
Conceptual Modeling for Information Security Strategy

Austin Winkleman

Information Security Officer

Saint Louis University

St Louis, MO

EDUCAUSE

Midwest Conference

May 21, 2005

Copyright Austin F Winkleman, 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Outline

• Background, Context

• Challenges and Questions

• Answers without Conceptual Model

• Answers with Conceptual Model

• The Three Models

• Q&A

The SLU Context

• 11,000 Students (3,500 Residential)
• Private
• Mission: Teaching, Research, Clinical
• Centralized IT organization
• One campus, one infrastructure (including clinical areas)

Information Security Context, 1/2003

• Only one policy: Appropriate Use
• No policy review/development structure; re-write of the AUP was a 6-year odyssey
• No existing security strategy
• New position: Information Security Officer (with no staff)
• New committee for developing information security policies
• New project for infrastructure technologies

Outline

• Background, Context

• Challenges and Questions

• Answers without Conceptual Model

• Answers with Conceptual Model

• The Three Models

• Q&A

Challenges…

• Regulations: HIPAA-Security, Gramm-Leach-Bliley, and more…?

• Communications
– With Executives
– Among Staff

• Questions of Priority: “We must have X, or we’ll suffer consequence Y!!!”
X = [policies, anti-virus, backups, incident response, …]

…And More Challenges

• Systemic issues, beyond duct tape
• Efficiency of effort
– Deadlines
– Minimize disruption (no false starts)
– Coordinated
• Vulnerabilities in operational environment
• Needed sustainable strategy for current and long-term

…And More Challenges

• Rules of bureaucracy:

“Never do anything the first time”

Outline

• Background, Context

• Challenges and Questions

• Answers without Conceptual Model

• Answers with Conceptual Model

• The Three Models

• Q&A

Answer: Purely Technical?

• Technology implementation as the complete solution to every problem

• Tends to focus by product:
– Firewall
– Intrusion detection
– Single sign-on

Purely Technical? (more)

“Here is our access strategy!”

[Diagram: a network topology drawing offered as the “access strategy”: VAX systems, routers, a firewall, a mainframe, servers, a hub and workstations]

Purely Technical? (more)

• Tends to appeal to
– Vendors
– Technical staff

Answer: Brute Force?

• Each requirement is a separate effort
– Regulation provision
– Solving each technical and organizational problem in isolation
• Direct reaction to incidents or risks

Brute Force? (more)

• Use of diagnostic model as prescription
– List of characteristics of successful completion used as a “to do list”
• Lists of “Key Strategies” or “Common Elements”
• Tends to appeal to
– Non-technical staff

Problems with Technical & Brute Force Approaches…

• Insufficient representation of relationship among strategy elements
– Difficult to group related items
– Difficult to identify efficiencies
• Non-Intuitive
– Does not enable Executive communication
– Does not enable Team communication
• Difficult to measure strategic alignment

Problems (more)

• Difficult to evaluate effectiveness
– May miss root causes

• Tends to isolate security function; not integrated into the organization

• Difficult to adapt over time

Outline

• Background, Context

• Challenges and Questions

• Answers without Conceptual Model

• Answers with Conceptual Model

• The Three Models

• Q&A

Using Conceptual Models

• Intermediate step between the problem and designing the solution
• Represent the significant concepts
– Various types and shapes
– “Make it as simple as possible, but no simpler”*
– Use “Best Fit” as the standard
• Provides a common language between technical and non-technical; accessible
• Organizational responsibility, not vendors’

*Albert Einstein

“Systems” Approach

• Collective noun for Policy
– Set of policies?
– System of policies
• Strategy vs. Tactics
– Strategy as a set of tactics?
– Strategy as a system of tactics

Other Conceptual Models

• Flowchart

• Architectural blueprint

• Organizational chart

Outline

• Background, Context

• Challenges and Questions

• Answers without Conceptual Model

• Answers with Conceptual Model

• The Three Models

• Q&A

The Three Models

1. Strategy Framework
2. Threat Levels
3. Access

Each model is covered under:
• Purpose
• Structure and Rules
• Uses
• Value
• Plans

Strategy Framework Model

• Purpose:
– One representation of all strategy components and their relationships
– Grouping of related components
– Started with policies; scaled up to strategy

Strategy Framework Structure

[Diagram, two levels:
Oversight Level: Oversight of Information Handling, with components Planning, Information Security Policy Committee, Physical Provisions, Evaluation
Direct Handling Level: Access, with components Users, Data, Media]

Level 1: Oversight

Oversight of Information Handling:
• Planning
• Policy Development (Information Security Policy Committee)
• Physical Provisions
• Evaluation

Level 2: Direct Handling

Access

Users Data Media

• Access
– Users
– Data
– Media

• Level 2 inherits characteristics from Level 1

Each Component

• Represents a Strategy Component, addressing the aspects of:
– Policy
– Process
– People
– Mechanisms

Each Component May Have Sub-Components: Planning

• Strategic Planning
• Contingency Planning
– Business Continuity
– Technical Recovery

Evaluation Component

• Regulation Compliance
• Program Compliance
• Industry Standards and Norms
• Risks
• Contracts

Policy Development Component

• Policy Committee oversees two functions
– Change Review (prevention)
– Vulnerability Oversight (response)

Physical Provisions

• Facilities

• IT Assets (as a group)

• External World


In Level 2, Access

• Intersection of users, data, and media (hosts)


Users Component

• Internal
– Basic
– Power
– Administrator
• External
– Guest
– Anonymous

Data Component

• Classification
• Encryption
• Types
– Teaching/Learning
– Research
– Clinical
– Administrative

Media Component

• Host

• Devices

• Connectivity
– Wired
– Wireless

Uses of the Model

• Enabled view of (new) policies as a system
• Priorities in perspective
• Policy grouping and consolidation options
• Representation of combined policy requirements of HIPAA-Security, GLB, and our goals
• Shifted policy development focus from wording to strategy
• Integrated technologies and policy in each component, then processes and people

Value

• Answers the first question:

“Where does it fit?”

Four Phases of Technology Assimilation

1. Initiation; Where does it fit?

2. Contagion; What can’t this solve?

3. Control; Where is all the money going?

4. Maturity; What is the appropriate, managed use?

(Gibson-Nolan 1974)

Value (more)

• Realized need for role of Data Steward
– Key to strategy for data component
– Responsible for knowing locations and uses of a category of data (Health, Student, Financial)
– Integrated; existing position in area
– Role in assessing risk, policy review and development, and operational handling of information

Value (more)

• Focus of each proposed policy for a specific purpose (e.g. Dial-in Policy and Password Policy: one policy, or two?)

• Separation of policy from procedure and standards

• For planning and development phases
• Discussion of level of generalization; avoid race to the details

Plans

• Develop documented strategy per component

• Develop “people” aspect more

• Proposed use as governance structure for administrative information

Strategy Framework Structure (recap)

[Diagram repeated: Oversight Level (Oversight of Information Handling: Planning, Information Security Policy Committee, Physical Provisions, Evaluation) above Direct Handling Level (Access: Users, Data, Media)]

The Three Models

1. Strategy Framework
2. Threat Levels
3. Access

Each model is covered under:
• Purpose
• Structure and Rules
• Uses
• Value
• Plans

Model of Threat Levels

• Purpose:
– To represent threats on a single scale
– To use a metric for communicating posture: current and planned
• Within strategy framework:
– Level 1 (Oversight)
– Component of Vulnerability Oversight

NIST 800-53* Threat Types

• Origin: local or remote
• Sophistication level: low or high
• Access: insider or outsider
• Resource level: minimal, moderate, or substantial
• Intent: malicious or not
• 48 combinations (2 × 2 × 2 × 3 × 2)
• Simplify: segment Automated vs. Human

*First Draft, October 2003

Automated Attack Threat

• Examples of malware (virus, worm, Trojan horse)
• Origin and access: external
• Sophistication: low (does not adapt)
• Resource level: low to moderate
• Malicious intent: usually low
• Automated defense system
• Entry point to more sophisticated attacks
• High probability, high damage

Human Attack Threat

• Sophistication level:
– Low:
  • Noisy
  • Brute force entry, “script kiddie”
– High:
  • Quiet, “low and slow”
  • Skilled hacker, with resources
  • Social engineering among other techniques

Human Attack Threat (more)

• Origin and access: external or internal
• Resource level: low to high
• Malicious intent: all levels
• More deliberate target selection
• Various damage levels possible
• Combination of automated and organizational defense system

Threat Level Scale

• Use sophistication level of attacker as the primary scale
• Use defense maturity level as the secondary scale

Defense Maturity Levels

• Awareness of the problem
• Reactive mitigation
• Partial coverage
– High risk areas
– Available areas (“easy to reach”)
• Robust coverage
– Thorough and tested
– Automated where feasible
– Training

Threat Levels as Table

Defense Maturity | Automated | Human, Low Sophistication | Human, High Sophistication
No Awareness     | 1 (one cell spanning all three threat types)
Reactive         | 2         | 5                         | 8
Partial          | 3         | 6                         | 9
Robust           | 4         | 7                         | 10

The Scale

1. No Awareness
2. Automated, Low Defense (reactive)
3. Automated, Medium Defense (partial)
4. Automated, High Defense (robust)
5. Low Sophistication Human, Low Defense (reactive)
6. Low Sophistication Human, Medium Defense (partial)
7. Low Sophistication Human, High Defense (robust)
8. High Sophistication Human, Low Defense (reactive)
9. High Sophistication Human, Medium Defense (partial)
10. High Sophistication Human, High Defense (robust)

The Scale (more)

• Best Fit
• Integers only!

Uses

• Where are we now? What risks?
• Focus assessment and testing per level
• Map technologies to levels
– List of all technologies on the market
– For technologies in our environment, at what level are we using it?
– Technologies to acquire?
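The scale above is a two-axis lookup (attacker sophistication as the primary axis, defense maturity as the secondary), and the "where are we now?" question is answered by placing each technology on it. The following is an added example, not code from the presentation, that encodes the "Threat Levels as Table" slide and then derives a posture and a gap from technology assessments. Two rules in it are assumptions of this example rather than the deck's: when several technologies cover the same threat type, the weakest one sets that type's level; and the single organisation-wide integer is read cumulatively, so the first threat type not yet at "robust" decides it. The sample assessment at the bottom is constructed for illustration.

```python
"""Threat-level scale: (sophistication, defense maturity) -> integer 1..10.
Added example, not from the slides; see the lead-in for which rules are
assumptions of this example."""

SOPHISTICATION = ("automated", "human_low", "human_high")   # primary scale
MATURITY = ("none", "reactive", "partial", "robust")        # secondary scale


def threat_level(sophistication, maturity):
    """Map one (sophistication, maturity) pair to the 1..10 scale.

    No awareness is level 1 for every threat type; otherwise each
    sophistication band owns three consecutive integers (2-4, 5-7, 8-10).
    """
    if sophistication not in SOPHISTICATION:
        raise ValueError(f"unknown sophistication {sophistication!r}")
    if maturity not in MATURITY:
        raise ValueError(f"unknown maturity {maturity!r}")
    if maturity == "none":
        return 1
    return 1 + 3 * SOPHISTICATION.index(sophistication) + MATURITY.index(maturity)


def describe(level):
    """Inverse of threat_level: integer level -> (sophistication, maturity)."""
    if level not in range(1, 11):
        raise ValueError("levels are integers 1..10 only")
    if level == 1:
        return (None, "none")
    band, step = divmod(level - 2, 3)
    return (SOPHISTICATION[band], MATURITY[step + 1])


def current_posture(assessments):
    """Per-threat-type level from technology assessments.

    assessments: {technology: {sophistication: maturity}}; a technology is
    listed only under the threat types it addresses. A threat type that
    nothing covers stays at 1; otherwise the weakest covering technology
    sets the level (assumption of this example).
    """
    posture = {}
    for coverage in assessments.values():
        for soph, maturity in coverage.items():
            lvl = threat_level(soph, maturity)
            posture[soph] = min(posture.get(soph, lvl), lvl)
    return {s: posture.get(s, 1) for s in SOPHISTICATION}


def overall_level(posture):
    """Collapse per-type posture to the deck's single integer.

    Read cumulatively (assumption): walk the bands in order; a band that is
    not yet robust decides the level, a band nothing covers leaves the level
    reached by the previous band, and 10 means every band is robust.
    """
    level = 1
    for soph in SOPHISTICATION:
        if posture[soph] == 1:            # no coverage of this band yet
            return level
        if posture[soph] < threat_level(soph, "robust"):
            return posture[soph]
        level = posture[soph]             # robust here; look at the next band
    return level


def gap_to_target(assessments, target):
    """Positive result: integer levels still to climb to reach the target."""
    if target not in range(1, 11):
        raise ValueError("target must be an integer 1..10")
    return target - overall_level(current_posture(assessments))


# Constructed sample (not the university's actual assessment): the three
# technologies named on the "Mapping Technologies to Scale" slide, each
# placed at a maturity for the threat types it addresses.
SAMPLE_ASSESSMENTS = {
    "Anti-Virus": {"automated": "robust"},
    "Honeypot": {"automated": "partial"},
    "ESIM (IDS Correlation)": {"automated": "partial", "human_low": "reactive"},
}

if __name__ == "__main__":
    posture = current_posture(SAMPLE_ASSESSMENTS)
    level = overall_level(posture)
    print("posture per threat type:", posture)
    print("overall level:", level, describe(level))
    print("gap to target 7:", gap_to_target(SAMPLE_ASSESSMENTS, 7))
```

With the sample, anti-virus alone would put automated-attack defense at level 4, but the partially deployed honeypot and ESIM pull the automated band down to 3, so the overall level is 3 and the gap to a target of 7 is 4. That is the point of the "weakest covering technology" reading: a robust product does not raise the level while another tool covering the same threat type is still partial.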

Mapping Technologies to Scale, Sample

Technology             | Progression along the scale (levels 1 → 10)
Anti-Virus             | 1: No awareness of need | 2: React post-infection | 3: High risk areas | 4: Robust with updates
Honeypot               | 1: No awareness of need | Reliably detects automated attack | Reliably detects low-sophistication attack | Reliably detects high-sophistication attack
ESIM (IDS Correlation) | 1: No awareness of need | Some input | Partial system of sensors, sensitivity set low | Full system of sensors, sensitivity set high

Value

• Communication
– Internal coordination (see “first question”)
– Executive

• Simplified to the three general types

• Avoid “cut and dried” impression

• Assessment: current, future, gap

• Framework for comparison of relative benefit of technologies

Plans

• Agreement on target level and time frame; correlate with other strategy components
• Remove noise of lower levels, to increase sensitivity to higher level activities
• On-going
– Update with new technologies; evaluate
– Evaluate/confirm current level through testing

The Three Models

1. Strategy Framework
2. Threat Levels
3. Access

Each model is covered under:
• Purpose
• Structure and Rules
• Uses
• Value
• Plans

Access Model

• Representation of user locations, network access paths, resources, and defenses

• Within strategy framework: Access

• Network view
– Does not represent host-based access controls
– Each host has authentication controls

Structure and Rules

User Paths to Services (diagram, read top to bottom):

User locations: Internet, ResNet, Dial-In, Partner Org, Wireless, Fac/Staff/Admin
Control 1: Packet Filter, Registration, Kerberos, LDAP
Control 2: Firewall (×3)
Services, Level 1: Public Services (web, e-mail, WebCT)
Control 3: VPN (×4)
Services, Level 2: Proprietary Services (ERP, LAN file/print, Dept-specific Server)
Control 4: Control Point Per High-Protection Service (DW VPN with ACL rules; Med Rec VPN with ACL rules)
Services, Level 3: Data Warehouse, Medical Records, Network Device Adm, Phone Switch

Uses

• IT-Internal coordination/communication

• Simple representation of all paths

• Identify gaps

• Guidance for configuration/design of technologies (firewall, VPN)
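The access model's value for "identify gaps" comes from making the rules explicit: a service at protection level N must only be reachable through the control layers above it, and level-3 services additionally need their own control point. The following is an added example, not code from the presentation, that writes the diagram down as data and checks every (user location, service) pair against those rules. The control kinds, which control each location passes, and the per-service control points are a constructed sample in the spirit of the slide, not SLU's actual network; in particular, the sample deliberately leaves Partner Org without a VPN and two level-3 services without a control point so that the gap report has something to find.

```python
"""Access model as data: user locations, the controls on each network path,
and the protection level of each service. Added example, not from the
slides; the sample paths and control points below are constructed."""

# Control kinds a path must traverse before reaching a service at each
# level. Level 2 inherits level 1's controls; level 3 inherits level 2's
# and adds a per-service control point (the diagram's "Control 4").
REQUIRED_CONTROLS = {
    1: {"entry", "firewall"},
    2: {"entry", "firewall", "vpn"},
    3: {"entry", "firewall", "vpn", "service"},
}

# Service -> protection level, following the diagram's three service tiers.
SERVICES = {
    "web": 1, "e-mail": 1, "WebCT": 1,
    "ERP": 2, "LAN file/print": 2, "Dept-specific Server": 2,
    "Data Warehouse": 3, "Medical Records": 3,
    "Network Device Adm": 3, "Phone Switch": 3,
}

# Constructed sample: which control of each kind a user location passes on
# its way in. A missing kind means that path has no such control.
PATHS = {
    "Internet":        {"entry": "packet filter", "firewall": "firewall", "vpn": "VPN"},
    "ResNet":          {"entry": "registration", "firewall": "firewall", "vpn": "VPN"},
    "Dial-In":         {"entry": "Kerberos", "firewall": "firewall", "vpn": "VPN"},
    "Partner Org":     {"entry": "packet filter", "firewall": "firewall"},  # no VPN (constructed gap)
    "Wireless":        {"entry": "LDAP", "firewall": "firewall", "vpn": "VPN"},
    "Fac/Staff/Admin": {"entry": "campus LAN port", "firewall": "firewall", "vpn": "VPN"},
}

# Constructed sample: per-service control points. Two level-3 services are
# left out on purpose so the report flags them.
SERVICE_CONTROLS = {
    "Data Warehouse": "DW VPN + ACL rules",
    "Medical Records": "Med Rec VPN + ACL rules",
}


def controls_on_path(location, service):
    """{kind: control} that a request from `location` traverses before
    reaching `service`, including any per-service control point."""
    present = dict(PATHS[location])
    if service in SERVICE_CONTROLS:
        present["service"] = SERVICE_CONTROLS[service]
    return present


def missing_controls(location, service):
    """Control kinds the service's level requires but the path lacks."""
    required = REQUIRED_CONTROLS[SERVICES[service]]
    return sorted(required - set(controls_on_path(location, service)))


def gap_report():
    """Every (location, service, missing kinds) triple with a gap: the
    model's 'identify gaps' use, and a checklist for firewall/VPN design."""
    report = []
    for location in PATHS:
        for service in SERVICES:
            missing = missing_controls(location, service)
            if missing:
                report.append((location, service, missing))
    return report


if __name__ == "__main__":
    for location, service, missing in gap_report():
        print(f"{location:16} -> {service:20} missing: {', '.join(missing)}")
```

Two kinds of gap show up in the sample report. Partner Org reaches every level-2 and level-3 service without a VPN, which is a path problem to fix at Control 3; Network Device Adm and Phone Switch have no control point of their own, which is a service problem to fix at Control 4 regardless of where the user sits. Keeping the model as data like this is also what makes the "Plans" items cheap: re-run the report after each change instead of re-reading the diagram.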

Value

• Understanding current state of network controls

• Focus on purpose of technology, rather than function

• Available for diagnostics

Plans

• Keep current

• Evaluate regularly

Outline

• Background, Context

• Challenges and Questions

• Answers without Conceptual Model

• Answers with Conceptual Model

• The Three Models

• Q&A

Conceptual Modeling for Information Security

Austin Winkleman

Information Security Officer

Saint Louis University, St Louis, MO

[email protected]