Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dipartimento di Scienze, 27 gennaio 20141 ? What is the scenario? An enterprise and its IT system.

Similar presentations


Presentation on theme: "Dipartimento di Scienze, 27 gennaio 20141 ? What is the scenario? An enterprise and its IT system."— Presentation transcript:

1 Dipartimento di Scienze, 27 gennaio 20141 ? What is the scenario? An enterprise and its IT system

2 Dipartimento di Scienze, 27 gennaio 20142 ? What are the players? AttackerDefender

3 Dipartimento di Scienze, 27 gennaio 20143 What is the game? Interruption of service Diffusion of reserved information Loss of data ?

4 Dipartimento di Scienze, 27 gennaio 20144 What is the game? Interruption of service Diffusion of reserved information Loss of data ?

5 1 2 3 4 1 2 3 4 Defence trees + indexes Strategic games Three novel indicators …… agenda

6 Dipartimento di Scienze, 27 gennaio 20146 1 1. Risk Assessment identification of the: assets, threats and vulnerabilities, countermeasures 2. Risk Analysis determination of the acceptable risk threshold. 3. Risk Mitigation prioritize, evaluate and implement the countermeasure recommended. Economic Indexes Defence trees Risk Management process

7 Dipartimento di Scienze, 27 gennaio 20147 1 Defence tree Defence trees are an extension of attack trees [Schneier00]. Attack tree: the root is an asset of an IT system the paths from the root to the leaf are the way to attack the root the non-leaf nodes can be: and-nodes or-nodes Defence tree: attack tree a set of countermeasures root and -nodes or -nodes

8 An enterprise server is used to store information about customers… An attacker wants to steal this server…

9 Dipartimento di Scienze, 27 gennaio 20149 1 An example: (1) Install a security door Install a video surveillance equipment c4c2 c3 Assume a security guard Install a safety lock Install a video surveillance equipment c2 c3 Assume a security guard c1 Go out unobserved a1 a2 Have the keys Break down the door Go out unobserved Steal the server

10 Dipartimento di Scienze, 27 gennaio 201410 1 Estimate the cost of investment the annual loss produced by an attack the effectiveness of a countermeasure in mitigating the risks the cost of a countermeasure Install a security door Install a video surveillance equipment c4c2 c3 Assume a security guard Install a safety lock Install a video surveillance equipment c2 c3 Assume a security guard c1 Go out unobserved a1 a2 Have the keys Break down the door Go out unobserved Steal the server

11 Dipartimento di Scienze, 27 gennaio 201411 1 The Single Loss Exposure (SLE) represents a measure of an enterprise's loss from a single threat event and can be computed by using the following formula: where: the Asset Value (AV) is the cost of creation, development, support, replacement and ownership values of an asset, the Exposure Factor (EF) represents a measure of the magnitude of loss or impact on the value of an asset arising from a threat event. Economic index: SLE

12 Dipartimento di Scienze, 27 gennaio 201412 1 The Annualized Loss Expectancy (ALE) is the annually expected financial loss of an enterprise that can be ascribed to a threat and can be computed by using the following formula: where: the Annualized Rate of Occurrence, (ARO) is a number that represents the estimated number of annual occurrences of a threat. Economic index: ALE

13 Dipartimento di Scienze, 27 gennaio 201413 1 The Return on Investment (ROI) indicator can be computed by using the following formula: where: MR is the risk mitigated by a countermeasure and represents the effectiveness of a countermeasure in mitigating the risk of loss deriving from exploiting a vulnerability CSI is the cost of security investment that an enterprise must face for implementing a given countermeasure. Economic index: ROI

14 Dipartimento di Scienze, 27 gennaio 201414 1 Economic index: ROI AttackEFAROCountermeasuresRMCSI a1Break down the door and go out unobserved 0,90,1 c1Install a security door0,71500 c2Install a video surveillance...0,13000 c3Employ a security guard0,512000 c4Install a security lock0300 a2Open the door with keys and go out unobserved 0,930,1 c1Install a security door01500 c2Install a video surveillance …0,13000 c3Employ a security guard0,512000 c4Install a security lock0,2300

