Policy-based Audit of Security Configuration. April 24-25, Berlin Serena Ponta, Henrik Plate (SAP)

Transcription

1 Policy-based Audit of Security Configuration Cyber Security & Privacy EU Forum 2012 Cyber Security & Privacy EU Forum 2012 April 24-25, Berlin Serena Ponta, Henrik Plate (SAP)

2 Audit objective Gain assurance that an organization s control framework meets and met defined security objectives Requirement Policy Objectives Design Effectiveness Abstract Config Control Design Concrete Config Control Implement. Operating Effectiveness 2

3 Design Effectiveness Check that controls are properly designed Requirement Policy Leverage models present in central repository & ontology accessible to internals & externals (restricted to audit scope) current and past versions build audit program Audit Scope Abstract Config Concrete Config Explore system & security models Show IT security policies linked to CC Data! Show IT security policies linked to the inbound interface for CC data! Query models to check coverage Is CC data sent over communication channels w/o being protected by a policy for confidentiality? 3

4 Operating Effectiveness Check that controls work as designed Compliance Assessment Checklists/checks reflect policy chain Check known targets XML Checklists and Checks to describe (un)desired configurations Vulnerability Assessment Checklists/checks provided by externals, e.g., vendors, researchers and initiatives such as OWASP Check every potentially affected target Repository &Processor CMDB Auditee 4

5 Compliance Assessment Checklist structure follows policy chain build automatically, starting from model elements references checks for all relevant targets draft audit program given to auditors and reimported AuthC Policy AuthZ Policy AC Requirement Abstract Config Checklist Access Control Req. for Business Service einvoice AuthZ for Webapp einvoice Check 1: Rev-proxy on Apache server (IP-add1) Check 2: Realm on Tomcat (IP-add2) Check 3: web.xml of Webapp einvoice (IP-add2) AuthCfor einvoice Concrete Config Check 4 on target1 Check 5 on target2 5

6 Compliance Assessment AuthC Policy AC Requirement AuthZ Policy Assessment of configuration discrepancies Discrepancy security issue Judge by looking up in the policy chain Reflect analysis and result in fulfillment state of upper-layer concepts Pi Prioritization iti by means of weights and CCSS Remediation Redeployment of golden configuration Acceptance Re-design 6

7 Vulnerability Assessment Standardized representation of security knowledge Fosters collaboration and communication Allows exchange of security content Created independently from particular env. Fastens detection of vulnerabilities at increased precision and coverage Extended OVAL checks Conditions over software properties, software relationships, and configuration Relate targets t in distributed ib t d environments From OS-centric checks to Web apps & services Abstract from configuration retrieval Best-Practice Check (SANS) A Web app is securely configured if Deployed in a Servlet container supporting the Servlet spec = 3.0, HttpOnly flag is enabled in deployment descriptor 7

8 Vulnerability Assessment Examples & Screenshot Vulnerability check (CVE ) Tomcat vulnerability exploitable if Version < , AND APJ connector class Y used, AND Apache reverse proxy and Tomcat do not use a share password Best-Practice Check (SANS) A Web app is securely configured if Deployed in a Servlet container supporting the Servlet spec = 3.0, HttpOnly flag is enabled in deployment descriptor 8

9 Take-aways Get involved Work with us to experiment With our automatic generator of (optimized) configuration for network security controls, based on a description of your network and its policies i With tools for audit and configuration assessment based on public standards Get early access to project results (and influence them) Get information Download documents and scientific papers from Contact the speakers 9

10 Get more information PoSecCo website: Public documents related to audit D4.1 Standardized Audit Interfaces D4.4 Concept and architecture for automated model creation, population, maintenance and audit D4.5 Final version of a configuration validation language Contacts Dr. Serena Ponta (SAP) serena.ponta@sap.com Henrik Plate (SAP) henrik.plate@sap.com 10

11 THANK YOU!

12 Disclaimer EU Disclaimer PoSecCo project (project no ) is partially supported/co-funded by the European Community/ European Union/EU under the Information and Communication Technologies (ICT) theme of the 7th Framework Programme for R&D (FP7). This document does not represent the opinion of the European Community, and the European Community is not responsible for any use that might be made of its content. PoSecCo Disclaimer The information in this document is provided "as is", and no guarantee or warranty is given that the information is fit for any particular purpose. The above referenced consortium members shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials subject to any liability which h is mandatory due to applicable law. 12

13