FARES:g2 Formal Analysis of Risks in Enterprise Systems: Generation 2 PowerPoint PPT Presentation

1
FARES:g2 Formal Analysis of Risks in Enterprise
Systems: Generation 2
  • A Non-Asset-Based Approach to Information Systems
    Risk Management

Peter R. Stephenson, PhD, CISSP, CISM, FICAF
The Center for Digital Forensic Studies, Ltd.
prstephenson_at_earthlink.net
2
What is FARES?
  • An advanced next-generation information system
    (IS) risk analysis methodology
  • A risk-centric approach, covering
      • Threats
      • Vulnerabilities
      • Impacts
      • Countermeasures
      • Inter-domain communications
  • A result of over four years of peer-reviewed,
    published university research

3
Why is FARES Preferable to Classic IS
Vulnerability Assessments and Pen Tests?
  • Risk-centric
  • Far more comprehensive
  • Baseline FARES analysis no more costly than
    classic VA and pen tests, but offers far more
    comprehensive results
  • Subsequent maintenance far less expensive
  • Does not depend upon recognizing specific known
    threats and vulnerabilities (i.e., attacks and
    attackers)
  • Supports defense-in-depth IS security
  • Scalable
      • Applied to a 400 node/50 server organization and
        a 100,000 node, 3,000 server organization with
        equal success

4
Why We Should be Risk-, not Vulnerability-,
Centric in Our Approach
Because we want to reduce, redirect or
eliminate the impacts of attacks, misuse attempts
or attempted abuse of information systems and
assets. Vulnerability assessment alone simply
cannot provide that capability.
5
Elements of Risk
  • Definition of risk
      • Information Systems Risk, ?, is the probability,
        ?, that a threat, t, will successfully exploit a
        vulnerability, v, to create an impact, µ.
      • ? ? (t v ? µ) - the formal
        definition of IT risk
  • Vulnerability
      • A weakness or flaw in an element of a system
        that has the potential to be exploited with a
        damaging outcome
  • Threat
      • An external stimulus that may lead to an
        incident when the external stimulus is applied
        to an element
  • Impact
      • An impact µ results when an external stimulus is
        applied to a state of an element. µ is Boolean:
        an impact either results or it does not.

6
Elements of Risk (2)
  • Malicious threat factors
      • Capability
      • Motivation
      • Access
      • Catalysts
      • Inhibitors
      • Amplifiers
  • Impacts
      • Cannot quantify the unquantifiable
      • Complex impacts impact impacts
  • Mitigating factors
      • Safeguards or countermeasures that reduce,
        redirect or eliminate impact

7
Managing, Not Mitigating, Risk
  • Easier to manage the elements of risk as a group
    rather than to manage a single element completely
  • No way to know all threats or vulnerabilities
    completely in advance
  • Zero-day exploits pose a great challenge
  • Patch management becomes more difficult as
    enterprise size and complexity increase

8
FARES is Holistic
  • Network
      • Provides communication channels between domains
  • Hosts and servers
      • Targets of attack, abuse and misuse, or devices
        that contain those targets
  • Business processes
      • Contribute to data flow patterns between domains
  • Threat and threat agent analysis
  • Regulatory, legal and policy issues
      • Help define policy domains

9
Ontology
  • A formal definition of a set of concepts
  • We use several types
      • Stratified ontology - layers based upon
        stratification of high-level concepts
      • Differential ontology - interchange of concepts
        between different ontologies
      • Distributed ontology - a group of interrelated
        ontologies that may be physically dispersed
  • Ontologies provide the definitions we need to
    analyze threats, vulnerabilities and impacts

10
Example of Concepts in a Threat Ontology
Administrative Threats
  • Administrative errors of commission
  • Administrative errors of omission
  • Hostile administrator modification of user or
    system data
  • Administrator violates user privacy policy
Developer Errors
  • Software containing security-related flaws
System Errors
  • A critical system component fails
  • Failure of a distributed system component
  • Unexpected disruption of system or component power
Hacker Threats
  • Hacker undetected system access
  • Hacker attempts resource denial of service
  • Hacker eavesdrops on user data communications
  • Cryptanalysis for theft of information
  • Hacker masquerading as a legitimate user or as a
    system process
  • Message content modification
  • Exploitation of vulnerabilities in the physical
    environment of the system
Hacker Threats (cont.)
  • Social engineering
  • Malicious code exploitation
  • Legitimate system services are spoofed
Non-Repudiation
  • Recipient denies receiving information
  • Sender denies sending information
  • A participant denies performing a transaction
User Threats
  • Hostile user acts cause confidentiality breaches
  • User abuses authorization to collect data
  • User errors cause confidentiality breaches
  • User error makes data inaccessible
  • User errors cause integrity breaches
  • User errors undermine the system's security
    features
  • User's misuse causes denial of service
  • User abuses authorization to modify data
  • User abuses authorization to send data
11
Threat Ontology Development Using the Protégé
Ontology Tool
12
Orbs
  • Ontology Referential Base
  • Uses ontology to create a knowledge base of
    relationships in the form ⟨a, r, b⟩, where a
    and b are concepts and r is a relationship
    between them
  • Lets us create the set {⟨a, r, b⟩} of all of the
    relationships between pairs of related concepts
  • Much more efficient than a database for identifying
    search targets
  • Used with shallow link analysis to create visual
    maps of relationships using the SLIP browser tool

13
(No Transcript)
14
Security Policy Domains
  • All of the elements of an enterprise that are
    subject to the same security policy
  • Formally
      • A security policy domain, Ep, consists of all of
        the elements, e, of an enterprise that conform to
        the same security policy, p.
      • $E_p = \{\, e \in E \mid e \text{ conforms to policy } p \,\}$

15
Security Policy Domains (2)
  • Concerned with both the scope of the domain and
    the interconnections between it and other
    security policy domains
      • Interconnections represent communications channels
      • May be overt or covert
      • Impact data flows
  • May contain multiple components or a single high
    sensitivity/criticality component
  • Policy may be explicit (corporate policy,
    procedure or guideline)
  • Policy may be implicit (configuration of devices
    governed by a policy)
      • The configuration is an instantiation of the policy

16
An Example of Inter-Domain Communications for a
Financial Services Company
17
Threat Identification and Analysis
  • Identification begins with the Common Criteria
    (ISO 15408) Profiling Knowledge Base of 30
    general and over 100 specific threats
  • Interviews help fine-tune specific threats
  • Threat review and policy domain analysis follow
    BS 7799 (ISO 17799) and applicable laws,
    regulations and local policies
  • Logical and physical threats considered

18
A Threat Matrix
Legend for the policy domains in the matrix:
  • Ad - Admin
  • Co - Core
  • Gu - General User
  • Pu - Public
  • Cc - Call Ctr.
  • Is - Int. Srvrs.
  • Hr - HR
  • Br - Branches
  • Pa - Partner
  • Ma - Maint.
19
FARES Simple Communications Model
  • No subject may read an object of higher
    confidentiality than itself
  • No subject may write to an object of lower
    confidentiality than itself
  • No subject may write to an object of higher
    integrity than itself
  • No subject may execute another subject of higher
    integrity than itself

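The four rules above encoded as a small reference monitor, as an added example that is not part of the presentation: it labels a few policy domains (names taken from the threat matrix legend, the numeric levels are an assumption) and flags inter-domain channels the model forbids, i.e. the kind of communications risk the later CPNet slides look for.

```python
# Added example, not from the deck: the FARES Simple Communications Model
# (no read up, no write down, no write up in integrity, no execute up in
# integrity) as an access check over labelled policy domains.
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    confidentiality: int  # higher = more sensitive
    integrity: int        # higher = more trusted


# Constructed labels (assumption): domain names echo the threat matrix legend.
DOMAINS = {
    "Public": Label(confidentiality=0, integrity=0),
    "General User": Label(confidentiality=1, integrity=1),
    "Core": Label(confidentiality=3, integrity=3),
}


def violations(subject: Label, obj: Label, op: str) -> list:
    """Return the model rules a request breaks; an empty list means allowed."""
    broken = []
    if op == "read" and obj.confidentiality > subject.confidentiality:
        broken.append("read of object with higher confidentiality")
    if op == "write":
        if obj.confidentiality < subject.confidentiality:
            broken.append("write to object with lower confidentiality")
        if obj.integrity > subject.integrity:
            broken.append("write to object with higher integrity")
    if op == "execute" and obj.integrity > subject.integrity:
        broken.append("execute of subject with higher integrity")
    return broken


def is_allowed(src: str, dst: str, op: str) -> bool:
    return not violations(DOMAINS[src], DOMAINS[dst], op)


def risky_channels(channels):
    """Keep only the channels the model forbids, with the reason(s)."""
    return [(s, d, op, violations(DOMAINS[s], DOMAINS[d], op))
            for s, d, op in channels if not is_allowed(s, d, op)]


if __name__ == "__main__":
    # Constructed channel list, as a shallow link analysis might surface it.
    found = [("Public", "Core", "write"), ("Public", "Core", "read"),
             ("Core", "Public", "read"), ("General User", "Core", "execute")]
    for s, d, op, why in risky_channels(found):
        print(f"{s} -> {d} ({op}): {'; '.join(why)}")
```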
20
Shallow Link Analysis Showing Inter-Domain
Communication Channels from the Public Domain -
Possible Risk
21
CPNets Used to Map Inter-Domain Communications
Processes/Flows - Pre
Is a Communications Risk Present Between the
Public Domain and the Core?
22
CPNets Used to Map Inter-Domain Communications
Processes/Flows - Post
Protection in Place from Firewall and Filtering
Router - No Risk Present
23
Shallow Link Analysis Showing Threats and
Vulnerabilities Forming a Privacy Risk
Diagram labels: Vulnerability, Threat, Risk Orb (vi, t, vj)
24
The Forensic Issues
  • FARES uses forensic techniques developed for
    incident post mortems
  • Tools include EnCase Enterprise Edition and
    ProDiscover for host data collection
  • Hypothesizes threats against policy domains and
    analyzes impacts using forensic techniques
      • What would a forensic investigator find if an
        incident succeeded?
  • Seeks to mitigate the consequences of a threat
    and, using theoretical forensics, analyzes
    countermeasures to determine their success

25
What to Expect During a FARES Review On-Site
Portion
  • Access to accurate network maps is a core
    requirement
  • Analysts use tools to verify accuracy of network
    maps
  • Interviews to uncover policy domains, data flow
    patterns, threats and business impacts
  • Interviews to identify applicable laws,
    regulations and policies
  • Gathering of detailed configuration data from
    appropriate devices
  • Traditional vulnerability scans of demark to the
    public Internet

26
What to Expect During a FARES Review Off-Site
Portion
  • Development of policy domain models
      • Models policy domain activities, not the domains
        themselves
  • Modeling of threats as determined during on-site
    portion of the process
  • Simulation of policy domain activity and the
    interactions between policy domains
      • Considers data flows, in-place controls, etc.
  • Application of threat models against policy
    domain models followed by simulation
  • Imposition of safeguards and further simulation

27
Results to Expect from a FARES Review
  • Clear picture of enterprise activity from a
    security and policy perspective
  • Clear picture of threats against current state of
    the enterprise
  • Mapping of enterprise behavior against applicable
    regulations, laws and local policies
  • Gap analysis between current state and desired
    future state
  • Recommendations for appropriate safeguards
      • Countermeasures, preventive controls and
        detective controls

28
After the FARES Review Ongoing Maintenance
  • Models updated as the enterprise changes
  • Models updated as threats change
  • New simulations may suggest new safeguards
  • Spot tests of enterprise security using
    traditional methods may help verify success and
    improve comfort levels of management
  • Formal post-incident root cause analysis (post
    mortem) of any successful breaches
      • Enabled by existing enterprise models

29
Coming Soon Quantitative Analysis
  • Will allow analysts to answer 3 important
    questions about qualitatively identified risks
      • What is the probability, based upon global
        actuarial data for my industry, that this risk
        will produce an impact on my business?
      • If this threat produces an impact, as a
        percentage of a standardized set of metrics for
        my industry, what is my loss exposure?
      • As of the last update to my IT risk profile, what
        is my current loss exposure and what probability
        is attached to it?

30
QUESTIONS ?