Thinking about network safety in a public health light. ネットワークの安全性を公衆衛生にたとえて解説。

1. Code Blue in the ICU!
Thinking
about
network
safety
in
a
public
health
light
©
Jeff
Moss
–
jm@defcon.org

11. h@p://chrisharrison.net/

14. 1. NaEon
States
want
SECRETS

15. 1. NaEon
States
want
SECRETS
2. Organized
Criminals
want
MONEY

16. 1. NaEon
States
want
SECRETS
2. Organized
Criminals
want
MONEY
3. Protesters
want
ATTENTION

17. 1. NaEon
States
want
SECRETS
2. Organized
Criminals
want
MONEY
3. Protesters
want
ATTENTION
4. Hackers
&
researchers
want
KNOWLEDGE

18. 1. NaEon
States
want
SECRETS
2. Organized
Criminals
want
MONEY
3. Protesters
want
ATTENTION
4. Hackers
&
researchers
want
KNOWLEDGE
That’s
you
guys!

19. Hackers
&
Researchers
point
the
way!
-­‐ Discover
new
classes
of
vulnerabiliEes
-­‐ Expose
poor
product
security
-­‐ Spur
public
debate

20. Hackers
&
Researchers
point
the
way!
-­‐ Discover
new
classes
of
vulnerabiliEes
-­‐ Expose
poor
product
security
-­‐ Spur
public
debate
Criminals
and
Governments
don’t
do
this
It’s
not
in
their
interests

21. All
these
groups
need
the
net
to
work

22. Q:
What
if
there
is
a
5th
group
that
doesn’t?

23. Denial of service is increasing
0
00
00
00
00
00
00
00
2010
2011
Mar-­‐12
Oct-­‐12
Apr-­‐13
Feb-­‐14
Sept-­‐14
?
DDoS
in
Gigabits
per
second
Gps
fl
?
NTP
RAMP
CloudFlare
DNS
RAMP
SpamHaus

24. When
invesEng:
Specialize
for
larger
risk
/
returns

25. When
invesEng:
Specialize
for
larger
risk
/
returns
Diversify
to
reduce
risk
/
returns

26. We
now
have
clouds
of
complexity

27. We
have
virtual
clouds
of
complexity

28. The
failure
modes
of
Complex
systems
are
impossible
to
predict

31. I
like
the
Code
Blue
press
release
“Code
Blue
is
a
hospital
emergency
code
that
indicates
a
paEent
in
need
of
immediate
medical
a@enEon,
or
that
calls
for
relevant
teams
to
respond
immediately.
We
named
the
conference
ajer
the
code
because
we
hope
to
save
the
world
by
combining
people’s
knowledge”
h@p://japandailypress.com/white-­‐hat-­‐hackers-­‐to-­‐gather-­‐at-­‐code-­‐blue-­‐cybersecurity-­‐conference-­‐in-­‐tokyo-­‐1043926/

32. Public
health
analogy
• No
one
thinks
they
are
going
to
cure
cancer
• Diseases
are
“managed”,
very
few
are
ever
eliminated
• It
is
possible
to
be
re-­‐infected

33. Public
health
analogy
• No
one
thinks
they
are
going
to
cure
cancer
• No
administrator
thinks
they
can
ever
be
perfectly
secure
• Diseases
are
“managed”,
very
few
are
ever
eliminated
• Very
few
classes
of
vulnerabiliEes
are
ever
eliminated
• It
is
possible
to
be
re-­‐infected
• A
new
variant
of
an
old
vulnerability
can
re-­‐infect
your
systems

34. This
is
a
healthy
way
of
thinking

36. Perimeter
security
Involves:
Security
department
IT
department
ApplicaEon
teams

38. an
arEst
Babis
Cloud
has
made
'hedonIsM(y)
trojaner',
an
installaEon
of
the
ancient
greek
trojan
horse
from
computer
keyboard
bu

39. They
are
already
inside
your
perimeter
Involves:
Security
department
Legal
department
IT
department
CommunicaEons
ApplicaEon
teams
Risk
Management
Public
RelaEons
Finance
R&D

40. The
year
is
2014
• You
sEll
can’t
send
secure
email
easily
• You
can’t
have
a
secure
mobile
phone
call
• Web
browsing
securely
is
essenEally
impossible
• Name
resoluEon
is
insecure,
but
geqng
be@er
Why?
What
has
failed
us?

