A Model-Driven Approach for Dev. & Operations of Security-sensitive IS

Hasan Sayani, Jim Chen, Mary Hoferek

Graduate School of Mgmt & Technology, University of Maryland University College

Mar 26, 2015


Copyright, H. Sayani, MD., March 2, 2006

Introduction

Leveraging Work Flow
Originated in Industrial Engineering
Tracking Materials through Processes
Applies to Information Systems as well
May be used to model Information Systems
At any phase of the development cycle
Non-threatening to functional users
Available as part of Microsoft’s Vista and Office 2007
Document management packages (e.g. Hershey Systems)
We use it to model Security
Fits into a Meta-Meta view of IS


Data-Activity-Control-Constraint (Meta-meta)


Major Building Block of WF

The Activity (e.g., in IDEF0) components:
Control (logical)
Performance (using specified Procedure)
Data Input
Data Output
Database Interaction (added explicitly)

Enhanced for our model


The Visualized Activity Model


Diagrammatic Ontology of the Activity Model

[Figure: diagram with the objects ACTIVITY, ICOM and DATABASE joined by the PROCESS relationship; role labels OUTPUT, INPUT, CONTROL, DATA and MECHANISM; property PROCEDURE.]


Ontology of the Activity Model (Culture)

CULTURE CONTENTS REPORT Wed Feb 28 17:49:08 2007

OBJECTS:
--------
1) ACTIVITY
2) DATABASE
3) ICOM

RELATIONSHIPS:
--------------
1) PROCESS
   Role:1 OUTPUT Role Player(s) OBJ: ICOM
   Role:2 INPUT Role Player(s) OBJ: ICOM
   Role:3 PROCESS Role Player(s) OBJ: ACTIVITY
   Role:4 CONTROL Role Player(s) OBJ: ICOM
   Role:5 DATA Role Player(s) OBJ: DATABASE
   Role:6 MECHANISM Role Player(s) OBJ: ICOM

PROPERTIES
----------
1) PROCEDURE


Work Flow

“The stringing together of Activities to perform a functional task”

Interspersed with a special type of Activity
Routes to the next Activity
Via Procedure using classic control constructs
Can be used across Life Cycle


Security Concerns

Components Specifically targeted

Control (logical)
Performance (using specified Procedure)
Data Input
Data Output
Database Interaction

Or, generally aimed at Activity


Diagrammatic Ontology of the Security Model

[Figure: diagram with the objects ACTIVITY, ICOM, DATABASE and SECURITY; labels PROCESS, s-PROCESS, ss-PROCESS, s-INPUT, s-OUTPUT, s-CONTROL, s-DATA, s-MECHANISM and PROCEDURE.]


Overlay of Security on Work Flow

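[Figure: the security model overlaid on the activity model; objects ACTIVITY, ICOM, DATABASE and SECURITY; work flow labels PROCESS, INPUT, OUTPUT, CONTROL, DATA, MECHANISM and PROCEDURE; security labels s-ACTIVITY, s-PROCESS, ss-PROCESS, s-INPUT, s-OUTPUT, s-CONTROL, s-DATA and s-MECHANISM.]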


Visualization of Work Flow


Control

Functional control
Security Control


Control Constraints

Sequence of control flow constructs

Conditional constructs (if-then-else)

Iteration constructs (while loop)


Routing


Security: Access Control

Identification
Authentication
Authorization


Example

IF (Identification = OK) AND (Authentication = OK) AND (Authorization = OK)
THEN DO X
ELSE EXIT
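The IF/THEN/ELSE gate above, applied as a security control in front of each activity of a small work flow. This is an added example, not code from the presentation; the user, the roles, the activity names and the PBKDF2 credential check are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data (assumptions): one user, two activities, their roles.
# One fixed salt keeps the sample short; a real store uses a per-user salt.
SALT = b"constructed-salt"

def pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"mhall": {"pw": pw_hash("correct horse"), "roles": {"clerk"}}}
ALLOWED_ROLES = {"enter_order": {"clerk"}, "approve_order": {"manager"}}

def security_control(user_id, password, activity):
    """Evaluate the three access-control conditions for one activity."""
    user = USERS.get(user_id)
    identified = user is not None
    # Unknown users are compared against a dummy hash so the work done is similar.
    stored = user["pw"] if identified else pw_hash("")
    matches = hmac.compare_digest(stored, pw_hash(password))
    authenticated = identified and matches
    permitted = ALLOWED_ROLES.get(activity, set())
    authorized = identified and bool(user["roles"] & permitted)
    return {"identification": identified,
            "authentication": authenticated,
            "authorization": authorized}

def run_workflow(user_id, password, activities):
    """Route through the activities in order; EXIT at the first failed gate."""
    trace = []
    for name in activities:
        checks = security_control(user_id, password, name)
        if all(checks.values()):
            trace.append((name, "DO"))          # THEN DO X
        else:
            failed = [k for k, ok in checks.items() if not ok]
            trace.append((name, "EXIT", failed))  # ELSE EXIT
            break
    return trace
```

The returned trace records which condition stopped the flow, which is the tracking information the security overlay is meant to provide.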


Benefits

Good tracking mechanism in the hierarchy

Good tracking mechanism in the systems development life cycle


Application Environments

Role-based access of data
Network security
Intrusion detection
Forensics


A Database Perspective

Last year, we talked about a data-centric view rather than work flow.


Meta-Model of IS


A Database Perspective

Last year, we looked at a 3-dimensional perspective of data analysis.

[Figure: axis labels Processes and Risk.]


A Database Perspective

Threat Threshold Values
Severe: 21-30
Moderate: 11-20
Minor: 1-10

Column Sensitivity Values
Highly Sensitive: 5
Sensitive: 4
Moderate: 3
Minor: 2
Not Sensitive: 1

[Figure: data elements marked with sensitivity values from 1 to 5; axis label: Processes; callout: Some Threat!!!]

Data elements of different sensitivities. Aggregated columns are triggered by the highest sensitivity value.

Copyright, H. Sayani, MD., September 2001 24


A Database Perspective

Identify “code red” data items

Based on that, workflow could vary substantially


Meta-Model of IS


A Database Perspective

Could view preceding diagram as a commercial database engine.


A Database Perspective

Look at just one aspect of workflow and see how security concerns could be addressed - Performer


A Database Perspective

Data Mining attack characteristics:
Organized, technical, professional adversary
Compromised user and system credentials
Key logging programs strategically deployed
Used SQL injection to get IDs and passwords
Compiled, malicious code was encrypted to prevent reverse engineering
Large amount of traffic to external address
High volume of traffic during non-working hours
Familiar with organization – went after executive, research and technical accounts
New users appeared on system
Stole valid ID and established their own (Windsor, 2007).


A Database Perspective

Look again at workflow model and apply to database – assume this attack.
What counter measures could database professionals establish for Performer?
Stole IDs so looked like authorized user
Created own ID and gave privileges


A Database Perspective

Counter measures:
Set up dummy IDs
Determined who was targeted
Identify data that was stolen
Identify earliest known unauthorized action
Identify malicious code


A Database Perspective

If protecting “code red”, could establish code in DBMS:
Trigger when dummy ID accessed
Trigger to audit all access to data
Trigger to send back false data – basically to lie
Limit access to catalog – can’t get schema
Limit all accesses to code in DBMS
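The dummy-ID and audit-everything ideas above, combined with the indicators listed earlier (new users appearing, high volume in non-working hours, earliest known unauthorized action), written as detection logic over audit records. This is an added example, not code from the presentation, and it runs outside the DBMS rather than as triggers; the record layout, account names, working hours and row limit are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Assumptions (constructed): decoy accounts, account inventory, hours, limit.
DUMMY_IDS = {"svc_archive"}              # decoy IDs no real user should use
KNOWN_IDS = {"mhall", "jlee", "svc_archive"}
WORK_HOURS = range(8, 18)                # 08:00 to 17:59
OFF_HOURS_ROW_LIMIT = 10_000             # rows per account per day, off hours

# Constructed audit records: timestamp, account, action, object, rows returned.
AUDIT_LOG = """\
2007-02-12T10:15:00 mhall SELECT orders 120
2007-02-13T02:10:00 jlee SELECT research 9000
2007-02-13T02:40:00 jlee SELECT research 8000
2007-02-13T03:05:00 tmp_adm GRANT research 0
2007-02-13T03:20:00 svc_archive SELECT executives 15
"""

def detect(log_text):
    """Return (rule, account, timestamp) alerts in the order they fire."""
    alerts, seen, off_rows = [], set(), defaultdict(int)
    for line in log_text.strip().splitlines():
        stamp, user, _action, _obj, rows = line.split()
        ts = datetime.fromisoformat(stamp)
        if user in DUMMY_IDS:                      # any use of a decoy ID
            alerts.append(("dummy_id_used", user, stamp))
        if user not in KNOWN_IDS and user not in seen:
            seen.add(user)                         # report each new ID once
            alerts.append(("new_user", user, stamp))
        if ts.hour not in WORK_HOURS:
            key = (user, ts.date())
            before = off_rows[key]
            off_rows[key] += int(rows)
            # Alert once, at the record that crosses the limit.
            if before <= OFF_HOURS_ROW_LIMIT < off_rows[key]:
                alerts.append(("off_hours_volume", user, stamp))
    return alerts

def earliest_unauthorized(alerts):
    """Earliest alert by timestamp (ISO strings sort chronologically)."""
    return min(alerts, key=lambda a: a[2]) if alerts else None
```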


A Database Perspective

Outside of DBMS – problem
Went after files themselves
Common file names in industry
Encrypted files
ASM – help or hurt?
Can DBMS files be set up so that only DBMS can access?
Just a thought


A Database Perspective

Data and workflow interwoven

Just some ideas today. Good food for thought


A Database Perspective

Reference: Windsor, S. Case Study of a Professional Hacker’s Data Mining Intrusion. Presented at 2007 Maryland CyberSecurity Forum. February 22, 2007 at UMUC.