Security Assurance in Design, Implementation and Operation
Bo Cheng
Source: Special Pub 800-12 -- An Introduction to Computer Security: The NIST Handbook
Security Assurance - The Concept
• The degree of confidence one has that the security measures, both technical and operational.
• Not a true measure of how secure the system actually is.
• It is extremely difficult -- and in many cases virtually impossible -- to know exactly how secure a system is.
Accreditation
• Accreditation is a management official's formal acceptance of the adequacy of a system's security.
• A process used primarily within the federal government.
• A form of quality control.
• It forces managers and technical staff to work together to find workable, cost-effective solutions given security needs, technical constraints, operational constraints, and mission or business requirements.
When to Do Accreditation
• A computer system should be accredited before the system becomes operational, with periodic re-accreditation after major system changes or when significant time has elapsed.
• Even if a system was not initially accredited, the accreditation process can be initiated at any time.
Who & What
• Who needs to be assured?
  • The management official who is ultimately responsible for the security of the system.
• What types of assurance can be obtained?
  • Design assurance
  • Implementation assurance
  • Operational assurance
Design and Implementation Assurance
• Addresses the quality of security features built into systems:
  • Whether the features of a system, application, or component meet security requirements and specifications.
  • Whether they are well designed and well built.
• Examines system design, development, and installation.
• Associated with:
  • The development/acquisition and implementation phase of the system life cycle.
  • The rest of the life cycle, as the system is modified.
Testing and Certification
• Testing can address the quality of the system as built, as implemented, or as operated.
• Two common testing techniques:
  • Functional testing (to see if a given function works according to its requirements), or
  • Penetration testing (to see if security can be bypassed).
• Testing ranges from trying several test cases to in-depth studies using metrics, automated tools, or multiple detailed test cases.
• Certification is a formal process for testing components or systems against a specified set of security requirements.
  • Normally performed by an independent reviewer.
Operational Assurance
• Addresses:
  • Whether the system's technical features are being bypassed or have vulnerabilities.
  • Whether required procedures are being followed.
• Two basic methods to maintain operational assurance:
  • A system audit: a one-time or periodic event to evaluate security.
    • May examine an entire system for the purpose of reaccreditation.
    • May investigate a single anomalous event.
  • Monitoring: an ongoing activity that checks on the system, its users, or the environment.
The Auditing Process
• Less formal audits are often called security reviews.
• Can be self-administered or independent (either internal or external).
• Two types of automated tools are used to help find a variety of threats and vulnerabilities:
  • Active tools: find vulnerabilities by trying to exploit them.
  • Passive tests: only examine the system and infer the existence of problems from the state of the system.
• Not taking advantage of these tools puts system administrators at a disadvantage.
The Monitoring Process
• Review of System Logs
• Automated Tools
  • Virus scanners: check for virus infections.
  • Checksumming: presumes that program files should not change between updates.
  • Password crackers: check passwords against a dictionary (either a "regular" dictionary or a specialized one with easy-to-guess passwords) and also check if passwords are common permutations of the user ID.
  • Integrity verification programs: can be used by applications to look for evidence of data tampering, errors, and omissions.
  • Intrusion detectors: analyze the system audit trail, especially log-ons, connections, operating system calls, and various command parameters, for activity that could represent unauthorized activity.
  • System performance monitoring: analyzes system performance logs in real time to look for availability problems, including active attacks (such as the 1988 Internet worm) and system and network slowdowns and crashes.
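The checksumming item above, worked as an added example (not part of the original slides): a baseline of SHA-256 digests is taken after an update and compared later. The file names and contents are constructed, and the baseline is assumed to be kept somewhere the monitored host cannot rewrite.

```python
import hashlib
import os
import tempfile

def build_baseline(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            baseline[os.path.relpath(path, root)] = digest.hexdigest()
    return baseline

def compare(baseline, current):
    """Report files whose content changed, appeared, or vanished since baseline."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed scenario: three stand-in program files, then tampering."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("login", "ls", "ps"):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(b"release-1.0 " + name.encode())
        baseline = build_baseline(root)  # taken right after the "update"

        # Replace login with same-length content and restore its timestamps,
        # so a size or mtime comparison alone would report no change.
        target = os.path.join(root, "login")
        before = os.stat(target)
        with open(target, "wb") as fh:
            fh.write(b"release-1.0 l0gin")
        os.utime(target, ns=(before.st_atime_ns, before.st_mtime_ns))
        os.remove(os.path.join(root, "ps"))
        with open(os.path.join(root, "helper"), "wb") as fh:
            fh.write(b"unexpected file")
        return compare(baseline, build_baseline(root))

if __name__ == "__main__":
    print(demo())
```

Because the comparison is on content digests, the replaced file is reported even though its size and modification time match the original.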
Incident Response
Bo Cheng
Sources:
• Special Pub 800-61, Computer Security Incident Handling Guide
• Incident Response and Computer Forensics, Second Edition. Chris Prosise, Kevin Mandia, Matt Pepe. McGraw-Hill, Paperback, 2nd edition, Published July 2003, 507 pages, ISBN 007222696X
Incident Handling (Incident Response)
• Incident: A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices.
• Incident Handling: The mitigation of violations of security policies and recommended practices.
  • Has become an important component of information technology (IT) programs.
• An incident response capability:
  • Detecting incidents,
  • Minimizing loss and destruction,
  • Mitigating the weaknesses that were exploited, and
  • Restoring computing services.
Seven components of incident response
Incident Occurs: Point-In-Time or Ongoing
• Pre-Incident Preparation
• Detection of Incidents
• Initial Response
• Formulate Response Strategy
• Investigate the Incident
  • Data Collection
  • Data Analysis
• Reporting
• Resolution
  • Recovery
  • Implement Security Measures
Pre-incident Preparation (1/2)
• Preparing the Organization:
  • Implementing host-based security measures.
  • Implementing network-based security measures.
  • Training end users.
  • Employing an intrusion detection system (IDS).
  • Creating strong access control.
  • Performing timely vulnerability assessments.
  • Ensuring backups are performed on a regular basis.
Pre-incident Preparation (2/2)
• Preparing the CSIRT:
  • The hardware needed to investigate computer security incidents.
  • The software needed to investigate computer security incidents.
  • The documentation needed to investigate computer security incidents.
  • The appropriate policies and operating procedures to implement your response strategies.
  • The training your staff or employees require to perform incident response in a manner that promotes successful forensics, investigations, and remediation.
Detection of Incidents (1/2)
Company X
• Indicators:
  • IDS Detection of Remote Attack
  • Numerous Failed Logon Attempts
  • Logins into Dormant or Default Accounts
  • Activity during Nonworking Hours
  • Unfamiliar Files or Executable Programs
  • Altered Pages on Web Server
  • Gaps in Log Files or Erasure of Log Files
  • Slower System Performance
  • System Crash
• Functional Areas:
  • IDS
  • End User
  • Help Desk
  • System Administrator
  • Security
  • Human Resources
Detection of Incidents (2/2)
• Some of the critical details include the following:
  • Current time and date
  • Who/What reported the incident
  • Nature of the incident
  • When the incident occurred
  • Hardware/software involved
  • Points of contact for involved personnel
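Four of the indicators listed under Detection of Incidents (numerous failed logons, logons to dormant or default accounts, activity during nonworking hours, gaps in log files) can be checked mechanically. The following is an added example, not part of the original slides; the log format, the records, and every threshold and account name are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed local policy values; tune them to the site being monitored.
FAIL_LIMIT = 5                         # failures that make a "numerous" burst
FAIL_WINDOW = timedelta(minutes=5)     # ...when they fall inside this window
WATCHED_ACCOUNTS = {"guest", "admin"}  # dormant or default accounts
WORK_START, WORK_END = 8, 18           # working hours, 08:00 to 17:59
MAX_GAP = timedelta(hours=4)           # longest expected silence in the log

# Constructed records in a hypothetical format: time result account source
SAMPLE_LOG = """\
2003-07-14T08:58:10 OK alice 10.0.0.5
2003-07-14T09:05:00 FAIL bob 10.0.0.9
2003-07-14T09:05:02 FAIL bob 10.0.0.9
2003-07-14T09:05:04 FAIL bob 10.0.0.9
2003-07-14T09:05:06 FAIL bob 10.0.0.9
2003-07-14T09:05:08 FAIL bob 10.0.0.9
2003-07-14T10:30:00 OK carol 10.0.0.7
2003-07-14T16:45:00 OK guest 10.0.0.9
2003-07-14T19:40:00 OK alice 10.0.0.5
"""

def find_indicators(log_text):
    """Return (indicator, time, account, source) tuples found in the log."""
    events = []
    for line in filter(str.strip, log_text.splitlines()):
        stamp, result, account, source = line.split()
        events.append((datetime.fromisoformat(stamp), result, account, source))
    events.sort()
    hits, recent_fails = [], {}
    for when, result, account, source in events:
        if result == "FAIL":
            recent = [t for t in recent_fails.get(account, [])
                      if when - t <= FAIL_WINDOW] + [when]
            recent_fails[account] = recent
            if len(recent) == FAIL_LIMIT:  # report when the limit is reached
                hits.append(("numerous failed logons", when, account, source))
        elif account in WATCHED_ACCOUNTS:
            hits.append(("logon to dormant/default account", when, account, source))
        if not WORK_START <= when.hour < WORK_END:
            hits.append(("activity during nonworking hours", when, account, source))
    for earlier, later in zip(events, events[1:]):
        if later[0] - earlier[0] > MAX_GAP:
            hits.append(("gap in log", earlier[0], "-", "-"))
    return hits

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_LOG):
        print(*hit)
```

Each hit carries the time, account and source, which map onto the critical details to record when an incident is reported.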
Initial Response
• One of the first steps of any investigation is to obtain enough information to determine an appropriate response:
  • Assembling the CSIRT
  • Collecting network-based and other data
  • Determining the type of incident that has occurred
  • Assessing the impact of the incident
• Initial Response will not involve touching the affected system(s).
Formulate response strategy (1/3)
• Considering the Totality of Circumstances:
  • How many resources are needed to investigate an incident?
  • How critical are the affected systems?
  • How sensitive is the compromised or stolen information?
  • Who are potential perpetrators?
  • What is the apparent skill of the attacker?
  • How much system and user downtime is involved?
  • What is the overall dollar loss?
Formulate response strategy (2/3)
• Considering Appropriate Responses:
  • Incident: DoS Attack
  • Example: TFN DDoS attack
  • Response Strategy: Reconfigure router to minimize effect of the flooding.
  • Likely Outcome: Effect of attack mitigated by router countermeasures. Establishment of perpetrator’s identity may require too many resources to be worthwhile investment.
Formulate response strategy (3/3)
Response strategy options should be quantified with pros and cons related to the following:
• Estimated dollar loss.
• Network downtime and its impact on operations.
• User downtime and its impact on operations.
• Whether or not your organization is legally compelled to take certain action.
• Public disclosure of the incident and its impact on the organization’s reputation/business.
• Taking Action
  • Legal Action
  • Administrative Action
Investigate the Incident
• The investigation phase involves determining the who, what, when, where, how, and why surrounding an incident.
• A computer security investigation can be divided into two phases:
  • Data Collection
  • Forensic Analysis
Possible investigation phase steps
Data Collection
• Network-Based Evidence
  • Obtain IDS Logs
  • Obtain Existing Router Logs
  • Obtain Relevant Firewall Logs
  • Obtain Remote Logs from a Centralized Host (SYSLOG)
  • Perform Network Monitoring
  • Obtain Backups
• Host-Based Evidence
  • Obtain the Volatile Data during a Live Response
  • Obtain the System Time
  • Obtain the Time/Date Stamps for Every File on the Victim System
  • Obtain all Relevant Files that Confirm or Dispel Allegation
  • Obtain Backups
• Other Evidence
  • Obtain Oral Testimony from Witnesses
Analysis
1. Review the Volatile Data.
  • Review the Network Connections.
  • Identify Any Rogue Processes (Backdoors, Sniffers).
2. Analyze the Relevant Time/Date Stamps.
  • Identify Files Uploaded to the System by an Attacker.
  • Identify Files Downloaded or Taken from the System.
3. Review the Log Files.
4. Identify Unauthorized User Accounts.
5. Look for Unusual or Hidden Files.
6. Examine Jobs Run by the Scheduler Service.
7. Review the Registry.
8. Perform Keyword Searches.
Performing Forensic Analysis
[Diagram: forensic analysis tasks shown under two headings, Preparation of Data and Analysis of Data]
• Extract Email and Attachments
• Review Browser History Files
• Review Installed Applications
• Create File Lists
• Perform Statistical Data
• Partition Table
• File System
• Review Data Collected During Live Response
• Search for Relevant Strings
• Review all the Network-Based Evidence
• Create a Working Copy of all Evidence Media
• Perform Forensic Duplication
• Recover Deleted Data
• Perform File Signature Analysis
• Perform Software Analysis
• Identify and Decrypt Encrypted Files
• Recover Unallocated Space
• Identify Known System Files
• Perform File-by-File Review
• Perform Specialized Analysis
Reporting
• Some guidelines to ensure that the reporting phase does not become your CSIRT’s nemesis:
  • Document immediately
  • Write concisely and clearly
  • Use a standard format
  • Use editors