This course we will explore the foundations of software security. We will consider important software vulnerabilities and attacks that exploit them -- such as buffer overflows, SQL injection, and session hijacking -- and we will consider defenses that prevent or mitigate these attacks, including advanced testing and program analysis techniques. Importantly, we take a "build security in" mentality, considering techniques at each phase of the development cycle that can be used to strengthen the security of software systems. Successful learners in this course typically have completed sophomore/junior-level undergraduate work in a technical field, have some familiarity with programming, ideally in C/C++ and one other "managed" program language (like ML or Java), and have prior exposure to algorithms. Students not familiar with these languages but with others can improve their skills through online web tutorials.
Interview with Kevin Haley
Loading...
來自 University of Maryland, College Park 的課程
Software Security
701 個評分
從本節課中
WEB SECURITY
Web security: Attacks and defenses
與講師見面
Michael HicksProfessor
Department of Computer Science
[SOUND].
>> Okay. Welcome, everyone.
I'm pleased to have with me today Kevin Haley, who's Director of
Symantec Security Response at Symantec and we're going to talk about hacks and
defending against them and trends and all kinds of fun stuff about cyber security.
So Kevin, welcome.
>> Thanks, thanks for having me.
>> So, I wonder if you could tell us a bit more about your background and
how you got involved in computer security work.
>> Well, it's interesting when I, when I was first getting started there were
really, really wasn't strong computer programs in schools and
certainly no computer security programs.
So I came up through computer company working on operating systems.
I have a good knowledge of those and
then found the security area interesting and got engaged in that.
And it's been really a terrific experience.
It's an ever changing field.
No day is like the other.
And we spend a lot of time protecting people against the bad guys, so
it's pretty satisfying work.
>> And can you say more about your how, what's it's been like to work at Symantec?
How long you've been there?
And maybe more about your job title and what you do?
>> Sure. I've been with Symantec for 16 years I've
had a variety of roles mainly in product management where I have
worked on security products for mail servers for gateways and for desktops.
So the product that many people are running at home,
the Norton product on your desktop or at work, the Symantec or
Symantec Endpoint Protection product, I had a hand in those.
For the last six years, I've been in our research area.
This is security response, where we are looking at the latest threats.
We're trying to figure out how to protect our customers from them and we actually
received malware from our customers and so we are responding to about a million
new threats every single day and pumping out protection for our customers, so
that we can update those systems and keep them protected from the latest threats.
>> Oh, fantastic.
So maybe we could dig into that a little bit.
Symantec because of its pervasive security products,
the ones you were just mentioning.
Right? It's running on a lot of people's desktops
on there, whether at work or at home.
And so obviously, those products are on the front lines,
they're seeing what's happening.
And the information that they observe, I I, presume you guys are able
to take advantage of that information and figuring out what the trends are.
What, what the adversaries might be doing and that helps you craft a response.
I wonder if you could say more about what you've been able to learn about trends
and, and sort of the state of security today and how you make,
take advantage of the information that you have.
>> Yeah absolutely.
That's one of our great sources of information is the feedback that's coming
from all those systems.
They let us know about detections that we've made.
What we've detected, where we've detected from, so
we've been able to gather information there.
We of course, have Honey Pots out on the network.
We have researchers that are out there looking for new things, as well.
But it's that feedback from customers, the automatic feedback built into products
themselves and our customers ability to send us suspicious files.
They'd give us a great deal of data and to be able to track and see different trends.
Probably, the most significant trend that I've seen having been here for
a number of years is the change from kind of the lazy malware looking to kind
of make a name for themselves, the people writing it to the criminalization of it,
which we first started seeing around in 2005, 2006.
Where today, the vast majority of malware is written by criminals looking
to steal money or information and data that can be turned into money from you.
And then of course, in the last several years,
the nation state type of use of malware for cyber espionage.
And of course, it has the potential for cyber sabotage and,
and other forms of politics by other means.
>> So, I, I, it sounds like just that, that brief history of the,
the way things have been moving that and
probably everyone would think this just from reading their newspaper,
that the scope of a security threat is, is just growing like crazy.
Is that true from your vantage point?
And why do you think that is, if so?
