InfoSec Forum VIII
Security Capability Modeling
Dan Houser, CISM, ISSAP, CISSP
17-May-06
Dec 2, 2017 2
Introduction
• Significant recent changes in velocity of business, and thus, IT
• Security models for determination of risk are becoming larger, not smaller
[Figure: chart with axes Knowledge and Speed, series labelled IT and Security]
Laws and Regulations
• eSecurity
• Sarbanes-Oxley Act of 2002
• Basel II Accord
• Privacy
• Gramm Leach Bliley Act
• HIPAA
• European Union Directive on Data Protection
• State, County & Municipality privacy laws
• FERPA
• FTC Act
• Bank Secrecy Act
• General Negligence Law
• Electronic Communications Privacy Act
• California SB 1386
• Other State Breach Notification Laws
• OFAC – OCC Rules
• USA Patriot Act
• SEC Regulations 10b(5)
• FTC Do-Not-Call Law
• Digital Millennium Copyright Act
• Super-DMCA
• Foreign Corrupt Practices Act
Failed but Scary:
• Feinstein Data Privacy Reporting Proposal
• Know Your Customer
• Putnam’s CISAA
• California Privacy Law
Rapid Business Model Changes
• Offshore, co-sourcing, co-location
• Tight market, next-quarter focus
• Highly fractal service & supply chains
• Very tight business integration
• Highly connected networks
• Kevin Bacon maneuver
Rapid Business Model Changes
Web Services Security is changing the rules:
• Extranet access to core systems
• RPC calls over HTTP
• Dynamic re-routing of SOAP packets
• Outsourced authentication through federated identity
• Autonomous systems
• Shrinking time to market, change control, and presentation layer
Security Compliance Group
Governance, inspection, assessments and periodic audit
[Figure: network diagram with firewall, DMZ, router and cloud between the Core Network and the Biz Partner Core]
Data collection points:
Employee Background, Drug Testing, Credit Checks, Bonding
Data Center Inspection
InfoSec Policies
HR Policies
Physical Security Standards
Policies/Standards review
Independent Audits
Independent Security Assessments
Attack & Penetration Tests
SAS-70
Disaster Recovery/Business Continuity Plan & Testing
Emergency Preparedness
Application/Infrastructure SC&A
Change Control Coordination
On-site Risk Assessments
Offsite Hosting & Hotsite agreements
BIA/Risk Assessment Documents
Firewall rules
Key management/PKI
Privacy policy
Test Data Anonymization
Segregation of NW/Partner data
Government Vetting or Audit results
Application Authentication model
Application Peak/Worst Response
Application SLA
CIRT Coordination
CIRT Capabilities
Current Approach to Managing Affiliate and Third-party Risk
• Top risk nn number of vendors receive onsite assessment, annually, at significant expense
• Medium risk vendors are assessed through document exchange
• Low risk vendors are given a pass
• Contracts & insurance applied liberally as a salve to conscience and burns (i.e. auditors)
Security Governance
Constant Vigilance
Minor security stance variations will erode over time (entropy)
[Figure: overlap of "Your Policy, Standards & Business Practices" with the "Affiliate Security Stance", shown at implementation and again after 6 months, with the Policy Gaps between them marked]
3rd Party Assessments: Death by 1000 cuts
After 100 Business Partner implementations:
• conduct periodic assessments of 100 partners,
• provide assessments to 100 partners,
• provide compliance with regulators,
• manage changes to the policy & posture space.
[Figure: three overlapping circles, Entities You Assess, Entities Assessing You, Regulators]
Problems with Current Approach
• If Top risk nn number of vendors receive onsite assessments, vendor nn+1 still has significant risk
• All are historical measurements – rarely getting out in front of the contract
• Difficult to quantify and compare
• Slippery slope – “They’re not much worse than company ABC.”
Goal: Rapid 3rd Party Assessments
• As business accelerates, risk management must evolve and accelerate
• Risk assessment must match SOA timelines
• What we need is a rapid smoke-test assessment that can be executed within dynamic, speed-to-market implementations
Risk Management
• Vulnerabilities
• Attacks
• Threat Agents
• Controls
Attacks
• Abuse of privilege
• Anti-virus
• ARP poisoning
• Assault
• Audit suppression
• Backup corruption
• Backup deletion/erasure
• Backup theft
• BIOS tampering
• Bomb threat
• Bribery
• Buffer overflow
• Cable cuts
• Cable splicing
• Civil unrest
• Collusion
• Component substitution
• Content-based attack
• Cookie decipherment
• Corruption
• Countermeasures
• Covert channel analysis
• Cross-site scripting
• Cryptanalysis
• Crypto DoS
• Daemon exploit
• Data diddling
• De-aggregation
• Deletion of data
• Denial of Service
• Disaster exploitation
• Disinformation campaign
• Disruption of Service
• DNS poisoning
• Drive lockout
• Dumpster diving
• Earth movement
• Eavesdropping
• Emergency procedure exploit
• Environmental corruption
• Environmental degradation
• Environmental failure
• Epidemic
• Error analysis
• Error insertion
• Errors & omissions
• Errors of commission
• Espionage
• Excess privilege
• Exploit
• Extortion
• False updates
• Fiber tapping
• Fin-syn
• Fingerprinting
• Fire
• Flooding
• Force
• Forced browsing
• Forged ID
• Fraud
• Half-open
• Hardware failure
• Hardware theft
• Hurricane
• HVAC exploitation
• IDS attack
• Impairment
• Impersonation
• Implied trust exploit
• Inappropriate defaults
• Inference analysis
• Injection attack
• Input overflow
• Insertion in transit
• Insufficient maintenance
• Interprocess comm. attack
• IPSEC IKE attack
• Job applicant espionage
• Key distribution attack
• Key management attack
• Kiting
• Low & Slow attacks
• MAC flooding
• Maintenance exploit
• Malicious code
• Malicious Hackers/Crackers
• Malware
• Man-in-the-Middle (MITM)
• MITM token attack
• Null session
• Observation
• Pandemic
• Password Cracking
• Password guessing
• Password jumper bypass
• PBX bugging
• Peer exploitation
• Phishing
• Physical entry
• Piggybacking
• Pillow talk
• Port scan
• Power disruption
• Privilege escalation
• Proxy attack
• Race condition
• Radiation monitoring
• Relocation
• Replay attack
• Reputation smear
• Resource availability exploit
• Restoration process exploit
• Rootkit
• Sabotage
• Salami slicing
• Sequence guessing
• Session hijacking
• Sniffing
• Social engineering
• Software patch substitute
• Solar flares
• Spam
• Spoofing
• SSH password attack
• SSL race condition
• Strategic deception
• Tactical deception
• Theft
• Threats
• Threshold attacks
• Threshold exploitation
• Timing analysis
• Timing attack
• Timing inference
• Traffic analysis
• Trojan horse
• Tsunami
• Typhoon
• Unauthorized updates
• Undocumented changes
• Undocumented processes
• Unicode spoof
• Van Eck phreaking
• Vibration
• VLAN hopping
• Volcano
• Voltage irregularity
• Vulnerability exploit
• War dialing
• Wire closet attack
• Wiretap
• Worm
Controls
• 802.11q (QoS/CoS)
• 802.1x
• Access approval process
• Alerts
• Anomaly detection
• Anomaly identification
• Anti-sniffer
• Application firewalls
• Audit logging
• Audit trails
• Available tools
• Background check
• Badge access
• Badge reader
• Biometrics
• BIOS password
• Centralized logging
• chroot'd execution
• CIRT process
• Closed Circuit TV (CCTV)
• Clustering
• Configuration management
• Cookie policy
• Database ACLs
• Deep packet inspection
• DHCP Authentication
• Document inspection
• EAP-TLS
• Encrypted cookies
• Encrypted pwd storage
• Endpoint compliance
• Endpoint healthcheck
• Escalation
• Escorted visitors
• Event monitoring
• Failure recognition and response
• Federation origination metadata
• File permission/ACLs
• FIPS-140
• Formal user registration
• Fraud detection controls
• Hardened kernel
• Hardware case alarms
• Hardware monitoring
• Heuristic analysis
• HIDS
• ID badge
• Identity verification process
• IDS
• Illegal software monitoring
• Incident response drill
• Individual accountability
• Intrusion Detection
• Intrusion Prevention
• Intrusion Response
• Investigation unit
• IPS
• IPSec
• Keystroke monitoring
• L2TP
• Law-enforcement collaboration
• LDAP
• LDAPS
• License auditing
• Lifestyle polygraph
• Locks
• MAC Authentication
• Media
• Monitoring
• Multi-factor authentication
• NIDS
• Out-of-band verification
• Passive detection
• Password masking
• Password policy
• Password reset process
• Password salt
• Pattern recognition
• PEAP
• Penetration testing
• Periodic drug testing
• Picture ID badges
• POST password
• Problem identification
• Problem resolution
• Provisioning
• Psychiatric profiling
• Psychiatric surveys
• r services disabled
• RADIUS
• Random session numbers
• Real-time analysis
• Reconstruction of events
• Reporting
• Reporting mechanisms
• Restricted cookie content
• Retention periods
• root login disabled
• Sampling and data extraction
• Secure password code
• Security events
• Security guards
• service accounts
• Session/state tracking
• Shadow file
• Signature-based detection
• SSL
• Strict sudo permissions
• System audit trails
• Tarpit
• TLS
• Traffic analysis
• Training & awareness
• Trend analysis
• Tripwire
• User authentication
• User logon
• Visitor log
• VLAN
• VPN
• Warning banners
• WEP
• Windowless datacenter
more???
Models
• Perhaps a model could help us organize this?
The sciences do not try to explain, they hardly even try to interpret, they mainly make models. By a model is meant a mathematical construct which, with the addition of certain verbal interpretations, describes observed phenomena. The justification of such a mathematical construct is solely and precisely that it is expected to work.
- Johann Von Neumann (1903 - 1957)
Image courtesy best-wallpapers.com.
No, not THAT kind of model!
[Image: the OSI reference model. Source: Wikipedia.org]
Building the Capability Model
• OSI 7-layer model, plus:
  • Data at rest
  • People
  • Process
  • Hardware
  • Operating Systems
• 12 layers to defend against attacks through the implementation of controls
[Figure: the twelve-layer stack: Data, People, Process, Application, Presentation, Session, Transport, Network, Data-Link, Physical, Hardware, Operating System]
Threat Assessment
Kudos to Dr. Cohen’s site, all.net
Data: salami slicing; DoS; corruption; inference analysis; de-aggregation; deletion of data; unauthorized updates; data diddling; cryptanalysis; spam; covert channels; password cracking; malware
People: impersonation; social engineering; extortion; bribery; force; bomb threat; pillow talk; job applicant; trojan horse; forged ID; collusion; phishing; strategic or tactical deception; peer relationship exploitation
Process: unauthorized changes; undocumented changes; undocumented processes; audit suppression; errors and omissions; kiting; backup corruption; error insertion and analysis; threshold analysis & exploit; key distribution attack; fraud
Threat Assessment
Application: input overflow; injection attack; maintenance; replay attack; race condition; piggybacking; audit suppression; password guessing; fingerprinting; IDS attack; malware; content-based attack; fraud; abuse of privileges
Presentation: key management attack; crypto DoS; Unicode spoof; forced browsing; man-in-the-middle attack
Session: session hijacking; sequence guessing; cookie decipherment; interprocess communication attack; SSL race condition; SSH password attack; null session
Transport: fin-syn; half-open; port scan; timing analysis & inference; IPSEC IKE attack
Network: spoofing; timing attack; insertion in transit; fingerprinting; proxy attack
Data-Link: MAC flooding; VLAN hopping; ARP poisoning
Threat Assessment
Physical: power disruption; cable cuts; splicing into cables; assault/DoS; bomb threat; physical entry; civil unrest; force; wire closet attack; voltage irregularity; PBX bugging; dumpster diving; fire; emergency procedure exploitation; earth movement; flooding; environmental degradation; environmental control loss; backup theft; piggybacking; theft; volcano; hurricane; tsunami; relocation; observation
Hardware: maintenance; hardware failure; solar flares; implied trust exploit; password jumper bypass; hardware theft; insufficient maintenance; environmental; Van Eck phreaking; force; component substitution; vibration; BIOS tampering; drive lockout
Operating System: false updates; environmental corruption; excess privilege exploitation; rootkit; resource availability exploitation; inappropriate defaults; vulnerability exploit; daemon exploit; restoration process corruption/mis-use
But wait, there’s more!
Photo courtesy South Coast Today, s-t.com
Building the Capability Model
• Environmental in nature
• Where?
[Figure: the twelve-layer stack, Data, People, Process, Application, Presentation, Session, Transport, Network, Data-Link, Physical, Hardware, Operating System]
Four Disciplines of Security Mgmt
Copyright 2005 by Peter Lindstrom. Used with permission of the author.
Peter Lindstrom, Spire Security, http://www.spiresecurity.com/fourdisciplines.asp
Four Disciplines of Security Management
• Identity Management: provisioning, authentication, user accounts, subjects & objects, web access control (WAM)
• Vulnerability Management: identification & remediation of vulnerabilities, A&P, firewalls, security engineering measures
• Threat Management: detect, respond, investigate, forensics, antivirus
• Trust Management: securing high-value systems, crypto, PKI, VPN, high-end access controls
Peter Lindstrom, Spire Security, http://www.spiresecurity.com/fourdisciplines.asp
Security Capability Modeling
[Figure: empty 12 x 4 grid; rows Data, People, Process, Application, Presentation, Session, Transport, Network, Data-Link, Physical, Hardware, Operating System; columns Identity, Threat, Trust, Vulnerability]
Security Capability Modeling
Controls placed in the model, Identity and Threat columns:
Data
  Identity: Database ACLs; LDAP encrypted password storage; password salt; federation origination metadata
  Threat: Anomaly detection; centralized logging & monitoring
People
  Identity: Background check; ID badge; federation and registration document inspection; biometrics; multi-factor authentication
  Threat: random drug testing; psychiatric profiling; training and awareness
Process
  Identity: Provisioning; cookie policy; password policy; password reset process; out-of-band identity validation; access approval process; identity verification processes; OFAC
  Threat: CIRT process; incident response exercises; security event management; malware ingress/egress scanning; law enforcement collaboration; incident drill; escalation; event correlation
Application
  Identity: Web Access Management; Single Sign-On; anomaly detection; secure password code; password masking
  Threat: anomaly detection; fraud detection controls; application firewall; centralized logging and monitoring
Presentation
  Identity: user authentication; file permissions; ACLs
  Threat: Configuration Management; failure recognition & response
Session
  Identity: session tracking; cookie management; user logon; password controls
  Threat: deep packet inspection; heuristic analysis; pattern recognition; signature-based detection
Transport
  Identity: TLS; SSL
  Threat: HIDS
Network
  Identity: IPSec; DHCP AuthN; 802.1x; ZECC/Mobile IP; RADIUS
  Threat: Network IDS; Intrusion Prevention (IPS); anti-sniffer analysis
Data-Link
  Identity: MAC AuthN; Next-Gen L2 AuthN; WEP; L2TP; VLAN L2 AuthN
  Threat: alerting & monitoring; tarpit; traffic analysis
Physical
  Identity: badge access controls; photo ID cards; escorted visitors; visitor log
  Threat: security patrols; entry alarms; investigation unit; incident drill; red team exercise
Hardware
  Identity: badge reader; biometrics; BIOS password; POST password; OTP token
  Threat: case alarms; FIPS-140; hardware monitoring
Operating System
  Identity: shadow file; salt; root login disabled; strict sudoers; services running as service accounts; multi-factor authentication
  Threat: Tripwire; HIDS; centralized logging and alerts; illegal software monitoring; license audit
Security Capability Modeling
Controls placed in the model, Trust and Vulnerability columns:
Data
  Trust: Encrypted data storage; secure key storage; HSM; Fortezza cards; information classification
  Vulnerability: two-phase commit; transaction tracking; replication; remote backup
People
  Trust: PKI; digital signature; split-key; dual controls; segregation of duties in key functions; need-to-know; least privilege
  Vulnerability: lifestyle polygraph; pre-hire drug testing; employee credit check; psychiatric profiling surveys; stress management counseling; social engineering testing; forced vacations
Process
  Trust: Key Escrow; Certification & Accreditation; change control; external audit validation; Attack & Penetration Testing; information classification
  Vulnerability: vulnerability assessment; configuration management; Attack & Penetration testing; change control; patch verification process; code walkthroughs; application building codes
Application
  Trust: S/MIME; LDAP-S; Secure NTP; Trusted Time; secure password code
  Vulnerability: secure coding; code scanning; field-level validation; screen validation; application firewall; security testing; third-party validation; NAT; hashing/batching totals
Presentation
  Trust: XML DSig; SOAP Encrypt; SMTP-TLS; message digest
  Vulnerability: XML validation; buffer overflow controls; chroot'd execution; warning banners
Session
  Trust: SCP; SSH; encrypted cookies; challenge-response
  Vulnerability: SSH; session management controls; random session numbers; restricted cookie content; state tracking standards
Transport
  Trust: VPN; TLS; SSL
  Vulnerability: 802.1q
Network
  Trust: IPSec
  Vulnerability: firewall
Data-Link
  Trust: L2 PKI; EAP-TLS; PEAP
  Vulnerability: walled garden / endpoint compliance
Physical
  Trust: pressurized fiber conduit; locked trays; air gapped systems; media controls; split-control zones
  Vulnerability: windowless datacenter; security guards; locks; fire-rated cabling
Hardware
  Trust: Fortezza cards; HSM; smart cards; random number generators
  Vulnerability: centralized procurement
Operating System
  Trust: hardened kernel; trusted system certification; validated and verified OS builds; patch verification; encrypted credentials; certified PRNG
  Vulnerability: r-services disabled; hardening scripts and templates; standard image; central image management; clustering; endpoint healthcheck; licensing validation
Third Party Risk Assessment
[Figure: the combined capability table, columns Identity, Threat, Trust, Vulnerability, showing the Data, People and Process rows with the controls listed on the two preceding slides]
• Map existing Data Collection Points into Capability Model
• Trial modeling of prior assessments to fine-tune scoring
• Initiate Assessment & Data Collection Process
• Determine controls in each node of the model
• Assign a score value for each node
Capture Gap Analysis for Compliance Reporting
[Figure: gap-analysis grid; rows Data, People, Process, Application, Presentation, Session, Transport, Network, Data-Link, Physical, Hardware, Operating System; columns Identity, Threat, Trust, Vulnerability. Per-node scores as extracted, cell positions lost: 2.5 -.25 2.5 2.1 -1.6 5.0 1.3 2.5 0.0 1.3 -1.3 5.0 0.0 3.7 2.5 1.3]
Overall 2.2 Advisories 12
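As an added example (not the presenter's tool or any code from the deck), the assessment procedure on the previous slide and the gap grid above carried through in Python: controls collected from an assessment are mapped into the 12 x 4 grid, each node gets a score, and the gap against a baseline gives an overall figure and an advisory count. The scoring rule, the control-catalogue subset and the vendor's questionnaire answers are constructed assumptions, not values from the slides.

```python
"""Toy scoring engine for the Security Capability Model (12 layers x 4 disciplines).

Added example, not the presenter's tool. The grid, per-node scoring, an overall
score and an advisory count come from the slides; the scoring rule is an assumption:
node score = 5.0 * fraction of the node's catalogued controls in place,
gap = assessed party's score - baseline score, advisory when the gap is negative.
"""
from collections import defaultdict
from statistics import mean

LAYERS = ["Data", "People", "Process", "Application", "Presentation", "Session",
          "Transport", "Network", "Data-Link", "Physical", "Hardware",
          "Operating System"]
DISCIPLINES = ["Identity", "Threat", "Trust", "Vulnerability"]

# Control catalogue: control -> (layer, discipline) node. A constructed subset of
# the placements on the slides' capability tables; a real model carries them all.
CATALOGUE = {
    "database ACLs": ("Data", "Identity"),
    "password salt": ("Data", "Identity"),
    "centralized logging": ("Data", "Threat"),
    "anomaly detection": ("Data", "Threat"),
    "encrypted data storage": ("Data", "Trust"),
    "HSM": ("Data", "Trust"),
    "remote backup": ("Data", "Vulnerability"),
    "replication": ("Data", "Vulnerability"),
    "CIRT process": ("Process", "Threat"),
    "incident drill": ("Process", "Threat"),
    "change control": ("Process", "Trust"),
    "vulnerability assessment": ("Process", "Vulnerability"),
    "patch verification process": ("Process", "Vulnerability"),
    "code walkthroughs": ("Process", "Vulnerability"),
    "TLS": ("Transport", "Identity"),
    "HIDS": ("Transport", "Threat"),
    "VPN": ("Transport", "Trust"),
    "root login disabled": ("Operating System", "Identity"),
    "Tripwire": ("Operating System", "Threat"),
    "hardened kernel": ("Operating System", "Trust"),
    "r-services disabled": ("Operating System", "Vulnerability"),
    "standard image": ("Operating System", "Vulnerability"),
}


def controls_per_node():
    """Group the catalogue by node so each node knows which controls it can hold."""
    nodes = defaultdict(set)
    for control, node in CATALOGUE.items():
        nodes[node].add(control)
    return nodes


def score_assessment(controls_in_place):
    """Map collected controls onto the grid and score each node 0.0 .. 5.0.

    Control names that do not match the catalogue are returned rather than
    silently dropped, so an unmappable questionnaire answer stays visible.
    """
    present = set(controls_in_place)
    unmapped = sorted(present - set(CATALOGUE))
    scores = {}
    for node, catalogued in controls_per_node().items():
        scores[node] = round(5.0 * len(present & catalogued) / len(catalogued), 1)
    return scores, unmapped


def gap_analysis(party_scores, baseline_scores):
    """Gap per node (party - baseline), overall mean gap, number of advisories."""
    gaps = {node: round(party_scores[node] - baseline_scores[node], 1)
            for node in baseline_scores}
    advisories = [node for node, gap in gaps.items() if gap < 0]
    return gaps, round(mean(gaps.values()), 1), len(advisories)


# Constructed sample data: the baseline has every catalogued control in place;
# the vendor list is what a questionnaire came back with.
BASELINE_CONTROLS = list(CATALOGUE)
VENDOR_CONTROLS = [
    "database ACLs", "centralized logging", "anomaly detection",
    "encrypted data storage", "remote backup", "CIRT process",
    "change control", "vulnerability assessment", "TLS", "HIDS", "VPN",
    "root login disabled", "hardened kernel", "standard image",
    "Fortezza cards",  # on the slides, but not in this constructed subset
]


def vendor_report():
    """Score the constructed vendor answers against the constructed baseline."""
    baseline, _ = score_assessment(BASELINE_CONTROLS)
    vendor, unmapped = score_assessment(VENDOR_CONTROLS)
    gaps, overall, advisories = gap_analysis(vendor, baseline)
    return gaps, overall, advisories, unmapped


if __name__ == "__main__":
    gaps, overall, advisories, unmapped = vendor_report()
    for layer in LAYERS:  # rows of the grid; n/a where this subset has no controls
        cells = [gaps.get((layer, d)) for d in DISCIPLINES]
        print(f"{layer:17s}", ["  n/a" if g is None else f"{g:5.1f}" for g in cells])
    print(f"Overall {overall}  Advisories {advisories}  Unmapped {unmapped}")
```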
Determine Gaps, Create Improvement Plan
• Issue: Malware
• Business Need: Data integrity, availability, avoid costly outbreaks.
• Existing State: Desktop scanning, with 90% compliance and 60% template update. Ingress/Egress e-mail scanning 99% effective.
• Forecast: Continued need, likely 2 major outbreaks in 2006-2007.
Determine Gaps, Create Improvement Plan
• Control Objective: Achieve 98% compliance with desktop AV, both installed and updated, by 10/2006, with zero outbreaks (more than 10 users) after 12/2006.
• Strategy
  • Create and give user awareness training on malware and defenses
  • Obtain licensing for employee home anti-virus protection, deploy
  • Initiate project to push Anti-Virus software with SMS; generate and remediate missed users
• Alternative Strategy
  • Implement endpoint compliance tool in active mode
Security Capability Model Benefits
• Quick smoke test
• Visual Map providing comparison:
  • Vendor to baseline
  • Vendor RFP bakeoff
  • Affiliate to baseline
  • Affiliate comparison
  • Merger & Acquisition ROI input
  • Year over year – progress report
• Easily consumed by upper management, non-technical users
• Open Source
Commentary
• What’s missing?
• How well does this meet your needs?
• Assessment for viability in your organization?
• Next steps?
[Figure: the empty 12 x 4 capability grid, rows Data through Operating System, columns Identity, Threat, Trust, Vulnerability]
Wrap-up
• Q&A
Dan Houser
Dan.houser@gmail.com

Security Capability Model - InfoSec Forum VIII

  • 1.
    InfoSec Forum VIII SecurityCapability Modeling Dan Houser, CISM, ISSAP, CISSP 17-May-06
  • 2.
    Dec 2, 20172 Introduction  Significant recent changes in velocity of business, and thus, IT  Security models for determination of risk are becoming larger, not smaller Knowledge 0 0 Speed IT Security
  • 3.
    Dec 2, 20173 Laws and Regulations  eSecurity  Sarbanes - Oxley Act of 2002  Basel II Accord  Privacy  Gramm Leach Bliley Act  HIPAA  European Union Directive on Data Protection  State, County & Municipality privacy laws  FERPA  FTC Act  Bank Secrecy Act  General Negligence Law  Electronic Communications Privacy Act  California (SB)1386  Other State Breach Notification Laws  OFAC –OCC Rules  USA Patriot Act  SEC Regulations 10b(5)  FTC Do-Not-Call Law  Digital Millennium Copyright Act  Super-DMCA  Foreign Corrupt Practices Act Failed but Scary:  Feinstein Data Privacy Reporting Proposal  Know Your Customer  Putnam’s CISAA  California Privacy Law
  • 4.
    Dec 2, 20174  Offshore, co-sourcing, co-location  Tight market, Next quarter focus  Highly fractal service & supply chains  Very tight business integration  Highly connected networks  Kevin Bacon maneuver Rapid Business Model Changes
  • 5.
    Dec 2, 20175 Web Services Security is changing the rules:  Extranet access to core systems  RPC calls over HTTP  Dynamic re-routing of SOAP packets  Outsourced authentication through federated identity  Autonomous systems  Shrinking time to market, change control, and presentation layer Rapid Business Model Changes
  • 6.
    Dec 2, 20176 Security Compliance Group Governance, inspection, assessments and periodic audit firewall DMZ Router Cloud Router firewallfirewall Core Network DMZ firewall Biz Partner Core Employee Background, Drug Testing, Credit Checks, Bonding Data Center Inspection InfoSec Policies HR Policies Physical Security Standards Policies/Standards review Independent Audits Independent Security Assessments Attack & Penetration Tests SAS-70 Disaster Recovery/Business Continuity Plan & Testing Emergency Preparedness Application/Infrastructure SC&A Change Control Coordination On-site Risk Assessments Offsite Hosting & Hotsite agreements BIA/Risk Assessment Documents Firewall rules Key management/PKI Privacy policy Test Data Anonymization Segregation of NW/Partner data Government Vetting or Audit results Application Authentication model Application Peak/Worst Response Application SLA CIRT Coordination CIRT Capabilities
  • 7.
    Dec 2, 20177 Current Approach to Managing Affiliate and Third-party Risk  Top risk nn number of vendors receive onsite assessment, annually, at significant expense  Medium risk vendors are assessed through document exchange  Low risk vendors are given a pass  Contracts & insurance applied liberally as a salve to conscience and burns (i.e. auditors)
  • 8.
    Dec 2, 20178 Security Governance Constant Vigilance Minor security stance variations will erode over time (entropy) At Implementation Your Policy, Standards & Business Practices Affiliate Security Stance Policy Gaps After 6 months Your Policy, Standards & Business Practices Affiliate Security Stance
  • 9.
    Dec 2, 20179 3rd Party Assessments: Death by 1000 cuts After 100 Business Partner implementations: • conduct periodic assessments of 100 partners, • provide assessments to 100 partners, • provide compliance with regulators, • manage changes to the policy & posture space. Entities You Assess Entities Assessing You Regulators
  • 10.
    Dec 2, 201710 Problems with Current Approach  If Top risk nn number of vendors receive onsite assessments, nn+1 still has significant risk  All are historical measurements – rarely getting out in front of the contract  Difficult to quantify and compare  Slippery slope – “They’re not much worse than company ABC.”
  • 11.
    Dec 2, 201711 Goal: Rapid 3rd Party Assessments  As business accelerates, risk management must evolve and accelerate  Risk assessment must match SOA timelines  What we need is a rapid smoke-test assessment that can be executed within dynamic, speed-to-market implementations
  • 12.
    Dec 2, 201712 Risk Management  Vulnerabilities  Attacks  Threat Agents  Controls
  • 13.
    Dec 2, 201713 Attacks  Abuse of privilege  Anti-virus  ARP poisoning  Assault  Audit suppression  Backup corruption  Backup deletion/erasure  Backup theft  BIOS tampering  Bomb threat  Bribery  Buffer overflow  Cable cuts  Cable splicing  Civil unrest  Collusion  Component substitution  Content-based attack  Cookie decipherment  Corruption  Countermeasures  Covert channel analysis  Cross-site scripting  Cryptanalysis
  • 14.
    Dec 2, 201714 Attacks  Crypto DoS  Daemon exploit  Data diddling  De-aggregation  Deletion of data  Denial of Service  Disaster exploitation  Disinformation campaign  Disruption of Service  DNS poisoning  Drive lockout  Dumpster diving  Earth movement  Eavesdropping  Emergency procedure exploit  Environmental corruption  Environmental degradation  Environmental failure  Epidemic  Error analysis  Error insertion  Errors & omissions  Errors of commission  Espionage
  • 15.
    Dec 2, 201715 Attacks  Excess privilege  Exploit  Extortion  False updates  Fiber tapping  Fin-syn  Fingerprinting  Fire  Flooding  Force  Forced browsing  Forged ID  Fraud  Half-open  Hardware failure  Hardware theft  Hurricane  HVAC exploitation  IDS attack  Impairment  Impersonation  Implied trust exploit  Inappropriate defaults  Inference analysis  Injection attack
  • 16.
    Dec 2, 201716 Attacks  Input overflow  Insertion in transit  Insufficient maintenance  Interprocess comm. attack  IPSEC IKE attack  Job applicant espionage  Key distribution attack  Key management attack  Kiting  Low & Slow attacks  MAC flooding  Maintenance exploit  Malicious code  Malicious Hackers/Crackers  Malware  Man-in-the-Middle (MITM)  MITM token attack  Null session  Observation  Pandemic  Password Cracking  Password guessing  Password jumper bypass  PBX bugging  Peer exploitation
  • 17.
    Dec 2, 201717 Attacks  Phishing  Physical entry  Piggybacking  Pillow talk  Port scan  Power disruption  Privilege escalation  Proxy attack  Race condition  Radiation monitoring  Relocation  Replay attack  Reputation smear  Resource availability exploit  Restoration process exploit  Rootkit  Sabotage  Salami slicing  Sequence guessing  Session hijacking  Sniffing  Social engineering  Software patch substitute  Solar flares
  • 18.
    Dec 2, 201718 Attacks  Spam  Spoofing  SSH password attack  SSL race condition  Strategic deception  Tactical deception  Theft  Threats  Threshold attacks  Threshold exploitation  Timing analysis  Timing attack  Timing inference  Traffic analysis  Trojan horse  Tsunami  Typhoon  Unauthorized updates  Undocumented changes  Undocumented processes  Unicode spoof  Van Eck phreaking  Vibration  VLAN hopping
  • 19.
    Dec 2, 201719 Terms: Attacks  Volcano  Voltage irregularity  Vulnerability exploit  War dialing  Wire closet attack  Wiretap  Worm
  • 20.
    Dec 2, 201720 Controls  802.11q (QoS/CoS)  802.1x  Access approval process  Alerts  Anomoly detection  Anomoly identification  Anti-sniffer  Application firewalls  Audit logging  Audit trails  Available tools  Background check  Badge access  Badge reader  Biometrics  BIOS password  Centralized logging  chroot'd execution  CIRT process  Closed Circuit TV (CCTV)  Clustering  Configuration management  Cookie policy  Database ACLs
  • 21.
    Dec 2, 201721 Controls  Deep packet inspection  DHCP Authentication  Document inspection  EAP-TLS  Encrypted cookies  Encrypted pwd storage  Endpoint compliance  Endpoint healthcheck  Escalation  Escorted visitors  Event monitoring  Failure recognition and response  Federation origination metadata  File permission/ACLs  FIPS-140  Formal user registration  Fraud detection controls  Hardened kernel  Hardware case alarms  Hardware monitoring  Heuristic analysis  HIDS  ID badge  Identity verification process
  • 22.
    Dec 2, 201722 Controls  IDS  Illegal software monitoring  Incidence response drill  Individual accountability  Intrusion Detection  Intrusion Prevention  Intrusion Response  Investigation unit  IPS  IPSec  Keystroke monitoring  L2TP  Law-enforcement collaboration  LDAP  LDAPS  License auditing  Lifestyle polygraph  Locks  MAC Authentication  Media  Monitoring  Multi-factor authentication  NIDS  Out-of-band verification
  • 23.
    Dec 2, 201723 Controls  Passive detection  Password masking  Password policy  Password reset process  Password salt  Pattern recognition  PEAP  Penetration testing  Periodic drug testing  Picture ID badges  POST password  Problem identification  Problem resolution  Provisioning  Psychiatric profiling  Psychiatric surveys  r services disabled  RADIUS  Random session numbers  Real-time analysis  Reconstruction of events  Reporting  Reporting mechanisms  Restricted cookie content
  • 24.
    Dec 2, 201724 Controls  Retention periods  root login disabled  Sampling and data extraction  Secure password code  Security events  Security guards  service accounts  Session/state tracking  Shadow file  Signature-based detection  SSL  Strict sudo permissions  System audit trails  Tarpit  TLS  Traffic analysis  Training & awareness  Trend analysis  Tripwire  User authentication  User logon  Visitor log
  • 25.
    Dec 2, 201725 Controls  VLAN  VPN  Warning banners  WEP  Windowless datacenter more???
  • 26.
    Dec 2, 201726 Models  Perhaps a model could help us organize this? The sciences do not try to explain, they hardly even try to interpret, they mainly make models. By a model is meant a mathematical construct which, with the addition of certain verbal interpretations, describes observed phenomena. The justification of such a mathematical construct is solely and precisely that it is expected to work. -Johann Von Neumann (1903 - 1957) Image courtesy best- wallpapers.com. No, not THAT kind of model!
  • 27.
    (Diagram; source: Wikipedia.org)
  • 28.
    Building the Capability Model
    • OSI 7-layer model, plus:
      • Data at rest
      • People
      • Process
      • Hardware
      • Operating Systems
    • 12 layers to defend against attacks through the implementation of controls: Data, People, Process, Application, Presentation, Session, Transport, Network, Data-Link, Physical, Hardware, Operating System
  • 29.
    Threat Assessment (kudos to Dr. Cohen's site, all.net)
    Data: salami slicing; DoS; corruption; inference analysis; de-aggregation; deletion of data; unauthorized updates; data diddling; cryptanalysis; spam; covert channels; password cracking; malware
    People: impersonation; social engineering; extortion; bribery; force; bomb threat; pillow talk; job applicant; trojan horse; forged ID; collusion; phishing; strategic or tactical deception; peer relationship exploitation
    Process: unauthorized changes; undocumented changes; undocumented processes; audit suppression; errors and omissions; kiting; backup corruption; error insertion and analysis; threshold analysis & exploit; key distribution attack; fraud
  • 30.
    Threat Assessment (continued)
    Application: input overflow; injection attack; maintenance; replay attack; race condition; piggybacking; audit suppression; password guessing; fingerprinting; IDS attack; malware; content-based attack; fraud; abuse of privileges
    Presentation: key management attack; crypto DoS; Unicode spoof; forced browsing; man-in-the-middle attack
    Session: session hijacking; sequence guessing; cookie decipherment; interprocess communication attack; SSL race condition; SSH password attack; null session
    Transport: fin-syn; half-open; port scan; timing analysis & inference; IPSEC IKE attack
    Network: spoofing; timing attack; insertion in transit; fingerprinting; proxy attack
    Data-Link: MAC flooding; VLAN hopping; ARP poisoning
  • 31.
    Threat Assessment (continued)
    Physical: power disruption; cable cuts; splicing into cables; assault/DoS; bomb threat; physical entry; civil unrest; force; wire closet attack; voltage irregularity; PBX bugging; dumpster diving; fire; emergency procedure exploitation; earth movement; flooding; environmental degradation; environmental control loss; backup theft; piggybacking; theft; volcano; hurricane; tsunami; relocation; observation
    Hardware: maintenance; hardware failure; solar flares; implied trust exploit; password jumper bypass; hardware theft; insufficient maintenance; environmental; Van Eck phreaking; force; component substitution; vibration; BIOS tampering; drive lockout
    Operating System: false updates; environmental corruption; excess privilege exploitation; rootkit; resource availability exploitation; inappropriate defaults; vulnerability exploit; daemon exploit; restoration process corruption/mis-use
  • 32.
    But wait, there's more! (Photo courtesy South Coast Today, s-t.com)
  • 33.
    Building the Capability Model
    • Environmental in nature
    • Where? (Figure: the twelve layers, Data, People, Process, Application, Presentation, Session, Transport, Network, Data-Link, Physical, Hardware, Operating System)
  • 34.
    Four Disciplines of Security Mgmt (figure). Copyright 2005 by Peter Lindstrom. Used with permission of the author. Peter Lindstrom, Spire Security, http://www.spiresecurity.com/fourdisciplines.asp
  • 35.
    Four Disciplines of Security Management
    • Identity Management: Provisioning, authentication, user accounts, subjects & objects, web access control (WAM)
    • Vulnerability Management: Identification & remediation of vulnerabilities, A&P, firewalls, security engineering measures
    • Threat Management: Detect, respond, investigate, forensics, antivirus
    • Trust Management: Securing high-value systems, crypto, PKI, VPN, high-end access controls
    Peter Lindstrom, Spire Security, http://www.spiresecurity.com/fourdisciplines.asp
  • 36.
    Security Capability Modeling (figure: the twelve layers, Data through Operating System, as rows against the four disciplines Identity, Threat, Trust and Vulnerability as columns)
  • 37.
    Security Capability Modeling: Identity and Threat columns
    Data
      Identity: Database ACLs; LDAP encrypted password storage; password salt; federation origination metadata
      Threat: Anomaly detection; centralized logging & monitoring
    People
      Identity: Background check; ID badge; federation and registration document inspection; biometrics; multi-factor authentication
      Threat: random drug testing; psychiatric profiling; training and awareness
    Process
      Identity: Provisioning; cookie policy; password policy; password reset process; out-of-band identity validation; access approval process; identity verification processes; OFAC
      Threat: CIRT process; incident response exercises; security event management; malware ingress/egress scanning; law enforcement collaboration; incident drill; escalation; event correlation
    Application
      Identity: Web Access Management; Single Sign-On; anomaly detection; secure password code; password masking
      Threat: anomaly detection; fraud detection controls; application firewall; centralized logging and monitoring
    Presentation
      Identity: user authentication; file permissions; ACLs
      Threat: Configuration Management; failure recognition & response
    Session
      Identity: session tracking; cookie management; user logon; password controls
      Threat: deep packet inspection; heuristic analysis; pattern recognition; signature-based detection
    Transport
      Identity: TLS; SSL
      Threat: HIDS
    Network
      Identity: IPSec; DHCP AuthN; 802.1x; ZECC/Mobile IP; RADIUS
      Threat: Network IDS; Intrusion Prevention (IPS); anti-sniffer analysis
    Data-Link
      Identity: MAC AuthN; Next-Gen L2 AuthN; WEP; L2TP; VLAN
      Threat: L2 AuthN alerting & monitoring; tarpit; traffic analysis
    Physical
      Identity: badge access controls; photo ID cards; escorted visitors; visitor log
      Threat: security patrols; entry alarms; investigation unit; incident drill; red team exercise
    Hardware
      Identity: badge reader; biometrics; BIOS password; POST password; OTP token
      Threat: case alarms; FIPS-140; hardware monitoring
    Operating System
      Identity: shadow file; salt; root login disabled; strict sudoers; services running as service accounts; multi-factor authentication
      Threat: Tripwire; HIDS; centralized logging and alerts; illegal software monitoring; license audit
  • 38.
    Security Capability Modeling: Trust and Vulnerability columns
    Data
      Trust: Encrypted data storage; secure key storage; HSM; Fortezza cards; information classification
      Vulnerability: two-phase commit; transaction tracking; replication; remote backup
    People
      Trust: PKI; digital signature; split-key; dual controls; segregation of duties in key functions; need-to-know; least privilege
      Vulnerability: lifestyle polygraph; pre-hire drug testing; employee credit check; psychiatric profiling surveys; stress management counseling; social engineering testing; forced vacations
    Process
      Trust: Key Escrow; Certification & Accreditation; change control; external audit validation; Attack & Penetration Testing; information classification
      Vulnerability: vulnerability assessment; configuration management; Attack & Penetration testing; change control; patch verification process; code walkthroughs; application building codes
    Application
      Trust: S/MIME; LDAP-S; Secure NTP; Trusted Time; secure password code
      Vulnerability: secure coding; code scanning; field-level validation; screen validation; application firewall; security testing; third-party validation; NAT; hashing/batching totals
    Presentation
      Trust: XML DSig; SOAP Encrypt; SMTP-TLS; message digest
      Vulnerability: XML validation; buffer overflow controls; chrooted execution; warning banners
    Session
      Trust: SCP; SSH; encrypted cookies; challenge-response
      Vulnerability: SSH; session management controls; random session numbers; restricted cookie content; state tracking standards
    Transport
      Trust: VPN; TLS; SSL
      Vulnerability: 802.1q
    Network
      Trust: IPSec
      Vulnerability: firewall
    Data-Link
      Trust: L2 PKI; EAP-TLS; PEAP
      Vulnerability: walled garden / endpoint compliance
    Physical
      Trust: pressurized fiber conduit; locked trays; air-gapped systems; media controls; split-control zones
      Vulnerability: windowless datacenter; security guards; locks; fire-rated cabling
    Hardware
      Trust: Fortezza cards; HSM; smart cards; random number generators
      Vulnerability: centralized procurement
    Operating System
      Trust: hardened kernel; trusted system certification; validated and verified OS builds; patch verification; encrypted credentials; certified PRNG
      Vulnerability: r-services disabled; hardening scripts and templates; standard image; central image management; clustering; endpoint healthcheck; licensing validation
  • 39.
    Third Party Risk Assessment
    (Figure: the Data, People and Process rows of the combined Identity / Threat / Trust / Vulnerability matrix from the two preceding slides.)
    • Map existing Data Collection Points into Capability Model
    • Trial modeling of prior assessments to fine-tune scoring
    • Initiate Assessment & Data Collection Process
    • Determine controls in each node of the model
    • Assign a score value for each node
  • 40.
    Capture Gap Analysis for Compliance Reporting
    (Figure: the scored capability model, layers Data through Operating System as rows against Identity, Threat, Trust and Vulnerability as columns. The score cells recoverable from the slide, in reading order:)
     2.5  -0.25   2.5   2.1
    -1.6   5.0    1.3   2.5
     0.0   1.3   -1.3   5.0
     0.0   3.7    2.5   1.3
    Overall: 2.2    Advisories: 12
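    A worked version of the scoring procedure from the two slides above (determine the controls in each node, assign each node a score, roll up an overall figure and report the gaps), as an added example. This is not code from the deck and not Houser's scoring method: the twelve layers and four disciplines are the deck's, but the -5..5 control weights, scoring a node as the mean of its weights, the gap threshold, the constructed vendor findings and the constructed baseline are all assumptions of this example.

```python
"""Security Capability Model scoring: 12 layers x 4 disciplines, one score per node.

Added example, not code from the original deck. LAYERS and DISCIPLINES are the
deck's; everything else (the -5..5 control weights, scoring a node as the mean
of its weights, the constructed vendor findings and baseline, the gap threshold)
is an assumption of this example, not Houser's scoring method.
"""
from statistics import mean

LAYERS = ["Data", "People", "Process", "Application", "Presentation", "Session",
          "Transport", "Network", "Data-Link", "Physical", "Hardware",
          "Operating System"]
DISCIPLINES = ["Identity", "Threat", "Trust", "Vulnerability"]
NODES = [(layer, disc) for layer in LAYERS for disc in DISCIPLINES]


def score_node(findings):
    """Score one node from its findings, a list of (control, weight).

    weight is in -5..5: positive for a control found present and effective,
    negative for a documented weakness. A node with no findings scores 0.0,
    i.e. "no evidence", which is deliberately distinct from a negative score.
    """
    if not findings:
        return 0.0
    for control, weight in findings:
        if not -5 <= weight <= 5:
            raise ValueError(f"weight out of range for {control!r}: {weight}")
    return round(float(mean(weight for _, weight in findings)), 1)


def build_model(assessment):
    """Turn {(layer, discipline): findings} into a full 48-node score map."""
    for node in assessment:
        if node not in NODES:
            raise ValueError(f"unknown node {node}")
    return {node: score_node(assessment.get(node, [])) for node in NODES}


def overall(model):
    """Single roll-up score for the management-level view."""
    return round(float(mean(model.values())), 1)


def gaps(model, baseline, threshold=1.0):
    """Nodes that fall short of the baseline by more than threshold, worst first.

    Returns [(node, delta)] with delta = model - baseline (negative = gap).
    """
    short = [(node, model[node] - baseline[node]) for node in NODES
             if baseline[node] - model[node] > threshold]
    return sorted(short, key=lambda item: item[1])


def advisories(model, floor=0.0):
    """Nodes scoring below the floor: known weaknesses, not merely unassessed."""
    return sorted(node for node in NODES if model[node] < floor)


def render(model):
    """Text grid: layers as rows, disciplines as columns."""
    lines = [f"{'':18}" + "".join(f"{d:>14}" for d in DISCIPLINES)]
    for layer in LAYERS:
        cells = "".join(f"{model[(layer, d)]:>14.1f}" for d in DISCIPLINES)
        lines.append(f"{layer:18}{cells}")
    return "\n".join(lines)


# Constructed sample assessment of a hypothetical vendor: the control names
# come from the deck's control lists, the weights are made up for this example.
VENDOR_FINDINGS = {
    ("Data", "Identity"): [("Database ACLs", 3), ("password salt", 2)],
    ("Data", "Threat"): [("centralized logging & monitoring", 4)],
    ("Data", "Trust"): [("Encrypted data storage", 3), ("HSM", 5)],
    ("Data", "Vulnerability"): [("remote backup", 2), ("no replication", -3)],
    ("People", "Identity"): [("Background check", 3), ("multi-factor authentication", 4)],
    ("People", "Vulnerability"): [("no forced vacations", -2)],
    ("Process", "Threat"): [("CIRT process", 2), ("incident drill", 1)],
    ("Network", "Trust"): [("IPSec", 4)],
    ("Network", "Vulnerability"): [("firewall", 3)],
    ("Operating System", "Identity"): [("root login disabled", 3), ("strict sudoers", 3), ("shadow file", 1)],
    ("Operating System", "Threat"): [("Tripwire", 2), ("no HIDS", -2)],
}

# Constructed baseline: what the organisation expects, 2.5 everywhere except
# two nodes it holds to a different bar.
BASELINE = {node: 2.5 for node in NODES}
BASELINE[("Network", "Vulnerability")] = 4.0
BASELINE[("Data", "Vulnerability")] = 2.0

if __name__ == "__main__":
    vendor = build_model(VENDOR_FINDINGS)
    print(render(vendor))
    print("overall:", overall(vendor))
    print("advisories:", advisories(vendor))
    for node, delta in gaps(vendor, BASELINE)[:5]:
        print(f"gap {delta:+.1f} at {node}")
```

    Two design points worth noting. An unassessed node scores 0.0 rather than being dropped, so it still shows up as a gap against a 2.5 baseline; the advisories list, by contrast, only reports nodes with a negative score, i.e. weaknesses that were actually found. And the gap test uses a strict threshold, so a node exactly one point below baseline (Process/Threat in the sample) is not reported; tune `threshold` to the organisation's tolerance.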
  • 41.
    Determine Gaps, Create Improvement Plan
    • Issue: Malware
    • Business Need: Data integrity, availability, avoid costly outbreaks.
    • Existing State: Desktop scanning, with 90% compliance and 60% template update. Ingress/Egress e-mail scanning 99% effective.
    • Forecast: Continued need, likely 2 major outbreaks in 2006-2007.
  • 42.
    Determine Gaps, Create Improvement Plan
    • Control Objective: Achieve 98% compliance with desktop AV, both installed and updated, by 10/2006, with zero outbreaks (more than 10 users) after 12/2006.
    • Strategy
      • Create and give user awareness training on malware and defenses
      • Obtain licensing for employee home anti-virus protection, deploy
      • Initiate project to push Anti-Virus software with SMS; generate and remediate missed users
    • Alternative Strategy
      • Implement endpoint compliance tool in active mode
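    The control objective above is only testable if "installed and updated" is measured the same way every month, and the SMS push strategy needs a list of the missed users to remediate. The report below, an added example that is not from the deck, does both over a constructed endpoint inventory. The 98% target is the deck's; treating "updated" as a signature no older than MAX_SIGNATURE_AGE_DAYS, the inventory rows and the shape of the remediation list are assumptions of this example.

```python
"""Desktop anti-virus compliance report against the control objective above.

Added example, not from the deck. The endpoint inventory is constructed sample
data; the 98% target is the deck's objective, but treating "updated" as a
signature no older than MAX_SIGNATURE_AGE_DAYS, and the report and remediation
shape, are assumptions of this example.
"""
from datetime import date

TARGET = 0.98                 # deck objective: 98% installed and updated
MAX_SIGNATURE_AGE_DAYS = 7    # assumption: older than this counts as not updated

# Constructed inventory: (host, user, av_installed, last_signature_date).
# None for the date means no signature has ever been applied.
INVENTORY = [
    ("ws-001", "alice", True, date(2006, 9, 28)),
    ("ws-002", "bob",   True, date(2006, 9, 10)),   # stale signatures
    ("ws-003", "carol", False, None),               # AV never installed
    ("ws-004", "dave",  True, date(2006, 10, 1)),
    ("ws-005", "erin",  True, date(2006, 9, 25)),   # exactly on the age limit
    ("ws-006", "frank", True, None),                # installed, never updated
    ("ws-007", "grace", True, date(2006, 9, 30)),
    ("ws-008", "heidi", True, date(2006, 9, 24)),   # one day past the limit
    ("ws-009", "ivan",  True, date(2006, 10, 2)),
    ("ws-010", "judy",  True, date(2006, 9, 29)),
]
AS_OF = date(2006, 10, 2)


def is_updated(sig_date, as_of, max_age=MAX_SIGNATURE_AGE_DAYS):
    """True when a signature date exists and is 0..max_age days old.

    A signature dated in the future is treated as not updated: it usually
    means a wrong clock on the endpoint, which the push job should look at.
    """
    return sig_date is not None and 0 <= (as_of - sig_date).days <= max_age


def compliance(inventory, as_of, target=TARGET):
    """Installed rate, update rate among installed hosts, and the combined
    'installed and updated' figure the objective is measured on."""
    total = len(inventory)
    installed = [row for row in inventory if row[2]]
    compliant = [row for row in installed if is_updated(row[3], as_of)]
    installed_rate = len(installed) / total if total else 0.0
    updated_rate = len(compliant) / len(installed) if installed else 0.0
    compliant_rate = len(compliant) / total if total else 0.0
    return {
        "total": total,
        "installed_rate": installed_rate,
        "updated_rate": updated_rate,
        "compliant_rate": compliant_rate,
        "meets_objective": compliant_rate >= target,
    }


def remediation_list(inventory, as_of):
    """Hosts the push job must touch: 'install' where AV is missing,
    'update' where signatures are absent or stale."""
    actions = []
    for host, user, installed, sig_date in inventory:
        if not installed:
            actions.append((host, user, "install"))
        elif not is_updated(sig_date, as_of):
            actions.append((host, user, "update"))
    return actions


def projected_compliance(inventory, as_of, remediated_hosts):
    """Re-run the report as if the listed hosts had been fixed today, to check
    whether the objective is reachable from the current remediation list."""
    fixed = set(remediated_hosts)
    patched = [(h, u, True, as_of) if h in fixed else (h, u, i, s)
               for h, u, i, s in inventory]
    return compliance(patched, as_of)


def report(inventory, as_of):
    """Human-readable summary plus the remediation list."""
    r = compliance(inventory, as_of)
    status = "met" if r["meets_objective"] else "NOT met"
    lines = [
        f"endpoints: {r['total']}",
        f"AV installed: {r['installed_rate']:.0%}",
        f"signatures current (of installed): {r['updated_rate']:.0%}",
        f"installed and current: {r['compliant_rate']:.0%} (target {TARGET:.0%}, {status})",
    ]
    for host, user, action in remediation_list(inventory, as_of):
        lines.append(f"  {action:8}{host} ({user})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(INVENTORY, AS_OF))
```

    On the constructed data the installed rate is 90% but only 60% of all endpoints are both installed and current, which is the figure the objective is scored on; reporting the install rate alone would overstate the position. The remediation list separates "install" from "update" because the SMS push for a missing client and the forced signature refresh are different jobs.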
  • 43.
    Security Capability Model Benefits
    • Quick smoke test
    • Visual Map providing comparison:
      • Vendor to baseline
      • Vendor RFP bakeoff
      • Affiliate to baseline
      • Affiliate comparison
      • Merger & Acquisition ROI input
      • Year over year – progress report
    • Easily consumed by upper management, non-technical users
    • Open Source
  • 44.
    Commentary
    • What's missing?
    • How well does this meet your needs?
    • Assessment for viability in your organization?
    • Next steps?
    (Figure: the twelve-layer by four-discipline capability model grid.)
  • 45.
    Wrap-up
    • Q&A
    Dan Houser, Dan.houser@gmail.com

Editor's Notes

  • #3 This should likely stay about the same. Break should hit at about 7:45
  • #28 multiprogramming - allows more than one active user program (or part of a user program) to be stored in main memory simultaneously.
    multi-tasking - programs are taking turns with the processor.
    multiprocessing - computer hardware configuration that includes more than one independent processing unit.
    networked computing system - collection of physically interconnected computers. The operating system of each of the interconnected computers must contain, in addition to its own stand-alone functionality, provisions for handling communication and transfer of programs and data among the other computers with which it is connected.
    virtual machine - any multi-user shared-resource operating system that gives each user the appearance of having sole control of all the resources of the system.