About This E-Book EPUB is an open, industry-standard format for e-books. However, support for EPUB and its many features varies across reading devices and applications. Use your device or app settings to customize the presentation to your liking. Settings that you can customize often include font, font size, single or double column, landscape or portrait mode, and figures that you can click or tap to enlarge. For additional information about the settings and features on your reading device or app, visit the device manufacturer’s Web site. Many titles include programming code or configuration examples. To optimize the presentation of these elements, view the e-book in single-column, landscape mode and adjust the font size to the smallest setting. In addition to presenting code and configurations in the reflowable text format, we have included images of the code that mimic the presentation found in the print book; therefore, where the reflowable format may compromise the presentation of the code listing, you will see a “Click here to view code image” link. Click the link to view the print-fidelity code image. To return to the previous page viewed, click the Back button on your device or app. Thinking Security Stopping Next Year’s Hackers Steven M. Bellovin New York • Boston • Indiannopolis • San Francisco Toronto • Montreal • London • Munich • Paris • Madrid Capetown • Sydney • Tokyo • Singapore • Mexico City Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and the publisher was aware of a trademark claim, the designations have been printed with initial capital letters or in all capitals. A complete list of sources and credits appears on pages 379–380. The author and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein. For information about buying this title in bulk quantities, or for special sales opportunities (which may include electronic versions; custom cover designs; and content particular to your business, training goals, marketing focus, or branding interests), please contact our corporate sales department at [email protected] or (800) 382-3419. For government sales inquiries, please contact [email protected]. For questions about sales outside the United States, please contact [email protected]. Visit us on the Web: informit.com/aw Library of Congress Cataloging-in-Publication Data Bellovin, Steven M., author. Thinking security : stopping next year’s hackers / Steven M. Bellovin. pages cm Includes bibliographical references and index. ISBN 978-0-13-427754-7 (hardcover : alk. paper) 1. Computer networks—Security measures. 2. Computer security. I. Title. TK5105.59.B45154 2016 658.4’78—dc23 2015030719 Copyright © 2016 Steven M. Bellovin All rights reserved. Printed in the United States of America. This publication is protected by copyright, and permission must be obtained from the publisher prior to any prohibited reproduction, storage in a retrieval system, or transmission in any form or by any means, electronic, mechanical, photocopying, recording, or likewise. To obtain permission to use material from this work, please submit a written request to Pearson Education, Inc., Permissions Department, 200 Old Tappan Road, Old Tappan, New Jersey 07675, or you may fax your request to (201) 236-3290. ISBN-13: 978-0-13-427754-7 ISBN-10: 0-13-427754-6 Text printed in the United States on recycled paper at RR Donnelley in Crawfordsville, Indiana. First printing, November 2015 To Diane, for many reasons and then some, and to Rebecca and Daniel who asked me not to write another book but no longer live at home and hence don’t get a veto. Contents Preface I Defining the Problem 1 Introduction 1.1 Changes 1.2 Adapting to Change 1.3 Security Analysis 1.4 A Few Words on Terminology 2 Thinking About Security 2.1 The Security Mindset 2.2 Know Your Goals 2.3 Security as a Systems Problem 2.4 Thinking Like the Enemy 3 Threat Models 3.1 Who’s Your Enemy? 3.2 Classes of Attackers 3.3 Advanced Persistent Threats 3.4 What’s at Risk? 3.5 The Legacy Problem II Technologies 4 Antivirus Software 4.1 Characteristics 4.2 The Care and Feeding of Antivirus Software 4.3 Is Antivirus Always Needed? 4.4 Analysis 5 Firewalls and Intrusion Detection Systems 5.1 What Firewalls Don’t Do 5.2 A Theory of Firewalls 5.3 Intrusion Detection Systems 5.4 Intrusion Prevention Systems 5.5 Extrusion Detection 5.6 Analysis 6 Cryptography and VPNs 6.1 Cryptography, the Wonder Drug 6.2 Key Distribution 6.3 Transport Encryption 6.4 Object Encryption 6.5 VPNs 6.6 Protocol, Algorithm, and Key Size Recommendations 6.7 Analysis 7 Passwords and Authentication 7.1 Authentication Principles 7.2 Passwords 7.3 Storing Passwords: Users 7.4 Password Compromise 7.5 Forgotten Passwords 7.6 Biometrics 7.7 One-Time Passwords 7.8 Cryptographic Authentication 7.9 Tokens and Mobile Phones 7.10 Single-Sign-On and Federated Authentication 7.11 Storing Passwords: Servers 7.12 Analysis 8 PKI: Public Key Infrastructures 8.1 What’s a Certificate? 8.2 PKI: Whom Do You Trust? 8.3 PKI versus PKI 8.4 Certificate Expiration and Revocation 8.5 Analysis 9 Wireless Access 9.1 Wireless Insecurity Myths 9.2 Living Connected 9.3 Living Disconnected 9.4 Smart Phones, Tablets, Toys, and Mobile Phone Access 9.5 Analysis 10 Clouds and Virtualization 10.1 Distribution and Isolation 10.2 Virtual Machines 10.3 Sandboxes 10.4 The Cloud 10.5 Security Architecture of Cloud Providers 10.6 Cloud Computing 10.7 Cloud Storage 10.8 Analysis III Secure Operations 11 Building Secure Systems 11.1 Correct Coding 11.2 Design Issues 11.3 External Links 11.4 Trust Patterns 11.5 Legacy Systems 11.6 Structural Defenses 11.7 Security Evaluations 12 Selecting Software 12.1 The Quality Problem 12.2 Selecting Software Wisely 13 Keeping Software Up to Date 13.1 Holes and Patches 13.2 The Problem with Patches 13.3 How to Patch 14 People 14.1 Employees, Training, and Education 14.2 Users 14.3 Social Engineering 14.4 Usability