41. We
are
running
out
of
opEons
1990s
• Consumer
SelecEon

42. We
are
running
out
of
opEons
1990s
• Consumer
SelecEon
sumers
can’t
make
informed
Security
product
decisions

43. We
are
running
out
of
opEons
1990s
• Consumer
SelecEon
2000s
• Insurance
Pressure
sumers
can’t
make
informed
Security
product
decisions

44. We
are
running
out
of
opEons
1990s
• Consumer
SelecEon
2000s
• Insurance
Pressure
sumers
can’t
make
informed
Security
product
decisions
Lack
of
data
prevents
the
Crea>on
of
actuarial
tables

45. We
are
running
out
of
opEons
1990s
• Consumer
SelecEon
2000s
• Insurance
Pressure
2010s
• RegulaEons
sumers
can’t
make
informed
Security
product
decisions
Lack
of
data
prevents
the
Crea>on
of
actuarial
tables

46. We
are
running
out
of
opEons
1990s
• Consumer
SelecEon
2000s
• Insurance
Pressure
2010s
• RegulaEons
sumers
can’t
make
informed
ecurity
product
decisions
Lack
of
data
prevents
the
crea>on
of
actuarial
tables
Governments
are
reluctant
regulate
the
fast
moving
inte

47. That
leaves
us
We
must
provide
leadership
and
direcEon
where
and
when
we
can
We
need
to
help
companies
do
the
right
thing
through
educaEon
and
configuraEon

48. “First, Do No Harm” -Auguste François Chomel, 1847
Primum
non
nocere
“SomeEmes
it
may
be
be@er
to
not
do
something,
or
even
be@er
to
do
nothing,
than
to
risk
causing
more
harm
than
good.”

49. “First, Do No Harm” -Auguste François Chomel, 1847
To
me
this
can
be
applied
to
informaEon
security
when
thought
of
as
a
public
safety
issue:
• Do
no
harm
to
the
trust
of
users
–
be
open
about
your
policies
• Be
honest
about
the
risks
of
using
technology
• Do
not
let
wishful
thinking
influence
your
decisions

50. Community Immunity
(Also
known
as
Herd
Immunity
Theory)
“A
form
of
immunity
that
occurs
when
the
vaccinaEon
of
a
significant
porEon
of
a
populaEon
provides
a
measure
of
protecEon
for
individuals
who
have
not
developed
immunity.”

51. Three Modes of Immunity

52. Three Modes of Immunity

53. Three Modes of Immunity

54. Community Immunity only applies to
diseases that are contagious
Disease
Transmission
Immunity
threshold
Mumps
Airborne
droplet
75
-­‐
86%
Pertussis
Airborne
droplet
92
-­‐
94%
Rubella
Airborne
droplet
80
-­‐
85%
Smallpox
Social
contact
83
-­‐
85%

55. 1. No
one
is
immunized
–
Contagious
disease
spreads
through
the
populaEon
2. Some
of
the
populaEon
gets
immunized
–
Contagious
disease
spreads
through
some
of
the
populaEon
3. Most
of
the
populaEon
is
immunized
–
Spread
of
contagious
disease
is
contained
Three Modes of Immunity

56. 1. No
one
is
immunized
–
Contagious
disease
spreads
through
the
populaEon
Networks
and
systems
are
not
maintained
–
Malware
spreads
through
networks
without
noEce
and
li@le
to
stop
them
2. Some
of
the
populaEon
gets
immunized
–
Contagious
disease
spreads
through
some
of
the
populaEon
3. Most
of
the
populaEon
is
immunized
–
Spread
of
contagious
disease
is
contained
Three Modes of Immunity

57. 1. No
one
is
immunized
–
Contagious
disease
spreads
through
the
populaEon
Networks
and
systems
are
not
maintained
–
Malware
spreads
through
networks
without
noEce
and
li@le
to
stop
them
2. Some
of
the
populaEon
gets
immunized
–
Contagious
disease
spreads
through
some
of
the
populaEon
Some
networks
and
systems
are
not
maintained
–
Malware
is
someEmes
noEced
and
removed,
and
spreads
through
some
of
the
populaEon
3. Most
of
the
populaEon
is
immunized
–
Spread
of
contagious
disease
is
contained
Three Modes of Immunity

58. 1. No
one
is
immunized
–
Contagious
disease
spreads
through
the
populaEon
Networks
and
systems
are
not
maintained
–
Malware
spreads
through
networks
without
noEce
and
li@le
to
stop
them
2. Some
of
the
populaEon
gets
immunized
–
Contagious
disease
spreads
through
some
of
the
populaEon
Some
networks
and
systems
are
not
maintained
–
Malware
is
someEmes
noEced
and
removed,
and
spreads
through
some
of
the
populaEon
3. Most
of
the
populaEon
is
immunized
–
Spread
of
contagious
disease
is
contained
Most
all
networks
and
systems
are
maintained
–
Malware
is
noEced
most
of
the
Eme
and
removed,
acEons
are
taken
to
protect
other
systems
besides
your
own.
Three Modes of Immunity

