
9. Security Management

Security Management

CITS3004
Alvaro Monsalve


Agenda

1. IT Security Management
2. Security Standards
   1. ISO27000
   2. NIST Security Framework
3. Security Assessment and Models
   1. Attack Trees
   2. Attack Graphs
4. Digital Forensics

Overview

• Security requirements ask key security questions of the system
– What assets are to be protected?
– Which threats can compromise/damage the assets?
– What are the means to mitigate those threats?

• Security management aims to resolve those questions
– Define security objectives and potential threats
– Carry out security risk assessment (w.r.t. assets)
– Implement security solutions and monitoring

Terminology

Risk: The potential for an unwanted or adverse outcome resulting from an incident, event, or occurrence, as determined by the likelihood (or the potential) that a particular threat will exploit a particular vulnerability, with the associated consequences.

Vulnerability: A characteristic or specific weakness that renders an organization or asset (such as information or an information system) open to exploitation by a given threat or susceptible to a given hazard.

Exploitation: A technique to breach the security of a network or information system in violation of security policy.

Threat: A circumstance or event (including accidental and non-human related) that has or indicates the potential to exploit vulnerabilities and to adversely impact (create adverse consequences for) organizational operations, organizational assets (including information and information systems), individuals, other organizations, or society.

Asset: A person, structure, facility, information, records, information technology systems and resources, materials, processes, relationships, or reputation allowing entities (e.g., individuals, businesses and governments) to achieve social, economic, and other objectives of value.

Threats in Security (also for Dependability and Survivability)

Figure: taxonomy of threats, after Trivedi et al. (2009):
• Faults
  – Physical faults: node faults, link faults, power faults
  – Software bugs: Bohrbugs, Mandelbugs, aging-related bugs
• Attacks
  – Physical attacks: jamming, equipment behind enemy lines, link attack
  – Software-based attacks
    • Node attack: exploitation of a software vulnerability, changing configuration data
    • Infrastructure attack: spurious traffic (denial of service), "Byzantine generals" / man-in-the-middle attack
• Accidents/disasters

K. S. Trivedi, D. S. Kim, A. Roy and D. Medhi, "Dependability and security models," 2009 7th International Workshop on Design of Reliable Communication Networks, Washington, DC, 2009, pp. 11-20. doi: 10.1109/DRCN.2009.5340029

1. IT Security Management

• IT security management aims to achieve and maintain appropriate levels of confidentiality, integrity and availability of the system
• In addition, it also looks at accountability, authenticity, reliability, and other security objectives

IT Security Management

• Related tasks for IT security management include
– Specification of security objectives, strategies and policies
– Determination of organisational IT security requirements
– Security threat assessment of IT assets and risks
– Specification of appropriate security methods
– Implementation and maintenance of security methods
– Security awareness programme and adoption
– Detection and prevention of security incidents

Figure: dependability and security tree, after Trivedi et al. (2009, cited above):
• Threats: faults/attacks, errors, failures
• Attributes: confidentiality, integrity, availability (security attributes); reliability, safety, maintainability (dependability attributes); availability is shared by both
• Means: fault/intrusion prevention; fault/intrusion detection; fault/intrusion tolerance; fault/vulnerability removal; fault/intrusion forecasting

• IT security management is one of the IT system management tasks
• Dependability is also a significant aspect of IT system management

2. Security Standards

• ISO 27000 security standards
– About 36 standards (1)
– Widely used, but not freely available (the documents are purchased from ISO)
• NIST security framework
– Publicly available
– Broadly reviewed by government and industry professionals
– E.g., the SP800 series
  • E.g., SP800-12: computer security handbook
  • E.g., SP800-14: generally accepted security principles & practices, etc.

(1) http://www.iso27001security.com/index.html

Security Standards

• Information security management
– ISO27001 – information security management systems – requirements
– ISO27002 – code of practice for information security management
– ISO27003 – information security management system implementation guidance
– ISO27007 – guidelines for information security management systems auditing
– SP800-14 – generally accepted principles and practices for securing IT systems

• Security measurement
– ISO27004 – information security management – measurement
– SP800-55 – performance measurement guide for information security

• Security risk management
– ISO27005 – information security risk management
– SP800-30 – guide for conducting risk assessments
– SP800-37 – guide for applying the risk management framework to federal information systems: a security life cycle approach

• Incident management
– ISO27035 – security incident management
– SP800-61 – computer security incident handling guide

Security Management Process

Figure: the security management process
1. IT security policy
2. Organisational aspects
3. Security risk analysis, with four risk analysis options: baseline, informal, formal, combined
4. Security control selection
5. Development of security plan and procedures
6. Implementation: implement controls; security awareness & training
7. Follow-up: maintenance; security compliance; change management; incident handling

Security Risk Assessment

• A typical system includes many assets
– Confidential data, user details, operational policies, etc.
• It is infeasible to examine the risk to every asset in depth, given limited resources
• Use the best security risk assessment approach the organisation's resources allow
– Baseline: apply "industry best practice", i.e., implement standard safeguards against common threats
– Informal: conduct an informal, pragmatic/practical risk analysis
– Formal: assess the security risk using a formal, structured process
– Combined: a combination of the other approaches (e.g., baseline controls everywhere, formal analysis for the most critical systems)

2.1 ISO27001

ISMS process (http://www.27000.org/ismsprocess.htm):
1. Define information security policy
2. Define scope of ISMS
3. Perform risk assessment for scope of ISMS
4. Identified risk management decision
5. Selection of objectives and controls
6. Control implementation
7. Certification assessment: pass?
   – No: 8. Take corrective action, then return to step 7
   – Yes: 9. Certification granted

ISO27001 – 1. Define information security policy

To specify the set of security policies to follow.
Output: policy document

ISO27001 – 2. Define scope of ISMS

To define the scope of the information security management system, e.g., identify the threats the ISMS will mitigate and the security objectives it must satisfy.
Output: ISMS scope document

ISO27001 – 3. Perform risk assessment for scope of ISMS

Carry out a risk assessment given the scope of the ISMS and the security policy. This involves risk management and risk treatment.
Input: threats; risks; impacts; vulnerabilities
Output: risk assessment document

ISO27001 – 4. Identified risk management decision

Distribute tasks and identify responsibilities for managing the identified risks.
Input: company decision makers
Output: agreement document of accountabilities and responsibilities

ISO27001 – 5. Selection of objectives and controls

Produces the statement of applicability (SoA): the selection of controls to mitigate the risks and the reason for selecting each. It also records their implementation progress and the justification for every control that is not implemented.
Input: controls and guidance from ISO17799 (now ISO27002); any other controls
Output: statement of applicability (SoA)

ISO27001 – 6. Control implementation

Carry out implementation of the controls specified in the SoA.

ISO27001 – 7. Certification assessment

Review that all process steps are complete and the identified risks are mitigated.

ISO27001 – 8. Take corrective action

Revisit incomplete process steps and complete them as necessary.

ISO27001 – 9. Certification granted

The company is now ISO27001 certified.

ISO27001 Timeframe

Estimate: (figure not reproduced)

2.2 NIST SP800-30

• NIST SP800-30 (2002 edition) outlines 9 risk assessment activities:
1. System characterisation
2. Threat identification
3. Vulnerability identification
4. Control analysis
5. Likelihood determination
6. Impact analysis
7. Risk determination
8. Control recommendation
9. Results documentation

(SP800-30 Rev. 1, 2012, reorganises the process into prepare, conduct, communicate and maintain steps, but the same activities appear within them. ISO27005 covers the same ground and is not covered here.)

NIST SP800-30 – 1. System characterisation

Process to profile the system, e.g., find the system configuration, dependencies, operations, usage, etc.
Input: hardware; software; system interfaces; data and information; people; system mission
Output: system boundary; system functions; system and data criticality; system and data sensitivity

NIST SP800-30 – 2. Threat identification

Identify and understand the possible attacks on the system, e.g., the latest attack methods and approaches that can violate the security requirements of the system.
Input: history of system attacks; data from intelligence agencies, NIPC, OIG, FedCIRC, mass media, etc.
Output: threat statement

NIST SP800-30 – 3. Vulnerability identification

Locate vulnerabilities in the system, e.g., using vulnerability scanners and IDS reports.
Input: reports from prior risk assessments; any audit comments; security requirements; security test results
Output: list of potential vulnerabilities

NIST SP800-30 – 4. Control analysis

Identify and evaluate the effects of current and planned security controls, e.g., authentication will protect the system from external users.
Input: current controls; planned controls
Output: list of current and planned controls

NIST SP800-30 – 5. Likelihood determination

Consider the inputs to evaluate the likelihood (will someone exploit this?), e.g., a buffer overflow vulnerability found on a machine that is disconnected from the network has a low likelihood of exploitation, however severe the flaw itself is, because no threat source can reach it.
Input: threat-source motivation; threat capacity; nature of the vulnerability; current controls
Output: likelihood rating

NIST SP800-30 – 6. Impact analysis

Determine the significance of an attack to the system and the organisation, e.g., a compromised user profile database will prevent users from logging into the system to carry out their tasks.
Input: mission impact analysis; asset criticality assessment; data criticality; data sensitivity
Output: impact rating

NIST SP800-30 – 7. Risk determination

Combine the risk assessment results to determine the level of system security risk (e.g., a likelihood rating times an impact rating), which is used to prioritise security control selection (next activity).
Input: likelihood of threat exploitation; magnitude of impact; adequacy of planned or current controls
Output: risks and associated risk levels

NIST SP800-30 – 8. Control recommendation

Based on the risk assessment results, select the security controls to implement, e.g., update firewall rules, adopt a new security policy, deploy an IDS, etc.
Output: recommended controls

NIST SP800-30 – 9. Results documentation

Output: risk assessment report

Risk Treatment

• Different actions can be taken for identified risks
– Risk acceptance
  • Understand the risk but do not act on it (the residual risk is explicitly accepted by its owner)
– Risk avoidance
  • Take action so that the risk cannot arise at all
– Risk transfer
  • Shift the risk to other assets, processes or organisations
  • E.g., outsourcing to other organisations, insurance, etc.
– Reduce consequence
  • Implement security controls
  • E.g., off-site backup, disaster recovery plan, replication, etc.
– Reduce likelihood
  • Implement security controls
  • E.g., firewall, password complexity policy, etc.


3. Security Assessment

• Some key questions to answer in security assessment are:
– How to represent and capture various attack scenarios?
  • What kinds of attacks are applicable?
  • How can these attacks be carried out?
  • How do we measure their impact on the system?
– How to select the best security solutions and controls?
  • What is the best security practice for the given attack scenario?
  • What is the best security solution given these constraints?

Security Assessment

• Three main approaches (plus others)
1. Test on the real network: realistic result; low cost; time-consuming; disruption of service
2. Test on a duplicate of the real network (e.g., emulation): realistic result; high cost; time-consuming; no disruption
3. Model-based security assessment: model-dependent result; low cost; time-efficient; no disruption
4. Others

Use of Security Models

• Security models can be used to provide a systematic approach to assessing the security of systems
• Security models are one aspect of security assessment, which requires the "3M" (not the post-it guys):
– Security Measures: to collect the required information
– Security Metrics: to represent the analysis results
– Security Models: to capture the security information of the system

Security Measurement

• What do we want to measure?
– Vulnerabilities and their scores
  • Common Vulnerabilities and Exposures (CVE)
  • Common Vulnerability Scoring System (CVSS) base score (BS), e.g., 9 out of 10
– Reachability
  • Nmap (network mapping)
  • Network configuration (e.g., access control by firewalls)
– Mitigations
  • Detection (intrusion detection, vulnerability identification, ...)
  • Countermeasures (patches, firewall rule changes, ...)

Security Metrics

• What can we measure?
– Qualitative analysis (metrics)
  • Attack/countermeasure scenarios
  • Importance measures
  • ...
– Quantitative analysis (metrics)
  • Probability of attacks
  • Adversary's viewpoint
    – Cost of attack
    – Return on attack (ROA)
  • Defender's viewpoint
    – Risk = probability × impact
    – Security investment cost
    – Return on investment (ROI)
    – ...

Figure: security analysis split into qualitative analysis (mincuts, structural importance) and probabilistic analysis (probability of attacks, cost, impact, risk, ROI & ROA, Birnbaum importance).

• Another way to categorise security metrics:

Security Metrics

Figure: taxonomy of security metrics
• Host based
  – Without probability: attack cost; impact analysis; mean time to compromise; mean time to recovery; mean time to failure; mean time to breach; ...
  – With probability: probability of attack success; probability of detection; probability of success of a mitigation; ...
• Network based
  – Path based: shortest path; number of paths; mean path length; ...
  – Non-path based: critical vulnerability set; network compromise percentage; ...

Security Models

Figure: taxonomy of security models
• Tree based: attack trees; defense trees; attack countermeasure trees (ACT)
• Graph based: attack graphs
• Hybrid: hierarchical attack representation models (HARMs)

• Security models can...
– Capture and analyse attack scenarios
– Perform automated security analysis
– Compute optimal countermeasures
– Use various security metrics

Security Model Lifecycle

Figure: the security model lifecycle
1. Pre-processing: collect reachability information and vulnerability information from the network
2. Construction (generation): build/update the security model
3. Representation: visualisation/storage; other if necessary
4. Evaluation: security analysis using security metrics (e.g., probability of attack success, return on attack, risk = probability × impact, ...)
5. Modification: apply security best practices; change(s) in the network feed updated information back into the model (update)
3.1 Attack Trees

• Describe the security of systems and subsystems
• Specify and decompose attack goals and the steps to achieve them
• Evaluate the severity of different vulnerabilities in the system
• Help in making decisions to improve security

Bruce Schneier, Attack Trees, Dr. Dobb's J., 1999

Attack Trees

• Structure
– Represent attacks (and, in some variants, countermeasures) as a tree structure
– The root node is the goal of the attack
– Leaf nodes represent (atomic) attacks
– Logical gates connect the different attack events
  • E.g., AND or OR gates
  • AND: the attacker needs a swipe card AND the PIN
  • OR: the attacker needs to pick the lock OR break a window


Attack Trees

Example tree (the gate is marked on the parent node; nodes with a single child need none):
1. Adversary gains access to a user's personal information [OR]
  1.1 Gain direct access to the database
    1.1.1 Exploit a hole in a system application or the kernel
  1.2 Log in as target user [OR]
    1.2.1 Brute-force login [AND]
      1.2.1.1 Identify username
      1.2.1.2 Identify user password
    1.2.2 Steal user credentials
  1.3 Hijack user session
    1.3.1 Steal user session cookie
  1.4 Passively intercept personal data [AND]
    1.4.1 Identify user connection initiation
    1.4.2 Sniff network traffic for personal data

• Leaf nodes can be assigned values to evaluate ATs
– Boolean [e.g., possible/impossible]
– Continuous [e.g., cost in $, time]
– Other [e.g., probability, impact, risk]
– Combined [e.g., cheapest attack with high probability]

Attack Trees – possible or impossible?

Each leaf of the example tree is marked P (possible) or I (impossible); the slide's individual marks are not reproduced here. The values propagate upwards: an OR node is possible if any child is possible, an AND node only if all of its children are possible, so a single impossible leaf under an AND gate rules out that whole branch.

Attack Trees – calculate the attack cost

Leaf costs (from the slide): 1.1.1 $200; 1.2.1.1 $5; 1.2.1.2 $50; 1.2.2 $400; 1.3.1 $50; 1.4.1 $20; 1.4.2 $40
Rules: OR = min of the children, AND = sum of the children
Bottom-up: 1.2.1 = $5 + $50 = $55; 1.1 = $200; 1.2 = min($55, $400) = $55; 1.3 = $50; 1.4 = $20 + $40 = $60; root = min($200, $55, $50, $60) = $50
So the cheapest attack on the goal costs $50, via 1.3.1 (steal the user's session cookie).
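The evaluation above carried through in code, as an added example that is not part of the original slides. It encodes the slides' example tree with the leaf costs from the cost slide and folds the three kinds of leaf value bottom-up: cost (OR = min, AND = sum), possible/impossible (OR = any, AND = all), and a success probability (OR = 1 - prod(1 - p), AND = prod(p), which assumes independent leaves). The leaf probabilities and the one leaf marked impossible are constructed, not the slides' values; the `feasible_only` variant is the "combined" evaluation (cheapest attack among the possible ones).

```python
"""Bottom-up evaluation of an attack tree with AND/OR gates.

Added example, not code from the slides. It encodes the slides' tree ("Adversary gains
access to a user's personal information") with the leaf costs from the cost slide and
evaluates three kinds of leaf value:
  - cost (continuous):   OR = min of the children, AND = sum of the children
  - possible (Boolean):  OR = any child possible, AND = all children possible
  - probability:         OR = 1 - prod(1 - p), AND = prod(p)  (assumes independent leaves)
The leaf probabilities and the single impossible leaf are constructed for illustration.
"""
import math
from dataclasses import dataclass, field
from functools import reduce
from operator import mul
from typing import Callable, List, Optional


@dataclass
class Node:
    label: str
    gate: Optional[str] = None                     # "AND", "OR", or None for a leaf
    children: List["Node"] = field(default_factory=list)
    cost: float = 0.0                              # leaf: attacker cost in $
    possible: bool = True                          # leaf: can the attacker do this at all?
    prob: float = 0.0                              # leaf: probability the step succeeds

    def is_leaf(self) -> bool:
        return not self.children


def evaluate(node: Node, leaf_value: Callable, or_rule: Callable, and_rule: Callable):
    """Generic bottom-up fold: a leaf attribute at the leaves, a gate rule at internal nodes."""
    if node.is_leaf():
        return leaf_value(node)
    vals = [evaluate(c, leaf_value, or_rule, and_rule) for c in node.children]
    return or_rule(vals) if node.gate == "OR" else and_rule(vals)


def attack_cost(node: Node) -> float:
    return evaluate(node, lambda n: n.cost, min, sum)


def feasible_cost(node: Node) -> float:
    """Cost counting only possible leaves; math.inf means the (sub)goal cannot be reached."""
    return evaluate(node, lambda n: n.cost if n.possible else math.inf, min, sum)


def is_possible(node: Node) -> bool:
    return evaluate(node, lambda n: n.possible, any, all)


def success_prob(node: Node) -> float:
    return evaluate(node, lambda n: n.prob,
                    lambda ps: 1.0 - reduce(mul, (1.0 - p for p in ps), 1.0),
                    lambda ps: reduce(mul, ps, 1.0))


def cheapest_attack(node: Node, feasible_only: bool = False) -> Optional[List[str]]:
    """Leaf labels of the minimum-cost attack: the cheapest child at each OR gate, every child
    at each AND gate. feasible_only gives the 'combined' evaluation: impossible leaves are
    excluded, and None is returned when no feasible attack on this (sub)goal exists."""
    cost_of = feasible_cost if feasible_only else attack_cost
    if cost_of(node) == math.inf:
        return None
    if node.is_leaf():
        return [node.label]
    if node.gate == "OR":
        return cheapest_attack(min(node.children, key=cost_of), feasible_only)
    return [leaf for c in node.children for leaf in cheapest_attack(c, feasible_only)]


def build_tree() -> Node:
    """The slides' example tree. Costs are the slide's; prob and possible are constructed."""
    def leaf(label: str, cost: float, prob: float, possible: bool = True) -> Node:
        return Node(label, cost=cost, prob=prob, possible=possible)

    return Node("1 Adversary gains access to a user's personal information", "OR", [
        Node("1.1 Gain direct access to the database", "OR", [
            leaf("1.1.1 Exploit a hole in system application or kernel", 200, 0.2)]),
        Node("1.2 Log in as target user", "OR", [
            Node("1.2.1 Brute-force login", "AND", [
                leaf("1.2.1.1 Identify username", 5, 0.9),
                leaf("1.2.1.2 Identify user password", 50, 0.3)]),
            leaf("1.2.2 Steal user credentials", 400, 0.5)]),
        Node("1.3 Hijack user session", "OR", [
            # constructed: marked impossible to show how the combined evaluation changes the answer
            leaf("1.3.1 Steal user session cookie", 50, 0.4, possible=False)]),
        Node("1.4 Passively intercept personal data", "AND", [
            leaf("1.4.1 Identify user connection initiation", 20, 0.8),
            leaf("1.4.2 Sniff network traffic for personal data", 40, 0.6)]),
    ])


if __name__ == "__main__":
    t = build_tree()
    print("attack cost (OR=min, AND=sum):", attack_cost(t))
    print("cheapest attack:", cheapest_attack(t))
    print("cheapest feasible attack:", cheapest_attack(t, feasible_only=True))
    print("possible:", is_possible(t), " P(success):", round(success_prob(t), 4))
```

With the slide's costs the plain evaluation reproduces the $50 root value via 1.3.1; once that leaf is marked impossible, the combined evaluation falls through to the next cheapest branch, the $55 brute-force login (1.2.1.1 AND 1.2.1.2), which is the kind of answer a defender actually wants from the tree.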

Attack Trees

• Computations become more complex when different types of gates join the nodes
– Sequential AND, k-out-of-n gates, etc.
• Many variants of ATs exist
– Protection trees, defense trees, attack countermeasure trees, etc.
• Various tools can generate ATs
– SeaMonster
– AttackTree+ (commercial)
– SecurITree (commercial)
– ATSyRA
– Attack Navigator

3.2 Attack Graphs

• A similar technique to ATs
• Unlike ATs, AGs may have cyclic dependencies or merged states, and can represent
– State transition information
– The order of events
– Etc.

Attack Graphs

Figure: example network (from Albanese et al., 2012): three user hosts 0, 1 and 2; host 1 has the vulnerabilities ftp_rhosts, rsh, sshd_BoF and local_BoF; host 2 has ftp_rhosts, rsh and local_BoF.

M. Albanese, S. Jajodia, S. Noel, "A Time-Efficient and Cost Effective Network Hardening Using Attack Graphs", in Proc. IEEE DSN 2012
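An attack graph for the network in the figure, generated by forward search, as an added example that is not code from the slides or from Albanese et al. It takes the per-host vulnerability lists from the slide and adds constructed assumptions: the attacker starts with a user shell on host 0, host 2 is reachable only via host 1, and the exploit pre/postconditions are the usual simplification of this classic example (ftp_rhosts plants a trust relationship, rsh turns that trust into a user shell, sshd_bof and local_bof give root). Because facts only accumulate, the state graph is a DAG in which different exploit orders merge into the same state (the "merged states" point above), and the path-based metrics from the security metrics slide (shortest path, number of paths, mean path length) drop out of a path enumeration.

```python
"""Attack graph generation by forward search over attacker capabilities.

Added example, not code from the slides or from Albanese et al. It models the three-host
network on the slide (hosts 0, 1, 2; host 1 with ftp_rhosts, rsh, sshd_BoF, local_BoF;
host 2 with ftp_rhosts, rsh, local_BoF) as exploit templates with pre- and postconditions
and explores every attacker state reachable from host 0. Connectivity and the exact
pre/postconditions are constructed simplifications of the classic example: ftp_rhosts plants
a trust relationship, rsh uses that trust for a user shell, sshd_bof and local_bof give root.
Facts only accumulate (monotonic attacker), so the state graph is a DAG, several exploit
orders merge into the same state, and the path-based metrics from the metrics slide
(shortest path, number of paths, mean path length) can be computed directly.
"""
from collections import deque
from typing import Dict, FrozenSet, List, Tuple

# Constructed connectivity (src, dst, service): host 2 is reachable only via host 1.
CONNECTIVITY = {(0, 1, "ftp"), (0, 1, "ssh"), (0, 1, "rsh"), (1, 2, "ftp"), (1, 2, "rsh")}
# Vulnerabilities per host, as listed on the slide (host 0 is assumed to be the attacker's).
VULNS = {1: {"ftp_rhosts", "rsh", "sshd_bof", "local_bof"},
         2: {"ftp_rhosts", "rsh", "local_bof"}}
HOSTS = (0, 1, 2)
INITIAL: FrozenSet[str] = frozenset({"user@0"})
GOAL = "root@2"

State = FrozenSet[str]
Exploit = Tuple[str, FrozenSet[str], FrozenSet[str]]   # (name, preconditions, postconditions)
Graph = Dict[State, List[Tuple[str, State]]]


def exploit_instances() -> List[Exploit]:
    """Instantiate the exploit templates for every (source, target) pair the network allows."""
    ex: List[Exploit] = []
    for s in HOSTS:
        for t in HOSTS:
            if s == t:
                continue
            v = VULNS.get(t, set())
            if "ftp_rhosts" in v and (s, t, "ftp") in CONNECTIVITY:   # write .rhosts on t
                ex.append((f"ftp_rhosts({s},{t})", frozenset({f"user@{s}"}), frozenset({f"trust:{t}<{s}"})))
            if "rsh" in v and (s, t, "rsh") in CONNECTIVITY:          # log in via the trust
                ex.append((f"rsh({s},{t})", frozenset({f"user@{s}", f"trust:{t}<{s}"}), frozenset({f"user@{t}"})))
            if "sshd_bof" in v and (s, t, "ssh") in CONNECTIVITY:     # remote root
                ex.append((f"sshd_bof({s},{t})", frozenset({f"user@{s}"}), frozenset({f"user@{t}", f"root@{t}"})))
    for t in HOSTS:
        if "local_bof" in VULNS.get(t, set()):                          # privilege escalation
            ex.append((f"local_bof({t})", frozenset({f"user@{t}"}), frozenset({f"root@{t}"})))
    return ex


def build_attack_graph() -> Graph:
    """BFS over attacker states. An edge exists only if the exploit grants at least one new fact,
    so exploits that add nothing (e.g. local_bof(1) after sshd_bof already gave root) are not edges."""
    exploits = exploit_instances()
    graph: Graph = {}
    queue = deque([INITIAL])
    while queue:
        state = queue.popleft()
        if state in graph:
            continue
        graph[state] = []
        if GOAL in state:                 # goal states are terminal
            continue
        for name, pre, post in exploits:
            if pre <= state and not post <= state:
                nxt = state | post
                graph[state].append((name, nxt))
                queue.append(nxt)
    return graph


def attack_paths(graph: Graph) -> List[List[str]]:
    """Every exploit sequence from INITIAL to the first state containing GOAL (DFS over a DAG)."""
    paths: List[List[str]] = []

    def dfs(state: State, trail: List[str]) -> None:
        if GOAL in state:
            paths.append(trail)
            return
        for name, nxt in graph[state]:
            dfs(nxt, trail + [name])

    dfs(INITIAL, [])
    return paths


def path_metrics(graph: Graph) -> Dict[str, float]:
    lengths = [len(p) for p in attack_paths(graph)]
    return {"states": len(graph), "paths": len(lengths),
            "shortest": min(lengths), "mean_length": sum(lengths) / len(lengths)}


if __name__ == "__main__":
    g = build_attack_graph()
    print(path_metrics(g))
    print("shortest attack:", " -> ".join(min(attack_paths(g), key=len)))
```

Under these assumptions the graph has 14 states and 12 distinct attack paths to root on host 2; the shortest is four exploits (sshd_bof(0,1), ftp_rhosts(1,2), rsh(1,2), local_bof(2)), which is also the metric a hardening decision would start from: removing sshd_BoF on host 1 forces every path through the longer ftp_rhosts/rsh chain.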

Attack Graphs

• Many variants of AGs exist
– Logical AGs, Bayesian AGs, multiple-prerequisite AGs, etc.
• Tools are available to generate AGs
– NuSMV
– RedSeal (commercial)
– Skybox (commercial)
– Cauldron (commercial)
– CyGraph

What type do you use?

• It depends on various factors
– What metrics can I use?
– How efficient is the security assessment?
– What tools are available?
– What type of attacks can it model?
– Which systems can I use the model on?
– Etc.

Evolution of Security Models

Limitations

• Scalability issues
– Generating full attack models and evaluating all possible attack scenarios exhibits a state-space explosion
• Dynamic adjustment (adaptability) issues
– A change in the network system requires updates to the security model
• Automation of security decisions and countermeasure selection
– Requires intelligent security decision making and real-time adaptation and deployment of security solutions

• To address the scalability issues
– Adopt new modelling techniques
  • E.g., using hierarchy, etc.
– Implement efficient generation and evaluation algorithms
  • E.g., heuristics, dynamic programming solutions, etc.
– Anything else?
  • E.g., subgraph evaluation, parallel computing

• To address the dynamic adjustment issues
– Capture dynamic changes in the model
  • E.g., use of temporal graphs
– Real-time change detection mechanisms
  • E.g., real-time IDS, system logging, etc.
– Develop dynamic security metrics for evaluation
  • E.g., identifying persistent vulnerabilities, etc.

• To address the automation issues
– Develop intelligent security analysis modules
  • E.g., use of AI, machine learning, etc.
– A pool of countermeasures ready for implementation
  • E.g., security awareness, easy security solution adoption methods, etc.
– Secure system architecture planning and implementation
  • E.g., security forecasting, prediction, attacker profiling, etc.


4. Digital Forensics

• Digital forensic science:
"The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources for the purpose of facilitation or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations." (Palmer, 2001: 16)

• Digital evidence can be used for various reasons
• People who could be interested in digital evidence are:
– Legal people
  • E.g., criminal justice agencies, prosecutor's office/DA, attorneys and judges
– Business people
  • E.g., corporate counsel, company legal resources, human resources
– Security people
  • E.g., auditors, crackers/hackers

Digital Forensics

Process:
• Seizure: physical access to the digital asset
• Acquisition: duplication of the data in the seized asset (a bit-for-bit copy whose integrity is verified with cryptographic hashes, so that analysis never touches the original)
• Analysis: analysis of the data
• Report: produced for stakeholders

But:
• It can only be done AFTER an incident
• It only produces evidence of a violation
• It is a slow process dealing with a large quantity of data

Summary

• There are various security standards and frameworks internationally accepted as common practice
– E.g., the ISO and NIST security standards and frameworks
• They provide detailed procedures for organisations to follow in order to assess the security posture of their systems
• Many steps are involved, so security administrators should ensure that each step is done carefully and completely
• Automated tools can speed up the process and reduce human error

Additional Items

• Security standards and frameworks
– ISO: http://standards.iso.org/ittf/PubliclyAvailableStandards/
– ISO: http://www.iso27001security.com/index.html
– NIST: https://www.nist.gov/cyberframework
• Security models
– Kordy, B., Piètre-Cambacédès, L., and Schweitzer, P. "DAG-based attack and defense modeling: Don't miss the forest for the attack trees." Computer Science Review 13 (2014): 1-38.
– Hong, J. B., et al. "A survey on the usability and practical applications of graphical security models." Computer Science Review 26 (2017): 1-16.
– Visualisation (note: videos are not working): https://visualisation.trespass-project.eu/