security analysis part i: basics · on security analysis classify security concepts introduce,...
TRANSCRIPT
![Page 1: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/1.jpg)
Security AnalysisPart I: Basics
Ketil Stølen, SINTEF & UiO
CORAS 1
![Page 2: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/2.jpg)
Acknowledgments
The research for the contents of this tutorial has partly been funded by the European Commission through the FP7 project SecureChange and the FP7 network of excellence NESSoS
CORAS 2
![Page 3: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/3.jpg)
Objectives for the three Lectures on Security Analysis
Classify security conceptsIntroduce, motivate and explain a basic apparatus for risk management in general and risk analysis in particularRelate risk management to system developmentDescribe the different processes that risk management involveMotivate and illustrate model-driven security risk analysis (or security analysis, for short)Demonstrate the use of risk analysis techniques
CORAS 3
![Page 4: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/4.jpg)
The three Lectures onSecurity Analysis
Part I : Basics
Part II : Example-Driven Walkthrough of the CORAS Method
Part III : Change Management
CORAS 4
![Page 5: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/5.jpg)
Overview of Part IWhat is security?What is risk?What is risk management?Central termsWhat is CORAS?Main conceptsThe CORAS processRisk modelingSemanticsLikelihood reasoningThe CORAS tool
CORAS 5
![Page 6: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/6.jpg)
What is Security Analysis?
Security analysis is a specialized form of risk analysis focusing on security risks
CORAS 6
![Page 7: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/7.jpg)
What is Security?security
integrity availability accountabilityconfidentiality
Only authorised actors have access to information
Only authorised actors can change, create or delete information
Authorised actors haveaccess toinformation they need whenthey need it
It is possible to audit the sequence of events in the system
CORAS 7
![Page 8: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/8.jpg)
Security is more than Technology
From a technical standpoint, security solutions are available – but what good is security if no one can use the systems?
Security requires more than technical understandingSecurity problems are often of non-technical originA sound security evaluation requires a uniform description of the system as a whole
how it is used, the surrounding organisation, etc.
CORAS 8
![Page 9: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/9.jpg)
Security – Part of System Development
Security is traditionally added as an “afterthought”
Solutions often reactive rather than proactiveSecurity issues often solved in isolationCostly redesignSecurity not completely integrated
Enforcing security only at the end of the development process “by preventing certain behaviors...may result in a so useless system that the complete development effort would be wasted” [Mantel'01].
“It would be desirable to consider security aspects already in the design phase, before a system is actually implemented, since removing security flaws in the design phase saves cost and time” [Jürjens'02].
CORAS 9
![Page 10: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/10.jpg)
In what way is “Security” related to
safetyreliabilitydependabilitymaintainabilitydata protectionprivacytrustworthytrustpublic key infrastructure based on trusted third partyauthentication and authorization
CORAS 10
![Page 11: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/11.jpg)
Oversettelse av Terminologi
asset aktivum (noe med verdi)
threat trussel
unwanted incident uønsket hendelse
risk risiko
vulnerability sårbarhet
consequence konsekvens
probability sannsynlighet
frequency frekvens/hyppighet
treatment behandling
CORAS 11
![Page 12: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/12.jpg)
What is Risk?
Many kinds of riskContractual riskEconomic risk Operational risk Environmental riskHealth riskPolitical riskLegal riskSecurity risk
CORAS 12
![Page 13: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/13.jpg)
Definition of Risk from ISO 31000
Risk: Effect of uncertainty on objectivesNOTE 1 An effect is a deviation from the expected — positive and/or negativeNOTE 2 Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process)NOTE 3 Risk is often characterized by reference to potential eventsand consequences, or a combination of theseNOTE 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrenceNOTE 5 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of an event, its consequence, or likelihood
CORAS 13
![Page 14: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/14.jpg)
What is Risk Management?Risk management:Coordinated activities to direct and control an organization with regard to risk[ISO 31000:2009]
CORAS 14
Com
mun
icat
e an
d co
nsul
t
Establish the context
Identify risks
Estimate risks
Evaluate risks
Treat risks
Mon
itor a
nd re
view
Ris
k as
sess
men
t
![Page 15: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/15.jpg)
Risk Analysis InvolvesDetermining what can happen, why and howSystematic use of available information to determine the level of riskPrioritization by comparing the level of risk against predetermined criteriaSelection and implementation of appropriate options for dealing with risk
CORAS 15
Com
mun
icat
e an
d co
nsul
t
Establish the context
Identify risks
Estimate risks
Evaluate risks
Treat risks
Mon
itor a
nd re
view
Ris
k as
sess
men
t
![Page 16: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/16.jpg)
Terms
CORAS 16
Asset Vulnerability
Threat
Risk
Need to introduce risk treatment
Reduced risk
![Page 17: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/17.jpg)
17
Terms
Risk
Threat
Vulnerability
Unwanted incident
Worm
Computer running Outlook
Internet
- Infected twice per year- Infected mail send to all
contacts
Infected PC
V
Install virus scanner
Treatment
![Page 18: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/18.jpg)
Security Analysis Using CORAS
18
![Page 19: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/19.jpg)
Overview
What is CORAS?Main conceptsProcess of eight stepsRisk modelingSemanticsCalculusTool supportFurther reading
CORAS 19
![Page 20: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/20.jpg)
What is CORAS?CORAS consists of
Method for risk analysisLanguage for risk modelingTool for editing diagrams
Stepwise, structured and systematic processDirected by assetsConcrete tasks with practical guidelinesModel-driven
Models as basis for analysisModels as documentation of results
Based on international standards
CORAS 20
![Page 21: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/21.jpg)
Main Concepts
CORAS 21
Asset
Vulnerability
Threat
Consequence
Unwanted incident
Likelihood
Risk
Party
Treatment
![Page 22: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/22.jpg)
DefinitionsAsset: Something to which a party assigns value and hence for which the party requires protectionConsequence: The impact of an unwanted incident on an asset in terms of harm or reduced asset valueLikelihood: The frequency or probability of something to occurParty: An organization, company, person, group or other body on whose behalf a risk analysis is conductedRisk: The likelihood of an unwanted incident and its consequence for a specific assetRisk level: The level or value of a risk as derived from its likelihood and consequenceThreat: A potential cause of an unwanted incidentTreatment: An appropriate measure to reduce risk levelUnwanted incident: An event that harms or reduces the value of an assetVulnerability: A weakness, flaw or deficiency that opens for, or may be exploited by, a threat to cause harm to or reduce the value of an asset
CORAS 22
![Page 23: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/23.jpg)
Exercise I
How would you represent risk in UML sequence diagrams?
