Transcript Security Trends Overview

Security Overview: Trends
Rafal Lukawiecki
Strategic Consultant
Project Botticelli Ltd
[email protected]
2
Objectives
Overview a process-oriented approach to
security
Discuss the recent trends in approaching
security issues
3
Session Agenda
Frameworks, Processes and Concepts
Issues
Trends
4
The Problem
We have (more than enough) security
technologies, but we do not know how (and if)
we are secure
5
Security
Frameworks
6
Security
Definition (Cambridge Dictionary of English)
Ability to avoid being harmed by any risk, danger or
threat
…therefore, in practice, an impossible goal 
What can we do then?
Be as secure as needed
Ability to avoid being harmed too much by
reasonably predictable risks, dangers or threats
(Rafal’s Definition)
7
Adequate Security
CERT usefully suggests:
“A desired enterprise security state is the condition where the
protection strategies for an organization's critical assets and
business processes are commensurate with the organization's
risk appetite and risk tolerances.” –
www.cert.org/governance/adequate.html
Risk Appetite – defined through executive decision, influences
amount of risk worth taking to achieve enterprise goals and
missions
Relates to risks that must be mitigated and managed
Risk Tolerance – residual risk accepted
Relates to risk for which no mitigation would be in place
8
Approaches for Achieving Security
Two approaches are needed:
Active, dynamic, transient
Implemented through behaviour and pattern analysis
Passive, static, pervasive
Implemented through cryptography
9
Holistic View of Security
Security should be:
Static + Active
Across
All Your Assets
Based On
Ongoing Threat Risk Assessment
10
Framework 1: Defense in Depth
Using a layered approach:
Increases an attacker’s risk of detection
Reduces an attacker’s chance of success
Data
Application
Host
Internal Network
Perimeter
Physical Security
Policies, Procedures, &
Awareness
ACL, encryption
Application hardening, antivirus
OS hardening, update management,
authentication
Network segments, IPSec, NIDS
Firewalls, VPN quarantine
Guards, locks, tracking devices,
HSM
User education against social
engineering
11
Secure Environment
A secure environment is a combination of:
Hardened hosts (nodes)
Intrusion Detection System (IDS)
Operating Processes
Standard and Emergency
Threat Modelling and Analysis
Dedicated Responsible Staff
Chief Security Officer (CSO) responsible for all
Continuous Training
Users and security staff – against “social engineering”
12
Framework 2: OCTAVE
Operationally Critical Threat, Asset and
Vulnerability Evaluation
Carnegie-Mellon University guidance
Origin in 2001
Used by US military and a growing number of larger
organisations
www.cert.org/octave
13
Concept of OCTAVE
Workshop-based analysis
Collaborative approach
Guided by an 18-volume publication
Very specific, with suggested timings, personnel selection etc.
www.cert.org/octave/omig.html
Smaller version, OCTAVE-S, for small and medium
organisations
www.cert.org/octave/osig.html
14
OCTAVE Process
Progressive Series of Workshops
Phase 1
Organizational
View
Assets
Threats
Current Practices
Org. Vulnerabilities
Security Req.
Planning
Phase 2
Technological
View
Tech. Vulnerabilities
Phase 3
Strategy and Plan
Development
Risks
Protection Strategy
Mitigation Plans
15
Framework 3: Security Risk Analysis
A simplified approach, taking into account your
assets exposure to security risks
Requires:
1. Identifying your assets
2. Assesing risks and their impact, probability and
exposure
3. Formulating plans to reduce overall risk exposure
16
Risk Impact Assessment
For each asset and risk attach a measure of impact
Monetary scale if possible (difficult) or relative numbers
with agreed meaning
E.g.: Trivial (1), Low (2), Medium (3), High (4), Catastrophic (5)
Ex:
Asset: Internal MD mailbox
Risk: Access to content by press
Impact: Catastrophic (5)
17
Risk Probability Assessment
Now for each entry measure probability the loss
may happen
Real probabilities (difficult) or a relative scale
(easier) such as: Low (0.3), Medium, (0.6), and
High (0.9)
Ex:
Asset: Internal MD mailbox
Risk: Access to content by press
Probability: Low (0.3)
18
Risk Exposure and Risk List
Multiply probability by impact for each entry
Exposure = Probability x Impact
Sort by exposure
High-exposure risks need very strong security measures
Lowest-exposure risks can be covered by default mechanisms or
ignored
Example:
Press may access MD mailbox:
Exposure = P(Low=0.3) x I(Catastrophic=5) = 1.5
By the way, minimum exposure is 0.3 and maximum is 4.5 is our
examples
19
Mitigation and Contingency
For high-exposure risks plan:
Mitigation: Reduce its probability or impact (so
exposure)
Transfer: Make someone else responsible for the risk
Avoidance: avoid the risk by not having the asset
Contingency: what to do if the risk becomes reality
20
Framework 4: Threat Modeling
1. Identify Assets
Structured analysis aimed
at:
2. Create an Architecture Overview
Finding infrastructure
vulnerabilities
3. Decompose the System
Evaluating security threats
4. Identify the Threats
5. Document the Threats
6. Rate the Threats
Identify countermeasures
Originated from software
development security threat
analysis
21
STRIDE
A Technique for Threat Identification (Step 4)
Type of Threat
Spoofing
Examples
Forging Email Message
Replaying Authentication
Tampering
Altering data during transmission
Changing data in database
Repudiation
Delete critical data and deny it
Purchase product and deny it
Information disclosure
Expose information in error messages
Expose code on web site
Denial of Service
Flood web service with invalid request
Flood network with SYN
Elevation of Privilege
Obtain Administrator privileges
Use assembly in GAC to create acct
22
Threat Tree
Inside Attack
Enabled
Attack domain
controller
from inside
OR
AND
AND
SQL Injection
Dev Server
Messenger Xfer
Trojan Soc Eng
An application
doesn’t validate
user’s input and
allows evil texts
Unhardened
SQL server
used by internal
developers
Novice admin
uses an instant
messenger on a
server
Attacker sends
a trojan
masquerading
as network util
23
