Carnegie Mellon University Software Engineering Institute Lecture 3a The Survivable Network Analysis Method: Evaluating Survivability of Critical Systems.

Slides:



Advertisements
Similar presentations
Effective Contract Management Planning
Advertisements

Oracle Financial System Project Team: Aseem Gupta Jeng Toa Lee Jun Lu Kevin Patrick Zhu Thomas Verghese Weicheng Wong Xuegong Wang ( Jeff ) Date : 26 th.
S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,
Software Modeling SWE5441 Lecture 3 Eng. Mohammed Timraz
DARPA ITS PI Meeting – Honolulu – July 17-21, 2000Slide 1 Aegis Research Corporation Intrusion Tolerance Using Masking, Redundancy and Dispersion DARPA.
Student Application System SNA Step 3 Attacker Profiles and Scenarios
© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.
Management’s Role in Information Security V.T. Raja, Ph.D., Oregon State University.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
1 Telstra in Confidence Managing Security for our Mobile Technology.
© 2006 Carnegie Mellon University Establishing a Network Centric Capability: Implications for Acquisition and Engineering Dennis Smith Complex System Symposium.
02/12/00 E-Business Architecture
Guide to Network Defense and Countermeasures Second Edition Chapter 2 Security Policy Design: Risk Analysis.
The Architecture Design Process
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.
11/14 SNA Presentation 3 Survivable Network Analysis Oracle Financial System SNA step 3 Ali Ardalan Qianming “Michelle” Chen Yi Hu Jason Milletary Jian.
Earl Crane Hap Huynh Jeongwoo Ko Koichi Tominaga 11/14/2000 Physician Reminder System SNA Step 3.
Extranet for Security Professionals (ESP)
1 Security Architecture and Analysis Management of System Development and Implementation –The System Development Process –Issues and Risks –Mitigation.
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Oracle Database Administration. Rana Almurshed 2 course objective After completing this course you should be able to: install, create and administrate.
© 2003 by Carnegie Mellon University page 1 Information Security Risk Evaluation for Colleges and Universities Carol Woody Senior Technical Staff Software.
Beyond HIPAA, Protecting Data Key Points from the HIPAA Security Rule.
Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?
Resiliency Rules: 7 Steps for Critical Infrastructure Protection.
Financial Advisory & Litigation Consulting Services Risk Management 2006 September 14-15, 2006 The Metropolitan Club, New York, NY Workshop B: Information.
SEC835 Database and Web application security Information Security Architecture.
1 Deployment of Computer Security in an Organization CE-408 Sir Syed University of Engineering & Technology 99-CE-282, 257 & 260.
Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.
© 2001 Carnegie Mellon University S8A-1 OCTAVE SM Process 8 Develop Protection Strategy Workshop A: Protection Strategy Development Software Engineering.
Integrating Security Design Into The Software Development Process For E-Commerce Systems By: M.T. Chan, L.F. Kwok (City University of Hong Kong)
Chapter 6 of the Executive Guide manual Technology.
Certification and Accreditation CS Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.
1 Smart Grid Cyber Security Annabelle Lee Senior Cyber Security Strategist Computer Security Division National Institute of Standards and Technology June.
CPSC 871 John D. McGregor Module 6 Session 3 System of Systems.
© 2001 by Carnegie Mellon University SS5 -1 OCTAVE SM Process 5 Background on Vulnerability Evaluations Software Engineering Institute Carnegie Mellon.
Chapter VII Security Management for an E-Enterprise -Ramyah Rammohan.
Chapter 1 Overview The NIST Computer Security Handbook defines the term Computer Security as:
Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.
Data Security Assessment and Prevention AD660 – Databases, Security, and Web Technologies Marcus Goncalves Spring 2013.
EPA Geospatial Segment United States Environmental Protection Agency Office of Environmental Information Enterprise Architecture Program Segment Architecture.
9 Systems Analysis and Design in a Changing World, Fourth Edition.
Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by the U.S. Department of Defense © 2000 by Carnegie Mellon.
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 1 “Overview”. © 2016 Pearson.
Lesson 19-E-Commerce Security Needs. Overview Understand e-commerce services. Understand the importance of availability. Implement client-side security.
INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used? Tripwire.
The IT Vendor: HIPAA Security Savior for Smaller Health Plans?
IT Security Policy: Case Study March 2008 Copyright , All Rights Reserved.
Rob Davidson, Partner Technology Specialist Microsoft Management Servers: Using management to stay secure.
Slide 1 Security Engineering. Slide 2 Objectives l To introduce issues that must be considered in the specification and design of secure software l To.
Swedish Risk Management System Internal management and control Aiming to Transport Administration with reasonable certainty to.
Carnegie Mellon University Software Engineering Institute Lecture 4 The Survivable Network Analysis Method: Evaluating Survivability of Critical Systems.
Sicherheitsaspekte beim Betrieb von IT-Systemen Christian Leichtfried, BDE Smart Energy IBM Austria December 2011.
Disaster Recovery Planning (DRP) DRP: The definition of business processes, their infrastructure supports and tolerances to interruptions, and formulation.
LECTURE 5 Nangwonvuma M/ Byansi D. Components, interfaces and integration Infrastructure, Middleware and Platforms Techniques – Data warehouses, extending.
Lecturer: Eng. Mohamed Adam Isak PH.D Researcher in CS M.Sc. and B.Sc. of Information Technology Engineering, Lecturer in University of Somalia and Mogadishu.
CS457 Introduction to Information Security Systems
Chapter 6: Securing the Cloud
Critical Security Controls
Data and database administration
Security Engineering.
Software Requirements
Joe, Larry, Josh, Susan, Mary, & Ken
Threat Trends and Protection Strategies Barbara Laswell, Ph. D
TRIP WIRE INTRUSION DETECTION SYSYTEM Presented by.
How to Mitigate the Consequences What are the Countermeasures?
Security week 1 Introductions Class website Syllabus review
PLANNING A SECURE BASELINE INSTALLATION
Luca Simoncini PDCC, Pisa and University of Pisa, Pisa, Italy
Presentation transcript:

