Trusted computing a shield against worst attacks?
The case for identifiable devices
Trusted computing proponents may have found their best argument yet for incorporating specialised security hardware into every computer system.
A report published this week by computer firmware developer Phoenix Technologies concluded that the risks posed by the most damaging digital attacks could be eliminated if companies adopted technology to identify users' computers on the network.
Based on an analysis of the damage numbers included in 107 cybercrime cases prosecuted by the US Department of Justice, the author of the eight-page report - market research firm Trusted Strategies - concluded that the most damaging attacks are those where the offender used stolen usernames and passwords and that such attacks caused on average $1.5m in damages per occurrence.
The win for trusted computing: The analysis estimated that 84 per cent of the attacks disclosed in court filings could have been prevented by checking the identity of the device being used to connect to a company's network as well as the user.
"We didn't know what we were going to get back - what we wanted was to objectively look at the losses caused by attacks," said Dirck Schou, senior director of security solutions for Phoenix Technologies. "What (the analyst) came back with was a strong case for having identifiable devices."
Device identification - or attestation - is a central capability of the hardware component of the trusted computing model, known as the Trusted Platform Module (TPM).
Phoenix Technologies, which makes one version of the basic input/output system (BIOS) that allows operating systems to control a computer's hardware, has created products that work with the TPM to identify the computer systems on a corporate network, but has also created products that can also work without the specialised hardware, Schou said.
The analysis could be the most persuasive argument to date for the adoption of trusted computing to increase network security. Trusted computing has garnered a great deal of criticism because another primary application of the technology - digital rights management (DRM) - could significantly reduce consumers' fair use of copyrighted content and give third-party content companies a great deal of control over users' systems.
Yet, more and more personal computers and laptop systems are shipped with the technology already on board. About 20m computers, most of them laptops, shipped with the Trusted Platform Module in 2005, according to the Trusted Computing Group, the industry association that has created the hardware specification.
The US Army has required that all procured computer systems include the latest version of the Trusted Platform Module. And consumers that buy the latest Mac hardware from Apple are also getting the technology.
However, the increase in the number of systems shipped with the technology does not mean users are sold on trusted computing. While media companies interested in stronger copy protection have already bought into the idea, companies have been a harder sell. Many of them have purchased systems with the feature but have not turned on the capabilities, said Brian Berger, executive vice president for Wave Systems and a board member for the Trusted Computing Group. The Phoenix Technologies study could convince them to do so.
"I think (the trusted computing platform) reduces the risk significantly, but the caveat to that comment is that companies need to deploy TPMs and turn them on," Berger said. "If they implement a model that prevents user name and password from being stolen on a prevalent basis, that is a great solution. If they do platform attestation, that is a great solution as well."
In many cases, however, trusted computing hardware could be overkill.
Even if companies accept that device identification could stymie 84 per cent of the most damaging attacks, that does not necessarily mean that trusted computing is the only way to go, said Seth Schoen, staff technologist at the Electronic Frontier Foundation, who has researched the potential societal effects of trusted computing in the past.
"In some cases, there may be cheaper and simple ways to defend against some of the attacks," he said in an email interview with SecurityFocus. "For example, IP addresses could be used to authenticate some machines - and are probably sufficient under some threat models and policies to make the distinction between 'sanctioned' and 'unsanctioned' machines."
Moreover, Schoen still has questions about the methodology of the report, because the version of the report available online does not provide much detail about the data set. The study found that the industries hardest hit by attacks were government, retail and high-tech, and that 78 per cent of attackers used a home computer to do the deed, but that leaves a lot of questions unanswered, Schoen said.
Companies should ask whether they can reliably distinguish between sanctioned and unsanctioned computers on the network, whether employees working from home on unsanctioned computers would be allowed to access the network, and whether the technology could be deployed pervasively enough to matter.
"We would need to know that the unsanctioned computers were actually necessary to the commission of these crimes, and that the crimes could not have been committed without using the unsanctioned computers," he said. "Here, especially, we have no evidence whatsoever."
The report accounts for most of those questions, said Bill Bosen, founding partner of Trusted Strategies, the firm that researched and created the report.
The analyst trimmed down the data set to only those cases that included information on damages, where the computers used to stage the attack was located, and the relationship of the defendant to the organisation hit. Home computers used by someone unrelated to the company were considered 'unsanctioned' while computers located on the company premises were 'sanctioned', Bosen said.
"We think the margin of error was small. Device authentication would not have stopped all crimes. For example, there were a number of cases were the individual had valid credentials and was on a company machine but overstepped their authorisation."
The study found that an attacker with valid credential could do far more damage than a program that exploited some other flaw to gain control of a system. The average cost of a virus attack to any single company was about $2,400, far lower than the $1.5m caused by attackers armed with a valid username and password, Bosen said.
Perhaps a larger question regarding the report is whether a study funded by a company benefiting from the conclusions should be taken seriously. While the report takes the form of a whitepaper supporting Phoenix Technologies security product, that should not take away from the validity of it, said Suzy Bauter, a spokesperson for the company.
"We originally did the research to make sure that we were going down the right path and make sure that we were solving the right problem," she said. "Sure, it's self serving, but it is what it is. We didn't create the common denominators found by the report."
This article originally appeared in Security Focus.
Copyright © 2006, SecurityFocus