Upload
lemien
View
221
Download
0
Embed Size (px)
Citation preview
Working Together to Build Confidence
Cybersecurity & Risks Analysis
Djenana Campara Chief Executive Officer
Member, Object Management Group Board of Directors
Co-Chair, System Assurance Task Force
2
Cyber Security
Trust in System’s ability to Execute Trusted Behavior
Only and to Prevent Malicious Attacks
with
objective to
Protect Information, Assets & Services Against
Compromise
12/6/2016 (c) KDM Analytics Inc.
OMG Security Community Focus
• Systematic Threat Risk & Vulnerability Analysis (TRV) Unique, cost-effective approach Automated analysis Supported by integrated tools
3 12/6/2016 (c) KDM Analytics Inc.
4
Threat, Risk and Vulnerability Analysis (TRV)
How system can be attacked?
What is the impact of successful attacks?
What are the Vulnerabilities that are exploited by successful attacks?
Goal: Risk Assessment Methodology within the RMF that is systematic, objective and allows automation and that can answer a tough question: How do we know that all threats have been addressed
Risk
It Starts by Understanding …
12/6/2016 (c) KDM Analytics Inc.
Failing to understand ALL threats …
5
• Not enough to trust credentials
• Firewall is no longer sufficient protection
• Ignorance MUST NOT be an option • Organized Crime • Smart and
knowledge sharing Hackers
Effective threat mitigation can only be achieved through identifying, analyzing, classifying and understanding the threat and related risk: Cause & Effect
12/6/2016 (c) KDM Analytics Inc.
The Challenge: Where are the Vulnerabilities
05/12/2016 6
• The point of entry to the system is the individual user
• The actual security perimeter is often much larger than anticipated
• Stakeholders often accept risk that they are not aware of
The researcher successfully hacked the principal system on-boards like ADS-B and ACAR
POSTED IN SCADA / ICS SECURITY ON APRIL 8, 2014
(c) KDM Analytics Inc.
7
Undiscovered Vulnerabilities can Result in Massive Losses
• STUXNET - Sophisticated, multilevel targeted attack on SCADA system resulted in modification of system’s behavior
– layered attack against three different systems initially exploiting four zero-day vulnerabilities within Windows systems and using it as spring board to install itself on PLC devices unnoticed with aim to periodically modify the frequency and thus affects the operation of the connected motors by changing their rotational speed and leading to destruction of centrifuges
• A cyberattack against Polish flagship carrier LOT grounded more than 1,400 passengers at Warsaw’s Frederic Chopin Airport (June 2015)
– The airline said in a statement on its website that the “IT attack” meant it was unable to create flight plans and flights were not able to depart from Warsaw.
• The International Civil Aviation Organization (ICAO) last year highlighted long-known vulnerabilities in a new aircraft positioning communication system, ADS-B, and called for a working group to be set up to tackle them
– Researchers have shown that ADS-B, a replacement for radar and other air traffic control systems, could allow a hacker to remotely give wrong or misleading information to pilots and air traffic controller
12/6/2016 (c) KDM Analytics Inc.
COMPREHENSIVE AND SYSTEMATIC RISK ANALYSIS
Overcoming the Challenge
8 12/6/2016 (c) KDM Analytics Inc.
Examining Existing Risk Management Methodologies: Providing Assurance & Automation?
• ISO/IEC 13335 • ISO/IEC 15408 • ISO/IEC 15443 • ISO/IEC 27001 • CRAMM (UK) • EBIOS (France) • Mehari (France) • Magerit (Spain) • HTRA (Canada) • NIST SP-800-30 (US) • Octave (SEI CMU) • RiskAn (Czech Rep) • Microsoft Threat Analysis Methodology • Open Group FAIR • & others
Challenges: 1) no interoperability (an issue in a
coalition context) 2) few approaches deal with discernable
concepts to be automatable 3) few approaches are systematic enough to provide assurance
9 12/6/2016 (c) KDM Analytics Inc.
“Ingredients” of risk (ISO 15408)
10 12/6/2016 (c) KDM Analytics Inc.
Assurance through vulnerability detection
11 12/6/2016 (c) KDM Analytics Inc.
Assurance through asset protection
12 (c) KDM Analytics Inc. 12/6/2016
Assurance through standard controls
13 (c) KDM Analytics Inc. 12/6/2016
Each step can be a reasonable starting point
14
Understand how system can be
attacked
Understand impact of vulnerabilities
Identify vulnerabilities
in system
Understand entry points
12/6/2016 (c) KDM Analytics Inc.
Goal: Justifiable Risk Management
Justifiable risk management = end-to-end risk mitigation assurance
15 (c) KDM Analytics Inc. 12/6/2016
16 (c) KDM Analytics Inc.
Justifiable Risk Management: FORSA Methodology – Influenced by Standard Efforts
• Achieving justifiable risk management requires a methodology that – Is systematic (can enumerate all threats) – Deals with discernable concepts – Considers assurance (can provide confidence and justification)
• We selected most suitable methodologies, combined them and further
enhanced to – Fully support assurance – Support import of structured Enterprise operational views (e.g. DoDAF/UAF) – Support automation of the methodology steps
• Including multi-stage attack identification
FORSA: - Fact Oriented - Repeatable - Security - Assurance
12/6/2016
Methodology describes the sequence of steps
Identified Risks
How ?
Who cares ? Assets and Targets
Owners and criteria sensitivity
Undesired events, Operational Impact severity Attack scenarios
Likelihood
What to do about it ? Controls, mitigation options
By who ? and Why ?
Threat Sources
So what ?
To what ?
(c) KDM Analytics Inc. 17 12/6/2016
FORSA STEPS
The corresponding FORSA steps
What?
