Considering Operational Security Risks During System Development

Transcription

Considering Operational Security Risks During System Development
Pittsburgh, PA 15213-3890
Considering Operational
Security Risks During System
Development
Christopher Alberts
Audrey Dorofee
Carol Woody
Sponsored by the U.S. Department of Defense
© 2003 by Carnegie Mellon University
page 1
OCTAVE®
Operationally Critical Threat, Asset, and Vulnerability
EvaluationSM
® OCTAVE is registered with the U.S. Patent and Trademark Office by Carnegie Mellon
University
SM Operationally Critical Threat, Asset, and Vulnerability Evaluation is a service mark of
Carnegie Mellon University.
© 2003 by Carnegie Mellon University
page 2
Operational Focus
PreDevelopment
Activities
RFP
concept
Development
Activities
design
requirements
Post
Development
Activities
testing
build
integration
acceptance
operation
OCTAVE was developed for managing security risks in
the operational environment.
© 2003 by Carnegie Mellon University
page 3
A Complex Domain
Threats
• people inside your organization
• people outside your organization
• system problems
• other problems
© 2003 by Carnegie Mellon University
Security Practices
• organizational practices
• technical practices
People Involved
• information technology
(IT) staff
• general staff
• managers
• contractors
• service providers
• partners and
collaborators
page 4
Organizational Gap
© 2003 by Carnegie Mellon University
page 5
OCTAVE Approach - 1
© 2003 by Carnegie Mellon University
page 6
OCTAVE Approach - 2
OCTAVE is at the center of a risk management approach
to information security.
© 2003 by Carnegie Mellon University
page 7
What Is OCTAVE?
OCTAVE is a risk-based strategic assessment and
planning technique for security.
• It leverages people’s knowledge of their organization’s
security-related practices and processes to capture the
current state of security practice within the organization.
• Risks to the most critical assets are used to prioritize
areas of improvement and set the security strategy for
the organization.
© 2003 by Carnegie Mellon University
page 8
OCTAVE Phases
OCTAVE is divided into the following three phases:
• Phase 1: Build Asset-Based Threat Profiles
• Phase 2: Identify Infrastructure Vulnerabilities
• Phase 3: Develop Security Strategy and Plans
© 2003 by Carnegie Mellon University
page 9
© 2003 by Carnegie Mellon University
page 10
OCTAVE Analysis Team
• An interdisciplinary team – consisting of
- business or mission-related staff
- information technology staff
© 2003 by Carnegie Mellon University
page 11
Key Questions
Can some operational risks be reduced by addressing
them during development?
Can the OCTAVE approach be expanded to address
operational risks during development?
© 2003 by Carnegie Mellon University
page 12
The Value in Addressing Risks Earlier
Lower cost to mitigate security risks
More stable solutions can be implemented
Solutions carry forward with future upgrades
Builds on existing operational planning activities
Builds a consistent vocabulary between customers,
developers, users, and maintainers
© 2003 by Carnegie Mellon University
page 13
Challenges in Addressing Risks
Earlier
Only a subset of operational security risks can be
addressed early in the lifecycle.
Solutions implemented early in the lifecycle may affect
security-related activities during operation and
maintenance.
© 2003 by Carnegie Mellon University
page 14
Addressing Security Issues Earlier in
the Lifecycle
PreDevelopment
Activities
RFP
concept
Development
Activities
design
requirements
Post
Development
Activities
testing
build
integration
acceptance
operation
The focus for managing some operational security risks
can be shifted earlier in the lifecycle.
© 2003 by Carnegie Mellon University
page 15
Security Risk Management Activities
Component
protection
Define
target
system
Determine
security
attributes
Identify
threats
Identify
risks
Develop
protection
plan
Procedural
protection
© 2003 by Carnegie Mellon University
page 16
Define Target System
Component
protection
Define
target
system
Determine
security
attributes
Identify
threats
Identify
risks
Develop
protection
plan
Procedural
protection
© 2003 by Carnegie Mellon University
page 17
Target System
What components are part of the target system?
• software applications (interface modules, database
modules, etc.)
• hardware
• operating environment
• COTS
What critical information is stored, processed, and
transmitted by the target system?
© 2003 by Carnegie Mellon University
page 18
Determine Security Attributes
Component
protection
Define
target
system
Determine
security
attributes
Identify
threats
Identify
risks
Develop
protection
plan
Procedural
protection
© 2003 by Carnegie Mellon University
page 19
Security Attributes
What is important about the critical information on the
target system?
• Who will be authorized to view it? (confidentiality)
• To what extent should the information be accurate and
complete? Who will be authorized to modify it?
(integrity)
• How often must the information be available?
(availability)
© 2003 by Carnegie Mellon University
page 20
Identify Threats - 1
Component
protection
Define
target
system
Determine
security
attributes
Identify
threats
Identify
risks
Develop
protection
plan
Procedural
protection
© 2003 by Carnegie Mellon University
page 21
Threats
Who or what could threaten the target system? How could
security attributes be affected?
Are system components interfaced such that a
compromise of one puts others at risk?
© 2003 by Carnegie Mellon University
page 22
Network Attacks - 1
Consider how deliberate/malicious network-based attacks
could affect the target system.
How could system components be compromised by these
attacks?
How could security attributes be affected as a result?
• Can information be disclosed to unauthorized people?
• Can information be modified by unauthorized people?
• Can information be destroyed?
• Can access to information be interrupted?
© 2003 by Carnegie Mellon University
page 23
Network Attacks - 2
Consider how accidental/non-malicious network-based
events could affect the target system.
How could system components be compromised by these
events?
