Segurança: Conceito Único (Safety/Security: a Single Concept?) - PowerPoint PPT Presentation

Slides: 28
Provided by: pcs86

Transcript and Presenter's Notes
1
Segurança: A Single Concept?
  • Prof. Dr. Jorge Rady de Almeida Jr.
  • GAS (Grupo de Análise de Segurança)
  • 11/11/2002

2
Segurança: A Single Concept?
  • "Segurança" as Safety
  • Safety-Critical Applications

3
Segurança: A Single Concept?
  • "Segurança" as Safety
  • Safety-Critical Applications

4
Segurança: A Single Concept?
  • "Segurança" as Security
  • Maintaining Data Consistency

5
Segurança: A Single Concept?
  • "Segurança" as Security
  • System Intrusions

6
Segurança: A Single Concept?
  • Safety: physical action
  • Motor, mechanism, brake, turbine
  • Security: electronic action
  • Data

7
Definition
  • Safety
  • Security

Information System
8
Definition
  • Safety - Railway Applications: The Specification
    and Demonstration of Reliability, Availability,
    Maintainability and Safety - EN 50126
  • Freedom from unacceptable risk of harm.
  • Security - Standard NBR ISO/IEC 17799
  • Information security is the protection against a
    large number of threats to information, so as to
    ensure business continuity, minimizing commercial
    damage and maximizing the return on investment
    opportunities.

9
New Approaches to Critical-Systems Survivability,
Nancy Leveson, Mats Heimdahl,
www.cert.org/research/isw/isw98/all_the_papers/no26.html
  • Safety and security hazards have many
    similarities
  • Both deal with threats or risks
  • Safety primarily deals with threats to life or
    property while security has traditionally dealt
    with threats to privacy or national security
  • With the current interest in information warfare
    and security threats to the critical
    infrastructure, this difference is fading
  • Both often involve negative requirements or
    constraints that may conflict with some important
    system goals
  • Both involve protection against losses, although
    the types of losses involved may be different
  • Both involve global system properties considered
    of supreme importance

10
New Approaches to Critical-Systems Survivability,
Nancy Leveson, Mats Heimdahl
  • Security focuses on malicious actions, whereas
    safety is primarily concerned with well-intended
    actions

11
Software Safety, Alan Tribble, Software
July/August 2002
  • Safety is freedom from the conditions that cause
    accidents.
  • This is a separate idea from security, a system's
    ability to resist attempts to influence its
    operation or reliability, a system's ability to
    continue to provide functionality

12
Addressing New Security and Privacy Challenges,
Anup Ghosh, IT Pro, May/June 2002
  • However, the tragic events of 11 September and a
    series of serious worms and denial-of-service
    attacks should serve as an urgent wake-up call
    that society is indeed vulnerable to threats
    against critical infrastructure.
  • These critical systems include those for
    telecommunications, transportation, energy,
    banking and finance, government and emergency
    services - systems vital to the world's normal
    functioning and well-being
  • Incapacitating any one or multiple portions of
    these infrastructures could compromise economics
    and public safety

13
The Technology of Safety and Security, John
Cullyer, Computer Bulletin, October 1993
  • There are two main areas of concern
  • First, the very large banking, stock market and
    financial services networks
  • and second the embedded systems used to control
    vital transportation systems or continuous flow
    production plant
  • If hardware or software malfunction threatens
    large-scale financial losses, places the lives of
    the general public at risk, or threatens serious
    damage to the environment of the Earth, we
    describe the system as high integrity

14
The Technology of Safety and Security, John
Cullyer, Computer Bulletin, October 1993
  • A security kernel is some combination of
    hardware and software used in conjunction with a
    processor, which helps to prevent unauthorized
    disclosure or modification of data held within
    the computing systems and provides support for
    measures to ensure continuous service in the
    presence of potentially malicious acts by users
  • A safety kernel is some combination of hardware
    and software protection which helps to preserve
    service and ensure reliable operation in a system
    in which there are assumed to be no malicious
    acts by users, but where operations may be
    threatened by accidental errors made by both
    designers and operators
  • These concerns can be blended into a single topic
    often called computer integrity

15
Requirements Engineering, Kotonya and Sommerville,
John Wiley, 1998
  • There are three principal types of critical
    systems
  • Business Critical Systems, where a failure of the
    system causes significant economic damage to a
    business. An example of such a system is an
    airline reservation system
  • Mission Critical System, where the failure of the
    system means that some mission cannot be
    accomplished. An example of such a system is a
    control system on a spacecraft
  • Safety Critical System, where a failure of a
    system endangers human life or causes significant
    environmental damage. An example of such a system
    is a control system for a radiation therapy
    machine

16
Requirements Engineering, Kotonya and Sommerville,
John Wiley, 1998
  • Security is an essential prerequisite for safety,
    as it is impossible to be confident that a system
    is safe unless you can be confident that the
    system and its data cannot be tampered with

17
Safety Critical Systems: Challenges and
Directions, John C. Knight, 24th Conference on
Software Engineering, 2002
  • What are Safety-Critical Systems?
  • The concern both intuitively and formally is with
    the consequences of failure
  • If the failure of a system could lead to
    consequences that are determined to be
    unacceptable, then the system is safety-critical
  • Traditional Systems
  • Traditional areas that have been considered the
    home of safety-critical systems include medical
    care, commercial aircraft, nuclear power and
    weapons
  • Failure in these areas can quickly lead to human
    life being put in danger, loss of equipment, and
    so on

18
Safety Critical Systems Challenges and
Directions, John C. Knight
  • Non-Traditional Systems
  • A closer examination reveals that many new types
    of system have the potential for very high
    consequences of failure, and these systems
    should probably be considered safety-critical
    also
  • It is not obvious that loss of a telephone system
    could kill people. But a protracted loss of 911
    service will certainly result in serious injury or
    death
  • Other examples are transportation control,
    banking and financial systems, electricity
    generation and distribution, telecommunications,
    and the management of water systems
  • It is prudent to put the computer systems upon
    which critical infrastructures depend into the
    safety-critical category

19
Safety Critical Systems Challenges and
Directions, John C. Knight
  • System Design and Manufacturing
  • There are, however, plenty of software systems
    that are used in the design and manufacture of
    other systems where the consequences of failure
    could be considerable. Software that supports the
    development of other software (such as a compiler)
    is itself safety-critical if the product that it
    supports is safety-critical
  • Thus although the end product might be a building
    or a bridge, the dependence of that end product
    on a computer system during design makes the
    design computer system safety-critical

20
Safety Critical Systems Challenges and
Directions, John C. Knight
  • Information System Security
  • Money is moved locally and around the World on
    private networks owned by financial institutions.
    Transportation systems are monitored and
    controlled using mostly private networks. A
    successful attack against certain private
    networks could permit funds or valuable
    information such as credit card numbers to be
    stolen, transportation to be disrupted, and so on
  • The potential for loss is considerable, and
    although no physical damage would be involved in
    security failures, the consequences of failure
    are such that many systems that only carry
    information should be regarded as safety-critical

21
The Integration of Safety and Security
Requirements-Safecomp 99, D. Eames, J. Moffett
  • Computer systems are increasingly used in areas
    where their failure could have serious
    consequences
  • There are many opinions as to the properties such
    critical systems should possess, and the
    techniques that should be used to develop them
  • Two such properties are safety and security
  • Within their domains, specialized methods have
    been developed to investigate and generate
    requirements specifications
  • However, systems that are now being built are
    frequently required to satisfy these properties
    simultaneously
  • There is growing interest in the degree to which
    techniques from one domain complement or conflict
    with those from the other

22
The Integration of Safety and Security
Requirements-Safecomp 99, D. Eames, J. Moffett
  • Safety Risk Analysis Process
  • Functional and Technical Analysis (how the system
    works)
  • Qualitative Analysis (causes and hazards that may
    affect the system)
  • Quantitative Analysis (figures for the previous step)
  • Synthesis and Conclusions (identification of
    critical modules)
  • Security Analysis Process
  • Asset Identification (identification of resources
    that require protection)
  • Vulnerability Analysis (threats to the secrecy,
    integrity and availability of data)
  • Likelihood Analysis (figures on the threats)
  • Countermeasure Evaluation (new controls)

23
The Integration of Safety and Security
Requirements-Safecomp 99, D. Eames, J. Moffett
  • Integration of Safety and Security
  • Adjusting or modifying techniques to bring them
    into alignment with each other
  • Comparison
  • System Modeling
  • Qualitative Analysis
  • Quantitative Analysis
  • Defining the Requirements

24
The Integration of Safety and Security
Requirements-Safecomp 99, D. Eames, J. Moffett
  • Discussion
  • Both (safety and security) deal with risks
  • Both safety and security risk analyses result in
    constraints (negative requirements)
  • Both involve protective measures
  • Both produce requirements that are considered to
    be of greatest importance
  • These similarities indicate that some of the
    techniques applicable to one field could also be
    applicable to the other

25
The Integration of Safety and Security
Requirements-Safecomp 99, D. Eames, J. Moffett
  • Discussion
  • It is inappropriate to attempt to unify safety
    and security risk analysis techniques
  • Consolidation of safety and security could reduce
    developers' understanding of the system being
    analyzed
  • Attempts to unify two such techniques would
    involve compromises in each, which in turn could
    lead to an incomplete analysis, with subsequent
    safety and security risks going unobservable and
    being incorporated in the final system
  • An additional danger is that a unified approach
    might actually hide the requirements conflicts
    that it aims to resolve
  • Also, the process of resolving conflicts itself
    can actually be worthwhile, as it engenders better
    understanding of the system and its domain

26
The Integration of Safety and Security
Requirements-Safecomp 99, D. Eames, J. Moffett
  • Discussion
  • Our analysis leads us to believe that the value
    in integrating safety and security lies with
    harmonizing techniques from each domain. Such an
    approach would provide numerous benefits without
    the disadvantages associated with unification
    approaches
  • The specialized techniques developed in each
    domain would not have to be compromised
  • Conflicts could become more apparent than if the
    techniques were applied in isolation, as
    comparisons between two sets of requirements
    could be simpler
  • The cross fertilization of ideas from one domain
    to the other could promote better understanding
    of the system and its environment, and might lead
    to the recognition of risks that could otherwise
    be overlooked
  • Separation of properties would permit recognition
    of conflicts and trade-offs, and allow
    judgment-based decisions to be made, rather than
    have an automated method make choices, and
    perhaps screen them from the system developers
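The following Python script is an added illustration, not code from the slides or from Eames and Moffett. It runs the two analysis processes listed on slide 22 (safety: hazards per module scored and synthesized into critical modules; security: threats per asset scored into candidates for countermeasures) on a constructed building access-control system, and then performs the harmonisation step argued for on slides 23 to 26: the two requirement sets are kept separate and compared on the components they share, so that a conflict (here, a safety requirement to unlock exit doors on fire alarm against a security requirement to keep them locked) is surfaced for a human decision rather than resolved or hidden by an automated method. All modules, hazards, threats, requirements and the scoring threshold are constructed for the example.

```python
# Added example (not from the slides or from Eames & Moffett): a toy run of the two
# analysis processes on slide 22, then the harmonisation step of slides 23-26.
# Every system element, hazard, threat, requirement and threshold here is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Hazard:
    """Safety side: an accidental failure of a module (no malice assumed)."""
    module: str
    description: str
    likelihood: int   # 1 (rare) .. 5 (frequent)
    severity: int     # 1 (negligible) .. 5 (catastrophic)


@dataclass(frozen=True)
class Threat:
    """Security side: a malicious action against an asset and the property it attacks."""
    asset: str
    description: str
    property: str     # "confidentiality", "integrity" or "availability"
    likelihood: int   # 1 .. 5
    impact: int       # 1 .. 5


@dataclass(frozen=True)
class Requirement:
    """A constraint (negative requirement) produced by one of the two analyses."""
    domain: str       # "safety" or "security"
    component: str    # the system element it constrains
    state: str        # the state the component must be in
    trigger: str      # condition under which it applies; "always" if unconditional
    text: str


RISK_THRESHOLD = 12  # constructed cut-off on the 1..25 likelihood x severity scale


def safety_risk(hazards):
    """Qualitative -> quantitative step: worst likelihood x severity per module."""
    risk = {}
    for h in hazards:
        risk[h.module] = max(risk.get(h.module, 0), h.likelihood * h.severity)
    return risk


def critical_modules(hazards, threshold=RISK_THRESHOLD):
    """Synthesis step: modules whose safety risk reaches the threshold."""
    return sorted(m for m, r in safety_risk(hazards).items() if r >= threshold)


def security_risk(threats):
    """Likelihood analysis: worst likelihood x impact per asset."""
    risk = {}
    for t in threats:
        risk[t.asset] = max(risk.get(t.asset, 0), t.likelihood * t.impact)
    return risk


def assets_needing_countermeasures(threats, threshold=RISK_THRESHOLD):
    """Input to countermeasure evaluation: assets whose security risk reaches the threshold."""
    return sorted(a for a, r in security_risk(threats).items() if r >= threshold)


def triggers_overlap(a, b):
    """Two triggers can be active at the same time if equal or if either is unconditional."""
    return a == b or "always" in (a, b)


def find_conflicts(requirements):
    """Harmonisation: keep the two requirement sets separate, then compare them on the
    components they share. A pair conflicts when it demands different states of the
    same component under overlapping triggers. Conflicts are reported for a
    judgment-based decision, never resolved automatically."""
    safety = [r for r in requirements if r.domain == "safety"]
    security = [r for r in requirements if r.domain == "security"]
    return [(s, c) for s in safety for c in security
            if s.component == c.component
            and s.state != c.state
            and triggers_overlap(s.trigger, c.trigger)]


# Constructed data: a building access-control system with a server room.
HAZARDS = [
    Hazard("door_controller", "controller reboots during an evacuation", 3, 5),
    Hazard("door_controller", "exit doors fail locked on power loss", 2, 5),
    Hazard("hvac", "server room fan stops", 3, 3),
]
THREATS = [
    Threat("door_controller", "forged unlock command on the control network", "integrity", 3, 5),
    Threat("badge_db", "badge holder list read by an outsider", "confidentiality", 2, 3),
    Threat("hvac", "remote shutdown over an unauthenticated protocol", "availability", 2, 4),
]
REQUIREMENTS = [
    Requirement("safety", "door_controller", "unlocked", "fire alarm",
                "All exit doors shall unlock while the fire alarm is active"),
    Requirement("security", "door_controller", "locked", "always",
                "Exit doors shall stay locked unless a valid badge is presented"),
    Requirement("security", "control_network", "authenticated", "always",
                "Unlock commands shall carry a valid authenticator"),
    Requirement("safety", "hvac", "running", "server room over temperature",
                "Ventilation shall run while the server room is over temperature"),
]

if __name__ == "__main__":
    print("critical modules (safety):", critical_modules(HAZARDS))
    print("assets needing countermeasures (security):", assets_needing_countermeasures(THREATS))
    for s, c in find_conflicts(REQUIREMENTS):
        print(f"CONFLICT on {s.component}: safety wants '{s.state}' when {s.trigger}; "
              f"security wants '{c.state}' when {c.trigger}")
```

Note that the door controller comes out as both the critical module of the safety analysis and the asset most in need of countermeasures in the security analysis, which is exactly the kind of shared component where the slides expect conflicts and trade-offs to appear; the script only lists the conflicting pair, leaving the trade-off (for example, a fail-safe unlock that is logged and alarmed) to the developers.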

27
  • Analysis
  • Safety/Security Analysis vs. Risk Analysis