>> What we're seeing is an incredible increase every year in the amount of
threats.
We are at a point where we see almost a million new pieces of malware
every single day.
I think there's a driver for this and it's really that our
move to the virtual world has led criminals to the virtual world, as well.
With a minimum amount of technical skills, one can get involved in crime and
that crime can be done from a distance and it can be quite profitable and
it's very difficult for law enforcement to catch these people.
Now, instead of walking up to somebody knocking them down and
stealing their purse or their wallet or their watch, you can do it from one
country using computers in another country and the ultimate victim is in a third.
Whose jurisdiction is that?
Whose responsible?
Takes a lot of coordination between law enforcement,
takes a lot of technical expertise on their part.
So, it can be very complicated to find these people and to prosecute them.
So, it's a lot safer for the bad guys to move to the virtual world.
>> Wow, that makes a lot of sense.
In, in the class, in this Coursera class on software security we've spent a lot of
time looking at the root causes for some of the vulnerabilities that adversaries,
like the ones you speak of are exploiting.
The sophisticated hackers who are able to effectively re-purpose software from
what it was intended to do to something nefarious that they can take advantage of.
And we've looked at things like, that classic buffer overflows
to format string attacks to web based security threats too.
Like SQL injections and cross-eyed scripting and say request forgery.
I wonder if you could say a little bit about the trends
in terms of vulnerabilities that the root causes of those vulnerabilities.
Does the data you have a look at that, that you have access to
say anything about these vulnerabilities, which maybe are the more important?
>> Well, if it's okay with you, I'd like to go back and
actually talk about, you know?
We, we're focused and what gets in the newspapers about these very
sophisticated hackers who use vulnerabilities.
Unfortunately, there is an underground economy with an infrastructure in place
that allows even people that aren't that sophisticated to use these
vulnerabilities.
There are people that make toolkits and
the way they sell those toolkits is that it has a lot of functionality,
you don't need to know much to be able to use this toolkit to attack someone and
these toolkits are always refreshed with the latest vulnerabilities.
So you always have fresh vulnerabilities to use things that people haven't,
aren't aware of, haven't patched yet.
So that really becomes a selling point for these toolkits.
It's a way for them to make more money and it enables people with very
little technical skills to get into this game and to rip us off.
From a trend perspective, we have seen, you know,
an increase in the number of vulnerabilities found every year.
That continues to trend upward.
Some of this of course is the number of lines of code continue to increase.
So, it's probably natural, but it also says that we haven't done
a great job of making that new code have less vulnerabilities in it, you know?
Despite all our efforts, we are not keeping up.
And there is an active underground group of users who are looking for
those vulnerabilities to exploit them.
>> That we really need to step out,
up our efforts to avoid putting those vulnerabilities in the first place.
And when we do have them, get them patched, updated and
get that out to all the people using that software as soon as we can.
>> That makes a lot of sense.
One of the elements of a reasonable security posture
is when those vulnerabilities inevitably do remain to respond
to them as to used something like antivirus.
You mentioned a couple of Symantec products before.
I wonder if you could tell us a bit more about how antivirus works and
what it's role is in in someone's security posture.
>> Absolutely, historically antivirus is a pattern matching type technology,
we know what a virus looks like, we will write a signature or
a fingerprint that can identify it when we scan a system.
So we'll know it when we see it.
When we see it, we'll either remove it from your machine or
we'll stop it from getting on your machine overall.
We've had to get a bit more sophisticated with antivirus, because of the amount of
malware that's written the bad guys use something called variants.
So they have tools that will create versions that look slightly different from
the one they wrote and that tool will create 1000 of these new variants in order
to try to evade detection.
So we've put in heuristic technology.
We've used machine learning.
We've taken steps to increase our ability to catch things beyond
exactly matching them with a pattern or fingerprint.
We've also invested in other technologies and when we talk about technology or
software that you're running on your desktop to protect you,
we don't even say antivirus anymore.
We say, endpoint protection, because we're using network-based protection,
IPS protection to look for signs of to command and
control server or when these exploits or vulnerabilities being used.
If we can catch the exploit or the vulnerability quickly, vulnerability or
the exploitation of that vulnerability, doesn't matter what the malware is,
we can block it.
