Notes2Self.net

Stephen McGibbon's Web Journal

Erol Hofman's notes from my presentation at the 3rd Annual World-Wide Security Conference

Erol Hofman organised the East-West Institute's Second and Third Annual Worldwide Security Conferences. The Third Annual World-Wide Security Conference was held in Brussels, 21-23 February 2006. I presented on the technology track and Erol has posted his notes from my presentation. There's also a post-conference report available here.

The final speaker in the technology session was Stephen McGibbon, Microsoft's Regional Technology Officer, who chose to address three topics in his presentation. These were: recent developments in cyber-security and what Microsoft is doing to improve the security of the Windows operating system, electronic identity and biometrics, and ultimately the future.

Security is related to risk, and risk is an easier term to define: risk is generally accepted as being 'the likelihood of something happening, and its impact if it does'.

He illustrated that risk is inherent in everything, and said that simply in crossing the road there is the possibility of being hit by a lorry, and that while the likelihood of being hit by a lorry is relatively low, the impact of being hit by a lorry might be quite high. Alternatively, you might have something extremely likely to happen, but with relatively low impact. It is therefore necessary to perform risk assessments in order to determine the likelihood and potential impact of an attack. Then the nature of cyber-security changed completely.

The reason for this change was simple: in 1995 most people used their personal computers in the environment of their homes. They might possibly use a modem to dial CompuServe or AOL and there they would have some limited interaction. There was a risk model associated with this type of use. Then, what McGibbon described as the phenomenon called the worldwide web happened. Simultaneously, Internet access was revolutionized through the increase in high-speed broadband networks and the threat model for personal computing changed accordingly. Customers upgraded to broadband, bought new modems for their computers and left them on all day. The computers were not designed for this kind of usage, McGibbon explained, and he said that basically you had a machine that was designed with a particular threat model in place but was now being used in a totally different environment.

Microsoft naturally had to respond to this change as the majority of computers use a Windows operating system and a candid McGibbon admitted it was quite apparent that the design points for Windows 95 and for some of the earlier versions of Windows XP were extremely vulnerable to this threat environment. The response was to completely re-examine computer security and to approach software design and security in a new way. The first initiative was called the trustworthy computing initiative. This focused not just on security but identified also privacy, reliability and availability as being the other attributes of a trustworthy system. Having identified the key criteria, Microsoft had to change the way that they engineered their software accordingly. McGibbon said that this came in the shape of something called SD3+C, which stands for 'secure by design, secure by default, secure by deployment, and communications'.

These were the crucial issues in the design of software. Secure by design meant that when Microsoft produced new software a thorough threat analysis would be performed. The vulnerability of the software would be analyzed and new concepts and techniques were created to do this. One of these new concepts, McGibbon said, was that of the attack surface area of a piece of software.

Secure by default applied to the utilization of security mechanisms. McGibbon continued that with Windows 95, users generally wished that everything was turned on by default. However, with the internet model, it's clear that that's not the most appropriate, and therefore now everything is turned off by default. With the new Windows Vista he explained, users will find that many services are automatically turned off and will only become activated when you need those services, and then only for the duration that you need them.

Secure by deployment meant that a set of technologies to help system administrators was needed. Microsoft chose to change their policy of not advising users how to use their software following the realization that users want prescriptive guidance on how they should deploy its technologies. Now a set of prescriptive guidance for how the technology should be deployed is produced, in addition to other data such as security baseline analyses, software that McGibbon said will run on a system and analyze whether good practice has been followed and where that good practice might be improved.

Another result of the rapid change in security in the broadband era was that Microsoft realized the necessity of constantly reviewing the threat model. Any necessary changes are then made available through updates. An example of this was 'Service Pack 2' for Windows XP. This was the first update for Windows XP that had gone through the SD3+C process and provided an improved firewall and a set of technologies to allow for automatic updates.

McGibbon said that the three basic pieces of computer security guidance that Microsoft now provides to computer users are: you should have automatic updates turned on; you should have up-to-date antivirus running; and you should make sure that the firewall on your computer is turned on. These three things alone do a great deal in reducing the overall threat of the host of computers that are on the Internet. This is increasingly important, the Microsoft technology officer explained, as the behavior of hackers has also changed with the threat model.

