Metrics to Assess and Manage Software Application Security Risk. M. Sahinoglu, S. Stockton, S. Morton, P. Vasudev, M. Eryilmaz

Transcription

1 Metrics to Assess and Manage Software Application Security Risk M. Sahinoglu, S. Stockton, S. Morton, P. Vasudev, M. Eryilmaz Auburn University at Montgomery (AUM) and ATILIM University, Ankara Abstract: Software application security risk is of critical importance to modern enterprises and organizations. The very existence of these entities often depends on the successful and secure operation of mission critical applications such as the outer space explorations and high assurance scenarios regarding the surgery table for one striking example. Software application security risk is concerned primarily with how security personnel, facility managers, network personnel, management, and other interested parties rate their experience with the various aspects of software security risk, and overall management and maintenance, including issues such as continuity or availability of service, security design and configuration to name a few. To address this need, the principal author has built the fundamental (probability and gametheory related) computational aspects and an associated automated software tool for quantitative risk management. This tool, the Risk-o-Meter (RoM) provides measurable risk, advice for cost and risk mitigation on vulnerabilities and threats associated with the implementation and operation of software applications. I. INTRODUCTION The identification and management of risk is a critical part of operating an IT system. While there are many approaches to identifying and managing risk, many managers focus only on the security of the software and often neglect the other aspects of system operations. Additionally, once all risks are identified, formulating a costoptimized solution to mitigate undesirable risks to a tolerable level is often an ad-hoc process. In this research, we adopt a model of software application risk that quantifies the user s experience with six crucial aspects of the software application security environment. However we will add an original concept of quantification to the existing model through a designed algorithm by the principal author to calculate the software application security risk index [1]. To accomplish this task, numerical and/or cognitive data was collected to supply the input parameters to calculate the quantitative security risk index for software applications. This paper will not only present a quantitative model but also provide a remedial cost-optimized gametheoretic analysis about how to bring

2 an undesirable risk down to a locallydetermined tolerable level. II. METHODOLOGY This applied research paper implements a methodology on how to reduce the risk associated with the Software Application Security Risk associated with implementing and operating an Information Technology (IT) system. A software-centered composite security approach is proposed to aid security personnel, facility managers, and network personnel within an organization. In order to control the risk associated with the implementation of an IT system, concepts such as continuity of operations, security design and configuration of the software, the U.S. Department of Defense s Enclave Boundary Defense construct, a system s identification and authentication process, the physical environment where the system will be operated, and the personnel associated with operating the system (to name a few), should be considered. The primary author s innovation, i.e. RoM (Risk-O-Meter), an automated software tool based on game theory, will provide IT managers a measurable assessment of the current security posture of their implemented IT system by detailing associated cost and risk mitigation suggestions for countering identified vulnerabilities and threats associated with the IT system. The RoM will greatly facilitate the assessment and enhancement of the current security of an implemented IT system. Additionally, the Risk of Operation or Unavailability metric out of 100% will be assessed to provide a remedial cost-optimized gametheoretic analysis to bring an undesirable risk down to a user determined tolerable level [2]. While the Risk-O-Meter can be applied to virtually any organization subject to systemic threats/vulnerabilities to their business operations, this particular implementation focuses on six key areas critical in ensuring Software Application security. Continuity: Regardless of the quality of a given software application, continuous and uninterrupted operations are critical for mission critical applications. In order to achieve such availability, alternate site planning, backup and restoration processes, exercises and drills, enclave boundary defense, and disaster planning have to be considered. Each of these areas must be addressed to ensure optimal user availability of the application. Security Design and Configuration: This area focuses on secure-by-design and subsequent configuration of the software itself as well as the platform you choose to run the application on. This entails industry best practices for acquisition standards and configuration specifications, as well as compliance testing, operational best security practices, and proper implementation of nonrepudiation.

