Upload
clara-parsons
View
227
Download
2
Embed Size (px)
Citation preview
Software Security and Security Engineering (Part 1)
Software Engineering
Sources:Introduction to Computer Security, Matt Bishop, Addison Wesley, 2003
Chapter 1Ian Somerville, Software Engineering, Chapter 12, 14
Fundamental of Information Systems Security, Kim and Solomon, Jones and Bartlett, 2012, Chapter 1 and 8
Security: A Persistent Problem
Why? Financial motivation Religious/political motivation Personal grudge Boredom ..
How? Physical access Exploit lack of awareness and training Exploit weak security policies and procedures Exploit vulnerabilities in applications and security mechanisms
Victim? Financial institutions Education institutions Government agencies E-commerce web sites ANYONE
Cost of Security Incidents in USA Average cost to company for security breach: $5.5 million
2011 Cost of Data Breach Study, Ponemon Institute
Dollar loss reported for Internet crime
Latest Internet Crime (IC3) Annual Report (2012)
Source of Security Incidents
Global State of Information Security Survey 2013http://www.pwc.com/gx/en/consulting-services/information-security-survey/giss.jhtml
Impact of Security Incidents
Global State of Information Security Survey 2013http://www.pwc.com/gx/en/consulting-services/information-security-survey/giss.jhtml
We are @top of the game …
Symantec Intelligence Report January 2013
…..
Symantec Intelligence Report January 2013
…..
Symantec Intelligence Report February 2013
…..
Symantec Intelligence Report January 2013
Malicious Activity by Source, Overall Ranking 2011-2012
Symantec 2013 Internet Security Threat Report
Who is Targeting Whom
Symantec 2010 Annual Security Report
Problem with Security
• Most do not understand/know about it• Those who do understand, underestimates it• Those who understands and don’t underestimate, address
it insufficiently
Attention Factors Increased attack frequency
More attacks and attackers, more motivations for attacks, more availability of attack tools
Increased awareness More activities and coverage in media Presidents’ Executive Order on CyberSecurity Cyber Security Act of 2012 controversy Cyber-warfare/cyber-espionage
More Laws The Personal Data Protection and Breach Accountability Act of 2011 The Personal Data Privacy and Security Act of 2011 Data Security and Breach Notification Act of 2012 CyberSecurity and American Cyber Competitiveness Act (2013) Cyber Intelligence Sharing and Protection Act (2013)
What’s Trending in Security
Cyber-crime as a service Cyber-warfare Targeted attacks Attacks/defenses in
Cross platform Mobile platform Web technologies/platforms Cloud computing/Virtual environment Big data Critical Infrastructure
http://www.mcafee.com/us/resources/reports/rp-threat-predictions-2013.pdfhttp://www.websense.com/content/websense-2013-security-predictions.html
http://www.crn.com/slide-shows/security/240145572/10-security-predictions-for-2013.htm
Security Prioritized
http://www.comptia.org/Libraries/Members_Research/Report_-_CompTIA_Security_study_-_Section_1.sflb.ashx
Boost in Security Expenditures
Homeland Security $756 Million in 2013 $786 Million for 2014
US Cyber Command $3.2 Billion in 2012 $3.4 Billion in 2013
Private Sector $35.1 Billion in 2011 $49.1 Billion by 2015
http://appropriations.house.gov/news/documentsingle.aspx?DocumentID=333903http://www.comptia.org/Libraries/Members_Research/Report_-_CompTIA_Security_study_-
_Section_1.sflb.ashx
NSF Spending in Security
http://www.nsf.gov/about/budget/fy2014/pdf/EntireDocument_fy2014.pdf
Security Employment - Current Demand for cyber security professionals grew
73% during the five years from 2007 to 2012– 3.5 times the pace of the overall IT job market– 12 times the overall job market
Bureau of Labor Statistics May 2012 Report 72,670 Information Security Analysts $89,290 Mean Annual Salary
http://blogs.wsj.com/cio/2013/03/04/demand-for-cyber-security-jobs-is-soaring/http://www.bls.gov/oes/current/oes_nat.htm#15-0000
http://data.bls.gov/oep/noeted
Security Job Market
http://www.payscale.com/research/US/Skill=IT_Security_%26_Infrastructure/Salary
Security Employment - Future
http://articles.washingtonpost.com/2013-01-27/world/36583575_1_cyber-protection-forces-cyber-command-cybersecurity
Defense Department’s Cyber Command to recruit 4900 in next few years (now at 900)
Bureau of Labor Statistics 2010 – 20 Projected Growth
Security Fundamentals
Information assurance and security Offensive and defensive goals Threats and attacks CIA model Defense in Depth Security policy/controls
Information Assurance (IA) & Security
22
IA is the perception that systems are operating as expected in a protected environment.
Security is measures and controls to achieve IA.