15 Dipartimento di Scienze, 27 gennaio 201415 1 AVAsset Value EFExposure Factor SLESingle Loss Exposure AROAnnualized Rate of Occurrence ALEAnnualized Loss Expectancy RMRisk Mitigated CSICost Security Investment ROI=3,20 ROI= - 0,70 ROI=5,20 ROI= - 0,69 ROI= - 0,61 AV=100.000 EF=90% ARO=0,10 EF=93% ARO=0,10 RM=70% RM=10% RM=20% RM=10% RM=50% CSI=1.500 CSI=3.000 CSI=300 CSI=3.000 CSI=12.000 ROI= - 0,62 RM=50% CSI=12.000 SLE=90.000 ALE=9.000 SLE=93.000 ALE=9.300 Install a security door Install a video surveillance equipment Assume a security guard Install a safety lock Install a video surveillance equipment Assume a security guard Go out unobserved Have the keys Break down the door Go out unobserved Steal the server Economic index: ROI

16 Dipartimento di Scienze, 27 gennaio 201416 1 Estimate the cost of the attack the expected gain from the successful attack on the target the cost sustained by the attacker to succeed, the additional cost brought by a possible countermeasure Install a security door Install a video surveillance equipment c4c2 c3 Assume a security guard Install a safety lock Install a video surveillance equipment c2 c3 Assume a security guard c1 Go out unobserved a1 a2 Have the keys Break down the door Go out unobserved Steal the server

17 Dipartimento di Scienze, 27 gennaio 201417 1 GI is the expected gain from the successful attack on the specified target cost a is the cost sustained by the attacker to succeed, cost ac is the additional cost brought by the countermeasure c adopted by the defender to mitigate the attack a. Return On Attack (ROA) measures the gain that an attacker expects from a successful attack over the losses that he sustains due to the adoption of security measures by his target Economic index: ROA

18 Dipartimento di Scienze, 27 gennaio 201418 1 AttackCost a CountermeasuresCost ac a1Break down the door and go out unobserved 4000 c1Install a security door2000 c2Install a video surveillance equip.1000 c3Employ a security guard1500 c4Install a security lock0 a2Open the door with keys and go out unobserved 4200 c1Install a security door0 c2Install a video surveillance equip.1000 c3Employ a security guard1500 c4Install a security lock200 Economic index: ROA

19 Dipartimento di Scienze, 27 gennaio 201419 1 GIAsset Value RMRisk Mitigated cost a Cost of the attack cost ac Additional cost produced by a countermeasure Install a security door Install a video surveillance equipment Assume a security guard Install a safety lock Install a video surveillance equipment Assume a security guard Go out unobserved Have the keys Break down the door Go out unobserved Steal the server Economic index: ROA ROA=5,00 ROA=6 ROA=6,82 ROA=5,77 ROA=5,26 GI=30.000 cost a =4.000 cost a =4.200 cost ac = 2.000 cost ac =1.000 cost ac =200 cost ac = 1.000 cost ac = 1.500 ROA=5,45 cost ac = 1.500

20 Dipartimento di Scienze, 27 gennaio 201420 1 ROI=3.20 ROA=0.50 ROI=-0.70 ROA=4.40 ROI=-0.63 ROA=1.73 ROI=5.20 ROA=4.45 ROI=-0.69 ROA=4.19 ROI=-0.61 ROA=1.63 Install a security door Go out unobserved Install a video surveillance equipment a1 a2 c4c2 c3 Have the keys Break down the door Go out unobserved Steal the server Assume a security guard Install a safety lock Install a video surveillance equipment c2 c3 Assume a security guard c1 Evaluation

21 Dipartimento di Scienze, 27 gennaio 201421 Install a security door Go out unobserved a1 a2 c4 Have the keys Break down the door Go out unobserved Steal the server Install a safety lock Install a video surveillance equipment c2 c3 Assume a security guard c1 Future Works: attack graphs

