What Can Security-Critical Engineering learn from Safety-Critical Engineering?
Gerald R. Larocque, Ph.D., TIAX LLC, firstname.lastname@example.org
Sean Martin, Ph.D., Genspire, Ltd., Sean.email@example.com
NDIA Symposium, June 2003
Copyright © 2003 TIAX LLC, Genspire, Ltd.
Page 2 © Tiax LLC & Genspire, LTD 2003
Introduction: Considerations for Safety Systems
Historical experience in safety critical systems has led to a careful, systematic approach to design and analysis.
How would you expect this to be designed? (Figure: Sensors, Limit (Threshold) Detector, Response Actuation System (e.g. Shutdown))
Safety critical components:
– temperature sensors
– threshold detector
– actuators
– robust fault tolerant design
Page 3
Introduction: Considerations for Safety Systems
Good practice in safety engineering follows several principles that are applicable to critical systems in general:
– Careful segregation of system functions
– Systematic identification of potential failures
– Characterization and quantification of risks
– Design of risk/hazard mitigation measures
– Assessment of effectiveness of mitigation measures
– Analysis of safety system reliability
Page 4
Approach: Unique Considerations for Security Systems
Several key security issues are highlighted by the “CAIN” principles that comprise major functions of electronic security systems:
– Confidentiality: Can others observe our communications?
– Authentication: How do I know that I am communicating with the person I think I am?
– Integrity: Can someone tamper with my message?
– Non-repudiation: Once agreed, can the communication be disputed?
Page 5
Approach: Security Analysis
An overall system security review can go far to increase the difficulty of compromise and thus to identify and close the “back door.”
1. System Functions
2. Definitions of “Usage Modes”
3. Analysis of Critical Data Transfers (Keys, Plain-text, Cipher-text)
4. Definitions of Compromise Scenarios
5. Characterization of Likelihood and Severity
6. Specification of Remedial Actions
Page 6
Approach: Threat Analysis
A formal analysis to identify threats in a standard form has proven a useful analysis tool and leads to an instructive graphical presentation.
(Figure: example plot of threats by Ease against Effect. The Danger Zone represents “back doors”, i.e. “easy” attacks with significant effects.)
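As an added illustration of the ease/effect plot and its danger zone (not code from the deck), assuming a 1 to 5 rating on both axes, a danger-zone threshold of 3 on each, and a constructed threat register:

```python
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    ease: int    # 1 = very hard to carry out ... 5 = trivial (assumed scale)
    effect: int  # 1 = negligible impact ... 5 = severe (assumed scale)


EASE_LIMIT = 3    # lower bound of the danger zone on the ease axis (assumed)
EFFECT_LIMIT = 3  # lower bound of the danger zone on the effect axis (assumed)

# Constructed sample register in the slide's "standard form"; not from the deck.
THREATS = [
    Threat("Default admin password on exterior firewall", 5, 5),
    Threat("Physical theft of database server", 1, 5),
    Threat("Defacement of public web page", 4, 2),
    Threat("Undetected edit of production log files", 3, 4),
]


def danger_zone(threats, ease_limit=EASE_LIMIT, effect_limit=EFFECT_LIMIT):
    """Threats that are both easy and damaging, most urgent first."""
    hot = [t for t in threats if t.ease >= ease_limit and t.effect >= effect_limit]
    return sorted(hot, key=lambda t: (t.ease * t.effect, t.ease), reverse=True)


def ease_effect_grid(threats, ease_limit=EASE_LIMIT, effect_limit=EFFECT_LIMIT):
    """Text version of the ease/effect plot: rows are effect (5 at the top), columns
    are ease. '#' marks empty danger-zone cells, '.' other empty cells, and each
    threat is shown by its letter (first letter only if several share a cell)."""
    labels = {chr(ord("A") + i): t for i, t in enumerate(threats)}
    lines = ["effect"]
    for effect in range(5, 0, -1):
        cells = []
        for ease in range(1, 6):
            here = [k for k, t in labels.items() if (t.ease, t.effect) == (ease, effect)]
            in_zone = ease >= ease_limit and effect >= effect_limit
            cells.append(here[0] if here else ("#" if in_zone else "."))
        lines.append(f"  {effect} | " + " ".join(cells))
    lines.append("    +----------")
    lines.append("      1 2 3 4 5  ease")
    return "\n".join(lines)


if __name__ == "__main__":
    print(ease_effect_grid(THREATS))
    print("Danger zone:", [t.name for t in danger_zone(THREATS)])
```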
Page 7
Approach: Design and Analysis
Several practical steps are generally required to secure business processes, many of which are analogous to safety system design and analysis.
(Figure flow: business drivers, usage scenarios, critical?, logical model, threat analysis, mitigation, vendor selection, physical design, segregate, delivery tasks)
1. Establish the business drivers
2. Analyse and define usage scenarios
3. Identify the critical scenarios, for example, where disputes could arise
4. Produce a logical model meeting the usage scenarios and buildable with OTS products
5. Conduct a threat and vulnerability analysis, and consider mitigation actions
6. Assess and select vendors’ offerings
7. Produce a physical design
8. Now segregate it, focusing on how the critical usage scenarios are delivered
9. Repeat the threat and vulnerability analysis and mitigation actions
10. Now go build it, and of course test, and so on.
Page 8
Approach: Security Zones
By partitioning the design into distinct security “zones,” design activities may be appropriately focussed.
High Integrity zone:
– The scope is kept as small as possible and limited to critical functionality
– Rarely updated
– Stringent configuration management and control processes are applied, e.g., all s/w and h/w subject to peer review processes
– The highly controlled functionality produces records that can be implicitly trusted
– Highly restricted access, thus denying opportunities for attacks by internal staff
Production engineering zone:
– The scope may naturally be extensive
– May undergo continual updates
– Regular configuration management and control processes are applied
– Regular zoning access controls
– Reporting without requiring administrator access or intervention, for example, performance, heartbeats, resource usage, log files, etc.
– Produces tamper-evident records, designed so that any tamper will result in an observable discrepancy
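An added example (not from the deck) of how the production zone can produce tamper-evident records whose “fingerprint” is held by the high-integrity zone: each record is hash-chained to its predecessor, only the chain head is reported across the zone boundary, and any later edit or deletion in the production zone shows up as a discrepancy when the chain is recomputed. The record format, the SHA-256 chain and the sample records are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # fixed starting value for an empty chain (assumed convention)


def _digest(prev_hash: str, record: dict) -> str:
    """Hash of a record bound to the hash of the record before it."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_record(chain: list, record: dict) -> str:
    """Production zone: append a record; the returned head hash is the fingerprint
    that is reported to the high-integrity zone without any administrator access."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev_hash, "hash": _digest(prev_hash, record)})
    return chain[-1]["hash"]


def verify_chain(chain: list, trusted_head: str) -> tuple:
    """High-integrity zone: recompute every link and compare with the held fingerprint.
    Returns (True, None) if intact, else (False, index) of the first discrepancy;
    index == len(chain) means records are missing or were re-hashed after the
    fingerprint was taken."""
    prev_hash = GENESIS
    for index, entry in enumerate(chain):
        if entry["prev"] != prev_hash or entry["hash"] != _digest(prev_hash, entry["record"]):
            return (False, index)
        prev_hash = entry["hash"]
    if prev_hash != trusted_head:
        return (False, len(chain))
    return (True, None)


def demo() -> dict:
    """Constructed sample records, then a deletion and an in-place edit."""
    chain, head = [], GENESIS
    for record in [{"seq": 1, "event": "login", "user": "alice"},
                   {"seq": 2, "event": "transfer", "amount": 100},
                   {"seq": 3, "event": "logout", "user": "alice"}]:
        head = append_record(chain, record)
    results = {"intact": verify_chain(chain, head)}
    results["truncated"] = verify_chain(chain[:-1], head)  # last record dropped
    chain[1]["record"]["amount"] = 1000                     # silent edit of a stored record
    results["edited"] = verify_chain(chain, head)
    return results


if __name__ == "__main__":
    print(demo())  # {'intact': (True, None), 'truncated': (False, 2), 'edited': (False, 1)}
```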
Page 9
Approach: Conventional Layering
Although a common IT network architecture provides effective security, “safety-critical” methods may help to enhance it.
A standard, layered architecture is often structured similar to that shown:
– An exterior-facing firewall with IDS
– Three internal server layers with web servers, application servers and database servers
– Two internal firewall layers between the three layers
(Figure: Exterior firewall, Web & IDS zones, Interior firewall, Application server zone, Interior firewall, Database server zone)
By design, this layered approach requires an intruder to progressively surmount firewalls to reach increasingly critical areas. Although this is a good practice, it may be possible to enhance it.
Page 10
Approach: Limitations of Conventional Method
Despite its attractive architecture, this partitioning suffers from several limitations from a security standpoint.
– The partitioning is based on functional rather than security considerations
  – By analogy, using this approach, a reactor system might group sensors in one zone, control logic in a 2nd zone and response actuators in a 3rd zone
  – These zones do not relate to critical usage functions and thus complicate securing the system
– Conventional partitioning leads to “horizontal zones”, whereas security partitioning leads to “vertical zones”
(Figure: functional zones drawn horizontally, with a Regular zone and a Critical zone cutting vertically across them.)
Page 11
Approach: Enhanced Partitioning
By applying safety-like considerations, a more defensible partitioning may be realized.
– Isolates “production” or working environment from “critical zone”
– Surrounds critical zones with resilient firewalls
– Locally contains compromise
– Electronic “fingerprints” detect compromise
(Figure elements: Regular production environment with Exterior firewall, Web & IDS zones, interior firewall, Application server zone, interior firewall, Database server zone; High-integrity critical zone with access firewall, Critical web server, containment firewall, Critical application or business logic functionality, Critical database functionality, access firewall.)
Page 12
Conclusion
The message is not new: “He who defends everything, defends nothing” (Frederick the Great)
– Although conventional approaches provide effective security, it appears likely that the most critical systems can benefit from enhanced partitioning methods.
– By learning from safety engineering, a criticality-based partitioning can be realized.
– Similar to safety engineering, formal analysis and characterization can be used to guide design.
– Effective mitigation measures can be designed and enhanced through analysis of effectiveness.
– The resulting system should exhibit enhanced security.
– Keeping the critical zone design simple is crucial: “KISS: Keep It Small and Simple”