Practical Architecture Analysis
Internal Presentation, September 2013, V1
Phil Huggins
• Security Architect for large delivery programmes:
• Multiple projects
• Challenging stakeholders
• Large, complex systems
• Multi-year delivery
• 100+ people customer delivery teams
• 200+ people supplier delivery teams
• Security mattered
• Government
• Commercial
• Airport Terminal New Build
• Smart Metering for a Big6 UK Energy Supplier
• 7x UK Airports security refresh.
• UK Banking ecommerce infrastructure
• Cloud Software as a Service Provider

• Many sub-systems
• Multiple stakeholders and connecting parties
• Multiple COTS products
• Multiple unsupported OSOTS products
• System-specific glue code and configuration
• Business-specific logic and processes
• Shared data models
• SDLC doesn’t help for the majority of the vulnerabilities in the systems
[Figure labels: Trust Issues, Design Flaws, Software Bugs, Configuration Errors; Most Vulnerabilities]

• A measure of attackability NOT of vulnerability.
• Doesn’t look inside the box.
Michael Howard at Microsoft (2003)
Michael Howard & Jeanette Wing at Carnegie Mellon (2003)
• Relative Attack Surface Quotient
• 20 Attack Vectors (open sockets, weak ACLs, guest accounts etc)
• Channels
• Process Targets
• Data Targets
• Process Enablers
Pretty informal model
Needs an expert to apply to software not previously analysed

• Pratyusa Manadhata & Jeanette Wing at Carnegie Mellon (2004 – 2010)
• Positively correlated severity of MS Security Bulletins vulnerabilities with the following indicators:
• Method Privilege
• Method Access Rights
• Channel Protocol
• Channel Access Rights
• Data Item Type
• Data Item Access Rights
• Attackers use a Channel to invoke a Method and send or receive a Data Item

Methods
Privilege   Value   Access Rights     Value
System      5       AuthN Admin       4
Admin       4       AuthN Priv User   3
Priv User   3       AuthN User        2
User        1       UnAuthN           1
Attack Surface Contribution = Method Privilege Value / Method Access Rights Value

Channel
Protocol                      Value   Access Rights     Value
Raw Stack Access              5       AuthN Admin       4
Constrained Protocol Access   4       AuthN Priv User   3
Encoded Message Access        3       AuthN User        2
Signal Only                   1       UnAuthN           1
Attack Surface Contribution = Channel Protocol Value / Channel Access Rights Value

Data Type
Type                          Value   Access Rights     Value
Persistent Executable         5       AuthN Admin       4
Persistent File / Data Item   1       AuthN Priv User   3
                                      AuthN User        2
                                      UnAuthN           1
Attack Surface Contribution = Data Type Value / Data Type Access Rights Value

• Attack Surface Measurement = Sum of all Attack Surface Contributions
• Assumes probability of an exploitable vulnerability in a Method, Channel or Data Item is 1
• Comparing two boxes against each other or against differently configured versions of themselves is relatively easy.
• Beware: Similar attack surface scores may hide boxes with a small attack surface but a very high damage potential!
• Only considers attackability; no consideration of the impact of the attack
• This is not risk

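The scoring above, worked through in Python as an added example (not part of the original deck): it applies the three value tables to one box in two configurations and lists which entry points account for the change. The entry-point names and both configurations are constructed sample data.

```python
from dataclasses import dataclass
from fractions import Fraction

# Scales copied from the Methods, Channel and Data Type slides.
ACCESS_RIGHTS = {"AuthN Admin": 4, "AuthN Priv User": 3, "AuthN User": 2, "UnAuthN": 1}
SCALES = {
    "method": {"System": 5, "Admin": 4, "Priv User": 3, "User": 1},
    "channel": {"Raw Stack Access": 5, "Constrained Protocol Access": 4,
                "Encoded Message Access": 3, "Signal Only": 1},
    "data": {"Persistent Executable": 5, "Persistent File / Data Item": 1},
}


@dataclass(frozen=True)
class Resource:
    kind: str    # "method", "channel" or "data"
    name: str    # label for the entry point (constructed for this example)
    level: str   # privilege, protocol or data type, keyed into SCALES[kind]
    access: str  # who may reach it, keyed into ACCESS_RIGHTS


def contribution(r: Resource) -> Fraction:
    """Attack Surface Contribution = scale value / access rights value."""
    try:
        return Fraction(SCALES[r.kind][r.level], ACCESS_RIGHTS[r.access])
    except KeyError as exc:
        raise ValueError(f"{r.name}: unknown kind, level or access right {exc}") from exc


def measure(resources):
    """Attack Surface Measurement: sum of contributions, per kind and overall."""
    totals = {kind: Fraction(0) for kind in SCALES}
    for r in resources:
        value = contribution(r)  # validate before touching the totals
        totals[r.kind] += value
    totals["total"] = sum(totals.values(), Fraction(0))
    return totals


def compare(before, after):
    """Rows of (name, before, after), largest reduction first.

    An entry point missing from one configuration contributes 0 there.
    """
    b = {r.name: contribution(r) for r in before}
    a = {r.name: contribution(r) for r in after}
    names = list(dict.fromkeys(list(b) + list(a)))
    rows = [(n, b.get(n, Fraction(0)), a.get(n, Fraction(0))) for n in names]
    return sorted(rows, key=lambda row: row[1] - row[2], reverse=True)


# Constructed sample: one appliance as shipped and after hardening.
AS_SHIPPED = [
    Resource("method", "admin web console", "System", "UnAuthN"),
    Resource("method", "status API", "User", "UnAuthN"),
    Resource("channel", "TCP management port", "Constrained Protocol Access", "UnAuthN"),
    Resource("channel", "SNMP trap", "Signal Only", "UnAuthN"),
    Resource("data", "firmware image", "Persistent Executable", "AuthN User"),
    Resource("data", "config file", "Persistent File / Data Item", "AuthN User"),
]
HARDENED = [
    Resource("method", "admin web console", "System", "AuthN Admin"),
    # status API removed entirely
    Resource("channel", "TCP management port", "Constrained Protocol Access", "AuthN Admin"),
    Resource("channel", "SNMP trap", "Signal Only", "UnAuthN"),
    Resource("data", "firmware image", "Persistent Executable", "AuthN Admin"),
    Resource("data", "config file", "Persistent File / Data Item", "AuthN Admin"),
]

if __name__ == "__main__":
    for label, cfg in (("as shipped", AS_SHIPPED), ("hardened", HARDENED)):
        print(label, {k: float(v) for k, v in measure(cfg).items()})
    for name, before, after in compare(AS_SHIPPED, HARDENED):
        print(f"{name:22} {float(before):5.2f} -> {float(after):5.2f}")
```

The totals are only comparable between boxes scored with the same tables; as the slide says, they rank attackability and carry no impact weighting.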
“The worst enemy of security is complexity.”
Bruce Schneier
“Connectedness and complexity are what cause security disasters.”
Marcus Ranum
“Risk is a necessary consequence of dependence”
Dan Geer
“Left to themselves, creative engineers will deliver the most complicated system they think they can debug.”
Mike O’Dell

• Coupling
• How fast cause and effect propagate through the system.
• Time dependent
• Rigid ordering
• Single path to successful outcome
• Complexity
• Number of interactions between components.
• Branching
• Feedback loops
• Un-planned sequences of events.
• Multiple component failures cause systemic cascade failures or accidents.
• Accidents are inevitable in complex, tightly-coupled systems.

Also a common solution architecture concern.

Simple Component Complexity
Fan-In Complexity            Sum of all possible protocol connections to the component
Fan-Out Complexity           Sum of all possible protocol connections from the component
Total Component Complexity   Sum of Fan-In & Fan-Out Complexity

Complex Component Complexity
Fan-In Complexity            Sum of all Methods offered by the component on each Channel
Fan-Out Complexity           Sum of all Methods used by the component on each Channel
Total Component Complexity   Sum of Fan-In & Fan-Out Complexity

• Closely-coupled in security is analogous to highly-trusted.
• I propose that measuring the trust of connections has the following aspects:

Connection
Channel Privilege   Value   Channel Privacy   Value   Channel Access Rights   Value
System              5       PlainText         4       AuthN Admin             4
Admin               4       Binary            4       AuthN Priv User         3
Priv User           3       Obfuscated        3       AuthN User              2
User                1       Encrypted         1       UnAuthN                 1
Coupling = Channel Privilege Value x (Channel Privacy Value / Channel Access Rights Value)

• The coupling and connectivity of the system can be represented by a graph:
• Components = Nodes
• Connections = Edges
• Number of Methods = Edge Weighting
• Coupling = Edge Weighting
This doesn’t need special tooling; you can represent a graph in a matrix (a spreadsheet, for example).
Graphs can be clustered using complexity or coupling to identify structurally related components in a system.

• A good example of representing system graphs as matrices in system engineering is a Design Structure Matrix (DSM)
• http://www.dsmweb.org
• These are easy to knock up while you’re working to aid your analysis.
Simple complexity DSM example:
          WWW  APP  DB   MESSAGE1  MESSAGE2  Fan-Out  Total
WWW       -    1    1    1         0         3        3
APP       0    -    1    1         0         2        3
DB        0    0    -    0         0         0        2
MESSAGE1  0    0         -         1         1        4
MESSAGE2  0    0    0    0         -         0        1
Fan-In    0    1    2    3         1

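The DSM bookkeeping from the complexity, coupling and graph slides as an added Python example (not from the original deck): it builds the matrix from a connection list, derives simple and complex fan-in/fan-out, and ranks connections by the coupling formula. The components and connections are constructed sample data, not the system in the table above.

```python
from fractions import Fraction
from typing import NamedTuple

# Scales copied from the coupling slide.
PRIVILEGE = {"System": 5, "Admin": 4, "Priv User": 3, "User": 1}
PRIVACY = {"PlainText": 4, "Binary": 4, "Obfuscated": 3, "Encrypted": 1}
ACCESS = {"AuthN Admin": 4, "AuthN Priv User": 3, "AuthN User": 2, "UnAuthN": 1}


class Connection(NamedTuple):
    src: str
    dst: str
    privilege: str  # channel privilege
    privacy: str    # channel privacy
    access: str     # channel access rights
    methods: int    # number of methods the source uses on this channel


# Constructed sample system (hypothetical components and values).
COMPONENTS = ["web", "app", "mq", "db"]
CONNECTIONS = [
    Connection("web", "app", "User", "Encrypted", "AuthN User", 6),
    Connection("web", "mq", "User", "Encrypted", "AuthN User", 1),
    Connection("app", "db", "Admin", "PlainText", "AuthN Priv User", 12),
    Connection("app", "mq", "Priv User", "Binary", "UnAuthN", 3),
    Connection("mq", "db", "System", "PlainText", "UnAuthN", 2),
]


def coupling(c: Connection) -> Fraction:
    """Coupling = Channel Privilege x (Channel Privacy / Channel Access Rights)."""
    return PRIVILEGE[c.privilege] * Fraction(PRIVACY[c.privacy], ACCESS[c.access])


def build_dsm(components, connections, weight):
    """Square matrix m[src][dst]; weight(c) decides what each edge counts for."""
    known = set(components)
    m = {s: {d: 0 for d in components} for s in components}
    for c in connections:
        if c.src not in known or c.dst not in known:
            raise ValueError(f"unknown component in {c.src}->{c.dst}")
        if c.src == c.dst:
            raise ValueError(f"self-connection on {c.src}")
        m[c.src][c.dst] += weight(c)
    return m


def complexity(m):
    """Per component: (fan_in, fan_out, total) from column and row sums."""
    stats = {}
    for comp in m:
        fan_out = sum(m[comp].values())
        fan_in = sum(row[comp] for row in m.values())
        stats[comp] = (fan_in, fan_out, fan_in + fan_out)
    return stats


def render(m):
    """Plain-text DSM laid out like the slide: Fan-Out/Total columns, Fan-In row."""
    names, stats = list(m), complexity(m)
    w = max(len(n) for n in names + ["Fan-Out"]) + 2
    lines = ["".ljust(w) + "".join(n.ljust(w) for n in names + ["Fan-Out", "Total"])]
    for s in names:
        cells = ["-" if s == d else str(m[s][d]) for d in names]
        cells += [str(stats[s][1]), str(stats[s][2])]
        lines.append(s.ljust(w) + "".join(x.ljust(w) for x in cells))
    lines.append("Fan-In".ljust(w) + "".join(str(stats[n][0]).ljust(w) for n in names))
    return "\n".join(lines)


def ranked_by_coupling(connections):
    """Connections as (src, dst, coupling), most closely coupled first."""
    edges = [(c.src, c.dst, coupling(c)) for c in connections]
    return sorted(edges, key=lambda e: e[2], reverse=True)


if __name__ == "__main__":
    print(render(build_dsm(COMPONENTS, CONNECTIONS, lambda c: 1)))          # simple
    print(render(build_dsm(COMPONENTS, CONNECTIONS, lambda c: c.methods)))  # complex
    for src, dst, value in ranked_by_coupling(CONNECTIONS):
        print(f"{src}->{dst}: {float(value):.2f}")
```

In this sample the edge with the fewest methods (mq to db) has the highest coupling, so the two edge weightings are worth reading side by side.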
• Components can have
• A relative attack surface measurement
• A relative total component complexity measurement
• Connections between components can be relatively weighted by
• Complexity
• Coupling
• These are all indicators you can use to identify high risk areas of large complex systems that you can then focus on addressing.
• More testing
• Re-Design
• This has previously highlighted an interesting situation where a firewall HA pair between two logical networks that routed a closely-coupled application protocol connection with a high level of privilege between two components was effectively useless as a security control and was removed.

Measuring black boxes
