Security Architecture & Design
University of the Cumberlands School of Computer & Information Sciences
ISOL-536 - Security Architecture & Design
Chapter 2: The Art of Security Assessment Spring 2020
Dr. Errol Waithe
Chapter 2: The Art of Security Assessment • 2.1 Why Art and Not Engineering? • 2.2 Introducing “The Process” • 2.3 Necessary Ingredients • 2.4 The Threat Landscape
• 2.4.1 Who Are These Attackers? Why Do They Want to Attack My System? • 2.5 How Much Risk to Tolerate? • 2.6 Getting Started
2.1 Why Art and Not Engineering?
The branch of science and technology concerned with the design, building, and use of engines, machines, and structures.
Definition of “engineering”:
• In contrast, a security architect must use her or his understanding of the currently active threat agents in order to apply these appropriately to a particular system. Whether a particular threat agent will aim at a particular system is as much a matter of understanding, knowledge, and experience as it is cold hard fact. Applying threat agents and their capabilities to any particular system is an essential activity within the art of threat modeling. Hence, a security assessment of an architecture is an act of craft.
2.2 Introducing “The Process”
• Because we security architects have methodologies, or I should say, I have a map in my mind while I assess, I can allow myself to run down threads into details without losing the whole of both the architecture and the methodology.
• Practitioners will express these steps in different ways, and there are certainly many different means to express the process, all of them valid.
• This series of steps assumes that the analyst has sufficient understanding of system architecture and security architecture going into the analysis.
2.2 Introducing “The Process” – Cont.
• As you read the following list, please remember that there are significant prerequisite understandings and knowledge domains that contribute to a successful ARA.
• Collect the set of credible attack surfaces. • Enumerate threats for this type of system and its intended deployment
• Consider threats’ usual attack methods. • Consider threats’ usual goals.
• Risk assess each attack surface. Risk rating will help to prioritize attack. surfaces and remediation.
• Factor in each existing security control (mitigations). • Intersect threat’s attack methods against the inputs and connections.
These are the set of attack surfaces. • Enumerate inputs and connections
2.2 Introducing “The Process” – Cont. • An analysis must first uncover all the credible attack vectors of the
system. This simple statement hides significant detail. At this point in this work, it may be sufficient to outline the following mnemonic, “ATASM.” Figure 2.1 graphically shows an ATASM flow:
Figure 2.1 Architecture, threats, attack surfaces, and mitigations.
2.2 Introducing “The Process” – Cont.
• These four steps are sketched in the Picture 2.1 – If we break these down into their constituent parts, we might have a list something like the following, more detailed list:
• Diagram (and understand) the logical architecture of the system. • List all the possible threat agents for this type of system. • List the goals of each of these threat agents. • List the typical attack methods of the threat agents. • List the technical objectives of threat agents applying their attack methods. • Decompose (factor) the architecture to a level that exposes every possible attack
surface. • Apply attack methods for expected goals to the attack surfaces.
2.3 Necessary Ingredients • Just as a good cook pulls out all the ingredients from the cupboards and arranges
them for ready access, so the experienced assessor has at her fingertips information that must feed into the assessment.
Figure 2.2 Knowledge sets that feed a security analysis.
Figure 2.3 Strategy knowledge, structure information, and system specifi cs.
2.3 Necessary Ingredients – Cont. • Figure 2.3 places each contributing knowledge domain within the area for which it is
most useful. If it helps you to remember, these are the “3 S’s.” Strategy, infrastructure and security structures, and specifications about the system help determine what is important: “Strategy, Structures, Specification.”
Figure 2.3 Strategy knowledge, structure information, and system specifics.
2.4 The Threat Landscape
• Differing groups target and attack different types of systems in different ways for different reasons. Each unique type of attacker is called a “threat agent.” The threat agent is simply an individual, organization, or group that is capable and motivated to promulgate an attack of one sort or another.
• Threat agents are not created equal. • They have different goals. • They have different methods. • They have different capabilities and access. • They have different risk profiles and will go to quite different lengths to be
successful.
2.4 The Threat Landscape – Cont.
• There are three key attributes of human attackers, as follows: • Intelligence • Adaptivity • Creativity
This means that whatever security is put into place can and will be probed, tested, and reverse engineered.
2.4.1 Who Are These Attackers? Why Do They Want to Attack My System? • Cyber crime can be an organized criminal’s “dream come true.” Attacks
can be largely anonymous. Plenty of attack scenarios are invisible to the target until after success: Bank accounts can be drained in seconds. There’s typically no need for heavy handed thuggery, no guns, no physical interaction whatsoever. These activities can be conducted with far less risk than physical violence. “Clean crime?”
2.4.1 Who Are These Attackers? Why Do They Want to Attack My System? – Cont. • There are documented cases of criminals carefully targeting a particular
organization. But even in this case, the attacks have gone after the weak links of the system, such as poorly constructed user passwords and unpatched systems with well-known vulnerabilities, rather than highly sophisticated attack scenarios making use of unknown vulnerabilities.
• Further, there’s little incentive to carefully map out a particular person’s digital life. That’s too much trouble when there are so many (unfortunately) who don’t patch their systems and who use the same, easily guessed password for many systems. It’s a simple matter of time and effort. When not successful, move on to the next mark.
2.4.1 Who Are These Attackers? Why Do They Want to Attack My System? – Cont. • Sometimes a single set of data is targeted, and sometimes the attacks
seem to be after whatever may be available. Multiple diversionary attacks may be exercised to hide the data theft. Note the level of sophistication here:
• Carefully planned and coordinated • Highly secretive • Combination of techniques (sometimes highly sophisticated)
2.4.1 Who Are These Attackers? Why Do They Want to Attack My System? – Cont. • Figure 2.4 attempts to provide a visual mapping of the relationships
between various attributes that we might associate with threat agents. This figure includes inanimate threats, with which we are not concerned here. Attributes include capabilities, activity level, risk tolerance, strength of the motivation, and reward goals.
• Next slide - Figure 2.4 Threat agent attribute relationships.
Chapter 2: Summary Information assurance is achieved when information and information systems are protected against attacks through the application of security services such as availability, integrity, authentication, confidentiality, and nonrepudiation. The application of these services should be based on the protect, detect, and react paradigm.
• This means that in addition to incorporating protection mechanisms, organizations need to expect attacks and include attack detection tools and procedures that allow them to react to and recover from these unexpected attacks.
- University of the Cumberlands�School of Computer & Information Sciences��
- Chapter 2: The Art of Security Assessment
- 2.1 Why Art and Not Engineering?
- 2.2 Introducing “The Process”
- 2.2 Introducing “The Process” – Cont.
- 2.2 Introducing “The Process” – Cont.
- 2.2 Introducing “The Process” – Cont.
- 2.3 Necessary Ingredients
- 2.3 Necessary Ingredients – Cont.
- 2.4 The Threat Landscape
- 2.4 The Threat Landscape – Cont.
- 2.4.1 Who Are These Attackers? Why Do They Want to Attack My System?
- 2.4.1 Who Are These Attackers? Why Do They Want to Attack My System? – Cont.
- 2.4.1 Who Are These Attackers? Why Do They Want to Attack My System? – Cont.
- 2.4.1 Who Are These Attackers? Why Do They Want to Attack My System? – Cont.
- Slide Number 16
- Chapter 2: Summary