Chapter 2: Domain Model for Information Systems Security Risk Management
Raimundas Matulevičius, University of Tartu, Estonia
Fundamentals of Secure System Modelling, Springer, 2017
Goal
• To understand domain terminology
• To introduce guidelines for determining
  – Business and system assets
  – Security risks
  – Security countermeasures
Outline
• Domain model
  – Asset-related concepts
  – Risk-related concepts
  – Risk treatment-related concepts
• Relationships and multiplicities
• Metrics
• Process
• Example
• Further reading
Domain Model
Asset-Related Concepts
• Specify the important assets to protect
• Define the criteria that guarantee asset security
Asset
• Anything that has value to the organisation and is necessary for achieving its objectives
• Examples: technical plan; structure calculation process; architectural competence; operating system; Ethernet network; people encoding data; system administrator; air conditioning of the server room
• This concept is the generalisation of the business asset and IS asset concepts
Business Asset
• Information, process or skill inherent to the business of the organisation that has value to the organisation in terms of its business model and is necessary for achieving its objectives
• Examples: technical plan; structure calculation process; architectural competence
• Business assets are immaterial
System Asset
• A component or part of the IS that has value to the organisation, is necessary for achieving its objectives and supports business assets
• Examples: operating system; Ethernet network; people encoding data; system administrator; air conditioning of the server room
• System assets are material (exception: software)
Security Criterion
• Property or constraint on business assets that
  – characterises security needs: confidentiality, integrity, availability
  – acts as an indicator for assessing the significance of a risk
• The security objective of the system is defined by applying security criteria to business assets
• Examples: confidentiality of the technical plans; integrity of the structure calculation process
Risk-Related Concepts
• Describe how the risk itself and its immediate components are defined
Threat Agent
• An agent that can potentially cause harm to system assets; it triggers a threat and is the source of a risk
• Examples:
  – Staff members with little technical skill and time, but possibly a strong motivation to carry out an attack
  – A hacker with considerable technical skill, well equipped and strongly motivated by the money to be made
• A threat agent is characterised by opportunity, capability, motivation and expertise
Attack Method
• Standard means by which a threat agent carries out a threat
• Examples: system intrusion; theft of media or documents
Threat
• Potential attack, carried out by an agent, that targets one or more IS assets and may lead to harm to assets
• Examples:
  – A hacker using social engineering on a member of the company
  – A thief entering a company building and stealing media or documents
Vulnerability
• Characteristic of a system asset, or of a group of system assets, that constitutes a weakness or flaw in terms of system security
• Examples: weak awareness of the staff; deficient physical access control; lack of fire detection
Event
• Combination of a threat and one or more vulnerabilities
• Examples:
  – A hacker using social engineering on a member of the company, exploiting weak awareness of the staff
  – A thief entering a company building thanks to deficient physical access control
Impact
• Potential negative consequence of a risk that may harm assets of a system or an organisation when a threat is accomplished
• Impacts on IS assets: password discovery; data destruction; failure of a component
• Impacts on business assets: loss of confidentiality of the technical plans; loss of confidentiality of an item of information; loss of integrity of a process
• An impact can provoke a chain reaction of impacts (indirect impacts): a loss of confidentiality of sensitive information leads to a loss of customer confidence
Risk
• Combination of a threat with one or more vulnerabilities leading to a negative impact that harms at least two assets (typically a system asset targeted by the threat and a business asset whose security criterion is negated, as in the example below)
• Example: a hacker using social engineering on a member of the company, because of weak awareness of the staff, leading to unauthorised access to personal computers and loss of integrity of the structure calculation process
• The threat and the vulnerabilities form the risk event; the impact is the consequence of the risk
Risk Treatment-Related Concepts
• Characterise which decisions, requirements and controls should be defined and implemented in order to mitigate the identified risks
Risk Treatment Decision
• Decision on how to treat the identified risks
  – satisfies a security need, expressed in generic and functional terms, and can lead to security requirements
• Four kinds of decision: risk avoidance, risk reduction, risk transfer, risk retention
Risk Treatment Decision: Risk Avoidance
• Decision not to become involved in, or to withdraw from, a risk
  – Functionality of the IS is modified or discarded to avoid the risk
• Example: not connecting the IS to the Internet

Risk Treatment Decision: Risk Reduction
• Action to lessen the probability, the negative consequences, or both, associated with a risk
  – Security requirements are selected to reduce the risk
• Example: taking measures to prevent network intrusions

Risk Treatment Decision: Risk Transfer
• Sharing with another party the burden of loss from a risk
  – A third party thus becomes related to the IS (or to part of it), which sometimes entails additional security requirements about third parties
• Example: taking out insurance to cover a loss of service

Risk Treatment Decision: Risk Retention
• Accepting the burden of loss from a risk
  – No design decision is necessary in this case
• Example: accepting that the service could be unavailable for 1 hour
Security Requirement
• A condition over the phenomena of the environment that we wish to make true by installing the system, in order to mitigate risks
• Examples:
  – Appropriate authentication methods shall be used to control access by remote users
  – System documentation shall be protected against unauthorised access
Control
• Designed means to improve security, specified by a security requirement and implemented to comply with it
• Examples: firewall; backup procedure; building guard
Relationships and Multiplicities
Metrics
• Security need – the security objective that characterises the application of a security criterion to a business asset
• Business asset value – only business assets are estimated in terms of value; business assets are used to define and estimate security objectives and to assess the significance of a risk
• Risk level – depends on the event potentiality and the impact level
• Potentiality – estimated through the threat likelihood and the vulnerability level
• Cost – e.g. the cost of buying a firewall and the cost of having a security officer maintain it
• Risk reduction – estimated for the risk reduction, avoidance and transfer treatments; for risk retention the risk reduction equals 0
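As an added illustration that is not from the book, the following Python encodes the concepts, their multiplicities and the metrics above as a small risk register and instantiates the social-engineering risk from the Risk slide. The 1..4 scales, the rule that combines threat likelihood with vulnerability level into potentiality, and the product of potentiality and impact level are assumptions: the slides only state what each metric depends on. The `check_risk` function applies the constraints the domain model implies (an event needs a vulnerability on a targeted asset; an impact harms at least two assets and negates a security criterion on a business asset).

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple, Union

# Added example, not the book's code. Scale assumption: likelihood, vulnerability
# level, impact level and potentiality are qualitative integers 1..4.


class Treatment(Enum):
    AVOIDANCE = "risk avoidance"
    REDUCTION = "risk reduction"
    TRANSFER = "risk transfer"
    RETENTION = "risk retention"


@dataclass(frozen=True)
class BusinessAsset:
    name: str
    value: int          # only business assets are valued (Metrics slide)


@dataclass(frozen=True)
class SystemAsset:
    name: str           # supports one or more business assets


Asset = Union[BusinessAsset, SystemAsset]


@dataclass(frozen=True)
class SecurityCriterion:
    property: str       # "confidentiality" | "integrity" | "availability"
    asset: BusinessAsset


@dataclass(frozen=True)
class Threat:
    description: str
    likelihood: int
    targets: Tuple[SystemAsset, ...]


@dataclass(frozen=True)
class Vulnerability:
    description: str
    level: int
    asset: SystemAsset


@dataclass(frozen=True)
class Impact:
    description: str
    level: int
    harms: Tuple[Asset, ...]
    negates: Tuple[SecurityCriterion, ...]


@dataclass(frozen=True)
class Risk:
    threat: Threat
    vulnerabilities: Tuple[Vulnerability, ...]   # threat + vulnerabilities = event
    impact: Impact


@dataclass(frozen=True)
class TreatmentDecision:
    kind: Treatment
    residual_level: int     # estimated risk level once the treatment is in place
    cost: int               # e.g. buying a firewall plus maintaining it


def potentiality(risk: Risk) -> int:
    """Potentiality from threat likelihood and the worst exploited vulnerability.
    Combination rule (assumption): round-half-up average on the 1..4 scale."""
    worst = max(v.level for v in risk.vulnerabilities)
    return (risk.threat.likelihood + worst + 1) // 2


def risk_level(risk: Risk) -> int:
    """Risk level from potentiality and impact level (product, by assumption)."""
    return potentiality(risk) * risk.impact.level


def risk_reduction(risk: Risk, decision: TreatmentDecision) -> int:
    """Risk reduction metric; zero for retention, which changes nothing."""
    if decision.kind is Treatment.RETENTION:
        return 0
    return risk_level(risk) - decision.residual_level


def check_risk(risk: Risk) -> List[str]:
    """Multiplicity constraints implied by the domain model; empty list = valid."""
    problems = []
    if not risk.vulnerabilities:
        problems.append("event needs at least one vulnerability")
    if any(v.asset not in risk.threat.targets for v in risk.vulnerabilities):
        problems.append("vulnerability must belong to an asset the threat targets")
    if len(set(risk.impact.harms)) < 2:
        problems.append("impact must harm at least two assets")
    if not any(isinstance(a, BusinessAsset) for a in risk.impact.harms):
        problems.append("impact must harm a business asset")
    if not risk.impact.negates:
        problems.append("impact must negate at least one security criterion")
    if any(c.asset not in risk.impact.harms for c in risk.impact.negates):
        problems.append("negated criterion must be on a harmed business asset")
    return problems


# Constructed instance of the Risk slide's example; levels are assumed.
calc_process = BusinessAsset("structure calculation process", value=4)
staff = SystemAsset("people encoding data")
pcs = SystemAsset("personal computers")
social_engineering = Threat("hacker using social engineering on a member of the company",
                            likelihood=3, targets=(staff, pcs))
weak_awareness = Vulnerability("weak awareness of the staff", level=4, asset=staff)
integrity_loss = Impact("unauthorised access to PCs and loss of integrity of the process",
                        level=3, harms=(pcs, calc_process),
                        negates=(SecurityCriterion("integrity", calc_process),))
EXAMPLE_RISK = Risk(social_engineering, (weak_awareness,), integrity_loss)
REDUCE = TreatmentDecision(Treatment.REDUCTION, residual_level=4, cost=2)  # awareness training
RETAIN = TreatmentDecision(Treatment.RETENTION, residual_level=12, cost=0)

if __name__ == "__main__":
    print("problems:", check_risk(EXAMPLE_RISK), "risk level:", risk_level(EXAMPLE_RISK))
    for d in (REDUCE, RETAIN):
        print(d.kind.value, "reduction", risk_reduction(EXAMPLE_RISK, d), "cost", d.cost)
```

The register makes the Metrics slide concrete: with likelihood 3 and vulnerability level 4 the event potentiality is 4, the risk level is 12, the reduction decision lowers it by 8 at cost 2, and retention scores a reduction of 0 whatever the residual level. Dropping the business asset from the impact makes `check_risk` report the violated multiplicity, which is the kind of model check a risk register tool should run before ranking risks.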
Process
Context and Asset Identification
• Description of the organisation and its environment, including the sensitive activities related to information security
• Example: design of technical plans; the technical plans are created by draughtsmen and engineers on computers connected to the Internet
Security Objective Determination
• Determine the security objectives to be reached: confidentiality, integrity, availability
• Example: during their design, the technical plans should be kept confidential
Risk Analysis and Assessment
• Identify the risks and estimate them qualitatively or quantitatively
• Example: a rival tries to use common operating system and network protocol weaknesses to penetrate the personal computer of an employee on which confidential technical plans are stored; estimated level: sufficiently high
Risk Treatment
• Choose the risk treatment: risk avoidance, risk reduction, risk transfer or risk retention
• Example: reduce the preceding risk with security controls implemented in the system
Security Requirements Definition
• Security requirements: security solutions that mitigate the risks
• If the security requirements are unsatisfactory, revise the risk treatment step or all of the preceding steps
• Example: procedures for monitoring the use of information processing facilities should be established and the results of the monitoring activities reviewed regularly
Security Control Selection and Implementation
• Implement the system countermeasures within the organisation
• Example: a firewall and an intrusion detection system are selected and implemented
Example

Asset-Related Concepts
• Business asset: the Game report data, submitted at the frame to Submit game report and stored in the Game storage
• System assets: the frame to Submit game report used by the umpire; the transmission medium that transfers the Game report; the Game storage that stores ERIS data
• Security criteria: confidentiality of the Game report; integrity of the Game report

Risk-Related Concepts: Threat Definition
• Threat agent: an attacker with the means to intercept the transmission medium by acting as a proxy
• Attack method: (1) intercept the transmission medium between the frame to Submit game report and the Game storage; (2) capture, modify and pass the data to the Game storage
• Threat: an attacker intercepts the transmission medium and captures, modifies and passes the Game report to the Game storage

Risk-Related Concepts: Event Definition
• Vulnerabilities: the transmission medium's characteristic of being interceptable; lack of crypto-functionality at the frame to Submit game report and at the Game storage
• Event: an attacker intercepts the transmission medium because of its characteristic of being interceptable, captures the Game report because of the lack of crypto-functionality at the frame to Submit game report, and modifies and passes the data to the Game storage because of the lack of crypto-functionality at the Game storage

Risk-Related Concepts: Risk Definition
• Impact: loss of Game report integrity; the Game report is not securely submitted and stored; loss of transmission medium reliability
• Risk: an attacker intercepts the transmission medium and captures, modifies and passes the Game report, because of the transmission medium's characteristic of being interceptable and because of the lack of crypto-functionality at the frame to Submit game report and at the Game storage, leading to loss of Game report integrity

Risk Treatment-Related Concepts
• Risk treatment decision: risk reduction
  – Security requirement: verify the received Game report against the original
  – Control: checksum algorithm
• Risk treatment decision: risk avoidance
  – Security requirement: change to a transmission medium that cannot be intercepted
  – Controls: the Game report is physically delivered to the football federation; the Game report is saved to the Game storage by entering it manually
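The checksum control deserves a practitioner's caveat. It satisfies "verify the received Game report against the original" only against accidental corruption: the threat agent in this example is an active proxy that modifies and passes the data, and a proxy that can rewrite the report can recompute an unkeyed checksum just as easily. The following Python, an added example rather than the book's code, plays the event through with both a CRC32 checksum and a keyed MAC (HMAC-SHA256) as the control; the report content and the shared key are constructed for the example.

```python
import hashlib
import hmac
import json
import zlib

# Added example, not the book's code. Report and key are constructed inputs.
GAME_REPORT = {"match": "FC Tartu vs FC Tallinn", "score": "2-1", "umpire": "U-17"}
STORAGE_KEY = b"secret shared by the Submit game report frame and the Game storage"


def encode(report: dict) -> bytes:
    """Canonical serialisation so that sender and storage tag identical bytes."""
    return json.dumps(report, sort_keys=True, separators=(",", ":")).encode()


def checksum_tag(report: dict) -> int:
    return zlib.crc32(encode(report))


def mac_tag(report: dict, key: bytes) -> str:
    return hmac.new(key, encode(report), hashlib.sha256).hexdigest()


# The frame to Submit game report (sender) under each control.
def submit_with_checksum(report: dict) -> dict:
    return {"report": report, "crc": checksum_tag(report)}


def submit_with_mac(report: dict, key: bytes) -> dict:
    return {"report": report, "mac": mac_tag(report, key)}


# The Game storage (receiver): "verify the received Game report against the original".
def storage_accepts_checksum(message: dict) -> bool:
    return message["crc"] == checksum_tag(message["report"])


def storage_accepts_mac(message: dict, key: bytes) -> bool:
    return hmac.compare_digest(message["mac"], mac_tag(message["report"], key))


# The threat agent: a proxy on the transmission medium.
def proxy_modifies(message: dict, new_score: str) -> dict:
    """Captures, modifies and passes the report. Whatever can be computed from the
    message alone (the CRC) is recomputed; the MAC cannot be, without the key."""
    tampered = {"report": dict(message["report"], score=new_score)}
    if "crc" in message:
        tampered["crc"] = checksum_tag(tampered["report"])
    if "mac" in message:
        tampered["mac"] = message["mac"]        # stale tag: the attacker has no key
    return tampered


def demo() -> dict:
    """Outcome of the event under each control: True means the storage accepted it."""
    honest_crc = submit_with_checksum(GAME_REPORT)
    honest_mac = submit_with_mac(GAME_REPORT, STORAGE_KEY)
    return {
        "checksum, honest": storage_accepts_checksum(honest_crc),
        "checksum, tampered": storage_accepts_checksum(proxy_modifies(honest_crc, "9-0")),
        "mac, honest": storage_accepts_mac(honest_mac, STORAGE_KEY),
        "mac, tampered": storage_accepts_mac(proxy_modifies(honest_mac, "9-0"), STORAGE_KEY),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:20s} -> {'accepted' if accepted else 'rejected'}")
```

The tampered report with a recomputed CRC is accepted, so the checksum closes neither vulnerability against this threat agent; the tampered report with a stale MAC is rejected because the tag depends on a key the proxy does not hold. A MAC addresses only the integrity criterion listed for the Game report; the confidentiality criterion still requires encryption, which is why "lack of crypto-functionality" at both ends is usually closed with an authenticated, encrypted channel rather than a checksum.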
Further Reading
• AURUM: Automated Risk and Utility Management
  – Ekelhart, A., Fenz, S., Neubauer, T.: AURUM: a framework for information security risk management. In: Proceedings of the 42nd Hawaii International Conference on System Sciences (2009)
• CORAS
  – Lund, M.S., Solhaug, B., Stølen, K.: Model-Driven Risk Analysis: The CORAS Approach. Springer, Heidelberg (2011)
• CRAMM: CCTA Risk Analysis and Management Method
  – Yazar, Z.: A qualitative risk analysis and management tool: CRAMM. Technical Report, SANS Institute (2002)
• EBIOS: Expression des Besoins et Identification des Objectifs de Sécurité
  – DCSSI Advisory Office: EBIOS 2010: Expression of Needs and Identification of Security Objectives. Technical Report, Secrétariat général de la défense nationale, Direction centrale de la sécurité des systèmes d'information (2010)
• MEHARI: Méthode Harmonisée d'Analyse du Risque Informatique
  – CLUSIF: MEHARI 2010: Fundamental concepts and principles - specifications. Technical Report, Club de la Sécurité de l'Information Français (2010)
• OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation
  – Alberts, C.J., Dorofee, A.J., Stevens, J., Woody, C.: Introduction to the OCTAVE Approach. Technical Report, Software Engineering Institute, Carnegie Mellon University (2003)
Summary
• Domain model
  – Asset-related concepts
  – Risk-related concepts
  – Risk treatment-related concepts
• Relationships and multiplicities
• Metrics
• Process
• Example
• Further reading