Security Overview: Trends. Rafal Lukawiecki, Strategic Consultant, Project Botticelli Ltd (rafal@projectbotticelli.co.uk)

Page 1: Security Overview: Trends Rafal Lukawiecki Strategic Consultant Project Botticelli Ltd rafal@projectbotticelli.co.uk

Security Overview: Trends

Rafal Lukawiecki, Strategic Consultant

Project Botticelli Ltd

rafal@projectbotticelli.co.uk


Objectives

Overview of a process-oriented approach to security

Discuss the recent trends in approaching security issues


Session Agenda

Frameworks, Processes and Concepts

Issues

Trends


The Problem

We have (more than enough) security technologies, but we do not know how (and if) we are secure


Security Frameworks


Security

Definition (Cambridge Dictionary of English)

Ability to avoid being harmed by any risk, danger or threat

…therefore, in practice, an impossible goal

What can we do then?

Be as secure as needed

Ability to avoid being harmed too much by reasonably predictable risks, dangers or threats (Rafal’s Definition)


Adequate Security

CERT usefully suggests:

“A desired enterprise security state is the condition where the protection strategies for an organization's critical assets and business processes are commensurate with the organization's risk appetite and risk tolerances.” – www.cert.org/governance/adequate.html

Risk appetite: defined through executive decision; it determines the amount of risk worth taking to achieve enterprise goals and missions

Relates to risks that must be mitigated and managed

Risk tolerance: the residual risk that is accepted

Relates to risks for which no mitigation is put in place


Approaches for Achieving Security

Two approaches are needed:

Active, dynamic, transient

Implemented through behaviour and pattern analysis

Passive, static, pervasive

Implemented through cryptography


Holistic View of Security

Security should be:

Static and active, across all your assets, based on ongoing threat and risk assessment


Framework 1: Defense in Depth

Using a layered approach:

Increases an attacker’s risk of detection

Reduces an attacker’s chance of success

Layers (outermost to innermost) and the controls applied at each:

Policies, Procedures, & Awareness: user education against social engineering

Physical Security: guards, locks, tracking devices, HSM

Perimeter: firewalls, VPN quarantine

Internal Network: network segments, IPSec, NIDS

Host: OS hardening, update management, authentication

Application: application hardening, antivirus

Data: ACL, encryption


Secure Environment

A secure environment is a combination of:

Hardened hosts (nodes)

Intrusion Detection System (IDS)

Operating processes: standard and emergency

Threat modelling and analysis

Dedicated responsible staff: a Chief Security Officer (CSO) responsible for all of it

Continuous training: users and security staff, against “social engineering”


Framework 2: OCTAVE

Operationally Critical Threat, Asset and Vulnerability Evaluation

Carnegie-Mellon University guidance

Origin in 2001

Used by US military and a growing number of larger organisations

www.cert.org/octave


Concept of OCTAVE

Workshop-based analysis

Collaborative approach

Guided by an 18-volume publication

Very specific, with suggested timings, personnel selection etc.

www.cert.org/octave/omig.html

Smaller version, OCTAVE-S, for small and medium organisations

www.cert.org/octave/osig.html


OCTAVE Process: Progressive Series of Workshops

Planning (preparation before the workshops begin)

Phase 1: Organizational View, producing assets, threats, current practices, organisational vulnerabilities and security requirements

Phase 2: Technological View, producing technical vulnerabilities

Phase 3: Strategy and Plan Development, producing risks, a protection strategy and mitigation plans


Framework 3: Security Risk Analysis

A simplified approach, taking into account your assets’ exposure to security risks

Requires:

1. Identifying your assets

2. Assessing risks and their impact, probability and exposure

3. Formulating plans to reduce overall risk exposure


Risk Impact Assessment

For each asset and risk attach a measure of impact

Monetary scale if possible (difficult) or relative numbers with agreed meaning

E.g.: Trivial (1), Low (2), Medium (3), High (4), Catastrophic (5)

Example:

Asset: Internal MD mailbox

Risk: Access to content by press

Impact: Catastrophic (5)


Risk Probability Assessment

Now, for each entry, measure the probability that the loss will happen

Real probabilities (difficult) or a relative scale (easier) such as: Low (0.3), Medium (0.6) and High (0.9)

Example:

Asset: Internal MD mailbox

Risk: Access to content by press

Probability: Low (0.3)


Risk Exposure and Risk List

Multiply probability by impact for each entry: Exposure = Probability x Impact

Sort by exposure: high-exposure risks need very strong security measures

Lowest-exposure risks can be covered by default mechanisms or ignored

Example: press may access the MD mailbox: Exposure = P(Low=0.3) x I(Catastrophic=5) = 1.5

By the way, with these scales the minimum exposure is 0.3 and the maximum is 4.5 in our examples
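The risk list described above, as an added example that is not part of the slides: a small register built on the deck's relative scales, sorted by Exposure = Probability x Impact. The register entries other than the MD mailbox, and the treatment thresholds, are constructed for this example.

```python
# Added example (not from the slides): a risk register using the deck's
# relative impact and probability scales, computing Exposure = P x I and
# sorting so the highest-exposure risks get the strongest measures.
from dataclasses import dataclass

# Relative scales with agreed meaning, as on the slides.
IMPACT = {"Trivial": 1, "Low": 2, "Medium": 3, "High": 4, "Catastrophic": 5}
PROBABILITY = {"Low": 0.3, "Medium": 0.6, "High": 0.9}


@dataclass
class RiskEntry:
    asset: str
    risk: str
    impact: str        # a key of IMPACT
    probability: str   # a key of PROBABILITY

    def exposure(self) -> float:
        return round(PROBABILITY[self.probability] * IMPACT[self.impact], 2)


def scale_bounds() -> tuple[float, float]:
    """Minimum and maximum exposure reachable with these scales (0.3 and 4.5)."""
    return (round(min(PROBABILITY.values()) * min(IMPACT.values()), 2),
            round(max(PROBABILITY.values()) * max(IMPACT.values()), 2))


def risk_list(entries: list[RiskEntry]) -> list[tuple[str, str, float]]:
    """Sort by exposure, highest first; the top of the list needs a plan
    (mitigation, transfer, avoidance, contingency)."""
    ranked = sorted(entries, key=lambda e: e.exposure(), reverse=True)
    return [(e.asset, e.risk, e.exposure()) for e in ranked]


def treatment_band(exposure: float, high: float = 3.0, low: float = 0.6) -> str:
    """Thresholds are assumptions for this example, not taken from the deck."""
    if exposure >= high:
        return "strong measures"
    if exposure <= low:
        return "default mechanisms / accept"
    return "standard measures"


# Constructed register; the first entry is the deck's own worked example.
REGISTER = [
    RiskEntry("Internal MD mailbox", "Access to content by press", "Catastrophic", "Low"),
    RiskEntry("Public web server", "Defacement", "Medium", "High"),
    RiskEntry("Dev SQL server", "Data theft via SQL injection", "High", "Medium"),
    RiskEntry("Lobby kiosk", "Browser history read", "Trivial", "Low"),
]

if __name__ == "__main__":
    for asset, risk, exp in risk_list(REGISTER):
        print(f"{exp:4.2f}  {asset}: {risk} -> {treatment_band(exp)}")
```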


Mitigation and Contingency

For high-exposure risks plan:

Mitigation: Reduce its probability or impact (so exposure)

Transfer: Make someone else responsible for the risk

Avoidance: avoid the risk by not having the asset

Contingency: what to do if the risk becomes reality


Framework 4: Threat Modeling

Structured analysis aimed at:

Finding infrastructure vulnerabilities

Evaluating security threats

Identifying countermeasures

Originated from software development security threat analysis

1. Identify Assets

2. Create an Architecture Overview

3. Decompose the System

4. Identify the Threats

5. Document the Threats

6. Rate the Threats


STRIDE: A Technique for Threat Identification (Step 4)

Type of threat: examples

Spoofing: forging an email message; replaying authentication

Tampering: altering data during transmission; changing data in a database

Repudiation: deleting critical data and denying it; purchasing a product and denying it

Information disclosure: exposing information in error messages; exposing code on a web site

Denial of Service: flooding a web service with invalid requests; flooding the network with SYN packets

Elevation of Privilege: obtaining Administrator privileges; using an assembly in the GAC to create an account


Threat Tree

Root: Attack domain controller from inside (Inside Attack Enabled)

OR: either branch below is sufficient

Branch 1, AND (both conditions required):

SQL Injection: an application doesn’t validate user’s input and allows evil texts

Dev Server: unhardened SQL server used by internal developers

Branch 2, AND (both conditions required):

Messenger Xfer: novice admin uses an instant messenger on a server

Trojan Soc Eng: attacker sends a trojan masquerading as a network util
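Evaluating the threat tree above as an AND/OR tree, as an added example that is not from the slides. The tree shape follows the slide (root OR over two AND branches); the leaf likelihoods are constructed values on the deck's relative probability scale, and the independence assumption is the example's own.

```python
# Added example (not from the slides): propagate leaf likelihoods through an
# AND/OR threat tree and rank which single leaf is most worth mitigating.
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    gate: str = "LEAF"             # "AND", "OR" or "LEAF"
    likelihood: float = 0.0        # used only for leaves (constructed values)
    children: list["Node"] = field(default_factory=list)


def probability(node: Node) -> float:
    """AND: every child must succeed; OR: at least one child succeeds.
    Children are treated as independent events (an assumption)."""
    if node.gate == "LEAF":
        return node.likelihood
    ps = [probability(c) for c in node.children]
    if node.gate == "AND":
        p = 1.0
        for x in ps:
            p *= x
        return p
    if node.gate == "OR":
        p_none = 1.0
        for x in ps:
            p_none *= (1.0 - x)
        return 1.0 - p_none
    raise ValueError(f"unknown gate {node.gate}")


def leaves(node: Node) -> list[Node]:
    if node.gate == "LEAF":
        return [node]
    return [leaf for c in node.children for leaf in leaves(c)]


def mitigation_ranking(root: Node) -> list[tuple[str, float]]:
    """Reduction in root probability if each leaf alone is fully mitigated
    (likelihood set to 0), largest reduction first. Leaves are restored."""
    base = probability(root)
    out = []
    for leaf in leaves(root):
        saved, leaf.likelihood = leaf.likelihood, 0.0
        out.append((leaf.name, round(base - probability(root), 3)))
        leaf.likelihood = saved
    return sorted(out, key=lambda t: t[1], reverse=True)


# The slide's tree with constructed leaf likelihoods (Low 0.3 / Medium 0.6 / High 0.9).
TREE = Node("Attack domain controller from inside", "OR", children=[
    Node("SQL injection branch", "AND", children=[
        Node("SQL Injection", likelihood=0.6),
        Node("Dev Server", likelihood=0.9),
    ]),
    Node("Trojan branch", "AND", children=[
        Node("Messenger Xfer", likelihood=0.3),
        Node("Trojan Soc Eng", likelihood=0.6),
    ]),
])

if __name__ == "__main__":
    print(f"root probability: {probability(TREE):.3f}")
    for name, gain in mitigation_ranking(TREE):
        print(f"  mitigate {name}: -{gain}")
```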


Current Security Issues


Industry Issues for 2005-2006

Without undue generalisation:

Mobile security at data layer

Malware/spyware

Compliance auditing

Identity management

Patch/update management

Application defence

Intrusion detection


Mobile Security at Data Layer

Laptops and PDAs are rarely protected against physical data extraction

Encryption with removable keys is very effective, though deployment requires planning and is sometimes cumbersome

Smartcards plus EFS or an alternative system, such as PGP etc. can be applied

Data recovery needs (legal and practical) complicate the matter greatly


Spyware (Malware) Protection

90% of machines have malicious software, on average 28 separate spyware programs each (report by Earthlink & Webroot)

Zombies

Network bandwidth and CPU degradation

Commercial secrets leaked

Privacy destroyed

3rd party liability arises

Best practice:

SpyBot Search and Destroy (www.spybot.info)

Microsoft AntiSpyware (in beta)

AdAware

Limit use of administrative privileges for end-users


Compliance Auditing

An area of rapid growth, primarily due to Sarbanes-Oxley (“Sarbox”, or “Sox”) and EU data privacy regulation

In hands of specialised providers, mainly consulting business

Microsoft Operations Manager (MOM) can be applied for this purpose


Identity Management

Heterogeneity of authentication and security measures is a common fact

Don’t fight it, integrate it

Synchronisation between directories, no matter how different, is becoming a reality with solutions built on systems such as MIIS (Microsoft Identity Integration Server)

Alternatively, converge onto a client-solution, such as smartcards or OTP/tokens


Patch and Update Management

As of Sept 2005, Microsoft Update is fully functioning, and integrates, at present:

Windows OS updates

Office

SQL Server

Exchange

More Microsoft products being added over the next months

Enterprise solutions, however, will still benefit from a fully-managed software distribution system, such as SMS (Systems Management Server)


Application Defence

As networks and hosts become well protected, application-level attacks are on the increase

Other than for very new in-house applications, development security has rarely been a concern

This is a major area of worry from the perspective of both insider and outside attacks

Approaches:

Prove it’s safe (threat modelling)

Isolate-and-monitor

Replace


Treating Unproven Applications

Until proven to be secure, treat all applications as “evil”

Restrict access only to users on need-to-use basis

Restrict remote use

Isolate to dedicated application servers

Restrict servers through IPSec policies to only allow communication that applications explicitly require

Monitor usage patterns to establish a baseline and raise an alarm when the patterns vary

Enable stringent auditing

Request a formal threat analysis if the above restrictions are too severe
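The baseline-and-alarm idea from the list above, as an added example that is not from the slides: hourly usage records for an isolated application are summarised over a baseline period, and later records raise an alarm when volume deviates, an unknown user appears, or the source is outside the internal range. The log format, addresses, users and the 10.0.0.0/8 internal range are all constructed for this example.

```python
# Added example (not from the slides): establish a usage baseline for an
# unproven application and raise alarms when the observed pattern varies.
import statistics
from ipaddress import ip_address, ip_network

# Constructed hourly usage records: "<timestamp> <app> <user> <source-ip> <requests>"
LOG = """\
2005-09-12T09:00 payroll alice 10.0.1.12 118
2005-09-12T10:00 payroll alice 10.0.1.12 124
2005-09-12T11:00 payroll bob 10.0.1.20 121
2005-09-13T09:00 payroll alice 10.0.1.12 115
2005-09-13T10:00 payroll bob 10.0.1.20 119
2005-09-13T11:00 payroll alice 10.0.1.12 126
2005-09-14T09:00 payroll alice 10.0.1.12 120
2005-09-14T10:00 payroll bob 10.0.1.20 122
2005-09-14T14:00 payroll carol 203.0.113.7 123
2005-09-14T15:00 payroll alice 10.0.1.12 980
"""

# Assumption for the example: the dedicated application server should only
# ever be reached from the internal network ("restrict remote use").
INTERNAL = ip_network("10.0.0.0/8")


def parse(log: str) -> list[dict]:
    records = []
    for line in log.splitlines():
        ts, app, user, src, n = line.split()
        records.append({"ts": ts, "app": app, "user": user, "src": src, "requests": int(n)})
    return records


def baseline(records: list[dict], days: set[str]) -> dict:
    """Mean and population stdev of hourly request counts, plus the users
    seen, over the baseline days (dates given as YYYY-MM-DD)."""
    base = [r for r in records if r["ts"][:10] in days]
    counts = [r["requests"] for r in base]
    return {"mean": statistics.mean(counts), "stdev": statistics.pstdev(counts),
            "users": {r["user"] for r in base}}


def alarms(records: list[dict], base: dict, k: float = 3.0) -> list[tuple[str, str]]:
    """Flag hours whose volume is more than k stdevs from the baseline mean,
    users never seen during the baseline, and non-internal source addresses."""
    found = []
    for r in records:
        if abs(r["requests"] - base["mean"]) > k * base["stdev"]:
            found.append((r["ts"], "volume deviates from baseline"))
        if r["user"] not in base["users"]:
            found.append((r["ts"], "user not seen during baseline"))
        if ip_address(r["src"]) not in INTERNAL:
            found.append((r["ts"], "remote source address"))
    return found


if __name__ == "__main__":
    recs = parse(LOG)
    base = baseline(recs, {"2005-09-12", "2005-09-13"})
    for ts, reason in alarms(recs, base):
        print(f"ALARM {ts}: {reason}")
```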


Intrusion Detection

Intrusion Detection Systems (IDS) are still fairly basic, though network-level detection has grown in sophistication

Honeypots, i.e. monitored vulnerable servers exposed as “bait”, are still very effective, though they may pose legal problems


Trends for 2006


Network Security – IPv6

A major development for 2006+ will be gradual replacement of IPv4 with IPv6

Amongst the many benefits of this move, the crucial introduction of compulsory IPSec6 will provide much-needed authentication and confidentiality of data at wire level

Interesting issues still remain to be solved, but now is a very good time to seriously evaluate the technology

Windows Vista comes with a new IPv6 stack, as part of the entirely rewritten TCP/IP substrate, called “Next Generation TCP/IP”


Network Device Port Protection

Though long awaited, “802.1x for wired networks” is off to a confused start, as many basic devices, such as switches, are unlikely to support the technology as expected

With new infrastructure this technology might be useful in high-risk areas, especially exposed networks


Smartcards

While not a new technology, Microsoft’s support in Windows Vista promises a serious approach to solving deployment, manageability and developer issues

Infocard specification for developers

Alacris acquisition (20 Sept) for smartcard lifecycle management

Axalto deal for smartcard infrastructure

Windows Vista re-write of smartcard functionality


Biometrics

Overhyped: be careful and sceptical

Useful as a secondary protection of a private encryption key on a smartcard in a controlled environment

Advantage: simple, and works in some environments, e.g. immigration control or secondary authentication of staff

Weakness: not useful for at-home, remote etc. applications, as there is no way to ensure it is your real fingerprint, iris, retina etc. being scanned

Biometric data can be stolen and used to fake identity, and there is no way to change it later

Too many false positive and false negative matches


Application-level Protection

With .NET Framework 2.0 and SQL Server 2005 developers can use a plethora of security technologies – easily

Developers are increasingly seen as responsible for security

This extends even to database developers, previously unlikely to engage in cryptography or ACL management

It is very important that all in-house and vertical solution-provider application developers undergo security training

Refresher courses or workshops are a good idea

Community participation helps


Summary


Summary

Viewing security holistically combines perspectives of people, processes, technologies and requires ongoing research and education

Security goals oppose those of usability

Frameworks enable achieving security goals without facing unexpected costs

Network and host protections are fairly mature

Developer-oriented solutions to prevent application-level attacks must be employed


© 2005 Project Botticelli Ltd & Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. PROJECT BOTTICELLI AND MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN

THIS SUMMARY. You must verify all the information presented before relying on it. E&OE.


Welcome

Clare Dillon, Developer and Platform Group

Microsoft Ireland