22 Dipartimento di Scienze, 27 gennaio 201422 Future Works: journal version? 1 attack n countermeasures where f is f C =max(c) or f C =sum(c) and C RM c 1 1 attack 1 countermeasure Old ROI New version of ROI

23 Dipartimento di Scienze, 27 gennaio 201423 Old ROI m attacks 1 countermeasure where g is g A =sum(a) and g A AV m attacks, n countermeasures Future Works: journal version? New version of ROI

24 Dipartimento di Scienze, 27 gennaio 201424 1 attack n countermeasures where f is f C =max(c) or f C =sum(c) and C RM c 1 1 attack 1 countermeasure Old ROA Future Works: journal version? New version of ROA

25 Dipartimento di Scienze, 27 gennaio 201425 Old ROA m attacks 1 countermeasure where g is g A =sum(a) and m attacks, n countermeasures Future Works: journal version? New version of ROA

26 Dipartimento di Scienze, 27 gennaio 201426 Future Works: min set cover a1 a2 a3 c4 c2 c3 c1 a1 a2 a3 c2 c1 c4 c3 RM=[max(c 1,c 2 ), min(1, c 1 +c 2 )]

27 Dipartimento di Scienze, 27 gennaio 201427 Future Works: intervals Intervals to represent the possible values of the exposure factor (EF), and risk mitigated (RM) 20%40%20%40% 30%80% Devo ridefinire tutte le formule considerando adesso gli intervalli! Ad se x { "@context": "http://schema.org", "@type": "ImageObject", "contentUrl": "http://images.slideplayer.com/2/576175/slides/slide_27.jpg", "name": "Dipartimento di Scienze, 27 gennaio 201427 Future Works: intervals Intervals to represent the possible values of the exposure factor (EF), and risk mitigated (RM) 20%40%20%40% 30%80% Devo ridefinire tutte le formule considerando adesso gli intervalli.", "description": "Ad se x

28 Dipartimento di Scienze, 27 gennaio 201428 1 Paper Defense trees for economic evaluation of security investments S. Bistarelli, F. Fioravanti, P. Pamela In: 1st International Conference on Availability, Reliability and Security (ARES 2006). Vienna, Austria, April 20-22 2006.

29 Dipartimento di Scienze, 27 gennaio 201429 2 Strategic game We consider a strategic game: 2 players: the defender and the attacker of a system. S d : the set of defender's strategies (the countermeasures) S a : the set of attacker's strategies (the vulnerability) ROI and ROA: payoff functions for the defender and the attacker

30 Dipartimento di Scienze, 27 gennaio 201430 2 Strategic game: an example a1 a2 c2 c3 c1 U d =1 U a =1 U d =0 U a =2 U d =1 U a =2 U d =1 U a =0 S a ={a 1, a 2 } S d ={c 1, c 2, c 3 } payoff: u d (c i,a i ) and u a (c i,a i )

31 Dipartimento di Scienze, 27 gennaio 201431 2 ! Nash equilibrium Nash Equilibrium The combination of strategy (s 1 *,s 2 *) with s 1 * S 1 and s 2 * S 2 is a Nash Equilibrium if and only if, for each player i, the action s i * is the best response to the other player: This game admits two different Nash Equilibrium: the couple of strategies {c 1,a 1 } and {c 3,a 2 }. Dip. Scienze, 27 gennaio 2014

32 Dipartimento di Scienze, 27 gennaio 201432 2 Mixed strategy: an example p c1 p c2 p c3 p a1 p a2 ½ 1 ½ ? If a player does not know the behaviour of the other player? Mixed strategies

33 Dipartimento di Scienze, 27 gennaio 201433 2 Our game Selection of a single countermeasure/attack ! The set of strategies for the defender and the attacker is composed by a single action. Install a security door Install a video surveillance equipment c4c2 c3 Assume a security guard Install a safety lock Install a video surveillance equipment c2 c3 Assume a security guard c1 Go out unobserved a1 a2 Have the keys Break down the door Go out unobserved Steal the server

34 Dipartimento di Scienze, 27 gennaio 201434 2 Our game Selection of a single countermeasure/attack ! The set of strategies for the defender and the attacker is composed by a single action.