Carnegie Mellon University Software Engineering Institute Lecture 3a The Survivable Network Analysis Method: Evaluating Survivability of Critical Systems

Carnegie Mellon University Software Engineering Institute Survivability Concepts

Carnegie Mellon University Software Engineering Institute Survivability Motivation Growing societal dependence on complex, large-scale, networked systems –Sectors: commercial, government, defense,... –Infrastructure: telecom, transportation, utilities, … –Interdependencies and cascade failures Serious consequences of system compromises and failures Presidential Commission on Critical Infrastructure Protection

Carnegie Mellon University Software Engineering Institute Expanding network boundaries and connectivity Blurring of Intranets and Extranets Heterogeneous mix of participants with varying trust Lack of central administrative control Unknown components: COTS, Java, … Point security solutions: PKI, VPN, IDS, firewalls,... The fundamental limitation of security: No amount of security can guarantee a system will not be penetrated The Changing System Environment

Carnegie Mellon University Software Engineering Institute Survivability is the capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents. Focus is on the continuity and recovery of the system mission Imperfect defenses are assumed Survivability Defined I

Carnegie Mellon University Software Engineering Institute Survivability Defined II Survivability differs from security –Security focuses on static perimeter defenses –Survivability focuses on design and operation to maintain mission support in adverse environments Survivability differs from dependability –Dependability focuses on random faults –Survivability focuses on coordinated attacks by intelligent adversaries

Carnegie Mellon University Software Engineering Institute The “Three R’s” of Survivability Resistance –Capability to deter attacks Recognition –Capability to recognize attacks and extent of damage Recovery –Capability to provide essential services/assets during attack and recover full services after attack

Carnegie Mellon University Software Engineering Institute The Survivable Network Analysis Method

Carnegie Mellon University Software Engineering Institute Understand survivability risks –what system services must survive intrusions? –what are effects of intrusions on the mission? Identify mitigating strategies –what changes can improve survivability? –which changes have highest payoff? SNA Objectives

Carnegie Mellon University Software Engineering Institute Architecture is –integrating element of large systems –right level of abstraction for survivability analysis components, connections, software, traces Architecture is focus for system evolution –evolving functional requirements –trend to loosely coupled systems –integration across diverse systems –changes in vendor product architectures SNA Focus is on Architecture

Carnegie Mellon University Software Engineering Institute Performed on selected system or system component The four SNA steps: Step 1: Understand the enterprise mission and architecture Step 2: Define essential service scenarios and components Step 3: Define intrusion scenarios and components Step 4: Analyze survivability and make recommendations Performed by SNA team plus client team Joint working sessions to develop findings Management briefing on recommendations The SNA Process

