2. 22
ObjectivesObjectives
Define security in a practical, measurable, andDefine security in a practical, measurable, and
achievable wayachievable way
Introduce security frameworksIntroduce security frameworks
Introduce OCTAVEIntroduce OCTAVE
Introduce simple risk assessmentIntroduce simple risk assessment
Introduce the concepts of threat modelling forIntroduce the concepts of threat modelling for
enterprise securityenterprise security
Overview major security technologiesOverview major security technologies
5. 55
SecuritySecurity
Definition (Cambridge Dictionary of English)Definition (Cambridge Dictionary of English)
Ability to avoid being harmed by any risk, danger orAbility to avoid being harmed by any risk, danger or
threatthreat
……therefore, in practice, an impossible goaltherefore, in practice, an impossible goal
What can we do then?What can we do then?
Be as secure as neededBe as secure as needed
Ability to avoid being harmed too much byAbility to avoid being harmed too much by
reasonably predictable risks, dangers or threatsreasonably predictable risks, dangers or threats
(Rafal’s Definition)(Rafal’s Definition)
6. 66
ChallengeChallenge
Security must be balanced with usability (andSecurity must be balanced with usability (and
accessibility)accessibility)
Most secure = uselessMost secure = useless
Most useful = insecureMost useful = insecure
Know the balance you needKnow the balance you need
Factor the price: both security and usability cost a lotFactor the price: both security and usability cost a lot
7. 77
Cost-Effectiveness of SecurityCost-Effectiveness of Security
"Appropriate business security is that which"Appropriate business security is that which
protects the business from undue operationalprotects the business from undue operational
risks in a cost-effective manner.“ – Sherwood,risks in a cost-effective manner.“ – Sherwood,
20032003
Estimation of cost and effectiveness of securityEstimation of cost and effectiveness of security
requires knowledge and estimation of:requires knowledge and estimation of:
Assets to protectAssets to protect
Possible threats or lossesPossible threats or losses
Cost of their preventionCost of their prevention
Cost of contingenciesCost of contingencies
8. 88
Adequate SecurityAdequate Security
CERT usefully suggests:CERT usefully suggests:
““A desired enterprise security state is the condition where theA desired enterprise security state is the condition where the
protection strategiesprotection strategies for an organization's criticalfor an organization's critical assetsassets andand
businessbusiness processesprocesses are commensurate with the organization'sare commensurate with the organization's
risk appetiterisk appetite andand risk tolerancesrisk tolerances.” –.” –
www.cert.org/governance/adequate.htmlwww.cert.org/governance/adequate.html
Risk Appetite – defined through executive decision, influencesRisk Appetite – defined through executive decision, influences
amount of risk worth taking to achieve enterprise goals andamount of risk worth taking to achieve enterprise goals and
missionsmissions
Relates to risks that must be mitigated and managedRelates to risks that must be mitigated and managed
Risk Tolerance – residual risk acceptedRisk Tolerance – residual risk accepted
Relates to risk for which no mitigation would be in placeRelates to risk for which no mitigation would be in place
9. 99
11stst
ConclusionConclusion
As 100% security is impossible, you need to decide whatAs 100% security is impossible, you need to decide what
needs to be secured and how well it needs to beneeds to be secured and how well it needs to be
securedsecured
In other words, you need:In other words, you need:
Asset listAsset list
Threat analysis to identify risksThreat analysis to identify risks
Risk impact estimate for each assetRisk impact estimate for each asset
Ongoing process for reviewing assets, threats and risksOngoing process for reviewing assets, threats and risks
Someone responsible for this processSomeone responsible for this process
Operational procedures for responding to changing conditionsOperational procedures for responding to changing conditions
(emergencies, high risk etc.)(emergencies, high risk etc.)
