Security Analysis Part I: Basics

Ketil Stølen, SINTEF & UiO

CORAS 1

Acknowledgments

The research for the contents of this tutorial has partly been funded by the European Commission through the FP7 project SecureChange and the FP7 network of excellence NESSoS


Objectives for the three Lectures on Security Analysis

Classify security concepts

Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis in particular

Relate risk management to system development

Describe the different processes that risk management involves

Motivate and illustrate model-driven security risk analysis (or security analysis, for short)

Demonstrate the use of risk analysis techniques


The three Lectures on Security Analysis

Part I : Basics

Part II : Example-Driven Walkthrough of the CORAS Method

Part III : Change Management


Overview of Part I

What is security?

What is risk?

What is risk management?

Central terms

What is CORAS?

Main concepts

The CORAS process

Risk modeling

Semantics

Likelihood reasoning

The CORAS tool


What is Security Analysis?

Security analysis is a specialized form of risk analysis focusing on security risks


What is Security?

Security has four aspects: confidentiality, integrity, availability and accountability.

Confidentiality: Only authorised actors have access to information

Integrity: Only authorised actors can change, create or delete information

Availability: Authorised actors have access to information they need when they need it

Accountability: It is possible to audit the sequence of events in the system


Security is more than Technology

From a technical standpoint, security solutions are available – but what good is security if no one can use the systems?

Security requires more than technical understanding

Security problems are often of non-technical origin

A sound security evaluation requires a uniform description of the system as a whole: how it is used, the surrounding organisation, etc.


Security – Part of System Development

Security is traditionally added as an “afterthought”

Solutions often reactive rather than proactive

Security issues often solved in isolation

Costly redesign

Security not completely integrated

Enforcing security only at the end of the development process “by preventing certain behaviors...may result in a so useless system that the complete development effort would be wasted” [Mantel'01].

“It would be desirable to consider security aspects already in the design phase, before a system is actually implemented, since removing security flaws in the design phase saves cost and time” [Jürjens'02].


In what way is “Security” related to

safety

reliability

dependability

maintainability

data protection

privacy

trustworthiness

trust

public key infrastructure based on a trusted third party

authentication and authorization


Translation of Terminology (English to Norwegian)

asset: aktivum (noe med verdi, i.e. something of value)

threat: trussel

unwanted incident: uønsket hendelse

risk: risiko

vulnerability: sårbarhet

consequence: konsekvens

probability: sannsynlighet

frequency: frekvens/hyppighet

treatment: behandling


What is Risk?

Many kinds of risk:

Contractual risk

Economic risk

Operational risk

Environmental risk

Health risk

Political risk

Legal risk

Security risk


Definition of Risk from ISO 31000

Risk: Effect of uncertainty on objectives

NOTE 1 An effect is a deviation from the expected — positive and/or negative

NOTE 2 Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process)

NOTE 3 Risk is often characterized by reference to potential events and consequences, or a combination of these

NOTE 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence

NOTE 5 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of an event, its consequence, or likelihood


What is Risk Management?

Risk management: Coordinated activities to direct and control an organization with regard to risk [ISO 31000:2009]


Figure: the risk management process. Establish the context; Identify risks; Estimate risks; Evaluate risks (these three steps make up risk assessment); Treat risks. Communicate and consult, and Monitor and review, run alongside all steps.


Risk Analysis Involves

Determining what can happen, why and how

Systematic use of available information to determine the level of risk

Prioritization by comparing the level of risk against predetermined criteria

Selection and implementation of appropriate options for dealing with risk


Terms

Figure: the basic terms asset, vulnerability, threat and risk; risk treatment has to be introduced to obtain a reduced risk.

Terms

Figure: the terms illustrated on an example. A worm (threat) arriving from the Internet reaches a computer running Outlook through a vulnerability (marked V); the unwanted incident is an infected PC, with infected mail sent to all contacts; the risk is stated as infected twice per year; the treatment is to install a virus scanner.

Security Analysis Using CORAS


Overview

What is CORAS?

Main concepts

Process of eight steps

Risk modeling

Semantics

Calculus

Tool support

Further reading


What is CORAS?

CORAS consists of a method for risk analysis, a language for risk modeling and a tool for editing diagrams.

The method is a stepwise, structured and systematic process, directed by assets, with concrete tasks and practical guidelines.

The method is model-driven: models serve as the basis for the analysis and as documentation of its results.

CORAS is based on international standards.


Main Concepts

Figure: the conceptual model relating asset, vulnerability, threat, consequence, unwanted incident, likelihood, risk, party and treatment.

Definitions

Asset: Something to which a party assigns value and hence for which the party requires protection

Consequence: The impact of an unwanted incident on an asset in terms of harm or reduced asset value

Likelihood: The frequency or probability of something to occur

Party: An organization, company, person, group or other body on whose behalf a risk analysis is conducted

Risk: The likelihood of an unwanted incident and its consequence for a specific asset

Risk level: The level or value of a risk as derived from its likelihood and consequence

Threat: A potential cause of an unwanted incident

Treatment: An appropriate measure to reduce risk level

Unwanted incident: An event that harms or reduces the value of an asset

Vulnerability: A weakness, flaw or deficiency that opens for, or may be exploited by, a threat to cause harm to or reduce the value of an asset


Exercise I

How would you represent risk in UML sequence diagrams?


Process of Eight Steps

1. Preparations for the analysis
2. Customer presentation of the target
3. Refining the target description using asset diagrams
4. Approval of the target description
5. Risk identification using threat diagrams
6. Risk estimation using threat diagrams
7. Risk evaluation using risk diagrams
8. Risk treatment using treatment diagrams

Figure: the steps grouped into three phases: establish context, assess risk and treat risk.

Risk Modeling

The CORAS language consists of five kinds of diagrams:

Asset diagrams

Threat diagrams

Risk diagrams

Treatment diagrams

Treatment overview diagrams

Each kind supports concrete steps in the risk analysis process. In addition there are three kinds of diagrams for specific needs:

High-level CORAS diagrams

Dependent CORAS diagrams

Legal CORAS diagrams


Example: Threat Diagram

Figure: a CORAS threat diagram. The threat Computer virus exploits the vulnerability Virus protection not up to date to initiate the threat scenario Server is infected by computer virus [possible], which leads to the unwanted incident Server goes down [unlikely] with conditional likelihood 0.2, impacting the asset Availability of server. The diagram also contains the threat scenario Virus creates back door to server [possible], the threat Hacker, the unwanted incident Hacker gets access to server [unlikely], the assets Integrity of server and Confidentiality of information, and a second conditional likelihood 0.1. Legend: Vulnerability, Threat, Threat scenario, Unwanted incident, Asset, Likelihood, Consequence.

Semantics

How to interpret and understand a CORAS diagram? Users need a precise and unambiguous explanation of the meaning of a given diagram.

Natural language semantics: CORAS comes with rules for systematic translation of any diagram into sentences in English

Formal semantics: semantics in terms of a probability space on traces


Example

Elements

Computer virus is a non-human threat.

Virus protection not up to date is a vulnerability.

Threat scenario Server is infected by computer virus occurs with likelihood possible.

Unwanted incident Server goes down occurs with likelihood unlikely.

Availability of server is an asset.

Relations

Computer virus exploits vulnerability Virus protection not up to date to initiate Server is infected by computer virus with undefined likelihood.

Server is infected by computer virus leads to Server goes down with conditional likelihood 0.2.

Server goes down impacts Availability of server with consequence high.


Calculus for Likelihood Reasoning

Relation

Mutually exclusive vertices

Statistically independent vertices


Guidelines for Consistency Checking
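As an added example (not code from the CORAS tutorial or the CORAS tool) tying together the natural-language semantics, the likelihood calculus and consistency checking of the last three slides: a small threat-diagram model that renders the English sentences of the semantics example and propagates likelihoods along "leads to" relations to check the assigned likelihood of the unwanted incident. The diagram contents are those of the semantics example; the numeric likelihood scale, the overlap-based consistency check and the function names are assumptions made here, and computed_interval generalizes to several incoming relations (summed, as for mutually exclusive vertices) although the example has only one.

```python
from dataclasses import dataclass, field
# Constructed likelihood scale (not CORAS's): name -> [low, high) frequency per year.
SCALE = {"unlikely": (0.0, 0.1), "possible": (0.1, 1.0), "likely": (1.0, 10.0)}

@dataclass
class Diagram:
    vertices: dict = field(default_factory=dict)   # name -> (kind, likelihood)
    initiates: list = field(default_factory=list)  # (threat, vulnerability, scenario)
    leads_to: list = field(default_factory=list)   # (source, target, conditional likelihood)
    impacts: list = field(default_factory=list)    # (incident, asset, consequence)

    def add(self, kind, name, likelihood):
        self.vertices[name] = (kind, likelihood)

    def sentences(self):
        """Natural-language semantics: one English sentence per element and relation."""
        out = [f"{kind.capitalize()} {name} occurs with likelihood {lik}."
               for name, (kind, lik) in self.vertices.items()]
        out += [f"{t} exploits vulnerability {v} to initiate {s} with undefined likelihood."
                for t, v, s in self.initiates]
        out += [f"{s} leads to {d} with conditional likelihood {c}." for s, d, c in self.leads_to]
        out += [f"{i} impacts {a} with consequence {c}." for i, a, c in self.impacts]
        return out

    def computed_interval(self, target):
        """Relation rule: source likelihood times conditional likelihood; several
        sources are summed, which is the rule for mutually exclusive vertices."""
        lo = hi = 0.0
        for s, d, c in self.leads_to:
            if d == target:
                slo, shi = SCALE[self.vertices[s][1]]
                lo, hi = lo + slo * c, hi + shi * c
        return lo, hi

    def consistency(self):
        """Assumed check: the assigned interval must overlap the computed interval."""
        report = {}
        for name, (_, lik) in self.vertices.items():
            if any(d == name for _, d, _ in self.leads_to):
                clo, chi = self.computed_interval(name)
                alo, ahi = SCALE[lik]
                report[name] = clo < ahi and alo < chi
        return report

def example_diagram(incident_likelihood="unlikely"):
    """The elements and relations spelled out on the semantics example slide."""
    d = Diagram()
    d.add("threat scenario", "Server is infected by computer virus", "possible")
    d.add("unwanted incident", "Server goes down", incident_likelihood)
    d.initiates.append(("Computer virus", "Virus protection not up to date",
                        "Server is infected by computer virus"))
    d.leads_to.append(("Server is infected by computer virus", "Server goes down", 0.2))
    d.impacts.append(("Server goes down", "Availability of server", "high"))
    return d
```

With the constructed scale, possible [0.1, 1.0) times 0.2 gives [0.02, 0.2), which overlaps unlikely [0.0, 0.1), so the assigned value passes; assigning likely to the incident instead would be flagged as inconsistent.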


Tool Support

The CORAS tool is a diagram editor

Supports all kinds of CORAS diagrams

Suited for on-the-fly modeling during workshops

Ensures syntactic correctness

May be used during all the steps of a risk analysis: it documents input to the various tasks, supports selection and structuring of information during tasks, and documents the analysis results


Screenshot

Figure: screenshot of the CORAS tool, showing the pull-down menu, palette, tool bar, outline, canvas and properties window.

Where to Find the Tool

http://coras.sourceforge.net/

Open source


Mandatory Reading

Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen: Chapter 3 "A Guided Tour of the CORAS Method" in the book "Model-Driven Risk Analysis: The CORAS Approach", 2011. Springer. The chapter can be downloaded freely.

Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen: Risk Analysis of Changing and Evolving Systems Using CORAS, 2011. LNCS 6858, Springer. Pages 231-274.

ONLY FOR INF9150: Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen: Chapter 13 "Analysing Likelihood Using CORAS Diagrams" in the book "Model-Driven Risk Analysis: The CORAS Approach", 2011


Criticism from System Developers

The CORAS language is too simplistic

It is too cumbersome to use graphical icons


Criticism from Risk Analysts

What’s new with the CORAS language?

We have been using something similar for years, namely VISIO!


Exercise II

Discuss the statements made by the critics. Argue why the critics are wrong.