35 Dipartimento di Scienze, 27 gennaio 201435 2 ! There is one Nash Equilibrium with mixed strategies. Our game Selection of a single countermeasure/attack 205 769 564 769 31 52 21 52

36 Dipartimento di Scienze, 27 gennaio 201436 2 Our game ! Each player can play any set of countermeasures attacks together. Selection of a set of countermeasures/attack Install a security door Install a video surveillance equipment c4c2 c3 Assume a security guard Install a safety lock Install a video surveillance equipment c2 c3 Assume a security guard c1 Go out unobserved a1 a2 Have the keys Break down the door Go out unobserved Steal the server

37 Dipartimento di Scienze, 27 gennaio 201437 2 Our game Selection of a set of countermeasures/attack

38 Dipartimento di Scienze, 27 gennaio 201438 2 ! Our game Selection of a set of countermeasures/attack 5 21 16 21 39 55 There is one Nash Equilibrium with mixed strategies. 16 55

39 Dipartimento di Scienze, 27 gennaio 201439 Future Works Considerare giochi con 1 attaccante e n-1 difensori Tipi di attaccanti (giochi bayesiani) Cooperazione tra attaccanti Giochi dinamici, giochi ripetuti

40 Dipartimento di Scienze, 27 gennaio 201440 Future Works ROI = SLE RM - CSI ROA = GI (1-RM) – C f - C v ROI = (SLE) max(RM) - (CSI) ROA = GI max(1-RM) - (C f ) - (C v )

41 Dipartimento di Scienze, 27 gennaio 201441 2 Papers Strategic game on defense trees S. Bistarelli, M. DallAglio, P. Pamela In: 4th International Workshop on Formal Aspects in Security and Trust (FAST2006). Hamilton, ON, Canada, August 26-27 2006.

42 Dipartimento di Scienze, 27 gennaio 201442 3 Critical time Retaliation Collusion Three novel indicators

43 Dipartimento di Scienze, 27 gennaio 201443 3 Critical time

44 Dipartimento di Scienze, 27 gennaio 201444 3 Exposure Factor during Critical Time expresses the influence that the criticality of a specific time instance plays on the EF as follows: CTF being the Critical Time Factor that expresses the percentage of criticality of a specific time instance. If CTF=0, then EFCT = EF If CTF=1, then EFCT = 1 If EF=0, then EFCT=CTF If EF=1, then EFCT=1 Critical time

45 Dipartimento di Scienze, 27 gennaio 201445 Annualized Rate of Occurrence, AROCT, is the rate of occurrence of an attack at a specific CTF per year. Single Loss Exposure, SLECT, is the cost of a single attack at a specific CTF: Annualized Loss Expectancy, ALECT, is the cost per year of an attack at a specific CTF: Return On Investment, ROICT, is the economic return of an enterprise's investment against an attack mounted at a specific CTF: 3 Critical time: the indicators

46 Dipartimento di Scienze, 27 gennaio 201446 AssetAVCTFEFCTAROCTSLECTALECT Demo machine5000 $95%96,5%25%4825 $1206,25 $ Simulation Infrastructure30000 $98%98,8%60%29640 $17784 $ Researcher's machine3000 $90%91,5%20%2745 $549 $ AssetAV EFAROSLEALE Demo machine5000 $ 30%55%1500 $825$ Simulation Infrastructure30000 $ 40%60%12000 $7200$ Researcher's machine3000 $ 15%20%450 $90$ 3 Critical time: an example