10. 1010
Digital Security as Extension ofDigital Security as Extension of
Physical Security ofPhysical Security of Key AssetsKey Assets
Strong PhysicalStrong Physical
Security of KASecurity of KA
Strong DigitalStrong Digital
SecuritySecurity
Good SecurityGood Security
EverywhereEverywhere
Weak PhysicalWeak Physical
Security of KASecurity of KA
Strong DigitalStrong Digital
SecuritySecurity
InsecureInsecure
EnvironmentEnvironment
Strong PhysicalStrong Physical
Security of KASecurity of KA
Weak DigitalWeak Digital
SecuritySecurity
InsecureInsecure
EnvironmentEnvironment
11. 1111
Aspects of SecurityAspects of Security
Static, passive, pervasiveStatic, passive, pervasive
ConfidentialityConfidentiality
◄◄ Your data/service provides no useful information to unauthorisedYour data/service provides no useful information to unauthorised
peoplepeople
IntegrityIntegrity
◄◄ If anyone tampers with your asset it will be immediately evidentIf anyone tampers with your asset it will be immediately evident
AuthenticityAuthenticity
◄◄ We can verify that asset is attributable to its authors or caretakersWe can verify that asset is attributable to its authors or caretakers
IdentityIdentity
◄◄ We can verify who is the specific individual entity associated with yourWe can verify who is the specific individual entity associated with your
assetasset
Non-repudiationNon-repudiation
◄◄ The author or owner or caretaker of asset cannot deny that they areThe author or owner or caretaker of asset cannot deny that they are
associated with itassociated with it
12. 1212
Aspects of SecurityAspects of Security
Dynamic, active, transientDynamic, active, transient
AuthorisationAuthorisation
◄◄ It is clear what actions are permitted with respect to your assetIt is clear what actions are permitted with respect to your asset
LossLoss
◄◄ Asset is irrecoverably lost (or the cost of recovery is too high)Asset is irrecoverably lost (or the cost of recovery is too high)
Denial of access (aka denial of service)Denial of access (aka denial of service)
◄◄ Access to asset is temporarily impossibleAccess to asset is temporarily impossible
13. 1313
Approaches for Achieving SecurityApproaches for Achieving Security
Two approaches are needed:Two approaches are needed:
ActiveActive, dynamic, transient, dynamic, transient
Implemented throughImplemented through behaviour and pattern analysisbehaviour and pattern analysis
PassivePassive, static, pervasive, static, pervasive
Implemented throughImplemented through cryptographycryptography
14. 1414
Behaviour (Pattern) AnalysisBehaviour (Pattern) Analysis
Prohibits reaching an asset if access is out-of-pattern, e.g.:Prohibits reaching an asset if access is out-of-pattern, e.g.:
Password lock-out after N unsuccessful attemptsPassword lock-out after N unsuccessful attempts
Blocking packets at a router if too many come from a given sourceBlocking packets at a router if too many come from a given source
Denying a connection based on IPSec filter rulesDenying a connection based on IPSec filter rules
Stopping a user from seeing more than N records in a database perStopping a user from seeing more than N records in a database per
dayday
Time-out of an idle secure sessionTime-out of an idle secure session
““Active”Active”
Cannot always prevent unauthorised use of assetCannot always prevent unauthorised use of asset
Can prevent legitimate access – need easy and secure “unlock”Can prevent legitimate access – need easy and secure “unlock”
mechanismsmechanisms
Strength varies with sophistication on known attacksStrength varies with sophistication on known attacks
15. 1515
CryptographyCryptography
Using hard mathematics to implement passive securityUsing hard mathematics to implement passive security
aspects mentioned earlieraspects mentioned earlier
““Static”Static”
Cannot detect or prevent problems arising from a pattern ofCannot detect or prevent problems arising from a pattern of
behaviourbehaviour
Relies of physical security of Key Assets (such asRelies of physical security of Key Assets (such as
master private keys etc.)master private keys etc.)
Strength changes with time, depending on the power ofStrength changes with time, depending on the power of
computers and developments in cryptanalysiscomputers and developments in cryptanalysis
16. 1616
Future Security TechnologiesFuture Security Technologies
Behaviour analysis is under tremendousBehaviour analysis is under tremendous
development at presentdevelopment at present
Expect from Microsoft:Expect from Microsoft:
Microsoft Operations Manager 2005Microsoft Operations Manager 2005
Already available, more rules on their wayAlready available, more rules on their way
Active ProtectionActive Protection
Set of technologies for intrusion detection and automaticSet of technologies for intrusion detection and automatic
response and ongoing protectionresponse and ongoing protection
Imagine: MOM + IDS based on neural network +Imagine: MOM + IDS based on neural network +
GPOsGPOs
17. 1717
Holistic View of SecurityHolistic View of Security
Security should be:Security should be:
Static + ActiveStatic + Active
AcrossAcross
All Your AssetsAll Your Assets
Based OnBased On
Ongoing Threat Risk AssessmentOngoing Threat Risk Assessment
19. 1919
Defense in DepthDefense in Depth
Using a layered approach:Using a layered approach:
Increases an attacker’s risk of detectionIncreases an attacker’s risk of detection
Reduces an attacker’s chance of successReduces an attacker’s chance of success
Policies, Procedures, &
Awareness
Policies, Procedures, &
Awareness
OS hardening, update management,OS hardening, update management,
authenticationauthentication
Firewalls, VPN quarantineFirewalls, VPN quarantine
Guards, locks, tracking devices,Guards, locks, tracking devices,
HSMHSM
Network segments, IPSec, NIDSNetwork segments, IPSec, NIDS
Application hardening, antivirusApplication hardening, antivirus
ACL, encryptionACL, encryption
User education against socialUser education against social
engineeringengineering
Physical SecurityPhysical Security
PerimeterPerimeter
Internal NetworkInternal Network
HostHost
ApplicationApplication
DataData
20. 2020
Secure EnvironmentSecure Environment
A secure environment is a combination of:A secure environment is a combination of:
Hardened hosts (nodes)Hardened hosts (nodes)
Intrusion Detection System (IDS)Intrusion Detection System (IDS)
Operating ProcessesOperating Processes
Standard and EmergencyStandard and Emergency
Threat Modelling and AnalysisThreat Modelling and Analysis
Dedicated Responsible StaffDedicated Responsible Staff
Chief Security Officer (CSO) responsible for allChief Security Officer (CSO) responsible for all
Continuous TrainingContinuous Training
Users and security staff – against “social engineering”Users and security staff – against “social engineering”
21. 2121
ProcessesProcesses
Operating ProcessesOperating Processes
Microsoft Operations Framework (MOF)Microsoft Operations Framework (MOF)
IT Infrastructure LibraryIT Infrastructure Library
BS7799 and related ISOBS7799 and related ISO
Informal: Standard and Emergency Operating ProceduresInformal: Standard and Emergency Operating Procedures
Risk and Threat Analysis ProcessesRisk and Threat Analysis Processes
Simple Security Risk AnalysisSimple Security Risk Analysis
Attack Vectors and Threat ModellingAttack Vectors and Threat Modelling
OCTAVEOCTAVE
22. 2222
Operating ProcessesOperating Processes
As a minimum, defineAs a minimum, define
Standard Operating ProceduresStandard Operating Procedures
Set of security policies used during “normal” conditionsSet of security policies used during “normal” conditions
Could be based on Windows AD Group PoliciesCould be based on Windows AD Group Policies
Emergency Operating ProceduresEmergency Operating Procedures
Tighter policies used during “high-risk” or “under-attack”Tighter policies used during “high-risk” or “under-attack”
conditionsconditions
Aim for compliance with an overall operational processAim for compliance with an overall operational process
frameworkframework
E.g. Microsoft Operation Framework’s SLAs, OLAs and UCsE.g. Microsoft Operation Framework’s SLAs, OLAs and UCs
23. 2323
Education & ResearchEducation & Research
As minimum, you really need to subscribe to securityAs minimum, you really need to subscribe to security
advisories:advisories:
Microsoft Security Notification ServiceMicrosoft Security Notification Service
www.microsoft.com/securitywww.microsoft.com/security
CERTCERT
www.cert.orgwww.cert.org
SANS InstituteSANS Institute
www.sans.orgwww.sans.org
Other vendor-specificOther vendor-specific
CISCO, Oracle, IBM and so onCISCO, Oracle, IBM and so on
Apart from notifications, study available operationalApart from notifications, study available operational
security guidancesecurity guidance
www.microsoft.com/technet/securitywww.microsoft.com/technet/security
25. 2525
OCTAVEOCTAVE
Operationally Critical Threat, Asset andOperationally Critical Threat, Asset and
Vulnerability EvaluationVulnerability Evaluation
Carnegie-Mellon University guidanceCarnegie-Mellon University guidance
Origin in 2001Origin in 2001
Used by US military and a growing number of largerUsed by US military and a growing number of larger
organisationsorganisations
www.cert.org/octavewww.cert.org/octave
26. 2626
Concept of OCTAVEConcept of OCTAVE
Workshop-based analysisWorkshop-based analysis
Collaborative approachCollaborative approach
Guided by an 18-volume publicationGuided by an 18-volume publication
Very specific, with suggested timings, personnel selection etc.Very specific, with suggested timings, personnel selection etc.
www.cert.org/octave/omig.htmlwww.cert.org/octave/omig.html
Smaller version, OCTAVE-S, for small and mediumSmaller version, OCTAVE-S, for small and medium
organisationsorganisations
www.cert.org/octave/osig.htmlwww.cert.org/octave/osig.html
27. 2727
OCTAVE ProcessOCTAVE Process
Progressive Series of WorkshopsProgressive Series of Workshops
Phase 1
Organizational
View
Phase 2
Technological
View
Phase 3
Strategy and Plan
Development
Tech. Vulnerabilities
Planning
Assets
Threats
Current Practices
Org. Vulnerabilities
Security Req.