How?
Analysis of valuables, sensitivities and Impacts => severity
Analysis of targets, Entries and attacks => likelihood
1. Operational Context Identification 2. System Facts 3. Asset Identification 4. Undesired Event Identification 5. Attack Group Identification 6. Threat Scenario Analysis 7. Safeguard Identification 8. Vulnerability Analysis 9. Risk Identification 10. Risk Analysis
Enterprise Architecture
Risk
FORSA STEPS
The sequence of steps is designed to increase confidence, and therefore increase assurance
(c) KDM Analytics Inc. 18 12/6/2016
Results of Justifiable Risk Analysis
ID Description Severity Likeli-hood
Level Resi-dual
Confi-dence
R01 Hacker gains access to confidential assets by information gathering on stored files
high high high low 80%
R02 Targeted virus or timebomb affects integrity or availability of network by attacking programmable node
high high high low 80%
R03 Hacker subverts node by remote attack exploiting vulnerabilities in programmable node’s code
high medium high low 80%
R04 Hacker subverts programmable node by remote attack exploiting vulnerabilities in system software on programmable node
high medium medium low 80%
R05 Criminal learns about forensic activity by attacking software on programmable node
medium high medium low 80%
R06 Targeted virus or timebomb affects availability of other assets by attacking software on programmable node
medium high medium low 80%
R07 Malicious user subverts programmable node by locally attacking node’s code
medium low medium low 70%
19 (c) KDM Analytics Inc. 12/6/2016
20 (c) KDM Analytics Inc.
Risk Assessment Methodology Driven by the Assurance Case
Assurance Case
System Facts
Assurance Process
Risk Metamodel
Assurance Case is structured according to the Risk Metamodel
Assurance Case provides guidance on how to collect evidence
Risk Metamodel describes evidence
Assurance Process delivers evidence
Risk Metamodel describes evidence
System Facts are evidence to the Assurance Case
e.g. operational facts from DoDAF/UAF
Supported by inference rules, Uses generic taxonomies
• Integrating System Assurance into Risk Assessment Methodology • Utilizing Assurance Case to deliver Risk Assessment • Automating end-to-end process
12/6/2016
Unique Approach – Influenced by Standard Efforts
21 (c) KDM Analytics Inc.
•National Vulnerability Database •Compliance Specifications •Fault Patterns •Code Security Defects •Threat-Risk Analysis models
Cybersecurity Knowledge
KDM Blade
Threat Risk Analysis Reports
CONOPS Software System
• threat scenarios • undesired events • system vulnerabilities • safeguards • prioritized risk
Collection of facts A top-down, operational risk analysis producing a quantitative risk report, including risk distribution by component, business assets and threats; associated vulnerability characteristics A bottom-up, targeted vulnerability analysis producing a quantitative residual risk focused on deep analysis of the riskiest components identified/prioritized in the top-down risk report
Effective measurement, prioritization and mediation of the assurance risks posed by system vulnerabilities
12/6/2016
22
Ecosystem Foundation: Common Fact Model Data Fusion & Semantic Integration
Risk Analysis OTRM (Situational awareness)
ISO 15026 SACM GSN/CEA
UPDM/UAF SysML
SFPM/SFP SCAP/CVE Note: SFPs are created using SBVR standard
KDM/ISO 19506 KDM/ISO 19506
Tools integration possible only through standards 12/6/2016 (c) KDM Analytics Inc.
Top Down Operational Risk Analysis
Risk Manager Engine
Risk Knowledge Base
1
DoDAF/UAF
Enterprise Architecture
Risk Assessment
Report
Risk Analyst “in a box”
Manual Adjustments or Manual
Input
Blade Risk Manager
Automatically extracted
facts
4
5
DoDAF Analytics
score & feedback
2
3
7
GUI 6
Manual Input option if no structured data available
1a
(c) KDM Analytics Inc. 23
Risk Report includes: • Constructed risk statements & calculated risk • Constructed risk distribution by components, business assets, and threats • Identified associated vulnerability characteristics
12/6/2016
Bottom Up Vulnerability Analysis: Cost-effective, Targeted
TOIF normalized
data
Raw data
TOIF associated with risks through
SFP &
operational context
TOIF associated with entry points and
attack vectors
Manually validated findings
Evidence & counterevidence to risk statements
Stronger evidence & counterevidence
Because of the filtering – may apply noisier tools for better coverage and
assurance
Normalized data
Mul
tiple
vul
nera
bilit
y de
tect
ion
tool
s
Increased coverage overlaps=confidence
Low level of abstraction & overload, esp on binary code
TOIF
– To
ols O
utpu
t Int
egra
tion
Fram
ewor
k
(c) KDM Analytics Inc. 24
Risk statements obtained from top down risk analysis
12/6/2016
25
Lockheed Martin Case Study
• Identified standards and Frameworks are supported by tools • Lockheed Martin’s performed evaluations
– Structured Assurance Models • Bring structured order to chaos • Interrelated Claims – Arguments – Evidence between various sources of evidence
– System Risk Manager • Analysis of DoDAF model Operation, System, … Views • Automated Gap Assessments in Models • Threat Risk Assessment capability on DoDAF models
– Tools Output Integration Framework (TOIF) and Risk Analyzer tools have demonstrated
• Significant improvement in Software Flaw and Vulnerability assessments • Lower labor costs • Significantly lower tool costs
OMG System Assurance Modeling Tools can Reduce Security Engineering Life-cycle costs 20-50%.
12/6/2016 (c) KDM Analytics Inc.
26
Thank you
12/6/2016 (c) KDM Analytics Inc.