Presentation is loading. Please wait.

Presentation is loading. Please wait.

Carnegie Mellon University Software Engineering Institute Lecture 3a The Survivable Network Analysis Method: Evaluating Survivability of Critical Systems.

Published byPierce Noel Bridges Modified over 8 years ago

Similar presentations

Presentation on theme: "Carnegie Mellon University Software Engineering Institute Lecture 3a The Survivable Network Analysis Method: Evaluating Survivability of Critical Systems."— Presentation transcript:

1 Carnegie Mellon University Software Engineering Institute Lecture 3a The Survivable Network Analysis Method: Evaluating Survivability of Critical Systems

2 Carnegie Mellon University Software Engineering Institute Survivability Concepts

3 Carnegie Mellon University Software Engineering Institute Survivability Motivation Growing societal dependence on complex, large-scale, networked systems –Sectors: commercial, government, defense,... –Infrastructure: telecom, transportation, utilities, … –Interdependencies and cascade failures Serious consequences of system compromises and failures Presidential Commission on Critical Infrastructure Protection

4 Carnegie Mellon University Software Engineering Institute Expanding network boundaries and connectivity Blurring of Intranets and Extranets Heterogeneous mix of participants with varying trust Lack of central administrative control Unknown components: COTS, Java, … Point security solutions: PKI, VPN, IDS, firewalls,... The fundamental limitation of security: No amount of security can guarantee a system will not be penetrated The Changing System Environment

5 Carnegie Mellon University Software Engineering Institute Survivability is the capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents. Focus is on the continuity and recovery of the system mission Imperfect defenses are assumed Survivability Defined I

6 Carnegie Mellon University Software Engineering Institute Survivability Defined II Survivability differs from security –Security focuses on static perimeter defenses –Survivability focuses on design and operation to maintain mission support in adverse environments Survivability differs from dependability –Dependability focuses on random faults –Survivability focuses on coordinated attacks by intelligent adversaries

7 Carnegie Mellon University Software Engineering Institute The “Three R’s” of Survivability Resistance –Capability to deter attacks Recognition –Capability to recognize attacks and extent of damage Recovery –Capability to provide essential services/assets during attack and recover full services after attack

8 Carnegie Mellon University Software Engineering Institute The Survivable Network Analysis Method

9 Carnegie Mellon University Software Engineering Institute Understand survivability risks –what system services must survive intrusions? –what are effects of intrusions on the mission? Identify mitigating strategies –what changes can improve survivability? –which changes have highest payoff? SNA Objectives

10 Carnegie Mellon University Software Engineering Institute Architecture is –integrating element of large systems –right level of abstraction for survivability analysis components, connections, software, traces Architecture is focus for system evolution –evolving functional requirements –trend to loosely coupled systems –integration across diverse systems –changes in vendor product architectures SNA Focus is on Architecture

11 Carnegie Mellon University Software Engineering Institute Performed on selected system or system component The four SNA steps: Step 1: Understand the enterprise mission and architecture Step 2: Define essential service scenarios and components Step 3: Define intrusion scenarios and components Step 4: Analyze survivability and make recommendations Performed by SNA team plus client team Joint working sessions to develop findings Management briefing on recommendations The SNA Process

12 Carnegie Mellon University Software Engineering Institute Identify the business mission supported by the system –Examples A government agency: review, select, fund, and monitor government contracts An industrial enterprise: support integration of design teams across internal corporate organization, industry partners, and contractors All stakeholders must be involved –owners, users, architects, developers, administrators SNA Step 1: Mission elicitation

13 Carnegie Mellon University Software Engineering Institute Understand system architecture and environment –network topology and boundaries –hardware and software components –user functions and workflows –critical services and assets –administrative control domains –vendor dependencies –connectivity with other systems –Security components and policies –attack and intrusion experience SNA Step 1: Architecture Elicitation

