
1 Models for Security Vulnerabilities and Threats
Yuri Demchenko
Advanced Internet Research Group (AIRG), University of Amsterdam
demch@science.uva.nl
INFSO-RI-508833, Enabling Grids for E-sciencE, www.eu-egee.org

2 Outline
- Background: Addressing known security vulnerabilities
- From Vulnerability to Incident
- Existing classifications and models
- Proposed security threats classification and models

3 Addressing Known Security Vulnerabilities
- Grid Operational Centers (and JSPG :-) know the major security vulnerabilities
  – Those that are actually obvious
    => Reason why it happened?
  – We can expect more to be discovered when we apply regular security vulnerability analysis and risk assessment
- Approach for security/operational people?
  – Actively search for vulnerabilities OR wait until somebody discovers and (mis)uses them
- (Already perceived) Problems
  – There is no common approach/model for analysing security vulnerabilities in Web Services and Grids
  – All security models and methodologies are complex and multifaceted
    => Grid is new but not unique: better to learn from others' experience
    => Need some effort and willingness to learn or to listen to experts

4 Vulnerability-Incident life-cycle
Vulnerability => Exploit => Threat => Attack/Intrusion => Incident
- Vulnerability is a flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy
- Exploit is a known way to take advantage of a specific software vulnerability
- Threat is a potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm
- Attack is an assault on system security that derives from an intelligent threat
- Incident is the result of a successful Attack

5 Basic steps in attacking methodology

6 Known Vulnerabilities and Threats Classifications
- OWASP (Open Web Application Security Project)
  – http://www.owasp.org/documentation/topten.html
  – Developed in 2003-2004 and adopted by industry
- EVDL (Enterprise Vulnerability Description Language)
  – OASIS WG: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=was
- Web Applications Security Threats Model by Microsoft
  – http://msdn.microsoft.com/library/en-us/dnnetsec/html/ThreatCounter.asp
- XML Web Services Security Vulnerabilities/Threats classification
  – Proposed in MJRA3.4 and updated in MJRA3.6

7 Top 10 OWASP vulnerabilities
- A1 - Unvalidated Input
- A2 - Broken Access Control
- A3 - Broken Authentication and Session Management
- A4 - Cross Site Scripting (XSS) Flaws
- A5 - Buffer Overflows
- A6 - Injection Flaws
- A7 - Improper Error Handling
- A8 - Insecure Credentials Storage
- A9 - Denial of Service
- A10 - Insecure Configuration Management

8 XML Web Services threats/attacks classification (1)
- XWS1 – Web Services Interface probing
  – WSDL scanning, WSDL parameters tampering, WSDL error interface probing
- XWS2 – XML parsing system
  – Recursive XML document content, oversized XML document
- XWS3 – Malicious XML content
  – Malicious code exploiting known vulnerabilities in back-end applications, viruses or Trojan horse programs, malicious XPath or XQuery built-in operations, malicious Unicode content
- XWS4 – External reference attacks
  – Malicious XML Schema extensions, namespace resolution manipulation, external entity attacks
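A defensive pre-parse check for the XWS2 and XWS4 categories above, as an added example that is not part of the original slides: it rejects oversized input, excessive nesting and any DOCTYPE (where recursive entity definitions and external entity references are declared) before a message reaches the application. The limits, the function name `check_xml` and the sample messages are assumptions constructed for illustration.

```python
import xml.parsers.expat

MAX_BYTES = 64 * 1024  # assumed size limit, tune per service
MAX_DEPTH = 32         # assumed nesting limit, tune per service

class RejectedXML(Exception):
    """Raised from a parser callback to abort parsing immediately."""

def check_xml(data: bytes, max_bytes=MAX_BYTES, max_depth=MAX_DEPTH) -> str:
    """Return "ok" or a reason prefixed with the slide's category."""
    if len(data) > max_bytes:  # cheapest check first, before any parsing
        return "XWS2: oversized document"
    depth = 0

    def start(name, attrs):
        nonlocal depth
        depth += 1
        if depth > max_depth:
            raise RejectedXML("XWS2: nesting too deep")

    def end(name):
        nonlocal depth
        depth -= 1

    def doctype(name, sysid, pubid, has_internal_subset):
        # Entities (recursive or external) can only be declared in a DTD,
        # and SOAP 1.1 forbids a DOCTYPE in messages, so refuse it outright.
        raise RejectedXML("XWS4: DOCTYPE not allowed")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.StartDoctypeDeclHandler = doctype
    try:
        parser.Parse(data, True)  # exceptions from callbacks propagate
    except RejectedXML as exc:
        return str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return f"malformed: {exc}"
    return "ok"

# Constructed sample messages (not captured traffic).
BENIGN = (b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
          b'<soap:Body><getJob id="42"/></soap:Body></soap:Envelope>')
NESTED = b"<a>" * 40 + b"</a>" * 40
WITH_DTD = (b'<!DOCTYPE r [<!ENTITY e SYSTEM "http://example.invalid/x">]>'
            b"<r>&e;</r>")

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN), ("nested", NESTED), ("dtd", WITH_DTD)):
        print(label, "->", check_xml(msg))
```

Run the check at the service boundary, ahead of schema validation and signature processing, so that a rejected message never reaches the full XML stack.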

9 XML Web Services threats/attacks classification (2)
- XWS5 – SOAP/XML Protocol attacks
  – SOAP flooding attack, replay attack, routing detour, message eavesdropping, "Man-in-the-middle" attack
- XWS6 – XML security credentials tampering
  – XML Signature manipulation, secure XML content manipulation, Unicode content manipulation, XML credentials replay, application session hijacking
- XWS7 – Secure key/session negotiation tampering
  – Poor WS-Security implementation, poor key generation, poor key/trust management; weak or custom encryption

10 Threats/Attacks grouping in interacting services

11 Threats/Attacks grouping (1)
- WIA – "Wire" Intelligence Attacks
  – Network eavesdropping
  – "Man in the middle" (MITM)
  – Brute Force
  – Credentials compromise
  – Replay/Session hijack
  – XML/SOAP protocol
- MIA – Malefactor Initiated Attacks
  – Denial of Service (DoS)
  – Brute Force
  – Dictionary Attacks
  – WSDL probing
- UCA – User Credentials Attacks
  – Credentials theft
  – Credentials compromise
  – User impersonation

12 Threats/Attacks grouping (2)
- SIA – Site Management Attacks
  – Configuration vulnerabilities
  – Improper Key/Trust Management
  – Improper Privilege Management
  – Improper Error Handling
  – Insecure audit/logging
- ESA – End Services Attacks
  – Resource misuse and quota violation
  – Malicious input
  – Dynamic XML
  – XML/SQL Injection
  – (XSS)

13 Security models for interacting Grid/XWS services
- Requestor/User site security zones
- Service/Resource site security zones

14 Requestor/User site security zones

15 Service/Resource site security zones

16 Example use of security models
- Collaboratory.nl project (CNL)
- Providing secure remote access to unique analytical equipment
- Job-centric security model for Open Collaborative Environment
  – Distributed security services model
  – Security context handling addressed
  – Trust model for distributed security services

17 Authorisation Service operation in a CNL2 Demo system
- JNLP – Java Network Launch Protocol
- CHEF – Collaborative tool
- Surabaya – Collaborative Workspace environment
- Locations

18 Security and trust issues in the OCE Job-centric security model
- TA – Trust Anchor
- TR# – trust path from root (resource)
- RAM – Resource Allocation and Management
- UserCT – User Collaborative Tools

19 Trust relations in distributed access control infrastructure
- Obtaining required permissions to perform requested action by the user:
  User => AuthN(HomeOrg.staff, Job.members) => AuthZ(Member.roles, Policy.permissions) => Resource.permissions
- Trust/credentials chain and delegation between major modules:
  User => HomeOrg.staff(TA2) => Job.members => Member.roles => Role.permissions

20 Summary and next steps
- Security vulnerabilities and attacks classification provides an input to further analysis of existing and yet-to-be-discovered vulnerabilities
- Proposed Requestor and Resource security models need discussion and trial by analysing real middleware products
  – Need to be developed to cover the case with delegation
- Need some organisational form to proceed as an ad-hoc activity targeted at improving Grid middleware security

21 Additional materials
- Users vs hackers
- Application security layers
- Host security components
- Implementation suggestions for OCE/CNL Job-centric security architecture

22 Users vs hackers
- Users go the regular route
- Potential hackers use any possible opportunity to bypass

23 Application Security Layers
- Grid and application security must be built on a solid base of lower layers
- Grid middleware constitutes the Tier 3 layer and must protect actual applications from possible attacks

24 Host security components
- Protocols and Ports that provide network access and communication services for applications
- Common OS Services
- Files and Directories
- User Accounts and privileges
- Registries
- Auditing and Logging
- Patches and Updates management

25 Trust relations in distributed Access Control
- Implementation suggestions for OCE/CNL security model
  – Root of trust and authority belong to the Resource
  – Trust anchor TA2 embedded into the Job Description is the main trust anchor shared between the resource and the customer
    => In a more business-integrated model, the signed order may contain TA1
    => Both TA2 and TA1 may have the same trust path to the root/resource
  – To become a shared trust anchor for the resource and the customer trust domains, the Order or JobDescription must contain mutually signed credentials/certificates
  – Although the main PEP operation assumes an authorisation decision request from the trusted PDP, in general the PEP may accept an AuthzTicket from another trusted/external PDP

