
What's in Your Attack Surface?

The concept of "attack surface" has been batted around in the security community for a long time. At a high level, we all get the gist of it: the more exposed a system is to attackers (its attack surface), the more risk it probably passes on to those who depend on it. But what does that actually mean? Recently, my colleagues Danny McPherson, Lixia Zhang and I decided that it would be useful to have a definition and a technique that would let people illustrate and quantify systems' attack surfaces. Specifically, we asked three questions: how do we measure attack surfaces, how do we clearly understand the exposure of our systems' attack surfaces, and where should we start in order to understand these things?

Initially, we sought to understand the attack surfaces of systems that we are already interested in. Our operational responsibilities have motivated us to study topics like secure network protocols and systems, and helped us understand just how pronounced and complicated the systemic dependencies can be in them. One area of study that Verisign Labs and the Verisign CSO office have been investigating for a number of years is secure cryptographic key learning in the Internet. So, we decided to start there, with a topic on which we already have some knowledge.

"Knowing is half the battle!"

Recently, we created a new methodology called Functional Process Digraphs (FPDs) to address these open questions: systematically mapping the inherited dependencies of networked systems and quantifying their attack surfaces. Using this technique, we set about measuring and comparing the attack surfaces of deployments of two specific Internet protocols that do cryptographic key learning: the WebPKI and a newer protocol called DNS-based Authentication of Named Entities (DANE). Our objective with this research has been to evolve a methodology that lets anyone gain more clarity into the complex protocols running in today's Internet.

We detailed our approach, a round of measurements, and some of our findings in a recent publication titled "The Shape and Size of Threats: Defining a Networked System's Attack Surface." At this year's IEEE Workshop on Secure Network Protocols (NPSec '14) we were presented with the Best Paper Award for this paper.

We were flattered by this recognition, as NPSec is well known for publishing top-quality work on protocol-level security research. Among our contributions in this paper, we described:

  • The definition of a networked system's attack surface
  • Repeatable ways in which to quantify networked systems' attack surfaces
  • Observations to help design protocols in a way that can augment their availability without increasing their attack surfaces
  • How much some popular websites would be able to reduce their attack surfaces by deploying DNSSEC, and how much more by deploying DANE
  • A novel visualization technique, called resource tiers, to relate different types of resources in an attack surface in a visual manner
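To make the idea of a dependency digraph and a counted attack surface concrete, here is a small added example in Python. It is my own illustrative toy model, not the FPD methodology or any code from the paper, and it makes simplifying assumptions: a TLS session to a hypothetical `www.example.com` is the target, every resource it transitively depends on counts as attack surface (one node each), the resolver and network path only matter when DNS answers are unsigned, and the WebPKI is represented by a configurable number of trusted CAs, any of which could mis-issue. The "tiers" function groups resources by their shortest dependency distance from the target, in the spirit of the resource-tier view described above.

```python
"""Toy dependency digraph for a TLS session (illustrative model, not the paper's FPD).

Each edge a -> b means "a is only as trustworthy as b". The attack surface of the
target is the set of resources reachable from it; resource tiers group those
resources by shortest dependency distance from the target.
"""
from collections import deque
from typing import Dict, Set

# Constructed target name for the example; nothing here is a real measurement.
TARGET = "tls-session(www.example.com)"


def build_graph(dnssec: bool, dane: bool, ca_count: int = 3) -> Dict[str, Set[str]]:
    """Build the dependency digraph for one deployment scenario (assumed model)."""
    if dane and not dnssec:
        raise ValueError("DANE relies on DNSSEC-validated records")
    g: Dict[str, Set[str]] = {}

    def dep(a: str, b: str) -> None:
        g.setdefault(a, set()).add(b)
        g.setdefault(b, set())

    # Name resolution is inherited by every deployment: the answer depends on the
    # zone, which is delegated from the TLD, which is delegated from the root.
    dep(TARGET, "dns-answer")
    dep("dns-answer", "zone:example.com")
    dep("zone:example.com", "zone:com")
    dep("zone:com", "zone:root")

    if not dnssec:
        # Unsigned answers are only as trustworthy as the resolver and the path
        # the packets travel (cache poisoning, on-path tampering).
        dep("dns-answer", "recursive-resolver")
        dep("dns-answer", "network-path")

    if dane:
        # Key learning happens via a TLSA record inside the signed zone.
        dep(TARGET, "tlsa-record")
        dep("tlsa-record", "zone:example.com")
    else:
        # WebPKI: any one of the trusted CAs could issue a certificate for the name.
        for i in range(ca_count):
            dep(TARGET, f"ca-{i}")
    return g


def attack_surface(g: Dict[str, Set[str]], target: str) -> Set[str]:
    """Return every resource the target transitively depends on."""
    return set(resource_tiers(g, target).keys()) and {
        r for tier in resource_tiers(g, target).values() for r in tier
    }


def resource_tiers(g: Dict[str, Set[str]], target: str) -> Dict[int, Set[str]]:
    """Breadth-first search: tier k holds resources k dependency hops from the target."""
    tiers: Dict[int, Set[str]] = {}
    seen = {target}
    queue = deque([(target, 0)])
    while queue:
        node, depth = queue.popleft()
        for nxt in g[node]:
            if nxt not in seen:
                seen.add(nxt)
                tiers.setdefault(depth + 1, set()).add(nxt)
                queue.append((nxt, depth + 1))
    return tiers


if __name__ == "__main__":
    scenarios = {
        "WebPKI, unsigned DNS": build_graph(dnssec=False, dane=False),
        "WebPKI + DNSSEC": build_graph(dnssec=True, dane=False),
        "DANE + DNSSEC": build_graph(dnssec=True, dane=True),
    }
    for name, graph in scenarios.items():
        surface = attack_surface(graph, TARGET)
        print(f"{name}: {len(surface)} resources")
        for depth, tier in sorted(resource_tiers(graph, TARGET).items()):
            print(f"  tier {depth}: {sorted(tier)}")
```

Running the script prints the three scenarios in turn; with the assumed three CAs, the surface shrinks from nine resources (WebPKI over unsigned DNS) to seven (adding DNSSEC removes the resolver and path) to five (DANE replaces the CA set with a single TLSA record that inherits the zone's existing dependencies). The numbers are artifacts of the toy model; what carries over is the method of counting reachable dependencies rather than guessing.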

Our hope for this work is that it will serve as a starting point for researchers, engineers, and anyone who is invested in a secure Internet to begin quantifying systemic dependencies and attack surfaces. Additional details can be found in our Verisign Labs Technical Report #1120004. We have plans for follow-on work to apply this methodology to more networked systems and to build on it with techniques like Kill-Chain Analysis.

Verisign

About Verisign – Verisign, a global leader in domain names and internet security, enables internet navigation for many of the world's most recognized domain names and provides protection for websites and enterprises around the world. Verisign ensures the security, stability and resiliency of key internet infrastructure and services, including the .com and .net domains and two of the internet's root servers, as well as performs the root-zone maintainer functions for the core of the internet's Domain Name System (DNS).