14 Carnegie Mellon University Software Engineering Institute SNA Step 2: Preliminaries What is a usage scenario? –Defined as the sequence of steps in a system use –A “use” can be thought of as a transaction Example: A usage scenario for checking mail on AOL –Invoke AOL –logon: enter name and password –after connection, select “new mail” –scroll to end of list –select and read new messages if any –save and delete messages as necessary –logoff

15 Carnegie Mellon University Software Engineering Institute SNA Step 2: Essential Capabilities Essential services/assets –System capabilities that support the business mission –Must be available despite intrusions Essential service/asset usage scenarios –Steps in essential service/asset usage Essential components –Architecture parts required by essential service/asset scenarios –Determined by tracing scenarios through the architecture to determine the components reached (compositional reasoning)

16 Carnegie Mellon University Software Engineering Institute Essential Service Scenario Essential Component Essential Service Trace Communication Link Architecture Node Essential Service Scenario Trace

17 Carnegie Mellon University Software Engineering Institute “Target of opportunity” profile: non-specific objectives –readily available tools –defense: increased resistance, configuration control, file-integrity checks “Intermediate” profile: specific objectives –greater patience, higher impact on essential services –defense: increased recognition and recovery “Sophisticated” profile: very focused objectives –customized tools, compromise internal staff –defense: high probability of success; recognition and recovery essential SNA Step 3: Attacker Profiles I

18 Carnegie Mellon University Software Engineering Institute Create taxonomy of probable attackers and impacts –resources:personnel, skill, finances –time:patience and persistence –tools:access to tools, ability to customize –risk:level of risk aversion –access:internal, Internet –objectives:personal, financial, moral Example: government agencies may have attackers with strong political or moral positions who are not risk averse and can be very patient SNA Step 3: Attacker Profiles II

19 Carnegie Mellon University Software Engineering Institute SNA Step 3: Intrusion Capabilities Treat intruders as users Intrusion usage scenarios –Steps in attacker usage Compromisable components –Architecture parts accessible by intrusion scenarios –Determined by intrusion scenario traces

20 Carnegie Mellon University Software Engineering Institute Intrusion Scenario Compromisable Component Intrusion Trace Intrusion Scenario Trace

21 Carnegie Mellon University Software Engineering Institute SNA Step 4: Softspot Components Softspot components are architecture parts that are both essential and compromisable

22 Carnegie Mellon University Software Engineering Institute Essential Service Scenario Intrusion Scenario Softspot Component: both essential and compromisable Architecture Softspot Identification

23 Carnegie Mellon University Software Engineering Institute SNA Step 4: Strategies for the “Three Rs” Resistance –User authentication, firewalls, software diversification,... Recognition –Intrusion usage pattern detection, internal integrity checking,... Recovery –Hot spares, redundant facilities, data replication and reinitialization, alternative service delivery methods,...

24 Carnegie Mellon University Software Engineering Institute SNA Step 4: Survivability Map Defines survivability strategies for the three R’s based on intrusion softspots Relates the strategies to the architecture Makes recommendations for architecture modifications

25 Carnegie Mellon University Software Engineering Institute Survivability Map Template Roadmap for management evaluation and action

26 Carnegie Mellon University Software Engineering Institute Survivable Network Analysis (SNA) Method STEP 1 SYSTEM DEFINITION Mission requirements definition Architecture definition and elicitation STEP 2 ESSENTIAL CAPABILITY DEFINITION Essential service/asset selection/scenarios Essential component identification STEP 3 COMPROMISABLE CAPABILITY DEF’N Intrusion selection/scenarios Compromisable component identification STEP 4 SURVIVABILITY ANALYSIS Softspot component (essential & compromisable) identification Resistance, recognition, and recovery analysis Survivability Map development

27 Carnegie Mellon University Software Engineering Institute A Survivability Case Study: The Sentinel Subsystem

28 Carnegie Mellon University Software Engineering Institute The Vigilant Healthcare System Large-scale, distributed mental healthcare management system by CarnegieWorks, Inc. Many business rules and regulations, many users and stakeholders Sentinel subsystem –Maintains patient data, provider teams, goals, actions, treatment plans,... –Sentinel prototype was subject of survivability study

