PPT - Center for Software Engineering
COTS Based System Security Economics
- A Stakeholder/Value Centric Approach
Related tool demo session:
COTS Based System Security Test-bed (Tiramisu)
Tuesday at Davidson Conference Center
Yue Chen
PhD Candidate in Computer Science
Advisor: Dr. Barry Boehm
941 W. 37th Place, SAL Room 330
University of Southern California
Los Angeles, CA, 90089, USA
Phone: (213)740-6470
Email: [email protected]
©All rights are reserved by the authors
Agenda
Background
Goal of Research
Nature of the Problem
T-MAP Framework
Tiramisu tool Demo
Model Applications
Initial Validation Results
Conclusions and Future Work
Background
Trends
– Increasing usage of COTS software in IT systems
– Increasing concerns about COTS software vulnerabilities
Challenges
– Evaluating CBS security in business context
– Benefit of security investment is difficult to measure
– “Twenty percent of vulnerabilities caused eighty percent of the security risk”, but which ones are they?
Goals of T-MAP
T-MAP: Threat Modeling based on Attack Path analysis
– A Stakeholder Value Centric Approach
Help make decisions on how much security investment would be optimal
– Max security strategy
– Max cost-effectiveness strategy
Help system designers understand the security of COTS combinations early in the project life-cycle
Help network administrators determine vulnerability priorities
Nature of The Problem
[Diagram: attacking paths run through permitted firewall ports to unblocked vulnerabilities (those impacting confidentiality, availability or integrity) in COTS software applications such as Windows Server 2003, SQL Server 2000, a web server (e.g. IIS 6.0) or a CRM server, while blocked vulnerabilities are stopped by the firewall wrapper; the IT infrastructure in turn supports organizational values such as regulatory compliance, productivity and reputation.]
T-MAP Framework
Three key steps:
– Step 1: Interview key stakeholders to determine how organizational values rely on IT security
– Step 2: Enumerate the scenarios in which COTS system vulnerabilities can compromise organizational values
– Step 3: Evaluate the severity of each scenario by weights, and model the COTS system security threat as the total weight of all scenarios
Steps 2 and 3 are automated by the tool (Tiramisu)
USC-ITS Server X Case Study – Background
Security protection of Server X, a sensitive database
Determine best practice under limited budget
Key stakeholders: students, faculty, staff
Organizational goals
– Productivity of the teaching and research community
– Regulation compliance
– Privacy of students, faculty, and staff
COTS software installed on Server X:
Step 1 – Determine stakeholder/value dependencies on IT
security
Evaluate the severity of security hazard scenarios by
stakeholder/value impacts
Involves both qualitative and quantitative criteria
Technical approach: figure of merit and the Analytic Hierarchy Process (AHP)
Example output (from USC Server X Case Study)
Determine the Weights - AHP Pair-wise Comparison
Example – Stakeholder value priority weights:
Reading: regulation is “very strongly” more important than productivity
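As an added worked example (not the authors' Tiramisu code), the pair-wise comparison above carried through to priority weights: the three Server X goals are compared on Saaty's 1-9 scale, the slide's judgement that regulation is "very strongly" (7) more important than productivity is kept, the two other judgements are assumed, and the consistency ratio shows whether the interviewed stakeholder's answers contradict each other.

```python
# Added example (not the authors' Tiramisu code): AHP pair-wise comparison
# turned into priority weights for the three Server X organizational goals,
# with Saaty's consistency ratio to flag contradictory judgements.
import math

# Saaty 1-9 scale: 1 equal, 3 moderately, 5 strongly, 7 very strongly,
# 9 extremely more important; the reverse comparison is the reciprocal.
GOALS = ["productivity", "regulation", "privacy"]

# Constructed judgements. "regulation is very strongly (7) more important
# than productivity" comes from the slide; the other two are assumptions.
JUDGEMENTS = {
    ("regulation", "productivity"): 7,
    ("privacy", "productivity"): 3,
    ("regulation", "privacy"): 3,
}

# Saaty's random consistency index by matrix order (standard AHP table).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24}

def comparison_matrix(goals, judgements):
    """Build the reciprocal comparison matrix A with A[i][j] = 1 / A[j][i]."""
    n = len(goals)
    a = [[1.0] * n for _ in range(n)]
    for (more, less), v in judgements.items():
        i, j = goals.index(more), goals.index(less)
        a[i][j], a[j][i] = float(v), 1.0 / v
    return a

def ahp_weights(a):
    """Priority weights: normalised row geometric means (eigenvector approx.)."""
    n = len(a)
    gm = [math.prod(row) ** (1.0 / n) for row in a]
    total = sum(gm)
    return [g / total for g in gm]

def consistency_ratio(a, w):
    """CR = CI / RI; judgements are usually accepted when CR < 0.1."""
    n = len(a)
    aw = [sum(a[i][j] * w[j] for j in range(n)) for i in range(n)]
    lam_max = sum(aw[i] / w[i] for i in range(n)) / n
    ci = (lam_max - n) / (n - 1)
    return ci / RANDOM_INDEX[n] if RANDOM_INDEX[n] else 0.0

def server_x_priorities():
    """Weights per goal and the CR for the constructed Server X judgements."""
    a = comparison_matrix(GOALS, JUDGEMENTS)
    w = ahp_weights(a)
    return dict(zip(GOALS, w)), consistency_ratio(a, w)
```

With these judgements regulation receives about 0.67 of the weight, privacy 0.24 and productivity 0.09, and the CR is well under 0.1.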
Step 2 – Attack Scenario Analysis
Enumerate the scenarios in which an attacker can compromise stakeholder values through COTS system vulnerabilities
The attack graph is built on a comprehensive COTS vulnerability database covering 18,800 known vulnerabilities residing in 31,713 COTS software products
Step 2 (Continued) – Example Output and Observations
Example output of Step 2 (Tiramisu screenshot, from USC Server X Case Study)
Step 3 – Security Scenario Severity Evaluation
Severity Drivers
Stakeholder value impacts
Vulnerability technical attributes
– Impact on confidentiality, integrity and/or availability
– Remotely exploitable
– Requires a valid user account on the victim host
– Needs user activities
Attackers
– Group size
– Skill level
– Motivation to attack
Step 3 (continued) – T-MAP Severity Rating System
Severity Weight of Attack Path P:
Overall Security Threat Score of COTS System G:
ThreatKey of elements in Attack Graph:
Effectiveness of Security Practice:
Tiramisu Tool Demo
Tiramisu is the software implementation of T-MAP
T-MAP Applications (1)
Security Investment Effectiveness Estimation
How much security threat can be avoided by implementing a firewall, software hardening (patching), user account control, or file system encryption?
Results also depend on the total value of the protected system
* Case study results estimated by a professional security manager at USC-ITS
T-MAP Applications (2) Security Patching Economics
Prioritize COTS Based System vulnerabilities under
business context
– “20% of vulnerabilities cause 80% of the security risk”; T-MAP tells which ones make up the 20%
Rationale: prioritize vulnerabilities by their ThreatKey
Example screenshot:
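As an added example (not the authors' Tiramisu code) for the Step 3 rating system and the two applications above: attack paths from a constructed Step 2 output are given severity weights, the overall threat score of the system is their total, each vulnerability's ThreatKey is the weight of the paths passing through it, and the effectiveness of patching is the share of the overall threat removed. The slides do not give the formulas, so the multiplicative way the severity drivers are combined, the numeric weights and the vulnerability labels are all assumptions.

```python
# Added example (not the authors' Tiramisu code): the Step 3 scoring idea in
# working form. The slides give no formulas; combining the severity drivers
# by multiplicative discounts is an assumption made here.
from dataclasses import dataclass

@dataclass(frozen=True)
class AttackPath:
    # One Step 2 scenario: attacker group -> COTS vulnerability -> stakeholder value
    attacker: str
    vuln: str                # constructed labels, not real vulnerability ids
    value: str
    remote: bool             # remotely exploitable
    needs_account: bool      # requires a valid account on the victim host
    needs_user_action: bool  # needs user activity (e.g. opening a file)

# Stakeholder value weights, e.g. from the Step 1 AHP comparison (constructed).
VALUE_WEIGHT = {"regulation": 0.67, "privacy": 0.24, "productivity": 0.09}
# Attacker group weight summarising size, skill and motivation (constructed).
ATTACKER_WEIGHT = {"external": 0.8, "insider": 0.3}

def path_severity(p):
    """Assumed rule: value weight x attacker weight, discounted per precondition."""
    w = VALUE_WEIGHT[p.value] * ATTACKER_WEIGHT[p.attacker]
    w *= 1.0 if p.remote else 0.5
    w *= 0.5 if p.needs_account else 1.0
    w *= 0.7 if p.needs_user_action else 1.0
    return w

def overall_threat(paths):
    """Overall threat score of the COTS system: total weight of all paths."""
    return sum(path_severity(p) for p in paths)

def threat_keys(paths):
    """ThreatKey per vulnerability: weight of the paths through it, highest first."""
    keys = {}
    for p in paths:
        keys[p.vuln] = keys.get(p.vuln, 0.0) + path_severity(p)
    return dict(sorted(keys.items(), key=lambda kv: -kv[1]))

def patch_effectiveness(paths, patched):
    """Share of the overall threat removed by patching the given vulnerabilities."""
    before = overall_threat(paths)
    after = overall_threat([p for p in paths if p.vuln not in patched])
    return (before - after) / before

# Constructed Step 2 output for a Server X-like host running the COTS the
# slides name (IIS 6.0, SQL Server 2000, Windows Server 2003); paths are made up.
PATHS = [
    AttackPath("external", "vuln-iis-1", "privacy", True, False, False),
    AttackPath("external", "vuln-iis-1", "regulation", True, False, False),
    AttackPath("insider", "vuln-sql-1", "regulation", False, True, False),
    AttackPath("external", "vuln-win-1", "privacy", True, False, True),
]
```

With these constructed inputs one of the three vulnerabilities carries about 80% of the overall threat, which is the 20/80 observation the slides refer to.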
T-MAP Applications (3) COTS Security Economics
[Chart: economic curve of security patching, from USC Server X case study, showing the sweet spot to invest in security]
[Chart: sweet spots to invest, also driven by the total value of the system, from USC Server X case study]
Initial Validation Results
Vulnerability priority comparison:
Security Manager’s manual results vs. Tiramisu results
Two case studies conducted at USC Information Technology Services Division
Two more case studies in progress with:
– Manual Art Senior High School
– African Millennium Foundation
Limitations
Only sensitive to known COTS vulnerabilities
– An empirical study by Arora shows that the average number of attacks per host per day jumped from 0.31 to 5.45 after a vulnerability gets published
Only covers “one-step attacks” that exploit COTS vulnerabilities
Depends on a comprehensive vulnerability database
– Our database: 188,000 vulnerabilities published from 1999 to 2006, residing in 31,313 COTS software products
Cannot effectively address passive attacks such as phishing
Conclusions
A COTS security evaluation framework that captures
stakeholder value propositions
Distills the potential impacts of thousands of vulnerabilities into management-friendly, high-level numbers
Results are organizational IT infrastructure specific
Future work
Explore applying game theory in T-MAP
We are looking for real-life projects/systems to further validate and mature the framework
Close integration with the risk-driven win-win spiral process to engineer more secure COTS Based Systems (CBS)
– Proactively evaluate CBS security early in the life-cycle
– Make a convincing security business case for CBS
– Help make better security protection plans
Contact: Yue Chen, [email protected]