Carnegie Mellon University Software Engineering Institute Identify the business mission supported by the system –Examples A government agency: review, select, fund, and monitor government contracts An industrial enterprise: support integration of design teams across internal corporate organization, industry partners, and contractors All stakeholders must be involved –owners, users, architects, developers, administrators SNA Step 1: Mission elicitation

Carnegie Mellon University Software Engineering Institute Understand system architecture and environment –network topology and boundaries –hardware and software components –user functions and workflows –critical services and assets –administrative control domains –vendor dependencies –connectivity with other systems –Security components and policies –attack and intrusion experience SNA Step 1: Architecture Elicitation

Carnegie Mellon University Software Engineering Institute SNA Step 2: Preliminaries What is a usage scenario? –Defined as the sequence of steps in a system use –A “use” can be thought of as a transaction Example: A usage scenario for checking mail on AOL –Invoke AOL –logon: enter name and password –after connection, select “new mail” –scroll to end of list –select and read new messages if any –save and delete messages as necessary –logoff

Carnegie Mellon University Software Engineering Institute SNA Step 2: Essential Capabilities Essential services/assets –System capabilities that support the business mission –Must be available despite intrusions Essential service/asset usage scenarios –Steps in essential service/asset usage Essential components –Architecture parts required by essential service/asset scenarios –Determined by tracing scenarios through the architecture to determine the components reached (compositional reasoning)

Carnegie Mellon University Software Engineering Institute Essential Service Scenario Essential Component Essential Service Trace Communication Link Architecture Node Essential Service Scenario Trace

Carnegie Mellon University Software Engineering Institute “Target of opportunity” profile: non-specific objectives –readily available tools –defense: increased resistance, configuration control, file-integrity checks “Intermediate” profile: specific objectives –greater patience, higher impact on essential services –defense: increased recognition and recovery “Sophisticated” profile: very focused objectives –customized tools, compromise internal staff –defense: high probability of success; recognition and recovery essential SNA Step 3: Attacker Profiles I

Carnegie Mellon University Software Engineering Institute Create taxonomy of probable attackers and impacts –resources:personnel, skill, finances –time:patience and persistence –tools:access to tools, ability to customize –risk:level of risk aversion –access:internal, Internet –objectives:personal, financial, moral Example: government agencies may have attackers with strong political or moral positions who are not risk averse and can be very patient SNA Step 3: Attacker Profiles II

Carnegie Mellon University Software Engineering Institute SNA Step 3: Intrusion Capabilities Treat intruders as users Intrusion usage scenarios –Steps in attacker usage Compromisable components –Architecture parts accessible by intrusion scenarios –Determined by intrusion scenario traces

Carnegie Mellon University Software Engineering Institute Intrusion Scenario Compromisable Component Intrusion Trace Intrusion Scenario Trace

Carnegie Mellon University Software Engineering Institute SNA Step 4: Softspot Components Softspot components are architecture parts that are both essential and compromisable

Carnegie Mellon University Software Engineering Institute Essential Service Scenario Intrusion Scenario Softspot Component: both essential and compromisable Architecture Softspot Identification

Carnegie Mellon University Software Engineering Institute SNA Step 4: Strategies for the “Three Rs” Resistance –User authentication, firewalls, software diversification,... Recognition –Intrusion usage pattern detection, internal integrity checking,... Recovery –Hot spares, redundant facilities, data replication and reinitialization, alternative service delivery methods,...

Carnegie Mellon University Software Engineering Institute SNA Step 4: Survivability Map Defines survivability strategies for the three R’s based on intrusion softspots Relates the strategies to the architecture Makes recommendations for architecture modifications

Carnegie Mellon University Software Engineering Institute Survivability Map Template Roadmap for management evaluation and action

Carnegie Mellon University Software Engineering Institute Survivable Network Analysis (SNA) Method STEP 1 SYSTEM DEFINITION Mission requirements definition Architecture definition and elicitation STEP 2 ESSENTIAL CAPABILITY DEFINITION Essential service/asset selection/scenarios Essential component identification STEP 3 COMPROMISABLE CAPABILITY DEF’N Intrusion selection/scenarios Compromisable component identification STEP 4 SURVIVABILITY ANALYSIS Softspot component (essential & compromisable) identification Resistance, recognition, and recovery analysis Survivability Map development

Carnegie Mellon University Software Engineering Institute A Survivability Case Study: The Sentinel Subsystem