Two Sides in Security
Offensive Side
Defensive Side
Offensive Goal
Threats
& AttacksVulnerabilities Harm/Loss
USE
CAUSE
Risk
Terms Threat
Potential to inflict harm to an asset or cause security violations Attack
Infliction of harm to an asset or causing security violations Vulnerability
A weakness in security procedures or system design, implementation, or operation that can be used to cause security policy violation
Risk Potential loss or harm or security violation Likelihood that a particular threat can exploit a particular
vulnerability or a set of vulnerabilities to violate security policy
General Classes of Threats
Disclosure Deception Disruption Usurpation
Specific Types of Attacks
Snooping/Sniffing Spoofing Modification Repudiation of Origin Delay Denial of Receipt Denial of Service
Security Controls
Defensive Goal
Loss
Confidentiality
Integrity
Availability
Security Perimeter
CIA Model of IA
Confidentiality Keeping data and resources hidden
Integrity (Data and Origin) Keeping data (and data sources) and resources uncorrupted
Availability Keeping data and resources usable
Accountability (a.k.a. Non-Repudiation) Holding one accountable for action
Offensive & Defensive Goal Snooping/Sniffing
Spoofing
Modification
Repudiation of Origin
Denial of Receipt
Delay
Denial of Service
Confidentiality
Origin Integrity
Data Integrity
Origin Integrity, Accountability
Accountability
Availability
Availability
Confidentiality Integrity (Data and origin) Availability Accountability
Cyber Good, bad and ugly
http://www.securitymanagement.com/
archive/library/RBC_security0102.pdf
Ethics
http://computerethicsinstitute.org/http://www.secureworks.com/resources/articles/other_articles/ethics/
http://turing.cs.camosun.bc.ca/COMP112/notes/classnotes/TenCommandments.pdf
Ten Commandments of Computer Ethics1. Thou shalt not use a computer to harm other people.2. Thou shalt not interfere with other people's computer work.3. Thou shalt not snoop around in other people's computer files.4. Thou shalt not use a computer to steal.5. Thou shalt not use a computer to false witness.6. Thou shalt not copy or use proprietary software for which you have not paid.7. Thou shalt not use other people's computer resources without authorization or
proper compensation.8. Thou shalt not appropriate other people's intellectual output.9. Thou shalt think about the social consequences of the program you are writing or
the system you are designing.10. Thou shalt always use a computer in ways that ensure consideration and respect
for your fellow humans.
Goals of Security: Defense in Depth
1) Prevent• Securing an environment to avoid penetration
2) Deter• Applying protection mechanisms to hurdle intruder efforts and thus causing
delays in achieving a malicious goal
3) Detect• Ensuring visibility of suspicious activities
4) Response • Reacting to security incidents by notification, eradication, interdiction,
prosecution• Continuing to survive to some extent
5) Recover• Assessing and repairing damage• Improving
End to End Security
Hardware Software Data
In processing In transit In storage
People
Security Policy
An organizational security policy applies to all systems and its users and sets out what should and should not be allowed.
Types Military
– Readers may not access documents above his/her privilege level Commercial
– A customer may not change price of the product.
A security policy helps identify system security requirements with risk management processes in place.
Enforcing Policy Explicit Policy
X cannot view Y’s notes Y have to protect notes
– If anything happens, both X and Y can be held accountable
Explicit Policy X cannot view Y’s notes Implicit Policy
Y have to protect notes
– If anything happens, only X can be hold accountable
Policy, Model & Mechanism
Security Policy Statement of what is allowed and how
– The system is only available to use by employees. Security Model
Representation of policy– Formal/mathematical models
Security Mechanism Methods and tools to ensure policy by implementing
model– Password based login system
Trust
Trust and assumption play crucial role in policy, especially, integrity policy As trust is hard to quantify, policies are hard to evaluate
completely Attackers look for assumptions and trusted users to find
possible weak points in implementation of policy
Role of Trust
Higher level assumption example• Administrator installs patch
• Trusts patch came from vendor, not tampered with in transit
• Trusts vendor tested patch thoroughly• Trusts vendor’s test environment
corresponds to local environment• Trusts patch is installed correctly
Role of Trust cont.
Lower level assumption example– A security-related program S is formally verified to
work with operating system O• Proof has no errors
» Bugs in automated theorem provers• Preconditions hold in environment in which S is to be used• S transformed into executable S whose actions follow source code
» Compiler bugs, linker/loader/library problems• Hardware executes S as intended
» Hardware bugs
“Secure” vs. “Trusted”
Trusted System A Characteristic
Degrees of Trustworthiness
Judged based on evidence/analysis
Secure System A Goal
Either … or
Asserted based on features
Note “Perfectly” secure system does not exist. Security is difficult
Security is not inherent. Security is not universal. Security is not static. Security is not an absolute.
