

  • Unfortunately the incentives are largely non-existent in the major areas of user education and redesigning the internet protocols.

Discuss whether additional protection would be cost-effective

  • It is only effective if the vast majority of computer owners would opt for buying in, as most of the costs for defenses would be passed on to the owners.

Identify lowest cost provider for upgrading protection (e.g. Microsoft, Norton, AOL, Corporate IT networks, computer owners)

  • The lowest cost provider for upgrading defenses is going to vary depending on which defenses are implemented. Clearly the lowest cost provider of more secure operating system software, with more secure defaults and intuitive security features, is going to be the OS publisher (e.g. Microsoft, Apple, etc). The lowest cost provider for creating the innovations to the infrastructure commonly used by all will be government funding of basic research.

List and evaluate possible policy levers for government intervention (e.g. tax incentives, legal liability, insurance)

  • Require OS vendors to provide a minimum amount of anti-virus, anti-spyware and firewall software in the operating systems.
  • Increase regulatory penalties for ISPs whose customer base is the source of attacks.

Corporate Defenses section is here:

Team_12_Corporate_Defenses

      B. Walmart Ordering Computer
         1. All of the above
         2. Intrusion detection tools
         3. Auditing tools
         4. Managed software deployment and maintenance tools.

--Dennis Galvin 15:05, 22 October 2005 (PDT) Walmart is clearly a huge business. As a corporation, they need to set an IT policy, and take responsibility for ensuring the integrity of their computing mesh. The above measures are partially the means of implementing that policy. Some components of an effective policy to defend against attacks may include: 1) defining access rights (for instance only IT folk are allowed to sign on as administrators); 2) testing of patches before rollout; 3) testing of software before it is installed; 4) acceptable use policy; 5) strong password policy and enforcement; 6) containment policy when intrusions are detected. The chosen policy must be clearly articulated and understood at the level required by all levels (upper management to greeters) in the firm.

--Chris DuPuis 20:24, 22 October 2005 (PDT) Another aspect of a security policy is to define the services that each class of network user requires, and to put up obstacles (such as firewall rules and enforced corporate policies) to any other network service. By making strict enough policies, the majority of workstations, which have no need to be connected to by other computers, and only need to connect to other computers for web and mail service, can be protected from the kind of remote exploit that we are considering here. This allows the administrator to concentrate on the more difficult task of keeping the servers that provide services on the Internet secure.
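The per-class allowlist described in the comment above, as an added example that is not part of the wiki page or of the comment author's text: each class of host is permitted only its named services, everything else is denied, and the same policy is rendered as default-deny iptables rules. Class names, port sets and connection attempts are constructed for illustration.

```python
# Added example (not from the wiki page): a per-class service policy,
# an evaluator for connection attempts, and the equivalent iptables
# rules. Class names and port sets are constructed for illustration.

# Each class lists the only TCP ports it may connect out to and the only
# ports it may accept connections on; anything else is denied.
POLICY = {
    "workstation": {"out": {80, 443, 25, 110, 143}, "in": set()},
    "web_server":  {"out": {443}, "in": {80, 443}},
}

def decide(host_class, direction, port):
    """Verdict for a NEW connection: 'allow' or 'deny'.
    direction is 'in' (remote initiates) or 'out' (local initiates).
    Unknown classes fall through to deny, so an unclassified host
    gets no service until someone defines what it needs.
    """
    allowed = POLICY.get(host_class, {}).get(direction, set())
    return "allow" if port in allowed else "deny"

def iptables_rules(host_class):
    """Render the class policy as a default-deny iptables rule list.
    Replies to permitted connections are admitted by connection
    tracking; only NEW connections are matched against the port lists.
    """
    rules = POLICY[host_class]
    lines = ["iptables -P INPUT DROP", "iptables -P OUTPUT DROP",
             "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
             "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for port in sorted(rules["in"]):
        lines.append(f"iptables -A INPUT -p tcp --dport {port} -m state --state NEW -j ACCEPT")
    for port in sorted(rules["out"]):
        lines.append(f"iptables -A OUTPUT -p tcp --dport {port} -m state --state NEW -j ACCEPT")
    return lines

# Constructed connection attempts: (class, direction, port, what it represents)
SAMPLE = [
    ("workstation", "out", 443, "user browsing"),
    ("workstation", "in", 445, "remote host probing a file-sharing port"),
    ("workstation", "out", 6667, "unexpected outbound service"),
    ("web_server", "in", 80, "customer request"),
    ("web_server", "in", 22, "remote admin not in policy"),
    ("printer", "in", 9100, "host with no defined class"),
]

if __name__ == "__main__":
    for cls, d, port, what in SAMPLE:
        print(f"{cls:12} {d:3} {port:5}  {decide(cls, d, port):5}  ({what})")
    print("\n".join(iptables_rules("workstation")))
```

The workstation rule set has no inbound NEW rule at all, which is what removes the class of remote exploit the comment refers to; the server class keeps only its two service ports open.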

      C. Trading Computer