2. “Complexity is the worst enemy of security” – Marcus Ranum
This is a work in progress.
Winter 2008
6. Is it secure?
What are the risks?
Are the risks important?
Whose fault are the risks?
Why didn't our external pen test / app test / vuln scan find all these risks?
Can I save money on my security investment?
Why is security always the source of our problems?
Can you tell us how to fix it?
7. What are the negative outcomes we want to avoid?
Pure business focus at this point
How can we rank them in importance?
For the example system we identified six key negative outcomes:
Loss of Credit Card Data
Loss of Personal Data
Compromise of internal network
Loss of regulatory required data
Defacement of the website
Attack on a user of the system
8. Where are the possible sources of the negative outcomes?
How capable are those sources?
How do the threat sources get to the outcomes via the identified system components?
Attack Trees
9. Lots of work
A tree must be built manually for each outcome
Some commercial tools are available
Graphviz & Dot
10. The attack trees identify potential risks, NOT vulnerabilities
No testing at this point
Map to existing security controls to identify security design gaps
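The attack-tree step described on slides 8 to 10, as an added example rather than the deck's own tooling: one of the slide 7 outcomes (loss of credit card data) modelled as an AND/OR tree with an ordinal attacker cost per leaf. Leaves are mapped to existing security controls where one exists; the cheapest path that avoids every controlled leaf is the design gap the slide talks about, and the tree is emitted as Graphviz DOT. The attack steps, costs and the single mapped control are constructed assumptions about an unspecified example system, not findings.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    """One node of an attack tree: a leaf (attack step) or an AND/OR gate."""
    name: str
    kind: str = "leaf"              # "leaf", "and" or "or"
    cost: float = 0                 # attacker effort for a leaf (arbitrary ordinal units)
    control: Optional[str] = None   # existing security control that blocks this leaf, if any
    children: list[Node] = field(default_factory=list)


def min_cost(node: Node) -> tuple[float, list[str]]:
    """Cheapest way to reach `node`: (total cost, leaf steps used).

    A leaf covered by an existing control is treated as unavailable (infinite
    cost); an AND gate needs every child, an OR gate needs its cheapest child.
    """
    if node.kind == "leaf":
        if node.control is not None:
            return float("inf"), []
        return node.cost, [node.name]
    results = [min_cost(child) for child in node.children]
    if node.kind == "and":
        return sum(r[0] for r in results), [leaf for r in results for leaf in r[1]]
    if node.kind == "or":
        return min(results, key=lambda r: r[0])
    raise ValueError(f"unknown node kind: {node.kind}")


def uncontrolled_leaves(node: Node) -> list[str]:
    """Every attack step with no mapped control: candidate security design gaps."""
    if node.kind == "leaf":
        return [] if node.control else [node.name]
    return [leaf for child in node.children for leaf in uncontrolled_leaves(child)]


def to_dot(root: Node) -> str:
    """Render the tree as Graphviz DOT; leaves with a control are shaded."""
    lines = ["digraph attack_tree {", "  node [shape=box];"]

    def walk(n: Node) -> None:
        label = n.name if n.kind == "leaf" else f"{n.name}\\n[{n.kind.upper()}]"
        style = ", style=filled, fillcolor=lightgrey" if n.control else ""
        lines.append(f'  "{n.name}" [label="{label}"{style}];')
        for child in n.children:
            lines.append(f'  "{n.name}" -> "{child.name}";')
            walk(child)

    walk(root)
    lines.append("}")
    return "\n".join(lines)


# Constructed tree for the deck's first negative outcome. The steps, costs
# and the one mapped control are illustrative assumptions, not findings.
CARD_DATA_TREE = Node("Loss of credit card data", "or", children=[
    Node("Extract from database", "and", children=[
        Node("Inject SQL via web app", cost=3),
        Node("Read card table", cost=1),
    ]),
    Node("Intercept in transit", "and", children=[
        Node("Get onto network path", cost=5),
        Node("Sniff cleartext traffic", cost=1, control="TLS on payment channel"),
    ]),
    Node("Obtain offline copy", "or", children=[
        Node("Steal unencrypted backup", cost=6),
        Node("Bribe DBA", cost=8),
    ]),
])

if __name__ == "__main__":
    cost, steps = min_cost(CARD_DATA_TREE)
    print(f"cheapest uncontrolled path: cost {cost} via {steps}")
    print("steps with no mapped control:", uncontrolled_leaves(CARD_DATA_TREE))
    print(to_dot(CARD_DATA_TREE))
```

Pipe the DOT output through `dot -Tpng` to get the picture. The costs are opinions, which is exactly the slide 11 complaint: two practitioners will pick different numbers, so the useful output is the set of uncontrolled steps and which of them sit on the cheapest path, not the absolute cost.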
11. Still very opinion-based – hard to compare results across practitioners
Manually intensive
Not pretty for customers
What does it identify:
Security design gaps
Likely vulnerable (complex) components
Trust relationships between components
12. Approach to identify complexity and interdependencies
Component DSM (Design Structure Matrix) used for system architecture analysis
Matrix of components
www.dsmweb.org
13. Just focus on which component connects to which other component
Sum of each row is the component fan-out complexity
Sum of each column is the component fan-in complexity
Sum of row + column for each component is total component complexity
Sum of total component complexity is a measure of system complexity
Allows you to rank components on connection complexity
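The slide 13 arithmetic carried out on a component DSM, as an added example (not the deck's own spreadsheet): rows are connection sources, columns are targets, row sums give fan-out, column sums give fan-in, and components are ranked on the total. The six components and their links are a constructed sketch of a small web system, assumed for illustration.

```python
from __future__ import annotations

# Component DSM: DSM[i][j] == 1 when component i has a connection to component j.
# Rows give fan-out, columns give fan-in. Constructed sample, assumed for illustration.
COMPONENTS = ["browser", "web", "app", "db", "payment_gw", "admin"]

DSM = [
    #  browser web app db pgw admin
    [0, 1, 0, 0, 0, 0],  # browser    -> web
    [0, 0, 1, 0, 0, 0],  # web        -> app
    [0, 0, 0, 1, 1, 0],  # app        -> db, payment_gw
    [0, 0, 0, 0, 0, 0],  # db         -> (nothing)
    [0, 0, 1, 0, 0, 0],  # payment_gw -> app (callback)
    [0, 1, 1, 1, 0, 0],  # admin      -> web, app, db
]


def validate(dsm: list[list[int]]) -> None:
    """A component DSM must be square, binary and have an empty diagonal."""
    n = len(dsm)
    for i, row in enumerate(dsm):
        if len(row) != n:
            raise ValueError(f"row {i} has {len(row)} entries, expected {n}")
        if row[i] != 0:
            raise ValueError(f"component {i} connects to itself")
        if any(v not in (0, 1) for v in row):
            raise ValueError(f"row {i} is not binary")


def fan_out(dsm: list[list[int]], i: int) -> int:
    """Number of components that component i connects to (row sum)."""
    return sum(dsm[i])


def fan_in(dsm: list[list[int]], j: int) -> int:
    """Number of components that connect to component j (column sum)."""
    return sum(row[j] for row in dsm)


def component_complexity(dsm: list[list[int]], i: int) -> int:
    """Total connection complexity of one component: fan-out + fan-in."""
    return fan_out(dsm, i) + fan_in(dsm, i)


def system_complexity(dsm: list[list[int]]) -> int:
    """The deck's system measure: sum of all component totals."""
    return sum(component_complexity(dsm, i) for i in range(len(dsm)))


def rank_components(names: list[str], dsm: list[list[int]]) -> list[tuple[str, int, int, int]]:
    """(name, fan-out, fan-in, total) for each component, highest total first.
    sorted() is stable, so components with equal totals keep their DSM order."""
    validate(dsm)
    rows = [(name, fan_out(dsm, i), fan_in(dsm, i), component_complexity(dsm, i))
            for i, name in enumerate(names)]
    return sorted(rows, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    for name, out, inn, total in rank_components(COMPONENTS, DSM):
        print(f"{name:<12} fan-out {out}  fan-in {inn}  total {total}")
    print("system complexity:", system_complexity(DSM))
```

One caveat worth knowing before quoting the system number: on a binary DSM every connection contributes one to a row sum and one to a column sum, so the system measure is exactly twice the connection count. The information is in the per-component ranking; the system total only tracks how many links the architecture has.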
14. Previous Work
Howard at Microsoft
Manadhata at Carnegie Mellon
Manadhata correlated severity of reported public vulns in FTP servers with:
Method privilege
Method access rights
Channel Protocol
Channel access rights
Data item type
Data item access rights
15. Measuring Connection Complexity
Number and type of protocols
Number and type of API calls
Number and type of messages
Number and type of functions
Measuring Connection Trust
Authenticated Y/N?
Integrity checking Y/N?
Measuring Connection Privilege
Number of levels of authorisation
Privilege level of protocol endpoint
Privilege level of message endpoint
Persistence of message data
Measuring Connection Privacy
Encrypted Y/N?
17. Assign some arbitrary ordinal numbers to the attack surface measures
Implement a clustering tool to map trust / complexity across systems
Pretty graphics
Anyone got any systems they want to try this out on?
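The slide 15 measures with the ordinal numbers slide 17 proposes, as an added example (not the deck's tool): each connection is scored on complexity, trust, privilege and privacy with a fixed, admittedly arbitrary scale; the scores are rolled up per component into a (complexity, worst inbound trust) pair, and components are bucketed on that pair. The threshold bucketing stands in for the clustering tool the slide asks for. The scales, thresholds and sample connections are assumptions made for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Connection:
    """One connection between two components, carrying the slide 15 raw measures."""
    src: str
    dst: str
    protocols: int           # number of distinct protocols on the connection
    api_calls: int           # number of distinct API calls / message types
    authenticated: bool      # connection trust
    integrity_checked: bool
    encrypted: bool          # connection privacy
    endpoint_privilege: int  # 0 = unprivileged, 1 = service account, 2 = admin/root
    persistent_data: bool    # message data is persisted at the endpoint


# Ordinal scales: arbitrary (as the deck says) but fixed, so two systems scored
# on the same scale can be compared. Higher always means more attack surface.
def complexity_score(c: Connection) -> int:
    """0..6: protocol count and API-call count, each capped at 3."""
    return min(c.protocols, 3) + min(c.api_calls // 5, 3)


def trust_score(c: Connection) -> int:
    """0..3: missing authentication weighs more than a missing integrity check."""
    return (0 if c.authenticated else 2) + (0 if c.integrity_checked else 1)


def privilege_score(c: Connection) -> int:
    """0..3: endpoint privilege, plus one if the data persists there."""
    return c.endpoint_privilege + (1 if c.persistent_data else 0)


def privacy_score(c: Connection) -> int:
    """0..1: an unencrypted connection exposes data in transit."""
    return 0 if c.encrypted else 1


def connection_score(c: Connection) -> int:
    """Sum of the four ordinal scores for one connection."""
    return complexity_score(c) + trust_score(c) + privilege_score(c) + privacy_score(c)


def component_profiles(connections: list[Connection]) -> dict[str, tuple[int, int]]:
    """Per component: (summed complexity of every connection it is on,
    worst trust score among its inbound connections)."""
    complexity: dict[str, int] = {}
    inbound_trust: dict[str, int] = {}
    for c in connections:
        for name in (c.src, c.dst):
            complexity[name] = complexity.get(name, 0) + complexity_score(c)
            inbound_trust.setdefault(name, 0)
        inbound_trust[c.dst] = max(inbound_trust[c.dst], trust_score(c))
    return {name: (complexity[name], inbound_trust[name]) for name in complexity}


def classify(connections: list[Connection], complexity_threshold: int = 8,
             trust_threshold: int = 2) -> dict[str, str]:
    """Bucket components on the trust / complexity map (assumed thresholds)."""
    labels: dict[str, str] = {}
    for name, (cx, tr) in component_profiles(connections).items():
        if cx >= complexity_threshold and tr >= trust_threshold:
            labels[name] = "complex + low-trust inbound"
        elif cx >= complexity_threshold:
            labels[name] = "complex"
        elif tr >= trust_threshold:
            labels[name] = "low-trust inbound"
        else:
            labels[name] = "low"
    return labels


# Constructed sample connections for a small web system; every measure is assumed.
CONNECTIONS = [
    Connection("browser", "web", 1, 40, False, True, True, 1, True),
    Connection("web", "app", 1, 25, True, True, False, 1, False),
    Connection("app", "db", 1, 60, True, False, False, 2, True),
    Connection("admin", "db", 2, 10, True, False, False, 2, True),
    Connection("payment_gw", "app", 1, 5, False, False, True, 1, True),
]

if __name__ == "__main__":
    for c in CONNECTIONS:
        print(f"{c.src} -> {c.dst}: score {connection_score(c)}")
    for name, label in classify(CONNECTIONS).items():
        print(f"{name:<12} {component_profiles(CONNECTIONS)[name]}  {label}")
```

The caveat the deck's own slide 11 raises applies here too: adding ordinal scores from different scales is a convention, not a measurement, so the numbers only mean something relative to other connections scored with the same scale. Keep the scale in version control next to the results, and change the thresholds, not the scale, when tuning which components land in the top bucket.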