Security Assessment of Information Systems: Standards, Methods and Tools
Florent Autréau [email protected] 2007
Security Models, Protocols and Certification
Objectives
● Introduction to standards, methods and tools used to assess the security of an Information System
● Audience:
  – Network or System Administrator
  – Developer
  – IT Security Professional
  – Consultant
  – Auditor
  – Security Analyst
  – CISO – Chief Information Security Officer
This Course is NOT
● Not a complete course on IT security
● Not a complete course on IT Security Standards
● Not a complete course on IT security audit
Neither ...
This class is NOT ...
Agenda – Timetable
● Monday Oct 8th Lecture and Tutoring – H 201
  – 8.00 am to 10.00 am (Lecture)
  – 10.15 am to 11.15 am (Tutoring EN)
  – 11.15 am to 12.15 pm (Tutoring FR)
● Thursday Oct 11th Lecture and Tutoring – H 201
  – 8.00 am to 10.00 am (Lecture)
  – 10.15 am to 11.15 am (Tutoring FR)
  – 11.15 am to 12.15 pm (Tutoring EN)
Agenda – Timetable (cont)
● Monday Oct 15th Lab – Room 7 – Fourrier Institute
  – 8.00 am to 10.00 am (EN)
  – 10.15 am to 12.15 pm (FR)
● Thursday Oct 25th Lab – Room 7 – Fourrier Institute
  – 8.00 am to 10.00 am (FR)
  – 10.15 am to 12.15 pm (EN)
OR
● French-speaking group on Oct 15th and English-speaking group on Oct 25th
● What do you prefer?
Outline
● Introduction
● Concepts
● Risks and Threats
● Methods and standards
  – ISO2700x, OCTAVE, Ebios, Mehari, ...
● Tools
  – Nessus, nmap, ethereal, ntop, ...
● Hands-on Labs
Agenda – Day 1 – Oct 8th
● Introduction
● Concepts
● Risks and Threats
● Methods and standards
  – ISO2700x, OCTAVE, Ebios, Mehari, ...
● Tools
  – Nessus, nmap, ethereal, ntop, ...
● Hands-on Labs
Agenda – Day 2 – Oct 11th
● Introduction
● Concepts
● Risks and Threats
● Methods and standards
  – ISO2700x, OCTAVE, Ebios, Mehari, ...
● Tools
  – Nessus, nmap, ethereal, ntop, ...
● Hands-on Labs
Agenda – Day 3 & 4 – Oct 15th / 25th
● Introduction
● Concepts
● Risks and Threats
● Methods and standards
  – ISO2700x, OCTAVE, Ebios, Mehari, ...
● Tools
  – Nessus, nmap, ethereal, ntop, ...
● Hands-on Labs
Books – recommended readings
● 'Beyond Fear', Bruce Schneier
● 'Security Engineering', Ross Anderson
Contact information
● [email protected]
● Available on appointment on Tuesday/Thursday
● ENSIMAG E305
Outline
● Introduction
● Concepts
● Risks and Threats
● Methods and standards
  – ISO2700x, OCTAVE, Ebios, Mehari, ...
● Tools
  – Nessus, nmap, ethereal, ntop, ...
● Hands-on Labs
First of all, what is IT Security?
Information Security
● A set of properties for information
  – Confidentiality,
  – Integrity,
  – Availability.
● The classical CIA triangle
● Goal: ensure that Information is always Available ONLY to Authorized People
Information Security (cont)
● A different set of properties for information
  – Confidentiality,
– Control,
– Integrity,
– Authenticity,
– Utility,
– Availability.
Information Security (cont)
● Other properties of the Information System to be considered:
  – Accessibility,
– Performance,
– Usability,
– Manageability,
– Last and not least Reliability.
What is an Information System ?
● Conventional Support for Information
  – Desktop,
– Server,
– Network Equipment (switches, routers, ...)
– Printer,
– Laptop,
– ...
Information System
Information System (2)
● Also:
  – Professional and personal Mobile Phone,
  – Phone System (including PABX or VoIP gear),
  – Personal Digital Assistant (PDA),
  – Connection Card, Access Token,
– USB Keys,
– MP3 reader, Game System,
– Credit Card, ...
Business Assets
● Availability
  Make sure that IT services and resources are available for accredited users (employees, customers, partners, contractors).
● Integrity
  Make sure that information as well as information processing is exact, reliable, trusted and eventually provable.
Business Assets (cont.)
● Confidentiality
  Make sure that IT services and resources are ONLY available to accredited users.
● Authenticity (authentication and integrity)
● Traceability, Auditability, Non-repudiation
● Reputation / Branding
● Liability
Employee's Assets
● Employee's Liability
● Personal Information
– Political Opinion
– Member of Work Union
– Job Search
● Reputation / Fame
Citizen's Assets
● Privacy
– Political opinion,
– Religion,
– Health, Medical Data,
– Confidentiality (ex: Taxes),
– Reputation (rumors), Honor
● Yours (Family, Relatives, Significant Others)
  – Personal information on forums
– Pornography, ...
Citizen's Assets (cont.)
● Sensitive and/or Confidential Information
  – Codes
– Documents related to Associations, Union
– Accounting and Banking information
– Passwords, Account information
● Liability
● Fame, Reputation
What is Availability ?
Terminology
● Fault: defect, imperfection or flaw that occurs in hardware or software.
● Error: occurrence of an incorrect value in some unit of information within a system. Manifestation of a fault.
● Failure: deviation in the expected performance of a system.
Terminology (cont.)
● Detection: recognising that a fault/error has occurred.
● Containment/Isolation: isolating a fault and preventing its propagation throughout a system.
● Recovery: restoring the system to a stable (operational) state.
● Repair: repairing a faulty FRU (Field Replaceable Unit).
Reliability & Availability?
● Reliability: ability to function correctly over a specified period of time.
● Availability: probability that a system is performing at the instant t, regardless of the number of times it has been repaired.
What is Availability?
● Availability is the measure of time the system is available and operating
  – Inherent availability = MTTF / (MTTF + MTTR)
  – Operational availability = Uptime / (Uptime + Downtime)
● MTTF = Mean Time To Failure
● MTTR = Mean Time To Repair
What is Availability? (cont.)
As an example, the average lifetime for a given component is 10000 hours and the average time to repair is 4 hours.
The availability of this single repairable system is:
Availability = 10000 / (10000 + 4) = 0.9996
Measuring Availability
  % Uptime      % Downtime   Downtime/year   Downtime/week
  "six nines"   0.0001 %     31.5 s          0.6 s
  99.999 %      0.001 %      5.25 min        6 s
  99.99 %       0.01 %       52.5 min        1 min
  99.9 %        0.1 %        8 h 45 min      10 min 5 s
  99 %          1 %          3.65 days       1 h 41 min
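The two availability formulas and the "nines" table above are straightforward to compute, but the conversions are a frequent source of mistakes in SLAs (mixing up per-year and per-week budgets, or rounding a 3.4-nines system up to "four nines"). The following is an added example, not code from the course: it implements inherent and operational availability exactly as defined on the slide and regenerates the downtime table, so any availability figure can be turned into a concrete outage budget.

```python
"""Availability arithmetic: inherent vs operational availability and the
"number of nines" downtime table.  Added example, not part of the course."""

SECONDS_PER_YEAR = 365 * 24 * 3600   # 31 536 000 s (non-leap year)
SECONDS_PER_WEEK = 7 * 24 * 3600     # 604 800 s


def inherent_availability(mttf_hours: float, mttr_hours: float) -> float:
    """Inherent availability = MTTF / (MTTF + MTTR): a design-time prediction."""
    if mttf_hours <= 0 or mttr_hours < 0:
        raise ValueError("MTTF must be positive and MTTR non-negative")
    return mttf_hours / (mttf_hours + mttr_hours)


def operational_availability(uptime_hours: float, downtime_hours: float) -> float:
    """Operational availability = Uptime / (Uptime + Downtime): a measured value."""
    total = uptime_hours + downtime_hours
    if total <= 0:
        raise ValueError("observation window must be positive")
    return uptime_hours / total


def downtime_seconds(availability: float, window_seconds: int) -> float:
    """Expected downtime inside a window for a given availability fraction."""
    if not 0.0 <= availability <= 1.0:
        raise ValueError("availability must be a fraction between 0 and 1")
    return (1.0 - availability) * window_seconds


def nines(availability: float) -> int:
    """Count leading nines of the availability fraction: 0.9999 -> 4, 0.9996 -> 3.
    Done on the decimal string so floating-point noise does not lose a nine."""
    digits = f"{availability:.12f}".split(".")[1]
    return len(digits) - len(digits.lstrip("9"))


def format_duration(seconds: float) -> str:
    """Render a downtime budget the way the slide table does."""
    if seconds >= 86400:
        return f"{seconds / 86400:.2f} days"
    if seconds < 60:
        return f"{seconds:.1f} s"
    total = int(round(seconds))
    hours, rem = divmod(total, 3600)
    minutes, secs = divmod(rem, 60)
    parts = []
    if hours:
        parts.append(f"{hours} h")
    if minutes:
        parts.append(f"{minutes} min")
    if secs or not parts:
        parts.append(f"{secs} s")
    return " ".join(parts)


def downtime_table(uptime_percents):
    """Rebuild the 'Measuring Availability' table: (uptime %, nines, per year, per week)."""
    rows = []
    for pct in uptime_percents:
        a = pct / 100.0
        rows.append((pct, nines(a),
                     format_duration(downtime_seconds(a, SECONDS_PER_YEAR)),
                     format_duration(downtime_seconds(a, SECONDS_PER_WEEK))))
    return rows


if __name__ == "__main__":
    # The slide's worked example: MTTF 10000 h, MTTR 4 h.
    a = inherent_availability(10000, 4)
    print(f"inherent availability = {a:.4f} ({nines(a)} nines)")
    for row in downtime_table([99.9999, 99.999, 99.99, 99.9, 99]):
        print("  {:>8} %  {} nines  {:>12}/year  {:>12}/week".format(*row))
```

Note that the 10000 h / 4 h component of the slide comes out at 0.9996, i.e. only "three nines": a 99.99 % target would require either a longer MTTF or a repair time well under an hour, which is exactly the trade-off the later Markov slides explore.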
What is Unavailability?
Unplanned causes of downtime:
  – Extended Planned Downtime
– Human Error
– Software (OS, Application, Database, Middleware) Failure
– Network Failure
– Disk / Hardware Failure
– Disasters (fire, tornado, earthquake, …)
What is Unavailability? (cont.)
Planned causes of downtime:
  – Backup
– Software Maintenance
– Hardware Maintenance
– Application / Database Upgrade
– Operating System Upgrade
– Hardware Upgrade
What is Unavailability? (cont.)
Percent of Telephone Outages
[Pie chart, by cause:]
  – Operator: 25 %
  – Vandalism: 1 %
  – Human error: 24 %
  – Hardware: 19 %
  – Acts of Nature: 11 %
  – Overload: 6 %
  – Software: 14 %
What is Unavailability? (cont.)
Percent of Customer Minutes Lost
[Pie chart, by cause:]
  – Operator: 14 %
  – Vandalism: 1 %
  – Human error: 14 %
  – Hardware: 7 %
  – Acts of Nature: 18 %
  – Overload: 44 %
  – Software: 2 %
Availability Objectives
● Requirement as Platform supplier:
  – 40 sec/year (99.999873 %)
  – 20 sec/year (99.999937 %)
● Mechanisms for
  – Preservation of States
  – Detection and recovery of failures within a given budget.
● Number of Scheduled Outages
  – ex: 4 Software/Hardware Updates per year
Markov Model Diagram
● Diagram of boxes, lines and text to visually and automatically portray possible system states.
● It is a convenient representation of failure/repair situations.
● Boxes represent States.
● Transitions are indicated with a Rate between States
  – λ = failure rate
  – µ = repair rate
Markov Model Diagram (cont.)
[Diagram: single repairable unit. States 0 (operational) and 1 (failed). Transition 0 → 1 at failure rate λ; transition 1 → 0 at repair rate µ.]
Markov Model Diagram (cont.)
[Diagram: two redundant units. States 0 (both operational), 1 (one failed), 2 (both failed). Transitions: 0 → 1 at rate 2λ (either unit may fail); 1 → 0 at rate µ; 1 → 2 at rate λ; 2 → 1 at rate µ.]
Purpose of Availability Model
● Availability can be improved in several ways:
  – Increase the MTTF
  – Decrease MTTR
  – Introduce Redundancy
  – Reduce Detection time
  – ...
● Modeling makes it easy to assess availability by validating alternative designs before they are built.
● Availability in PLC Example
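To make the "validate various designs" point concrete, here is an added example (not course material) that solves the two Markov diagrams from the slides numerically. Each model is a continuous-time Markov chain described by its generator matrix; the steady-state distribution π solves πQ = 0 with Σπ = 1, and availability is the probability mass of the "up" states. The rates λ = 1/MTTF and µ = 1/MTTR are assumed, as is a single repair crew for the two-unit model (so the repair rate out of state 2 is µ, not 2µ); both are conventions, not something stated on the slides. The example goes slightly beyond the slides by comparing all four improvement options from the list above on the same baseline.

```python
"""Steady-state availability from a continuous-time Markov model.
Added example, not from the course: reproduces the single-unit and
two-unit-redundant diagrams and compares design options."""

from typing import Dict, Iterable, List, Tuple


def build_generator(n_states: int, rates: Dict[Tuple[int, int], float]) -> List[List[float]]:
    """Generator matrix Q from a map {(from, to): rate}; diagonal = -row sum."""
    q = [[0.0] * n_states for _ in range(n_states)]
    for (src, dst), rate in rates.items():
        if src == dst or rate < 0:
            raise ValueError("rates must be non-negative and between distinct states")
        q[src][dst] += rate
    for i in range(n_states):
        q[i][i] = -sum(q[i][j] for j in range(n_states) if j != i)
    return q


def steady_state(q: List[List[float]]) -> List[float]:
    """Solve pi*Q = 0, sum(pi) = 1 by Gauss-Jordan elimination.
    Equations are the columns of Q; the last one is replaced by normalisation."""
    n = len(q)
    a = [[q[i][j] for i in range(n)] for j in range(n)]  # a[j][i] = q[i][j]
    b = [0.0] * n
    a[-1] = [1.0] * n
    b[-1] = 1.0
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[pivot] = a[pivot], a[col]
        b[col], b[pivot] = b[pivot], b[col]
        p = a[col][col]
        if abs(p) < 1e-12:
            raise ValueError("singular system: is the chain irreducible?")
        for r in range(n):
            if r == col:
                continue
            f = a[r][col] / p
            for c in range(col, n):
                a[r][c] -= f * a[col][c]
            b[r] -= f * b[col]
    return [b[i] / a[i][i] for i in range(n)]


def availability(q: List[List[float]], up_states: Iterable[int]) -> float:
    """Steady-state probability of being in an operational state."""
    pi = steady_state(q)
    return sum(pi[s] for s in up_states)


def single_unit(lam: float, mu: float) -> float:
    """Slide diagram 1: state 0 = up, state 1 = failed; 0->1 at lambda, 1->0 at mu.
    Closed form is mu/(lambda+mu) = MTTF/(MTTF+MTTR)."""
    return availability(build_generator(2, {(0, 1): lam, (1, 0): mu}), {0})


def two_unit_redundant(lam: float, mu: float) -> float:
    """Slide diagram 2: state = number of failed units (0, 1, 2).
    0->1 at 2*lambda, 1->2 at lambda, repairs at mu (single repair crew assumed).
    Service is up while at least one unit works: states 0 and 1."""
    rates = {(0, 1): 2 * lam, (1, 0): mu, (1, 2): lam, (2, 1): mu}
    return availability(build_generator(3, rates), {0, 1})


def compare_designs(mttf_hours: float, mttr_hours: float) -> Dict[str, float]:
    """Availability of the baseline and of each improvement from the slide."""
    lam, mu = 1.0 / mttf_hours, 1.0 / mttr_hours
    return {
        "baseline": single_unit(lam, mu),
        "double MTTF": single_unit(lam / 2, mu),
        "halve MTTR": single_unit(lam, 2 * mu),
        "add redundancy": two_unit_redundant(lam, mu),
    }


if __name__ == "__main__":
    # Same numbers as the slide's worked example: MTTF 10000 h, MTTR 4 h.
    for name, a in compare_designs(10000, 4).items():
        print(f"{name:>15}: availability {a:.8f}, unavailability {1 - a:.2e}")
```

Doubling the MTTF and halving the MTTR give almost the same gain (one extra unit of margin), whereas the redundant pair reduces unavailability by roughly three orders of magnitude for these rates: that is the kind of comparison the model exists to make, and it is also why the two-unit model's assumption about repair capacity matters and should be stated explicitly in an assessment.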
Availability Modeling ?
Prediction is fine as long as it is not about the future.
Performance Analysis
● Performance in PLC Example
Reference – More readings
● 'Blueprints for High Availability', Marcus/Stern
● 'Applied Reliability', Tobias/Trindade
Exercise 1
● Model Service Availability for the following system:
● Web server with warm replication (primary and secondary)
  – Enumerate and describe the different states;
  – Idem with the transitions;
  – Present a simple Markov Model.
Outline
● Introduction
● Concepts
● Risks and Threats
● Methods and standards
  – ISO2700x, OCTAVE, Ebios, Mehari, ...
● Tools
  – Nessus, nmap, ethereal, ntop, ...
● Hands-on Labs
Risk Analysis Terminology
● Threat:
  – what you want to protect valuable assets from
  – anything (man-made or act of nature) that has the potential to cause harm (a.k.a. Menace)
● Vulnerability:
  – Failure or Deviation of the Information System
  – weakness that could be used to endanger or cause harm to an informational asset
● Risk:
  – when a Threat exploits a Vulnerability against a Valuable Asset
  – Probability that an event will happen with a negative impact to an informational asset
Vulnerability
Failure or operational weakness of the IS
● Eventually known and documented;
● Can eventually be exploited.
Main reasons:
● Design/inception;
● Implementation;
● Operation.
Statistical Approach
Risk = Pm × (1 − Pc) × C
● Pm = probability of the menace (threat)
● Pc = probability that the countermeasures are effective
● C = cost of the incident
● Source "Barometer 2006 – IRSN"
● French Institute for Radiological Protection and Nuclear Safety / Institut de radioprotection et de sûreté nucléaire
● http://www.irsn.org
Risk Management: A Matter of Perception?
Risks Perception (1)
Taxonomy of Risks
● Accidents
  – Disaster
  – Malfunction or Misfunction
● Errors
  – Operation, Exploitation
  – Bug
● Malicious
  – Intruders, Hackers, Organized Criminals
  – Competition, Economic Intelligence
Taxonomy of Risks (cont.)
● Infrastructure
  – Unavailability, Faults, Defects
– Illegal Use of Unlicensed Software
● Data
  – Unauthorized use or access
– Storage of illegal material/information
– Loss of data
Taxonomy of Risks (cont.)
● Trading or Operating Losses
  – Impact on Manufacturing Plant
– Loss of configuration
– Loss of data
● Data Leakage
  – Financial Information
– Pricing or Sales Information
– Customer Database
– Contract, Answers to RFP (Request For Proposal)
Taxonomy of Risks (cont.)
● Identity Theft
● Fraud
● Employee's abuse
● Corporate's abuse
● Blackmail
● ...
Classification
  Class                   Incident                   Security Incident         Disaster
  Class 4: Critical       Major Failure of Server    DNS redirection           Tornado, fire
  Class 3: Severe         Application Error          DDoS, Root Compromise     Spying, theft
  Class 2: Serious        Bug, Incomplete Backups    Scans, Probes
  Class 1: Low Impact     User's Mistake             Virus, Abuse
Outline
● Introduction
● Concepts
● Risks and Threats
● Methods and standards
  – ISO2700x, OCTAVE, Ebios, Mehari, ...
● Tools
  – Nessus, nmap, ethereal, ntop, ...
● Hands-on Labs
Threats – Clusif
Source: CLUSIF Panorama Cybercriminalité 2004
  – Data Theft
  – Malware (spyware, bots, keyloggers)
  – Extortion (ex: encrypted file)
– Attacks from Competitors
– GSM
– VoIP
– WiFi, RFID
« New » Threats?
Historical Motivations
● Extortion
● Unfair Competition
● Spying, Economic Intelligence
● Money
● Theft of data
● Identity theft
« New » Threats? New Targets
● Intellectual Property
● Market Share
● MindShare / Fame
● I.S. Availability / Operation
● Executive's Liability
● Finance
● Profiles or Virtual Goods (Paypal, Online game),
● ...
New Vectors
● Malware (spyware, bots, keyloggers)
● Active or Executable Contents
● Bluetooth,
● Wifi,
● USB keys,
● GSM,
● VoIP,
● RFID
● ...
Top 20 – Vulnerabilities (sans.org)
● Operating Systems
  – W1. Internet Explorer
  – W2. Windows Libraries
  – W3. Microsoft Office
  – W4. Windows Services
  – W5. Windows Configuration Weaknesses
  – M1. Mac OS X
  – U1. UNIX Configuration Weaknesses
Top 20 – Vulnerabilities (2)
● Cross-platform Applications
  – C1. Web Applications
  – C2. Database Software
  – C3. P2P File Sharing Applications
  – C4. Instant Messaging
  – C5. Media Players
  – C6. DNS Servers
  – C7. Backup Software
  – C8. Security, Enterprise, and Directory Management Servers
Top 20 – Vulnerabilities (3)
● Network Devices
  – N1. VoIP Servers and Phones
  – N2. Network and Other Devices Common Configuration Weaknesses
● Security Policy and Personnel
  – H1. Excessive User Rights and Unauthorized Devices
  – H2. Users (Phishing/Spear Phishing)
● Special Section
  – Z1. Zero Day Attacks / Prevention Strategies
References – More readings
● 'Secrets and Lies', Bruce Schneier
● http://catless.ncl.ac.uk/Risks
Tutoring
Exercise 2
● Identify, quantify and classify the risks for the following scenario:
● As a system administrator of an SMB, you are requested to deploy laptops with nomadic access to the corporate network. You will present the company management with a risk analysis as well as ways to mitigate the threats.
Exercise 3
● Identify, quantify and classify the risks for the following scenario:
● As a consultant for a software company, you must conduct a risk awareness campaign on the use of a permanent Internet connection from the corporate network for daily operations. Again, this has to be presented as a high-level risk analysis.
Exercise 4
● Identify, quantify and classify the risks for the following scenarios (preparation for lab):
● As a student in Master 2 CSCIS, conduct a risk analysis of your personal informational assets in your usage of IT resources.
● Idem, acting as a sysadmin working for the university, when providing and managing shared facilities such as room 7 of the Fourrier Institute.