a risk assessment tool for network resilience evaluation


Post on 19-May-2017


Page 1: A Risk Assessment Tool for Network Resilience Evaluation

WHITE CYBER KNIGHT – A RISK ASSESSMENT TOOL FOR NETWORK RESILIENCE EVALUATION

Gwendal Le Grand*

Associate Professor, ENST, France.

Eyal Adar†

Founder and CEO – iTcon Ltd.

Keywords: Risk Assessment, Telecommunications, Complex Infrastructures, Complex Networks, Network Resilience

Abstract

The Communication Sector is one of the areas which, over the past several years, evolved most significantly and caused revolutions in both system-wide and system-use aspects.

These revolutions have resulted in many communication networks being set up without adequate consideration of the risks involved.

The existing RM (Risk Management) concepts are high level, and must be adapted to cope with the specific needs and risks of the communication world.

This article aims to:

• Analyze the main existing RM concepts and point out those which can be applied to complex communication systems.

• Define the specific elements which need to be examined while assessing the risks to communication systems, and define how RM software can aid in the process.

The use of RM applications applied specifically to critical and complex communication systems can significantly assist in bridging the gap in communication systems RM which was created in the past few years, and cut down IT Management costs.


Introduction: Risk Management in Telecom Today

Today, increasingly complex and IT-dependent digital elements (computers, networks, contents, etc.) or infrastructures are at the center of our lives; they constitute the essential pillars of our communication, economic, social and institutional infrastructures.

Security and threat mitigation within those systems has thus implicitly become a fundamental stake for the citizen (to preserve his privacy), for the company (to protect digital assets and transactions), and for the states (to protect their critical infrastructures, and ensure the smooth continuity of the government and government services, etc.).

Generalized access to infrastructures like the Internet or mobile 3G telephone infrastructures has profoundly modified users’ behaviors and has radically changed the risks they and the infrastructures are facing. Although several security measures exist, trust in the digital world is not sufficient for several reasons. On the one hand, security technologies are not yet widespread due to the complexity involved in deploying them. On the other hand, ICT (Information and Communication Technologies) are particularly vulnerable due to the heterogeneity of systems, terminals, users, and infrastructures, which all require regular upgrades, and to the interconnectivity of infrastructures, the mobility of the users, and the facility to launch remote or distributed attacks.

Risk assessment is therefore an essential stake in our societies, and it remains a burden because of its complexity. Actually, it is necessary to adopt a global vision that takes into account not only technical elements like cryptographic protocols used to provide confidentiality or infrastructure resilience, but also economic aspects like the impact an attack could have on the business or on the corporate image of a company.

Interdependencies between infrastructures will also play a major role in the near future since they will certainly be exploited to build attacks using their interplay, while the attacked infrastructure may not necessarily be the final designated target. The effects of such attacks will be disseminated rapidly through a domino effect and the chain of events will be difficult to predict or control in time before a major breakdown happens.

Therefore, infrastructure and service risk and crisis management must play an increasing role: since it is impossible to make a system error-free and invulnerable, it is necessary to cope with identifiable, controllable and quantifiable risks. This must be accomplished through various types of actions: the design of efficient risk assessment tools, the development of crisis management models, the certification of systems and products, etc.

In subsequent sections of the paper, we will first examine the challenges related to complex risk management in telecommunication. We will then present existing frameworks and methodologies for risk analysis. Then, we will focus on specific parameters for telecom risk assessment and provide an example evaluation checklist. Finally, we will introduce WCK (White Cyber Knight), a software tool which constitutes a possible answer to risk assessment requirements.

Dealing with Complex Risk Management Challenges

The growing field of risk management plays an important role in mitigating and managing risks of complex and distributed architectures and environments. However, this field is not yet fully standardized, and different RM methods cover different RM aspects. Within the different frameworks which currently exist for assessing risk in such environments, many methods are very high level oriented.

From industry inputs, there is little use of these methodologies by IT operations staff on a day-to-day basis. The products used often include software tools that address specific IT platforms, and lack the "over-all" security assessment ability.

In order to adapt these frameworks towards a more practical application for the telecom world, a layer of additional analysis is needed; such a layer must rely upon a thorough and multi-faceted understanding of the telecom world's unique business needs and requirements, and its specific systems and protocols. This assessment layer should include concrete checklists which will adhere to these parameters.

Practical methodologies that can bridge this gap are required. These should enable the identification of critical paths through an understanding of the telecommunications sector's unique business processes, as well as the ability to apply an additional assessment layer which deals with the specific parameters discussed in this article.

A solution to the complex problems we have stated here lies in utilizing a combination of 3 realms:

• RM framework or methodology layer which includes risk analysis

• Controls and policies – IT governance layer

• Specific checklists (detailed controls) or questionnaires aimed to identify the telecom specific vulnerabilities

[Figure 1 layers, all evaluated using an automated software tool:

IT Governance and Management (RM Life Cycle): COBIT, ITIL

Security Governance (Assessment Fields): ISO17799, ISF, GAISP, OCTAVE, SysTrust

Detailed Controls (Technical, Policy, Operational): NIST, CIS, FFIEC, EESA]

Figure 1: Describes how these 3 elements operate and interact

RM Framework or Methodology Layer Which Includes Risk Analysis

The following are examples of some of the leading RM frameworks:

• Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE®) [1]: The OCTAVE approach is a systematic way for an organization to address its information security risks, sorting through the complex web of organizational and technological issues. The OCTAVE approach includes a set of criteria that defines the requirements for a comprehensive, self-directed information security risk evaluation, and a set of methods consistent with the criteria. OCTAVE was developed by Software Engineering Institute at Carnegie Mellon University.

• COBIT® [2]: COBIT, Control Objectives for Information and related Technology, is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT® is sponsored and funded by the IT Governance Institute (affiliate of the Information Systems Audit and Control Association). The framework emphasizes best practices and leverages other recognized methodologies and tools such as COSO, ISO, ITIL, NIST and AICPA. Its focus is on helping leaders understand and manage the risks relating to IT and the links between the management process, the technical questions, the need for control and the risks.

• Thales SHIELD™ [3]: Thales SHIELD is a complete system that combines different areas from intelligence gathering and analysis, communications and network security, physical security to crisis management, to provide a fully integrated solution for nations, regions and institutions potentially vulnerable to intrusive security strikes or threats.

[1] http://www.cert.org/octave/

Figure 2: the COBIT® risk assessment framework

Focusing on the RM framework layer, in this context we will recommend COBIT® as a risk management framework, due to the following advantages:

• It is one of the only RM frameworks which deal with organizational processes.

• It is a well respected and recognized tool - even by regulators.

• It is an excellent methodology for getting various parts of an organization to speak the same language.

• COBIT® looks at IT in general - not just at security, and it includes detailed assessment domains, systems and programs.

• It facilitates communication with top level executives and provides an excellent management perspective (e.g., CMM).

• It was planned and designed to interface with other methods, which makes it an open framework.

[2] http://www.isaca.org/cobit/

[3] http://shield.thalesgroup.com/

Controls and Policies – IT Governance Layer - ISO 17799 [4]

ISO (the International Organization for Standardization) along with IETC (the International Electro Technical Commission) form the specialized system for worldwide standardization. The stated purpose of ISO 17799 is to provide a common basis for developing organizational security standards and effective security management practice and to provide confidence in inter-organizational dealings.

Originally developed in the UK, the standard has gained much popularity and is a favored risk assessment approach in Europe. It is typically used in larger organizations, especially those involved with international activities. ISO offers very specific guidance that requires specific modification and adaptation. ISO 17799 is often referenced and leveraged by other well-known methodologies.

ISO 17799 spans the following fields:

1. Security Policy

2. Communications and Operations Management

3. Organizational Security

4. Access Control

5. Asset Classification and Control

6. System Development and Maintenance

7. Personnel Security

8. Business Continuity Management

9. Physical and Environment Security

10. Compliance

Moreover, ISO 17799 has some specific relevant advantages, such as:

• Very detailed guidance

• Standard of standards

• Common language

• Well-known

• Favored by large business enterprises

Despite its many advantages as a RM framework, ISO 17799 does not supply the required technological depth to cover all technical aspects, which is why more detailed, specific checklists are required.

Specific Checklists (Detailed Controls) or Questionnaires Aimed to Identify the Telecom Specific Vulnerabilities

In order to identify specific vulnerabilities in telecom systems, several checklists and methods may be used. They include:

[4] http://www.iso.org/iso/en/prods-services/popstds/informationsecurity.html

• End to End Security Assessment (EESA™) [5]: EESA is an assessment method which deals with Critical Information Infrastructure Protection (CIIP). It analyzes the "Security Quality of Service" (SQOS) along the path of critical processes within a business environment or system and evaluates whether the security mechanisms along it are adequate for protecting against likely threats. The uniqueness of EESA lies in the fact that the analysis covers both strategic issues as well as very detailed technical security design issues. Ranging from business layer to IT layers (from business processes thru systems and applications and infrastructure), it provides an interdisciplinary, business oriented assessment method.

• NIST [6]: ITL (Information Technology Laboratory within the NIST) develops technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in federal computer systems. Publications issued report on ITL’s research, guidance, and outreach efforts in computer security, and its collaborative activities with industry, government and academic organizations. As governmental agencies, banking regulators frequently participate in NIST research and are audited against these guidelines. Many other methodologies leverage the work performed by the NIST. It also includes many detailed checklists tailor-cut for specific realms and sectors.

• Specific Telecom Driven Vulnerability Checklists which will be presented in this article.

A possible way of combining these realms could be using a sophisticated software tool that will enable a more efficient analysis of the data. Combining these three elements will allow risk managers to better deal with the complexity and technological difficulties, while saving time and manpower. In the following, we aim to demonstrate how these 3 elements contribute to the creation of a holistic and telecom-applied risk management view, when used with a comprehensive software tool which automates many of the assessment and risk management processes.

[5] http://www.iabg.de/acip/doc/ergebnisse_workshop_2002_12_bruessel/EESA-basics.pdf

[6] http://csrc.nist.gov/pcig/index.html

Telecom Risk Assessment Parameters

Several important parameters should be covered in risk assessment for future complex communication networks. Based upon these parameters we will mention several telecom specific vulnerabilities that need to be addressed. This will be the basis of a checklist or baseline in our example.

These include (but are not limited to):

• Overall threat and vulnerability assessment:

  o Vulnerability of content – destruction, modification, copy, etc. – and its volatility, which is critical in a world where broadband wireless and ubiquitous access are generalized.

  o Vulnerability of media – on which the content is stored or sent (hard disks, wireless transmission links, etc.)

  o Vulnerability of access and access control means – for example, what devices should connect to the network, or the ability to prevent potentially dangerous devices (that are infected by viruses or spyware) or content from penetrating a corporate network. Moreover, increased interconnection of infrastructures eases remote and distributed attacks, which makes access control even more critical.

  o Vulnerability of well known technologies, operating systems, or protocols – on which networks and systems rely worldwide.

  o Vulnerability of complexity – complex and non error-free systems require constant upgrades that may be insecure and introduce new vulnerabilities or failures.

  o Vulnerability of interdependencies – interdependencies of similar and different infrastructures (e.g. two telecom operators or a telecom operator and a power provider).

• Security of communications, characterized by security objectives expressed in terms of confidentiality (non-disclosure to unauthorized persons), integrity (non-alteration of content) and availability (the ability of licensed users to use digital assets).

• Certification or standards compliance.

• Trust with respect to the reliability and confidentiality of operations, operators, infrastructures and software.

• Safety (security of people and goods).

• Resilience of infrastructures which characterizes their ability to resist attacks or failures. Resilience should consider self-learning, self-healing and fast cicatrisation properties of a system with respect to a set of canonical attacks.

• Cost of security or of insecurity evaluates the economic impact (profit loss and indirect losses due to a degradation of the corporate image) related to mitigating or accepting an identified vulnerability.

• Security policy of the system and crisis management models, together with protection measures within legal frameworks.

An Example of a Telecom Risk Assessment Evaluation Checklist

There is a growing need for an additional layer of evaluation in order to fully assess the specific vulnerabilities and risks inherent to the telecom field. It seems prudent that this additional layer should include specific risks and vulnerabilities driven by the business process of the infrastructure being assessed.

We offer an example of a concrete baseline, based upon the aforementioned parameters, as an evaluation checklist. This checklist should allow an evaluator to identify and assess the unique vulnerabilities of the telecom world.

Threats to the Security of Communications

The core business of the telecommunications field is the communication of data. According to this ground statement, it is crucial to view the unique threats to this data, in aspect of the confidentiality, availability, and integrity of the data being communicated:

• Eavesdropping

• Disclosure and/or alteration of sensitive billing information

• Unauthorized use of resources such as illicit use of telephony, fraud and call theft

• Interrogation of secure databases

• Risk of data disclosure due to IP based infrastructure linked with other networks

Interdependencies and Threats to the Resilience and Availability of Infrastructures

Examples of possible interdependencies or threats to the resilience and availability of infrastructures include:

• Reliance of the telecom infrastructure upon a single energy infrastructure creates an obvious dependency, which poses a potential risk to the resilience of the telecom infrastructure in any case of a regional power outage.

• Extensive use of third party software, which has also been described in the ACIP report as "The far most feared and seen most realistic threat is due to software dependence in both the operational and the production network", creates a major threat which affects the entire telecommunications world. Most service providers use important key components from several specific vendors, so that one could affect many operators and render an entire infrastructure unavailable.

• Cellular networks are particularly vulnerable to jamming by using RF energy to swamp receiver sites, and to denial of service attacks on central cellular communication nodes.

Vulnerability of Telecom Specific Technologies

Recent ACIP research [7] revealed that most telecom providers rely on dedicated, specific hardware and communications equipment from a single vendor – one major bug or failure of such equipment may cause an infrastructure-wide crash, as mentioned here. Additionally, usage of telecom specific technologies creates a wide range of vulnerabilities which are unique to the telecom world:

• The GPRS method is primarily based upon IP, a protocol well known to hackers and vulnerable to many exploits which previous communications protocols have been immune to due to their relative obscurity outside of the telecom field.

• Dedicated communications equipment from a single vendor creates a single point of failure for the entire infrastructure.

Vulnerability of Access and Access Control

As described previously, the increased interconnection of infrastructures and the enhanced mobility of information systems today, make it even more crucial and complex a challenge to properly identify devices, users and other entities in a communications infrastructure. Additionally, there are several unique issues for telecom in this aspect that come to mind:

• Poor GSM authentication mechanisms do not allow sufficient assurance when devices roam between cells.

• Difficulty to enforce content filtering and strong authentication when mobile communication components interact with other communications networks – ID and data migrate through different and segregated worlds (from a cellular network to the enterprise IT infrastructure for example), with minimal or no control.

Threats to the Business Viability of the Telecom Service Provider

The potential vulnerabilities mentioned in this article could also project unto the provider's brand image. Any such damage to the telecom service provider's brand image and public relations status should be considered as a potential threat to its business viability.

[7] ACIP CIP Telecom Operators Case Study: http://www.iabg.de/acip/doc/wp2/D2_3_Summary_of_the_Interview_Findings.pdf
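The interdependency items in the checklist above (a single energy infrastructure, shared third-party software, single-vendor equipment as a single point of failure) can be evaluated mechanically once dependencies are written down as a graph. The following Python code is an added example, not part of the original paper or of White Cyber Knight; every component name and dependency in it is constructed, and it goes beyond the text by modelling redundancy groups so that a mitigation can be re-evaluated.

```python
"""Cascade analysis over an infrastructure dependency graph (added example).

All component names and dependencies are constructed for illustration.
"""

# Each component lists its dependency groups. A group is satisfied while at
# least one member is up (redundancy); every group must be satisfied for the
# component to stay up. A single-member group is a hard dependency.
DEPENDENCIES = {
    "regional_power_grid": [],
    "vendor_x_switch_fw": [],        # dedicated equipment from one vendor
    "third_party_billing_sw": [],
    "core_switch_a": [["regional_power_grid"], ["vendor_x_switch_fw"]],
    "core_switch_b": [["regional_power_grid"], ["vendor_x_switch_fw"]],
    "central_cell_node": [["core_switch_a", "core_switch_b"]],
    "billing": [["third_party_billing_sw"], ["core_switch_a", "core_switch_b"]],
    "gsm_voice": [["central_cell_node"]],
    "gprs_data": [["central_cell_node"]],
}
CRITICAL_SERVICES = {"gsm_voice", "gprs_data", "billing"}


def validate(deps):
    """Reject references to undeclared components (a typo would hide risk)."""
    known = set(deps)
    for name, groups in deps.items():
        for group in groups:
            missing = set(group) - known
            if missing:
                raise ValueError(f"{name} depends on unknown {sorted(missing)}")


def cascade(deps, initially_failed):
    """Return every component that is down once failures stop propagating."""
    down = set(initially_failed)
    changed = True
    while changed:                   # iterate to a fixed point (domino effect)
        changed = False
        for name, groups in deps.items():
            if name in down:
                continue
            # A component fails when any one group has no surviving member.
            if any(all(m in down for m in group) for group in groups):
                down.add(name)
                changed = True
    return down


def single_points_of_failure(deps, critical):
    """Map each supporting component to the critical services it takes down."""
    validate(deps)
    result = {}
    for name in deps:
        if name in critical:
            continue                 # a service failing itself is not a finding
        lost = cascade(deps, {name}) & critical
        if lost:
            result[name] = lost
    return result


def rank_by_blast_radius(deps, critical):
    """Order single points of failure by number of critical services lost."""
    spof = single_points_of_failure(deps, critical)
    return sorted(spof.items(), key=lambda kv: (-len(kv[1]), kv[0]))


def with_backup_power(deps, consumers, grid="regional_power_grid",
                      backup="backup_generator"):
    """Return a copy in which each consumer can run on the grid or a backup."""
    hardened = {name: [list(g) for g in groups] for name, groups in deps.items()}
    hardened[backup] = []
    for name in consumers:
        for group in hardened[name]:
            if grid in group:
                group.append(backup)
    return hardened


if __name__ == "__main__":
    print("Baseline:")
    for component, lost in rank_by_blast_radius(DEPENDENCIES, CRITICAL_SERVICES):
        print(f"  {component}: loses {sorted(lost)}")
    hardened = with_backup_power(DEPENDENCIES, ["core_switch_b"])
    print("With backup power on core_switch_b:")
    for component, lost in rank_by_blast_radius(hardened, CRITICAL_SERVICES):
        print(f"  {component}: loses {sorted(lost)}")
```

In the baseline the power grid and the vendor firmware each take down all three critical services; adding backup power to one switch removes the grid from the list, while the single-vendor firmware remains a single point of failure.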


Integrating Specific Checklists into the Assessment Process

The aforementioned specific vulnerabilities could be integrated as checklists into the assessment process as an additional, detailed technical layer as figure 3 describes.

[Figure 3 layers, all evaluated using an automated software tool:

IT Governance and Management (RM Life Cycle): COBIT, ITIL

Security Governance (Assessment Fields): ISO17799, ISF, GAISP, OCTAVE, SysTrust

Detailed Controls (Technical, Policy, Operational): NIST, CIS, FFIEC, EESA

Sector Driven Controls (Technical, Very Detailed): Banking, Telecom, Energy, Pharma]

Figure 3: This figure describes how the specific questionnaires integrate in the RM process shown in figure 1

WCK – a Possible Solution

Addressing the complexities of integrating the frameworks, methodologies and assessment criteria with specific questionnaires could only be done using a highly sophisticated software tool engineered to perform this task. In addition, specific parameters, or rather checklists, must be applied in order to accurately analyze the unique telecommunications security vulnerabilities and risks.

In order to encompass all of these elements, a comprehensive answer for a complex problem is needed. Such a solution will be able to bridge the analysis gap through integration of a smart "learning" automated software tool, which is capable of applying such checklists to analyze the risk in view of all the parameters previously mentioned, while operating within the assessment frameworks effectively.

Such a tool would ideally supply a single person a thorough and panoramic view while mitigating risks which emanate from one environment and affect several. It could be used by system operators, or by information security managers, as it offers a clear picture of the infrastructure and systems security status. It could also be used for further research on the subject, as it allows a comprehensive, single-point look at an entire infrastructure's strong and weak points, while accommodating all of the various parameters that should be considered.


An example of such an automated risk management tool, currently under development, is White Cyber Knight™ [8].

[Figure 4 content: WCK System.

Organizational Risk Map, Managerial Reports: by organization units, by security areas, costs, security measures, continuous improvement

Risk Analysis Management: workflow, assignment of tasks, aggregation of results, risk mitigation follow-up

Risk Analysis Process: dynamic questionnaire, risk analysis, countermeasures, implementation status

Roles shown: Auditor, Risk Evaluator, Head of RM Team, Global Security Officer, Management]

Figure 4: The White Cyber Knight™ assessment process

White Cyber Knight™ is an expert RM system. The tool is designed for CIP, with an emphasis on Critical Information Infrastructure Protection (CIIP). The tool is based on an advanced RA engine. It is capable of providing a comprehensive risk map, which is driven by a wide variety of aspects which affect organization security. This includes: human behavior, policies and regulations, critical business processes, architecture of IT systems, and technical vulnerabilities, among others. WCK provides the ability to implement infrastructure-specific analysis parameters while operating under an assessment framework such as COBIT® in order to manage security risks in distributed environments, to follow-up risk mitigation activities, and finally, allows the Chief Security Officer (CSO) and the IT manager to measure their success over time.

Epilogue

This article is a milestone in a joint research effort, aiming to identify through cooperation the specific threats, vulnerabilities, and risk management solutions for the telecom era, that can be assessed in an efficient way by an automated tool.

[8] http://www.WhiteCyberKnight.com


Authors' Biographies

Gwendal Le Grand*

Gwendal Le Grand has worked as an Associate Professor in the Computer Science and Network Department of ENST (Ecole Nationale Supérieure des Télécommunications, Paris, France) since 2001. Gwendal received his PhD in computer science from the University of Paris 6 in July 2001. His main research interests are oriented towards security of information systems, critical information infrastructure protection, and wireless mesh networking. He is currently involved in several European projects in the field of security and critical infrastructures protection (IST FP6 SEINIT, CI2RCO, DESEREC, and IRRIIS). He teaches advanced networks and security at ENST.

Eyal Adar†

Eyal Adar is one of the leading experts in the area of CIP (Critical Infrastructure Protection) and information security. Eyal is the founder and CEO of iTcon Ltd., a consulting firm specializing in enterprise security architecture in the telecom, finance and energy sectors. Mr. Adar is one of the founding editors of the European CIIP Newsletter (see: http://www.ci2rco.org/ecn/European CIIP newsletter No 1.pdf), and participated in several European projects such as ACIP which determined the research plan in the field for the EU in the next 5 years. He is also a member in the advisory board of CI2RCO, which coordinates European research in the field of CIP. Mr. Adar is also one of the chief security strategists behind the Israeli government E-Government project.

* Télécom Paris, 46 rue Barrault, 75634 Paris Cedex, France. Tel: +33 1 45 81 77 77, Fax: +33 1 45 89 79 06

† iTcon Ltd, Atidim – Building 4, P.O.B 10147, Tel Aviv 61101, Israel. Tel: +972 3 6490039, Fax: +972 3 6490110