There is no impenetrable system - So, why we are just waiting to get breached?

Nane Kratzke
February 20, 2018

Although it might be hard to accept, attackers can, in principle, establish footholds in our systems whenever they want (zero-day exploits). This presentation is input for a panel discussion on "Security and Safety in Cloud-based Systems and Services" at the 9th International Conference on Cloud Computing, GRIDs, and Virtualization (CLOUD COMPUTING 2018), held in Barcelona, Spain, in February 2018.

Cloud application security engineering efforts focus on hardening the "fortress walls". Cloud applications therefore rely on these defensive walls but seldom attack intruders actively. There is a need for a more reactive component, one that could be inspired by biological systems. Biological systems assume by design that defensive "walls" can be breached at several layers, so they provide an additional active defense system to attack potentially successful intruders: an immune system. Although several experts find this approach "intriguing", follow-up questions arise. What about exploits that adapt to bio-inspired systems? How can the immune system be protected against direct attacks? Are cloud immune systems prone to phenomena like fever (running hot) or auto-immune diseases (self-attacking)?

Transcript

  1. There is no impenetrable system
    So, why we are just waiting to get
    breached?
    Nane Kratzke
    Panel Discussion: “Security and Safety in Cloud-based Systems and Services“
    9th International Conference on Cloud Computing, GRIDs, and Virtualization (CLOUD COMPUTING 2018); Barcelona, Spain, 2018

  2. The Fortress Walls of Cloud Applications
    Prof. Dr. rer. nat. Nane Kratzke
    Computer Science and Business Information Systems
    • Security Groups
    • Firewalls
    • VPNs
    • Intrusion Detection Systems
    • Unattended Security Updates
    • Symmetric and asymmetric encryption
    • Password (checks)
    • SSH Keys
    • Authentication
    • Authorization
    • Two (Multi) Factor Authentication
    • …

  3. How to defend against unknown vulnerabilities?
    Reported in January 2018. Mainly x86 microprocessors with out-of-order execution and branch-prediction affected since 1995 (says Google).
    CVE-2017-5754
    CVE-2017-5715
    CVE-2017-5753
    I started my computer science studies in 1996! My microprocessor professor told me, out-of-order execution and branch-prediction is one of the coolest things on earth.

  4. How long can presence be maintained?
    Answer: Surprisingly long!

  5. Some scary considerations
    • In principle, attackers can establish footholds in our systems whenever they want (zero-day exploits)
    • Cloud application security engineering efforts focus on hardening the fortress walls.
    • Cloud applications rely on their defensive walls but seldom attack intruders actively.

  6. We need a reactive component as well
    Biological systems are different.
    Defensive “walls” can be breached at several layers.
    An additional active defense system is needed to attack potentially successful intruders - an immune system.

  7. Let us make the game more challenging for the attacker (act, do not react)
    We can create a race between a manual (time-intensive) breach and a fully automatic (and fast) regeneration.
    Figure legend: Regenerated node (randomly chosen at some point in time); Successfully breached node (lateral movement)

  8. It is all about Pets versus Cattle
    • Assume you are a rancher
    • Assume one of your cattle is deadly infectious
    • Be professional, shoot – and replace it
    • Yes, life is not fair (maybe for the cute kitty)
    • However, we should remember that for security (and that zero-day attacks are not fair either)

  9. Immune systems for cloud applications?
    Yes, there are questions worth discussing …
    • Can we reduce regenerations?
    • Can we identify suspect nodes automatically?
    • Limited to what kind of applications?
    • What about exploits/attacks that are adaptable to bio-inspired systems?
    • How to protect the regeneration mechanism against attackers?
    • Are cloud immune systems prone to phenomena like fever (running hot) or auto-immune diseases (self-attacking)?

  10. Acknowledgement
    Picture Reference
    • Ninja: Pixabay (CC0 Public Domain)
    • Fortress: Pixabay (CC0 Public Domain)
    • Bowman: Pixabay (CC0 Public Domain)
    • Cattle: Pixabay (CC0 Public Domain)
    • Cell: Pixabay (CC0 Public Domain)
    • Air Transport: Pixabay (CC0 Public Domain)
    This contribution resulted as a side effect of research that is funded by the German Federal Ministry of Education and Research (Project Cloud TRANSIT, 13FH021PX4).
    Presentation URL

  11. About
    Nane Kratzke
    CoSA: http://cosa.fh-luebeck.de/en/contact/people/n-kratzke
    Blog: http://www.nkode.io
    Twitter: @NaneKratzke
    GooglePlus: +NaneKratzke
    LinkedIn: https://de.linkedin.com/in/nanekratzke
    GitHub: https://github.com/nkratzke
    ResearchGate: https://www.researchgate.net/profile/Nane_Kratzke
    Speaker Deck: https://speakerdeck.com/nkratzke
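
The race described on slide 7, as an added simulation that is not part of the original deck: an intruder spreads through a cluster by slow manual lateral movement while the platform replaces randomly chosen nodes on a timer. The node count, the timings and the eviction rule are assumptions chosen for illustration.

```python
import random

def simulate_dwell(nodes, breach_hours, regen_hours, horizon_hours, rng):
    """Hours until the intruder holds no node (horizon_hours if never evicted).

    Assumed model: the intruder starts on one node and needs breach_hours of
    manual work per lateral move; every regen_hours the platform replaces one
    uniformly chosen node with a fresh instance, whether or not it is suspect.
    """
    compromised = {0}                        # initial foothold
    next_breach, next_regen = breach_hours, regen_hours
    while True:
        now = min(next_breach, next_regen)
        if now >= horizon_hours:
            return horizon_hours             # intruder still present
        if next_regen <= next_breach:        # regeneration wins ties
            compromised.discard(rng.randrange(nodes))
            next_regen += regen_hours
            if not compromised:
                return now                   # last foothold was replaced
        else:                                # one more lateral movement
            clean = [n for n in range(nodes) if n not in compromised]
            if clean:
                compromised.add(rng.choice(clean))
            next_breach += breach_hours

def mean_dwell(nodes, breach_hours, regen_hours, horizon_hours=720,
               trials=2000, seed=1):
    """Average intruder presence in hours over seeded Monte Carlo trials."""
    rng = random.Random(seed)
    total = sum(simulate_dwell(nodes, breach_hours, regen_hours,
                               horizon_hours, rng) for _ in range(trials))
    return total / trials

if __name__ == "__main__":
    # Constructed scenarios: 10 nodes, 30-day (720 h) horizon.
    print("regeneration every 1 h, breach takes 24 h:", mean_dwell(10, 24, 1))
    print("regeneration every 24 h, breach takes 4 h:", mean_dwell(10, 4, 24))
```

In the second scenario the intruder already holds six nodes before the first regeneration, so replacing one node per day never evicts them within the horizon. Regeneration only wins the race when it is faster than the manual breach.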