47 Dipartimento di Scienze, 27 gennaio 201447 3 Retaliation

48 Dipartimento di Scienze, 27 gennaio 201448 3 Exposure Factor under Retaliation expresses the influence that the chance of retaliating an attack to an asset plays on the EF as follows: RF being the Retaliation Factor that expresses the percentage of retaliation that can be performed. If RF=0, then EFR = EF If RF=1, then EFR = 0 If EF=0, then EFR=0 If EF=1, then EFR=1-RF Retaliation

49 Dipartimento di Scienze, 27 gennaio 201449 Annualized Rate of Occurrence, AROR, is the rate of occurrence per year of an attack that can be retaliated. Single Loss Exposure, SLER, is the cost of a single attack that can retaliated: Annualized Loss Expectancy, ALER, is the cost per year of an attack that can be retaliated: Return On Investment, ROIR, is the economic return of an enterprise's investment against an attack that can be retaliated: 3 Retaliation: the indicators

50 Dipartimento di Scienze, 27 gennaio 201450 AssetAV EFAROSLEALE Demo machine5000 $ 30%55%1500 $825$ Simulation Infrastructure30000 $ 40%60%12000 $7200$ Researcher's machine3000 $ 15%20%450 $90$ AssetAVRFEFRARORSLERALER Demo machine5000 $25%23%15%1150 $172,50 $ Simulation Infrastructure30000 $25%30%60%9000 $5400 $ Researcher's machine3000 $130%-4,5%20%-135 $-27 $ 3 Retaliation : an example

51 Dipartimento di Scienze, 27 gennaio 201451 3 Collusion

52 Dipartimento di Scienze, 27 gennaio 201452 3 Mitigated Risk against Collusion expresses the influence that collusion of attackers plays on the MR (mitigated risk) as follows: CF being the Collusion Factor that expresses the percentage of collusion of the attackers. If CF=0, then MRC = MC If CF=1, then MRC = 0 If MR=0, then MRC=0 If MR=1, then MRC=1-CF Collusion

53 Dipartimento di Scienze, 27 gennaio 201453 The Return On Investment against Collusion is the economic return of an enterprise's investment against an attack mounted by one or more colluding attackers: 3 Collusion: the indicators

54 Dipartimento di Scienze, 27 gennaio 201454 AssetAVALECSI MRROI Demo machine5000 $825 $600 $ 85%16,87% Simulation Infrastructure30000 $7200 $4500 $ 75%20% Researcher's machine3000 $90 $70 $ 90%15,71% AssetAVALECSICFMRCROIC Demo machine5000 $825 $600 $45%46,75%-35,71% Simulation Infrastructure30000 $7200 $4500 $35%45%-22% Researcher's machine3000 $90 $70 $10%81%4,14% 3 Collusion: an example

55 Dipartimento di Scienze, 27 gennaio 201455 3 Paper Augmented Risk Analysis G. Bella, S. Bistarelli, P. Peretti, S. Riccobene In: 2nd Workshop in Views On Designing Complex Architectures (VODCA2006). Bertinoro (FC), September 16-17 2006.

56 Dipartimento di Scienze, 27 gennaio 201456 Future Works …. ….. ….

57 Dipartimento di Scienze, 27 gennaio 201457 S u W r S u W w S v W w S v W r SvSv W r > W w SuSu W w W r S v S u S W CP-nets

58 Dipartimento di Scienze, 27 gennaio 201458 CP-nets a1a1 c 1 >c 2 >c 3 a2a2 c 5 >c 3 >c 4 a3a3 c 6 >c 7 a4a4 c 8 >c 9 a5a5 c 11 >c 10 a6a6 c 13 >c 12 A C a 4 >a 3 >a 5 >a 6 >a 1 >a 2 c2 c3 c1 c4 c5 c3 c7 c6 c9 c8 c1 1 c1 0 c1 3 c1 2 a1a2a3a4a5a6

