Cybersecurity & Risks Analysis

Transcription

1 Working Together to Build Confidence Cybersecurity & Risks Analysis Djenana Campara Chief Executive Officer Member, Object Management Group Board of Directors Co-Chair, System Assurance Task Force

2 Cyber Security Trust in System s ability to Execute Trusted Behavior Only and to Prevent Malicious Attacks with objective to Protect Information, Assets & Services Against Compromise 12/6/2016 (c) KDM Analytics Inc. 2

3 OMG Security Community Focus Systematic Threat Risk & Vulnerability Analysis (TRV) Unique, cost-effective approach Automated analysis Supported by integrated tools 12/6/2016 (c) KDM Analytics Inc. 3

4 Threat, Risk and Vulnerability Analysis (TRV) It Starts by Understanding Goal: Risk Assessment Methodology within the RMF that is systematic, objective and allows automation and that can answer a tough question: How do we know that all threats have been addressed How system can be attacked? Risk What are the Vulnerabilities that are exploited by successful attacks? What is the impact of successful attacks? 12/6/2016 (c) KDM Analytics Inc. 4

5 Failing to understand ALL threats Not enough to trust credentials Firewall is no longer sufficient protection Ignorance MUST NOT be an option Organized Crime Smart and knowledge sharing Hackers Effective threat mitigation can only be achieved through identifying, analyzing, classifying and understanding the threat and related risk: Cause & Effect 12/6/2016 (c) KDM Analytics Inc. 5

6 The Challenge: Where are the Vulnerabilities The researcher successfully hacked the principal system on-boards like ADS- B and ACAR POSTED IN SCADA / ICS SECURITY ON APRIL 8, 2014 The point of entry to the system is the individual user The actual security perimeter is often much larger than anticipated Stakeholders often accept risk that they are not aware of 05/12/2016 (c) KDM Analytics Inc. 6

7 Undiscovered Vulnerabilities can Result in Massive Losses STUXNET - Sophisticated, multilevel targeted attack on SCADA system resulted in modification of system s behavior layered attack against three different systems initially exploiting four zero-day vulnerabilities within Windows systems and using it as spring board to install itself on PLC devices unnoticed with aim to periodically modify the frequency and thus affects the operation of the connected motors by changing their rotational speed and leading to destruction of centrifuges A cyberattack against Polish flagship carrier LOT grounded more than 1,400 passengers at Warsaw s Frederic Chopin Airport (June 2015) The airline said in a statement on its website that the IT attack meant it was unable to create flight plans and flights were not able to depart from Warsaw. The International Civil Aviation Organization (ICAO) last year highlighted long-known vulnerabilities in a new aircraft positioning communication system, ADS-B, and called for a working group to be set up to tackle them Researchers have shown that ADS-B, a replacement for radar and other air traffic control systems, could allow a hacker to remotely give wrong or misleading information to pilots and air traffic controller 12/6/2016 (c) KDM Analytics Inc. 7

8 Overcoming the Challenge COMPREHENSIVE AND SYSTEMATIC RISK ANALYSIS 12/6/2016 (c) KDM Analytics Inc. 8

9 Examining Existing Risk Management Methodologies: Providing Assurance & Automation? ISO/IEC ISO/IEC ISO/IEC ISO/IEC CRAMM (UK) EBIOS (France) Mehari (France) Magerit (Spain) HTRA (Canada) NIST SP (US) Octave (SEI CMU) RiskAn (Czech Rep) Microsoft Threat Analysis Methodology Open Group FAIR & others Challenges: 1) no interoperability (an issue in a coalition context) 2) few approaches deal with discernable concepts to be automatable 3) few approaches are systematic enough to provide assurance 12/6/2016 (c) KDM Analytics Inc. 9

10 Ingredients of risk (ISO 15408) 12/6/2016 (c) KDM Analytics Inc. 10

11 Assurance through vulnerability detection 12/6/2016 (c) KDM Analytics Inc. 11

12 Assurance through asset protection 12/6/2016 (c) KDM Analytics Inc. 12

13 Assurance through standard controls 12/6/2016 (c) KDM Analytics Inc. 13

14 Each step can be a reasonable starting point Understand how system can be attacked Understand impact of vulnerabilities Understand entry points Identify vulnerabilities in system 12/6/2016 (c) KDM Analytics Inc. 14

15 Goal: Justifiable Risk Management Justifiable risk management = end-to-end risk mitigation assurance 12/6/2016 (c) KDM Analytics Inc. 15

16 Justifiable Risk Management: FORSA Methodology Influenced by Standard Efforts Achieving justifiable risk management requires a methodology that Is systematic (can enumerate all threats) Deals with discernable concepts Considers assurance (can provide confidence and justification) We selected most suitable methodologies, combined them and further enhanced to Fully support assurance Support import of structured Enterprise operational views (e.g. DoDAF/UAF) Support automation of the methodology steps Including multi-stage attack identification FORSA: - Fact Oriented - Repeatable - Security - Assurance 12/6/2016 (c) KDM Analytics Inc. 16