He said that in the past, if you got a virus or you had a hacker, they wanted to let you know that you had been attacked. However, the nature of the threat changed, and now hackers are far more motivated not to let you know that your network has been penetrated or that your system has been compromised in some way. The reason for that is that they want to sell the capability to do something illegal from your machine. A lot of money is now involved in this, much of it travelling from the West to the East.

This is where the communication factor in SD3+C is relevant. Microsoft now works to communicate threats to, and also to work with, law enforcement agencies. This involves providing them with access to technical information and assisting their specialist departments with forensic work. This support is provided all the way through to the prosecution stage.

He next focused on E-ID - Electronic Identification. This, McGibbon said, was an interesting area, although the 'E' complicates it an awful lot. ID cards themselves are a simple concept. They contain a certain amount of information and their issuance and renewal is an equally simple process. Electronic ID cards, however, pose a variety of different problems. McGibbon asserted that there is no real technical challenge in E-ID cards. The challenge is far, far more in the legal frameworks around them, and what we mean by the 'E'.

Within the European Union this issue is further complicated by what each country thinks should be recorded and also in the legislative framework for the cards and what they should actually be used for. This is an area upon which, even within the European Union, there is considerable debate. Whilst he said that there seems to be the sentiment that a European identity card is a good idea, McGibbon said that the likelihood is that there won't be a single European identification law that will support it and that there will in fact be a series of identity cards issued by the individual Member States that reflect their national legislation. Having only national E-ID cards presents the further problem of having to find a way of inter-operating them and making them compatible with each other. Again, McGibbon said the question of compatibility is not a technological issue but one of reaching legal agreement between states.

He said that with all these problems in mind it was disappointing that the debate on this issue had moved forwards so quickly from the concept of an E-ID into the concept of E-ID with biometrics. Adding the issue of biometrics makes it even more difficult to reach agreement on identity cards. McGibbon equated utilizing biometric technology in identity cards to issuing all citizens with a unique serial number and then requiring them to use this number at all times. This, he said, would cause uproar among citizens, yet a unique serial number is exactly what a biometric is. Furthermore, he continued, a biometric is a serial number that is difficult to revoke; I can't easily change my thumbprint. He also cautioned against the potential for abuse of biometrics and personal data. He illustrated this point with the example of a school (in England) which is using a thumbprint to remove the need for money for school lunches. The scheme had been introduced to prevent school bullies from stealing children's lunch money, and parents now paid for the meals through direct debit. This, McGibbon argued, was a sensible use of technology and is also used in some school libraries in Britain. The problem, he pointed out, arose in the fact that it was announced that they planned to extend the scope of the technology so that parents would be able to track the eating habits of their children. This illustrated the ease of abusing a technology that was implemented for one purpose to infringe on an individual's privacy. McGibbon was adamant that, as regards these technologies, we need to learn that just because we can, doesn't mean we should.

In addition to biometrics, McGibbon also spoke on RF-ID. This he described as a similar technology to biometrics in that it provides a means to link a unique identifier to a database of other attributes. He explained that if an object has an RF-ID, it doesn't tell me a lot, but it does tell me a unique serial number that permits the identification of the origins of the object and possibly a whole audit trail. In America, he said, there are already people who have an RF-ID transceiver implanted in their bicep, and this grants them access to high-security infrastructure without the need for a password. He added that there are some in the European Commission who are even promoting this as a sensible model for the future, and forecast that identification would become a very serious socio-political issue. McGibbon stressed again that the technology required does not present a problem - it is wholly a case of reaching agreement on legal and privacy issues.

Finally, he spoke of the future. He declared that the threat model will change and in fact is changing right now. He mooted the advent of voice over IP and highly encrypted point-to-point communication calls, which do not need to travel over state-monitored infrastructure. He pointed also to the model of IPv6, which he said will restore the end-to-end nature of the internet, decentralize it and make everything more peer-to-peer orientated. With increased peer-to-peer orientation and decentralization, a lot of the crime detection and analysis techniques that have been developed to this point will start to lose some of their efficacy, he warned. As a result, this would require the development of new techniques to meet the dual problem of the resurgence of the peer-to-peer/end-to-end nature of the Internet, together with reasonably high levels of encryption. Detection is crucial, and it is therefore of vital importance that cyber-security evolves simultaneously with the threat models.