
Using system security metrics to enhance resiliency
Dr. Sara Bitan, ENGINEERING RESILIENT & ROBUST SYSTEMS, 24-Jan-2011
Presentation transcript


Slide 1: Using system security metrics to enhance resiliency (title slide)
Dr. Sara Bitan, ENGINEERING RESILIENT & ROBUST SYSTEMS, 24-Jan-2011
Footer on every slide: "24-Jan-2011 Bitan: Using system security metrics to enhance resiliency"

Slide 2: Outline
- Definitions
- System attack surface measurement
- Applying the attack surface metric to resiliency
  ◦ Adding resiliency while minimizing attack surface increase
  ◦ Determining resiliency locations through internal attack surface measurement
  ◦ Attack surface during the resilient system timeline
- Conclusion

Slide 3: Definitions
- A resilient system (*) is a system that can withstand unpredicted or even predicted adverse events.
- A secure system (**) is a system that can protect its information and resources (CIA):
  a. Confidentiality is the state of a system in which information flow is controlled to prevent unauthorized disclosure which might be harmful.
  b. Integrity is the state of being complete or whole; in the context of a system it is also the state of being consistent.
  c. Availability is the state of the system where all its components are present, accessible and ready to be used.
(*) Sheard S.: A framework for System Resilience Discussions
(**) Title 44, U.S. Code

Slide 4: A resiliency framework
- A resilient system fulfils system security requirements if Confidentiality, Integrity and Availability belong to the qualities that the resilient system is required to preserve.
Source: Sheard S.: A framework for System Resilience Discussions

Slide 5: The resilient system timeline
(figure: the resilient system timeline, from Sheard S.: A framework for System Resilience Discussions)

Slide 6: Resiliency – security relationships
(diagram: the overlap between Resiliency and Security)

Slide 7: Risk assessment
(diagram labels: Threat, Vulnerability, Likelihood, System, Attack/Exploit, Damage)
- Likelihood is a function of:
  ◦ the Damage/Impact, which dictates the attacker's motivation
  ◦ the Vulnerability: how easy or hard is it to discover and exploit?
  ◦ the Attack: how easy or hard is it, and what does it cost?
- In the spirit of NIST SP 800-30

Slide 8: The system's attack surface
- Intuitively, a system's attack surface is the set of ways in which an adversary can enter the system and potentially cause damage.
- The set of ways to enter a system is determined by the system's interfaces, commands and data.
- The model is discrete
  ◦ Currently cannot model continuous/analog processes
- Doesn't model side effects

Slide 9: Attack surface formal definition
- The system attack surface is a function of its environment. The environment consists of users, other systems and data.
- Resources consist of:
  ◦ Methods / actions or commands
  ◦ Channels / interfaces
  ◦ Data
- Formally, the system attack surface is the set of resources potentially used in an attack.
Source: Manadhata & Wing: An attack surface metric

Slide 10: Modeling the system – I/O Automaton
- The model used in this analysis is the I/O automaton, which consists of:
  ◦ States
  ◦ Actions, partitioned into input, output and internal actions
  ◦ A transition function moving, through action execution, from a set of pre-states to a set of post-states
- A composition of I/O automata is itself an I/O automaton → good for complex system modeling by composing the I/O automata modeling the system's simpler components

Slide 11: Defining the attack surface
- System, users and persistent data are modeled as I/O automata
  ◦ Files, database records and cookies are examples of persistent data
- Attacks are sequences of actions performed by users, systems and data in the environment
- Channels and data are modeled as states
- Methods are modeled as actions
- The attack surface consists of input/output actions and the relevant states

Slide 12: Comparing attack surfaces
- Theorem: if S and S' are two systems in environment E, and attack_surface(S, E) ≥ attack_surface(S', E), then attacks(S') is a subset of attacks(S)
- Observations:
  ◦ The theorem decouples the analysis from the attacks
  ◦ If features are added to the system (e.g. to enhance resiliency) then the system attack surface increases
  ◦ But luckily for us not all interfaces contribute equally to the attack surface

Slide 13: Damage potential and effort
- Each action has a set of pre- and post-states
- The effort corresponds to the action's required pre-states
  ◦ E.g. input type, authenticated user, SSL channel
  ◦ Determines the potential number of methods that can call this method
- Damage potential corresponds to post-states
  ◦ E.g. root privileges, supervisor mode
  ◦ Determines the potential number of methods this method can call
- Each interface is assigned a number: the damage potential / effort ratio (DER)
  ◦ Similar to a cost-benefit ratio
- The attack surface is the sum of the DERs of all interfaces belonging to the attack surface

Slide 14: How can we use the metric?
- Minimize the increase to the attack surface when resiliency is enhanced
  ◦ Least privilege
  ◦ Separation of duties
  ◦ Example: key escrow, Byzantine protocols
- Determine resiliency locations
  ◦ Locate resiliency such that the size of the intersection set of entry/exit points is minimized
  ◦ Example: the Cellcom incident
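The following is an added illustration, not code from the talk or from Manadhata & Wing, of the metric on slides 12 to 14: each interface gets a damage-potential / effort ratio (DER) from its post- and pre-states, the attack surface is the sum of DERs, two ways of adding a resiliency feature are compared by that sum, and a backup location is chosen to minimize shared entry points. The ordinal scales, the sample system and the "restore" feature are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed ordinal scales (an assumption, not from the slides): the privilege an
# action's post-state reaches sets its damage potential; the access right its
# pre-state demands sets the attacker's effort.
DAMAGE = {"unprivileged": 1, "authenticated": 3, "root": 5}
EFFORT = {"anonymous": 1, "authenticated": 3, "admin": 5}


@dataclass(frozen=True)
class Interface:
    """An entry/exit point: one input/output action of the system's I/O automaton."""
    name: str
    pre_state: str   # access right required to invoke the action (effort)
    post_state: str  # privilege the action runs with or reaches (damage potential)

    def der(self) -> float:
        """Damage-potential to effort ratio of this interface (slide 13)."""
        return DAMAGE[self.post_state] / EFFORT[self.pre_state]


def attack_surface(system: list[Interface]) -> float:
    """Slide 13: the attack surface is the sum of the DERs of all its interfaces."""
    return sum(i.der() for i in system)


def surface_increase(base: list[Interface], variant: list[Interface]) -> float:
    """How much a resiliency feature grows the attack surface relative to the base."""
    return attack_surface(variant) - attack_surface(base)


def best_backup_site(primary: set[str], candidates: dict[str, set[str]]) -> str:
    """Slide 14: pick the backup location sharing the fewest entry points with the primary."""
    return min(candidates, key=lambda c: len(primary & candidates[c]))


# Constructed sample system S, plus two ways of adding a restore feature for resiliency.
BASE = [Interface("login", "anonymous", "authenticated"),
        Interface("read_record", "authenticated", "authenticated")]
# Variant A: any authenticated user may trigger restore, and it runs as root.
VARIANT_A = BASE + [Interface("restore", "authenticated", "root")]
# Variant B: least privilege and separation of duties: admin-only, runs unprivileged.
VARIANT_B = BASE + [Interface("restore", "admin", "unprivileged")]

if __name__ == "__main__":
    for label, s in (("S", BASE), ("S+A", VARIANT_A), ("S+B", VARIANT_B)):
        print(f"{label}: attack surface = {attack_surface(s):.2f}")
    # Slide 15: do not put every backup on a path that starts at the update entry point.
    print(best_backup_site({"update", "query"},
                           {"same_path": {"update", "restore"}, "separate": {"restore", "console"}}))
```

By the slide 12 theorem, the smaller sum for variant B means its attack set is contained in variant A's, so B adds the resiliency feature at the lower security cost.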

Slide 15: The Cellcom incident
- Do not locate all backup systems on paths starting in the update (event) entry point

Slide 16: Applying the metric to all periods
- Track CERT advisories, update the DERs and fortify the increased attack surface
- Use system composition and the internal attack surface to activate internal mitigation mechanisms
- Re-run the attack surface measurements

Slide 17: Conclusion
- An I/O automata model for attack surface measurement was presented
- Using the composition property of I/O automata, the model can be extended to measure resiliency, determine the best locations to add resiliency, and offer mechanisms for graceful degradation and recovery

Slide 18: Thank you
Contact: sarabitan@gmail.com