Current Security
Issues
24
Industry Issues for 2005-2006
Without undue generalisation:
Mobile security at data layer
Malware/spyware
Compliance auditing
Identity management
Patch/update management
Application defence
Intrusion detection
25
Mobile Security at Data Layer
Laptops and PDAs are rarely protected against
physical data extraction
Encryption with removable keys is very effective,
though deployment requires planning and is
sometimes cumbersome
Smartcards plus EFS or an alternative system, such
as PGP etc. can be applied
Data recovery needs (legal and practical)
complicate the matter greatly
26
Spyware (Malware) Protection
90% machines have malicious software, on average 28 separate
spyware programs (report by Earthlink & Webroot)
Zombies
Network bandwidth and CPU degradation
Commercial secrets leaked
Privacy destroyed
3rd party liability arises
Best practice:
SpyBot Search and Destroy (www.spybot.info)
Microsoft AntiSpyware (in beta)
AdAware
Limit use of administrative privileges for end-users
27
Compliance Auditing
An area of rapid growth, primarily due to
Sarbannes/Oxley (“Sarbox”, or “Sox”) and EU
Data Privacy regulation
In hands of specialised providers, mainly
consulting business
Microsoft Operations Manager (MOM) can be
applied for this purpose
28
Identity Management
Heterogeneity of authentication and security
measures is a common fact
Don’t fight it, integrate it
Synchronisation between directories, no matter
how different, is becoming a reality with
solutions build on systems such as MIIS (Identity
Integration Server)
Alternatively, converge onto a client-solution, such
as smartcards or OTP/tokens
29
Patch and Update Management
As of Sept 2005, Microsoft Update is fully functioning,
and integrates, at present:
Windows OS updates
Office
SQL Server
Exchange
More Microsoft products being added over the next
months
Enterprise solutions, however, will still benefit from a
fully-managed software distribution system, such as
SMS (Systems Management Server)
30
Application Defence
As networks and hosts become well protected,
application-level attacks are on the increase
Other than for very new in-house applications,
development security has rarely been a concern
This is a major area of worry from both perspectives of
an insider and outside attacks
Approaches:
Prove it’s safe (threat modelling)
Isolate-and-monitor
Replace
31
Treating Unproven Applications
Until proven to be secure, treat all applications as “evil”
Restrict access only to users on need-to-use basis
Restrict remote use
Isolate to dedicated application servers
Restrict servers through IPSec policies to only allow
communication that applications explicitly require
Monitor usage pattern to establish a baseline and raise alarm
when patterns vary
Enable stringent auditing
Request a formal threat analysis if above restrictions are too
severe
32
Intrusion Detection
Intrusion Detection Systems (IDS) are still fairly
basic, though sophistication grew at networklevel detection
Honeypots, i.e. monitored vulnerable servers
exposed as “bait” are still very effective, though
may pose legal problems
33
Trends for 2006
34
Network Security – IPv6
A major development for 2006+ will be gradual
replacement of IPv4 with IPv6
Amongst many benefits of this move, a crucial
introduction of compulsory IPSec6 will provide much
needed authentication and confidentiality of data at wirelevel
Interesting issues still remain to be solved, but now is a
very good time to seriously evaluate the technology
Windows Vista comes with a new IPv6 stack, as part of
the entirely rewritten TCP/IP substrate, called “Next
Generation TCP/IP”
35
Network Device Port Protection
Though long awaited, “802.1x for wired
networks” is off to a confused start, as many
basic devices, such as switches, are unlikely to
support the technology as expected
With new infrastructure this technology might be
useful in high-risk areas, especially exposed
networks
36
Smartcards
While not a new technology, Microsoft’s support
in Windows Vista promises a serious approach
to solving deployment, manageability and
developer issues
Infocard specification for developers
Alacris acquisition (20 Sept) for smartcard lifecycle
management
Axalto deal for smartcard infrastructure
Windows Vista re-write of smartcard functionality
37
Biometrics
Overhyped: be careful and sceptical
Useful as a secondary protection of a private encryption
key on a smartcard in a controlled environment
Advantage:
Simple and works in some environments, e.g. immigration
control or secondary authentication of staff
Weakness:
Not useful for at-home, remote etc. applications as no way to
ensure it is your real fingerprint, iris, retina etc. being scanned
Biometric data can be stolen and can be used to fake identity
– no way to change it later
Too many positive and negative false matches
38
Application-level Protection
With .NET Framework 2.0 and SQL Server 2005
developers can use a plethora of security technologies –
easily
Developers are increasingly seen as responsible for
security
This extends even to database developers, previously unlikely
to engage in cryptography or ACL management
It is very important that all in-house and vertical solutionprovider application developers undergo security training
Refresher courses or workshops are a good idea
Community participation helps
39
Summary
40
Summary
Viewing security holistically combines
perspectives of people, processes, technologies
and requires ongoing research and education
Security goals oppose those of usability
Frameworks enable achieving security goals
without facing unexpected costs
Network and host protections are fairly mature
Developer-oriented solutions to prevent
application-level attacks must be employed
41
© 2005 Project Botticelli Ltd & Microsoft Corporation. All rights reserved. This presentation is for informational
purposes only. PROJECT BOTTICELLI AND MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN
THIS SUMMARY. You must verify all the information presented before relying on it. E&OE.
Welcome
Clare Dillon
Developer and Platform Group
Microsoft Ireland
[email protected]