human factor vs. technology.pptVIP

Human Factor vs. Technology Joanna Rutkowska Invisible Things Lab Gartner IT Security Summit, London, 17 September, 2007. Basic Definitions… Message of this talk Human factor is not the weakest link in IT security The technology factor is as week as the human factor! Human factor used to describe: User’s unawareness (“stupidity”) Admin’s incompetence NOT developer’s incompetence NOT system designer’s incompetence Security Consumers ? “Human Factor” Security Vendors ? “Technology Factor” Getting Into System Exploiting User’s Unawareness/Incompetence Social engineering Bad configuration Exploiting Technological Weakness Software flaw (e.g. buffer overflow) Protocol weakness (e.g. MitM) Usual Goal: arbitrary code execution on target system After Getting In… “Break and Escape” E.g. website defacement, files deletion Introduce damage, not compromise! “Steal and Escape” Steal confidential files, databases records, etc.. Do not compromise system – escape after data theft! Problems: encrypted data, passwords – only hashes stored “Install Some Malware” Compromise the system for full control! Prevention Approaches… Prevention Approaches Signature-based User’s education AI-based (anomaly detection) Host IPSes OS hardening (anti-exploitation) Host IPSes Least privilege design Code verification Signature based approaches Protect against “user’s stupidity” by blacklisting known attack patterns – e.g. certain “phishing mails” Protect against technological weaknesses by having a signature for an exploit (majority) or generic signature for an attack (minority, unfortunately) No protection against unknown (targeted) attacks! All major A/V vendors alerts about increasing number of targeted attacks, since 2006 targeted ? we usually don’t have a signature User’s education Increase awareness among users and competences of system administrators Should eliminate most of the social engineering based attacks, e.g. sending a malware via email Can not protect against attacks exploit