Aedificatoria: Layered Weak Links
The Ability to Refresh Attack Cost is Key to Mission Success, but Seldom Available
Today, I'm kicking off a column on security architectures and architecting security. Articles - sometimes op-ed - will be aimed at addressing:
- the security architect's working landscape (with its tools, objects, technologies, processes, and challenges);
- the architecture, as the set of theoretical and practical knowledge driving our activities;
- the human element.
I believe this couldn't be a more timely topic and, as somebody who worked a lot on security architectures, first at Andxor and later as an information assurance consultant, I couldn't refrain from contributing my take on it. I hope the column will provide us with yet another discussion topic.
In Depth: Strengths or Weaknesses?
Delivering cost-effective commoditized services, cloud-service providers concentrate a massive amount of data and resources, thereby becoming attractive targets for attackers. At the same time, the more assets are at stake - including the cloud-service providers' reputation - the stronger the economies of scale that argue for devising and deploying, in the cloud setting, novel security solutions with degrees of assurance higher than any single cloud customer could afford.
How can we achieve the levels of security the cloud risk profile demands? A commonly held viewpoint is that a Defense in Depth strategy is a smart design paradigm for building security in. Layering defenses along multiple dimensions has been widely believed to provide a computing environment that meets the information assurance requirements of our organizations.
On the other hand, the key assumptions and design paradigms our security architectures rely on have been repeatedly challenged by the intrusions into information systems we have observed over the past decade. The mounting evidence of the limited effectiveness of current defensive measures should prompt us to examine the key assumptions that underlie our security architectures. Doing so may lead us either to a fundamentally different understanding of the technological challenges or to an even firmer foundation for moving forward on the current assumptions, helping in both cases to build the novel solutions we need.
Layered Weak Links
Although Defense-in-Depth is in concept a strategy we would like to apply, its implementations must account for the uncertain effectiveness of layered security mechanisms, their composition and their interactions. Every architectural component we use to implement our security policy may be a weak link. Systems, even if well designed, exhibit multiple weak links, especially in the context of insider misuse. From an assurance perspective, the non-zero probability that each particular mechanism will fail, sooner or later, limits the reliance we can place on that element. As such, layered defenses need to be understood as layered weak links.
Layering multiple potentially weak links may be helpful, but it is not necessarily sufficient to keep the risk of mission failure negligible. Depending on the desired system lifetime and on the attack costs (i.e., the temporal and financial resources required), a determined opponent may find a way to break all the defense layers and compromise the mission's essential functions. On the other hand, from an incentives perspective, it is worth observing that undermining the attacker's revenue expectations deters the opponent from entering the game and, in turn, can contribute significantly to mission assurance. This can be accomplished by refreshing the attack costs: updating the system on a periodic basis, before the attack time elapses, in order to rejuvenate the security of the defensive measures and render the attacker's effort fruitless. As long as a practical attack vector exists, given enough time (i.e., system operation time) the attacker will manage to exploit the vulnerabilities present in the target system. Hence, refreshing the security of weak layered defenses appears to be key to mission success.
More specifically, the management life cycle of defenses based on refreshable security mechanisms goes through four steps, here dubbed RD2: Raise, Defer, Refresh, and Deter. The attack cost is first raised at system development time, when the adoption and composition of the selected security mechanisms shape the current and future attack vectors the system will be subject to. The financial and temporal resources required by each applicable attack then defer the harm the opponent may do. If the ability to refresh the security of any of the layered defenses exists, the attack costs can be re-established before the attack time elapses. Refreshing the security acts as a controlled change across the system that reduces the attacker's windows of opportunity and increases the apparent complexity and effort of exploitation. In turn, this can deter the adversary from engaging in attacks. Therefore, a life cycle that ends with the defer step appears to contribute mostly to system survivability, while the ability to refresh the attack costs contributes directly to mission assurance.
Unfortunately, the ability to refresh attack costs is seldom present in the systems we design and in their business models. Still, notable exceptions exist. For instance, the implementation of the Defense-in-Depth strategy adopted by pay-TV companies to protect their revenues from piracy losses has the ability to refresh its security by sending a new smartcard to subscribers. In turn, this forces attackers to go through the trouble of reverse engineering all over again. In a similar way, existing guidelines for the selection of cryptographic key sizes and lifetimes enforce a negligible error bound on the probability of key exposure, arising from exhaustive-search attacks or accidental faults of the cryptographic module, by mandating when the keys will be revoked or updated. At the same time, many other security mechanisms lack a cost-effective or timely way to refresh their security. This is the case for TCBs, security printing inks, or protocols later found to have a design flaw. Economic incentives (e.g., positive network externalities) may lead adopters of the latter to retain backward compatibility with the broken security mechanisms, fostering downgrade attacks - as has already happened.
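To make the RD2 reasoning above concrete (the refresh step re-establishing attack costs, and the key-lifetime guidelines that bound the exposure probability over a system's lifetime), here is an added toy risk model; it is not code from the column. It assumes that each layer is a weak link whose time-to-compromise is exponentially distributed (a constructed assumption, with rates expressed per day), that layers are attacked independently in parallel, and that a refresh resets every layer so the attacker must re-break all of them within one refresh window.

```python
import math

# Added example, not from the column: a toy risk model for the RD2 life cycle.
# Assumptions (constructed): each layer's time-to-compromise is exponential
# with rate lam per day; layers are attacked independently in parallel; a
# refresh resets all layers, so the mission fails only if every layer is
# broken inside the same refresh window.

def window_compromise_prob(layer_rates, window_days):
    """P(all layers broken within one window of the given length)."""
    p = 1.0
    for lam in layer_rates:
        p *= 1.0 - math.exp(-lam * window_days)
    return p

def mission_failure_prob(layer_rates, lifetime_days, refresh_days=None):
    """P(mission failure over the system lifetime), with or without refresh."""
    if refresh_days is None or refresh_days >= lifetime_days:
        return window_compromise_prob(layer_rates, lifetime_days)
    windows = math.ceil(lifetime_days / refresh_days)
    p_window = window_compromise_prob(layer_rates, refresh_days)
    return 1.0 - (1.0 - p_window) ** windows

def longest_refresh_period(layer_rates, lifetime_days, max_failure_prob):
    """Largest whole-day refresh period that keeps the failure probability
    at or below the target (the key-lifetime idea); None if even daily
    refresh is not enough."""
    for period in range(lifetime_days, 0, -1):
        if mission_failure_prob(layer_rates, lifetime_days, period) <= max_failure_prob:
            return period
    return None

def rate_from_median_days(median_days):
    """Exponential rate at which half of the attackers break the layer by median_days."""
    return math.log(2) / median_days

if __name__ == "__main__":
    # Constructed scenario: three weak links with 30-, 60- and 90-day median
    # times-to-compromise, protecting a mission with a one-year lifetime.
    layers = [rate_from_median_days(d) for d in (30, 60, 90)]
    lifetime = 365
    for refresh in (None, 90, 30, 7):
        print(f"refresh={refresh!s:>4} days: P(failure over {lifetime} days) = "
              f"{mission_failure_prob(layers, lifetime, refresh):.4f}")
    print("longest refresh period keeping P(failure) <= 1%:",
          longest_refresh_period(layers, lifetime, 0.01), "days")
```

Under this model a single memoryless layer gains nothing from refresh; the benefit comes from wiping out the attacker's partial progress across several layers, which is exactly the layered-weak-links argument.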
Conclusions
Defense-in-Depth is a strategy that can provide great value to the security initiatives of our society, such as secure cloud computing architectures, by contributing to the survivability of our infrastructures. Still, it is not a silver bullet with regard to mission assurance objectives. A review of which implementation tactics work and which don't would be helpful, as would investigating further strategies for achieving information assurance in today's highly connected environment.