29 Carnegie Mellon University Software Engineering Institute Applying the SNA method Evaluation team/customer meetings –Sentinel architecture elicited –Essential services/assets selected, scenarios defined –Essential components of architecture traced –Intrusion types selected, scenarios defined –Compromisable components of architecture traced Evaluation team sessions –Softspots identified, Survivability Map and architecture impacts defined Customer briefed on findings

30 Carnegie Mellon University Software Engineering Institute List Manager Reporting Engine Treatment Plan Builder Treatment Plan Validator Action Team Builder User Interface Sentinel Application Sentinel Back End Business Logic Common Database API Other System Components Other System Components Original Sentinel Architecture

31 Carnegie Mellon University Software Engineering Institute Initial Analysis Essential capabilities identified –A single service: Treatment plan display on demand –A single asset: Treatment plans Five intrusion scenarios identified

32 Carnegie Mellon University Software Engineering Institute Sentinel Survivability Map -- Intrusion 1

33 Carnegie Mellon University Software Engineering Institute Sentinel Survivability Map -- Intrusion 2

34 Carnegie Mellon University Software Engineering Institute List Manager Reporting Engine [2] Action Team Builder User Interface Sentinel Application Sentinel Back End Business Logic Common Database - Replicated and Daily Backups [5] API Other System Components Other System Components Isolated Reporting System [6] Modified Sentinel Architecture TP Builder crypto-chk [3] TP Validator crypto-chk [4] Security [1] Minimal User Interface Minimal Reporting Engine/TPs Security Layer [1]

35 Carnegie Mellon University Software Engineering Institute Client: A large distributed organization, many legacy systems, major redesigning underway –Define a security architecture: integrate directory services support mix of central and distributed administration develop common API to security infrastructure provide architecture support for managing active content (Javascript, email attachments) –support architecture evolution: incorporate security product upgrades assess survivability of vendor architecture changes Recommendations: Example I

36 Carnegie Mellon University Software Engineering Institute Client: administrative unit inside large, diverse organization, heterogeneous user environment (university-like), significant research component –revise security/survivability policies –increase separation between internal components and components accessed by general public –add internal firewalls to better manage diverse user community –extend attacker analysis beyond script-kiddies –improve system recovery Recommendations: Example II

37 Carnegie Mellon University Software Engineering Institute Survivability in the Requirements Phase

38 Carnegie Mellon University Software Engineering Institute System/ Survivability Requirements Usage/ Intrusion Requirements System Development/ Evolution Usage Model Development/ Evolution System Testing/ Evaluation System Operation/ Administration Survivability Operations Requirements Survivability Development Requirements Survivability Evolution Requirements Legacy/Acquired Software, Survivability Strategies Survivability Requirements Types (1) (2) (3)(4) (5)

39 Carnegie Mellon University Software Engineering Institute Augment traditional system requirements with survivability requirements – partition system services essential: maintained during intrusion non-essential: recovered post-intrusion –define survivability service requirements resistance, recognition, recovery (1) System/Survivability Requirements

40 Carnegie Mellon University Software Engineering Institute Augment traditional system usage requirements with intruder usage Treat intruders as users –model intrusion scenarios –specify, design and test systems for correct responses to intrusions (2) Usage/Intrusion Requirements

41 Carnegie Mellon University Software Engineering Institute Integrate survivability strategies into specifications and designs Sound engineering practices are required to develop survivable systems Five principles for survivable system development –specify required functions in all circumstances of use –verify implementation correctness against function specifications –specify usage in all circumstances of use, including intruder usage –test and certify fitness based on usage specifications –establish readiness teams for system monitoring and evolution (3) Survivability Development Requirements

42 Carnegie Mellon University Software Engineering Institute Staff the survivability mission in the organization Define and administer survivability policies Apply patches to known intrusion and failure problems Maintain readiness teams and conduct readiness drills (4) Survivability Operations Requirements

43 Carnegie Mellon University Software Engineering Institute Adapt the system to deal with new intrusions Evolve survivability capabilities more rapidly than intruder’s can accumulate system knowledge Ensure new system functions include survivability capabilities (5) Survivability Evolution Requirements

Download ppt "Carnegie Mellon University Software Engineering Institute Lecture 3a The Survivable Network Analysis Method: Evaluating Survivability of Critical Systems."

