The Inf orma tion Security Ca seevans/malware/cases.pdf · 2004. 12. 1. · the se p r ob a bil it...
Transcript of The Inf orma tion Security Ca seevans/malware/cases.pdf · 2004. 12. 1. · the se p r ob a bil it...
![Page 1: The Inf orma tion Security Ca seevans/malware/cases.pdf · 2004. 12. 1. · the se p r ob a bil it ie s ? Probabilities of b asic events in Fault Trees comes from testing of ha rdwa](https://reader036.fdocuments.in/reader036/viewer/2022071507/61283c84f0d4ea44f562dd26/html5/thumbnails/1.jpg)
The Information Security Case
M. Anthony Aiello
Overview
The major players
The hunt
The epiphany
The end of the story
![Page 2: The Inf orma tion Security Ca seevans/malware/cases.pdf · 2004. 12. 1. · the se p r ob a bil it ie s ? Probabilities of b asic events in Fault Trees comes from testing of ha rdwa](https://reader036.fdocuments.in/reader036/viewer/2022071507/61283c84f0d4ea44f562dd26/html5/thumbnails/2.jpg)
Overview
The major players
The hunt
The epiphany
The end of the story
or: Motivation
___________
An HSARPA BAA
Information Security Cases: Security assessment must not merely result in a single number — a one-dimensional metric cannot possibly capture the range of properties or aspects that need to be assessed. This has long been recognized in safety critical systems where assessment is multidimensional and captures both process and product elements in a safety case - a reasoned coherent argument that supplies evidence to support the system designer claims. Research is needed to define appropriate argument structures in the case of information security, and to create supporting tools to aid the construction and maintenance of information security cases.
______________________________
______ ________ __________________________________________________________________
![Page 3: The Inf orma tion Security Ca seevans/malware/cases.pdf · 2004. 12. 1. · the se p r ob a bil it ie s ? Probabilities of b asic events in Fault Trees comes from testing of ha rdwa](https://reader036.fdocuments.in/reader036/viewer/2022071507/61283c84f0d4ea44f562dd26/html5/thumbnails/3.jpg)
The Safety Case
“A safety case should communicate a clear, comprehensive and defensible argument that a system is acceptably safe to operate in a particular context.”
Kelly, Timothy P. “Arguing Safety — A Systematic Approach to Managing Safety Cases” PhD Thesis, York, 1998
_________
____ ___________
The Safety Case
“A safety case should communicate a clear, comprehensive and defensible argument that a system is acceptably safe to operate in a particular context.”
Kelly, Timothy P. “Arguing Safety — A Systematic Approach to Managing Safety Cases” PhD Thesis, York, 1998
————Information Security
—————An information security
———secure
and Ton
y Aiello
_________
____ ___________
![Page 4: The Inf orma tion Security Ca seevans/malware/cases.pdf · 2004. 12. 1. · the se p r ob a bil it ie s ? Probabilities of b asic events in Fault Trees comes from testing of ha rdwa](https://reader036.fdocuments.in/reader036/viewer/2022071507/61283c84f0d4ea44f562dd26/html5/thumbnails/4.jpg)
The HSARPA BAA
Information Security Cases: Security assessment must not merely result in a single number — a one-dimensional metric cannot possibly capture the range of properties or aspects that need to be assessed. This has long been recognized in safety critical systems where assessment is multidimensional and captures both process and product elements in a safety case - a reasoned coherent argument that supplies evidence to support the system designer claims. Research is needed to define appropriate argument structures in the case of information security, and to create supporting tools to aid the construction and maintenance of information security cases.
________________________________________
______________________________
______ ________
What kind of ev
idence?
Overview
The major players
The hunt
The epiphany
The end of the story
_____ finding Evidence
![Page 5: The Inf orma tion Security Ca seevans/malware/cases.pdf · 2004. 12. 1. · the se p r ob a bil it ie s ? Probabilities of b asic events in Fault Trees comes from testing of ha rdwa](https://reader036.fdocuments.in/reader036/viewer/2022071507/61283c84f0d4ea44f562dd26/html5/thumbnails/5.jpg)
Evidence in Safety Cases
Mathematical Analysis
Event Trees
Fault Trees
FMECA
Hazop
Evidence in Information Security Cases
Attack Trees
…but these are hardly rigorous
![Page 6: The Inf orma tion Security Ca seevans/malware/cases.pdf · 2004. 12. 1. · the se p r ob a bil it ie s ? Probabilities of b asic events in Fault Trees comes from testing of ha rdwa](https://reader036.fdocuments.in/reader036/viewer/2022071507/61283c84f0d4ea44f562dd26/html5/thumbnails/6.jpg)
An Attack TreeClient Data
Compromised
Client Reveals Password
SSL Compromised
Firewall Violated
Database Compromised
Database Accessed from
Outside
Webserver Compromised
Database Password
Discovered
Database Accessed Illegitimately through
Webserver
Illegitimate Database Access
How do you come up with
these probabilities?
