Professional Documents
Culture Documents
November 2011
What we hear.
Hijacked
web page
Demonstrate
asymmetric ease of
exploitation of DoD
computer versus
efforts to defend.
Infected .pdf
document
Result
Multiple remote
compromises of fully
security compliant and
patched HBSS
computer within days:
2 remote accesses.
25+ local privilege
escalations.
Undetected by host
defenses.
HBSS Workstation
Penetration Demonstration
FPGA
FPGA
Manufacture Location
ASIC
Manufacture Location
Asia
Asia
Europe
USA
Approved for Public Release, Distribution Unlimited.
Europe
USA
Ground truth
45,000
40,000
35,000
Cyber Incidents
Reported to
US-CERT [1]
by Federal
agencies
30,000
10.0
25,000
8.0
20,000
6.0
Federal Defensive
Cyber Spending [2]
($B)
15,000
4.0
10,000
2.0
5,000
0
2006
2007
2008
2009
2010
0.0
Why?
Lines of Code
10,000,000
Unified Threat
Management
8,000,000
Security software
6,000,000
4,000,000
x
2,000,000
Milky Way
DEC Seal
0
1985
Stalker
1990
x
1995
Network Flight
Recorder
Malware:
125 lines of code*
Snort
2000
2005
2010
# Passwords
Time
Approved for Public Release, Distribution Unlimited
Fix Avail?
Date Added
No
8/25/2010
Yes
8/24/2010
No
8/20/2010
No
8/18/2010
No
8/17/2010
Yes
8/16/2010
No
8/16/2010
No
8/12/2010
No
8/10/2010
No
Yes
No
No
6 of the
8/09/2010
vulnerabilities
8/06/2010
are in security
8/05/2010
software
No
7/29/2010
No
7/28/2010
No
7/26/2010
No
7/22/2010
8/10/2010
Regardless of the
application size,
the system loads
the same number
of support
functions.
Economics matter
There are multiple choices for addressing the supply chain vulnerability:
Bot Herder
Cost
Strategy 1:
XOR branch
Storm
Botnet
New
P2P Botnet
Strategy 2:
AES* branch
Root
Tree
Solution exists:
weekly patch,
kills branch
Solution needed:
high cost solution,
kills tree
Bot Herder
Return
Antivirus
Cost
Antivirus
Return
Short
Long
Small
High
High
Low
High
Small
High
High
Low
Branch
Approach
Uniform, layered
network defense
Example
Host Based Security
System
Unintended
consequence
Larger attack surface
introduces more areas
of exploitability for
attackers
Homogeneous targets
that amplify effects
Operator hygiene
15 character password
Antitrust law
rulings, use of
COTS
Competition and
independence in
security software and
COTS
We missed it too
#DARPACyber