Similar presentations

Effective Contract Management Planning

Effective Contract Management Planning
Oracle Financial System Project Team: Aseem Gupta Jeng Toa Lee Jun Lu Kevin Patrick Zhu Thomas Verghese Weicheng Wong Xuegong Wang ( Jeff ) Date : 26 th.

Oracle Financial System Project Team: Aseem Gupta Jeng Toa Lee Jun Lu Kevin Patrick Zhu Thomas Verghese Weicheng Wong Xuegong Wang ( Jeff ) Date : 26 th.
S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,

S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,
Software Modeling SWE5441 Lecture 3 Eng. Mohammed Timraz

Software Modeling SWE5441 Lecture 3 Eng. Mohammed Timraz
DARPA ITS PI Meeting – Honolulu – July 17-21, 2000Slide 1 Aegis Research Corporation Intrusion Tolerance Using Masking, Redundancy and Dispersion DARPA.

DARPA ITS PI Meeting – Honolulu – July 17-21, 2000Slide 1 Aegis Research Corporation Intrusion Tolerance Using Masking, Redundancy and Dispersion DARPA.
Student Application System SNA Step 3 Attacker Profiles and Scenarios 11.14.2001.

Student Application System SNA Step 3 Attacker Profiles and Scenarios
© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.

© 2005, QEI Inc. all characteristics subject to change. For clarity purposes, some displays may be simulated. Any trademarks mentioned remain the exclusive.
Management’s Role in Information Security V.T. Raja, Ph.D., Oregon State University.

Management’s Role in Information Security V.T. Raja, Ph.D., Oregon State University.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
1 Telstra in Confidence Managing Security for our Mobile Technology.

1 Telstra in Confidence Managing Security for our Mobile Technology.
© 2006 Carnegie Mellon University Establishing a Network Centric Capability: Implications for Acquisition and Engineering Dennis Smith Complex System Symposium.

© 2006 Carnegie Mellon University Establishing a Network Centric Capability: Implications for Acquisition and Engineering Dennis Smith Complex System Symposium.
02/12/00 E-Business Architecture

02/12/00 E-Business Architecture
Guide to Network Defense and Countermeasures Second Edition Chapter 2 Security Policy Design: Risk Analysis.

Guide to Network Defense and Countermeasures Second Edition Chapter 2 Security Policy Design: Risk Analysis.
The Architecture Design Process

The Architecture Design Process
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.
11/14 SNA Presentation 3 Survivable Network Analysis Oracle Financial System SNA step 3 Ali Ardalan Qianming “Michelle” Chen Yi Hu Jason Milletary Jian.

11/14 SNA Presentation 3 Survivable Network Analysis Oracle Financial System SNA step 3 Ali Ardalan Qianming “Michelle” Chen Yi Hu Jason Milletary Jian.
Earl Crane Hap Huynh Jeongwoo Ko Koichi Tominaga 11/14/2000 Physician Reminder System SNA Step 3.

Earl Crane Hap Huynh Jeongwoo Ko Koichi Tominaga 11/14/2000 Physician Reminder System SNA Step 3.
Extranet for Security Professionals (ESP)

Extranet for Security Professionals (ESP)
1 Security Architecture and Analysis Management of System Development and Implementation –The System Development Process –Issues and Risks –Mitigation.

1 Security Architecture and Analysis Management of System Development and Implementation –The System Development Process –Issues and Risks –Mitigation.
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

Similar presentations

Ads by Google