1 / 21

The Security Analysis Process

The Security Analysis Process. University of Sunderland CSEM02 Harry R. Erwin, PhD. Security Analysis is a Formal Process. You start by identifying the system (‘TOE’) and assets to be protected. Identify the security policies that must be enforced.

moral
Download Presentation

The Security Analysis Process

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. The Security Analysis Process University of Sunderland CSEM02 Harry R. Erwin, PhD

  2. Security Analysis is a Formal Process. • You start by identifying the system (‘TOE’) and assets to be protected. • Identify the security policies that must be enforced. • Define the trust relationships to be supported. • Perform a risk analysis to identify the threats. • Establish the assumptions of secure operation. • List the security objectives you must implement. • Define the resulting security functions (‘TSF’) to be provided. • Provide the detail, implement, and test.

  3. What are the Items to be Protected? • If you try to protect everything, you protect nothing. • Can include data, equipment, reputation, and resources. • Take into account time. Any security can be broken with enough time and resources. So provide alarms and appropriate responses.

  4. Security Policies • The things you must do to avoid going to jail or losing your job. • Be realistic. • If you can’t secure what you need to secure, perhaps your management should reconsider building the system.

  5. Trust Relationships • You must understand trust to be able to secure a system and have the system be usable. • Trust should influence your security architecture.

  6. Risk Analysis • Be realistic. • Hackers are creative—don’t reject vulnerabilities out of hand. “Security by Obscurity” is not a solution. • Don’t try to protect everything, but don’t leave obvious holes.

  7. Assumptions of Secure Operation • “A statement of assumptions which are to be met by the environment of the TOE in order for the TOE to be considered secure.” (from the CCTool Manual) • Should be associated with individual security objectives to help you select your security requirements.

  8. CCTool • An expert system to help you develop protection profiles and security architectures. • Originally developed by NIAP (US Government). • A version updated to Java 5 (UoSTool) is available here at Sunderland. NIAP now directs people needing CCTool to us. • Download and run. • There are a number of possible MSc projects available based on it.

  9. The Security Mapping Process CCTool Manual

  10. Security Analysis Relationships CCTool Manual

  11. Security Objectives Result in Security Requirements CCTool Manual

  12. Designed to assist in this process. Provides recommended solutions. You can also add your own Threats Policies Assumptions Objectives Requirements Tailoring and testing the database for a specific applications area is a suitable MSc project. CCTool: What is it?

  13. Security Objectives • “The results of the analysis of the security environment can then be used to state the security objectives that counter the identified threats and address identified organizational security policies and assumptions. The security objectives should be consistent with the stated operational aim or product purpose of the system, and any knowledge about its physical environment.” CCTool Manual

  14. Where do you get Objectives? • The recommendations of your risk analysis. • The policy requirements, again translated into recommendations. • The trust relationships you need to enforce. Some of these objectives will be quite detailed. This is good, since it clarifies and channels your design.

  15. Intent of the Objectives • “The intent of determining security objectives is to address all of the security concerns and to declare which security aspects are either addressed directly by the system or by its environment. This categorization is based on a process incorporating engineering judgment, security policy, economic factors and risk acceptance decisions.” CCTool Manual

  16. How do you use the Objectives? • You analyze each in the context of your assumptions of secure operation to define your solution. • That produces things you must build or buy (functional requirements) and things you (or your vendor) must do (assurance requirements). • Having objectives allows you to trace your solution to the user’s requirements and justify its cost.

  17. Sources of Security Functional Requirements • “The CC and the associated security functional requirements are not meant to be a definitive answer to all the problems of IT security. Rather, the CC offers a set of well understood security functional requirements that can be used to create trusted products or systems reflecting the needs of the market. These security functional requirements are presented as the current state of the art in requirements specification and evaluation.” (CCTool Manual)

  18. Background Issues of Security Functional Requirements • “The IT security requirements are the refinement of the security objectives into a set of security requirements for the TOE and security requirements for the environment which, if met, will ensure that the TOE can meet its security objectives.” (CCTool Manual) • “The CC presents security requirements under the distinct categories of functional requirements and assurance requirements.” (CCTool Manual)

  19. How do You Use the Security Requirements? • The functional requirements describe what your security solution must do to allow you to operate safely. These can be compared to the functionality provided by vendor software and hardware. • The assurance requirements describe what development practices and testing the vendor must follow to assure the users that the functionality provided actually works.

  20. Role of Security Testing • “Security requirements generally include both requirements for the presence of desired behavior and requirements for the absence of undesired behavior. It is normally possible to demonstrate, by use or testing, the presence of the desired behavior. It is not always possible to perform a conclusive demonstration of absence of undesired behavior. Testing, design review, and implementation review contribute significantly to reducing the risk that such undesired behavior is present.” (CCTool Manual) • Note, penetration-testing is not necessarily required.

  21. Open Problems • Despite the emergence of a formal approach to the definition of security requirements, computer security has gotten worse, not better over the last 30 years. (See Karger and Schell, 1974 and 2002, links from the handbook) • K&S note that current secure systems are less secure than Multics, and “Multics, with its security enhancements, was only deemed suitable for processing in a relatively benign ‘closed’ environment.” • What they see missing is a verifiable security kernel to block professional hacker attacks using malicious software trapdoors. This is a currently emerging threat.

More Related