Probabilities of basic events in Fault Trees comes fromtesting of hardware
components.
This is just a fault tree
with a different name
Evidence in Information Security Cases
Attack Trees
Evidence that a process has been followed
For example, that certain precautions have been taken with certificate storage
That certain technologies have been employed to mitigate risks (SSL, etc.)
![Page 7: The Inf orma tion Security Ca seevans/malware/cases.pdf · 2004. 12. 1. · the se p r ob a bil it ie s ? Probabilities of b asic events in Fault Trees comes from testing of ha rdwa](https://reader036.fdocuments.in/reader036/viewer/2022071507/61283c84f0d4ea44f562dd26/html5/thumbnails/7.jpg)
These aren’t too exciting...
http://www.megatokyo.com
Overview
The major players
The hunt
The epiphany
The end of the story
________ I’ve seen this b
efore…
![Page 8: The Inf orma tion Security Ca seevans/malware/cases.pdf · 2004. 12. 1. · the se p r ob a bil it ie s ? Probabilities of b asic events in Fault Trees comes from testing of ha rdwa](https://reader036.fdocuments.in/reader036/viewer/2022071507/61283c84f0d4ea44f562dd26/html5/thumbnails/8.jpg)
This Kind of Evidence is Familiar
Attack Trees
Evidence that a process has been followed
For example, that certain precautions have been taken with certificate storage
That certain technologies have been employed to mitigate risks (SSL, etc.)
(formal, but
non-rigorous)
(varying degrees of ri
gor,
but informal)
Evidence in Safety Cases
Mathematical Analysis
Event Tree
Fault Trees
FMECA
Hazop
These are for Hardware
![Page 9: The Inf orma tion Security Ca seevans/malware/cases.pdf · 2004. 12. 1. · the se p r ob a bil it ie s ? Probabilities of b asic events in Fault Trees comes from testing of ha rdwa](https://reader036.fdocuments.in/reader036/viewer/2022071507/61283c84f0d4ea44f562dd26/html5/thumbnails/9.jpg)
Software Evidence
What kinds of evidence might be generated for software systems?
Lots of evidence that processes have been followed
Meaningless fault trees (how meaningful are made-up probabilities?)
Some formal analysisrarely system-wide
Information Security Evidence
At best, we can hope to match the rigor of software evidence
And this makes sense: software forms the basis of information security…
![Page 10: The Inf orma tion Security Ca seevans/malware/cases.pdf · 2004. 12. 1. · the se p r ob a bil it ie s ? Probabilities of b asic events in Fault Trees comes from testing of ha rdwa](https://reader036.fdocuments.in/reader036/viewer/2022071507/61283c84f0d4ea44f562dd26/html5/thumbnails/10.jpg)
…and security is only as strong as the weakest link
http://www.megatokyo.com
Overview
The major players
The hunt
The epiphany
The end of the story_____________ My conclusions
![Page 11: The Inf orma tion Security Ca seevans/malware/cases.pdf · 2004. 12. 1. · the se p r ob a bil it ie s ? Probabilities of b asic events in Fault Trees comes from testing of ha rdwa](https://reader036.fdocuments.in/reader036/viewer/2022071507/61283c84f0d4ea44f562dd26/html5/thumbnails/11.jpg)
Place for the Information Security Case
It will have its place as a semi-formal structure
It will enable better forensic analysis:
Tracing from the failed goal to its evidence should reveal what went wrong
Looking Forward
We need better kinds of evidence
More formal techniques
Practically, this will be hard:
Our ability to reason about security is limited by our ability to reason about the underlying software
![Page 12: The Inf orma tion Security Ca seevans/malware/cases.pdf · 2004. 12. 1. · the se p r ob a bil it ie s ? Probabilities of b asic events in Fault Trees comes from testing of ha rdwa](https://reader036.fdocuments.in/reader036/viewer/2022071507/61283c84f0d4ea44f562dd26/html5/thumbnails/12.jpg)
http://www.megatokyo.com