CORAS 23
![Page 24: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/24.jpg)
Process of Eight Steps1. Preparations for the analysis2. Customer presentation of the target3. Refining the target description using
asset diagrams4. Approval of the target description5. Risk identification using threat diagrams6. Risk estimation using threat diagrams7. Risk evaluation using risk diagrams8. Risk treatment using treatment
diagrams
CORAS 24
Establish context
Assess risk
Treat risk
![Page 25: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/25.jpg)
Risk ModelingThe CORAS language consists of five kinds of diagrams
Asset diagramsThreat diagramsRisk diagramsTreatment diagramsTreatment overview diagrams
Each kind supports concrete steps in the risk analysis processIn addition there are three kinds of diagrams for specific needs
High-level CORAS diagramsDependent CORAS diagramsLegal CORAS diagrams
CORAS 25
![Page 26: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/26.jpg)
Example: Threat Diagram
CORAS 26
Server is infectedby computer virus
[possible]
Virus protection not up to date
Servergoes down[unlikely] Availability
of serverComputer
virus
Likelihood
Virus creates back door to server[possible]
Hacker
Hacker gets access to server[unlikely]
Integrity of server
Confidentialityof information
0.2
0.1
Vulnerability
Threat
Threat scenario Unwanted incident
Asset
Likelihood
Consequence
![Page 27: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/27.jpg)
SemanticsHow to interpret and understand a CORAS diagram?Users need a precise and unambiguous explanation of the meaning of a given diagram
Natural language semanticsCORAS comes with rules for systematic translation of any diagram into sentences in English
Formal semanticsSemantics in terms of a probability space on traces
CORAS 27
![Page 28: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/28.jpg)
ExampleElements
Computer virus is a non-human threat.Virus protection not up to date is a vulnerability.Threat scenario Server is infected by computer virus occurs with likelihood possible.Unwanted incident Server goes down occurs with likelihood unlikely.Availability of server is an asset.
RelationsComputer virus exploits vulnerability Virus protection not up to date to initiate Server is infected by computer virus with undefined likelihood.Server is infected by computer virus leads to Server goes down with conditional likelihood 0.2.Server goes down impacts Availability of server with consequencehigh.
CORAS 28
![Page 29: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/29.jpg)
Calculus for Likelihood Reasoning
Relation
Mutually exclusive vertices
Statistically independent vertices
CORAS 29
![Page 30: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/30.jpg)
Guidelines for Consistency Checking
CORAS 30
![Page 31: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/31.jpg)
Tool SupportThe CORAS tool is a diagram editorSupports all kinds of CORAS diagramsSuited for on-the-fly modeling during workshopsEnsures syntactic correctnessMay be used during all the steps of a risk analysis
Documents input to the various tasksSelection and structuring of information during tasksDocumentation of analysis results
CORAS 31
![Page 32: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/32.jpg)
Screenshot
CORAS 32
Pull-down menu
Palette
Tool bar
Outline
Canvas
Properties window
![Page 33: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/33.jpg)
Where to Find the Tool
http://coras.sourceforge.net/Open source
CORAS 33
![Page 34: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/34.jpg)
Mandatory Reading
Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen: Chapter 3 "A Guided Tour of the CORAS Method" in the book "Model-Driven Risk Analysis: The CORAS Approach", 2011. Springer. The chapter can be downloaded freely.
Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen: Risk Analysis of Changing and Evolving Systems Using CORAS, 2011. LNCS 6858, Springer. Pages 231-274.
ONLY FOR INF9150: Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen: Chapter 13 "Analysing Likelihood Using CORAS Diagrams" in the book "Model-Driven Risk Analysis: The CORAS Approach", 2011
CORAS 34
![Page 35: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/35.jpg)
Criticism from System Developers
The CORAS language is too simplisticIt is too cumbersome to use graphicalicons
CORAS 35
![Page 36: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/36.jpg)
Criticism from Risk Analysts
What’s new with the CORAS language?We have been using something similar for years, namely VISIO!
CORAS 36
![Page 37: Security Analysis Part I: Basics · on Security Analysis Classify security concepts Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis](https://reader036.vdocuments.net/reader036/viewer/2022062403/5fd52844dfa761677c503af6/html5/thumbnails/37.jpg)
Exercise II
Discuss the statements made by thecritics?Argue why the critics are wrong.
CORAS 37