Security Overview: Trends
Rafal Lukawiecki, Strategic Consultant
Project Botticelli Ltd
Objectives
Overview a process-oriented approach to security
Discuss the recent trends in approaching security issues
Session Agenda
Frameworks, Processes and Concepts
Issues
Trends
The Problem
We have (more than enough) security technologies, but we do not know how (and if) we are secure
Security Frameworks
Security
Definition (Cambridge Dictionary of English)
Ability to avoid being harmed by any risk, danger or threat
…therefore, in practice, an impossible goal
What can we do then?
Be as secure as needed
Ability to avoid being harmed too much by reasonably predictable risks, dangers or threats (Rafal’s Definition)
Adequate Security
CERT usefully suggests:
“A desired enterprise security state is the condition where the protection strategies for an organization's critical assets and business processes are commensurate with the organization's risk appetite and risk tolerances.” – www.cert.org/governance/adequate.html
Risk Appetite – defined through executive decision, influences the amount of risk worth taking to achieve enterprise goals and missions
Relates to risks that must be mitigated and managed
Risk Tolerance – residual risk accepted
Relates to risk for which no mitigation would be in place
Approaches for Achieving Security
Two approaches are needed:
Active, dynamic, transient
Implemented through behaviour and pattern analysis
Passive, static, pervasive
Implemented through cryptography
Holistic View of Security
Security should be:
Static + Active Across All Your Assets Based On Ongoing Threat Risk Assessment
Framework 1: Defense in Depth
Using a layered approach:
Increases an attacker’s risk of detection
Reduces an attacker’s chance of success
Layers and example measures at each layer:
Policies, Procedures, & Awareness: User education against social engineering
Physical Security: Guards, locks, tracking devices, HSM
Perimeter: Firewalls, VPN quarantine
Internal Network: Network segments, IPSec, NIDS
Host: OS hardening, update management, authentication
Application: Application hardening, antivirus
Data: ACL, encryption
Secure Environment
A secure environment is a combination of:
Hardened hosts (nodes)
Intrusion Detection System (IDS)
Operating Processes: Standard and Emergency
Threat Modelling and Analysis
Dedicated Responsible Staff: Chief Security Officer (CSO) responsible for all
Continuous Training: Users and security staff, against “social engineering”
Framework 2: OCTAVE
Operationally Critical Threat, Asset and Vulnerability Evaluation
Carnegie-Mellon University guidance
Origin in 2001
Used by US military and a growing number of larger organisations
www.cert.org/octave
Concept of OCTAVE
Workshop-based analysis
Collaborative approach
Guided by an 18-volume publication
Very specific, with suggested timings, personnel selection etc.
www.cert.org/octave/omig.html
Smaller version, OCTAVE-S, for small and medium organisations
www.cert.org/octave/osig.html
OCTAVE Process: Progressive Series of Workshops
Planning (preparation before the phases)
Phase 1: Organizational View: Assets, Threats, Current Practices, Org. Vulnerabilities, Security Req.
Phase 2: Technological View: Tech. Vulnerabilities
Phase 3: Strategy and Plan Development: Risks, Protection Strategy, Mitigation Plans
Framework 3: Security Risk Analysis
A simplified approach, taking into account your assets’ exposure to security risks
Requires:
1. Identifying your assets
2. Assessing risks and their impact, probability and exposure
3. Formulating plans to reduce overall risk exposure
Risk Impact Assessment
For each asset and risk attach a measure of impact
Monetary scale if possible (difficult) or relative numbers with agreed meaning
E.g.: Trivial (1), Low (2), Medium (3), High (4), Catastrophic (5)
Ex:
Asset: Internal MD mailbox
Risk: Access to content by press
Impact: Catastrophic (5)
Risk Probability Assessment
Now for each entry measure probability the loss may happen
Real probabilities (difficult) or a relative scale (easier) such as: Low (0.3), Medium, (0.6), and High (0.9)
Ex:
Asset: Internal MD mailbox
Risk: Access to content by press
Probability: Low (0.3)
Risk Exposure and Risk List
Multiply probability by impact for each entry: Exposure = Probability x Impact
Sort by exposure: High-exposure risks need very strong security measures
Lowest-exposure risks can be covered by default mechanisms or ignored
Example: Press may access MD mailbox: Exposure = P(Low=0.3) x I(Catastrophic=5) = 1.5
By the way, the minimum exposure is 0.3 and the maximum is 4.5 in our examples
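The three steps of Framework 3 carried through in code, as an added example that is not part of the presentation: the impact and probability scales are the slides’ own, the asset/risk entries (other than the MD mailbox one) and the banding thresholds are constructed assumptions.

```python
# Added example (not from the presentation): Security Risk Analysis, steps 1-3.
# Scales are taken from the slides; entries and thresholds below are constructed.
from dataclasses import dataclass

IMPACT = {"Trivial": 1, "Low": 2, "Medium": 3, "High": 4, "Catastrophic": 5}
PROBABILITY = {"Low": 0.3, "Medium": 0.6, "High": 0.9}


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    risk: str
    impact: str        # key of IMPACT
    probability: str   # key of PROBABILITY

    def exposure(self) -> float:
        # Exposure = Probability x Impact (rounded to avoid float noise)
        return round(PROBABILITY[self.probability] * IMPACT[self.impact], 2)


def exposure_bounds() -> tuple:
    """Smallest and largest exposure the two scales can produce."""
    values = [p * i for p in PROBABILITY.values() for i in IMPACT.values()]
    return round(min(values), 2), round(max(values), 2)


def rank_risks(entries):
    """Step 3 input: the risk list sorted by exposure, highest first."""
    return sorted(entries, key=lambda e: e.exposure(), reverse=True)


def treatment(entry, strong_at=2.7, ignore_below=0.6) -> str:
    """Band an entry; the thresholds are assumptions, not from the slides."""
    x = entry.exposure()
    if x >= strong_at:
        return "strong measures"        # high exposure: plan mitigation/contingency
    if x < ignore_below:
        return "default mechanisms"     # lowest exposure: defaults or ignore
    return "plan"                       # in between: decide case by case


# Constructed risk list; the first entry is the slide's worked example.
RISK_LIST = [
    RiskEntry("Internal MD mailbox", "Access to content by press", "Catastrophic", "Low"),
    RiskEntry("Customer database", "Disclosure via unvalidated input", "Catastrophic", "Medium"),
    RiskEntry("Public web site", "Defacement", "Medium", "High"),
    RiskEntry("Lobby printer", "Toner theft", "Trivial", "Low"),
]

if __name__ == "__main__":
    for e in rank_risks(RISK_LIST):
        print(f"{e.exposure():4}  {treatment(e):18}  {e.asset}: {e.risk}")
```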
Mitigation and Contingency
For high-exposure risks plan:
Mitigation: Reduce its probability or impact (and so its exposure)
Transfer: Make someone else responsible for the risk
Avoidance: avoid the risk by not having the asset
Contingency: what to do if the risk becomes reality
Framework 4: Threat Modeling
Structured analysis aimed at:
Finding infrastructure vulnerabilities
Evaluating security threats
Identifying countermeasures
Originated from software development security threat analysis
1. Identify Assets
2. Create an Architecture Overview
3. Decompose the System
4. Identify the Threats
5. Document the Threats
6. Rate the Threats
STRIDE: A Technique for Threat Identification (Step 4)
Type of Threat: Examples
Spoofing: Forging email message; Replaying authentication
Tampering: Altering data during transmission; Changing data in database
Repudiation: Delete critical data and deny it; Purchase product and deny it
Information disclosure: Expose information in error messages; Expose code on web site
Denial of Service: Flood web service with invalid requests; Flood network with SYN
Elevation of Privilege: Obtain Administrator privileges; Use assembly in GAC to create account
Threat Tree
Root: Inside Attack Enabled: Attack domain controller from inside
The root is an OR of two branches; each branch is an AND of two conditions:
Branch 1 (AND):
SQL Injection: An application doesn’t validate user’s input and allows evil texts
Dev Server: Unhardened SQL server used by internal developers
Branch 2 (AND):
Messenger Xfer: Novice admin uses an instant messenger on a server
Trojan Soc Eng: Attacker sends a trojan masquerading as network util
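An evaluator for the threat tree above, added here as an example and not part of the presentation. It assumes the diagram reads as an OR of two AND branches (my reading of the slide layout), and shows which minimal combinations of conditions enable the root and whether a countermeasure that removes one condition closes the path.

```python
# Added example (not from the presentation): evaluating an AND/OR threat tree.
# Leaf names are the slide's; the tree shape is my reading of the diagram and
# the mitigation scenario at the bottom is constructed.
from itertools import product

# A node is either a leaf condition (str) or ("AND" | "OR", [children]).
THREAT_TREE = ("OR", [
    ("AND", ["SQL Injection", "Dev Server"]),        # unvalidated input + unhardened dev SQL server
    ("AND", ["Messenger Xfer", "Trojan Soc Eng"]),   # IM on a server + trojan sent as a network util
])


def leaves(node):
    """All leaf conditions under a node."""
    if isinstance(node, str):
        return {node}
    _, children = node
    return set().union(*(leaves(c) for c in children))


def enabled(node, present):
    """True if the attack at this node is possible given the set of present conditions."""
    if isinstance(node, str):
        return node in present
    op, children = node
    results = [enabled(c, present) for c in children]
    return all(results) if op == "AND" else any(results)


def minimal_cut_sets(node):
    """Smallest sets of conditions that each enable the root (brute force; fine for small trees)."""
    names = sorted(leaves(node))
    cuts = []
    for bits in product([False, True], repeat=len(names)):
        chosen = frozenset(n for n, on in zip(names, bits) if on)
        if enabled(node, chosen):
            cuts.append(chosen)
    # keep only cut sets with no strictly smaller enabling subset
    return sorted({c for c in cuts if not any(o < c for o in cuts)}, key=sorted)


def still_enabled_after(node, present, mitigated):
    """Re-evaluate the root once countermeasures remove the given conditions."""
    return enabled(node, set(present) - set(mitigated))


if __name__ == "__main__":
    everything = leaves(THREAT_TREE)              # worst case: all conditions hold
    print([sorted(c) for c in minimal_cut_sets(THREAT_TREE)])
    print(still_enabled_after(THREAT_TREE, everything, {"Dev Server"}))
```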
Current Security Issues
Industry Issues for 2005-2006
Without undue generalisation:
Mobile security at data layer
Malware/spyware
Compliance auditing
Identity management
Patch/update management
Application defence
Intrusion detection
Mobile Security at Data Layer
Laptops and PDAs are rarely protected against physical data extraction
Encryption with removable keys is very effective, though deployment requires planning and is sometimes cumbersome
Smartcards plus EFS or an alternative system, such as PGP etc. can be applied
Data recovery needs (legal and practical) complicate the matter greatly
Spyware (Malware) Protection
90% of machines have malicious software, on average 28 separate spyware programs (report by Earthlink & Webroot)
Zombies
Network bandwidth and CPU degradation
Commercial secrets leaked
Privacy destroyed
3rd party liability arises
Best practice: SpyBot Search and Destroy (www.spybot.info)
Microsoft AntiSpyware (in beta)
AdAware
Limit use of administrative privileges for end-users
Compliance Auditing
An area of rapid growth, primarily due to Sarbanes-Oxley (“Sarbox”, or “Sox”) and EU Data Privacy regulation
In the hands of specialised providers, mainly the consulting business
Microsoft Operations Manager (MOM) can be applied for this purpose
Identity Management
Heterogeneity of authentication and security measures is a common fact
Don’t fight it, integrate it
Synchronisation between directories, no matter how different, is becoming a reality with solutions built on systems such as MIIS (Identity Integration Server)
Alternatively, converge onto a client solution, such as smartcards or OTP/tokens
Patch and Update Management
As of Sept 2005, Microsoft Update is fully functioning, and integrates, at present:
Windows OS updates
Office
SQL Server
Exchange
More Microsoft products being added over the next months
Enterprise solutions, however, will still benefit from a fully-managed software distribution system, such as SMS (Systems Management Server)
Application Defence
As networks and hosts become well protected, application-level attacks are on the increase
Other than for very new in-house applications, development security has rarely been a concern
This is a major area of worry from the perspectives of both insider and outside attacks
Approaches:
Prove it’s safe (threat modelling)
Isolate-and-monitor
Replace
Treating Unproven Applications
Until proven to be secure, treat all applications as “evil”
Restrict access to users on a need-to-use basis only
Restrict remote use
Isolate to dedicated application servers
Restrict servers through IPSec policies to only allow communication that applications explicitly require
Monitor usage pattern to establish a baseline and raise alarm when patterns vary
Enable stringent auditing
Request a formal threat analysis if the above restrictions are too severe
Intrusion Detection
Intrusion Detection Systems (IDS) are still fairly basic, though network-level detection has grown more sophisticated
Honeypots, i.e. monitored vulnerable servers exposed as “bait”, are still very effective, though they may pose legal problems
Trends for 2006
Network Security – IPv6
A major development for 2006+ will be gradual replacement of IPv4 with IPv6
Among the many benefits of this move, the crucial introduction of compulsory IPsec in IPv6 will provide much-needed authentication and confidentiality of data at wire level
Interesting issues still remain to be solved, but now is a very good time to seriously evaluate the technology
Windows Vista comes with a new IPv6 stack, as part of the entirely rewritten TCP/IP substrate, called “Next Generation TCP/IP”
Network Device Port Protection
Though long awaited, “802.1x for wired networks” is off to a confused start, as many basic devices, such as switches, are unlikely to support the technology as expected
With new infrastructure this technology might be useful in high-risk areas, especially exposed networks
Smartcards
While not a new technology, Microsoft’s support in Windows Vista promises a serious approach to solving deployment, manageability and developer issues
Infocard specification for developers
Alacris acquisition (20 Sept) for smartcard lifecycle management
Axalto deal for smartcard infrastructure
Windows Vista re-write of smartcard functionality
Biometrics
Overhyped: be careful and sceptical
Useful as a secondary protection of a private encryption key on a smartcard in a controlled environment
Advantage: Simple and works in some environments, e.g. immigration control or secondary authentication of staff
Weakness: Not useful for at-home, remote etc. applications, as there is no way to ensure it is your real fingerprint, iris, retina etc. being scanned
Biometric data can be stolen and used to fake identity – and there is no way to change it later
Too many false positive and false negative matches
Application-level Protection
With .NET Framework 2.0 and SQL Server 2005 developers can use a plethora of security technologies – easily
Developers are increasingly seen as responsible for security
This extends even to database developers, previously unlikely to engage in cryptography or ACL management
It is very important that all in-house and vertical solution-provider application developers undergo security training
Refresher courses or workshops are a good idea
Community participation helps
Summary
Summary
Viewing security holistically combines perspectives of people, processes, technologies and requires ongoing research and education
Security goals oppose those of usability
Frameworks enable achieving security goals without facing unexpected costs
Network and host protections are fairly mature
Developer-oriented solutions to prevent application-level attacks must be employed
© 2005 Project Botticelli Ltd & Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. PROJECT BOTTICELLI AND MICROSOFT MAKE NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. You must verify all the information presented before relying on it. E&OE.