Risks
Protection Strategy
Mitigation Plans
30. 3030
ExamplesExamples
Asset:Asset:
Internal mailbox of your Managing DirectorInternal mailbox of your Managing Director
Risk Impact Estimate (examples!)Risk Impact Estimate (examples!)
Risk of loss: Medium impactRisk of loss: Medium impact
Risk of access by staff: High impactRisk of access by staff: High impact
Risk of access by press: Catastrophic impactRisk of access by press: Catastrophic impact
Risk of access by a competitor: High impactRisk of access by a competitor: High impact
Risk of temporary no access by MD: Low impactRisk of temporary no access by MD: Low impact
Risk of change of content: Medium impactRisk of change of content: Medium impact
31. 3131
Creating Your Asset ListCreating Your Asset List
List all of yourList all of your namednamed assets starting with theassets starting with the
most sensitivemost sensitive
Your list won’t ever be complete, keep updatingYour list won’t ever be complete, keep updating
as time goes onas time goes on
Create default “all other assets” entriesCreate default “all other assets” entries
Divide them into logical groups based on theirDivide them into logical groups based on their
probability of attacks or the risk of their “location”probability of attacks or the risk of their “location”
between perimetersbetween perimeters
32. 3232
Risk Impact AssessmentRisk Impact Assessment
For each asset and risk attach a measure of impactFor each asset and risk attach a measure of impact
Monetary scale if possible (difficult) or relative numbersMonetary scale if possible (difficult) or relative numbers
with agreed meaningwith agreed meaning
E.g.: Trivial (1), Low (2), Medium (3), High (4), Catastrophic (5)E.g.: Trivial (1), Low (2), Medium (3), High (4), Catastrophic (5)
Ex:Ex:
Asset: Internal MD mailboxAsset: Internal MD mailbox
Risk: Access to content by pressRisk: Access to content by press
Impact: Catastrophic (5)Impact: Catastrophic (5)
33. 3333
Risk Probability AssessmentRisk Probability Assessment
Now for each entry measure probability the lossNow for each entry measure probability the loss
may happenmay happen
Real probabilities (difficult) or a relative scaleReal probabilities (difficult) or a relative scale
(easier) such as: Low (0.3), Medium, (0.6), and(easier) such as: Low (0.3), Medium, (0.6), and
High (0.9)High (0.9)
Ex:Ex:
Asset: Internal MD mailboxAsset: Internal MD mailbox
Risk: Access to content by pressRisk: Access to content by press
Probability: Low (0.3)Probability: Low (0.3)
34. 3434
Risk Exposure and Risk ListRisk Exposure and Risk List
Multiply probability by impact for each entryMultiply probability by impact for each entry
ExposureExposure = Probability x Impact= Probability x Impact
Sort by exposureSort by exposure
High-exposure risks need very strong security measuresHigh-exposure risks need very strong security measures
Lowest-exposure risks can be covered by default mechanismsLowest-exposure risks can be covered by default mechanisms
or ignoredor ignored
Example:Example:
Press may access MD mailbox:Press may access MD mailbox:
Exposure = P(Low=0.3) x I(Catastrophic=5) = 1.5Exposure = P(Low=0.3) x I(Catastrophic=5) = 1.5
By the way, minimum exposure is 0.3 and maximum is 4.5 is ourBy the way, minimum exposure is 0.3 and maximum is 4.5 is our
examplesexamples
35. 3535
Mitigation and ContingencyMitigation and Contingency
For high-exposure risks plan:For high-exposure risks plan:
Mitigation: Reduce its probability or impact (soMitigation: Reduce its probability or impact (so
exposure)exposure)
Transfer: Make someone else responsible for the riskTransfer: Make someone else responsible for the risk
Avoidance: avoid the risk by not having the assetAvoidance: avoid the risk by not having the asset
Contingency: what to do if the risk becomes realityContingency: what to do if the risk becomes reality
37. 3737
Threat ModelingThreat Modeling
Structured analysis aimedStructured analysis aimed
at:at:
Finding infrastructureFinding infrastructure
vulnerabilitiesvulnerabilities
Evaluating security threatsEvaluating security threats
Identify countermeasuresIdentify countermeasures
Originated from softwareOriginated from software
development security threatdevelopment security threat
analysisanalysis
1. Identify Assets1. Identify Assets
2. Create an Architecture Overview2. Create an Architecture Overview
3. Decompose the System3. Decompose the System
4. Identify the Threats4. Identify the Threats
