Cyril Onwubiko Networking and Communications Group ncg.kingston.ac.

Transcription

1 Cyril Onwubiko Networking and Communications Group ncg.kingston.ac..ac.uk (0)

2 Security Threats & Vulnerabilities in assets are two most fundamental challenges Characterised as being Unavoidable present in most assets Evolving freshly identified (Day-Zero attacks) Increasing growing incidents Increased risk of network attack Technical models without proper evaluation Existing Classification models not comprehensive Impact leading to huge financial losses Cost an issue for Small to Mid-size

3 Threats Ranking Deliberate Software threats viruses & worms Unauthorised Access growing incidents Theft of hardware Mobile and laptop Theft of Proprietary Information According to CSI/FBI 11 th Annual Computer Crime & Security Survey of 2006 Threats exploit vulnerabilities to harm systems Code Red Incident - Exploited (buffer overflow) in MS DLL vulnerability to infect systems MSBlast,, Slammer, Sasser As attack agent to DoS and DDoS

4 Comparison in Security Management Faculty of Computing, Information Systems and Mathematics Technical Solutions Direction Use of security mechanisms without proper evaluation E.g. Firewalls, IDS, local virus detection Weakness Each organisation requires unique security measures Different countermeasures maybe required Security Concepts & Relationships Comprehensive Framework for security evaluation Advantage Better requirement : able to Identify valuable assets, vulnerabilities in classified assets, & threats adequate response : able to recommend multiple countermeasures across a network. However this approach has been stipulated by The CC (Common Criteria) ISO/IEC 15408, but their model is limited in perspective.

5 What is required is a security management framework for SME that assists in identifying valuable assets for the SME vulnerabilities in classified assets threat agents that give rise to threats threats that exploit vulnerabilities associated risks due to threats & Vulnerabilities. appropriate mix of countermeasures to threats & vulnerabilities

6 Proposal: Security Concepts & Relationships Framework Faculty of Computing, Information Systems and Mathematics Owners wish to minimise value impose Countermeasures to mitigate be aware of to mitigate Vulnerabilities exist in Threat agents give rise to exploit Threats increase likelihood of Risks increase likelihood of cause harm to wish to abuse and/or cause harm Assets Security Concepts and Relationships Framework

7 Framework Descriptors Faculty of Computing, Information Systems and Mathematics Owners : SMEs that own assets. Assets : Systems, infrastructures, programs, information, or data owned by SMEs. Vulnerabilities : Flaws in assets, or the absence of controls that could lead to a security breach when exploited by threats. Threat agents : Entities with the capability to impose threats to assets. Threats : Entities that exploit vulnerabilities in assets to cause harm or predispose assets to harm. Risks : The Likelihood that assets may be compromise due to threats or vulnerabilities. Countermeasures: Preventive and mitigation controls

8 Asset Classification Model Faculty of Computing, Information Systems and Mathematics Minor Major Critical Information classified as very sensitive and confidential Failures leading to Huge Financial Losses Failure affects multiple parts of the network at the same time; POPs or multiple POPs Information classified as confidential Failures leading to Huge Financial Losses Failure affects part of the network Information classified as personal Failures leading to Minimal financial Losses Failure affects a single user 3-tier Asset classification model

9 Threat Propagation Dynamics Faculty of Computing, Information Systems and Mathematics Attack Timeline Initial Phase Second Phase Last Phase F(t) Probing stage Penetration stage Perpetuation stage Threat propagation based on Attack Timeline

10 Threat Propagation Descriptors Faculty of Computing, Information Systems and Mathematics Probing Stage: Reconnaissance - information gathering and network mapping Eg = Port scan, social engineering deception Penetration Stage: Unauthorised access - threat bypasses access control mechanisms to breach system Denial of Service threat does not require authorised access to invade system Eg = brute force attacks, dictionary attacks, DoS and DDoS

11 Descriptors to Threat Propagation Faculty of Computing, Information Systems and Mathematics Perpetuation Stage: Disclosure of information & data when threat intent is to breach confidentiality of system Manipulation of data intent is to alter assets Destruction of system intent is to destroy asset Clean-up attacker removes traces of footprint to prevent forensic investigate and litigation Eg = Intrusions, deliberate software agents, rootkits

12 1 Two fundamental Threat Categories: Natural Phenomena Human Action Network Error software bugs & hardware caveats Deliberate Software viruses and worms Natural Disasters wildfire, flooding, earthquakes and tidal waves Tsunami Cyber-threats terrorism, political warfare Insiders threats disgruntled employee

13 2 Human-made Faults Category Intentional Unintentional Motive Non-malicious Malicious Non-malicious Intent Non-deliberate Deliberate Deliberate Non-deliberate Deliberate Capability Acc. Incomp. Acc. Incomp. N/A Acc. Incomp. Acc. Incomp. KEY:Acc. -Accidental; Incomp. Incompetence; N/A Not Applicable Adapted from Avizienis et.al. [ Basic Concepts and Taxonomy of Dependable and Secure Computing, IEEE Transactions on Dependable and Secure Computing, Vol. 1, NO. 1, January-March 2004, pp ]

14 3 Network Error: Caused by unintentional, non-deliberate, non-malicious, accidental human actions. Example: faulty system designs Deliberate Software: Caused by intentional, malicious, deliberate human actions.. Example: viruses and computer worms Natural Disasters: Caused by natural, accidental phenomena.. Example: wildfire, flooding, earthquakes and tidal waves Tsunami Cyber-threats threats: Caused by intentional, malicious, deliberate human actions.. Example: terrorism, political warfare Insiders threats: Caused by intentional, malicious, deliberate human actions.. Example: disgruntled employee

15 Proposed is a process/model based approach to managing security for Small, Medium and Enterprise (SME). To mitigate vulnerabilities & threats a requirement is to implement adequate countermeasures. But adequate countermeasures are attainable through models that assists to: Identify what needs to be protected, what they should be protected against, and how best to protect them, including associated risks This leads to recommending adequate Responses Most SMEs focus on Technical controls without properly evaluating needs and requirements. This leads to implementation of controls that are Isolated, less efficient and uncoordinated.

16 +44 (0)