Transcript
Page 1: A Holistic View of Enterprise Security Rafal Lukawiecki Strategic Consultant, Project Botticelli Ltd rafal@projectbotticelli.co.uk

A Holistic View of Enterprise Security

Rafal Lukawiecki

Strategic Consultant, Project Botticelli Ltd

rafal@projectbotticelli.co.uk

www.projectbotticelli.co.uk

Copyright 2005 © Microsoft Corp & Project Botticelli Ltd. E&OE. For informational purposes only. No warranties of any kind are made and you have to verify all information before relying on it. You can re-use this presentation as long as you read, agree, and follow the guidelines described in the “Comments” field in File/Properties.

Page 2

Objectives

Define security in a practical, measurable, and achievable way

Introduce security frameworks

Introduce OCTAVE

Introduce simple risk assessment

Introduce the concepts of threat modelling for enterprise security

Overview major security technologies

Page 3

Session Agenda

Defining Security Concepts

Building a Secure Environment

Processes

OCTAVE

Simplified Security Risk Analysis

Formal Threat Modelling

Summary

Page 4

Defining Security Concepts

Page 5

Security

Definition (Cambridge Dictionary of English):

Ability to avoid being harmed by any risk, danger or threat

…therefore, in practice, an impossible goal

What can we do then?

Be as secure as needed

Ability to avoid being harmed too much by reasonably predictable risks, dangers or threats (Rafal’s definition)

Page 6

Challenge

Security must be balanced with usability (and accessibility)

Most secure = useless

Most useful = insecure

Know the balance you need

Factor in the price: both security and usability cost a lot

Page 7

Cost-Effectiveness of Security

"Appropriate business security is that which protects the business from undue operational risks in a cost-effective manner." – Sherwood, 2003

Estimating the cost and effectiveness of security requires knowledge and estimation of:

Assets to protect

Possible threats or losses

Cost of their prevention

Cost of contingencies

Page 8

Adequate Security

CERT usefully suggests:

“A desired enterprise security state is the condition where the protection strategies for an organization's critical assets and business processes are commensurate with the organization's risk appetite and risk tolerances.” – www.cert.org/governance/adequate.html

Risk Appetite – defined through executive decision; the amount of risk worth taking to achieve enterprise goals and missions

Relates to risks that must be mitigated and managed

Risk Tolerance – the residual risk that is accepted

Relates to risk for which no mitigation would be in place

Page 9

1st Conclusion

As 100% security is impossible, you need to decide what needs to be secured and how well it needs to be secured

In other words, you need:

Asset list

Threat analysis to identify risks

Risk impact estimate for each asset

Ongoing process for reviewing assets, threats and risks

Someone responsible for this process

Operational procedures for responding to changing conditions (emergencies, high risk etc.)

Page 10

Digital Security as Extension of Physical Security of Key Assets

Strong physical security of key assets + strong digital security = good security everywhere

Weak physical security of key assets + strong digital security = insecure environment

Strong physical security of key assets + weak digital security = insecure environment

Page 11

Aspects of Security: Static, passive, pervasive

Confidentiality – your data/service provides no useful information to unauthorised people

Integrity – if anyone tampers with your asset it will be immediately evident

Authenticity – we can verify that the asset is attributable to its authors or caretakers

Identity – we can verify which specific individual entity is associated with your asset

Non-repudiation – the author, owner or caretaker of the asset cannot deny that they are associated with it

Page 12

Aspects of Security: Dynamic, active, transient

Authorisation – it is clear what actions are permitted with respect to your asset

Loss – the asset is irrecoverably lost (or the cost of recovery is too high)

Denial of access (aka denial of service) – access to the asset is temporarily impossible

Page 13

Approaches for Achieving Security

Two approaches are needed:

Active, dynamic, transient – implemented through behaviour and pattern analysis

Passive, static, pervasive – implemented through cryptography

Page 14

Behaviour (Pattern) Analysis

Prohibits reaching an asset if access is out-of-pattern, e.g.:

Password lock-out after N unsuccessful attempts

Blocking packets at a router if too many come from a given source

Denying a connection based on IPSec filter rules

Stopping a user from seeing more than N records in a database per day

Time-out of an idle secure session

“Active”

Cannot always prevent unauthorised use of an asset

Can prevent legitimate access – need easy and secure “unlock” mechanisms

Strength depends on the sophistication of the known attack patterns it is built on
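
Added example (not from the slides or from Microsoft): the first two bullets above, the N-attempt lock-out and the per-source block, are the same mechanism, a sliding-window count of out-of-pattern events with an automatic expiry, which is the "unlock" the last bullet asks for. The LoginGuard class, the thresholds and the log lines are assumptions constructed for this demonstration; the same class keyed by source address instead of user name gives the router case.

```python
"""Out-of-pattern access control: lock an account after N failed logins
within a sliding window, and let it recover without an administrator.

Added example; not from the original slides. The log lines below are
constructed for the demonstration, and the thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                      # N unsuccessful attempts (assumed)
WINDOW = timedelta(minutes=10)        # failures are counted within this window
LOCKOUT = timedelta(minutes=15)       # automatic "unlock" after this long


class LoginGuard:
    """Tracks failed attempts per user and decides whether a login may proceed."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)   # user -> timestamps of recent failures
        self._locked_until = {}               # user -> datetime the lock expires

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # lock expired: forget the old failures so the user starts clean
            del self._locked_until[user]
            self._failures[user].clear()
            return False
        return True

    def record(self, user, success, now):
        """Feed one authentication event. Returns 'allowed', 'locked' or 'lockout'."""
        if self.is_locked(user, now):
            return "locked"            # even a correct password is refused while locked
        q = self._failures[user]
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if success:
            q.clear()
            return "allowed"
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            return "lockout"
        return "allowed"

    def unlock(self, user):
        """Explicit unlock, e.g. after a help-desk identity check."""
        self._locked_until.pop(user, None)
        self._failures[user].clear()


def parse_line(line):
    """Parse a constructed log line of the form '<ISO time> <user> <OK|FAIL>'."""
    ts, user, result = line.split()
    return datetime.fromisoformat(ts), user, result == "OK"


def replay(lines, guard=None):
    """Run log lines through a guard and return the decision for each line."""
    guard = guard or LoginGuard()
    return [guard.record(user, ok, ts) for ts, user, ok in map(parse_line, lines)]


# Constructed sample log: five failures by 'alice' in under two minutes,
# a correct password while locked, then a retry after the lock has expired.
SAMPLE_LOG = [
    "2005-03-01T09:00:00 alice FAIL",
    "2005-03-01T09:00:20 alice FAIL",
    "2005-03-01T09:00:40 alice FAIL",
    "2005-03-01T09:01:00 alice FAIL",
    "2005-03-01T09:01:20 alice FAIL",   # 5th failure -> lockout
    "2005-03-01T09:01:40 alice OK",     # right password, still locked
    "2005-03-01T09:17:00 alice OK",     # lock expired -> allowed
]

if __name__ == "__main__":
    for line, decision in zip(SAMPLE_LOG, replay(SAMPLE_LOG)):
        print(f"{line:35} -> {decision}")
```

The sixth line is the slide's "can prevent legitimate access" point: the real user with the right password is refused because an attacker (or a mistyped password) exhausted the budget. The automatic expiry plus the explicit unlock() are the two "unlock" mechanisms; an attacker who can trigger the lock at will has a cheap denial of service against any account, which is why the window and lockout are short rather than permanent.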

Page 15

Cryptography

Using hard mathematics to implement the passive security aspects mentioned earlier

“Static”

Cannot detect or prevent problems arising from a pattern of behaviour

Relies on physical security of Key Assets (such as master private keys etc.)

Strength changes with time, depending on the power of computers and developments in cryptanalysis
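
Added example, not part of the original deck: a keyed hash (HMAC-SHA256 from the Python standard library) over a stored record shows what "static" protection means in practice. Any change to the record is evident at verification time, and only a holder of the key could have produced the tag. The key, the record and the function names are constructed for the demonstration.

```python
"""Passive (cryptographic) security for a stored asset: a keyed MAC makes
tampering immediately evident and ties the asset to whoever holds the key.

Added example; not from the original slides. Standard library only; the
key and the record below are constructed.
"""
import hashlib
import hmac
import os

TAG_LEN = 32   # SHA-256 digest length in bytes


def protect(record: bytes, key: bytes) -> bytes:
    """Return record || HMAC-SHA256(key, record).

    Gives integrity and authenticity; the record itself stays readable."""
    tag = hmac.new(key, record, hashlib.sha256).digest()
    return record + tag


def verify(blob: bytes, key: bytes):
    """Return (ok, record). ok is False if the blob was altered or tagged under another key."""
    if len(blob) < TAG_LEN:
        return False, b""
    record, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, record, hashlib.sha256).digest()
    # compare_digest runs in constant time, so an attacker cannot recover the
    # expected tag byte by byte from timing differences
    return hmac.compare_digest(tag, expected), record


def demo():
    """Untouched record verifies; a modified one and a foreign-key one do not."""
    key = os.urandom(32)   # the Key Asset: its custody is what the scheme rests on
    record = b"payroll:alice:salary=50000"
    blob = protect(record, key)

    ok_untouched, _ = verify(blob, key)
    tampered = blob.replace(b"50000", b"90000")        # same length, one field changed
    ok_tampered, _ = verify(tampered, key)
    ok_other_key, _ = verify(protect(record, os.urandom(32)), key)
    return ok_untouched, ok_tampered, ok_other_key


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

Note what the scheme does not provide. The record is stored in the clear, so there is no confidentiality; and because the verifier holds the same key as the author, HMAC gives no non-repudiation, since either side could have produced the tag. A digital signature under a private key held by one party is needed for that. The key is the Key Asset of the bullet above: whoever copies it can forge any tag, which is why its custody matters more than the mathematics.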

Page 16

Future Security Technologies

Behaviour analysis is under tremendous development at present

Expect from Microsoft:

Microsoft Operations Manager 2005

Already available, more rules on their way

Active Protection

Set of technologies for intrusion detection, automatic response and ongoing protection

Imagine: MOM + IDS based on a neural network + GPOs

Page 17

Holistic View of Security

Security should be:

Static + Active, Across All Your Assets, Based On Ongoing Threat Risk Assessment

Page 18

Building a Secure Environment

Page 19

Defense in Depth

Using a layered approach:

Increases an attacker’s risk of detection

Reduces an attacker’s chance of success

Layers (outermost first) and example controls:

Policies, Procedures, & Awareness – user education against social engineering

Physical Security – guards, locks, tracking devices, HSM

Perimeter – firewalls, VPN quarantine

Internal Network – network segments, IPSec, NIDS

Host – OS hardening, update management, authentication

Application – application hardening, antivirus

Data – ACL, encryption

Page 20

Secure Environment

A secure environment is a combination of:

Hardened hosts (nodes)

Intrusion Detection System (IDS)

Operating Processes – standard and emergency

Threat Modelling and Analysis

Dedicated Responsible Staff – Chief Security Officer (CSO) responsible for all

Continuous Training – users and security staff, against “social engineering”

Page 21

Processes

Operating Processes

Microsoft Operations Framework (MOF)

IT Infrastructure Library (ITIL)

BS7799 and the related ISO standards

Informal: Standard and Emergency Operating Procedures

Risk and Threat Analysis Processes

Simple Security Risk Analysis

Attack Vectors and Threat Modelling

OCTAVE

Page 22

Operating Processes

As a minimum, define:

Standard Operating Procedures – the set of security policies used during “normal” conditions

Could be based on Windows AD Group Policies

Emergency Operating Procedures – tighter policies used during “high-risk” or “under-attack” conditions

Aim for compliance with an overall operational process framework

E.g. Microsoft Operations Framework’s SLAs, OLAs and UCs (service level agreements, operational level agreements and underpinning contracts)

Page 23

Education & Research

As a minimum, you really need to subscribe to security advisories:

Microsoft Security Notification Service – www.microsoft.com/security

CERT – www.cert.org

SANS Institute – www.sans.org

Other vendor-specific: Cisco, Oracle, IBM and so on

Apart from notifications, study the available operational security guidance:

www.microsoft.com/technet/security

Page 24

OCTAVE

Page 25

OCTAVE

Operationally Critical Threat, Asset and Vulnerability Evaluation

Carnegie Mellon University guidance

Origin in 2001

Used by the US military and a growing number of larger organisations

www.cert.org/octave

Page 26

Concept of OCTAVE

Workshop-based analysis

Collaborative approach

Guided by an 18-volume publication

Very specific, with suggested timings, personnel selection etc.

www.cert.org/octave/omig.html

Smaller version, OCTAVE-S, for small and medium organisations

www.cert.org/octave/osig.html

Page 27

OCTAVE Process: Progressive Series of Workshops

Planning (preparation of the workshop series)

Phase 1 – Organizational View: assets, threats, current practices, organisational vulnerabilities, security requirements

Phase 2 – Technological View: technical vulnerabilities

Phase 3 – Strategy and Plan Development: risks, protection strategy, mitigation plans

Page 28

Steps of OCTAVE Processes

Page 29

Simplified Security Risk Analysis

Page 30

Examples

Asset: internal mailbox of your Managing Director

Risk impact estimate (examples!):

Risk of loss: Medium impact

Risk of access by staff: High impact

Risk of access by press: Catastrophic impact

Risk of access by a competitor: High impact

Risk of the MD temporarily having no access: Low impact

Risk of change of content: Medium impact

Page 31

Creating Your Asset List

List all of your named assets, starting with the most sensitive

Your list won’t ever be complete; keep updating it as time goes on

Create default “all other assets” entries

Divide them into logical groups based on their probability of attack or the risk of their “location” between perimeters

Page 32

Risk Impact Assessment

For each asset and risk attach a measure of impact

Monetary scale if possible (difficult), or relative numbers with agreed meaning

E.g.: Trivial (1), Low (2), Medium (3), High (4), Catastrophic (5)

Ex:

Asset: Internal MD mailbox

Risk: Access to content by press

Impact: Catastrophic (5)

Page 33

Risk Probability Assessment

Now for each entry measure the probability that the loss may happen

Real probabilities (difficult) or a relative scale (easier) such as: Low (0.3), Medium (0.6), and High (0.9)

Ex:

Asset: Internal MD mailbox

Risk: Access to content by press

Probability: Low (0.3)

Page 34

Risk Exposure and Risk List

Multiply probability by impact for each entry:

Exposure = Probability × Impact

Sort by exposure

High-exposure risks need very strong security measures

Lowest-exposure risks can be covered by default mechanisms or ignored

Example: press may access MD mailbox: Exposure = P(Low = 0.3) × I(Catastrophic = 5) = 1.5

By the way, on these scales the minimum exposure is 0.3 (Low × Trivial) and the maximum is 4.5 (High × Catastrophic)

Page 35

Mitigation and Contingency

For high-exposure risks plan:

Mitigation: reduce its probability or impact (and so its exposure)

Transfer: make someone else responsible for the risk

Avoidance: avoid the risk by not having the asset

Contingency: what to do if the risk becomes reality
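
Added example, not from the slides: the steps of the simplified analysis above (asset list, impact scale, probability scale, exposure, sorted risk list, mitigation) as one small risk register in Python. The two scales are the slides' own and the press entry uses the slides' numbers; the probabilities of the other MD-mailbox risks, the treatment thresholds in classify() and the mitigation applied at the end are assumptions made for the demonstration.

```python
"""Simplified security risk analysis: exposure = probability x impact,
a sorted risk list, and re-scoring an entry after a mitigation.

Added example; not from the original slides. Scales are the slides';
all probabilities except the press case, the thresholds in classify()
and the mitigation are assumptions.
"""
from dataclasses import dataclass, replace

IMPACT = {"Trivial": 1, "Low": 2, "Medium": 3, "High": 4, "Catastrophic": 5}
PROBABILITY = {"Low": 0.3, "Medium": 0.6, "High": 0.9}


@dataclass(frozen=True)
class Risk:
    asset: str
    risk: str
    impact: str        # key into IMPACT
    probability: str   # key into PROBABILITY

    @property
    def exposure(self) -> float:
        """Exposure = Probability x Impact, rounded to hide float noise."""
        return round(PROBABILITY[self.probability] * IMPACT[self.impact], 2)


def risk_list(risks):
    """Sort by exposure, highest first: the order in which to plan treatment."""
    return sorted(risks, key=lambda r: r.exposure, reverse=True)


def classify(r, strong_at=2.0, ignore_below=0.7):
    """Map exposure to a treatment bucket. Thresholds are assumptions on the
    0.3 .. 4.5 range that the slides' scales produce."""
    if r.exposure >= strong_at:
        return "strong measures"
    if r.exposure < ignore_below:
        return "default mechanisms / accept"
    return "standard measures"


def mitigate(r, *, impact=None, probability=None):
    """Mitigation lowers probability and/or impact; return the re-scored entry."""
    return replace(r, impact=impact or r.impact, probability=probability or r.probability)


# Constructed register for the slides' example asset.
MD_MAILBOX = [
    Risk("Internal MD mailbox", "Access by press", "Catastrophic", "Low"),      # slides' numbers
    Risk("Internal MD mailbox", "Access by staff", "High", "Medium"),           # assumed
    Risk("Internal MD mailbox", "Access by competitor", "High", "Low"),         # assumed
    Risk("Internal MD mailbox", "Loss of mailbox", "Medium", "Low"),            # assumed
    Risk("Internal MD mailbox", "Content changed", "Medium", "Low"),            # assumed
    Risk("Internal MD mailbox", "MD temporarily without access", "Low", "Medium"),  # assumed
]

if __name__ == "__main__":
    for r in risk_list(MD_MAILBOX):
        print(f"{r.exposure:4.1f}  {r.risk:32} {classify(r)}")
    # Hypothetical mitigation: mailbox ACL review plus access auditing takes
    # the probability of staff access from Medium to Low.
    staff = mitigate(MD_MAILBOX[1], probability="Low")
    print("after mitigation:", staff.exposure, classify(staff))
```

Running it shows why the slide says to sort by exposure rather than by impact: access by staff (High impact, Medium probability) scores 2.4 and lands above the Catastrophic but Low-probability press case at 1.5, so on these numbers the first control to fund is the one that cuts staff access, which also happens to close one route by which the press could obtain the content.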

Page 36

Formal Threat Modelling

Page 37

Threat Modeling

Structured analysis aimed at:

Finding infrastructure vulnerabilities

Evaluating security threats

Identifying countermeasures

Originated from software development security threat analysis

1. Identify Assets

2. Create an Architecture Overview

3. Decompose the System

4. Identify the Threats

5. Document the Threats

6. Rate the Threats

Page 38

Architecture Diagram (Step 2)

(Diagram: users Bob, Alice and Bill reach a Web Server running IIS and ASP.NET through a firewall; a second firewall separates it from the Database Server holding the Login, State and Main databases; Assets #1 to #6 are marked on the diagram)

Page 39

Decomposition (Step 3)

(Diagram: the same architecture, Bob, Alice and Bill, two firewalls, the IIS/ASP.NET Web Server and the Database Server with the Login, State and Main databases, now annotated with trust boundaries and the mechanisms in use: Forms Authentication, URL Authorization, DPAPI and Windows Authentication)

Page 40

STRIDE: A Technique for Threat Identification (Step 4)

Type of threat – examples:

Spoofing – forging an email message; replaying authentication

Tampering – altering data during transmission; changing data in a database

Repudiation – deleting critical data and denying it; purchasing a product and denying it

Information disclosure – exposing information in error messages; exposing code on a web site

Denial of Service – flooding a web service with invalid requests; flooding a network with SYNs

Elevation of Privilege – obtaining Administrator privileges; using an assembly in the GAC to create an account

Page 41

Threat Tree

Root: Inside Attack Enabled – attack domain controller from inside (OR of the two branches below)

Branch (AND):

SQL Injection – an application doesn’t validate user input and allows evil text

Dev Server – unhardened SQL server used by internal developers

Branch (AND):

Messenger Xfer – novice admin uses an instant messenger on a server

Trojan Soc Eng – attacker sends a trojan masquerading as a network utility

Page 42

Attack Vector in a Threat Tree

Root: Theft of Auth Cookies – obtain auth cookie to spoof identity (OR of the two branches below)

Branch (AND):

Unencrypted Connection – cookies travel over unencrypted HTTP

Eavesdropping – attacker uses a sniffer to monitor HTTP traffic

Branch (AND):

Cross-Site Scripting – attacker possesses means and knowledge

XSS Vulnerability – application is vulnerable to XSS attacks
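
Added example, not from the original deck: the two trees on this and the previous slide encoded as AND/OR nodes, so that a reviewer can ask which leaf conditions an attacker needs, enumerate the attack paths, and find the smallest set of countermeasures that closes every path. The node names are shortened from the slides; the Node class and the functions are constructed for this demonstration.

```python
"""AND/OR threat trees (Step 4): reachability, attack paths (cut sets) and
the smallest set of leaf conditions whose removal blocks the root.

Added example; not from the original slides. Node names are shortened
from the diagrams; the class and helpers are constructed.
"""
from itertools import combinations


class Node:
    def __init__(self, name, op=None, children=()):
        self.name, self.op, self.children = name, op, list(children)

    def reachable(self, present):
        """True if the attacker can reach this node given the set of leaf conditions present."""
        if not self.children:
            return self.name in present
        results = [c.reachable(present) for c in self.children]
        return all(results) if self.op == "AND" else any(results)

    def leaves(self):
        if not self.children:
            return {self.name}
        return set().union(*(c.leaves() for c in self.children))

    def attack_paths(self):
        """Minimal sets of leaf conditions that each make this node reachable."""
        if not self.children:
            return [frozenset([self.name])]
        child_paths = [c.attack_paths() for c in self.children]
        if self.op == "OR":
            return [p for paths in child_paths for p in paths]
        # AND: one path from every child must hold, so combine them
        combos = [frozenset()]
        for paths in child_paths:
            combos = [a | b for a in combos for b in paths]
        return combos


def smallest_fix(tree):
    """Smallest set of leaf conditions whose removal leaves the root unreachable
    even if every other condition holds (brute force; these trees are tiny)."""
    leaves = sorted(tree.leaves())
    for k in range(len(leaves) + 1):
        for fix in combinations(leaves, k):
            if not tree.reachable(set(leaves) - set(fix)):
                return set(fix)


# Slide "Attack Vector in a Threat Tree"
COOKIE_THEFT = Node("Theft of auth cookies", "OR", [
    Node("Sniff cookie", "AND", [Node("Unencrypted connection"), Node("Eavesdropping")]),
    Node("Steal via XSS", "AND", [Node("XSS vulnerability"), Node("Attacker has means and knowledge")]),
])

# Slide "Threat Tree" (domain controller attacked from inside)
INSIDE_ATTACK = Node("Inside attack enabled", "OR", [
    Node("Via dev SQL server", "AND", [Node("SQL injection"), Node("Unhardened dev server")]),
    Node("Via trojan", "AND", [Node("Messenger transfer"), Node("Trojan social engineering")]),
])

if __name__ == "__main__":
    # HTTPS everywhere closes the sniffing branch ...
    print(COOKIE_THEFT.reachable({"Eavesdropping", "Attacker has means and knowledge"}))   # False
    # ... but an XSS hole re-opens the root through the other branch.
    print(COOKIE_THEFT.reachable({"XSS vulnerability", "Attacker has means and knowledge"}))  # True
    print(sorted(map(sorted, COOKIE_THEFT.attack_paths())))
    print(smallest_fix(COOKIE_THEFT), smallest_fix(INSIDE_ATTACK))
```

Because each branch is an AND pair, one countermeasure per branch is enough and smallest_fix() returns such a pair; removing only a leaf of one branch (say, encrypting the connection) leaves the root reachable through the other, which is the point of drawing the OR. For the cookie tree the countermeasures the slides later record, SSL on the channel and fixing the XSS, are exactly one leaf from each branch.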

Page 43

Document Threats (Step 5)

Columns: Description | Target | Risk | Attack Techniques | Countermeasures

Attacker obtains credentials | User auth process | (rated in Step 6) | Sniffer | Use SSL to encrypt the channel

Injection of SQL commands | Data access component | (rated in Step 6) | Append SQL to user name | Validate user name; parameterized stored procedure for data access
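
Added example, not the slides' own code: the "Append SQL to user name" technique against a string-built query, beside the two countermeasures recorded in the table, an allow-list check on the user name and binding the value as a parameter (which is what a parameterized stored procedure gives you on SQL Server; SQLite has no stored procedures, so a parameterized statement stands in for it here). The in-memory database, its rows, the payload, the allow-list pattern and the function names are constructed for the demonstration.

```python
"""Step 5 countermeasures for 'Injection of SQL commands': the vulnerable
lookup beside its validated, parameterised form, run against an in-memory
SQLite database.

Added example; not from the original slides. Schema, rows, payload and the
user-name allow-list are constructed for the demonstration.
"""
import re
import sqlite3

USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")   # assumed allow-list for user names


def make_db():
    """Constructed users table with two rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice-secret"), ("bob", "bob-secret")])
    return db


def lookup_vulnerable(db, name):
    """Deliberately vulnerable: the user name is appended to the SQL text, so the
    slide's 'Append SQL to user name' attack changes the query's meaning."""
    sql = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def lookup_parameterised(db, name):
    """The value travels as a bound parameter and is never parsed as SQL."""
    return db.execute("SELECT name, secret FROM users WHERE name = ?", (name,)).fetchall()


def is_valid_username(name):
    """Allow-list validation: the slide's 'Validate user name' countermeasure."""
    return bool(USERNAME_RE.match(name))


def lookup_hardened(db, name):
    """Both countermeasures: reject names outside the allow-list, then bind the value."""
    if not is_valid_username(name):
        raise ValueError("invalid user name")
    return lookup_parameterised(db, name)


PAYLOAD = "x' OR '1'='1"   # constructed attack string appended to the user name

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, PAYLOAD))      # every row, secrets included
    print(lookup_parameterised(db, PAYLOAD))   # []: no user is literally named "x' OR '1'='1"
    try:
        lookup_hardened(db, PAYLOAD)
    except ValueError as e:
        print("rejected:", e)
```

Parameterisation on its own already defeats the payload, so why keep the validation? Because a bound parameter can still carry a value the rest of the application does not expect (a 4 KB "user name", control characters, a name that is later interpolated into a log line or an LDAP filter); the allow-list limits what reaches those places, which is the defence-in-depth idea from the earlier slide applied inside one component.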

Page 44

Rate Threats (Step 6)

Rate risk by:

Probability-Impact-Exposure: Risk Exposure = Probability × Damage Potential

DREAD

DREADDREAD

Page 45: A Holistic View of Enterprise Security Rafal Lukawiecki Strategic Consultant, Project Botticelli Ltd rafal@projectbotticelli.co.uk

4545

DREADDREAD

DD – Damage Potential – Damage Potential

RR – Reproducibility – Reproducibility

EE – Exploitability – Exploitability

AA – Affected Users – Affected Users

DD – Discoverability – Discoverability

Rate each category High(3), Medium(2) and Low(1)Rate each category High(3), Medium(2) and Low(1)

ThreatThreat DD RR EE AA DD TotalTotal RatingRating

Attacker obtains credentialsAttacker obtains credentials 33 33 22 22 22 1212 HighHigh

Injection of SQL commandsInjection of SQL commands 33 33 33 33 22 1414 HighHigh

Page 46

Summary

Page 47

Summary

Viewing security holistically combines the perspectives of people, processes and technologies, and requires ongoing research and education

Security goals oppose those of usability

The cost of protection is a factor that necessitates a risk assessment

Processes such as OCTAVE allow for threat identification as well as cost-effectiveness analysis

Lower security needs can be met with cheaper, reactive approaches

High security needs require more expensive, formal methods