3 Enclave Boundary Defense: Unless the software application operates in a stand-alone environment, the security defenses of the enclave it runs within are crucial to the overall security health of an application. This is the first line of defense and determines what barriers are in place to prevent unauthorized access to the platform running the application and to ensure authorized access is securely administered. This key area focuses on overall boundary defense, connection rules, remote access, encryption, confidentiality, and proper network and system auditing. Identification and Authentication: While boundary defenses provide an excellent defense for software systems, one key to a secure system is to ensure that individuals who are allowed access to the application can be identified and authenticated. This key area focuses on account control, use of individual accounts, key management, tokencertificate standards, and group authentication. Physical Environment: While much attention is given to keeping unauthorized/unwanted individuals from gaining access to systems via electronic means, the facilities that house these platforms must also be protected to prevent system compromise. Additionally, the facilities must also be evaluated for their ability to protect the individuals responsible for maintaining the application and ensuring the application remains online and available to users. This key area focuses on the physical protection provided to an application and covers access to the facilities, protection against data interception, emergency lighting and power, use of screen locks, and storage of data/hardware. Personnel: Personnel, in various forms, are often the biggest threat to software applications. While there are many opportunities for individuals to impact the security of an application while it is being developed, tested and fielded, this area focuses on the personnel that may impact the operational security of an application. This key area focuses on personnel access to information, maintenance personnel, IA training, rules of behavior, and background checks. While it is critical to ensure that applications are secure-by-design, the daily challenge is to ensure that a given software application remains operationally secure on a daily basis. This research focuses on the areas vital to secure application operations and provides field managers with an analysis they can use to more efficiently secure their operational environments, including cloud [3].

4 III. VULNERABILITY AND THREAT ASSESSMENT STRUCTURE As previously noted, six vulnerabilities are assessed: Continuity, Security Design and Configuration, Enclave Boundary Defense, Identification and Authentication, Physical and Environmental, and Personnel. Within each vulnerability category, questions pertain to specific threats and countermeasures. For example, within the Continuity vulnerability, users are asked questions regarding Alternate Sites, Backup and Restoration, and Exercises and Drills threats and countermeasures. Within the Enclave Boundary Defense vulnerability, users are asked questions regarding Boundary Defense, Connection Rules, and Remote Access threats and countermeasures. Within the Physical and Environmental vulnerability, users are asked questions regarding Access to Facilities, Data Interception, and Emergency Lighting threats and countermeasures. See Figure 1 below for the Software Application Security Risk diagram detailing vulnerabilities and threats. The user s responses are then used as input for the RoM to generate a quantitative software application security risk index using a gametheoretical mathematical algorithm. Steve Stockton CSIS6952 Continuity Alternate Site Backup & Restoration Exercises & Drills Enclave Boundary Defense Disaster Planning Security Design and Configuration Acquisition Standards Configuration Specifications Compliance Testing Best Security Practices Non-Repudiation Software Application Risk Diagram Enclave Boundary Defense Identification and Authentication Boundary Defense Connection Rules Remote Access Confidentiality - Encryption Auditing Account Control Individual Accounts Key Management Token-Certificate Standards Group Authentication Physical Environment Access to Facilities Data Interception Emergency Lighting Screen Locks Storage Personnel Access to Information Maintenance Personnel IA Training Rules of Behavior Background Checks Figure 1: Software Application Security Risk Tree Diagram

5 IV. SAMPLE ASSESSMENT QUESTIONS Questions are designed to elicit the user s response regarding the perceived risk to software application security from particular threats, and the countermeasures the users may employ to counteract those threats. For example, in the Identification and Authentication vulnerability, questions regarding Account Control include both threat and countermeasure questions. Threat questions would include: Is a comprehensive account management process unimplemented? Are controls lacking to ensure that only authorized users can gain access to workstations, applications, and networks? During the creation of a new account for a system user, does the registration process leave the required information uncollected? While countermeasure questions would include: Are default accounts removed/disabled during installation of servers and workstations? Are accounts disabled and user IDs and passwords removed within 48 hours of notification that a user no longer requires or is authorized system access? Do system administrators immediately disable any account through which unauthorized user activity has been detected? V. RISK CALCULATION AND MITIGATION Essentially, the users are responding yes or no to these questions. These responses are used to calculate residual risk. Using a game-theoretical mathematical approach, the calculated risk index is used to generate an optimization or lowering of risk to desired levels [1]. Further, mitigation advice will be generated to guide security personnel, facility managers, network personnel, management, and other interested parties. Or more specifically, in what areas can the risk be reduced to optimized or desired levels (such as from 37% to 27% in the screenshot representing the median response from the study participants). See Figure 2 below for the screenshot of the Median Software Application Security Risk Meter Results Table displaying threat, countermeasure, and residual risk indices, optimization options, as well as risk mitigation advice. For this study, a random sample of 31 respondents was taken. Their residual risk results are tabulated and presented in Appendix A at the end of this paper. Respondents experience in software application security risk included both corporate and governmental.

