A work in progress presentation given at a private security conference in the UK in the winter of 2008.

1. Phil Huggins
Private Security Conference Winter 2008

2. “Complexity is the worst enemy of security” –
Marcus Ranum
This is a work in progress.
Winter 2008

6.  Is it secure?
 What are the risks?
 Are the risks important?
 Whose fault are the risks?
 Why didn't our external pen test / app test / vuln scan find
all these risks?
 Can I save money on my security investment?
 Why is security always the source of our problems?
 Can you tell us how to fix it?

7.  What are the negative outcomes we want to avoid?
 Pure business focus at this point
 How can we rank them in importance?
 For the example system we identified six key negative
outcomes:
 Loss of Credit Card Data
 Loss of Personal Data
 Compromise of internal network
 Loss of regulatory required data
 Defacement of the website
 Attack on user of the system

8.  Where are the possible sources of the negative outcomes?
 How capable are those sources?
 How do the threat sources get to the outcomes via the
identified system components?
 Attack Trees

9.  Lots of work
 Manually need to build a tree for each outcome
 Some commercial tools available
 Graphviz & Dot

10.  The attack trees identify potential risks NOT vulnerabilities
 No testing at this point
 Map to existing security controls to identify security design gaps

11.  Still very opinion based – hard to compare
results across practitioners
 Manually intensive
 Not pretty for customers
 What does it identify:
 Security design gaps
 Likely vulnerable (complex) components
 Trust relationships between components

12.  Approach to identify complexity and interdependencies
 Component DSM used for system architecture analysis
 Matrix of components
 www.dsmweb.org

13.  Just focus on which component connects to which other
connections
 Sum of each row is the component fan-out complexity
 Sum of each column is the component fan-in complexity
 Sum of row + column for each component is total component
complexity
 Sum of total component complexity is a measure of system
complexity
 Allows you to rank components on connection complexity

14.  Previous Work
 Howard at Microsoft
 Manadhata at Carnegie Mellon
 Manadhata correlated severity of reported public vulns in FTP
servers with:
 Method privilege
 Method access rights
 Channel Protocol
 Channel access rights
 Data item type
 Data item access rights

15.  Measuring Connection Complexity
 Number and type of protocols
 Number and type of API calls
 Number and type of messages
 Number and type of functions
 Measuring Connection Trust
 Authenticated Y/N?
 Integrity checking Y/N?
 Measuring Connection Privilege
 Number of levels of authorisation
 Privilege level of protocol endpoint
 Privilege level of message endpoint
 Persistence of message data
 Measuring Connection Privacy
 Encrypted Y/N?

17.  Assign some arbitrary ordinal numbers to the attack surface
measures
 Implement a clustering tool to map trust / complexity across
systems
 Pretty graphics
 Anyone got any systems they want to try this out on?

18. http://blog.blackswansecurity.com
Winter 2008 UNCON 14