9. Security Management
CITS3004
Alvaro Monsalve

Agenda
1. IT Security Management
2. Security Standards
   1. ISO27000
   2. NIST Security Framework
3. Security Assessment And Models
   1. Attack Trees
   2. Attack Graphs
4. Digital Forensics

Overview
• Security requirements ask key security questions of the system
– What assets are to be protected?
– Which threats can compromise/damage the assets?
– What are the means to mitigate those threats?
• Security management aims to resolve those questions
– Define security objectives and potential threats
– Carry out security risk assessment (w.r.t. assets)
– Implement security solutions and monitoring

Terminology
Term: Meaning
Risk: The potential for an unwanted or adverse outcome resulting from an incident, event, or occurrence, as determined by the likelihood (or the potential) that a particular threat will exploit a particular vulnerability, with the associated consequences.
Vulnerability: A characteristic or specific weakness that renders an organization or asset (such as information or information system) open to exploitation by a given threat or susceptible to a given hazard.
Exploitation: A technique to breach the security of a network or information system in violation of security policy.
Threat: A circumstance or event (including accidental and non-human related) that has or indicates the potential to exploit vulnerabilities and to adversely impact (create adverse consequences for) organizational operations, organizational assets (including information and information systems), individuals, other organizations, or society.
Asset: A person, structure, facility, information, and records, information technology systems and resources, materials, process, relationships, or reputation allowing entities (e.g., individuals, businesses and governments) to achieve social, economic, and other objectives of value.

Threats in Security (also for Dependability and Survivability)
[Figure: taxonomy of threats. Threats divide into faults, attacks, and accidents/disasters. Faults: physical faults (node faults, link faults, power faults) and software bugs (Bohrbugs, Mandelbugs, aging-related bugs). Attacks: physical attacks and software-based attacks; attack labels shown: jamming, node attack, link attack, infrastructure attack, equipment behind enemy lines, exploitation of software vulnerability, spurious traffic (denial of service), “Byzantine generals” man-in-the-middle attack, change configuration data.]
K. S. Trivedi, D. S. Kim, A. Roy and D. Medhi, “Dependability and security models,” 2009 7th International Workshop on Design of Reliable Communication Networks, Washington, DC, 2009, pp. 11-20. doi: 10.1109/DRCN.2009.5340029

1. IT Security Management
• IT security management aims to achieve and maintain appropriate levels of confidentiality, integrity and availability of the system
• In addition, it also looks at accountability, authenticity, reliability, and other security objectives

IT Security Management
• Related tasks for IT security management include
– Specification of security objectives, strategies and policies
– Determine organisational IT security requirements
– Security threat assessments of IT assets and risks
– Specification of appropriate security methods
– Implementation and maintenance of security methods
– Security awareness program and adoption
– Detection and prevention of security incidents

IT Security Management
[Figure: dependability and security tree with three branches. Threats: faults/attacks, errors, failures. Attributes: confidentiality, integrity, availability (grouped as security), reliability, safety, maintainability. Means: fault/intrusion prevention, fault/intrusion detection, fault/intrusion tolerance, fault/vulnerability removal, fault/intrusion forecasting.]
K. S. Trivedi, D. S. Kim, A. Roy and D. Medhi, “Dependability and security models,” 2009 7th International Workshop on Design of Reliable Communication Networks, Washington, DC, 2009, pp. 11-20. doi: 10.1109/DRCN.2009.5340029
IT security management is one of the IT system management tasks.
Dependability is also a significant aspect of IT system management.

2. Security Standards
• ISO 27000 Security Standards
– About 36 standards [1]
– Widely used, but not public
• NIST Security Framework
– Publicly available
– Broadly reviewed by government and industry professionals
– E.g., SP800 series
• E.g., SP800-12: Computer security handbook
• E.g., SP800-14: Generally accepted security principles & practices etc.
[1] http://www.iso27001security.com/index.html

Security Standards
• Information Systems Management
– ISO27001 – information security management systems – requirements
– ISO27002 – Code of practice for information security management
– ISO27003 – information security management system implementation guidance
– ISO27007 – guidelines for information security management systems
– SP800-14 – generally accepted principles and practices for securing IT systems
• Security Measurement
– ISO27004 – information security management – measurement
– SP800-55 – performance measurement guide for information security
• Security Risk Management
– ISO27005 – information security risk management
– SP800-30 – guide for conducting risk assessments
– SP800-37 – guide for applying the risk management framework to federal information systems: a security life cycle approach
• Incident Management
– ISO27035 – Security incident management
– SP800-61 – computer security incident handling guide

Security Management Process
[Figure: security management process flow. Boxes shown: IT Security Policy; Organisational Aspects; Risk Analysis Options (Baseline, Informal, Formal, Combined); Security Risk Analysis; Security Control Selection; Development of Security Plan and Procedures; Implementation (Implement controls, Security Awareness & Training); Follow-up (Maintenance, Security Compliance, Change Management, Incident Handling).]

Security Risk Assessment
• A typical system includes many assets
– Confidential data, user details, operational policies etc.
• It is infeasible to examine the risk of all the assets due to limited resources
• Use the best security risk assessment approach given the organisation’s resources
– Baseline: use the “industry best practice”
• Implementing standard security and safeguards against common threats
– Informal: conduct informal, pragmatic/practical risk analysis
– Formal: assess the security risk using formal structured process
– Combined: combinations of other approaches

2.1 ISO27001
1. Define information security policy
2. Define scope of ISMS
3. Perform risk assessment for scope of ISMS
4. Identified risk management decision
5. Selection of objectives and controls
6. Control Implementation
7. Certification assessment
   Pass? Yes: go to step 9. No: go to step 8.
8. Take corrective action
9. Certification granted
http://www.27000.org/ismsprocess.htm

ISO27001: 1. Define information security policy
To specify a set of security policies to follow
Output
• Delivers policy document

ISO27001: 2. Define scope of ISMS
To define the scope of the information security management system
e.g., identify the threats the ISMS will mitigate and the security objectives to satisfy
Output
• Delivers ISMS scope document

ISO27001: 3. Perform risk assessment for scope of ISMS
Carry out risk assessment given the scope of ISMS and the security policy.
This involves risk management and risk treatment.
Input
• Threats
• Risks
• Impacts
• Vulnerabilities
Output
• Risk Assessment document

ISO27001: 4. Identified risk management decision
Distribute tasks and identify responsibilities for managing the identified risks
Input
• Company decision makers
Output
• Agreement document of accountabilities and responsibilities

ISO27001: 5. Selection of objectives and controls
Produces SoA, which is a selection of controls to mitigate risks and the reason for selecting them. Also specifies their progress on implementation, and explanations on why certain controls are not implemented.
Input
• Controls and guidance from ISO17799
• Any other controls
Output
• Produce statement of applicability (SoA)

ISO27001: 6. Control Implementation
Carry out implementation of controls specified in SoA.

ISO27001: 7. Certification assessment
Review that all process steps are complete and identified risks are mitigated.

ISO27001: 8. Take corrective action
Revisit incomplete process steps and complete them as necessary.

ISO27001: 9. Certification granted
The company is now ISO27001 certified.

ISO27001 Timeframe
Estimate:

2.2 NIST SP800-30
• NIST SP800-30 outlines 9 risk assessment activities
1. System characterisation
2. Threat identification
3. Vulnerability identification
4. Control analysis
5. Likelihood determination
6. Impact analysis
7. Risk determination
8. Control recommendation
9. Results documentation
Also ISO27005, but not covered.

NIST SP800-30: 1. System characterisation
Process to profile the system
e.g., find the system configuration, dependencies, operations, usage etc.
Input
• Hardware
• Software
• System interfaces
• Data and information
• People
• System mission
Output
• System boundary
• System functions
• System and data criticality
• System and data sensitivity

NIST SP800-30: 2. Threat identification
Identify and understand possibilities of attacks to the system
e.g., latest attack methods and approaches that can violate the security requirements of the system
Input
• History of system attack
• Data from intelligence agencies, NIPC, OIG, FedCIRC, mass media, etc
Output
• Threat statement

NIST SP800-30: 3. Vulnerability identification
Locate vulnerabilities in the system
e.g., using vulnerability scanners and IDS reports
Input
• Reports from prior risk assessments
• Any audit comments
• Security requirements
• Security test results
Output
• List of potential vulnerabilities

NIST SP800-30: 4. Control analysis
Identify and evaluate the effects of current and planned security controls
e.g., authentication will protect the system from external users
Input
• Current controls
• Planned controls
Output
• List of current and planned controls

NIST SP800-30: 5. Likelihood determination
Consider the inputs to evaluate the likelihood (will someone exploit this?)
e.g., found a BoF vulnerability on a machine which is disconnected from the network
Input
• Threat-source motivation
• Threat capacity
• Nature of vulnerability
• Current controls
Output
• Likelihood rating

NIST SP800-30: 6. Impact analysis
To determine the significance of an attack to the system and the organisation
e.g., compromised user profile database will disable users logging into the system to carry out their tasks
Input
• Mission impact analysis
• Asset criticality assessment
• Data criticality
• Data sensitivity
Output
• Impact rating

NIST SP800-30: 7. Risk determination
Take consideration of the risk assessment results and determine the level of the system security risk
e.g., to prioritise security control selection (next activity)
Input
• Likelihood of threat exploitation
• Magnitude of impact
• Adequacy of planned or current controls
Output
• Risks and associated risk levels

NIST SP800-30: 8. Control recommendation
Based on the risk assessment results, select the security control to implement
e.g., update firewall rules, adopt new security policy, deploy IDS etc.
Output
• Recommended controls

NIST SP800-30: 9. Results documentation
Output
• Risk assessment report

Risk Treatment
• Different actions can be taken for identified risks
– Risk acceptance
• Understand the risk but will not act on it
– Risk avoidance
• Take actions to prevent this risk from happening
– Risk transfer
• Shift the risk to other assets, processes or organisations
• E.g., outsourcing to other organisations, get insurance etc
– Reduce consequence
• Implement security controls
• E.g., off-site backup, disaster recovery plan, replications etc
– Reduce likelihood
• Implement security controls
• E.g., firewall, password complexity management/policy etc.

3. Security Assessment
• Some key questions to answer in security assessment are:
– How to represent and capture various attack scenarios?
• What kinds of attacks are applicable?
• How can these attacks be carried out?
• How do we measure their impact on the system?
– How to select the best security solutions and controls?
• What is the best security practice for the given attack scenario?
• What is the best security solution given these constraints?

Security Assessment
• Three main approaches
1. Test on a real network
• Realistic result, low cost, time-consuming, disruption of service
2. Test on a duplicated real network (e.g., emulation)
• Realistic result, high cost, time-consuming, no disruption
3. Model-based security assessment
• Model-dependent result, low cost, time-efficient, no disruption
4. Others

Use of Security Models
• Security models can be used to provide a systematic approach to assess the security of systems
• Security models are one aspect of the security assessment, which requires 3M (not the post-it guys)
– Security Measures: To collect required information
– Security Metrics: To represent the analysis results
– Security Models: To capture security information of the system

Security Measurement
• What do we want to measure?
– Vulnerabilities and their scores
• Common Vulnerabilities and Exposures (CVE)
• Common Vulnerability Scoring System (CVSS) Base Score (BS): e.g., 9 out of 10.
– Reachability
• Nmap (network mapping)
• Network Configurations (e.g., access control by firewalls)
– Mitigations
• Detection (Intrusion Detection, Vulnerability Identification, …)
• Countermeasure (Patch, firewall rules changes, …)

Security Metrics
• What can we measure?
– Qualitative Analysis (Metrics)
• Attack countermeasure scenarios
• Importance Measures
• …
– Quantitative Analysis (Metrics)
• Probability of Attacks
• Adversary’s viewpoint
– Cost of Attack
– Return on Attack (ROA)
• Defender’s Viewpoint
– Risk = Prob.*Impact
– Security Investment Cost
– Return on Investment (ROI)
– …
[Figure: security analysis tree. Qualitative analysis: mincuts, structural importance. Probabilistic analysis: prob. of attacks, cost, impact, risk, ROI & ROA, Birnbaum importance.]

Security Metrics
• Another way to categorise security metrics:
– Host based
• Without probability: attack cost, impact analysis, mean time to compromise, mean time to recovery, mean time to failure, mean time to breach, …
• With probability: probability of attack success, probability of detection, probability of success of a mitigation, …
– Network based
• Path based: shortest path, number of paths, mean of path, …
• Non-path based: critical vulnerability set, network compromise percentage, …

Security Models
[Figure: classification of security models. Tree based: Attack Trees, Defense Trees, Attack Countermeasure Trees (ACT)*, … Graph based: Attack Graphs, … Hybrid: Hierarchical Attack Representation models (HARMs).]

Security Models
• Security models can…
– Capture and analyse attack scenarios
– Perform automated security analysis
– Compute optimal countermeasures
– Use various security metrics

Security Model Lifecycle
[Figure: security model lifecycle. Reachability information and vulnerability information from the network are used to build/update the security model; security analysis of the model yields security metrics (prob. of attack success, return on attacks, risk = prob*I, …); applying security best practices and change(s) in the network feed updated information back into the model; the model can also go to visualisation/storage or other uses if necessary. Phase labels: Pre-processing, Construction, Evaluation, Modification, Representation (Generation).]

3.1 Attack Trees
• Describe security of systems and subsystems
• Specify and decompose attack goals and the steps to achieve them
• Evaluate the severity of different vulnerabilities in the system
• Help make decisions to improve security
Bruce Schneier, Attack Trees, Dr. Dobb’s J., 1999

Attack Trees
• Structure
– Represent the attacks and countermeasures as a tree structure
– Root node is the goal of the attack
– Leaf nodes represent (atomic) attacks
– Uses logical gates to connect different attack events
• E.g., uses of AND or OR gates
• Attacker needs a swipe card AND pin number
• Attacker needs to pick the lock OR break a window

Attack Trees
[Figure: attack tree diagram for the goal “Adversary gains access to a user’s personal information”; the same tree appears in text form on the following slide.]

Attack Trees
1. Adversary gains access to a user’s personal information
OR  1.1 Gain direct access to the database
        1.1.1 Exploit a hole in system application or kernel
    1.2 Log in as target user
    OR  1.2.1 Brute-force login
        AND 1.2.1.1 Identify username
            1.2.1.2 Identify user password
        1.2.2 Steal user credentials
    1.3 Hijack user session
        1.3.1 Steal user session cookie
    1.4 Passively intercept personal data
    AND 1.4.1 Identify user connection initiation
        1.4.2 Sniff network traffic for personal data

Attack Trees
• Leaf nodes can be assigned values to evaluate ATs
– Boolean [e.g., possible/impossible]
– Continuous [e.g., cost in $, time]
– Other [e.g., probability, impact, risk]
– Combined [e.g., cheapest attack with high probability]

Attack Trees: Possible or impossible?
[Figure: the same attack tree with each node labelled P (possible) or I (impossible).]

Attack Trees: Calculate the Attack Cost
[Figure: the same attack tree annotated with attack costs, combined with OR: min and AND: sum. Leaf costs shown: $50, $200, $5, $50, $400, $20, $40. Computed costs: 1.2.1 = $55; 1.1 = $200, 1.2 = $55, 1.3 = $50, 1.4 = $60; root = $50.]
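
The cost calculation on the slide above (OR: min, AND: sum), as an added example that is not part of the original slides. It evaluates the deck's attack tree with the leaf costs shown there, lists every attack scenario by cost, and re-evaluates the tree after a countermeasure makes a leaf impossible; which of $5 and $50 belongs to 1.2.1.1 versus 1.2.1.2 is an assumption, and the function names and the `blocked` parameter are illustrative.

```python
import math
from dataclasses import dataclass, field
from itertools import product

@dataclass
class Node:
    label: str
    gate: str = "LEAF"                        # "LEAF", "AND" or "OR"
    children: list = field(default_factory=list)
    cost: float = 0.0                         # leaf only: attacker's cost in $

def leaf(label, cost):
    return Node(label, cost=cost)

def attack_cost(node, blocked=frozenset()):
    """Cheapest cost to achieve `node`: OR = min, AND = sum (the slide's rules).
    Leaves listed in `blocked` are impossible, i.e. their cost is infinite."""
    if node.gate == "LEAF":
        return math.inf if node.label in blocked else node.cost
    costs = [attack_cost(child, blocked) for child in node.children]
    return sum(costs) if node.gate == "AND" else min(costs)

def attack_scenarios(node):
    """Every set of leaves that, carried out together, achieves `node`."""
    if node.gate == "LEAF":
        return [frozenset([node.label])]
    per_child = [attack_scenarios(child) for child in node.children]
    if node.gate == "OR":                     # any one child's scenario suffices
        return [s for scenarios in per_child for s in scenarios]
    # AND: pick one scenario from every child and merge them
    return [frozenset().union(*combo) for combo in product(*per_child)]

def leaf_costs(node):
    """Map leaf label -> cost for the whole subtree."""
    if node.gate == "LEAF":
        return {node.label: node.cost}
    out = {}
    for child in node.children:
        out.update(leaf_costs(child))
    return out

def ranked_scenarios(tree):
    """Attack scenarios as (total cost, sorted leaf labels), cheapest first."""
    cost = leaf_costs(tree)
    return sorted((sum(cost[l] for l in s), sorted(s)) for s in attack_scenarios(tree))

# The tree from the slides. Leaf costs are read from the cost slide; the split
# of $5 / $50 between 1.2.1.1 and 1.2.1.2 is assumed (their sum, $55, is given).
TREE = Node("1", "OR", [
    Node("1.1", "OR", [leaf("1.1.1", 200)]),
    Node("1.2", "OR", [
        Node("1.2.1", "AND", [leaf("1.2.1.1", 5), leaf("1.2.1.2", 50)]),
        leaf("1.2.2", 400),
    ]),
    Node("1.3", "OR", [leaf("1.3.1", 50)]),
    Node("1.4", "AND", [leaf("1.4.1", 20), leaf("1.4.2", 40)]),
])

if __name__ == "__main__":
    print("root cost:", attack_cost(TREE))
    for total, leaves in ranked_scenarios(TREE):
        print(f"${total:>4}  {' + '.join(leaves)}")
    # Defender's what-if: a control that stops session-cookie theft (1.3.1)
    # moves the cheapest attack to the next scenario in the ranking.
    print("root cost with 1.3.1 blocked:", attack_cost(TREE, blocked={"1.3.1"}))
```

The ranking shows what a single min/sum pass hides: blocking the cheapest leaf only raises the attacker's cost to that of the next scenario, so controls are best chosen against the ranked list rather than the root value alone.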

Attack Trees
• Computations become more complex when using different types of gates for joining leaf nodes
– Sequential AND, k-out-of-n gates etc…
• Many variants of the ATs
– Protection Trees, Defense Trees, Attack Countermeasure Trees etc…
• There are various tools to generate ATs
– SeaMonster
– AttackTree+ (commercial)
– SecuITree (commercial)
– ATSyRa
– Attack Navigator

3.2 Attack Graphs
• Similar technique to ATs
• Unlike ATs, AGs may have cyclic dependencies or merged states
– State transition information
– Order of events
– Etc.

Attack Graphs
[Figure: example network with three hosts (User (host) 0, User 1, User 2) and two per-host vulnerability lists: ftp_rhosts, rsh, sshd_BoF, local_BoF; and ftp_rhosts, rsh, local_BoF.]
M. Albanese, S. Jajodia, S. Noel, “A Time-Efficient and Cost Effective Network Hardening Using Attack Graphs”, in Proc. IEEE DSN 2012
• Many variants of the AGs
– Logical AGs, Bayesian AGs, Multiple prerequisite AGs, etc…
• There are tools available to generate AGs
– NuSMV
– RedSeal (commercial)
– Skybox (commercial)
– Cauldron (commercial)
– CyGraph
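
An added example (not from the slides or the cited paper) of model-based analysis on an attack graph: it builds exploit instances from reachability and vulnerability information, forward-chains to a fixpoint so that the cycle between hosts 1 and 2 is harmless, and reports which vulnerability types are critical for the goal. The reachability pairs, each exploit's pre/postconditions, the goal, and the assignment of the slide's two vulnerability lists to hosts 1 and 2 are assumptions for illustration.

```python
from collections import namedtuple

# One exploit instance: vulnerability `vuln` used from host src against host dst.
Exploit = namedtuple("Exploit", "vuln src dst pre post")

# Vulnerability information (lists from the slide; host assignment assumed).
VULNS = {1: {"ftp_rhosts", "rsh", "sshd_BoF", "local_BoF"},
         2: {"ftp_rhosts", "rsh", "local_BoF"}}
# Reachability information (assumed): host 0 is the attacker's machine and
# hosts 1 and 2 can reach each other, which creates a cycle in the graph.
REACH = {(0, 1), (0, 2), (1, 2), (2, 1)}

def build_exploits(vulns, reach):
    """Construct the model: one exploit per vulnerability and reachable pair."""
    exploits = []
    for dst, names in sorted(vulns.items()):
        if "local_BoF" in names:       # assumed: user on dst -> root on dst
            exploits.append(Exploit("local_BoF", dst, dst,
                                    {f"user({dst})"}, {f"root({dst})"}))
        for src in sorted(s for s, d in reach if d == dst):
            user, trust = f"user({src})", f"trust({dst},{src})"
            if "ftp_rhosts" in names:  # assumed: dst comes to trust src
                exploits.append(Exploit("ftp_rhosts", src, dst, {user}, {trust}))
            if "rsh" in names:         # assumed: needs that trust, gives user on dst
                exploits.append(Exploit("rsh", src, dst, {user, trust},
                                        {f"user({dst})"}))
            if "sshd_BoF" in names:    # assumed: gives user on dst directly
                exploits.append(Exploit("sshd_BoF", src, dst, {user},
                                        {f"user({dst})"}))
    return exploits

def attack_depths(exploits, initial, patched=frozenset()):
    """Forward-chain to a fixpoint. Returns {condition: fewest rounds needed}.
    Cycles are harmless: a round that adds no new condition ends the loop."""
    depth = {c: 0 for c in initial}
    step = 0
    while True:
        step += 1
        new = {}
        for e in exploits:
            if e.vuln not in patched and all(p in depth for p in e.pre):
                for q in e.post:
                    if q not in depth:
                        new[q] = step
        if not new:
            return depth
        depth.update(new)

def critical_vulnerabilities(exploits, initial, goal):
    """Vulnerability types whose removal everywhere makes `goal` unreachable."""
    kinds = sorted({e.vuln for e in exploits})
    return [k for k in kinds
            if goal not in attack_depths(exploits, initial, patched={k})]

EXPLOITS = build_exploits(VULNS, REACH)
INITIAL = {"user(0)"}    # assumed starting privilege of the attacker
GOAL = "root(2)"         # assumed attack goal

if __name__ == "__main__":
    depths = attack_depths(EXPLOITS, INITIAL)
    print("rounds to", GOAL, ":", depths.get(GOAL))
    print("critical vulnerabilities:",
          critical_vulnerabilities(EXPLOITS, INITIAL, GOAL))
```

In this constructed model sshd_BoF is not critical because ftp_rhosts followed by rsh reaches the same privilege, which is the kind of result a hardening decision needs before a patch is prioritised.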

What type do you use?
• Depends on various factors
– What metrics can I use?
– How efficient is the security assessment?
– What tools are available?
– What type of attacks can it model?
– Which systems can I use the model on?
– Etc…

Evolution of Security Models

Limitations
• Scalability issues
– The generation of full attack models and evaluation of all possible attack scenarios exhibit a state-space explosion
• Dynamic adjustment (Adaptability) issues
– A change in the network system causes updates in the security model
• Automating security decisions and countermeasure selections issues
– Requires intelligent security decision making and real-time adaptation and deployment of security solutions.

Limitations
• To address the scalability issues
– Adopt new modelling techniques
• E.g., using hierarchy, etc…
– Implement efficient generation and evaluation algorithms
• E.g., heuristic, dynamic programming solutions, etc…
– Anything else?
• E.g., subgraph evaluation, parallel computing

Limitations
• To address the dynamic adjustment issues
– Capture dynamic changes using the model
• E.g., use of temporal graphs
– Real-time change detection mechanisms
• E.g., real-time IDS, system logging etc…
– Develop dynamic security metrics for evaluations
• E.g., identifying persistent vulnerability etc…

Limitations
• To address the automation issues
– Develop intelligent security analysis modules
• E.g., use of AI, machine learning etc…
– Pool of countermeasures for implementations
• E.g., security awareness, easy security solution adoption methods etc…
– Secure system architecture planning and implementation
• E.g., security forecast, prediction, attacker profiling etc…

Digital Forensics
• Digital Forensic Science
“The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources for the purpose of facilitation or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.” (Palmer, 2001: 16)

Digital Forensics
• Digital evidence can be used for various reasons.
• People who could be interested in digital evidence are:
– Law people
• E.g. Criminal justice agencies, Prosecutor’s Office/DA, Attorneys, and Judges
– Business people
• E.g. Corporate Counsels, Company Legal resources, Human Resources
– Security people
• E.g. Auditors, Crackers/Hackers

Digital Forensics
Seizure: Physical access to the digital asset
Acquisition: Duplication of data in the digital asset obtained
Analysis: Analysis of the data
Report: Produced for stakeholders
But:
• It can only be done AFTER an incident
• Only produces evidence of violation
• Slow process dealing with large quantity of data

Summary
• There are various security standards and frameworks internationally accepted as a common practice
– E.g., ISO and NIST security standards and frameworks
• They provide detailed procedures for organisations to follow, in order to assess the security posture of their systems
• Many steps are involved, so security administrators should ensure that each step is done carefully and completely
• Use of automated tools can speed up the process, as well as avoiding any human errors

Additional Items
• Security standards and framework
– ISO: http://standards.iso.org/ittf/PubliclyAvailableStandards/
– ISO: http://www.iso27001security.com/index.html
– NIST: https://www.nist.gov/cyberframework
• Security models
– Kordy, Barbara, Ludovic Piètre-Cambacédès, and Patrick Schweitzer. “DAG-based attack and defense modeling: Don’t miss the forest for the attack trees.” Computer Science Review 13 (2014): 1-38.
– Hong, Jin B., et al. “A survey on the usability and practical applications of graphical security models.” Computer Science Review 26 (2017): 1-16.
– Visualisation (note: videos are not working): https://visualisation.trespass-project.eu/