So we have that type technology, we use behavior blocking technology.
Things that, that file is doing on a machine looks like malware, so
it must be malware.
And we've even introduced technologies like reputation, where have the file,
where, what machines have it been on before?
What are those types of machines?
How prevalent is it in the wild?
Looking at different factors so not even having seen that file, but
knowing things about it we can determine whether it's malware or not.
So, it takes a whole host of technologies to protect people today.
>> So, it sounds like these technologies it in the beginning or a few moments ago,
you pointed out the importance of of getting that software fixed and
getting the patches out and, and users actually applying those patches.
And then at the same time,
we have these various technologies whether it's scanning files for, for signatures or
looking at message messaging patterns or protocols being used and so on.
That all of these things are sort of working together to identify behavior.,
. but in the end,
you're not going to solve the problem of buggy software.
Ultimately, the software needs to be fixed and these other technologies are,
are complimentary in identify potentially malicious behavior and
stopping it before it's able to exploit things.
Is it, do I have that right?
>> Yeah, absolutely.
We're trying to cover during that period while the patch is being developed and
distributed out.
And we're going to do the best we can until that that,
that vulnerability's been patched.
>> Okay. Excellent.
So, I'm wondering if you know, if Symantec has any
advice based on, well, if you have any advice, I suppose.
Based on your perspective firm seeing the exploitations or vulnerabilities and
seeing these various trends.
At how maybe we, we could do a better job of building security and
maybe avoiding those vulnerabilities in the first place.
I mean, maybe it's fair enough to say that really you're,
you're operating outside of that space in order to protect us in that window.
But I wonder if you have any insights based on your observation of all of these,
these threats and
attacks about maybe how we could build software a little bit better.
What, maybe what are the most important things to focus on,
assuming we're going to get some things wrong.
What are the things we really outta try harder to get right to make
software better?
>> I think the first step is really recognizing
the problem that the software that you write can be use for other purposes and
put the users of the software at risk.
And I don't think a lot of people think of that responsibility they have when they
write that code.
We often see, especially startups who are anxious to get software out in
the marketplace to acquire customers and so
the most important thing is to have some functionality, somebody wants to use.
Security tends to be an afterthought.
When, when the first problem happens, then we'll address it.
It's really not a good business plan and in the end,
you shake the confidence of your customers in you and your brand.
We think first of all, it needs to be built-in.
So that's why courses, like are very exciting for us.
That we're training people to think about this when they develop the software.
The other thing is to recognize that there are a lot of people out there that
are going to spend a lot of time thinking about this and
trying to break your systems.
And then so
part of your process may be to have somebody do that before you release it.
So for all the texting you do, maybe you need to do some type of pen testing
whether it's internal to your organization or external.
And have somebody come in there and try to break it for
you before it's released, rather than when it's out in the wild.
>> We it's, it's great that you mention that.
So a little bit later on in this course, one of the last the last week, in fact,
we do talk about penetration testing and we interview a, a guy from a penetration
testing company, Eric Ames to talk about penetration testing.
And it's really, really a fascinating area,
because you get to put that black hat on.
But for the ultimate purpose of revealing the bugs as you say,
before they're exploited in the wild.
So, I know a lot of students are excited about that kind of activity.
>> Yeah, it's a, it's a great exercise to go through.
>> So that kind of relates back to this a broader question,
which is undergraduate education.
So, I'm a professor in Computer Science at the University of Maryland and
I think we, have a, a great curriculum.
But I know that computer science is really broad and
covering the goal of covering so many different courses,
some important things, like maybe some aspects of computer security get left out.
And that, that's certainly true in, in our curriculum.
If you don't, in some ways, look for security,
it's not necessarily going to find you and I suspect it's true in other curricula.
So, I wonder what's your view from being in
the industry about stuff that maybe students are interested in computer
security really ought to be learning in their of course curricula.
If they have an opportunity, what should they take?
What should maybe university curricula be doing differently to better train up
people to, to be ready for, for careers such as yours or in, in the, in the field?
>> Well, I, I think the fundamentals are that, that build, you, as you said,
you need to fixs security into the process.
So that really needs to be part of, of every every application you build.
