
Post on 24-Aug-2020


Security Analysis, Part I: Basics

Ketil Stølen, SINTEF & UiO

CORAS 1

Acknowledgments

The research for the contents of this tutorial has partly been funded by the European Commission through the FP7 project SecureChange and the FP7 network of excellence NESSoS

CORAS 2

Objectives for the three Lectures on Security Analysis

- Classify security concepts
- Introduce, motivate and explain a basic apparatus for risk management in general and risk analysis in particular
- Relate risk management to system development
- Describe the different processes that risk management involves
- Motivate and illustrate model-driven security risk analysis (or security analysis, for short)
- Demonstrate the use of risk analysis techniques

CORAS 3

The three Lectures on Security Analysis

Part I : Basics

Part II : Example-Driven Walkthrough of the CORAS Method

Part III : Change Management

CORAS 4

Overview of Part I

- What is security?
- What is risk?
- What is risk management?
- Central terms
- What is CORAS?
- Main concepts
- The CORAS process
- Risk modeling
- Semantics
- Likelihood reasoning
- The CORAS tool

CORAS 5

What is Security Analysis?

Security analysis is a specialized form of risk analysis focusing on security risks

CORAS 6

What is Security?

Figure: security comprises confidentiality, integrity, availability and accountability.

Confidentiality: Only authorised actors have access to information

Integrity: Only authorised actors can change, create or delete information

Availability: Authorised actors have access to information they need when they need it

Accountability: It is possible to audit the sequence of events in the system

CORAS 7

Security is more than Technology

From a technical standpoint, security solutions are available – but what good is security if no one can use the systems?

Security requires more than technical understanding
- Security problems are often of non-technical origin
- A sound security evaluation requires a uniform description of the system as a whole: how it is used, the surrounding organisation, etc.

CORAS 8

Security – Part of System Development

Security is traditionally added as an “afterthought”

- Solutions often reactive rather than proactive
- Security issues often solved in isolation
- Costly redesign
- Security not completely integrated

Enforcing security only at the end of the development process “by preventing certain behaviors...may result in a so useless system that the complete development effort would be wasted” [Mantel'01].

“It would be desirable to consider security aspects already in the design phase, before a system is actually implemented, since removing security flaws in the design phase saves cost and time” [Jürjens'02].

CORAS 9

In what way is “Security” related to
- safety
- reliability
- dependability
- maintainability
- data protection
- privacy
- trustworthy
- trust
- public key infrastructure based on trusted third party
- authentication and authorization

CORAS 10

Translation of Terminology (English to Norwegian)

asset: aktivum (noe med verdi, i.e. something of value)

threat: trussel

unwanted incident: uønsket hendelse

risk: risiko

vulnerability: sårbarhet

consequence: konsekvens

probability: sannsynlighet

frequency: frekvens/hyppighet

treatment: behandling

CORAS 11

What is Risk?

Many kinds of risk:
- Contractual risk
- Economic risk
- Operational risk
- Environmental risk
- Health risk
- Political risk
- Legal risk
- Security risk

CORAS 12

Definition of Risk from ISO 31000

Risk: Effect of uncertainty on objectives

NOTE 1 An effect is a deviation from the expected — positive and/or negative

NOTE 2 Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process)

NOTE 3 Risk is often characterized by reference to potential events and consequences, or a combination of these

NOTE 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence

NOTE 5 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of an event, its consequence, or likelihood

CORAS 13

What is Risk Management?

Risk management: Coordinated activities to direct and control an organization with regard to risk [ISO 31000:2009]

CORAS 14

Figure: the ISO 31000 risk management process. Establish the context; risk assessment (identify risks, estimate risks, evaluate risks); treat risks. Communicate and consult, and monitor and review, run alongside all of these steps.

Risk Analysis Involves
- Determining what can happen, why and how
- Systematic use of available information to determine the level of risk
- Prioritization by comparing the level of risk against predetermined criteria
- Selection and implementation of appropriate options for dealing with risk

CORAS 15

Figure: the risk management process again (communicate and consult; establish the context; risk assessment: identify, estimate and evaluate risks; treat risks; monitor and review).

Terms

CORAS 16

Figure: the terms asset, vulnerability, threat and risk, and the need to introduce risk treatment in order to arrive at a reduced risk.

17

Terms

Figure (example): a worm (threat) reaches, via the Internet, a computer running Outlook that has a vulnerability (V). The unwanted incident is an infected PC; the risk is estimated as infected twice per year, with infected mail sent to all contacts. The treatment is to install a virus scanner.

Security Analysis Using CORAS

18

Overview

- What is CORAS?
- Main concepts
- Process of eight steps
- Risk modeling
- Semantics
- Calculus
- Tool support
- Further reading

CORAS 19

What is CORAS?

CORAS consists of
- Method for risk analysis
- Language for risk modeling
- Tool for editing diagrams

- Stepwise, structured and systematic process
- Directed by assets
- Concrete tasks with practical guidelines
- Model-driven
  - Models as basis for analysis
  - Models as documentation of results

Based on international standards

CORAS 20

Main Concepts

CORAS 21

Figure: the CORAS conceptual model, relating asset, vulnerability, threat, consequence, unwanted incident, likelihood, risk, party and treatment.

Definitions
- Asset: Something to which a party assigns value and hence for which the party requires protection
- Consequence: The impact of an unwanted incident on an asset in terms of harm or reduced asset value
- Likelihood: The frequency or probability of something occurring
- Party: An organization, company, person, group or other body on whose behalf a risk analysis is conducted
- Risk: The likelihood of an unwanted incident and its consequence for a specific asset
- Risk level: The level or value of a risk as derived from its likelihood and consequence
- Threat: A potential cause of an unwanted incident
- Treatment: An appropriate measure to reduce risk level
- Unwanted incident: An event that harms or reduces the value of an asset
- Vulnerability: A weakness, flaw or deficiency that opens for, or may be exploited by, a threat to cause harm to or reduce the value of an asset

CORAS 22

Exercise I

How would you represent risk in UML sequence diagrams?

CORAS 23

Process of Eight Steps
1. Preparations for the analysis
2. Customer presentation of the target
3. Refining the target description using asset diagrams
4. Approval of the target description
5. Risk identification using threat diagrams
6. Risk estimation using threat diagrams
7. Risk evaluation using risk diagrams
8. Risk treatment using treatment diagrams

CORAS 24

Figure: the eight steps grouped into the phases establish context, assess risk and treat risk.

Risk Modeling

The CORAS language consists of five kinds of diagrams
- Asset diagrams
- Threat diagrams
- Risk diagrams
- Treatment diagrams
- Treatment overview diagrams

Each kind supports concrete steps in the risk analysis process. In addition there are three kinds of diagrams for specific needs
- High-level CORAS diagrams
- Dependent CORAS diagrams
- Legal CORAS diagrams

CORAS 25

Example: Threat Diagram

CORAS 26

Figure: a CORAS threat diagram. The non-human threat Computer virus exploits the vulnerability Virus protection not up to date to initiate the threat scenario Server is infected by computer virus [possible]. This scenario leads to the unwanted incident Server goes down [unlikely] with conditional likelihood 0.2, which impacts the asset Availability of server; it also leads to the threat scenario Virus creates back door to server [possible]. The human threat Hacker is shown with the unwanted incident Hacker gets access to server [unlikely], which impacts the assets Integrity of server and Confidentiality of information. A second conditional likelihood, 0.1, is annotated on one of the other leads-to relations. The legend names the element kinds: vulnerability, threat, threat scenario, unwanted incident, asset, likelihood and consequence.

Semantics

How to interpret and understand a CORAS diagram? Users need a precise and unambiguous explanation of the meaning of a given diagram.

Natural language semantics: CORAS comes with rules for systematic translation of any diagram into sentences in English

Formal semantics: Semantics in terms of a probability space on traces

CORAS 27

Example

Elements
- Computer virus is a non-human threat.
- Virus protection not up to date is a vulnerability.
- Threat scenario Server is infected by computer virus occurs with likelihood possible.
- Unwanted incident Server goes down occurs with likelihood unlikely.
- Availability of server is an asset.

Relations
- Computer virus exploits vulnerability Virus protection not up to date to initiate Server is infected by computer virus with undefined likelihood.
- Server is infected by computer virus leads to Server goes down with conditional likelihood 0.2.
- Server goes down impacts Availability of server with consequence high.

CORAS 28

Calculus for Likelihood Reasoning

Relation

Mutually exclusive vertices

Statistically independent vertices

CORAS 29

Guidelines for Consistency Checking

CORAS 30
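As an added example (not part of the slides or of the CORAS tool), the following Python propagates likelihoods through the threat diagram shown above with the two combination rules of the calculus (mutually exclusive versus statistically independent vertices) and runs the consistency check from the guidelines; the numeric scale and all conditional likelihoods other than 0.2 are assumptions.

```python
# Added example, not from the CORAS slides or the CORAS tool: propagate
# likelihoods along the leads-to relations of the threat diagram above and
# check them against the likelihood assigned to each vertex. Assumption: a
# likelihood is the probability of the vertex occurring in the analysis
# period; the scale and the conditionals 0.5 and 0.1 are constructed here.
SCALE = {"unlikely": (0.0, 0.1), "possible": (0.1, 0.5), "likely": (0.5, 1.0)}
INITIAL = {"Server is infected by computer virus": 0.3}  # root, in "possible"

# target vertex -> [(source vertex, conditional likelihood)]; 0.2 is on the slide
EDGES = {
    "Server goes down": [("Server is infected by computer virus", 0.2)],
    "Virus creates back door to server": [("Server is infected by computer virus", 0.5)],
    "Hacker gets access to server": [("Virus creates back door to server", 0.1)],
}

ASSIGNED = {  # qualitative likelihood written on each vertex of the diagram
    "Server is infected by computer virus": "possible",
    "Server goes down": "unlikely",
    "Virus creates back door to server": "possible",
    "Hacker gets access to server": "unlikely",
}

def combine(contribs, independent=True):
    """Mutually exclusive sources: probabilities add (capped at 1).
    Statistically independent sources: P(A or B) = P(A) + P(B) - P(A)P(B)."""
    if not independent:
        return min(sum(contribs), 1.0)
    total = 0.0
    for c in contribs:
        total = total + c - total * c
    return total

def likelihood(vertex, edges=EDGES, initial=INITIAL, independent=True, memo=None):
    """Roots keep their value; other vertices combine source likelihood x
    conditional likelihood over their incoming leads-to relations."""
    memo = {} if memo is None else memo
    if vertex not in memo:
        if vertex in initial:
            memo[vertex] = initial[vertex]
        else:
            parts = [likelihood(src, edges, initial, independent, memo) * cond
                     for src, cond in edges.get(vertex, [])]
            memo[vertex] = combine(parts, independent)
    return memo[vertex]

def inconsistent(assigned=ASSIGNED, **kw):
    """Consistency check: vertices whose computed likelihood lies outside the interval of the assigned value."""
    return [v for v, label in assigned.items()
            if not SCALE[label][0] <= likelihood(v, **kw) <= SCALE[label][1]]
```

With the slide's values the diagram is consistent; raising the root scenario to 0.9 makes both the root and Server goes down fall outside their assigned intervals, which is exactly what the check is meant to surface.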

Tool Support
- The CORAS tool is a diagram editor
- Supports all kinds of CORAS diagrams
- Suited for on-the-fly modeling during workshops
- Ensures syntactic correctness
- May be used during all the steps of a risk analysis
  - Documents input to the various tasks
  - Selection and structuring of information during tasks
  - Documentation of analysis results

CORAS 31

Screenshot

CORAS 32

Figure: screenshot of the CORAS tool, showing its pull-down menu, palette, tool bar, outline, canvas and properties window.

Where to Find the Tool

http://coras.sourceforge.net/

Open source

CORAS 33

Mandatory Reading

Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen: Chapter 3 "A Guided Tour of the CORAS Method" in the book "Model-Driven Risk Analysis: The CORAS Approach", 2011. Springer. The chapter can be downloaded freely.

Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen: Risk Analysis of Changing and Evolving Systems Using CORAS, 2011. LNCS 6858, Springer. Pages 231-274.

ONLY FOR INF9150: Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen: Chapter 13 "Analysing Likelihood Using CORAS Diagrams" in the book "Model-Driven Risk Analysis: The CORAS Approach", 2011

CORAS 34

Criticism from System Developers

- The CORAS language is too simplistic
- It is too cumbersome to use graphical icons

CORAS 35

Criticism from Risk Analysts

- What’s new with the CORAS language?
- We have been using something similar for years, namely VISIO!

CORAS 36

Exercise II

Discuss the statements made by the critics. Argue why the critics are wrong.

CORAS 37
