1. Enterprise Architecture Models for Security Analysis
The VIKING project
Teodor Sommestad, The Royal Institute of Technology (KTH), Stockholm, Sweden
teodor.sommestad@ics.kth.se
3. The VIKING project: from security requirements to social costs (consequences)
Attack -> SCADA system -> Power network -> Societal cost
KTH (this presentation); ETH, Zürich; ViCiSi (in 15 min).
4. Decision makers in utilities typically have...
  ... a poor understanding of the system architecture and its environment
  ... a poor understanding of how to achieve security in this complex environment
  ... limited resources, time and money
5. Our solution: the Cyber Security Modeling Language
  You represent your system, e.g. add network zones, draw data flows, specify management processes.
  A Bayesian computational engine analyzes your architecture and possible attacks against it.
  The result for your architecture is visualized, e.g. which attacks are easy to do and which countermeasures make a big difference.
  We consolidate theory on security, i.e. what is most important and how important it is.
6. This tool assesses whether attacks against a system architecture are possible to carry out
Success probabilities of attacks:
  P(SCADAServer.Access) = 0.14
  P(SCADAService.InjectCode) = 0.14
  P(SCADAServer.FindKnownService) = 0.34
  P(SCADAServer.ConnectTo) = 0.43
Effect of changes on P(SCADAServer.Access):
  Install IPS: 0.14 => 0.11
  Regular security audits: 0.14 => 0.12
7. We do not aim at:
  Inventing some new protection apparatus (e.g. a firewall), solution or architecture.
  Telling cryptography/authentication/.../firewall experts which of their solutions are secure and which are not.
  Explaining which attacks will probably be attempted against the system.
8. Qualitative theory and quantitative theory
Qualitative theory: What influences what? For example, what influences the possibility for an attacker to compromise a machine, and in which ways can it be done? Which of these things are most important? For example, which protection mechanisms against arbitrary code execution attacks are most relevant? In essence: what data should be collected (modeled) to say something about the possibility of succeeding with attacks?
Quantitative theory: How big is the influence? For example, how is the attacker's chance of success influenced by "address space layout randomization"? Which combinations of things are important? For example, does "address space layout randomization" make a difference if you already have "non-executable memory" turned on? In essence: how probable are different attacks to succeed?
9. [Qualitative theory] The metamodel: attribute dependencies
For example, the probability that a Remote Arbitrary Code Exploit on a Service can be performed depends on:
  whether you can connect to the Service
  whether it has a high-severity vulnerability
  whether the attacker can authenticate as a legitimate user
  whether its OS uses ASLR or NX memory protection
  whether there is a Deep Packet Inspection firewall between the attacker and the Service
11. [Quantitative theory] Say that your architecture and our "rules" produce these dependencies. Can this attack be done by a professional penetration tester?
12. [Quantitative theory] Our tool would answer: 1.00 * 0.24 * 1.00 * 0.51 * 1.00 = 0.1224, i.e. a 12.24% chance of success. The individual steps in the chain have success probabilities of 100%, 100%, 100%, 24% and 51%.
13. [Quantitative theory] What-if analysis: execute arbitrary code
  As is: 24% probability that the attacker can execute his/her code; 12% for the attack scenario.
  Install a deep-packet-inspection firewall (IPS): 15% probability that the attacker can execute his/her code; 8% for the attack scenario.
  Remove Address Space Layout Randomization (ASLR): 27% probability that the attacker can execute his/her code; 14% for the attack scenario.
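As an added example (not the VIKING/CySeMoL tool's own code), the chain calculation of slide 12 and the what-if comparison of slide 13, written as a small dependency-graph evaluator. The attribute names, the AND-only dependency structure and the independence assumption are mine; the step values 1.00, 0.24 and 0.51 and the what-if values 0.15 and 0.27 are the ones on the slides.

```python
from functools import reduce
from operator import mul


def code_exec_probability(aslr, ips):
    """Slide 13's values for remote arbitrary code execution on the service:
    as-is (ASLR on, no IPS) 24 %, with a DPI firewall/IPS 15 %, without ASLR 27 %.
    The slides give no value for IPS without ASLR, so that case is rejected."""
    if aslr and ips:
        return 0.15
    if aslr:
        return 0.24
    if not ips:
        return 0.27
    raise ValueError("no slide value for IPS without ASLR")


def build_model(aslr=True, ips=False):
    """Slide 12's five-step chain as a dependency graph (constructed labels).
    A node is ("leaf", p) or ("and", [parents]); an "and" node succeeds only if
    every parent does, and parents are treated as independent, which is what
    multiplying the step probabilities on slide 12 assumes."""
    return {
        "Attacker.ReachZone":        ("leaf", 1.00),
        "Service.ConnectTo":         ("and", ["Attacker.ReachZone"]),
        "Service.HighSeverityVuln":  ("leaf", 1.00),
        "Service.ExploitSucceeds":   ("leaf", code_exec_probability(aslr, ips)),
        "Service.ExecArbitraryCode": ("and", ["Service.ConnectTo",
                                              "Service.HighSeverityVuln",
                                              "Service.ExploitSucceeds"]),
        "Server.PrivilegeEscalation": ("leaf", 0.51),
        "Server.ReachableFromService": ("leaf", 1.00),
        "Server.Access":             ("and", ["Service.ExecArbitraryCode",
                                              "Server.PrivilegeEscalation",
                                              "Server.ReachableFromService"]),
    }


def probability(model, attribute, memo=None):
    """Success probability of one attribute, recursing over its parents (memoized)."""
    memo = {} if memo is None else memo
    if attribute not in memo:
        kind, value = model[attribute]
        if kind == "leaf":
            memo[attribute] = value
        else:
            memo[attribute] = reduce(mul, (probability(model, p, memo) for p in value), 1.0)
    return memo[attribute]


def what_if(target, baseline, alternatives):
    """For each named countermeasure change, return (new probability, delta vs. baseline)."""
    base = probability(build_model(**baseline), target)
    return {name: (round(probability(build_model(**cfg), target), 4),
                   round(probability(build_model(**cfg), target) - base, 4))
            for name, cfg in alternatives.items()}
```

Calling what_if("Server.Access", {"aslr": True, "ips": False}, {"Install IPS": {"aslr": True, "ips": True}, "Remove ASLR": {"aslr": False, "ips": False}}) reproduces slide 13's 8% and 14% scenario figures from the 12% baseline.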
14. Data sources
The relationships and dependency structure:
  Literature, e.g. standards or scientific articles.
  Review and prioritization by external experts, e.g. FOI, SÄPO, Combitech, Chalmers, Ericsson, BTH, Management Doctors.
The probabilities:
  Logical relationships, e.g. if the firewalls allow you to connect to A from B and you have access to B, then you can connect.
  Others' studies, e.g. time-to-compromise of authentication codes, or patch level vs. patching procedures.
  Experts' judgments, e.g. 165 intrusion detection system researchers estimating the detection rate in different scenarios.
18. Today's status of the tool
  Our theory consolidation is in version 1.0, soon published. Nah...
  The calculation engine is completed.
  Tests in real life are ongoing.