Copyright 2001 Marchany 1

Auditing Networks, Perimeters and Systems

Time-Based Security and STAR

Copyright 2001 Marchany 2

Unit 2: TBS & Star – Theory and Practice

TBS – Time Based Security

STAR – Security Targeting and Analysis of Risk

Copyright 2001 Marchany 3

How the day is going to go

Morning
– Principles and Theory
– Audit Process and Goals
– Time Based Security
– Putting it all together

Afternoon
– Audit in the Real World
– Using CIS Rulers to build audit plans
– Applying the process to systems
– Putting it all together

Copyright 2001 Marchany 4

The Course Goals

Construct a Security Checklist for your site.
– Unix
– NT

Use this methodology to develop a response to your internal auditors.

Have a repeatable method of defining the $$$ cost of implementing security features at your site.
– This method can be used over time to show trends

Develop a set of reports/matrices that can be used to quickly identify the security status of a host at your site.

Copyright 2001 Marchany 5

The General Audit Process

Audit Planning
– Review pertinent background info, research policies, prepare the audit program

Entrance Conference
– Meet w/IS group leaders to let them know what is going on and find out if there are any specific areas to check.

Fieldwork
– Visiting the IS systems and performing the steps listed in the audit program on a sample of systems.

Copyright 2001 Marchany 6

The General Audit Process

Preparing the Audit Report
– The report should:
• State what was done
• State the results of these actions
• Present recommendations
• Include in the appendices the audit checklists used to collect the data.

The Exit Conference
– Meet with the people from step 2 and review the results w/them. This is the time to clear up any misunderstandings. Refine the audit report and prepare the recommendations paper.

Report to Upper Management (CEO, CFO, CIO, VP)
– Present a summary report of the audit. Provide recommendations and implementation cost estimates.

Copyright 2001 Marchany 7

The Auditor’s Goals

Ensure assets are protected according to company, local, state and federal regulatory policies.

Determine what needs to be done to ensure the protection of the above assets.

Make life miserable for sysadmins… :-)
– Not really. They can save a sysadmin if a problem occurs.

Copyright 2001 Marchany 8

The Sysadmin’s Goals

Keep the systems up.
Keep users happy and out of our hair.
Keep auditors at arm’s length.
Get more resources to do the job properly.
Wear jeans or shorts to work when everyone else has to wear suits…

Copyright 2001 Marchany 9

The Sysadmin’s Audit Strategy

Turn a perceived weakness (the audit) into a strength (security checklists).

Develop a set of reporting matrices that can be used as audit reports or justification for security expenditures.

The above info can be used to help develop your incident response plan.

Copyright 2001 Marchany 10

Time Based Security

The Time Based Security Model provides:
• A methodology that a security officer can use to quantifiably test and measure the effectiveness of security measures.
• A set of matrices/reports that can be used by security professionals to assign a $ value to the cost. This figure can be given to mgt. to help them prioritize their security expenditures.
• Winn Schwartau’s book describes TBS. The following slides discuss his methodology.

Copyright 2001 Marchany 11

Time Based Security

Schwartau’s Simple Formula for TBS
– Protection (P) - the bank vault
– Detection (D) - the alarm system
– Reaction (R) - the police

Pt > Dt + Rt
• Pt - the amount of time the Protection system works
• Dt - the amount of time needed to detect the attack
• Rt - the amount of time needed to react to the attack

Copyright 2001 Marchany 12

Time Based Security

Pt > Dt + Rt (TBS Law)
– If the amount of protection time (Pt) you offer is greater than the sum of the detection time (Dt) and reaction time (Rt), then your systems can be considered secure.
– If the detection & reaction times are very fast then you don’t need as strong a Protection mechanism.

KEY: detect anomalous activity and respond ASAP!

Copyright 2001 Marchany 13

Time Based Security

TBS Corollary
– P < D + R

If it takes longer to detect and respond to an intrusion than the amount of protection time afforded by the protection device, P, then effective security is impossible.

Look at the specs for each of the components in your network architecture.

Copyright 2001 Marchany 14

Time Based Security

If Pt = Dt + Rt, then Pt implies an Exposure Time, E.
– E = D + R

You want D + R -> 0. As your detection & reaction speeds increase, the need for strong Protection decreases. Hmmm…

Fortress mentality dictates that P must be extremely high because D+R is really slow or non-existent.

Copyright 2001 Marchany 15

Measuring Security

Measure D+R (sec/min/hrs/day)

Assume the best: active logging, good AUP (Acceptable Usage Policy), decent IRP (Incident Response Policy)
• How long does it take to detect an event? (D=x)
• How long to notify affected parties? How long for them to analyze and respond? (R=y) Out of office? Out to lunch? How long to answer a page?
– How much damage could be done in D+R time?

Copyright 2001 Marchany 16

TBS Methodology

Assume P=0. Build the following matrix:
– Detection systems in place? No, then D= , E= and you have 100% exposure (E).
– Reaction system in place? No, then R= , E= and you have 100% system exposure (E).
– How long does the detection mechanism take to detect an attack? Answer in sec/min/hrs.

Copyright 2001 Marchany 17

TBS Methodology - Detection

– Once an attack is detected, how are you notified? Logs? Pager? Phone? Future audit trails?

– How long does the above take? (sec/min/hr/day)

• Sitting at your desk: _________

• When you’re at lunch: _______

• Break time: _______

• Headed home: _______

• Sleeping: _______

• At the movies: _______

Copyright 2001 Marchany 18

TBS Methodology - Reaction

– Once notified, how long does it take to do something about it? (sec/min/hrs/day)

• Sitting at your desk: _______

• At lunch: _______

• On break: _______

• Headed home: _______

• Sleeping: _______

– How long does it take to determine the cause/effect/solution? Include other folks

• Onsite: _____ Offsite: _____

Copyright 2001 Marchany 19

TBS Methodology - D+R

– Severe Attacks: How long does it take to get permission to take any/all steps to protect the net/assets, including shutting them down? _____

Add the best-case numbers: ______ s/m/h
Add the worst-case numbers: _____ s/m/h
Exposure Time (E) = ______ (best case) to _____ (worst case)

Copyright 2001 Marchany 20

Measure Exposure Time - E

Rule of Thumb: Bw (in bits) / 10 ≈ Bw (in bytes)
• Example: T-1: 1.54 Mb/s -> 154 KB/s = 9.2 MB/min

This gives: File Size / Bandwidth = Required Attack Time, or MB / (Mb/s) = Attack Time, or F/Bw = T = E (Exposure Time)

If the goal is file theft, the size of the target file F divided by the max. bandwidth of the network path Bw determines the amount of time T needed to get the info.

Copyright 2001 Marchany 21

Measure Exposure Time - E

This is one measure of risk. Info theft can be measured using T + the intrinsic value of the info. Remember, Bw could be the data transfer rate of a floppy or tape drive.

Example: A net has Exposure Time E = (D+R) = 10 minutes and a tape drive with a transfer rate of 6 GB/hr.
• T = 10 minutes = 1/6 hr, Bw = 6 GB/hr, F = Bw*T = 1 GB of data could be stolen before detection/reaction kills the attack.

Copyright 2001 Marchany 22

Measure Exposure - External

Bandwidth limiting is an effective response method.

Data Padding: pad the critical files so their size exceeds what can be copied out within E. Using the previous example:
– E = 10 min, Bw = 6 GB/hr.
• File Size F = Bw * T = 6 GB/hr * (1/6 hr) = 1 GB
• All critical files should be padded to 1 GB.
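The TBS arithmetic from the preceding slides (Pt > Dt + Rt, E = D + R, T = F/Bw, the bits-to-bytes rule of thumb and the data-padding target) as a small calculator. This is an added example, not code from the course; the function names are this example's own, and the sample values are the slides' T-1 and tape-drive figures.

```python
"""Time-Based Security (TBS) arithmetic from the slides: Pt > Dt + Rt, E = D + R,
T = F / Bw.  Function names are this example's own; sample values are the
slides' T-1 and tape-drive figures."""


def exposure_time(d: float, r: float) -> float:
    """E = D + R: the window an intruder has before detection and reaction complete."""
    return d + r


def tbs_secure(p: float, d: float, r: float) -> bool:
    """TBS law: the system counts as secure only while Pt > Dt + Rt (same unit for all)."""
    return p > exposure_time(d, r)


def bits_to_bytes_per_second(bw_bits_per_second: float) -> float:
    """Slide rule of thumb Bw(bits)/10 ~= Bw(bytes): 8 data bits plus framing overhead."""
    return bw_bits_per_second / 10.0


def attack_time(file_size: float, bandwidth: float) -> float:
    """T = F / Bw: time to move a file of size F over a path of bandwidth Bw (consistent units)."""
    if bandwidth <= 0:
        raise ValueError("bandwidth must be positive")
    return file_size / bandwidth


def stealable_volume(bandwidth: float, exposure: float) -> float:
    """F = Bw * T with T = E: how much data can leave before D+R kills the attack."""
    return bandwidth * exposure


def required_pad_size(bandwidth: float, exposure: float) -> float:
    """Data-padding target: a critical file at least this large cannot be copied out
    within E, so the theft is still in progress when the reaction lands."""
    return stealable_volume(bandwidth, exposure)


if __name__ == "__main__":
    # Slide example: T-1 at 1.54 Mb/s -> 154 KB/s -> about 9.2 MB/min
    t1 = bits_to_bytes_per_second(1.54e6)
    print(f"T-1: {t1 / 1e3:.0f} KB/s = {t1 * 60 / 1e6:.2f} MB/min")
    # Slide example: E = 10 min and a 6 GB/hr tape drive -> 1 GB gone before D+R completes
    e_hours = 10 / 60
    print(f"{stealable_volume(6.0, e_hours):.1f} GB stealable; pad critical files to "
          f"{required_pad_size(6.0, e_hours):.1f} GB")
    # Constructed check: Pt of 15 min against D = 5 min and R = 5 min satisfies the TBS law
    print("TBS law holds:", tbs_secure(p=15, d=5, r=5))
```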

Copyright 2001 Marchany 23

TBS - Integrity Attacks

Attacker’s Goal: make undetected, unauthorized changes to data

TBS analysis:
• Assume you’re an insider w/access to the net & system. How long does it take you to manually get to the target application? _____(s/m/h) How long would a script take to do the same? ______(s/m/h)
• Once logged into that application, how long does it take as a trusted user to make unauthorized changes to those records? ______(s/m/h)

Copyright 2001 Marchany 24

TBS - Integrity Attacks (cont)

• What steps would a knowledgeable user take to cover their tracks? How long does it take to effect those changes? _______ (s/m/h)

• Add up the times for manual & automatic navigation.

– This gives a target maximum value for E and provides a target guideline for D+R.

Copyright 2001 Marchany 25

TBS - Measure the $ Damage

Two Formulas: E = D+R, F/Bw = T
• If we know E, we can get F if E = T.
• If we know T, we can get E and D+R.

Coordinate w/Auditors & Mgt. and ask:
• If a critical file gets out, what would be the financial effect on the company?

• DoS attacks could cripple the company nets. What is the hourly/daily cost to the company if this happens?

• What is our legal liability if client records or employee records are compromised?

Copyright 2001 Marchany 26

TBS Asset Organization

Information Value
– Some info loses value over time. Example: advance notification, product announcements
– Some info’s value is still changing. Example: an idea before its time.

4 Categories of Info Assets
• Company Proprietary - product designs, pricing strategies, patents, source code, customer lists
• Private Employee - HR records, perf reviews, SSN

Copyright 2001 Marchany 27

TBS Information Assets

Information Asset Categories (cont)
• Customer Private - pricing info, purchase history, non-disclosure info
• Partner/Gov’t - info assets that don’t fit into the other categories

Risk Categories
• Critical - if it gets out, we’re out of business
• Essential - survivable but a major hit. It’ll hurt but we can spin back to normal
• Normal - may be embarrassing, disruptive only

Copyright 2001 Marchany 28

TBS Info Asset Matrices

Prepare matrices listing each asset and risk. Use the matrices to build an affordable, workable and maintainable security environment.

Prepare separate matrices for criticality (like above), integrity and availability.

Criticality   Co. Proprietary   Private Employee   Customer Private   Partner/Govt
Critical
Essential
Normal

Copyright 2001 Marchany 29

TBS Review Process

Identify and categorize the Info assets
Specify the logical locations of the assets
Identify the physical locations of the assets

The above info tells us:
• If critical assets are all over the place then your defenses are spread out and cost more
• If you have a single point of failure.
• Negligible info is mixed in with Critical info.

Some info has no place being on the net!

Copyright 2001 Marchany 30

Layered TBS

Assume your net has a Firewall, a fully patched OS on the DB server and an application password server (Oracle passwords) in place.

TBS variables
– E(db) - Overall Exposure time for the DB
– E(pw) - Exposure time for the Appl password
– E(os) - Exposure time for the server’s OS
– E(fw) - Exposure time for the FW

Copyright 2001 Marchany 31

Layered TBS

TBS Equations:

E(db) = P(pw) + E(fw) + E(os)
E(os) > D(os) + R(os)
E(fw) > D(fw) + R(fw)
E(pw) > D(pw) + R(pw)

The intruder needs to overcome E(pw), E(fw) and E(os) in order to get to the data, E(db).

Copyright 2001 Marchany 32

Layered TBS Conclusions

All assets are NOT created equal and they do NOT deserve equal protection.

Asset distribution by physical and logical separation is a security process, but it is performed under the network architecture and topology banner.

Design the killing zones, in other words.

Copyright 2001 Marchany 33

TBS Reaction Matrices

Goal: make D+R as small as possible
– A smaller R reduces the reliance on a higher P value.

R Components
– Notification - tells someone/something that a detection mechanism was triggered. Schwartau’s 3am rule: “notify someone” means “tell someone other than the boss who doesn’t want to be bothered at 3am”, which increases the R time.

Fill out the matrix with the target E, R or T times.
– This documentation is important since it helps mgt. understand the quantitative nature of TBS. The matrix is based upon the AUP, disaster recovery plans, and the amount of risk the org is willing to take - measured in EXPOSURE TIME - T

Copyright 2001 Marchany 34

TBS Reaction Matrix - I

Notification Means - REACTION            Desired Time   Predicted Time   Measured Time

During Work Hours
  email to desk at peak traffic times
  email to desk at off-hours
  email when not at desk
  pager with return # or 911
  pager with full message
  phone call to desk
  notify 2nd in charge

Non Business Hours
  email to home
  email when not at home
  pager with return # or 911
  pager with full message
  phone call to home

Copyright 2001 Marchany 35

TBS Reaction Matrix - II

Detected Event             Response             Desired Time   Measured Time
5 bad password attempts    Log/call sysadmin
Multiple Port Scan         Shoot person
Ping of Death              Reaction #30

The sysadmin represents the greatest room for error by making R unacceptably high. Why? People hesitate to make tough decisions like shutting down part of a net. The “sacrifice the pawn to save the king” strategy can be very risky if you don’t have policies in place and MGT support. Automated responses can eliminate this BUT I saw “Colossus: The Forbin Project”… :-)
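A reaction-matrix check in the spirit of Reaction Matrix I and II above, added here as an example and not part of the course material: each row's detection, notification and response times are summed to E and compared against a protection time Pt, so the rows that break the TBS law stand out. Row names, times and the Pt value are constructed.

```python
"""Reaction-matrix check: which notification/response paths push E = D + R past Pt.
Row names, timings and Pt below are constructed for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class MatrixRow:
    situation: str      # e.g. "pager with full message, sleeping"
    detect_s: float     # D: seconds until the detection mechanism registers the event
    notify_s: float     # part of R: seconds until a person or automation is told
    respond_s: float    # part of R: seconds until something is actually done

    @property
    def exposure_s(self) -> float:
        """E = D + R for this path, with R split into notify + respond."""
        return self.detect_s + self.notify_s + self.respond_s


def over_budget(rows, protection_s):
    """Situations where Pt > Dt + Rt fails, i.e. exposure reaches the protection time."""
    return [row.situation for row in rows if row.exposure_s >= protection_s]


def exposure_bounds(rows):
    """Best-case and worst-case E across the matrix, as the D+R worksheet asks for."""
    values = [row.exposure_s for row in rows]
    return min(values), max(values)


# Constructed sample matrix (all times in seconds)
SAMPLE_MATRIX = [
    MatrixRow("email to desk, sitting at desk", 30, 120, 300),
    MatrixRow("email to desk, at lunch", 30, 3600, 600),
    MatrixRow("pager with full message, sleeping", 30, 900, 1800),
    MatrixRow("automated response, no human in the loop", 30, 1, 5),
]

if __name__ == "__main__":
    pt = 1800  # constructed protection time: 30 minutes
    lo, hi = exposure_bounds(SAMPLE_MATRIX)
    print(f"E ranges from {lo:.0f}s (best case) to {hi:.0f}s (worst case); Pt = {pt}s")
    for situation in over_budget(SAMPLE_MATRIX, pt):
        print("  fails TBS law:", situation)
```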

Copyright 2001 Marchany 36

TBS Reaction Matrix

Questions the Reaction Matrix should answer:

• Is the attack real? What was the goal? Is it ongoing?

• Did the R-matrix come to the proper conclusion?

• Was the attack thwarted? Post-mortem analysis?

• What further steps are needed?

• Who did it?

Must be empowered by mgt. and policy to limit R. Necessary for TBS to work.

Copyright 2001 Marchany 37

TBS - Evaluating Protection

Previous slides used TBS to evaluate D+R.

Applying E=D+R to Access Control (User Logins)
– E = max. amt. of time needed to accomplish proper authentication.
– D = time needed to detect the authentication request and determine its authenticity.
– R = time needed for the detection module to trigger a PROCEED or STOP reaction.

Applying E=D+R to Enterprise Audit Trails
– D = time needed for an audit tool to record, analyze, transmit data.
– R = time it takes for the detection tool to trigger the reaction and how long the reaction takes.

Copyright 2001 Marchany 38

Course Revision History