Using system security metrics to enhance resiliency
Dr. Sara Bitan
ENGINEERING RESILIENT & ROBUST SYSTEMS, 24-Jan-2011


Outline
Definitions
System attack surface measurement
Applying the attack surface metric to resiliency
◦ Adding resiliency while minimizing attack surface increase
◦ Determining resiliency locations through internal attack surface measurement
◦ Attack surface during the resilient system timeline
Conclusion

Definitions
A resilient system (*) is a system that can withstand unpredicted or even predicted adverse events.
A secure system (**) is a system that can protect its information and resources (CIA):
a. Confidentiality is the state of a system in which information flow is controlled to prevent unauthorized disclosure that might be harmful.
b. Integrity is the state of being complete or whole; in the context of a system it is also the state of being consistent.
c. Availability is the state of the system in which all its components are present, accessible and ready to be used.
(*) Sheard S.: A Framework for System Resilience Discussions
(**) Title 44, U.S. Code

A resiliency framework
A resilient system fulfils its system security requirements if confidentiality, integrity and availability belong to the qualities that the resilient system is required to preserve.
Sheard S.: A Framework for System Resilience Discussions

The resilient system timeline
[Figure: the resilient system timeline, from Sheard S.: A Framework for System Resilience Discussions]

Resiliency – security relationships
[Figure: diagram relating resiliency and security]

Risk assessment
[Figure: risk assessment diagram with the elements Threat, System, Vulnerability, Attack/Exploit, Damage and Likelihood]
Likelihood is a function of the damage/impact, which dictates the attacker's motivation.
Vulnerability: how easy or hard is it to discover and to exploit?
Attack: how easy or hard is it, and what does it cost?
In the spirit of NIST SP

The system's attack surface
Intuitively, a system's attack surface is the set of ways in which an adversary can enter the system and potentially cause damage.
The set of ways to enter a system is determined by the system's interfaces, commands and data.
The model is discrete
◦ Currently it cannot model continuous/analog processes
It doesn't model side effects

Attack surface formal definition
The system attack surface is a function of its environment. The environment consists of users, other systems and data.
Resources consist of
◦ Methods / actions or commands
◦ Channels / interfaces
◦ Data
Formally, the system attack surface is the set of resources potentially used in an attack.
Manadhata & Wing: An Attack Surface Metric

Modeling the system: I/O Automaton
The model used in this analysis is the I/O automaton, which consists of:
◦ States
◦ Actions, partitioned into input, output and internal actions
◦ A transition function, moving through action execution from a set of pre-states to a set of post-states
A composition of I/O automata is an I/O automaton, which is good for complex system modeling: compose the I/O automata that model the system's simpler components.

Defining the attack surface
System, users and persistent data are modeled as I/O automata
◦ Files, database records and cookies are examples of persistent data
Attacks are sequences of actions performed by users, systems and data in the environment
Channels and data are modeled as states
Methods are modeled as actions
The attack surface consists of the input/output actions and the relevant states

Comparing attack surfaces
Theorem: if S and S' are two systems and attack_surface(S, E) ≥ attack_surface(S', E), then attacks(S') is a subset of attacks(S)
Observations:
◦ The theorem decouples the analysis from the attacks
◦ If features are added to the system (e.g. to enhance resiliency), then the system attack surface increases
◦ But luckily for us, not all interfaces contribute equally to the attack surface

Damage potential and effort
Each action has a set of pre- and post-states
The effort corresponds to the action's required pre-states
◦ E.g. input type, authenticated user, SSL channel
◦ Determines the potential number of methods that can call this method
Damage potential corresponds to post-states
◦ E.g. root privileges, supervisor mode
◦ Determines the potential number of methods this method can call
Each interface is assigned a number, the damage potential / effort ratio (DER)
◦ Similar to a cost-benefit ratio
The attack surface is the sum of the DERs of all interfaces belonging to the attack surface

How can we use the metric?
Minimize the increase in attack surface when resiliency is enhanced
◦ Least privilege
◦ Separation of duties
◦ Example: key escrow, Byzantine protocols
Determine resiliency locations
◦ Locate resiliency such that the size of the intersection set of entry/exit points is minimized
◦ Example: the Cellcom incident
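The DER sum of the previous slides and the least-privilege point of this one, as an added worked example in Python (not code from the talk or from Manadhata & Wing; the ordinal scales, interface names and sample system are constructed assumptions):

```python
from dataclasses import dataclass
from typing import Iterable

# Constructed ordinal scales (assumption, not from the slides): a larger number
# means a stronger privilege in the post-state (damage potential) or a higher
# bar the caller must clear in the pre-state (effort).
DAMAGE = {"none": 1, "user": 2, "authenticated": 3, "root": 5}
EFFORT = {"unauthenticated": 1, "authenticated": 3, "admin_over_ssl": 5}

@dataclass(frozen=True)
class Interface:
    """One entry/exit point (an input/output action) of the system model."""
    name: str
    post_state: str   # privilege the action runs with -> damage potential
    pre_state: str    # what a caller must already hold -> effort

def der(iface: Interface) -> float:
    """Damage-potential / effort ratio of a single interface."""
    return DAMAGE[iface.post_state] / EFFORT[iface.pre_state]

def attack_surface(interfaces: Iterable[Interface]) -> float:
    """Attack surface measurement: the sum of the DERs of all interfaces."""
    return sum(der(i) for i in interfaces)

def surface_increase(before, after) -> float:
    """How much a design change grows the measured attack surface."""
    return attack_surface(after) - attack_surface(before)

# Constructed baseline: a small service with two entry points.
BASELINE = [
    Interface("login", post_state="user", pre_state="unauthenticated"),
    Interface("update_record", post_state="authenticated", pre_state="authenticated"),
]

# Two ways of adding the same resiliency feature (a backup/restore path).
# Variant A exposes it to anyone and runs it as root.
BACKUP_AS_ROOT = BASELINE + [
    Interface("restore_backup", post_state="root", pre_state="unauthenticated"),
]
# Variant B applies least privilege and separation of duties: only an
# administrator on an SSL channel may call it, and it runs as an ordinary user.
BACKUP_LEAST_PRIV = BASELINE + [
    Interface("restore_backup", post_state="user", pre_state="admin_over_ssl"),
]

if __name__ == "__main__":
    print("baseline surface     :", attack_surface(BASELINE))
    print("increase, root variant:", surface_increase(BASELINE, BACKUP_AS_ROOT))
    print("increase, least-priv  :", surface_increase(BASELINE, BACKUP_LEAST_PRIV))
```

The same feature costs 5.0 units of attack surface in the root variant and 0.4 in the least-privilege variant, which is the slide's point that not all interfaces contribute equally.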

The Cellcom incident
Do not locate all backup systems on paths starting in the update (event) entry point

Applying the metric to all periods
Track CERT, update the DERs and fortify the increased attack surface
Use system composition and the internal attack surface to activate internal mitigation mechanisms
Re-run the attack surface measurements

Conclusion
An I/O automata model for attack surface measurement was presented
Using the composition property of I/O automata, the model can be extended to measure resiliency, determine the best locations to add resiliency, and offer mechanisms for graceful degradation and recovery

Thank you