6 Figure 2: Median Software Application Security Risk Meter Results Table

7 VI. CONCLUSION The Software Application Security Risk Meter breaks new ground in that it provides a quantitative assessment of risk to the user as well as recommendations for mitigating that risk. As such, it will be a highly useful tool for security personnel, facility managers, network personnel, management, and other interested parties seeking to minimize and mitigate software application security risk in an objective, quantitatively based manner. Future work will involve the incorporation of new questions so as to better refine user responses and subsequent calculation of risk and mitigation recommendations. Minimization and mitigation of software application security risk will greatly benefit not only the organizations deploying the applications, but society at large through the minimization of security breaches leading to monetary loss and ID theft. The Software Application Security Risk Meter tool and its future refinement provide the means to do so as there are and always will be software application security risks in cyberspace [4,5]. VII. REFERENCES [1] M. Sahinoglu, Trustworthy Computing, John Wiley, [2] M. Sahinoglu, An Input-Output Measurable Design for the Security Meter Model to Quantify and Manage Software Security Risk, IEEE Transactions on Instrumentation and Measurement, Vol. 57, No. 6, pp , June [3] K. Hashizume, D. G. Rosdao, E. Fernandez-Medina, E. B. Fernandez, An Analysis of Security Issues for Cloud Computing, Journal of Internet Services and Applications,, 2013; doi: / t/4/1/5 (Accessed 12/18/2013) [4] 3/Top-10-Security-Risks (Accessed 12/18/2013) [5] M. Sahinoglu, L. Cueva-Parra, D. Ang, Game-theoretic computing in risk analysis, WIREs Comput. Stat 2012, doi: /wics, 1205, or/onlinelibrarytps.asp?doi= /wics.1205&ArticleID=961931

8 Appendix A: Respondent Residual Risk Results Table SURVEY TAKER RESIDUAL RISK % RANKED OVERALL (OUT OF 31) REMARKS Company A th 1 st out of 11 within Company A Company A st 11 th out of 11 within Company A Company A th 8 th out of 11 within Company A Company A th ~OVERALL 4 th out of 11 within Company A AVERAGE Company A th 5 th out of 11within Company A Company A th 10 th out of 11 within Company A Company A th 9 th out of 11 within Company A Company A th 2 nd out of 11 within Company A Company A th 7 th out of 11 within Company A Company A st 6 th out of 11 within Company A (Group Median for Company A) Company A th 3 rd out of 11 within Company A Company B th 5 th out of 11 within Company B Company B nd 2 nd out of 11 within Company B Company B th 4 th out of 11 within Company B Company B th 6 th out of 11 within Company B (Group Median for Company B) Company B st 1 st out of 11 within Company B Company B th 8 th out of 11 within Company B Company B th 7 th out of 11 within Company B Company B th 10 th out of 11 within Company B Company B rd 3 rd out of 11 within Company B Company B th 9 th out of 11 within Company B Company B th 11 th out of 11 within Company B Company C rd 8 th out of 9 within Company C Company C th 3 rd out of 9 within Company C Company C nd 7 th out of 9 within Company C Company C th 1 st out of 9 within Company C Company C th 5 th out of 9 within Company C (Group Median for Company C) Company C th = OVERALL MEDIAN 4 th out of 9 within Company C Company C th 9 th out of 9 within Company C Company C th 6 th out of 9 within Company C Company C th 2 nd out of 9 within Company C Table 1. Companies (A, B, C) Survey Results for the Risk-O-Meter study, ranked within and overall, where Median: 37.06% (C6) and Average: 38.58% (A4: 39.47% is the result that comes the closest).