A Holistic View of Enterprise Security
Rafal Lukawiecki
Strategic Consultant, Project Botticelli Ltd
rafal@projectbotticelli.co.uk
www.projectbotticelli.co.uk

Copyright 2005 © Microsoft Corp & Project Botticelli Ltd. E&OE. For informational purposes only. No warranties of any kind are made and you have to verify all information before relying on it. You can re-use this presentation as long as you read, agree, and follow the guidelines described in the “Comments” field in File/Properties.

Objectives

Define security in a practical, measurable, and achievable way
Introduce security frameworks
Introduce OCTAVE
Introduce simple risk assessment
Introduce the concepts of threat modelling for enterprise security
Overview major security technologies

Session Agenda

Defining Security Concepts
Building a Secure Environment
Processes
OCTAVE
Simplified Security Risk Analysis
Formal Threat Modelling
Summary

Defining Security Concepts

Security

Definition (Cambridge Dictionary of English):
  Ability to avoid being harmed by any risk, danger or threat
  …therefore, in practice, an impossible goal
What can we do then?
  Be as secure as needed
  Ability to avoid being harmed too much by reasonably predictable risks, dangers or threats (Rafal’s Definition)

Challenge

Security must be balanced with usability (and accessibility)
  Most secure = useless
  Most useful = insecure
Know the balance you need
  Factor the price: both security and usability cost a lot

Cost-Effectiveness of Security

“Appropriate business security is that which protects the business from undue operational risks in a cost-effective manner.” – Sherwood, 2003
Estimation of cost and effectiveness of security requires knowledge and estimation of:
  Assets to protect
  Possible threats or losses
  Cost of their prevention
  Cost of contingencies

Adequate Security

CERT usefully suggests:
  “A desired enterprise security state is the condition where the protection strategies for an organization's critical assets and business processes are commensurate with the organization's risk appetite and risk tolerances.” – www.cert.org/governance/adequate.html
Risk Appetite – defined through executive decision, influences the amount of risk worth taking to achieve enterprise goals and missions
  Relates to risks that must be mitigated and managed
Risk Tolerance – residual risk accepted
  Relates to risk for which no mitigation would be in place

1st Conclusion

As 100% security is impossible, you need to decide what needs to be secured and how well it needs to be secured
In other words, you need:
  Asset list
  Threat analysis to identify risks
  Risk impact estimate for each asset
  Ongoing process for reviewing assets, threats and risks
  Someone responsible for this process
  Operational procedures for responding to changing conditions (emergencies, high risk etc.)

Digital Security as Extension of Physical Security of Key Assets

Physical Security of KA | Digital Security | Result
Strong                  | Strong           | Good Security Everywhere
Weak                    | Strong           | Insecure Environment
Strong                  | Weak             | Insecure Environment

Aspects of Security
Static, passive, pervasive

Confidentiality
◄ Your data/service provides no useful information to unauthorised people
Integrity
◄ If anyone tampers with your asset it will be immediately evident
Authenticity
◄ We can verify that the asset is attributable to its authors or caretakers
Identity
◄ We can verify who is the specific individual entity associated with your asset
Non-repudiation
◄ The author, owner or caretaker of an asset cannot deny that they are associated with it

Aspects of Security
Dynamic, active, transient

Authorisation
◄ It is clear what actions are permitted with respect to your asset
Loss
◄ The asset is irrecoverably lost (or the cost of recovery is too high)
Denial of access (aka denial of service)
◄ Access to the asset is temporarily impossible

Approaches for Achieving Security

Two approaches are needed:
  Active, dynamic, transient
    Implemented through behaviour and pattern analysis
  Passive, static, pervasive
    Implemented through cryptography

Behaviour (Pattern) Analysis

Prohibits reaching an asset if access is out-of-pattern, e.g.:
  Password lock-out after N unsuccessful attempts
  Blocking packets at a router if too many come from a given source
  Denying a connection based on IPSec filter rules
  Stopping a user from seeing more than N records in a database per day
  Time-out of an idle secure session
“Active”
  Cannot always prevent unauthorised use of an asset
  Can prevent legitimate access – need easy and secure “unlock” mechanisms
  Strength varies with the sophistication of known attacks

Cryptography

Using hard mathematics to implement the passive security aspects mentioned earlier
“Static”
  Cannot detect or prevent problems arising from a pattern of behaviour
  Relies on physical security of Key Assets (such as master private keys etc.)
  Strength changes with time, depending on the power of computers and developments in cryptanalysis

Future Security Technologies

Behaviour analysis is under tremendous development at present
Expect from Microsoft:
  Microsoft Operations Manager 2005
    Already available, more rules on their way
  Active Protection
    Set of technologies for intrusion detection and automatic response and ongoing protection
Imagine: MOM + IDS based on neural network + GPOs

Holistic View of Security

Security should be:
  Static + Active
  across All Your Assets
  based on Ongoing Threat Risk Assessment

Building a Secure Environment

Defense in Depth

Using a layered approach:
  Increases an attacker’s risk of detection
  Reduces an attacker’s chance of success

Layer                             | Examples
Data                              | ACL, encryption
Application                       | Application hardening, antivirus
Host                              | OS hardening, update management, authentication
Internal Network                  | Network segments, IPSec, NIDS
Perimeter                         | Firewalls, VPN quarantine
Physical Security                 | Guards, locks, tracking devices, HSM
Policies, Procedures, & Awareness | User education against social engineering

Secure Environment

A secure environment is a combination of:
  Hardened hosts (nodes)
  Intrusion Detection System (IDS)
  Operating Processes
    Standard and Emergency
  Threat Modelling and Analysis
  Dedicated Responsible Staff
    Chief Security Officer (CSO) responsible for all
  Continuous Training
    Users and security staff – against “social engineering”

Processes

Operating Processes
  Microsoft Operations Framework (MOF)
  IT Infrastructure Library
  BS7799 and related ISO
  Informal: Standard and Emergency Operating Procedures
Risk and Threat Analysis Processes
  Simple Security Risk Analysis
  Attack Vectors and Threat Modelling
  OCTAVE

Operating Processes

As a minimum, define:
  Standard Operating Procedures
    Set of security policies used during “normal” conditions
    Could be based on Windows AD Group Policies
  Emergency Operating Procedures
    Tighter policies used during “high-risk” or “under-attack” conditions
Aim for compliance with an overall operational process framework
  E.g. Microsoft Operations Framework’s SLAs, OLAs and UCs

Education & Research

As a minimum, you really need to subscribe to security advisories:
  Microsoft Security Notification Service
    www.microsoft.com/security
  CERT
    www.cert.org
  SANS Institute
    www.sans.org
  Other vendor-specific
    CISCO, Oracle, IBM and so on
Apart from notifications, study available operational security guidance
  www.microsoft.com/technet/security

OCTAVE

OCTAVE

Operationally Critical Threat, Asset and Vulnerability Evaluation
Carnegie-Mellon University guidance
Origin in 2001
Used by US military and a growing number of larger organisations
www.cert.org/octave

Concept of OCTAVE

Workshop-based analysis
Collaborative approach
Guided by an 18-volume publication
  Very specific, with suggested timings, personnel selection etc.
  www.cert.org/octave/omig.html
Smaller version, OCTAVE-S, for small and medium organisations
  www.cert.org/octave/osig.html

OCTAVE Process
Progressive Series of Workshops

[Diagram: Planning, followed by three phases]
Phase 1: Organizational View
  Assets, Threats, Current Practices, Org. Vulnerabilities, Security Req.
Phase 2: Technological View
  Tech. Vulnerabilities
Phase 3: Strategy and Plan Development
  Risks, Protection Strategy, Mitigation Plans

Steps of OCTAVE Processes

[Diagram of the OCTAVE process steps; not reproduced in the text]

Simplified Security Risk Analysis

Examples

Asset:
  Internal mailbox of your Managing Director
Risk Impact Estimate (examples!):
  Risk of loss: Medium impact
  Risk of access by staff: High impact
  Risk of access by press: Catastrophic impact
  Risk of access by a competitor: High impact
  Risk of the MD temporarily having no access: Low impact
  Risk of change of content: Medium impact

Creating Your Asset List

List all of your named assets starting with the most sensitive
Your list won’t ever be complete; keep updating it as time goes on
Create default “all other assets” entries
Divide them into logical groups based on their probability of attack or the risk of their “location” between perimeters

Risk Impact Assessment

For each asset and risk attach a measure of impact
  Monetary scale if possible (difficult) or relative numbers with agreed meaning
  E.g.: Trivial (1), Low (2), Medium (3), High (4), Catastrophic (5)
Ex:
  Asset: Internal MD mailbox
  Risk: Access to content by press
  Impact: Catastrophic (5)

Risk Probability Assessment

Now for each entry measure the probability that the loss may happen
  Real probabilities (difficult) or a relative scale (easier) such as: Low (0.3), Medium (0.6), and High (0.9)
Ex:
  Asset: Internal MD mailbox
  Risk: Access to content by press
  Probability: Low (0.3)

Risk Exposure and Risk List

Multiply probability by impact for each entry
  Exposure = Probability x Impact
Sort by exposure
  High-exposure risks need very strong security measures
  Lowest-exposure risks can be covered by default mechanisms or ignored
Example:
  Press may access MD mailbox:
  Exposure = P(Low=0.3) x I(Catastrophic=5) = 1.5
By the way, minimum exposure is 0.3 and maximum is 4.5 in our examples
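
The simplified risk analysis of the last few slides (impact scale, probability scale, exposure, sorted risk list) carried through for the MD mailbox asset, as an added example that is not part of the original presentation. The two scales are the slides' own; only the press risk's probability (Low) is given on the slides, so the other probabilities in the register and the two treatment thresholds are assumed values for this example.

```python
# Simplified security risk analysis from the slides: Exposure = Probability x Impact.
# Scales are the slides' own; the MD-mailbox register below is constructed for this
# example (only the press risk's Low probability is on the slides, the rest is assumed).
from __future__ import annotations
from dataclasses import dataclass

IMPACT = {"Trivial": 1, "Low": 2, "Medium": 3, "High": 4, "Catastrophic": 5}
PROBABILITY = {"Low": 0.3, "Medium": 0.6, "High": 0.9}


@dataclass(frozen=True)
class Risk:
    asset: str
    description: str
    impact: str       # key of IMPACT
    probability: str  # key of PROBABILITY

    def exposure(self) -> float:
        # Floating point: 0.3 * 5 is 1.5 exactly, 0.6 * 4 is not, so round.
        return round(PROBABILITY[self.probability] * IMPACT[self.impact], 2)

def exposure_bounds() -> tuple[float, float]:
    """Smallest and largest exposure the two scales can produce (0.3 and 4.5)."""
    return (round(min(PROBABILITY.values()) * min(IMPACT.values()), 2),
            round(max(PROBABILITY.values()) * max(IMPACT.values()), 2))

def treatment(exposure: float, strong_at: float = 2.0, ignore_below: float = 0.6) -> str:
    """Slide guidance mapped to exposure; both thresholds are assumed, not from the slides."""
    if exposure >= strong_at:
        return "very strong measures"
    return "default mechanisms or ignore" if exposure < ignore_below else "standard measures"

def ranked_risk_list(risks: list[Risk]) -> list[tuple[str, float, str]]:
    """Risk list sorted by exposure, highest first, each with its treatment."""
    rows = [(r.description, r.exposure(), treatment(r.exposure())) for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)

MD_MAILBOX = [  # constructed register; impacts are the slide's example values
    Risk("Internal MD mailbox", "Loss of mailbox", "Medium", "Low"),
    Risk("Internal MD mailbox", "Access by staff", "High", "Medium"),
    Risk("Internal MD mailbox", "Access by press", "Catastrophic", "Low"),
    Risk("Internal MD mailbox", "Access by a competitor", "High", "Low"),
    Risk("Internal MD mailbox", "MD temporarily without access", "Low", "High"),
    Risk("Internal MD mailbox", "Change of content", "Medium", "Low"),
]

if __name__ == "__main__":
    for name, exp, action in ranked_risk_list(MD_MAILBOX):
        print(f"{exp:4.2f}  {name:30s} -> {action}")
```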

Mitigation and Contingency

For high-exposure risks plan:
  Mitigation: reduce its probability or impact (and so its exposure)
  Transfer: make someone else responsible for the risk
  Avoidance: avoid the risk by not having the asset
  Contingency: what to do if the risk becomes reality

Formal Threat Modelling

Threat Modeling

Structured analysis aimed at:
  Finding infrastructure vulnerabilities
  Evaluating security threats
  Identifying countermeasures
Originated from software development security threat analysis

Steps:
  1. Identify Assets
  2. Create an Architecture Overview
  3. Decompose the System
  4. Identify the Threats
  5. Document the Threats
  6. Rate the Threats

Architecture Diagram (Step 2)

[Diagram: users Bob, Alice and Bill reach a Web Server (IIS, ASP.NET, Login page) through a Firewall; the Web Server talks to a Database Server holding the Main and State databases. Assets #1 to #6 are marked on the diagram.]

Decomposition (Step 3)

[Diagram: the same architecture, annotated with its security mechanisms: Forms Authentication and URL Authorization on the Web Server (IIS, ASP.NET, Login page), a Trust boundary between the Web Server and the Database Server (Main and State databases), DPAPI, and Windows Authentication to the database; Bob, Alice and Bill connect through the Firewall.]

STRIDE
A Technique for Threat Identification (Step 4)

Type of Threat         | Examples
Spoofing               | Forging email message; replaying authentication
Tampering              | Altering data during transmission; changing data in database
Repudiation            | Delete critical data and deny it; purchase product and deny it
Information disclosure | Expose information in error messages; expose code on web site
Denial of Service      | Flood web service with invalid requests; flood network with SYN
Elevation of Privilege | Obtain Administrator privileges; use assembly in GAC to create account

Threat Tree

Goal: Inside Attack Enabled (attack domain controller from inside)
OR
  AND
    SQL Injection: an application doesn’t validate user’s input and allows evil texts
    Dev Server: unhardened SQL server used by internal developers
  AND
    Messenger Xfer: novice admin uses an instant messenger on a server
    Trojan Soc Eng: attacker sends a trojan masquerading as network util

Attack Vector in a Threat Tree

Goal: Theft of Auth Cookies (obtain auth cookie to spoof identity)
OR
  AND
    Unencrypted Connection: cookies travel over unencrypted HTTP traffic
    Eavesdropping: attacker uses sniffer to monitor HTTP
  AND
    Cross-Site Scripting: attacker possesses means and knowledge
    XSS Vulnerability: application is vulnerable to XSS attacks

Document Threats (Step 5)

Description                  | Target                | Risk | Attack Techniques        | Countermeasures
Attacker obtains credentials | User Auth process     |      | Sniffer                  | Use SSL to encrypt channel
Injection of SQL commands    | Data Access Component |      | Append SQL to user name  | Validate user name; parameterized stored procedure for data access
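
An AND/OR evaluation of the "Theft of Auth Cookies" threat tree from the attack-vector slide, joined to the Step 5 countermeasure table, as an added example that is not part of the original presentation. It lists the leaf-condition sets that reach the goal and shows which of them a countermeasure closes; the tree transcribes the slide, while the mapping of each countermeasure to the leaf it negates (SSL removes "Unencrypted Connection", input validation removes "XSS Vulnerability") is an assumption made for this example.

```python
# Threat-tree evaluation for the 'Theft of Auth Cookies' tree (slide 42) against the
# Step 5 countermeasures. The tree transcribes the slide; which leaf each countermeasure
# removes is an assumption for this example, not something the slides state.
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    op: str = "LEAF"                      # "AND", "OR" or "LEAF"
    children: list[Node] = field(default_factory=list)


def attack_paths(node: Node) -> list[frozenset[str]]:
    """All minimal sets of leaf conditions that together reach the root goal."""
    if node.op == "LEAF":
        return [frozenset([node.name])]
    if node.op == "OR":                   # any one child path suffices
        return [p for child in node.children for p in attack_paths(child)]
    paths = [frozenset()]                 # AND: one path from every child, combined
    for child in node.children:
        paths = [p | q for p in paths for q in attack_paths(child)]
    return paths


def remaining_paths(root: Node, countermeasures: dict[str, set[str]],
                    applied: set[str]) -> list[frozenset[str]]:
    """Paths still open once the applied countermeasures negate their leaf conditions."""
    removed = set().union(*(countermeasures[c] for c in applied))
    return [p for p in attack_paths(root) if not p & removed]


def goal_reachable(root: Node, countermeasures: dict[str, set[str]],
                   applied: set[str]) -> bool:
    return bool(remaining_paths(root, countermeasures, applied))


# Slide 42 tree: OR over two AND branches, each with two leaf conditions.
COOKIE_THEFT = Node("Theft of Auth Cookies", "OR", [
    Node("via sniffing", "AND", [Node("Unencrypted Connection"), Node("Eavesdropping")]),
    Node("via XSS", "AND", [Node("XSS Vulnerability"), Node("Cross-Site Scripting")]),
])

# Assumed mapping of countermeasures to the leaf conditions they negate.
COUNTERMEASURES = {
    "Use SSL to encrypt channel": {"Unencrypted Connection"},
    "Validate user input": {"XSS Vulnerability"},
}
```

With only the SSL countermeasure applied the goal is still reachable through the XSS branch, which is the point of enumerating the tree rather than fixing the single path that was documented.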

Rate Threats (Step 6)

Rate Risk:
  Probability-Impact-Exposure
    Risk Exposure = Probability * Damage Potential
  DREAD

DREAD

D – Damage Potential
R – Reproducibility
E – Exploitability
A – Affected Users
D – Discoverability

Rate each category High (3), Medium (2) and Low (1)

Threat                       | D | R | E | A | D | Total | Rating
Attacker obtains credentials | 3 | 3 | 2 | 2 | 2 | 12    | High
Injection of SQL commands    | 3 | 3 | 3 | 3 | 2 | 14    | High
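
The DREAD scoring from the table above, carried through in code as an added example that is not part of the original presentation. The per-category scale and the two threats' scores are the slide's; the bands that turn a total into High, Medium or Low are an assumption for this example, since the slide only shows that 12 and 14 both rate High.

```python
# DREAD rating for the two threats documented in Step 5 (scores from the slide's table).
# The High/Medium/Low bands for the total are assumed for this example; the slide gives
# only the per-category scale (High 3, Medium 2, Low 1).
from __future__ import annotations

CATEGORIES = ("Damage Potential", "Reproducibility", "Exploitability",
              "Affected Users", "Discoverability")
SCALE = {"High": 3, "Medium": 2, "Low": 1}
BANDS = ((12, "High"), (8, "Medium"), (5, "Low"))   # assumed: lowest total for each rating


def dread_total(scores: dict[str, int]) -> int:
    """Sum the five category scores after checking each one is on the 1..3 scale."""
    missing = set(CATEGORIES) - set(scores)
    if missing:
        raise ValueError(f"missing DREAD categories: {sorted(missing)}")
    for category in CATEGORIES:
        if scores[category] not in SCALE.values():
            raise ValueError(f"{category} must be 1, 2 or 3, got {scores[category]!r}")
    return sum(scores[c] for c in CATEGORIES)


def dread_rating(total: int) -> str:
    for floor, rating in BANDS:
        if total >= floor:
            return rating
    raise ValueError(f"total {total} is below the minimum possible DREAD total of 5")


def rank_threats(threats: dict[str, dict[str, int]]) -> list[tuple[str, int, str]]:
    """Threats ordered by DREAD total, highest first; the total orders threats that share a rating."""
    rows = [(name, dread_total(s), dread_rating(dread_total(s))) for name, s in threats.items()]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Scores from the slide's table, in D, R, E, A, D order.
THREATS = {
    "Attacker obtains credentials": dict(zip(CATEGORIES, (3, 3, 2, 2, 2))),
    "Injection of SQL commands": dict(zip(CATEGORIES, (3, 3, 3, 3, 2))),
}
```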

Summary

Viewing security holistically combines perspectives of people, processes, technologies and requires ongoing research and education
Security goals oppose those of usability
Cost of protection is a factor that necessitates a risk assessment
Processes such as OCTAVE allow for threat identification as well as cost-effectiveness analysis
Lower security needs can be solved with cheaper, reactive approaches
High security needs require more expensive, formal methods