And I think probably part of the cor, when you learn the computer program,
you probably should, you taught these best practices alongside that course.
When it's done afterwards, its always more difficult to do.
So first steps are terrific that we're teaching this sort of information and
that people are learning it.
>> They absolutely have to have those skills in order to create good code.
So the, the sooner they learn it and the more integrated it is with their
effort to learn coding overall, I think the better off we'll all be.
>> I wonder if you could open up your crystal ball a little bit and
look at what you see as potential future outcomes.
The long-term prognosis for computer security.
What might happen?
And what might we need to do in order to prevent the worst from
happening looking ahead?
>> Well, I, I, I would say that almost any crime, any type of scam or
con that you can think of is been mo, has moved to the internet or
is in the process of moving it to the internet.
And so we will continue to see crime move there, it'll continue to evolve.
It may look slightly different.
But it will be, because it's using the internet, but it'll be bigger and faster.
So we have an obligation to try to protect ourselves from that.
The other trend clearly is that countries are looking at this
where are all adding their own kind of cyber forces.
Not only for defense, but also for offense as well.
And so this is an ongoing trend that we will continue to see.
I don't expect to see the amount of malware that's created or
crime [INAUDIBLE] go down, that will continue to grow.
But I think what's happened is our systems are becoming even more complex and
more difficult for one person to understand.
But one determined person looking for a hole or a way to break in,
then does have an advantage.
Probably, the biggest factor changing things,
of course, will be the internet of things.
As we get billions of devices that are connected to the internet that are running
operating systems.
But may, may not have a user interface,
may not be something that we ever directly interface with.
But will have software, will have vulnerabilities and
people will look to take advantage of those.
And so, I think that maybe or definitely will be even a bigger challenge than we
have on PCs and phones, it's these devices that sit in our offices,
sit in our homes that we never connect to, but connect us.
And that way may very well be in effect.
We've seen already being taken advantage of.
>> Yeah. Frankly, that's that's a frightening
prospect that even more stuff around you is connected and potentially vulnerable.
And if the people that are putting this stuff together are not thinking about
security and that the products to sort of defend them.
In the mean time, our need to figure out this new landscape.
We're just going to be that much more vulnerable in the short-term.
>> Yeah, I'll give you an example you know, there's a,
there's a very famous story of a baby monitor being hacked.
Dad walks into his room or his daughter's room and somebody is shouting obscenities,
shouting obscenities through the speaker of the webcam that he uses to watch his
daughter and check up on her on his phone.
Well, there is a vulnerability in that webcam that allowed him,
an attacker to get in there, control the camera and the speaker.
Now, if you've gone to the website of the manufacturer, they knew that,
that vulnerability was there and they would tell you that all you need to do is
flash ROM in order to fix that vulnerability.
Well, how many parents of newborns buying a, nanny cam or webcam would think to go
to the website in the first place, think that there would be a vulnerability in it.
And how many of them know how to flash a ROM?
All right.
But the manufacturer hadn't thought about that either and
really didn't have a good way to help these people out.
That's clearly a challenge for us moving forward.
>> Well, that's really interesting.
So maybe as as a final thought I have been to Symantec's website,
you mentioned Symantec research, you know?
There's a lot of great information there that's available for,
for people to find about trends and threats.
I wonder if you could say a little bit about the resources that you have
available for people to learn more about the current state of security or to,
to to learn about techniques and
ideas that you guys are pursuing that maybe they could also learn more about.
>> Yeah, absolutely.
On our site, specifically on the security response part of the site,
we are writing blogs and putting together on white papers on the ways to tax.
Information that we've been able to glean out attack groups and
the methods they use.
So there's a lot of fascinating information there.
And once a year, we gather all the information that we've collected through
the year and we put it together,
compile it to kind of get a sense of where threat landscape is and where it's going.
It's called the Internet Security Threat Report.
The new one will actually be out April 14th and so we'll look back on 2014,
what happened and what that means for the future.
>> Okay.
Great.
Well thank you so much for taking this time to to speak with me and for
our learners in this Coursera course on software security, its been,
it's been really interesting.
So thank you for your time.
>> My pleasure and go up everybody on that course,
it's something we really need people to understand.
