

Sensitive Metric Collection and Reporting System
Presentation for Critical Review

  Michael Aiello
  Hanning Gao
  Martin Goldberg
  Michael Sosonkin
  Jason Woloz
   System Overview
   Primary Requirements Analysis
   Preliminary Architecture
   Security Trade Studies
   Preliminary Assessment
   System Design
   Updated Risk Analysis
   Updated Security Requirements
   Security Design
   Updated Security Assessment
   Business Continuity Planning
   Transmissions/Emissions Security
   Physical Security
System Overview - Mission Needs
   Procedural Need:
       Currently, several ad-hoc processes collect metrics of varying sensitivities.
       Currently, the oversight, organization, calculation, grouping and reporting on these metrics are accomplished through a tedious manual
   Compliance and Audit Need:
       Operational risk reporting requirement
System Overview - High Level Requirements
   Repository
       Handle metric storage and archival
       Redundant off-site backup depository
   Metric-collection Subsystem
       Automated metric collection
       Manual metric collection
   Collection Job Configuration
       Specified data point selection
       Scheduled collection
System Overview - High Level Requirements (continued)
   Statistical Application
       Task and execution manager
       Result viewing
       Automated monitoring and execution
   Reporting
       Centrally managed administrative interface
       Multi-level third-party reporting capabilities
System Overview
   Administrative collection job configuration is entered into the
   Specific collection configuration information is entered by the
    administrators (source authentication, collection frequency
   Metric data is collected
   The data collected is archived and organized (automatically)
   Pluggable reporting and statistical packages interface with the
   Users then use these reporting tools to interface and perform
   System may become a data source for other risk systems.
System Overview - CONOPS Data Flow
Primary Requirements Analysis - Risk Analysis - Assets
   Firm Reputation – The metrics information, if used, can damage the company’s reputation.
   Availability of the metric repository – If the system is unavailable for an extended period of time, the company may not be able to effectively manage security risk.
   Integrity of the computation results – The computation produces analysis of the security metrics. Results could indicate where and what the vulnerabilities are.
   Contents of the metrics database – The database contains information about the company’s vulnerabilities and information system setup. The information may be used to cause further
   Knowledge of firm vulnerabilities – This system provides a way of managing this knowledge, so if it becomes known the company is exposed.
Primary Requirements Analysis - Risk Analysis - Threats

Threat          | Motive                                                            | Capability | Attack Likelihood | Success Likelihood
Insider         | Career; steal money or information from                           | Medium     | High              | Med
Competitors     | Obtain competitive edge by using inside information.              | High       | Med               | High
Active Attacker | Find more vulnerabilities and steal information or money directly | Medium     | High              | High
Script Kiddies  | Use computing resources for file trading or attacking other       | Low        | High              | Low
Asset Threat Combinations

Asset                                       | Threat                | Priority | Justification
Firm Reputation                             | Insider / Competition | Highest  | Easiest target, highest value, hardest to define, must cover the bases against mal-intent insiders and
Knowledge of organization's vulnerabilities | Active Attacker       | High     | Active attackers may use this information to further their attempt at
Risk Approach

Asset                                       | Threat                | Approach          | Justification
Firm Reputation                             | Insider / Competition | Mitigate / Accept | Impossible to function without accepting some risk to the firm's reputation. Unknown avenues for reputational exposures.
Knowledge of organization's vulnerabilities | Active Attacker       | Mitigate          | Technical avenues for information leakage can be monitored, secured and
Primary Requirements Analysis - Risk Analysis - Vulnerable and Likelihood Areas
   Automated Collection Component
   Statistical Modules
   Reporting System
   Configuration System
   Metric Repository
Primary Requirements Analysis
1.   System Level
        All communications must be secure between the repository and its associated modules
2.   Automated Collection Component
        Will only connect to authorized information gathering
3.   Statistical Packages
        The statistical providers must not have write access to the database.
4.   Reporting System
        Should only have read access to the repository
5.   Configuration System
        Only administrator-authorized modules can be imported into the collection system.
6.   Metric Repository
        Metric database information should be stored securely and redundantly in compliance with the mission critical information storage policy.
Primary Requirements Analysis - Legal Requirements
   The system in its most generic form does not suffer from compliance issues
   The system is meant as a way for companies to meet compliance requirements
   Due to its extensibility it can be deployed in a manner that would require it to meet a compliance
   SOX
       Certifies the effectiveness of internal controls
   Basel II
       Monitors controls for operational risks
   GLB
       Controls for identified risks
Security Requirements Based on Risk Analysis, Global Policies and Legal Requirements
   Encryption Requirements
       Communications between data center and
   Reporting Agents must be Authorized
   Availability Requirements
   Reporting Requirements
       Auditors must easily be able to access the system. They may wish to do this from an offsite location.
Preliminary Functional Architecture
Preliminary Security Architecture
   Confidentiality requirements elicited
       Encrypted Channels
   Integrity requirements elicited
       Central repository and backup
       Firewalls
   Availability requirements elicited
       Segregation of backend hardware
       Repository Backup
Trade Study - Product Selection Drivers
   Functionality
   Support Model
   Time to deploy
   Compliance with our security policies
   Scalability
Trade Study

System Feature               | Product                  | Cost (with support) | Provider
Repository Database          | Oracle Database Standard | 4,995 + 1,098.90    | Oracle
Intermediate Collection DBs  | MySQL                    | $595.00/Server/Year | MySQL
Backup connection            | FreeS/WAN                | Administrator Time  |
Packet switching             | Cisco Catalyst 2950      | $629.00             | Cisco
Intrusion Detection          | Snort                    | Administrator Time  | Cisco
System Secure Authentication | OpenSSL                  | Developer Time      | OpenSSL
System Secure Authentication | SSL Certificate          |                     | In house
Traffic control              | IPTables                 | Administrator Time  |
Trade Study - Product Requirements Review
   Vendor support
       Vendor support is required for large components
   Compliance with laws
       Vendor must show how product is compliant
   Compliance with standards
       Interfaces must be standardized
   Must be cheaper than building in house
       Licensing
       TCO
           When deployed, cost of operation must be low
Trade Study

System Feature               | Product                    | Cost (with support) | Provider
Repository Database          | Oracle Database Standard   | 4,995 + 1,098.90    | Oracle
Intermediate Collection DBs  | MySQL                      | $595.00/Server/Year | MySQL
Backup connection            | Check Point Enterprise Pro | $25,000             | CheckPoint
Packet switching             | Cisco Catalyst 2950        | $629.00             | Cisco
Intrusion Detection          | CISCO 3725 SERIES          | $3156               | Cisco
System Secure Authentication | SSLBlackbox                | $1,245.00           | ELDOS
System Secure Authentication | SSL Certificate            | $4395               | VeriSign
Traffic control              | FireWall-1 SecureServer    | $600                | CheckPoint
Security Matrix (selected items)

Security Requirement | Process/Hardware | Justification
Depository system will be distributed to provide fail over | Database will be set up to run in a cluster environment | To ensure metric data collection is not interrupted or backlogged.
Encrypted communication between repository and subsystems | Use industry standard encryption protocol such as SSL or VPN | To protect metric data’s integrity and confidentiality
The repository network is segmented from the rest of the corporate network | Use firewall to restrict access to the repository network | To protect the repository from unauthorized access and also to protect data confidentiality
Communications between the offsite backup system and the primary system should be | Use VPN to connect the onsite and offsite depository systems | To protect metric data’s integrity and confidentiality
Direct access to the repository will be restricted to system administrators | Enclose depository system in a locked-down physical area and issue access only to sys admins | To protect the repository from unauthorized access and also to protect data confidentiality
Newly Identified Vulnerable Areas

       Automated Collection Component
        Reception of manipulated information from in-house developed systems – Medium
        Reception of manipulated vendor feeds – Medium
        Reception of manipulated emails with fraudulent metrics –
        Vulnerabilities in collecting software – Medium
        Vulnerabilities on vendor interfaces – Low
        Denial of Service attacks on collection system – Low

       Statistical Modules
        Social engineering on the people that work at the company with this system – Low
        External database interface vulnerabilities – High
        Module database interfaces – Medium
        Vulnerabilities in the software or hardware provided by a third party to analyze the data –

       Reporting System
        External interfaces (web reporting) – High
        Forgery of reports – Low
        Manipulation of communication between database and reporting subsystem – Low
        Third party reporting software – Medium
        Sniffing of report data – High

       Configuration System
        Configuration integrity (administrators misconfigure) – High
        User authentication credentials and storage –

       Metric Repository
        Denial of service – High
        Communication interfaces – High
Updated Risk Analysis

   Highly vulnerable areas identified
       Reception of manipulated emails with fraudulent metrics
       External database interface vulnerabilities
       Reporting interfaces (web reporting)
       Configuration integrity
       Denial of service
       Communication interfaces

   Highest (Threat * Impact * Vulnerability)
       Reporting interfaces (web reporting)
           High impact (loss of CIA)
           High vulnerability (may be exposed to non-internal users)
       Communication interfaces
           High impact (loss of CIA)
           High vulnerability (database may interact concurrently with several client applications)
       Reception of manipulated emails with fraudulent metrics
           Medium impact (loss of integrity)
           High vulnerability (difficult to verify source of email)
Updated Security Requirements

   Email authentication support
   Intrusion detection
   Secure and segregated reporting Interfaces
Proposed Security Design
Updated Security Assessment

   Additional hardware and design clarification meet the new security requirements.

   Additional items added to matrix

   Security Requirement | Process/Hardware | Justification
   An intrusion detection system shall monitor and report potential attacks on the backend system | IDS system | High-risk vulnerabilities may exist in web reporting. The IDS alerts administrators of attempted break-ins.
   System should allow for the reception of signed email metric data input | Authentication server | To protect metric data’s integrity. Email spoofing is trivial.
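The signed-email intake from the matrix above, as an added example that is not part of the original presentation: a collector-side check that accepts metric rows only when the HMAC computed under the key registered for the claimed source matches the message's signature, so a spoofed From header on its own is rejected. The source identity, key, header names (X-Metric-Source, X-Metric-Signature) and the metric body are all constructed for the demo.

```python
import email
import hashlib
import hmac

# Per-source shared secrets held by the authentication server (constructed demo
# values; a real deployment reads them from the server's key store, never from
# the message itself).
SOURCE_KEYS = {"patch-scanner@example.internal": b"constructed-demo-key"}

# Constructed sample payload: one metric per line.
SAMPLE_BODY = "unpatched_hosts=12\ncritical_vulns_open=3\n"

def canonical(body: str) -> str:
    """Normalise line endings and trailing whitespace so MTA CRLF rewrites do not break the HMAC."""
    return "\n".join(line.rstrip() for line in body.splitlines()).strip()

def sign_metric_body(source: str, body: str) -> str:
    """HMAC-SHA256 over the claimed source identity plus the canonical payload."""
    msg = source.encode() + b"\n" + canonical(body).encode()
    return hmac.new(SOURCE_KEYS[source], msg, hashlib.sha256).hexdigest()

def build_metric_email(source: str, body: str, signature: str) -> bytes:
    """Constructed helper producing the raw message a data source would send."""
    hdrs = f"From: {source}\nX-Metric-Source: {source}\nX-Metric-Signature: {signature}\n"
    return (hdrs + "\n" + body).encode()

def verify_metric_email(raw: bytes):
    """Return parsed (name, value) rows if the message is authentic, else None.
    From: is ignored because it is trivially spoofed; only a valid HMAC under the
    key registered for X-Metric-Source proves the sender holds that key."""
    msg = email.message_from_bytes(raw)
    source = msg.get("X-Metric-Source", "")
    signature = msg.get("X-Metric-Signature", "")
    if source not in SOURCE_KEYS or not signature:
        return None                              # unknown source or unsigned
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    if not hmac.compare_digest(sign_metric_body(source, body), signature):
        return None                              # payload or headers were altered
    rows = []
    for line in canonical(body).splitlines():
        name, _, value = line.partition("=")
        try:
            rows.append((name.strip(), float(value)))
        except ValueError:                       # malformed line: reject the message
            return None
    return rows
```

The demo does not cover replay of a previously valid message; a timestamp or sequence number inside the signed body, checked against the last accepted value per source, closes that gap.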
Business Continuity Plan Outline

   Three major areas
       Unable to connect to data storage system
           Use local storage until the data storage system becomes available again.
           If the data storage system becomes unavailable for an extended period, switch to the redundant data storage.
       Metric collection server is unavailable (configuration/reporting)
           Equipment repaired by the manufacturer or by internal staff. A temporary server loaded with the backup is run in the production environment.
       Remote data sources become unreachable
           The manager of the local data source can maintain the storage of data for an extended period of time until the network outage is remedied.
           The manager or an authorized individual can send the data through one of the other methods of data collection (i.e. manually enter the data through a form or email the data).
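The first contingency above (local storage while the data storage system is unreachable), as an added example that is not code from the original design: a collection agent that spools metric records to a local JSON-lines file whenever the repository reports an outage and replays them in order once it is back. The repository class, the error type and the spool path are constructed for the demo.

```python
import json
import os
import tempfile

DEFAULT_SPOOL = os.path.join(tempfile.gettempdir(), "metric_spool_demo.jsonl")  # constructed demo path

class RepositoryUnavailable(Exception):
    """Raised when the central data storage system cannot be reached."""

class FakeRepository:  # constructed stand-in; flip `up` to simulate an outage
    def __init__(self):
        self.up, self.stored = True, []
    def store(self, record):
        if not self.up:
            raise RepositoryUnavailable("repository not reachable")
        self.stored.append(record)

class SpoolingCollector:
    """Writes to the repository when it answers, otherwise to an append-only
    local spool (JSON lines) that is replayed in order once storage returns."""
    def __init__(self, repository, spool_path=DEFAULT_SPOOL):
        self.repo, self.spool_path = repository, spool_path
        open(self.spool_path, "a").close()          # make sure the spool exists
    def reset(self):
        open(self.spool_path, "w").close()          # start the demo with an empty spool
    def submit(self, record):
        """Return True if stored centrally, False if it had to be spooled locally."""
        try:
            self.repo.store(record)
            return True
        except RepositoryUnavailable:
            with open(self.spool_path, "a") as f:
                f.write(json.dumps(record) + "\n")
            return False
    def spooled(self):
        with open(self.spool_path) as f:
            return [json.loads(line) for line in f if line.strip()]
    def flush(self):
        """Replay the spool in order; a record leaves it only after the repository accepted it."""
        pending, sent = self.spooled(), 0
        for record in pending:
            try:
                self.repo.store(record)
                sent += 1
            except RepositoryUnavailable:
                break                               # outage mid-flush: keep the unsent tail
        with open(self.spool_path, "w") as f:
            f.writelines(json.dumps(r) + "\n" for r in pending[sent:])
        return sent
```

Because a record is dropped from the spool only after the repository accepted it, a crash between the two steps can resend that record, so the repository should treat a (source, timestamp) pair as an idempotent key.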
Transmissions/Emissions Security

       Vulnerability
           Traffic analysis, eavesdropping
       Countermeasure
           Wire placement, access control for data centers, encryption

       Vulnerability
           Electromagnetic radiation leak, observation, power signal
       Countermeasure
           Shielding, zone of control, power filtering for highly critical systems in data centers

   Solution
       Partial implementation (no network encryptor nor building shielding for non-database aspects)
       Most of the EMSEC risk is taken by the data center (cheaper; keep all of the EMSEC-sensitive equipment in one location)
Physical Security
   Access Control
     Access Authorization
     Monitoring
   Infrastructure
     Power
     Lighting
     Secure Server Room
     Equipment Protection
     HVAC
     Alarm
     Security Guard

   Standard data center security concerns. Risks transferred to the Physical Security Group.
[Diagram: security engineering process flow. Labels: Mission Need, Assets at Threat, CONOPS, Prelim. Risk Analysis, Functional Rqmts, Sec Rqmts, System Arch., Corp/Org Other Rqmts, Derived Sec Rqmts, Risk Analysis, Vulner. Analysis, System Design, Security Assess]