Security Overview: Trends

Presentation Transcript

  1. Security Overview: Trends • Rafal Lukawiecki, Strategic Consultant, Project Botticelli Ltd

  2. Objectives • Give an overview of a process-oriented approach to security • Discuss the recent trends in approaching security issues

  3. Session Agenda • Frameworks, Processes and Concepts • Issues • Trends

  4. The Problem • We have (more than enough) security technologies, but we do not know how (and if) we are secure

  5. Security Frameworks

  6. Security • Definition (Cambridge Dictionary of English) • Ability to avoid being harmed by any risk, danger or threat • …therefore, in practice, an impossible goal • What can we do then? • Be as secure as needed • Ability to avoid being harmed too much by reasonably predictable risks, dangers or threats (Rafal’s Definition)

  7. Adequate Security • CERT usefully suggests: • “A desired enterprise security state is the condition where the protection strategies for an organization's critical assets and business processes are commensurate with the organization's risk appetite and risk tolerances.” • Risk Appetite – defined through executive decision; influences the amount of risk worth taking to achieve enterprise goals and missions • Relates to risks that must be mitigated and managed • Risk Tolerance – the residual risk accepted • Relates to risks for which no mitigation would be in place

  8. Approaches for Achieving Security • Two approaches are needed: • Active, dynamic, transient • Implemented through behaviour and pattern analysis • Passive, static, pervasive • Implemented through cryptography

  9. Holistic View of Security • Security should be: • Static + Active • Across all your assets • Based on ongoing threat risk assessment

  10. Framework 1: Defense in Depth • Using a layered approach: • Increases an attacker’s risk of detection • Reduces an attacker’s chance of success • Layers, outermost to innermost: • Policies, Procedures, & Awareness – user education against social engineering • Physical Security – guards, locks, tracking devices, HSM • Perimeter – firewalls, VPN quarantine • Internal Network – network segments, IPSec, NIDS • Host – OS hardening, update management, authentication • Application – application hardening, antivirus • Data – ACL, encryption

  11. Secure Environment • A secure environment is a combination of: • Hardened hosts (nodes) • Intrusion Detection System (IDS) • Operating Processes • Standard and Emergency • Threat Modelling and Analysis • Dedicated Responsible Staff • Chief Security Officer (CSO) responsible for all • Continuous Training • Users and security staff – against “social engineering”

  12. Framework 2: OCTAVE • Operationally Critical Threat, Asset and Vulnerability Evaluation • Carnegie Mellon University guidance • Origin in 2001 • Used by the US military and a growing number of larger organisations

  13. Concept of OCTAVE • Workshop-based analysis • Collaborative approach • Guided by an 18-volume publication • Very specific, with suggested timings, personnel selection etc. • Smaller version, OCTAVE-S, for small and medium organisations

  14. OCTAVE Process – Progressive Series of Workshops • Planning • Phase 1: Organizational View – assets, threats, current practices, organizational vulnerabilities, security requirements • Phase 2: Technological View – technical vulnerabilities • Phase 3: Strategy and Plan Development – risks, protection strategy, mitigation plans

  15. Framework 3: Security Risk Analysis • A simplified approach, taking into account your assets’ exposure to security risks • Requires: • Identifying your assets • Assessing risks and their impact, probability and exposure • Formulating plans to reduce overall risk exposure

  16. Risk Impact Assessment • For each asset and risk attach a measure of impact • Monetary scale if possible (difficult) or relative numbers with agreed meaning • E.g.: Trivial (1), Low (2), Medium (3), High (4), Catastrophic (5) • Example: • Asset: Internal MD mailbox • Risk: Access to content by press • Impact: Catastrophic (5)

  17. Risk Probability Assessment • Now for each entry measure the probability that the loss may happen • Real probabilities (difficult) or a relative scale (easier) such as: Low (0.3), Medium (0.6) and High (0.9) • Example: • Asset: Internal MD mailbox • Risk: Access to content by press • Probability: Low (0.3)

  18. Risk Exposure and Risk List • Multiply probability by impact for each entry • Exposure = Probability x Impact • Sort by exposure • High-exposure risks need very strong security measures • Lowest-exposure risks can be covered by default mechanisms or ignored • Example: • Press may access MD mailbox: Exposure = P(Low=0.3) x I(Catastrophic=5) = 1.5 • By the way, the minimum exposure is 0.3 and the maximum is 4.5 in our examples

  19. Mitigation and Contingency • For high-exposure risks plan: • Mitigation: reduce its probability or impact (and so its exposure) • Transfer: make someone else responsible for the risk • Avoidance: avoid the risk by not having the asset • Contingency: what to do if the risk becomes reality
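The Security Risk Analysis steps on slides 15–19 as a small worked risk register. This is an added example, not from the presentation: it uses the deck’s impact (1–5) and probability (0.3/0.6/0.9) scales, the slide’s MD-mailbox entry plus constructed entries, and assumed exposure thresholds for deciding which entries get a treatment plan.

```python
# Added example (not from the slides): a risk register using the deck's
# impact and probability scales. Exposure = Probability x Impact.
from dataclasses import dataclass

IMPACT = {"Trivial": 1, "Low": 2, "Medium": 3, "High": 4, "Catastrophic": 5}
PROBABILITY = {"Low": 0.3, "Medium": 0.6, "High": 0.9}


@dataclass(frozen=True)
class Risk:
    asset: str
    risk: str
    impact: str        # key into IMPACT
    probability: str   # key into PROBABILITY

    def exposure(self) -> float:
        return PROBABILITY[self.probability] * IMPACT[self.impact]


def exposure_bounds():
    """Lowest and highest exposure reachable on these scales (0.3 and 4.5)."""
    return (min(PROBABILITY.values()) * min(IMPACT.values()),
            max(PROBABILITY.values()) * max(IMPACT.values()))


def ranked(register):
    """The risk list: sorted by exposure, highest first."""
    return sorted(register, key=lambda r: r.exposure(), reverse=True)


def treatment(r, high=2.7, low=0.6):
    """Assumed policy: high exposure needs a mitigation/transfer/avoidance/
    contingency plan; the lowest exposure is left to default mechanisms."""
    e = r.exposure()
    return "plan" if e >= high else "default" if e <= low else "review"


def mitigated(r, impact=None, probability=None):
    """Mitigation: re-score the entry with reduced impact and/or probability."""
    return Risk(r.asset, r.risk, impact or r.impact, probability or r.probability)


# Constructed register; the first entry is the slide's own example (1.5).
REGISTER = [
    Risk("Internal MD mailbox", "Access to content by press", "Catastrophic", "Low"),
    Risk("Public web server", "Defacement", "Medium", "High"),
    Risk("Developer laptop", "Theft of unencrypted data", "High", "Medium"),
    Risk("Print server", "Outage", "Low", "Low"),
]
```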

  20. Framework 4: Threat Modeling • Structured analysis aimed at: • Finding infrastructure vulnerabilities • Evaluating security threats • Identifying countermeasures • Originated from software development security threat analysis • Steps: 1. Identify Assets 2. Create an Architecture Overview 3. Decompose the System 4. Identify the Threats 5. Document the Threats 6. Rate the Threats

  21. STRIDE: A Technique for Threat Identification (Step 4)

  22. Threat Tree • Root: Attack domain controller from inside (inside attack enabled) • OR of two AND branches: • AND: SQL Injection (an application doesn’t validate user’s input and allows evil texts) + Dev Server (unhardened SQL server used by internal developers) • AND: Messenger (novice admin uses an instant messenger on a server) + Xfer Trojan (attacker sends a trojan masquerading as a network util) + Soc Eng
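The threat tree on slide 22, evaluated as an AND/OR tree to find which conditions a defender must remove to disable the root attack. This is an added example, not from the presentation; the grouping of the five leaves into the two AND branches is an assumption read off the slide’s ordering, and the `Soc Eng` description is a placeholder because the slide gives none.

```python
# Added example (not from the slides): evaluate the slide's threat tree and
# compute the smallest sets of leaf conditions whose removal disables the root.
from itertools import combinations

# Assumed structure: root OR over two AND branches (grouping inferred).
TREE = ("OR", [
    ("AND", ["SQL Injection", "Dev Server"]),
    ("AND", ["Messenger", "Xfer Trojan", "Soc Eng"]),
])

# Leaf conditions as described on the slide (Soc Eng text is a placeholder).
LEAVES = {
    "SQL Injection": "An application doesn't validate user's input",
    "Dev Server": "Unhardened SQL server used by internal developers",
    "Messenger": "Novice admin uses an instant messenger on a server",
    "Xfer Trojan": "Attacker sends a trojan masquerading as a network util",
    "Soc Eng": "Social engineering (no description on the slide)",
}


def enabled(node, present):
    """True if the attack at `node` is possible given the leaf conditions present."""
    if isinstance(node, str):
        return node in present
    op, children = node
    results = [enabled(child, present) for child in children]
    return any(results) if op == "OR" else all(results)


def minimal_countermeasure_sets(tree, present):
    """Smallest sets of present conditions whose removal makes the root
    impossible: every AND branch must lose at least one leaf."""
    present = set(present)
    if not enabled(tree, present):
        return [set()]
    for size in range(1, len(present) + 1):
        found = [set(combo) for combo in combinations(sorted(present), size)
                 if not enabled(tree, present - set(combo))]
        if found:
            return found
    return []
```

With all five conditions present, every minimal set pairs one leaf from each branch, so hardening the dev SQL server alone leaves the instant-messenger path open.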

  23. Current Security Issues

  24. Industry Issues for 2005-2006 • Without undue generalisation: • Mobile security at data layer • Malware/spyware • Compliance auditing • Identity management • Patch/update management • Application defence • Intrusion detection

  25. Mobile Security at Data Layer • Laptops and PDAs are rarely protected against physical data extraction • Encryption with removable keys is very effective, though deployment requires planning and is sometimes cumbersome • Smartcards plus EFS, or an alternative system such as PGP etc., can be applied • Data recovery needs (legal and practical) complicate the matter greatly

  26. Spyware (Malware) Protection • 90% of machines have malicious software, on average 28 separate spyware programs (report by Earthlink & Webroot) • Zombies • Network bandwidth and CPU degradation • Commercial secrets leaked • Privacy destroyed • 3rd party liability arises • Best practice: • Spybot Search & Destroy • Microsoft AntiSpyware (in beta) • AdAware • Limit use of administrative privileges for end-users

  27. Compliance Auditing • An area of rapid growth, primarily due to Sarbanes-Oxley (“Sarbox”, or “Sox”) and EU Data Privacy regulation • In the hands of specialised providers, mainly the consulting business • Microsoft Operations Manager (MOM) can be applied for this purpose

  28. Identity Management • Heterogeneity of authentication and security measures is a common fact • Don’t fight it, integrate it • Synchronisation between directories, no matter how different, is becoming a reality with solutions built on systems such as MIIS (Identity Integration Server) • Alternatively, converge onto a client-side solution, such as smartcards or OTP/tokens

  29. Patch and Update Management • As of Sept 2005, Microsoft Update is fully functioning and integrates, at present: • Windows OS updates • Office • SQL Server • Exchange • More Microsoft products being added over the coming months • Enterprise solutions, however, will still benefit from a fully-managed software distribution system, such as SMS (Systems Management Server)

  30. Application Defence • As networks and hosts become well protected, application-level attacks are on the increase • Other than for very new in-house applications, development security has rarely been a concern • This is a major area of worry from the perspective of both insider and outside attacks • Approaches: • Prove it’s safe (threat modelling) • Isolate-and-monitor • Replace

  31. Treating Unproven Applications • Until proven to be secure, treat all applications as “evil” • Restrict access to users on a need-to-use basis only • Restrict remote use • Isolate to dedicated application servers • Restrict servers through IPSec policies to allow only the communication that applications explicitly require • Monitor usage patterns to establish a baseline and raise an alarm when patterns vary • Enable stringent auditing • Request a formal threat analysis if the above restrictions are too severe

  32. Intrusion Detection • Intrusion Detection Systems (IDS) are still fairly basic, though sophistication has grown in network-level detection • Honeypots, i.e. monitored vulnerable servers exposed as “bait”, are still very effective, though they may pose legal problems

  33. Trends for 2006

  34. Network Security – IPv6 • A major development for 2006+ will be the gradual replacement of IPv4 with IPv6 • Amongst the many benefits of this move, the crucial introduction of compulsory IPSec6 will provide much-needed authentication and confidentiality of data at wire level • Interesting issues still remain to be solved, but now is a very good time to seriously evaluate the technology • Windows Vista comes with a new IPv6 stack as part of the entirely rewritten TCP/IP substrate, called “Next Generation TCP/IP”

  35. Network Device Port Protection • Though long awaited, “802.1x for wired networks” is off to a confused start, as many basic devices, such as switches, are unlikely to support the technology as expected • With new infrastructure this technology might be useful in high-risk areas, especially exposed networks

  36. Smartcards • While not a new technology, Microsoft’s support in Windows Vista promises a serious approach to solving deployment, manageability and developer issues • Infocard specification for developers • Alacris acquisition (20 Sept) for smartcard lifecycle management • Axalto deal for smartcard infrastructure • Windows Vista re-write of smartcard functionality

  37. Biometrics • Overhyped: be careful and sceptical • Useful as a secondary protection of a private encryption key on a smartcard in a controlled environment • Advantage: • Simple and works in some environments, e.g. immigration control or secondary authentication of staff • Weakness: • Not useful for at-home, remote etc. applications, as there is no way to ensure it is your real fingerprint, iris, retina etc. being scanned • Biometric data can be stolen and used to fake identity – no way to change it later • Too many false positive and false negative matches

  38. Application-level Protection • With .NET Framework 2.0 and SQL Server 2005, developers can use a plethora of security technologies – easily • Developers are increasingly seen as responsible for security • This extends even to database developers, previously unlikely to engage in cryptography or ACL management • It is very important that all in-house and vertical solution-provider application developers undergo security training • Refresher courses or workshops are a good idea • Community participation helps

  39. Summary

  40. Summary • Viewing security holistically combines the perspectives of people, processes and technologies, and requires ongoing research and education • Security goals oppose those of usability • Frameworks enable achieving security goals without facing unexpected costs • Network and host protections are fairly mature • Developer-oriented solutions to prevent application-level attacks must be employed

  41. © 2005 Project Botticelli Ltd & Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. PROJECT BOTTICELLI AND MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. You must verify all the information presented before relying on it. E&OE.

  42. Welcome • Clare Dillon, Developer and Platform Group, Microsoft Ireland