Defense vs. Offense
CS 493/693 Lecture, Dr. Lawlor, 2006/02/06
It's useful to consider how society has solved the same security problems we now face with computers.
For example, a normal passenger car has laughably poor security--the
vehicle can be trivially hijacked during operation using almost any
weapon, the windows can be broken, the locks can be picked, the
ignition can be hotwired, the tires can be deflated (denial of service)
or the entire vehicle itself ignited (serious denial of service).
A "secure" car would be more like a tank--virtually impossible to
steal, no windows, thick hardened steel armor. But even a tank
can be disabled with a simple shaped charge (like a rocket propelled
grenade) or sufficient explosive power. A modern innovation in
tank armor is Reactive Armor. The most common type consists of a high explosive that explodes when shot, breaking up the incoming projectile.
The standard security model for an automobile also includes a reactive
component--the cops! Car theft is treated as a serious crime, and
society expends considerable resources detecting, investigating, and
responding to car theft. Imagine how many more car thefts there
would be if car theft were treated the same way as computer security
incidents! That is, imagine if the response to a car theft were just
to buy a new car and blame the victim--"You should have kept your
system patched. And where was your firewall?"
In general, security problems can be addressed in one of two ways:
- Defense: Harden the target. Keep your system patched.
Disable unused network services. Use a good firewall.
Defensive techniques normally impose fairly heavy costs on legitimate
users (e.g., more annoyance at each login, fewer ways to get legitimate
work done). But because of the "weakest link in the chain" problem,
defensive techniques don't always impose equal costs on
attackers: the attacker only needs to find the one service you left
unsecured, so time spent securing services that don't get attacked is
wasted effort.
- Offense: Stop the attacker. Log IP addresses and packet
traces for use in court. In case of an unambiguous attack,
involve law enforcement early. The (local, state, or federal)
police and the courts can impose very heavy costs on attackers, while
leaving legitimate users untouched. Note that "stop the attacker"
does not mean vigilante justice! You can block an attacker's
traffic to your subnet, perform simple connection tests to his IP
(e.g., ping, traceroute), and initiate legal action against him, but
even something as simple as a portscan of the attacking IP address is
legally perilous.
Both security aspects are important and useful, and neither should be
forgotten. We'll talk about defense, but in my opinion offensive
capability against network attackers today is sorely lacking--law
enforcement is very rarely involved, and prosecutions make the national
news because they are so rare. The single factor that most
complicates law enforcement's reach on the internet is
jurisdiction--conventional law enforcement is restricted to a single
geographically defined area. This means attackers not from your
home town are very difficult to successfully prosecute.