8-1 George Valvis, Expertnet S.A. Panagiotis Sklavos, DECE, National Technical University of Athens Dr. Despina Polemi, ICCS, National Technical University.

Mar 31, 2015

Transcript
Slide 8-1

Securing mission-critical core systems

George Valvis, Expertnet S.A.
Panagiotis Sklavos, DECE, National Technical University of Athens
Dr. Despina Polemi, ICCS, National Technical University of Athens

Slide 8-2

Outline of the Presentation

• Introduction

• Problem description

• Threats that need to be addressed

• Solution overview

• Administrative schema

• Content Provider Model

• Three-tier architecture (Enterprise users and roles)

• Normal behaviour series of events

• Automated Reporting Functionality

• Scalability-Availability considerations

Slide 8-3

Introduction

• Core system – a wealth of sensitive corporate information

• Legacy system

• Proprietary database application

• Unable to decommission the system

• Highly integrated with multiple corporate subsystems

• Inability to provide a secure infrastructure

Slide 8-4

Notes for Slide 3

These legacy databases are integrated with other legacy subsystems in order to obtain information from various sources and store it in a structured manner. They are therefore necessary components of the organization’s IT infrastructure, and their replacement could have major ripple effects.

The proprietary legacy applications are not able to support authentication, authorization and accounting (AAA) functions. These functions, however, are fundamental to ensuring that access to sensitive information is controlled and monitored. This inherent lack of security exposes the business to insider misuse and leakage of information.


Slide 8-5

Problem description

• Multiple vulnerabilities exist

• Causing serious threats (high level)
  • insider misuse
  • sensitive information leak

• Which have major consequences (high level)
  • customer dissatisfaction
  • harm to the business reputation
  • legal issues (Greek Act for Personal Data)

Slide 8-6

Notes for Slide 4

The lack of infrastructure security can lead to unauthorized transactions, which could expose the business to the risk of insider misuse, leak of information, data modification or replacement, false representation and service interference.

The inability to provide a secure infrastructure for the viewing of sensitive corporate information opens the business up to negative consequences in the form of insider misuse and leak of information. Lack of security can lead to customer dissatisfaction, could harm the business reputation and provoke legal issues. Legacy systems and databases are vulnerable to security breaches because of their complex nature, insecure password mechanism, misconfigured operating systems or unrecognised system backdoors.

Slide 8-7

Threats that need to be addressed

Threat: Abuse of privilege
• Lack of fine-grained access control
• Users are always assigned a pre-configured set of privileges
• No flexible way to assign and revoke privileges on an as-needed basis
• Password attacks

Potential consequences:
• Users are always able to access (confidential) information, even for illegitimate purposes
• Extensive leak of information (multiple incidents)
• Data aggregation and correlation (deducing classified information from unclassified information)
• Poor means of verifying an individual’s authorization to receive specific categories of information

Slide 8-8

Notes for Slide 5

Countermeasures

Strong authentication
• All users connecting to the database authenticate (multi-tier)
• Establish with certainty who a user is
• Implementation: Public Key Infrastructure-based authentication
  • Uniquely identifies a user within the organization
  • The certificate can be used to authenticate the user to multiple services (no need to remember many passwords)
• Authentication over Secure Sockets Layer (SSL): strong user authentication and network data confidentiality

Slide 8-9

Notes for Slide 5 (Continued)

Privilege management

Least privilege principle: control which privileges a user has and under what conditions she can use them
• A user is assigned only those privileges necessary to perform her duty
• A user has those privileges only while she has a duty to perform
• Flexible way to assign and revoke privileges

Slide 8-10

Notes for Slide 5 (Continued)

• Implementation

1. A view is a content- or context-dependent subset of one or more tables

   Content: a subset of rows, e.g. view only call details at least 2 weeks old; a subset of columns, e.g. view only the customer names

   Context: e.g. a manager can view restricted information

• Customise access to information: limit the data a user can access within database objects

• Grant a user the ability to access certain views; there is no need to grant the user any access to the underlying database objects
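The three kinds of view listed above, as an added example that is not code from the presentation. It uses sqlite3 so it runs offline; the table, view and column names and the sample rows are constructed assumptions, and the single-row session_ctx table stands in for the per-session application context (role, reference date) that a production RDBMS supplies at login. GRANT/REVOKE on the views is not modelled because sqlite has no privilege system; query_view refuses anything that is not a published view, which is the application-side equivalent of granting SELECT on the views only.

```python
"""Content- and context-dependent views over a call-details table (sqlite3).

Added example, not from the presentation. Names and data are assumptions.
"""
import sqlite3

SAMPLE_CUSTOMERS = [  # constructed: (id, name, tax_id, address)
    (1, "K. Ioannou", "123456789", "Athens"),
    (2, "P. Georgiou", "987654321", "Patras"),
]
SAMPLE_CALLS = [  # constructed: (id, customer_id, called_number, call_date, duration_s)
    (1, 1, "2101234567", "2015-03-30", 120),   # 1 day old on 2015-03-31
    (2, 1, "2107654321", "2015-03-15", 45),    # 16 days old
    (3, 2, "2109999999", "2015-03-17", 300),   # exactly 14 days old
    (4, 2, "2108888888", "2015-03-20", 60),    # 11 days old
]
VIEWS = ("v_old_calls", "v_customer_names", "v_restricted_calls")


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, tax_id TEXT, address TEXT);
        CREATE TABLE call_detail (id INTEGER PRIMARY KEY, customer_id INTEGER,
                                  called_number TEXT, call_date TEXT, duration_s INTEGER);
        -- one row per session: the connected user's role and the reference date
        CREATE TABLE session_ctx (role TEXT NOT NULL, as_of TEXT NOT NULL);

        -- Content, subset of rows: only call details at least two weeks old
        CREATE VIEW v_old_calls AS
            SELECT c.id, c.customer_id, c.called_number, c.call_date, c.duration_s
            FROM call_detail c
            WHERE julianday((SELECT as_of FROM session_ctx)) - julianday(c.call_date) >= 14
            ORDER BY c.id;

        -- Content, subset of columns: customer names only, never tax id or address
        CREATE VIEW v_customer_names AS
            SELECT id, name FROM customer ORDER BY id;

        -- Context: the full call table, but only when the session role is 'manager'
        CREATE VIEW v_restricted_calls AS
            SELECT * FROM call_detail
            WHERE (SELECT role FROM session_ctx) = 'manager'
            ORDER BY id;
    """)
    con.executemany("INSERT INTO customer VALUES (?,?,?,?)", SAMPLE_CUSTOMERS)
    con.executemany("INSERT INTO call_detail VALUES (?,?,?,?,?)", SAMPLE_CALLS)
    return con


def set_session(con: sqlite3.Connection, role: str, as_of: str) -> None:
    """Replace the session context (a real RDBMS sets this at login)."""
    con.execute("DELETE FROM session_ctx")
    con.execute("INSERT INTO session_ctx VALUES (?, ?)", (role, as_of))


def query_view(con: sqlite3.Connection, view: str) -> list:
    """Query one of the published views; any other object is refused."""
    if view not in VIEWS:
        raise PermissionError(f"{view} is not a published view")
    return con.execute(f"SELECT * FROM {view}").fetchall()


if __name__ == "__main__":
    db = build_db()
    set_session(db, "operator", "2015-03-31")
    print("old calls:", query_view(db, "v_old_calls"))
    print("names only:", query_view(db, "v_customer_names"))
    print("restricted as operator:", query_view(db, "v_restricted_calls"))
    set_session(db, "manager", "2015-03-31")
    print("restricted as manager:", query_view(db, "v_restricted_calls"))
```

Note that the row filter in v_old_calls is evaluated against the session's reference date every time the view is read, so the operator never has to be trusted with a date parameter, and a direct SELECT on customer or call_detail is refused before it reaches the database.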

Slide 8-11

Notes for Slide 5 (Continued)

2. Roles to manage privileges (role: a user-defined collection of privileges)

• The role should grant the privilege to access specific views
• The PDPT operator’s access privileges should be revoked as soon as possible to prevent duplication or leakage of information

Slide 8-12

This slide has been deliberately left blank

Slide 8-13

Threats that need to be addressed (cont.)

Threat: Privilege level escalation
• Use of an ad-hoc query tool (report writer) accessed through group accounts

Potential consequences:
• Misrepresentation of users
• Bypass of user privileges
• Leak of information

Slide 8-14

Notes for Slide 6

Countermeasure

• Avoid using ad-hoc query tools
• View information only through the application
• No group accounts

Slide 8-15

Threats that need to be addressed (cont.)

Threat: Lack of accountability
• Difficult to maintain a record of user activity
• Difficult to identify and track potentially suspicious activity

Potential consequences:
• No hard evidence
• Extensive leak of information (multiple incidents)
• Negative exposure to customers
• Damage to the organization’s stature and reputation

Slide 8-16

Notes for Slide 7

Countermeasure

Auditing
• Users are held accountable for their actions
• Maintain and periodically review audit information
• The security policy should define the backup procedures for audit data
• Tampering with log files can disguise illegal activities carried out in the database
• The security administrators should not own any tables in the database
• The security administrators should only be able to create views of the audit tables in order to generate user activity reports
• Design a mechanism to automate the review of audit data

Slide 8-17

Solution overview

• Defined security policy and procedures
• Modular design
• Three-tier architecture – content provider approach
• Practice defense in depth – multiple layers of protection
• Database security
  • Enforce ACLs on the databases
  • Dynamic assignment of user rights (roles)
• General OS hardening principles
  • Ensure strong host-level security on all servers
  • Assess system-level vulnerabilities
• Restrict network access, provide detection capability
  • Deploy firewall, NIDS
• Audit policy – automated tool for reviewing audit data

Slide 8-18

Notes for Slide 8

The design should allow seamless integration with the existing mission-critical systems while securing them, so that normal business operations are not disturbed.

To address the security challenge described above we adopted a methodology that combines the following generic approaches to IT security provisioning:

• The definition of an appropriate administrative schema that determines the procedures followed to access sensitive corporate information. The administrative schema is derived directly from the security policy.

• A building-block approach to designing the security solution, which uses various technologies in multiple stages to provide authentication, authorization and accounting mechanisms for access to sensitive information within the defined administrative schema.

Slide 8-19

Notes for Slide 8 (Continued)

• Defence in depth as a general principle: apply several, sometimes overlapping, layers of defence to achieve the broadest and most complete coverage of the content provider platform, using diverse methods and technologies under the unified umbrella of a comprehensive security policy.

• Additionally, an automated reporting procedure is proposed that flags any behaviour deviating from the one imposed by the security policy, thus providing near real-time misuse detection support for the overall platform. For defence in depth to work effectively, audit information from the different layers can be correlated before being analysed and aggregated, giving a complete platform-wide view of the security posture.

Slide 8-20

This slide has been deliberately left blank

Slide 8-21

Administrative schema

[Diagram. Entities: Customers, Customer Care (CC), Problem management system, Security Officer, PDPT. Labelled flows: Request (customers to CC), Open Ticket (CC to the problem management system), Read / Close ticket (Security Officer and PDPT against the problem management system), Reply (back to customers).]

Slide 8-22

Notes for Slide 9

A special department, which this document will call the “Personal-Data Processing Team” (PDPT), services requests originating from the organization’s customer care departments and from the organization’s external commercial partners.

Slide 8-23

Content Provider Model

[Diagram. A thin client (web presentation) connects to the three-tier platform, which performs content adaptation (filtering) in front of the legacy provider. The platform is protected by layered security services and tools at the network and host level, DBMS services and database security services; all of these are imposed by the security policy.]

Slide 8-24

Notes for Slide 10

This platform (the content provider platform) should be capable of performing the necessary authentication, authorization and accounting functions.

Transactions take place only on the legacy system, whereas the platform merely makes the sensitive content viewable when the conditions defined by the security policy are met. Consequently, direct access to the legacy system is denied to all users except those who need to update or modify non-sensitive information.

The content provider platform is implemented on a modern RDBMS with enhanced security mechanisms and uses mechanisms that export data from the legacy database and import it into the modern RDBMS. Most modern RDBMSs provide utilities that load data from external files into database tables. These utilities accept input in a variety of formats (for example ASCII delimited files), can perform filtering, and can load data into multiple database tables during the same load session. The specific fields included in this import are defined by the organization’s security policy according to the sensitivity of the content. Based on the estimated load and bandwidth limitations, each periodic content replication is expected to take less than two hours, and it is scheduled during the hours of lowest mainframe utilisation to avoid degrading its performance.
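The policy-gated load session described above, as an added example that is not the presentation's own tooling. It reads a constructed pipe-delimited legacy extract and, in one pass, populates two platform tables with only the fields the policy lists; the extract layout, the table and field names, the policy and the deny list are all assumptions. The point it makes is that the platform never receives fields the policy does not name, so a sensitive column cannot leak through a view that was never written for it.

```python
"""Policy-driven replication of a legacy export into the platform RDBMS.

Added example, not from the presentation. Layout and names are assumptions.
"""
import csv
import io
import re
import sqlite3

# Constructed legacy export: one line per call record, with the subscriber
# fields repeated on every line as a flat mainframe extract would carry them.
LEGACY_EXPORT = """\
cust_id|name|tax_id|address|msisdn|called_number|call_date|duration_s
1|K. Ioannou|123456789|Athens|6900000001|2101234567|2015-03-15|120
1|K. Ioannou|123456789|Athens|6900000001|2107654321|2015-03-30|45
2|P. Georgiou|987654321|Patras|6900000002|2109999999|2015-03-17|300
"""

# Security policy: target table -> replicated fields and the natural key used
# to drop duplicates. Fields absent here (tax_id, address) never leave the
# legacy system.
POLICY = {
    "customer":    {"fields": ["cust_id", "name", "msisdn"],
                    "key": ["cust_id"]},
    "call_detail": {"fields": ["cust_id", "called_number", "call_date", "duration_s"],
                    "key": ["cust_id", "called_number", "call_date"]},
}
# Independent deny list: a second control so that a careless policy edit
# cannot quietly start replicating the most sensitive fields.
NEVER_REPLICATE = {"tax_id", "address"}
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def validate_policy(policy: dict, header: list) -> None:
    """Refuse to start a load session if the policy is malformed, names a
    denied field, or asks for a field the export does not carry."""
    for table, spec in policy.items():
        for name in (table, *spec["fields"], *spec["key"]):
            if not _IDENT.match(name):
                raise ValueError(f"bad identifier in policy: {name!r}")
        leaked = NEVER_REPLICATE.intersection(spec["fields"])
        if leaked:
            raise ValueError(f"policy would replicate {sorted(leaked)} into {table}")
        missing = [f for f in spec["fields"] if f not in header]
        if missing:
            raise ValueError(f"export lacks {missing} needed for {table}")
        if not set(spec["key"]) <= set(spec["fields"]):
            raise ValueError(f"key of {table} must be drawn from its fields")


def load_export(export_text: str, policy: dict = POLICY) -> sqlite3.Connection:
    """One load session: every export line feeds every target table, but only
    the policy's fields for that table are ever read from the line."""
    reader = csv.DictReader(io.StringIO(export_text), delimiter="|")
    validate_policy(policy, reader.fieldnames or [])
    con = sqlite3.connect(":memory:")
    for table, spec in policy.items():
        con.execute(f"CREATE TABLE {table} ({', '.join(spec['fields'])}, "
                    f"UNIQUE ({', '.join(spec['key'])}))")
    for row in reader:
        for table, spec in policy.items():
            marks = ", ".join("?" for _ in spec["fields"])
            con.execute(f"INSERT OR IGNORE INTO {table} VALUES ({marks})",
                        [row[f] for f in spec["fields"]])
    con.commit()
    return con


def table_columns(con: sqlite3.Connection, table: str) -> list:
    return [r[1] for r in con.execute(f"PRAGMA table_info({table})")]


def row_count(con: sqlite3.Connection, table: str) -> int:
    return con.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


if __name__ == "__main__":
    db = load_export(LEGACY_EXPORT)
    for t in POLICY:
        print(t, table_columns(db, t), row_count(db, t), "rows")
```

The validation runs before the first row is touched, so a policy that drifts (for example someone adding tax_id to the customer table) aborts the whole replication rather than producing a partially loaded platform database.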

Slide 8-25

Three-tier architecture (Enterprise users and roles)

[Diagram. Components: Client, Application Server, Database Server, Directory Server, Security Manager, Legacy Database Server (content). Flows: the client logs in to the application server over SSL; the application server proxies the user ID to the database server; the application server queries the directory server over LDAP over SSL.]

When a user attempts to connect to the application server, the directory is queried to obtain the enterprise roles associated with the user.

The workstation authenticates with the application server, and the application server authenticates with the database server.

Slide 8-26

Notes for Slide 11

A three-tier architecture is adopted for the content provider platform to improve resource management, scalability and security. In a three-tier system the middle tier, typically implemented with web servers, acts as a concentrator: it mediates access to the back-end system and lets many user devices share relatively few connections to the back-end database server.

Slide 8-27

Normal behaviour series of events

1. A ticket regarding sensitive information is opened
   Recorded: ticket number, date/time, type of problem, customer’s name, status (Open)

2. SA provides privileges to an operator
   Recorded: ticket number, role, date/time, operator’s user name, security administrator’s user name

3. Operator connects to the database
   Recorded: operator’s user name, customer’s name, role, date/time, accessed view

4. A ticket regarding sensitive information is closed
   Recorded: ticket number, date/time, customer’s name, status (Close), operator’s user name

Slide 8-28

Notes for Slide 12

Within the content provider framework we can define normal user behaviour as a set of well-defined events that appear in sequence. This set consists of four major events that should occur in the following time order:

1. A ticket of a specific type is opened. Resolving these types of cases requires access to sensitive customer personal data.

2. A security administrator reads the ticket and assigns privileges to a PDPT member.

3. An operator connects to the database (through the middle tier) and accesses the data.

4. The operator closes the ticket.

A ticket number uniquely identifies every ticket. When the security administrator grants the privileges, the application should require her to provide that ticket number. That number should be recorded in the audit table of the database, along with the administrator’s user name, date/time, the operator’s user name and the role the operator was assigned. The operator’s user name, the procedure she executed, the customer’s name and date/time should also be logged in the audit table. Finally, the ticket with that ticket number is closed.

Slide 8-29

Notes for Slide 12 (Continued)

Log information useful for tracing this sequence is therefore located in two different systems (the database audit table and the ticketing system), and for incident analysis it is helpful to collect these logs in a central analysis server. The central analysis server is the centre of the automated reporting operation. It would ideally consist of a database and a web server, allowing interactive querying of the log data for analysis. An easy-to-use web interface helps to evaluate the current attack status of PDPT operations. It also lets analysts run pre-programmed queries, such as aggregation and statistics gathering, to identify suspicious patterns and perform rudimentary incident analysis. Finally, the information gathered in the server provides a broader view of user community activity with respect to the content provider platform.
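The correlation the central analysis server performs, as an added example that is not the presentation's reporting tool. It takes the two logs the notes describe (the audit rows written at steps 2 and 3, and the ticketing system's open/close records) and checks every session against the four-step sequence: a grant must name a ticket that is open, an access must be covered by a grant whose ticket is still open and must concern that ticket's customer, and the ticket must be closed by the operator who was granted the role. The record fields, alert names and sample records are constructed assumptions, not the deck's schema.

```python
"""Misuse detection against the four-step normal behaviour.

Added example, not from the presentation. Field names, alert names and the
sample records are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


@dataclass
class Ticket:                      # ticketing system record (steps 1 and 4)
    number: str
    customer: str
    opened: datetime
    closed: Optional[datetime] = None
    closed_by: Optional[str] = None


@dataclass
class Grant:                       # audit row written when the SA assigns a role (step 2)
    ticket: str
    admin: str
    operator: str
    role: str
    at: datetime


@dataclass
class Access:                      # audit row written when an operator executes a view (step 3)
    operator: str
    view: str
    customer: str
    at: datetime


@dataclass
class Alert:
    kind: str
    operator: str
    ticket: Optional[str]
    at: datetime


def correlate(tickets: List[Ticket], grants: List[Grant], accesses: List[Access]) -> List[Alert]:
    by_no = {t.number: t for t in tickets}

    def in_window(t: Ticket, when: datetime) -> bool:
        return t.opened <= when and (t.closed is None or when <= t.closed)

    alerts: List[Alert] = []
    # Step 2: every grant must name a ticket that is open at grant time.
    for g in grants:
        t = by_no.get(g.ticket)
        if t is None:
            alerts.append(Alert("GRANT_UNKNOWN_TICKET", g.operator, g.ticket, g.at))
        elif not in_window(t, g.at):
            alerts.append(Alert("GRANT_OUTSIDE_TICKET_WINDOW", g.operator, g.ticket, g.at))
    # Step 3: every access must be covered by a grant whose ticket is still open,
    # and must concern that ticket's customer.
    for a in accesses:
        prior = [g for g in grants if g.operator == a.operator and g.at <= a.at and g.ticket in by_no]
        live = [g for g in prior if in_window(by_no[g.ticket], a.at)]
        if not live:
            kind = "ACCESS_AFTER_TICKET_CLOSED" if prior else "ACCESS_WITHOUT_TICKET"
            alerts.append(Alert(kind, a.operator, prior[-1].ticket if prior else None, a.at))
        elif not any(by_no[g.ticket].customer == a.customer for g in live):
            alerts.append(Alert("CUSTOMER_MISMATCH", a.operator, live[-1].ticket, a.at))
    # Step 4: the ticket is closed by the operator who was granted the role.
    for t in tickets:
        if t.closed is not None:
            granted = {g.operator for g in grants if g.ticket == t.number}
            if granted and t.closed_by not in granted:
                alerts.append(Alert("CLOSED_BY_NON_OPERATOR", t.closed_by or "", t.number, t.closed))
    return alerts


# Constructed sample records: one clean session and four deviations.
SAMPLE_TICKETS = [
    Ticket("T-1001", "K. Ioannou", ts("2015-03-02 09:00"), ts("2015-03-02 11:30"), "op_maria"),
    Ticket("T-1002", "P. Georgiou", ts("2015-03-02 10:00")),
    Ticket("T-1003", "A. Nikolaou", ts("2015-03-03 08:00"), ts("2015-03-03 08:45"), "op_maria"),
]
SAMPLE_GRANTS = [
    Grant("T-1001", "sa_eleni", "op_maria", "PDPT_CALLS", ts("2015-03-02 09:15")),
    Grant("T-1002", "sa_eleni", "op_nikos", "PDPT_BILLING", ts("2015-03-02 10:05")),
    Grant("T-1003", "sa_eleni", "op_nikos", "PDPT_CALLS", ts("2015-03-03 08:05")),
    Grant("T-9999", "sa_eleni", "op_nikos", "PDPT_CALLS", ts("2015-03-03 09:00")),  # no such ticket
]
SAMPLE_ACCESSES = [
    Access("op_maria", "v_old_calls", "K. Ioannou", ts("2015-03-02 09:40")),        # normal
    Access("op_maria", "v_old_calls", "K. Ioannou", ts("2015-03-02 14:00")),        # ticket already closed
    Access("op_nikos", "v_customer_names", "P. Georgiou", ts("2015-03-02 10:30")),  # normal
    Access("op_nikos", "v_old_calls", "M. Dimitriou", ts("2015-03-02 10:45")),      # wrong customer
    Access("op_kostas", "v_old_calls", "P. Georgiou", ts("2015-03-02 11:00")),      # never granted
]


def run_example() -> List[Alert]:
    return correlate(SAMPLE_TICKETS, SAMPLE_GRANTS, SAMPLE_ACCESSES)


if __name__ == "__main__":
    for al in run_example():
        print(al.kind, al.operator, al.ticket, al.at)
```

Because the check keys on the ticket number that the security administrator is forced to enter at grant time, an operator cannot make a session look normal by choosing a plausible customer: the customer must be the one on an open ticket for which that operator, not a colleague, was granted the role.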

Slide 8-30

This slide has been deliberately left blank

Slide 8-31

Automated Reporting Functionality

[Diagram. Audit data from the database server and application server (client, proxied user ID) and ticketing data from the ticketing system feed the Central Analysis Server. The server applies a filter and logic driven by user profiles / templates: event correlation, information fusion (grouping normal events), easy check of normal behaviour, misuse detection. Outputs: noteworthy sessions and alerts.]

Slide 8-32

[Network diagram. The PDPT user community reaches the application servers across the corporate data network; the application servers front the mainframe cluster and the back-end systems. NIDS sensors are placed on the segments in front of the application servers and the back-end systems and report to an IDS console.]

Slide 8-33

Conclusions

The presented solution integrates a mission-critical legacy system into a modern e-business environment (three-tier architecture) in order to provide a cost-effective and manageable secure method for accessing sensitive mission-critical corporate data.

The main goal was to mitigate the trusted-insider misuse threat.

The countermeasures were:

• Regulation of and access control to sensitive corporate information using best security practices (defense in depth, AAA functions)

• Addition of misuse detection functionality based on a behavioural model and implemented by an automated reporting tool

Slide 8-34

This slide has been deliberately left blank

Slide 8-35

This slide has been deliberately left blank