How could security attributes be affected as a result?
• Can information be disclosed to unauthorized people?
• Can information be modified by unauthorized people?
• Can information be destroyed?
• Can access to information be interrupted?
© 2003 by Carnegie Mellon University
page 24
Network Attacks - 3
Consider how viruses and other malicious code could
affect the target system.
How could system components be compromised by these
events?
How could security attributes be affected as a result?
• Can information be disclosed to unauthorized people?
• Can information be modified by unauthorized people?
• Can information be destroyed?
• Can access to information be interrupted?
© 2003 by Carnegie Mellon University
page 25
Identify Risks
Component
protection
Define
target
system
Determine
security
attributes
Identify
threats
Identify
risks
Develop
protection
plan
Procedural
protection
© 2003 by Carnegie Mellon University
page 26
Risk Identification
What is the potential impact on the organization resulting
from each threat?
Consider what might happen to the operational
environment (organization, system users, etc.) if the target
system is compromised and critical information is
• disclosed
• modified
• destroyed
• inaccessible
Risk = Threat + Impact
© 2003 by Carnegie Mellon University
page 27
Potential Impacts on the Operational
Environment
Lost revenue
Increased operational costs
Reputation damage
Fines and penalties
Safety and health of users
Others
© 2003 by Carnegie Mellon University
page 28
Develop Protection Plan - 1
Component
protection
Define
target
system
Determine
security
attributes
Identify
threats
Identify
risks
Develop
protection
plan
Procedural
protection
© 2003 by Carnegie Mellon University
page 29
What is a Protection Plan?
A plan to reduce operational security risks
Actions in the plan primarily mitigate threats to system
components.
© 2003 by Carnegie Mellon University
page 30
Protection Plan - 1
Who needs to be involved in developing the protection plan?
• users
• operational staff
• 3rd parties
• people responsible for other components
• developers
• customers
• others
© 2003 by Carnegie Mellon University
page 31
Protection Plan - 2
What is the overall protection plan for the target system?
Component Protection
• software applications
• hardware
• operating environment (operating system, I/O
management, networks)
• COTS
Procedural Protection
• transition from development to operational environment
• operational contingency plans
• access control management
© 2003 by Carnegie Mellon University
page 32
Component Protection - 1
Software Applications
What technological measures should be used to restrict
user access to software applications?
What technological measures should be used to
authenticate users to software applications? What degree
of authentication is required?
Should encryption be employed to protect information
while in storage and during transmission?
© 2003 by Carnegie Mellon University
page 33
Component Protection – 2
Software Applications (cont.)
How can the software architecture be designed to
recognize, resist, and recover from network-based
threats? How might these options affect other quality
attributes?
What monitoring capabilities are required to recognize
threats to the software applications as they are occurring?
© 2003 by Carnegie Mellon University
page 34
Component Protection – 3
Hardware
What expectations do you have for hardware security?
Who is responsible for implementing them?
Are these expectations sufficient?
How will they be verified? By whom?
© 2003 by Carnegie Mellon University
page 35
Component Protection – 4
Operating Environment
What expectations do you have for operating environment
security?
Who is responsible for implementing them?
Are these expectations sufficient?
How will they be verified? By whom?
© 2003 by Carnegie Mellon University
page 36
Component Protection - 5
COTS
What expectations do you have for COTS security?
Who is responsible for implementing them?
Are these expectations sufficient?
How will they be verified? By whom?
© 2003 by Carnegie Mellon University
page 37
Procedural Protection - 1
Transition from Development to Operational Environment
How should hardware and software components be locked
down during the transition?
What procedures should be in place for maintaining the
target system (especially validating the integrity of
production software) during the transition?
What helpdesk support procedures should be in place
during the transition?
© 2003 by Carnegie Mellon University
page 38
Procedural Protection - 2
Operational Contingency Plans
How should operational backup procedures be modified or
updated to accommodate the security attributes of the target
system?
How should operational contingency plans be modified or
updated to accommodate the security attributes of the target
system?
© 2003 by Carnegie Mellon University
page 39
Procedural Protection - 3
Access Control Management
Who is monitoring and managing access control to the
target system? What are the requirements for access
control?
How should the access of contractors and vendors with
support contracts be controlled?
What training and support will users need for accessing
and using the target system?
© 2003 by Carnegie Mellon University
page 40
Complicating Factors
Incomplete and/or poorly defined operational security
standards and requirements
Lack of consideration of security within contracts for
outsourced development, COTS software, and/or
operational support
Lack of operational expertise within the development life
cycle
Significant unknowns with respect to the operational
environment during development
© 2003 by Carnegie Mellon University
page 41
Summary - 1
Development Activities
Residual Risk
Start
Uncertainty
Finish
Perfect
System
Certainty
At the end of development, some degree of uncertainty remains
with respect to the target operational environment.
This uncertainty translates into the residual risk that must be
managed during operations and maintenance.
© 2003 by Carnegie Mellon University
page 42
Summary - 2
Residual Risk
Development Activities
Start
Uncertainty
Certainty
New
Start
By addressing some operational security
risks during development, the residual risk
that must be managed during operations
and maintenance is reduced.
© 2003 by Carnegie Mellon University
Perfect
System
Finish
New
Finish
Reduced
Residual Risk
page 43
Questions?
© 2003 by Carnegie Mellon University
page 44
For Additional Information
Telephone 412 / 268-5800
Fax
412 / 268-5758
Internet
[email protected] (for general information)
[email protected] (for licensing inquiries)
WWW
http://www.cert.org/octave
U.S. mail
Customer Relations
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
© 2003 by Carnegie Mellon University
page 45