Security Overview: Trends
Rafal Lukawiecki, Strategic Consultant, Project Botticelli Ltd, [email protected]

2. Objectives
- Overview a process-oriented approach to security
- Discuss the recent trends in approaching security issues

3. Session Agenda
- Frameworks, Processes and Concepts
- Issues
- Trends

4. The Problem
We have (more than enough) security technologies, but we do not know how (and if) we are secure.

5. Security Frameworks

6. Security Definition
- Cambridge Dictionary of English: ability to avoid being harmed by any risk, danger or threat
- ...therefore, in practice, an impossible goal. What can we do then?
- Be as secure as needed: ability to avoid being harmed too much by reasonably predictable risks, dangers or threats (Rafal's definition)

7. Adequate Security
CERT usefully suggests: "A desired enterprise security state is the condition where the protection strategies for an organization's critical assets and business processes are commensurate with the organization's risk appetite and risk tolerances." (www.cert.org/governance/adequate.html)
- Risk Appetite: defined through executive decision; influences the amount of risk worth taking to achieve enterprise goals and missions. Relates to risks that must be mitigated and managed.
- Risk Tolerance: residual risk accepted. Relates to risk for which no mitigation would be in place.

8. Approaches for Achieving Security
Two approaches are needed:
- Active, dynamic, transient: implemented through behaviour and pattern analysis
- Passive, static, pervasive: implemented through cryptography

9. Holistic View of Security
Security should be static + active, across all your assets, based on ongoing threat risk assessment.

10. Framework 1: Defense in Depth
Using a layered approach increases an attacker's risk of detection and reduces an attacker's chance of success. Layer and the controls at that layer:
- Data: ACL, encryption
- Application: application hardening, antivirus
- Host: OS hardening, update management, authentication
- Internal Network: network segments, IPSec, NIDS
- Perimeter: firewalls, VPN quarantine
- Physical Security: guards, locks, tracking devices, HSM
- Policies, Procedures & Awareness: user education against social engineering

11. Secure Environment
A secure environment is a combination of:
- Hardened hosts (nodes)
- Intrusion Detection System (IDS)
- Operating processes: standard and emergency
- Threat modelling and analysis
- Dedicated responsible staff: a Chief Security Officer (CSO) responsible for all
- Continuous training: users and security staff, against "social engineering"

12. Framework 2: OCTAVE
- Operationally Critical Threat, Asset and Vulnerability Evaluation
- Carnegie-Mellon University guidance; origin in 2001
- Used by US military and a growing number of larger organisations
- www.cert.org/octave

13. Concept of OCTAVE
- Workshop-based analysis; collaborative approach
- Guided by an 18-volume publication: very specific, with suggested timings, personnel selection etc. (www.cert.org/octave/omig.html)
- Smaller version, OCTAVE-S, for small and medium organisations (www.cert.org/octave/osig.html)

14. OCTAVE Process
A progressive series of workshops:
- Phase 1, Organizational View: assets, threats, current practices, organisational vulnerabilities, security requirements, planning
- Phase 2, Technological View: technical vulnerabilities
- Phase 3, Strategy and Plan Development: risks, protection strategy, mitigation plans

15. Framework 3: Security Risk Analysis
A simplified approach, taking into account your assets' exposure to security risks. Requires:
1. Identifying your assets
2. Assessing risks and their impact, probability and exposure
3. Formulating plans to reduce overall risk exposure

16. Risk Impact Assessment
- For each asset and risk attach a measure of impact
- Monetary scale if possible (difficult) or relative numbers with agreed meaning, e.g. Trivial (1), Low (2), Medium (3), High (4), Catastrophic (5)
- Example: Asset: Internal MD mailbox; Risk: Access to content by press; Impact: Catastrophic (5)

17. Risk Probability Assessment
- Now for each entry measure the probability that the loss may happen
- Real probabilities (difficult) or a relative scale (easier) such as Low (0.3), Medium (0.6) and High (0.9)
- Example: Asset: Internal MD mailbox; Risk: Access to content by press; Probability: Low (0.3)

18. Risk Exposure and Risk List
- Multiply probability by impact for each entry: Exposure = Probability x Impact
- Sort by exposure
- High-exposure risks need very strong security measures
- Lowest-exposure risks can be covered by default mechanisms or ignored
- Example: Press may access MD mailbox: Exposure = P(Low=0.3) x I(Catastrophic=5) = 1.5
- By the way, minimum exposure is 0.3 and maximum is 4.5 in our examples

19. Mitigation and Contingency
For high-exposure risks plan:
- Mitigation: reduce its probability or impact (and so its exposure)
- Transfer: make someone else responsible for the risk
- Avoidance: avoid the risk by not having the asset
- Contingency: what to do if the risk becomes reality

20. Framework 4: Threat Modeling
Structured analysis aimed at finding infrastructure vulnerabilities, evaluating security threats and identifying countermeasures. Originated from software development security threat analysis.
1. Identify Assets
2. Create an Architecture Overview
3. Decompose the System
4. Identify the Threats
5. Document the Threats
6. Rate the Threats

21. STRIDE
A technique for threat identification (step 4). Type of threat and examples:
- Spoofing: forging an email message; replaying authentication
- Tampering: altering data during transmission; changing data in a database
- Repudiation: deleting critical data and denying it; purchasing a product and denying it
- Information disclosure: exposing information in error messages; exposing code on a web site
- Denial of Service: flooding a web service with invalid requests; flooding a network with SYN
- Elevation of Privilege: obtaining Administrator privileges; using an assembly in the GAC to create an account

22. Threat Tree
Root: Inside attack enabled (attack domain controller from inside), an OR of two AND branches:
- AND: SQL Injection (an application doesn't validate user input and allows evil texts) + Dev Server (unhardened SQL server used by internal developers)
- AND: Messenger Xfer (novice admin uses an instant messenger on a server) + Trojan Soc Eng (attacker sends a trojan masquerading as a network utility)

23. Current Security Issues

24. Industry Issues for 2005-2006
Without undue generalisation:
- Mobile security at data layer
- Malware/spyware
- Compliance auditing
- Identity management
- Patch/update management
- Application defence
- Intrusion detection

25. Mobile Security at Data Layer
- Laptops and PDAs are rarely protected against physical data extraction
- Encryption with removable keys is very effective, though deployment requires planning and is sometimes cumbersome
- Smartcards plus EFS, or an alternative system such as PGP etc., can be applied
- Data recovery needs (legal and practical) complicate the matter greatly

26. Spyware (Malware) Protection
- 90% of machines have malicious software, on average 28 separate spyware programs (report by Earthlink & Webroot)
- Consequences: zombies; network bandwidth and CPU degradation; commercial secrets leaked; privacy destroyed; 3rd party liability arises
- Best practice: SpyBot Search and Destroy (www.spybot.info); Microsoft AntiSpyware (in beta); AdAware; limit use of administrative privileges for end-users

27. Compliance Auditing
- An area of rapid growth, primarily due to Sarbanes-Oxley ("Sarbox", or "Sox") and EU Data Privacy regulation
- In the hands of specialised providers, mainly consulting businesses
- Microsoft Operations Manager (MOM) can be applied for this purpose

28. Identity Management
- Heterogeneity of authentication and security measures is a common fact: don't fight it, integrate it
- Synchronisation between directories, no matter how different, is becoming a reality with solutions built on systems such as MIIS (Identity Integration Server)
- Alternatively, converge onto a client solution, such as smartcards or OTP/tokens

29. Patch and Update Management
- As of Sept 2005, Microsoft Update is fully functioning and integrates, at present: Windows OS updates, Office, SQL Server, Exchange
- More Microsoft products being added over the next months
- Enterprise solutions, however, will still benefit from a fully-managed software distribution system, such as SMS (Systems Management Server)

30. Application Defence
- As networks and hosts become well protected, application-level attacks are on the increase
- Other than for very new in-house applications, development security has rarely been a concern
- This is a major area of worry from the perspectives of both insider and outside attacks
- Approaches: prove it's safe (threat modelling); isolate-and-monitor; replace

31. Treating Unproven Applications
Until proven to be secure, treat all applications as "evil":
- Restrict access only to users on a need-to-use basis
- Restrict remote use
- Isolate to dedicated application servers
- Restrict servers through IPSec policies to only allow communication that applications explicitly require
- Monitor usage patterns to establish a baseline and raise an alarm when patterns vary
- Enable stringent auditing
- Request a formal threat analysis if the above restrictions are too severe

32. Intrusion Detection
- Intrusion Detection Systems (IDS) are still fairly basic, though sophistication has grown in network-level detection
- Honeypots, i.e. monitored vulnerable servers exposed as "bait", are still very effective, though they may pose legal problems

33. Trends for 2006

34. Network Security: IPv6
- A major development for 2006+ will be the gradual replacement of IPv4 with IPv6
- Amongst many benefits of this move, the crucial introduction of compulsory IPSec6 will provide much-needed authentication and confidentiality of data at wire level
- Interesting issues still remain to be solved, but now is a very good time to seriously evaluate the technology
- Windows Vista comes with a new IPv6 stack, as part of the entirely rewritten TCP/IP substrate, called "Next Generation TCP/IP"

35. Network Device Port Protection
- Though long awaited, "802.1x for wired networks" is off to a confused start, as many basic devices, such as switches, are unlikely to support the technology as expected
- With new infrastructure this technology might be useful in high-risk areas, especially exposed networks

36. Smartcards
- While not a new technology, Microsoft's support in Windows Vista promises a serious approach to solving deployment, manageability and developer issues
- Infocard specification for developers
- Alacris acquisition (20 Sept) for smartcard lifecycle management
- Axalto deal for smartcard infrastructure
- Windows Vista re-write of smartcard functionality

37. Biometrics
- Overhyped: be careful and sceptical
- Useful as a secondary protection of a private encryption key on a smartcard in a controlled environment
- Advantage: simple and works in some environments, e.g. immigration control or secondary authentication of staff
- Weakness: not useful for at-home, remote etc. applications, as there is no way to ensure it is your real fingerprint, iris, retina etc. being scanned
- Biometric data can be stolen and used to fake identity, and there is no way to change it later
- Too many false positive and false negative matches

38. Application-level Protection
- With .NET Framework 2.0 and SQL Server 2005 developers can use a plethora of security technologies, easily
- Developers are increasingly seen as responsible for security
- This extends even to database developers, previously unlikely to engage in cryptography or ACL management
- It is very important that all in-house and vertical solution-provider application developers undergo security training
- Refresher courses or workshops are a good idea
- Community participation helps

39. Summary

40. Summary
- Viewing security holistically combines the perspectives of people, processes and technologies, and requires ongoing research and education
- Security goals oppose those of usability
- Frameworks enable achieving security goals without facing unexpected costs
- Network and host protections are fairly mature
- Developer-oriented solutions to prevent application-level attacks must be employed

41. © 2005 Project Botticelli Ltd & Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. PROJECT BOTTICELLI AND MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. You must verify all the information presented before relying on it. E&OE.

Welcome: Clare Dillon, Developer and Platform Group, Microsoft Ireland, [email protected]
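The Framework 3 risk list of slides 16-19 carried through in code, as an added example that is not part of the original deck: the impact and probability scales are the deck's, the register entries other than the MD mailbox one are constructed, and the two treatment thresholds are an assumption since the deck gives no numbers.

```python
"""Risk list per Framework 3 (slides 16-19): exposure = probability x impact.
Added example, not from the original deck. The scales are the deck's; the
register entries other than the MD mailbox one are constructed, and the
treatment thresholds are an assumption (the deck gives no numbers)."""
from dataclasses import dataclass

IMPACT = {"Trivial": 1, "Low": 2, "Medium": 3, "High": 4, "Catastrophic": 5}
PROBABILITY = {"Low": 0.3, "Medium": 0.6, "High": 0.9}
STRONG_MEASURES_AT = 2.0        # assumed cut-off for "high exposure"
DEFAULT_MECHANISMS_BELOW = 0.7  # assumed cut-off for "lowest exposure"


@dataclass(frozen=True)
class Risk:
    asset: str
    risk: str
    impact: str        # key of IMPACT
    probability: str   # key of PROBABILITY

    @property
    def exposure(self) -> float:
        return round(PROBABILITY[self.probability] * IMPACT[self.impact], 2)

    def treatment(self) -> str:
        """Slide 19 options for high exposure; defaults/accept for the lowest."""
        if self.exposure >= STRONG_MEASURES_AT:
            return "mitigate/transfer/avoid + contingency plan"
        if self.exposure < DEFAULT_MECHANISMS_BELOW:
            return "default mechanisms or accept"
        return "review"


def risk_list(risks: list) -> list:
    """Register sorted by exposure, highest first (ties keep input order)."""
    return sorted(risks, key=lambda r: r.exposure, reverse=True)


def exposure_bounds() -> tuple:
    """Smallest and largest exposure the two scales can produce."""
    products = [p * i for p in PROBABILITY.values() for i in IMPACT.values()]
    return round(min(products), 2), round(max(products), 2)


REGISTER = [  # first entry is the deck's own example; the rest are constructed
    Risk("Internal MD mailbox", "Access to content by press", "Catastrophic", "Low"),
    Risk("Public web server", "Defacement", "Medium", "High"),
    Risk("Dev SQL server", "Data altered by insider", "High", "Medium"),
    Risk("Printer queue", "Job list disclosed", "Trivial", "Low"),
]
```

`exposure_bounds()` reproduces the slide's remark that the scales run from 0.3 to 4.5, and `risk_list(REGISTER)` puts the deck's 1.5 example third behind the two constructed entries.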
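The slide 22 threat tree as an AND/OR structure, evaluated from the defender's side to find the smallest sets of leaf mitigations that disable the root; an added example, not from the deck. The tree shape (an OR over two AND branches) is read off the slide, and the branch labels and mitigation sets are my own.

```python
"""AND/OR threat tree of slide 22, evaluated from the defender's side.
Added example, not from the original deck: the tree shape (an OR over two
AND branches) is read off the slide; the mitigation sets are constructed."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Node:
    name: str
    op: str = "LEAF"                   # "LEAF", "AND" or "OR"
    children: tuple["Node", ...] = ()

    def enabled(self, mitigated: frozenset) -> bool:
        """True if this condition still holds once the named leaves are mitigated."""
        if self.op == "LEAF":
            return self.name not in mitigated
        results = [c.enabled(mitigated) for c in self.children]
        return all(results) if self.op == "AND" else any(results)

    def leaves(self) -> set:
        if self.op == "LEAF":
            return {self.name}
        return set().union(*(c.leaves() for c in self.children))


# Root "attack domain controller from inside" = OR of two AND branches
INSIDE_ATTACK = Node("Inside attack enabled", "OR", (
    Node("via dev SQL server", "AND", (Node("SQL Injection"), Node("Dev Server"))),
    Node("via trojan", "AND", (Node("Messenger Xfer"), Node("Trojan Soc Eng"))),
))


def minimal_cut_sets(tree: Node) -> list:
    """Smallest sets of leaf mitigations that disable the root.

    Brute force over leaf subsets by size, skipping supersets of sets
    already found, so only minimal sets are returned."""
    names = sorted(tree.leaves())
    found = []
    for k in range(1, len(names) + 1):
        for combo in combinations(names, k):
            s = frozenset(combo)
            if any(f <= s for f in found):
                continue
            if not tree.enabled(s):
                found.append(s)
    return found
```

For this tree no single countermeasure closes the root; `minimal_cut_sets(INSIDE_ATTACK)` returns the four pairs that take one leaf from each AND branch, which is the slide's point that both paths must be broken.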