Cyber Security Assessment of Enterprise-Wide Architectures
Slide 1
Cyber Security Assessment of Enterprise-Wide Architectures
Mathias Ekstedt, Associate Prof.
Industrial Information and Control Systems, KTH Royal Institute of Technology
Slide 2
Agenda
• Problem framing
  – Management/design challenge
  – Security metrics
• Cyber Security Modeling Language (CySeMoL)
  – What you see and what you get
  – Inside the box
Slide 3
Cyber security management is difficult!
CISO (etc.): "Is my control system secure enough?"
Which parameters decide cyber security?
• Interconnected
• Complex architecture and data flow
• Many vendors (incl. off-the-shelf components)
Slide 4
[Network architecture diagram: a geographically distributed process. Labels: SCADA LAN (A) with workstation for operators, SCADA server (online/standby), communication equipment (front-end), application servers, modem, advanced workstations, CLARiiON storage; communication networks to RTU / PLC automation systems for substations (B); system vendors; DMZ LAN with webserver and historic; office LAN; firewalls; ICCP link to other control centers; Internet / WAN.]
Any vulnerabilities? And where are they?
And how do vulnerabilities relate?
Slide 5
In practice, cyber security management and design have limited resources.
Should I spend my budget on: a training program for my staff, logging functionality, or network scanning?
Slide 6
Security assessment – how do you know..?
[Same network architecture diagram as slide 4, annotated with three ways of assessing it:]
• Theoretical metrics
• (Penetration) test
• Compliance
Slide 7
Current decision support
Security audits/penetration tests
+ Measures actual security
- Is only valid for the aspects that are studied
- Only valid for the competence of the auditor(s)
- Is only valid for a single point in time
- Does not capture all types of vulnerabilities
- Is not always viable (e.g. ICS, design phase)
Literature such as ISO/IEC standards
- Cumbersome to interpret and implement
- All-encompassing standards → abstract
- Detailed standards → unrelated knowledge islands
- Does not necessarily capture security
Slide 8
Cyber security metrics: a validity study of CWE/CVSS-based metrics
Vulnerability information combined into different system-level metrics.
[Diagram labels: cyber defense exercise net, vulnerability scanner, "Vulnerabilities ?", Snort]
Time from start of attack until successful compromise of that host → TTC (Time To Compromise)
t1 = 1400.3 s, t2 = 3000.2 s, TTC = t2 – t1
Slide 9
Cyber security metrics validity
Hannes Holm, Mathias Ekstedt, Dennis Andersson, Empirical analysis of system-level vulnerability metrics through actual attacks, IEEE Transactions on Dependable and Secure Computing, 2012
A better security estimation model is needed…
Slide 10
The life for our decision-maker in summary…
• Poor understanding of the system architecture configuration and its environment
• Poor understanding of how to achieve security in this complex environment
• Limited resources: time and money, organizational support
→ Requirements and constraints for this research
Slide 11
Agenda
• Problem framing
  – Management/design challenge
  – Security metrics
• Cyber Security Modeling Language (CySeMoL)
  – What you see and what you get
  – Inside the box
Slide 12
Attack and defense graphs
[Graph: attack steps Establish connection → Exploit → Execute arbitrary code → Access as root to operating system; the condition Vulnerability exist; the defenses Network intrusion detection system and Anti-malware. Every node is marked "?" (state unknown).]
Slide 13
Attack and defense graphs → Bayesian networks
[Same graph as slide 12, with the conditional probability table for the node Execute arbitrary code:]

| Exploit | Anti-malware | Network intrusion detection | P(Execute code = TRUE) |
|---|---|---|---|
| T | T | T | 0.21 |
| T | T | F | 0.32 |
| T | F | T | 0.41 |
| T | F | F | 0.7 |
| F | T | T | 0 |
| F | T | F | 0 |
| F | F | T | 0 |
| F | F | F | 0 |
Slide 14
Attack and defense graphs → Bayesian networks
[Same graph and conditional probability table as slide 13, now with evidence entered: several nodes, among them Vulnerability exist, are observed as T, while one node remains "?".]
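The conditional probability table above, worked as a small Bayesian-network computation; this is an added example, not code from the slides or from the CySeMoL tool. The CPT values are the slide's; the function names, the exploit probability 0.8 and the four defense scenarios are constructed for illustration, and entering evidence as on slide 14 corresponds to passing 1.0 or 0.0 for a parent.

```python
"""Added example: the slide's attack/defense graph as a tiny Bayesian network.
CPT for the node "Execute arbitrary code" copied from the slide; parents are
Exploit, Anti-malware and Network intrusion detection (NIDS)."""
from itertools import product

# CPT from the slide: (Exploit, Anti-malware, NIDS) -> P(Execute code = True)
CPT_EXECUTE_CODE = {
    (True, True, True): 0.21,
    (True, True, False): 0.32,
    (True, False, True): 0.41,
    (True, False, False): 0.70,
    (False, True, True): 0.0,   # no successful exploit, no code execution
    (False, True, False): 0.0,
    (False, False, True): 0.0,
    (False, False, False): 0.0,
}


def p_execute_code(p_exploit, p_antimalware, p_nids):
    """P(Execute code = True), marginalizing over uncertain parents.

    Each argument is P(parent = True). Evidence, as on the slide where nodes
    are observed as T, is the special case of passing 1.0 or 0.0."""
    total = 0.0
    for exploit, am, nids in product((True, False), repeat=3):
        weight = ((p_exploit if exploit else 1.0 - p_exploit)
                  * (p_antimalware if am else 1.0 - p_antimalware)
                  * (p_nids if nids else 1.0 - p_nids))
        total += weight * CPT_EXECUTE_CODE[(exploit, am, nids)]
    return total


def rank_scenarios(p_exploit, scenarios):
    """Rank defense scenarios, most secure (lowest P(Execute code)) first.

    scenarios maps a name to (p_antimalware, p_nids), mirroring the slides'
    use case of comparing architecture alternatives before spending budget."""
    scored = {name: p_execute_code(p_exploit, am, nids)
              for name, (am, nids) in scenarios.items()}
    return sorted(scored, key=scored.get)


if __name__ == "__main__":
    # Constructed sample input: the exploit is judged 80% likely to succeed.
    alternatives = {"no defenses": (0.0, 0.0), "anti-malware": (1.0, 0.0),
                    "NIDS": (0.0, 1.0), "both": (1.0, 1.0)}
    print(rank_scenarios(0.8, alternatives))
```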
Slide 15
Attacks and defenses – relation to assets
[Diagram attaching the attack steps (Establish connection, Exploit, Execute arbitrary code, Access as root), the condition Vulnerability exist and the defenses (Network intrusion detection system, Anti-malware) to the asset types Application, Service, Operating System, Network Interface and Network zone.]
Slide 16
Studies/topics covered by CySeMoL
Attacks/malicious activities:
• Zero-day discovery
• Memory corruption exploitation
• Web application exploitation (XSS, RFI, SQLi, command injection)
• Social engineering
• Code injection using removable media
• Password guessing (online/offline)
• Denial of service
• Man-in-the-middle
• Discovery of unknown entry-points
• …
Slide 17
Studies/topics covered by CySeMoL
Defenses:
• Network intrusion detection systems
  – Both detection and prevention-based
• Host intrusion detection systems
• Web application firewalls
• Anti-malware
• Firewalls
• Security training
• Encryption
• Software development best practice methods
• Network management (e.g., scanning, USB policy, etc.)
• …
Slide 18
The Cyber Security Modeling Language (CySeMoL)
[Overview diagram: Actual architecture → Modeled architecture (expressed in the Architecture language), as Scenario 1, Scenario 2, Scenario 3; Quantified theory → Analysis results]
Slide 19
CySeMoL screen shot
Slide 20
CySeMoL screen shot – attack success
Green – low probability; Yellow – medium probability; Red – high probability
Slide 21
CySeMoL screen shot – attack success in detail (same system model, but each attack step visualized individually)
Slide 22
Data sources
Parameters, relationships and dependency-structure:
• Literature, e.g. standards or scientific articles.
• Review and prioritization by external experts.
The probabilities:
• Logical necessities, e.g.: if the firewalls allow you to connect to A from B and you have access to B, then you can connect to A.
• Others' scientific studies, e.g. time-to-compromise for authentication codes and patch level vs patching procedures.
• Experts' judgments: own surveys to researchers and security professionals.
• Own experiments: lab and cyber defense exercises.
[The conditional probability table for Execute code from slide 13 is repeated here.]
Slide 23
Data from expert judgment
Review of variables to include in the scenarios, plus probabilities on scenarios:
• Finding unknown entry-points: 4 penetration testers.
• Finding unknown vulnerabilities: 18 researchers.
• Arbitrary code exploits: 22 penetration testers and researchers.
• Intrusion detection: 165 researchers.
• DoS: 50 researchers.
• Web application vulnerability discovery and defenses: 21 researchers and penetration testers.
Slide 24
Cooke's classical method for weighting experts
Find the "true expert", not the average of experts in general. (It is enough if one person knows the truth, if we can only identify that person…)
A knowledge test with a number of questions (~10). Respondents' weights are derived from their answers to these questions, based on whether they are
– calibrated/correct
– informative
This is "best practice".
Roger M Cooke, Experts in uncertainty: opinion and subjective probability in science, 1991
Slide 25
Survey example: Web application vulnerability discovery
Hannes Holm, Mathias Ekstedt, Teodor Sommestad, Effort estimates on web application vulnerability discovery, Hawaii International Conference on Systems Sciences (HICSS), 2013
Slide 26
Conducted experiments
• Signature-based network intrusion detection systems
• Network vulnerability scanners
• Phishing
Slide 27
Effectiveness of network intrusion detection
How effective is Snort at detecting known attacks? How effective is Snort at detecting zero-day attacks?
[Timeline around the rule set release: 183 attacks more novel than the rule set, 173 attacks less novel than the rule set]
Slide 28
Effectiveness of network intrusion detection – known attacks (results figure)
Slide 29
Effectiveness of network intrusion detection – zero-day attacks (results figure)
Slide 30
Validity and reliability
• CySeMoL has been validated on a component level through the studies used to create it.
• CySeMoL has been validated on a system level through a Turing-test.
Slide 31
Turing-test
[Screenshot of the CySeMoL model used in the Turing-test: an example architecture with Internet, office network and control center network zones separated by Cisco firewalls; a web server (IIS software product), an engineering server with an engineering database, and an application server; zone management process attributes (regular log reviews, regular security audits, formal change management process, automated patching procedures); attack steps annotated with their estimated success probabilities and defenses with their states.]

Results (mean and median):

| Assessor | Mean | Median |
|---|---|---|
| Pen-tester 1 | 3.3 | 4 |
| Pen-tester 2 | 2.8 | 3 |
| Pen-tester 3 | 3.3 | 3 |
| Pen-tester 4 | 3.2 | 3 |
| Pen-tester 5 | 1.8 | 2 |
| CySeMoL | 2.8 | 2.5 |
| Novice 1 | 2.2 | 2 |
| Novice 2 | 2.2 | 2 |
| Novice 3 | 2.5 | 2 |

Sommestad, Teodor, Mathias Ekstedt, and Hannes Holm. "The Cyber Security Modeling Language: A Tool for Assessing the Vulnerability of Enterprise System Architectures." IEEE Systems Journal, 2012.
Slide 32
In summary: what CySeMoL can do for you
Input: "This is (roughly) what my future system alternatives look like" → Scenario 1, Scenario 2, Scenario 3 → CySeMoL
Output: "Probably, I can't say for sure, but it seems as if scenario 2 is the most secure alternative"
Slide 33
More information
Please visit: www.ics.kth.se/cysemol