A Holistic View of Enterprise Security - PowerPoint PPT Presentation
1
A Holistic View of Enterprise Security
  • Rafal Lukawiecki
  • Strategic Consultant, Project Botticelli Ltd

2
Objectives
  • Define security in a practical and measurable way
  • Decompose the environment
  • Introduce OCTAVE
  • Introduce simple risk assessment
  • Introduce the concepts of threat modelling for
    enterprise security
  • Overview major security technologies

3
Session Agenda
  • Defining Security Concepts
  • Building a Secure Environment
  • Processes
  • OCTAVE
  • Simplified Security Risk Analysis
  • Formal Threat Modelling
  • Summary

4
Defining Security Concepts
5
Security
  • Definition (Cambridge Dictionary of English):
    ability to avoid being harmed by any risk, danger
    or threat
  • Therefore, in practice, an impossible goal?
  • What can we do then?
  • Be as secure as needed:
    ability to avoid being harmed too much by
    reasonably predictable risks, dangers or threats
    (Rafal's definition)

6
Challenge
  • Security must be balanced with usability (and
    accessibility)
  • Most secure = useless
  • Most useful = insecure
  • Know the balance you need
  • Factor in the price: both security and usability
    cost a lot

7
Cost-Effectiveness of Security
  • "Appropriate business security is that which
    protects the business from undue operational
    risks in a cost-effective manner." (Sherwood,
    2003)
  • Estimating the cost and effectiveness of security
    requires knowledge and estimation of:
  • Assets to protect
  • Possible threats or losses
  • Cost of their prevention
  • Cost of contingencies

8
Adequate Security
  • CERT usefully suggests:
  • "A desired enterprise security state is the
    condition where the protection strategies for an
    organization's critical assets and business
    processes are commensurate with the
    organization's risk appetite and risk
    tolerances." www.cert.org/governance/adequate.html
  • Risk Appetite: defined through executive
    decision; influences the amount of risk worth taking
    to achieve enterprise goals and missions
  • Relates to risks that must be mitigated and
    managed
  • Risk Tolerance: the residual risk that is accepted
  • Relates to risks for which no mitigation would be
    in place

9
1st Conclusion
  • As 100% security is impossible, you need to
    decide what needs to be secured and how well it
    needs to be secured
  • In other words, you need:
  • An asset list
  • Threat analysis to identify risks
  • A risk impact estimate for each asset
  • An ongoing process for reviewing assets, threats and
    risks
  • Someone responsible for this process
  • Operational procedures for responding to changing
    conditions (emergencies, high risk etc.)

10
Digital Security as Extension of Physical Security of Key Assets
11
Aspects of Security: Static, passive, pervasive
  • Confidentiality
    → Your data/service provides no useful
      information to unauthorised people
  • Integrity
    → If anyone tampers with your asset it will be
      immediately evident
  • Authenticity
    → We can verify that the asset is attributable to
      its authors or caretakers
  • Identity
    → We can verify who is the specific individual or
      entity associated with your asset
  • Non-repudiation
    → The author, owner or caretaker of the asset
      cannot deny that they are associated with it

12
Aspects of Security: Dynamic, active, transient
  • Authorisation
    → It is clear what actions are permitted with
      respect to your asset
  • Loss
    → Asset is irrecoverably lost (or the cost of
      recovery is too high)
  • Denial of access (aka denial of service)
    → Access to the asset is temporarily impossible

13
Approaches for Achieving Security
  • Two approaches are needed
  • Active, dynamic, transient
  • Implemented through behaviour and pattern
    analysis
  • Passive, static, pervasive
  • Implemented through cryptography

14
Behaviour (Pattern) Analysis
  • Prohibits reaching an asset if access is
    out-of-pattern, e.g.
  • Password lock-out after N unsuccessful attempts
  • Blocking packets at a router if too many come
    from a given source
  • Denying a connection based on IPSec filter rules
  • Stopping a user from seeing more than N records
    in a database per day
  • Time-out of an idle secure session
  • Active
  • Cannot always prevent unauthorised use of an asset
  • Can prevent legitimate access: you need easy and
    secure unlock mechanisms
  • Strength varies with the sophistication of known
    attacks
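The lock-out rule above, as an added example (not code from the presentation): a sliding-window lock-out that refuses an account after N failures inside a window, and, because the slide warns that such controls can also block legitimate access, releases the lock automatically after a cool-down and offers a help-desk unlock. The thresholds (3 failures in 60 seconds, 300-second lock) and the event log are constructed assumptions for the illustration.

```python
from collections import defaultdict, deque


class LockoutPolicy:
    """Pattern-based access control for an authentication endpoint.

    An account is locked once it accumulates `max_failures` failed attempts
    inside a sliding `window` of seconds.  The lock expires on its own after
    `lockout` seconds (or earlier through `admin_unlock`), so the control
    cannot permanently deny a legitimate user.  All parameter values are
    assumptions chosen for this illustration.
    """

    def __init__(self, max_failures=3, window=60, lockout=300):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures
        self._locked_until = {}              # user -> time at which the lock expires

    def _prune(self, user, now):
        """Forget failures older than the sliding window."""
        recent = self._failures[user]
        while recent and now - recent[0] > self.window:
            recent.popleft()

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:                     # time-based unlock
            del self._locked_until[user]
            self._failures[user].clear()
            return False
        return True

    def admin_unlock(self, user):
        """Help-desk path for a user locked out by someone else's guessing."""
        self._locked_until.pop(user, None)
        self._failures[user].clear()

    def attempt(self, now, user, credential_ok):
        """Decide one login attempt: 'allow', 'deny:locked' or 'deny:bad-credential'."""
        if self.is_locked(user, now):
            return "deny:locked"             # refused even with the right password
        if credential_ok:
            self._failures[user].clear()
            return "allow"
        self._prune(user, now)
        self._failures[user].append(now)
        if len(self._failures[user]) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
        return "deny:bad-credential"


# Constructed sample of authentication events: (seconds, user, password correct?)
SAMPLE_EVENTS = [
    (0, "alice", False),
    (5, "alice", False),
    (9, "alice", False),      # third failure within 60 s: alice is locked
    (12, "alice", True),      # right password, but still inside the lock
    (20, "bob", True),
    (400, "alice", True),     # lock expired: alice gets back in
    (1000, "carol", False),
    (1070, "carol", False),   # failures 70 s apart never reach 3 in one window
    (1140, "carol", False),
    (1145, "carol", True),
]


def replay(events, policy=None):
    """Run the events through a policy, returning (time, user, decision) triples."""
    policy = policy or LockoutPolicy()
    return [(ts, user, policy.attempt(ts, user, ok)) for ts, user, ok in sorted(events)]


if __name__ == "__main__":
    for ts, user, decision in replay(SAMPLE_EVENTS):
        print(f"t={ts:5d} {user:6s} {decision}")
```

Keying the lock on the account name alone is what lets an attacker who only knows a username deny service to its owner; in practice you would also key on source address and alert on the pattern rather than silently refusing.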

15
Cryptography
  • Using hard mathematics to implement the passive
    security aspects mentioned earlier
  • Static
  • Cannot detect or prevent problems arising from a
    pattern of behaviour
  • Relies on physical security of Key Assets (such
    as master private keys etc.)
  • Strength changes with time, depending on the
    power of computers and developments in
    cryptanalysis
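As an added example (not from the presentation) of cryptography delivering the passive aspects from slide 11: an HMAC-SHA256 tag gives integrity (any tampering is immediately evident) and authenticity (only a key holder could have made the tag), but not non-repudiation, because the verifier holds the same key and can forge a tag itself. The message text and the key handling are constructed for the illustration; only the Python standard library is used.

```python
import hashlib
import hmac
import secrets

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def protect(key: bytes, message: bytes) -> bytes:
    """Append an HMAC-SHA256 tag to `message`.

    Integrity: changing any bit of the message invalidates the tag.
    Authenticity: only a holder of `key` could have produced the tag.
    """
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def verify(key: bytes, blob: bytes):
    """Return (ok, message).  Uses a constant-time comparison so an attacker
    cannot learn the correct tag byte by byte from response timing."""
    if len(blob) < TAG_LEN:
        return False, b""
    message, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected), message


def demo(key=None):
    """Exercise protect/verify on a constructed message and report each outcome."""
    key = key or secrets.token_bytes(32)
    blob = protect(key, b"transfer 100 EUR to account 42")

    ok_original, _ = verify(key, blob)

    tampered = bytearray(blob)
    tampered[9] ^= 0x01                     # "100" becomes "000": one flipped bit
    ok_tampered, _ = verify(key, bytes(tampered))

    ok_wrong_key, _ = verify(secrets.token_bytes(32), blob)

    # The verifier holds the same key, so it can mint a valid tag itself.  A MAC
    # therefore gives authenticity between the key holders but NOT
    # non-repudiation; that needs a digital signature with a private key only
    # the author holds (not shown here).
    forged = protect(key, b"transfer 999 EUR to account 42")
    ok_forged_by_key_holder, _ = verify(key, forged)

    return {
        "original": ok_original,
        "tampered": ok_tampered,
        "wrong_key": ok_wrong_key,
        "forged_by_key_holder": ok_forged_by_key_holder,
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:22s} verifies: {ok}")
```

The "relies on physical security of key assets" point from the slide shows up directly: whoever can read the MAC key gets both properties for free, which is why master keys belong in an HSM or equivalent.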

16
Future Security Technologies
  • Behaviour analysis is under tremendous
    development at present
  • Expect from Microsoft:
  • Microsoft Operations Manager 2005
  • Already available, more rules on their way
  • Active Protection
  • Set of technologies for intrusion detection,
    automatic response and ongoing protection
  • Imagine MOM + IDS based on neural networks + GPOs

17
Holistic View of Security
  • Security should be:
  • Static + Active + Across All Your Assets
    + Based On Ongoing Threat + Risk Assessment

18
Building a Secure Environment
19
Defense in Depth
  • Using a layered approach
  • Increases an attacker's risk of detection
  • Reduces an attacker's chance of success

[Diagram: layers from outermost to innermost, with the controls at each]
  • Policies, Procedures, Awareness: user education against social engineering
  • Physical Security: guards, locks, tracking devices, HSM
  • Perimeter: firewalls, VPN quarantine
  • Internal Network: network segments, IPSec, NIDS
  • Host: OS hardening, update management, authentication
  • Application: application hardening, antivirus
  • Data: ACL, encryption
20
Secure Environment
  • A secure environment is a combination of
  • Hardened hosts (nodes)
  • Intrusion Detection System (IDS)
  • Operating Processes
  • Standard and Emergency
  • Threat Modelling and Analysis
  • Dedicated Responsible Staff
  • Chief Security Officer (CSO) responsible for all
  • Continuous Training
  • Users and security staff against social
    engineering

21
Processes
  • Operating Processes
  • Microsoft Operations Framework (MOF)
  • IT Infrastructure Library
  • BS7799 and related ISO
  • Informal Standard and Emergency Operating
    Procedures
  • Risk and Threat Analysis Processes
  • Simple Security Risk Analysis
  • Attack Vectors and Threat Modelling
  • OCTAVE

22
Operating Processes
  • As a minimum, define:
  • Standard Operating Procedures
  • Set of security policies used during normal
    conditions
  • Could be based on Windows AD Group Policies
  • Emergency Operating Procedures
  • Tighter policies used during high-risk or
    under-attack conditions
  • Aim for compliance with an overall operational
    process framework
  • E.g. Microsoft Operations Framework's SLAs, OLAs
    and UCs

23
Education + Research
  • As a minimum, you really need to subscribe to
    security advisories:
  • Microsoft Security Notification Service
  • www.microsoft.com/security
  • CERT
  • www.cert.org
  • SANS Institute
  • www.sans.org
  • Other vendor-specific sources
  • Cisco, Oracle, IBM and so on
  • Apart from notifications, study available
    operational security guidance
  • www.microsoft.com/technet/security

24
OCTAVE
25
OCTAVE
  • Operationally Critical Threat, Asset and
    Vulnerability Evaluation
  • Carnegie Mellon University guidance
  • Origin in 2001
  • Used by US military and a growing number of
    larger organisations
  • www.cert.org/octave

26
Concept of OCTAVE
  • Workshop-based analysis
  • Collaborative approach
  • Guided by an 18-volume publication
  • Very specific, with suggested timings, personnel
    selection etc.
  • www.cert.org/octave/omig.html
  • Smaller version, OCTAVE-S, for small and medium
    organisations
  • www.cert.org/octave/osig.html

27
OCTAVE Process: Progressive Series of Workshops
[Diagram: Planning → Phase 1: Organizational View → Phase 2: Technological View → Phase 3: Strategy and Plan Development]
28
Simplified Security Risk Analysis
29
Examples
  • Asset:
  • Internal mailbox of your Managing Director
  • Risk impact estimates (examples!):
  • Risk of loss: Medium impact
  • Risk of access by staff: High impact
  • Risk of access by press: Catastrophic impact
  • Risk of access by a competitor: High impact
  • Risk of temporary no access by MD: Low impact
  • Risk of change of content: Medium impact

30
Creating Your Asset List
  • List all of your named assets, starting with the
    most sensitive
  • Your list won't ever be complete; keep updating it
    as time goes on
  • Create default "all other assets" entries
  • Divide them into logical groups based on their
    probability of attack or the risk of their
    location between perimeters

31
Risk Impact Assessment
  • For each asset and risk, attach a measure of
    impact
  • Monetary scale if possible (difficult) or
    relative numbers with agreed meaning
  • E.g. Trivial (1), Low (2), Medium (3), High (4),
    Catastrophic (5)
  • Example:
  • Asset: Internal MD mailbox
  • Risk: Access to content by press
  • Impact: Catastrophic (5)

32
Risk Probability Assessment
  • Now for each entry measure the probability that the
    loss may happen
  • Real probabilities (difficult) or a relative
    scale (easier) such as Low (0.3), Medium (0.6)
    and High (0.9)
  • Example:
  • Asset: Internal MD mailbox
  • Risk: Access to content by press
  • Probability: Low (0.3)

33
Risk Exposure and Risk List
  • Multiply probability by impact for each entry
  • Exposure = Probability x Impact
  • Sort by exposure
  • High-exposure risks need very strong security
    measures
  • Lowest-exposure risks can be covered by default
    mechanisms or ignored
  • Example:
  • Press may access MD mailbox: Exposure =
    P(Low = 0.3) x I(Catastrophic = 5) = 1.5
  • By the way, on these scales the minimum exposure is
    0.3 and the maximum is 4.5

34
Mitigation and Contingency
  • For high-exposure risks, plan:
  • Mitigation: reduce its probability or impact (and so
    its exposure)
  • Transfer: make someone else responsible for the
    risk
  • Avoidance: avoid the risk by not having the asset
  • Contingency: what to do if the risk becomes
    reality
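The whole procedure of slides 30 to 34, as an added worked example that is not part of the presentation: a risk register on the slides' impact (1 to 5) and probability (0.3/0.6/0.9) scales, exposure = probability x impact, a sort by exposure, a triage band, and the residual exposure after a mitigation. The register rows, the probability ratings and the two triage thresholds are constructed assumptions; the slides give only the impact ratings for the MD mailbox.

```python
# Scales from the slides: impact 1..5, probability as agreed relative values
IMPACT = {"Trivial": 1, "Low": 2, "Medium": 3, "High": 4, "Catastrophic": 5}
PROBABILITY = {"Low": 0.3, "Medium": 0.6, "High": 0.9}

# Thresholds for the triage bands are assumptions, not values from the slides.
STRONG_MEASURES_AT = 3.0   # exposure >= this needs dedicated controls
IGNORE_BELOW = 1.0         # exposure < this can be left to default mechanisms


def exposure(impact, probability):
    """Exposure = Probability x Impact on the slide's scales (0.3 .. 4.5)."""
    return round(PROBABILITY[probability] * IMPACT[impact], 2)


def triage(value):
    """Map an exposure value to the action the slides prescribe."""
    if value >= STRONG_MEASURES_AT:
        return "strong measures"
    if value < IGNORE_BELOW:
        return "default mechanisms / accept"
    return "review"


def rank_risks(register):
    """Return the register sorted by exposure, highest first, with triage labels."""
    rows = []
    for asset, risk, impact, probability in register:
        value = exposure(impact, probability)
        rows.append({"asset": asset, "risk": risk, "impact": impact,
                     "probability": probability, "exposure": value,
                     "action": triage(value)})
    return sorted(rows, key=lambda r: r["exposure"], reverse=True)


def residual_exposure(impact, probability, new_impact=None, new_probability=None):
    """Exposure after a mitigation that lowers impact and/or probability."""
    return exposure(new_impact or impact, new_probability or probability)


# Constructed register: (asset, risk, impact, probability); probabilities are
# illustrative, impacts for the mailbox follow slide 29.
RISK_REGISTER = [
    ("Internal MD mailbox", "Loss of content", "Medium", "Low"),
    ("Internal MD mailbox", "Access by press", "Catastrophic", "Low"),
    ("Internal MD mailbox", "Access by staff", "High", "High"),
    ("Internal MD mailbox", "Access by competitor", "High", "Low"),
    ("Internal MD mailbox", "Temporary no access by MD", "Low", "High"),
    ("Internal MD mailbox", "Change of content", "Medium", "Low"),
    ("All other assets", "Generic compromise", "Low", "Medium"),
]


if __name__ == "__main__":
    for r in rank_risks(RISK_REGISTER):
        print(f"{r['exposure']:4.1f}  {r['action']:28s} {r['asset']}: {r['risk']}")
    # Mitigation: mailbox access controls cut staff-access probability to Low
    print("residual exposure for staff access:",
          residual_exposure("High", "High", new_probability="Low"))
```

Note that the sort alone already tells you where the money goes: a High/High entry at 3.6 dominates the Catastrophic-but-Low press risk at 1.5, which is the point of weighting impact by probability rather than ranking by impact alone.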

35
Formal Threat Modelling
36
Threat Modeling
  • Structured analysis aimed at:
  • Finding infrastructure vulnerabilities
  • Evaluating security threats
  • Identifying countermeasures
  • Originated from security threat analysis in
    software development

37
Architecture Diagram (Step 2)
[Diagram: Firewall → Web Server (IIS, ASP.NET pages: Login, Main, State) → Database Server; users Bob, Alice and Bill; protected Assets 1 to 6 marked on the diagram]
38
Decomposition (Step 3)
[Diagram: the architecture above annotated with a trust boundary and the security mechanisms in use: Forms Authentication, URL Authorization, Windows Authentication and DPAPI; Firewall, Web Server (IIS, ASP.NET: Login, Main, State), Database Server; users Bob, Alice and Bill]
39
STRIDE: A Technique for Threat Identification
(Step 4)
  • Spoofing, Tampering, Repudiation, Information
    disclosure, Denial of service, Elevation of privilege
40
Threat Tree
Threat: Inside Attack Enabled (attack the domain controller from inside)
  OR
  • AND
    • SQL Injection: an application doesn't validate user input and
      allows evil text
    • Dev Server: unhardened SQL server used by internal developers
  • AND
    • Messenger Xfer: novice admin uses an instant messenger on a server
    • Trojan / Soc Eng: attacker sends a trojan masquerading as a network
      util
41
Attack Vector in a Threat Tree
Threat: Theft of Auth Cookies (obtain an auth cookie to spoof identity)
  OR
  • AND (attack vector 1)
    • Unencrypted Connection: cookies travel over unencrypted HTTP
    • Eavesdropping: attacker uses a sniffer to monitor HTTP traffic
  • AND (attack vector 2)
    • Cross-Site Scripting: attacker possesses means and knowledge
    • XSS Vulnerability: application is vulnerable to XSS attacks
42
Document Threats (Step 5)
43
Rate Threats (Step 6)
  • Rate risk using either:
  • Probability-Impact-Exposure:
    Risk Exposure = Probability x Damage Potential
  • DREAD

44
DREAD
  • D Damage Potential
  • R Reproducibility
  • E Exploitability
  • A Affected Users
  • D Discoverability
  • Rate each category High(3), Medium(2) and Low(1)
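Steps 4 to 6 in code, as an added example covering both the threat trees of slides 40 and 41 and the DREAD rating on this slide (not code from the presentation): the trees are transcribed as AND/OR nodes, the attack vectors (minimal sets of leaf conditions that realise the root) are enumerated, feasibility is checked against the conditions that currently hold, and each vector is then rated with DREAD on the High/Medium/Low = 3/2/1 scale and ranked. The DREAD ratings given to the two cookie-theft vectors are constructed for the illustration.

```python
from itertools import product

# Attack trees transcribed from the slides: ("OR"|"AND", children); leaves are strings
COOKIE_THEFT = ("OR", [
    ("AND", ["Cookies travel over unencrypted HTTP",
             "Attacker uses sniffer to monitor HTTP traffic"]),
    ("AND", ["Attacker possesses means and knowledge",
             "Application is vulnerable to XSS attacks"]),
])

INSIDE_ATTACK = ("OR", [
    ("AND", ["An application doesn't validate user input",
             "Unhardened SQL server used by internal developers"]),
    ("AND", ["Novice admin uses an instant messenger on a server",
             "Attacker sends a trojan masquerading as a network util"]),
])


def attack_vectors(node):
    """Enumerate the minimal sets of leaf conditions that realise the root.

    Each returned frozenset is one attack vector: every condition in it must
    hold for that path through the tree to succeed.
    """
    if isinstance(node, str):
        return [frozenset([node])]
    op, children = node
    child_vectors = [attack_vectors(child) for child in children]
    if op == "OR":                       # any child suffices
        candidates = [v for vectors in child_vectors for v in vectors]
    elif op == "AND":                    # one vector from every child, combined
        candidates = [frozenset().union(*combo) for combo in product(*child_vectors)]
    else:
        raise ValueError(f"unknown node type {op!r}")
    # Keep minimal cut sets only: drop vectors that are supersets of another
    return [v for v in candidates if not any(o < v for o in candidates)]


def feasible(node, conditions):
    """True if the attack succeeds given the set of conditions that currently hold."""
    if isinstance(node, str):
        return node in conditions
    op, children = node
    combine = any if op == "OR" else all
    return combine(feasible(child, conditions) for child in children)


# DREAD: rate each category High/Medium/Low = 3/2/1 and sum (range 5..15)
DREAD_SCALE = {"High": 3, "Medium": 2, "Low": 1}
DREAD_CATEGORIES = ("damage", "reproducibility", "exploitability",
                    "affected_users", "discoverability")


def dread_score(rating):
    return sum(DREAD_SCALE[rating[category]] for category in DREAD_CATEGORIES)


def rank_by_dread(ratings):
    """Return [(score, threat_name), ...], highest first."""
    return sorted(((dread_score(r), name) for name, r in ratings.items()), reverse=True)


# Constructed, illustrative DREAD ratings for the two cookie-theft vectors
VECTOR_RATINGS = {
    "Unencrypted connection + eavesdropping": {
        "damage": "High", "reproducibility": "High", "exploitability": "Medium",
        "affected_users": "High", "discoverability": "Medium"},           # 13
    "XSS vulnerability + cross-site scripting": {
        "damage": "High", "reproducibility": "Medium", "exploitability": "Medium",
        "affected_users": "Medium", "discoverability": "High"},           # 12
}


if __name__ == "__main__":
    for vector in attack_vectors(COOKIE_THEFT):
        print("vector:", " AND ".join(sorted(vector)))
    print("feasible with only the XSS bug:",
          feasible(COOKIE_THEFT, {"Application is vulnerable to XSS attacks"}))
    for score, name in rank_by_dread(VECTOR_RATINGS):
        print(f"DREAD {score:2d}  {name}")
```

The feasibility check is what makes the tree actionable: removing any one condition from every vector (here, forcing HTTPS for the cookie and fixing the XSS) leaves the root unreachable, and the DREAD ranking says which vector to close first.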

45
Summary
  • Viewing security holistically combines
    perspectives of people, processes, technologies
    and requires ongoing research and education
  • Security goals oppose those of usability
  • Cost of protection is a factor that necessitates
    a risk assessment
  • Processes such as OCTAVE allow for threat
    identification as well as cost-effectiveness
    analysis
  • Lower security needs can be solved with cheaper,
    reactive approaches
  • High security needs require more expensive,
    formal methods