59 Dipartimento di Scienze, 27 gennaio 201459 CP-nets Add an identification token c3 c4 Distribute responsibilities among users Corrupt a user with root priv. c5 Motivate employees Steal access to a user with root priv. Change the password periodically c2 c3 Log out the pc after the use c3 Add an identification token a1 Obtain root privileges Use an anti-virus software c8 c9 Stop suspicious attachment Exploit a web server vulnerability Exploit an on-line vulnerability Update the system periodically c6 c7 Separate the contents on the server Attack the system with a remote login Install a video surveillance equipment c12 c13 Employ a security guard Go out unobserved Access to the servers room Install a security door c10 c11 Install a safety lock Steal the server a2a3a4a5a6 Steal data stored in a server

60 Dipartimento di Scienze, 27 gennaio 201460 CP-nets: and -composition The and -composition of the preference tables described by the partial orders (D(x i ), u i ) and (D(x i ), v i ), is described by the partial order (D(x i ), u v i ) where u v i represents the conditional preference of the instantiations of variable x i given an instantiation u v. So given a,b D(x i ) and x j =Pa(x i ):

61 Dipartimento di Scienze, 27 gennaio 201461 CP-nets: and -composition a b cc aa b aaa b c b c b c xyy>x>zx>z>yz

62 Dipartimento di Scienze, 27 gennaio 201462 CP-nets: or -composition Given two sets of countermeasure C={c 1,…,c k } and C'={c' 1 …,c' k' } covering the attacks u 1, …, u k, the or -composition conditional preference table (D(x), u 1 … u k ) is defined as follows:

63 Dipartimento di Scienze, 27 gennaio 201463 CP-nets: or -composition a b cc aa b a,b,c b,c a a,b a,c xyz

64 Dipartimento di Scienze, 27 gennaio 201464 Orange book A system can be used to simultaneously store: unclassified information (U), secret information (S), top-secret information (T). The information may flow from U to T C S T

65 Dipartimento di Scienze, 27 gennaio 201465 Red book: level of assurance Considering the type of information stored into a system we have different level of assurance

66 Dipartimento di Scienze, 27 gennaio 201466 Quantitative level of assurance We want to define a quantitative level of assurance as a function of: f(data; device; environment)

67 Dipartimento di Scienze, 27 gennaio 201467 Quantitative level of assurance Cost of compromise:. The costs associated to a system depend on the type of attack and the type of countermeasure: Cost(attack; countermeasures). The asset value, AV[info], is the value of the information stored in a system.

68 Dipartimento di Scienze, 27 gennaio 201468 Quantitative level of assurance The asset value, AV[info], is the value of the information stored in a system. Given an information flow a { "@context": "http://schema.org", "@type": "ImageObject", "contentUrl": "http://images.slideplayer.com/2/576175/slides/slide_68.jpg", "name": "Dipartimento di Scienze, 27 gennaio 201468 Quantitative level of assurance The asset value, AV[info], is the value of the information stored in a system.", "description": "Given an information flow a

69 Dipartimento di Scienze, 27 gennaio 201469 Quantitative level of assurance The level of assurance: Given a defence tree, the level of assurance of a system depends on: the asset's value, AV[info], the damage produced by an attack (flow), the type of countermeasure, Cost(attack, countermeasures).

70 Dipartimento di Scienze, 27 gennaio 201470 Quantitative level of assurance

71 Dipartimento di Scienze, 27 gennaio 201471 Cascade? Se due sistemi A e B hanno un livello di sicurezza economicamente accettabile, cosa succede se li collego tra loro? Il nuovo sistema così creato può essere ancora considerato sicuro?

72 Dipartimento di Scienze, 27 gennaio 201472 Confronto Data una configurazione di sistema A, come faccio a dire che una nuova configurazione B non è economicamente meno vantaggiosa della precedente?

73 Dipartimento di Scienze, 27 gennaio 201473 Analisi Quando costruisco lalbero e cerco di raggruppare le contromisure, devo stare attenta che non si creino conflitti!!


Download ppt "Dipartimento di Scienze, 27 gennaio 20141 ? What is the scenario? An enterprise and its IT system."

Similar presentations


Ads by Google