Security is a compromise between usability, cost and peace of mind.
Security engineering
Tools, techniques and methods to support the development and maintenance of systems that can resist malicious attacks that are intended to damage a computer-based system or its data.
The End
44
______________________Devon M. Simmonds
Computer Science Department
University of North Carolina Wilmington____________________________________________ _________________
Qu es ti ons?
Risk Management Risk assessment Risk mitigation/control Risk evaluation/assurance
Phased Risk Assessment Types Preliminary Life cycle Operational
Preliminary Risk Assessment
Identifies risks from analyzing environment prior to development
Independent of technology Aim is to develop an initial set of security requirements Steps:
Identify Risk– Inventory of assets– Determine value of asset– Estimate percentage of asset that will be lost per incident (exposure)– Identify threats and vulnerabilities
Evaluate Risk
Asset analysis in a preliminary risk assessment report for the
MHC-PMS
Asset Value Exposure
The information system High. Required to support all clinical consultations. Potentially safety-critical.
High. Financial loss as clinics may have to be canceled. Costs of restoring system. Possible patient harm if treatment cannot be prescribed.
The patient database High. Required to support all clinical consultations. Potentially safety-critical.
High. Financial loss as clinics may have to be canceled. Costs of restoring system. Possible patient harm if treatment cannot be prescribed.
An individual patient record Normally low although may be high for specific high-profile patients.
Low direct losses but possible loss of reputation.
Threat Identification with Misuse cases
Identify the most probable threats to the system assets Misuse cases are instances of threats to a system Models malicious user actions to figure out strategies to
prevent the actions. Relationship with use case
Misuse case threatens use case Use case mitigates misuse case
Threat Identification with Misuse cases
Sindre G, Opdahl AL (2001) Templates for misuse casedescription. In: Proceedings of the 7th international workshopon requirements engineering: foundation for software quality(REFSQ’01), Interlaken, Switzerland
Risk AssessmentIdentify RiskEvaluate Risk
Risks are quantified based on importanceor impact severity
Risks are prioritized for probable impact
Quantitative (Objective) Risk Analysis
Single loss expectancy (SLE) Total loss expected from a single incident Asset value X Exposure
Annual rate of occurrence (ARO) Number of times an incident is expected to
occur in a year
Annual loss expectancy (ALE) Expected loss for a year
SLE X ARO = ALE
Qualitative (Subjective) Risk Analysis
Probability Likelihood a threat will exploit a
vulnerabilityImpact
Result if a risk occurs
Risk level = Subjective measure of probability AND impact
Risk Mitigation Risk reduction
Uses security controls for potential prevention Risk transference
Delegating controls to another entity Risk acceptance
Taking conscious decision to accept the consequences should undesirable event occur
Risk avoidance Not taking the risk at all
Risk and Mitigation
Risk Level Mitigation Feasibility
Unauthorized user may gain access to information system left unsecured with machine in an open environment
Very high (Reduction) Keep machines running the system physically secure
Low cost of implementation but care must be taken with key distribution and to ensure that keys are available in the event of an emergency.
Unauthorized user may gain access as patient database
High (Reduction) Require all users to authenticate themselves before accessing the DB.
Technically feasible but cost to implement solution. Possible user resistance.
Derived Security requirements for the MHC-PMS
Only allow systems to installed in machines that are physically secure.
Require all users to authenticate themselves prior to accessing database.
Risk Evaluation/Assurance Assessment of control strategies
Selection of control strategies Cost effectiveness evaluation
Planning Incident response plan Business continuity plan Disaster recovery plan
Implementation Compliance
Life cycle risk assessment
Identifies risks that emerge during design and development Risks that are associated with the technologies used for
system construction. More information is available - system platform, tools,
middleware and the system architecture and data organization.
Requirements are extended to protect against new risks.
Additional Security Requirements generated from
Design Choice
Design Decision Patient information shall be downloaded at the start of a clinic
session to an area on the system that is used by clinical staff. Additional security requirement
All patient information on the system client shall be encrypted. Patient information shall be uploaded to the database after a
clinic session has finished and deleted from the client computer.
Additional Security Requirements generated from Technology Choice
Technology Decision The system architecture is client-server with clients accessing
the system through a standard web browser. Additional security requirement
Browser has to be secured against common web attacks
Operational risk assessment
Identifies risks that emerge from actual use of the system with additional information about the environment where the system is used. Environment characteristics can lead to new system risks
Further protection requirements may be added to cope with these.
Additional Security Requirements generated from Operational Use
Observation Employees frequently leave work station for administrative
reasons leaving system unprotected and accessible Additional security requirement
Computer must have password protected screen saver
The End
63
______________________Devon M. Simmonds
Computer Science Department
University of North Carolina Wilmington____________________________________________ _________________
Qu es ti ons?