Carnegie Mellon University Software Engineering Institute The Vigilant Healthcare System Large-scale, distributed mental healthcare management system by CarnegieWorks, Inc. Many business rules and regulations, many users and stakeholders Sentinel subsystem –Maintains patient data, provider teams, goals, actions, treatment plans,... –Sentinel prototype was subject of survivability study

Carnegie Mellon University Software Engineering Institute Applying the SNA method Evaluation team/customer meetings –Sentinel architecture elicited –Essential services/assets selected, scenarios defined –Essential components of architecture traced –Intrusion types selected, scenarios defined –Compromisable components of architecture traced Evaluation team sessions –Softspots identified, Survivability Map and architecture impacts defined Customer briefed on findings

Carnegie Mellon University Software Engineering Institute List Manager Reporting Engine Treatment Plan Builder Treatment Plan Validator Action Team Builder User Interface Sentinel Application Sentinel Back End Business Logic Common Database API Other System Components Other System Components Original Sentinel Architecture

Carnegie Mellon University Software Engineering Institute Initial Analysis Essential capabilities identified –A single service: Treatment plan display on demand –A single asset: Treatment plans Five intrusion scenarios identified

Carnegie Mellon University Software Engineering Institute Sentinel Survivability Map -- Intrusion 1

Carnegie Mellon University Software Engineering Institute Sentinel Survivability Map -- Intrusion 2

Carnegie Mellon University Software Engineering Institute List Manager Reporting Engine [2] Action Team Builder User Interface Sentinel Application Sentinel Back End Business Logic Common Database - Replicated and Daily Backups [5] API Other System Components Other System Components Isolated Reporting System [6] Modified Sentinel Architecture TP Builder crypto-chk [3] TP Validator crypto-chk [4] Security [1] Minimal User Interface Minimal Reporting Engine/TPs Security Layer [1]

Carnegie Mellon University Software Engineering Institute Client: A large distributed organization, many legacy systems, major redesigning underway –Define a security architecture: integrate directory services support mix of central and distributed administration develop common API to security infrastructure provide architecture support for managing active content (Javascript, attachments) –support architecture evolution: incorporate security product upgrades assess survivability of vendor architecture changes Recommendations: Example I

Carnegie Mellon University Software Engineering Institute Client: administrative unit inside large, diverse organization, heterogeneous user environment (university-like), significant research component –revise security/survivability policies –increase separation between internal components and components accessed by general public –add internal firewalls to better manage diverse user community –extend attacker analysis beyond script-kiddies –improve system recovery Recommendations: Example II

Carnegie Mellon University Software Engineering Institute Survivability in the Requirements Phase

Carnegie Mellon University Software Engineering Institute System/ Survivability Requirements Usage/ Intrusion Requirements System Development/ Evolution Usage Model Development/ Evolution System Testing/ Evaluation System Operation/ Administration Survivability Operations Requirements Survivability Development Requirements Survivability Evolution Requirements Legacy/Acquired Software, Survivability Strategies Survivability Requirements Types (1) (2) (3)(4) (5)

Carnegie Mellon University Software Engineering Institute Augment traditional system requirements with survivability requirements – partition system services essential: maintained during intrusion non-essential: recovered post-intrusion –define survivability service requirements resistance, recognition, recovery (1) System/Survivability Requirements

Carnegie Mellon University Software Engineering Institute Augment traditional system usage requirements with intruder usage Treat intruders as users –model intrusion scenarios –specify, design and test systems for correct responses to intrusions (2) Usage/Intrusion Requirements

Carnegie Mellon University Software Engineering Institute Integrate survivability strategies into specifications and designs Sound engineering practices are required to develop survivable systems Five principles for survivable system development –specify required functions in all circumstances of use –verify implementation correctness against function specifications –specify usage in all circumstances of use, including intruder usage –test and certify fitness based on usage specifications –establish readiness teams for system monitoring and evolution (3) Survivability Development Requirements

Carnegie Mellon University Software Engineering Institute Staff the survivability mission in the organization Define and administer survivability policies Apply patches to known intrusion and failure problems Maintain readiness teams and conduct readiness drills (4) Survivability Operations Requirements

Carnegie Mellon University Software Engineering Institute Adapt the system to deal with new intrusions Evolve survivability capabilities more rapidly than intruder’s can accumulate system knowledge Ensure new system functions include survivability capabilities (5) Survivability Evolution Requirements

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.