59. 1. No
one
is
immunized
–
Contagious
disease
spreads
through
the
populaEon
Networks
and
systems
are
not
maintained
–
Malware
spreads
through
networks
without
noEce
and
li@le
to
stop
them
2. Some
of
the
populaEon
gets
immunized
–
Contagious
disease
spreads
through
some
of
the
populaEon
Some
networks
and
systems
are
not
maintained
–
Malware
is
someEmes
noEced
and
removed,
and
spreads
through
some
of
the
populaEon
3. Most
of
the
populaEon
is
immunized
–
Spread
of
contagious
disease
is
contained
Most
all
networks
and
systems
are
maintained
–
Malware
is
noEced
most
of
the
Eme
and
removed,
acEons
are
taken
to
protect
other
systems
besides
your
own.
Three Modes of Immunity

60. Firewall
as
VaccinaEon?

61. Vaccinate
yourself
and
others
Can
protecEng
your
network
and
systems
with
a
firewall
or
router
act
as
a
“virtual
vaccine”?
Can
your
network
peers
get
a
conferred
benefit?

62. Don’t
do
anything
addiEonal
on
your
network
Don’t
go
out
of
your
way
to
monitor
your
systems
Don’t
stay
up
to
date
on
patches
or
applicaEon
updates
Do
Nothing
or
“Not
Immunized”

63. Do
Nothing
or
“Not
Immunized”
PRO:
• Least
expensive
opEon,
no
training
or
changes
necessary
• Requires
no
network
or
applicaEon
modificaEons
CON:
• You
are
part
of
the
problem
and
possibly
causing
harm
• There
might
be
legal
consequences

64. Protect
your
systems
and
applicaEons,
but
not
those
of
others
Protect
only
yourself
or
“ParEally
Immunized”

65. Protect
your
systems
and
applicaEons,
but
not
those
of
others
Examples:
• Secure
your
systems
by
patching,
updaEng,
selecEng
good
sojware
• Filter
spoofed
inbound
traffic
to
your
network,
but
not
outbound
• Enable
DNSSEC
validaEon
on
your
DNS,
but
do
not
sign
your
zones
• Limit
spam
by
checking
for
SPF
records
and
using
DNS
blackholes,
but
not
publishing
your
own
SPF
records
Protect
only
yourself
or
“ParEally
Immunized”

66. Protect only yourself or “Partially
Immunized”
PRO:
• Lower
cost
that
being
fully
immunized
• You
are
be@er
protecEng
your
systems
against
misuse
by
others
CON:
• You
only
take
acEons
that
protect
your
systems
–
not
those
of
others
• Higher
management
and
configuraEon
overhead

67. Same
as
“ParEally
Immunized”
but
you
take
addiEonal
acEons
to
protect
those
around
you.
Protect yourself and others or “Fully
Immunized”

68. Same
as
“ParEally
Immunized”
but
you
take
addiEonal
acEons
to
protect
those
around
you.
Examples:
• Prevent
source
address
spoofing
from
leaving
your
network
• DNSSEC
sign
your
zone
files
so
others
can
rely
on
the
data
• Disable
recursion
on
your
name
servers
to
limit
AMP
a@acks
• Publish
an
SPF
record
to
reduce
spam
by
telling
other
networks
about
your
mail
server
Protect yourself and others or “Fully
Immunized”

69. Protect yourself and others or “Fully
Immunized”
PRO:
• You
are
“conferring
an
immunity”
to
some
degree
to
others
•
Most
beneficial
to
all
users
of
the
internet
•
Best
security
stance
for
yourself
and
those
around
you
CON:
•
Most
expensive
to
maintain
due
to
configuraEon
maintenance
•
You
need
be@er
trained
staff
to
stay
current
on
best
pracEces

70. DNSSEC
is
available
to
the
majority
of
internet
users
https://www.dnssec-deployment.org/

71. What
if
you
don’t
own
or
operate
a
network?

72. Donate
Resources

73. Donate resources

75. Donate resources
h?p://folding.stanford.edu/

76. Different communities
Companies
Governments
Individuals

78. Think
of
the
Future
Next
GeneraEon
technologies
are
starEng
to
be
deployed
Can
we
use
them
to
help
protect
ourselves
and
others?
DNSSEC
=
You
can
trust
the
answers
from
DNS
DANE
=
Risk
of
rogue
SSL
CAs
virtually
eliminated
IPv6
=
IPSEC
support,
less
NAT,
be@er
a@ribuEon,
future
growth

79. Has
thinking
about
network
heath
in
a
public
safety
light
helped?