8-1 Securing mission-critical core systems
George Valvis, Expertnet S.A.
Panagiotis Sklavos, DECE, National Technical University of Athens
Dr. Despina Polemi, ICCS, National Technical University of Athens
8-2 Outline of the Presentation
- Introduction
- Problem description
- Threats that need to be addressed
- Solution overview
- Administrative schema
- Content Provider Model
- Three-tier architecture (Enterprise users and roles)
- Normal behaviour series of events
- Automated Reporting Functionality
- Scalability-Availability considerations
8-3 Introduction
- Core system: a wealth of sensitive corporate information
- Legacy system
- Proprietary database application
- Unable to decommission the system
- Highly integrated with multiple corporate subsystems
- Inability to provide a secure infrastructure
8-4 Notes for Slide 3
These legacy databases are integrated with other legacy subsystems in order to obtain information from various sources and store it in a structured manner. They are, therefore, necessary components of the organization's IT infrastructure, and their replacement could have major ripple effects. The proprietary legacy applications are not able to support authentication, authorization and accounting (AAA) functions. These functions, however, are fundamental in order to ensure that access to sensitive information is controlled and monitored. This inherent lack of security opens the business up to potential negative consequences in the form of insider misuse and leaks of information.
8-5 Problem description
Multiple vulnerabilities exist, causing serious threats (high level):
- insider misuse
- sensitive information leak
These have major consequences (high level):
- customer dissatisfaction
- harm to the business reputation
- legal issues (Greek Act for Personal Data)
8-6 Notes for Slide 4
The lack of infrastructure security can lead to unauthorized transactions, which could expose the business to the risk of insider misuse, leak of information, data modification or replacement, false representation and service interference. The inability to provide a secure infrastructure for the viewing of sensitive corporate information opens the business up to negative consequences in the form of insider misuse and leak of information. Lack of security can lead to customer dissatisfaction, could harm the business reputation and could provoke legal issues. Legacy systems and databases are vulnerable to security breaches because of their complex nature, insecure password mechanisms, misconfigured operating systems or unrecognised system backdoors.
8-7 Threats that need to be addressed
Threat: Abuse of privilege
- Lack of fine-grained access control
- Users always assigned a pre-configured set of privileges
- No flexible way to assign and revoke privileges on an as-needed basis
- Password attacks
Potential consequences:
- Users always able to access (confidential) information, even for illegitimate purposes
- Extensive leak of information (multiple incidents)
- Data aggregation and correlation (deduce classified information from unclassified information)
- Poor means of verifying an individual's authorization to receive specific categories of information
8-8 Notes for Slide 5
Countermeasures
Strong authentication
- All users connecting to the database authenticate (multi-tier)
- Establish with certainty who a user is
Implementation: Public Key Infrastructure-based authentication
- Uniquely identifies a user within the organization
- The certificate can be used to authenticate the user to multiple services (no need to remember many passwords)
- Authentication over Secure Sockets Layer (SSL): strong user authentication and network data confidentiality
8-9 Notes for Slide 5 (Continued)
Privilege management
- Least privilege principle: control which privileges a user has and under what conditions those privileges can be used
- A user is assigned only those privileges necessary to perform her duty
- A user holds those privileges only while she has a duty to perform
- Flexible way to assign and revoke privileges
8-10 Notes for Slide 5 (Continued)
Implementation
1. A view is a content- or context-dependent subset of one or more tables
   Content:
   - Subset of rows, e.g. view only call details at least 2 weeks old
   - Subset of columns, e.g. view only the customer names
   Context: e.g. a manager can view restricted information
- Customise access to information
- Limit the data that a user can access within database objects
- Grant a user the ability to access certain types of views
- No need to grant the user any access to the underlying database objects
8-11 Notes for Slide 5 (Continued)
2. Roles to manage privileges (Role: user-defined collection of privileges)
- The role should grant the privilege to access specific views
- The PDPT operators' access privileges should be revoked as soon as possible to prevent the duplication or leak of information
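The view-and-role scheme of items 1 and 2 above, written out as an added example for this transcript; it is not the schema of the presented platform. PostgreSQL syntax is used; the table call_detail, the view names, the roles pdpt_operator and pdpt_manager and the user opr1 are all assumptions. The example also covers the context-dependent case ("a manager can view restricted information") with a role-membership predicate inside the view.

```sql
-- Added example, not the presentation's own schema. PostgreSQL syntax;
-- all object names are assumptions.

-- Replicated copy of the sensitive legacy data (content provider platform).
CREATE TABLE call_detail (
    call_id       BIGINT PRIMARY KEY,
    customer_name TEXT      NOT NULL,
    called_number TEXT      NOT NULL,
    call_start    TIMESTAMP NOT NULL,
    duration_s    INTEGER   NOT NULL
);

-- 1a. Content-dependent view, row subset: call details at least two weeks old.
CREATE VIEW v_call_detail_aged AS
    SELECT call_id, customer_name, called_number, call_start, duration_s
    FROM   call_detail
    WHERE  call_start <= CURRENT_TIMESTAMP - INTERVAL '14 days';

-- 1b. Content-dependent view, column subset: customer names only.
CREATE VIEW v_customer_names AS
    SELECT DISTINCT customer_name FROM call_detail;

-- 1c. Context-dependent view: rows are returned only when the connected
--     user is a member of the manager role; everyone else sees an empty set.
CREATE VIEW v_call_detail_restricted AS
    SELECT call_id, customer_name, called_number, call_start, duration_s
    FROM   call_detail
    WHERE  pg_has_role(current_user, 'pdpt_manager', 'MEMBER');

-- 2. Roles as user-defined collections of privileges. Privileges are granted
--    on the views only; no user ever receives a grant on call_detail itself.
--    The views run with their owner's privileges (PostgreSQL default), so the
--    owner of the views must be a privileged account that operators cannot log in as.
CREATE ROLE pdpt_operator NOLOGIN;
CREATE ROLE pdpt_manager  NOLOGIN;

GRANT SELECT ON v_call_detail_aged, v_customer_names TO pdpt_operator;
GRANT SELECT ON v_call_detail_restricted          TO pdpt_manager;
GRANT pdpt_operator TO pdpt_manager;              -- managers inherit operator views

-- Ticket-driven assignment by the security administrator: the role is granted
-- when a ticket needing sensitive data is opened and revoked as soon as the
-- ticket is closed. (In the presented design the user authenticates with a
-- certificate over SSL; how that is configured is outside this example.)
CREATE USER opr1;
GRANT  pdpt_operator TO opr1;
-- ... operator works the ticket through the application tier ...
REVOKE pdpt_operator FROM opr1;

-- Check what opr1 can still reach after the revoke: the base table must not appear.
SELECT table_name, privilege_type
FROM   information_schema.role_table_grants
WHERE  grantee = 'opr1';
```

The last query is the practitioner's sanity check for the "no access to the underlying objects" property: if call_detail ever shows up for an operator account, the least-privilege model has been bypassed, regardless of what the views restrict.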
8-13 Threats that need to be addressed (cont.)
Threat: Privilege level escalation
- Use of an ad-hoc query tool (report writer) accessed by group accounts
Potential consequences:
- Misrepresentation of users
- Bypass of user privileges
- Leak of information
8-14 Notes for Slide 6
Countermeasures
- Avoid using ad-hoc query tools
- View information only through the application
- No group accounts
8-15 Threats that need to be addressed (cont.)
Threat: Lack of accountability
- Difficult to maintain a record of user activity
- Difficult to identify and track potentially suspicious activity
- No hard evidence
Potential consequences:
- Extensive leak of information (multiple incidents)
- Negative exposure to customers
- Damage to organization stature and reputation
8-16 Notes for Slide 7
Countermeasure: Auditing
- Users are held accountable for their actions
- Maintain and periodically review audit information
- The security policy should define the backup procedures for audit data
- Tampering with log files can disguise illegal activities carried out in the database
- The security administrators should not own any tables in the database
- The security administrators should only be able to create views of the audit tables in order to generate user activity reports
- Design a mechanism to automate the review of audit data
8-17 Solution overview
- Defined security policy and procedures
- Modular design: three-tier architecture, content provider approach
- Practice defense in depth: multiple layers of protection
- Database security: enforce ACLs on the databases; dynamic assignment of user rights (roles)
- General OS hardening principles: ensure strong host-level security on all servers; assess system-level vulnerabilities
- Restrict network access and provide detection capability: deploy firewall, NIDS
- Audit policy: automated tool for reviewing audit data
8-18 Notes for Slide 8
The design should allow seamless integration with the existing mission-critical systems, securing them at the same time, so that normal business operations are not disturbed. In order to provide a solution for the aforementioned security challenge we adopted a methodology which combines the following generic approaches to IT security provisioning: The definition of an appropriate administrative schema that determines the procedures followed to access the sensitive corporate information. The administrative schema is derived directly from the security policy. A building-block approach for designing a security solution that utilizes various technologies in multiple stages in order to provide authentication, authorization and accounting mechanisms for access to sensitive information within the defined administrative schema.
8-19 Notes for Slide 8 (Continued)
Exercise defense in depth as a general principle, in order to apply several layers of defense, sometimes overlapping, and achieve the broadest and most complete coverage of the content provider platform. This is accomplished using diverse methods and technologies under the unified umbrella of a comprehensive security policy. Additionally, an automated reporting procedure has been suggested that will help indicate any behaviour that deviates from the one imposed by the security policy, thus providing near real-time misuse detection support for the overall platform. For defense in depth to work effectively, auditing information should be correlated and aggregated before being analyzed, in order to provide a complete platform-wide view of the security posture.
8-21 Administrative schema
[Diagram. Recoverable elements: Customers send a Request to Customer Care (CC) and receive a Reply; Customer Care opens a ticket (Open Ticket) in the Problem management System; the PDPT reads and closes the ticket (Read-Close Ticket); a Security Officer is shown alongside the PDPT.]
8-22 Notes for Slide 9
A special department, which this document will call the Personal Data Processing Team (PDPT), will service requests originating from the organization's customer care departments and the organization's external commercial partners.
8-23 Content Provider Model
[Diagram of the layered platform, imposed by the security policy. Recoverable labels: Thin client Web Presentation; Three-tier Platform; Content Adaptation (filtering); Database Security Services; DBMS Services; Legacy Provider; Network and Hosts Layered Security Services and Tools.]
8-24 Notes for Slide 10 This platform (content provider platform) should be capable of performing the necessary authentication authorization and accounting functionality. The transactions take place only on the legacy system whereas the platform just makes possible the view of the sensitive content when the conditions defined by the security policy can be met. Subsequently, direct access to the legacy system will be denied for all users except for the users that need to update or modify non-sensitive information. The content provider platform will be implemented by a modern RDBMS system with enhanced security mechanisms and will engage mechanisms that allow data to be exported from the legacy database and imported to a modern RDBMS system. Most modern RDBMS provide utilities that could load data from external files into tables in the databases. The utilities could accept input data in a variety of formats (for example ASCII delimited files), can perform filtering, and can load data into multiple database tables during the same load session. The specific fields that should be included in this import process shall be defined by the security policy of the organization with regard to the sensitivity of the content. Based on the estimated load and bandwidth limitations, the process of periodic content replication is expected to last less than two hours. It also will be scheduled to take place during the hours of less utilisation of the mainframe in order to avoid degradation of its performance.
8-25 Three-tier architecture (Enterprise users and roles)
[Diagram. Components: Client, Application Server, Database Server, Legacy Database Server (content), Directory Server (Security Manager). The Client logs in to the Application Server over SSL; the Application Server proxies the user ID to the Database Server; the Application Server queries the Directory Server over LDAP over SSL.]
When a user attempts to connect to the Application server, the directory is queried to obtain the enterprise roles associated with the user. The workstation would authenticate with the application server, and the application server would authenticate with the database server.
8-26 Notes for Slide 11
A three-tier architecture will be adopted for the content provider platform in order to provide efficient resource management, improved scalability and security. In a three-tier system, the middle tier, typically implemented by deploying web servers, can act as a concentrator, mediating access to the back-end system and allowing many user devices to share relatively few connections to the back-end system (database server).
Normal behaviour series of events
1. A ticket regarding sensitive information is opened. Logged: Ticket number, Date/time, Type of problem, Customer's name, Status (Open)
2. SA provides privileges to an operator. Logged: Ticket number, Role, Date/time, Operator's user name, Security administrator's user name
3. Operator connects to the database. Logged: Operator's user name, Customer's name, Role, Date/time, Accessed view
4. A ticket regarding sensitive information is closed. Logged: Ticket number, Date/time, Customer's name, Status (Close), Operator's user name
8-28 Notes for Slide 12
In the framework of the content provider we can define as normal user behaviour a set of well-defined events that appear in sequence. This set is composed of four major events that should occur in the following time order:
1. A ticket of a specific type is opened. To resolve these types of cases, access to sensitive customer personal data is required.
2. A security administrator reads the ticket and assigns privileges to a PDPT member.
3. An operator connects to the database (through the middle tier) and accesses the data.
4. The operator closes the ticket.
A ticket number uniquely identifies every ticket. When the security administrator provides the privileges, the application should require her to provide that ticket number. That number should be recorded in the audit table of the database, along with the administrator's user name,
8-29 Notes for Slide 12 (Continued)
date/time, the operator's user name and the role that the operator was assigned. The operator's user name, along with the procedure she executed, the customer's name and the date/time, should also be logged in the audit table. Finally, the ticket with that ticket number is closed. There is log information located in two different systems that is useful to trace, and for incident analysis it is helpful to collect these logs on a central analysis server. The central analysis server is the centre of the automated reporting operation. This server would ideally consist of a database and a web server, allowing interactive querying of log data for analysis. An easy-to-use web interface will help to evaluate the current attack status of the PDPT operations. It will also allow analysts to perform pre-programmed queries, such as aggregation and statistics gathering, to identify suspicious patterns and to perform rudimentary incident analysis. Finally, the information gathered on the server will provide a broader view of the user community's activity with respect to the content provider platform.
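The correlation the notes describe, a ticket opened, a role granted against that ticket, data accessed, the ticket closed, is the behavioural model the automated reporting tool checks sessions against. The following is an added example written for this transcript, not code from the presented platform: it joins constructed ticketing records with constructed database audit records (the fields of the slide above) and flags every grant or access that no open ticket for the right customer justifies. Record layouts, role and view names, user names and all sample records are assumptions.

```python
"""Automated review of audit data: correlate database audit rows with ticketing
records and report deviations from the four-step normal behaviour
(ticket opened -> privilege granted -> data accessed -> ticket closed).
Added example; record layouts and sample data are constructed, not taken from
the presented platform."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class Ticket:            # record exported from the problem-management (ticketing) system
    number: str
    customer: str
    opened: datetime
    closed: Optional[datetime]   # None while the ticket is still open


@dataclass(frozen=True)
class Grant:             # audit row written when the security administrator assigns a role
    ticket: str
    operator: str
    role: str
    admin: str
    at: datetime


@dataclass(frozen=True)
class Access:            # audit row written when an operator reads a sensitive view
    operator: str
    customer: str
    role: str
    view: str
    at: datetime


def detect_misuse(tickets, grants, accesses):
    """Return one alert string per grant or access that no open ticket justifies."""
    by_number = {t.number: t for t in tickets}
    alerts = []

    # Step 2 check: every privilege grant must cite a ticket that is open at grant time.
    for g in grants:
        t = by_number.get(g.ticket)
        if t is None:
            alerts.append(f"GRANT {g.ticket}: {g.admin} assigned {g.role} to {g.operator} "
                          f"for an unknown ticket")
        elif g.at < t.opened or (t.closed is not None and g.at > t.closed):
            alerts.append(f"GRANT {g.ticket}: {g.admin} assigned {g.role} to {g.operator} "
                          f"while the ticket was not open")

    # Step 3 check: every access needs a prior grant whose ticket names the same
    # customer and is still open when the access happens.
    for a in accesses:
        candidates = [g for g in grants
                      if g.operator == a.operator and g.role == a.role and g.at <= a.at]
        if not candidates:
            alerts.append(f"ACCESS {a.operator} read {a.view} for {a.customer} "
                          f"with no privilege grant on record")
            continue
        reasons = []
        for g in candidates:
            t = by_number.get(g.ticket)
            if t is None:
                reasons.append(f"ticket {g.ticket} unknown")
            elif t.customer != a.customer:
                reasons.append(f"ticket {t.number} belongs to {t.customer}")
            elif t.closed is not None and a.at > t.closed:
                reasons.append(f"ticket {t.number} closed at {t.closed:%H:%M}")
            else:
                reasons = []          # a valid justification exists; stop looking
                break
        if reasons:
            alerts.append(f"ACCESS {a.operator} read {a.view} for {a.customer} "
                          f"at {a.at:%H:%M}: " + "; ".join(reasons))
    return alerts


def demo():
    """Constructed records for one working day (sample data, not real events)."""
    def at(hhmm):
        return datetime.strptime(f"2024-03-05 {hhmm}", "%Y-%m-%d %H:%M")

    tickets = [
        Ticket("T-1001", "Customer A", at("09:00"), at("09:40")),
        Ticket("T-1002", "Customer B", at("10:00"), None),
    ]
    grants = [
        Grant("T-1001", "opr1", "PDPT_VIEWER", "secadm", at("09:05")),  # normal
        Grant("T-1002", "opr2", "PDPT_VIEWER", "secadm", at("10:05")),  # normal
        Grant("T-1001", "opr3", "PDPT_VIEWER", "secadm", at("11:00")),  # ticket already closed
    ]
    accesses = [
        Access("opr1", "Customer A", "PDPT_VIEWER", "v_customer_pii", at("09:10")),  # normal
        Access("opr1", "Customer A", "PDPT_VIEWER", "v_customer_pii", at("09:50")),  # after close
        Access("opr2", "Customer B", "PDPT_VIEWER", "v_customer_pii", at("10:10")),  # normal
        Access("opr2", "Customer A", "PDPT_VIEWER", "v_customer_pii", at("10:15")),  # wrong customer
        Access("opr4", "Customer B", "PDPT_VIEWER", "v_customer_pii", at("10:20")),  # no grant
    ]
    return detect_misuse(tickets, grants, accesses)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The two checks are deliberately independent: a grant made against a closed ticket is reported once, at the grant, while each access is judged only against grants that precede it, so a single suspicious session cannot hide behind a later, unrelated ticket for the same operator. The ticket-to-customer match is the check that catches the data-aggregation threat from the earlier slide, an operator with a legitimate role reading records the ticket never asked for.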
8-31 Automated Reporting Functionality
[Diagram. Inputs to the Central Analysis Server: audit data from the Database Server (the Application Server proxies the Client's user ID) and ticketing data from the Ticketing system. Processing blocks: Logic, Filter, User Profiles, Templates; event correlation and information fusion; grouping of normal events for an easy check of normal behaviour; misuse detection. Outputs: noteworthy sessions, alerts.]
8-32 [Network diagram. Recoverable labels: Corporate Data Network; Back-end systems; Mainframe cluster; Application servers; PDPT user community; NIDS sensors; IDS console.]
8-33 Conclusions
The presented solution attempts to integrate a mission-critical legacy system into a modern e-business environment (three-tier architecture) in order to provide a cost-effective and manageable secure method for accessing sensitive mission-critical corporate data. The main goal was to mitigate the trusted-insider misuse threat. The countermeasures were:
- Regulation of, and access control to, sensitive corporate information, utilizing best security practices (defense in depth, AAA functions)
- Addition of misuse detection functionality, based on a behavioural model and implemented by an automated reporting tool