5. Document the Threats5. Document the Threats
6. Rate the Threats6. Rate the Threats
38. 3838
Architecture Diagram (Step 2)Architecture Diagram (Step 2)
Bob
Alice
Bill
Asset #4
Asset #1 Asset #2 Asset #3
Asset #5 Asset #6
IIS ASP.NET
Web Server
Login
State
Main
Database Server
FirewallFirewall
39. 3939
Decomposition (Step 3)Decomposition (Step 3)
Bob
Alice
Bill
IIS ASP.NET
Web Server Database Server
Trust
Forms Authentication URL Authorization
DPAPI Windows Authentication
FirewallFirewall
Login
State
Main
40. 4040
STRIDESTRIDE
A Technique for Threat Identification (Step 4)A Technique for Threat Identification (Step 4)
Type of ThreatType of Threat ExamplesExamples
SSpoofingpoofing Forging Email MessageForging Email Message
Replaying AuthenticationReplaying Authentication
TTamperingampering Altering data during transmissionAltering data during transmission
Changing data in databaseChanging data in database
RRepudiationepudiation Delete critical data and deny itDelete critical data and deny it
Purchase product and deny itPurchase product and deny it
IInformation disclosurenformation disclosure Expose information in error messagesExpose information in error messages
Expose code on web siteExpose code on web site
DDenial of Serviceenial of Service Flood web service with invalid requestFlood web service with invalid request
Flood network with SYNFlood network with SYN
EElevation of Privilegelevation of Privilege Obtain Administrator privilegesObtain Administrator privileges
Use assembly in GAC to create acctUse assembly in GAC to create acct
41. 4141
Threat TreeThreat Tree
Inside Attack
Enabled
Inside Attack
Enabled
Attack domain
controller
from inside
Attack domain
controller
from inside
SQL InjectionSQL Injection
An application
doesn’t validate
user’s input and
allows evil texts
An application
doesn’t validate
user’s input and
allows evil texts
Dev ServerDev Server
Unhardened
SQL server
used by internal
developers
Unhardened
SQL server
used by internal
developers
Messenger XferMessenger Xfer
Novice admin
uses an instant
messenger on a
server
Novice admin
uses an instant
messenger on a
server
Trojan Soc EngTrojan Soc Eng
Attacker sends
a trojan
masquerading
as network util
Attacker sends
a trojan
masquerading
as network util
OR
AND AND
42. 4242
Attack Vector in a Threat TreeAttack Vector in a Threat Tree
Theft of
Auth Cookies
Theft of
Auth Cookies
Obtain auth
cookie to
spoof identity
Obtain auth
cookie to
spoof identity
Unencrypted
Connection
Unencrypted
Connection
Cookies travel
over
unencrypted
HTTP
Cookies travel
over
unencrypted
HTTP
EavesdroppingEavesdropping
Attacker uses
sniffer to
monitor HTTP
traffic
Attacker uses
sniffer to
monitor HTTP
traffic
Cross-Site
Scripting
Cross-Site
Scripting
Attacker
possesses
means and
knowledge
Attacker
possesses
means and
knowledge
XSS
Vulnerability
XSS
Vulnerability
Application is
vulnerable to
XSS attacks
Application is
vulnerable to
XSS attacks
OR
AND AND
43. 4343
Document Threats (Step 5)Document Threats (Step 5)
DescriptionDescription TargetTarget RiskRisk AttackAttack
TechniquesTechniques
CountermeasuresCountermeasures
AttackerAttacker
obtainsobtains
credentialscredentials
User AuthUser Auth
processprocess
SnifferSniffer Use SSL to encryptUse SSL to encrypt
channelchannel
Injection ofInjection of
SQLSQL
commandscommands
Data AccessData Access
ComponentComponent
Append SQLAppend SQL
to user nameto user name
Validate user nameValidate user name
Parameterized storedParameterized stored
procedure for dataprocedure for data
accessaccess
47. 4747
SummarySummary
Viewing security holistically combines perspectives ofViewing security holistically combines perspectives of
people, processes, technologies and requires ongoingpeople, processes, technologies and requires ongoing
research and educationresearch and education
Security goals oppose those of usabilitySecurity goals oppose those of usability
Cost of protection is a factor that necessitates a riskCost of protection is a factor that necessitates a risk
assessmentassessment
Processes such as OCTAVE allow for threatProcesses such as OCTAVE allow for threat
identification as well as cost-effectiveness analysisidentification as well as cost-effectiveness analysis
Lower security needs can be solved with cheaper,Lower security needs can be solved with cheaper,
reactive approachesreactive approaches
High security needs require more expensive, formalHigh security needs require more expensive, formal
methodsmethods