17 Methodology describes the sequence of steps Who cares? Owners and criteria sensitivity To what? Assets and Targets Identified Risks By who? and Why? Threat Sources What to do about it? Controls, mitigation options How? Attack scenarios Likelihood So what? Undesired events, Operational Impact severity 12/6/2016 (c) KDM Analytics Inc. 17

18 The corresponding FORSA steps FORSA STEPS 1. Operational Context Identification 2. System Facts 3. Asset Identification 4. Undesired Event Identification 5. Attack Group Identification 6. Threat Scenario Analysis 7. Safeguard Identification 8. Vulnerability Analysis 9. Risk Identification 10. Risk Analysis Enterprise Architecture What? Analysis of valuables, sensitivities and Impacts => severity How? Analysis of targets, Entries and attacks => likelihood Risk The sequence of steps is designed to increase confidence, and therefore increase assurance 12/6/2016 (c) KDM Analytics Inc. 18

19 Results of Justifiable Risk Analysis R01 R02 R03 R04 R05 R06 R07 Hacker gains access to confidential assets by information gathering on stored files Targeted virus or timebomb affects integrity or availability of network by attacking programmable node Hacker subverts node by remote attack exploiting vulnerabilities in programmable node s code Hacker subverts programmable node by remote attack exploiting vulnerabilities in system software on programmable node Criminal learns about forensic activity by attacking software on programmable node Targeted virus or timebomb affects availability of other assets by attacking software on programmable node Malicious user subverts programmable node by locally attacking node s code Level ID Description Severity Likelihood Residual Confidence high high high low 80% high high high low 80% high medium high low 80% high medium medium low 80% medium high medium low 80% medium high medium low 80% medium low medium low 70% 12/6/2016 (c) KDM Analytics Inc. 19

20 Risk Assessment Methodology Driven by the Assurance Case System Facts e.g. operational facts from DoDAF/UAF System Facts are evidence to the Assurance Case Assurance Case Assurance Process delivers evidence Risk Metamodel describes evidence Assurance Case is structured according to the Risk Metamodel Risk Metamodel Assurance Case provides guidance on how to collect evidence Assurance Process Risk Metamodel describes evidence Supported by inference rules, Uses generic taxonomies Integrating System Assurance into Risk Assessment Methodology Utilizing Assurance Case to deliver Risk Assessment Automating end-to-end process 12/6/2016 (c) KDM Analytics Inc. 20

21 Unique Approach Influenced by Standard Efforts CONOPS KDM Blade Cybersecurity Knowledge National Vulnerability Database Compliance Specifications Fault Patterns Code Security Defects Threat-Risk Analysis models Software System Collection of facts A top-down, operational risk analysis producing a quantitative risk report, including risk distribution by component, business assets and threats; associated vulnerability characteristics Threat Risk Analysis Reports threat scenarios undesired events system vulnerabilities safeguards prioritized risk Effective measurement, prioritization and mediation of the assurance risks posed by system vulnerabilities 12/6/2016 (c) KDM Analytics Inc. A bottom-up, targeted vulnerability analysis producing a quantitative residual risk focused on deep analysis of the riskiest components identified/prioritized in the top-down risk report 21

22 SFPM/SFP SCAP/CVE Note: SFPs are created using SBVR standard Ecosystem Foundation: Common Fact Model Data Fusion & Semantic Integration Risk Analysis OTRM (Situational awareness) ISO SACM GSN/CEA UPDM/UAF SysML KDM/ISO KDM/ISO Tools integration possible only through standards 12/6/2016 (c) KDM Analytics Inc. 22

23 Top Down Operational Risk Analysis Enterprise Architecture 1 DoDAF/UAF Blade Risk Manager 2 3 DoDAF Analytics Automatically extracted facts 4 6 GUI score & feedback Risk Manager Engine 5 Manual Adjustments or Manual Input 7 Risk Assessment Report Risk Knowledge Base Risk Analyst in a box Risk Report includes: Constructed risk statements & calculated risk Constructed risk distribution by components, business assets, and threats Identified associated vulnerability characteristics 12/6/2016 1a Manual Input option if no structured data available (c) KDM Analytics Inc. 23

24 Multiple vulnerability detection tools Raw data TOIF Tools Output Integration Framework Bottom Up Vulnerability Analysis: Cost-effective, Targeted Normalized data TOIF normalized data Increased coverage overlaps=confidence Low level of abstraction & overload, esp on binary code 12/6/2016 Evidence & counterevidence to risk statements Stronger evidence & counterevidence TOIF associated with risks through SFP & operational context TOIF associated with entry points and attack vectors Risk statements obtained from top down risk analysis Manually validated findings Because of the filtering may apply noisier tools for better coverage and assurance (c) KDM Analytics Inc. 24

25 Lockheed Martin Case Study Identified standards and Frameworks are supported by tools Lockheed Martin s performed evaluations Structured Assurance Models Bring structured order to chaos Interrelated Claims Arguments Evidence between various sources of evidence System Risk Manager Analysis of DoDAF model Operation, System, Views Automated Gap Assessments in Models Threat Risk Assessment capability on DoDAF models Tools Output Integration Framework (TOIF) and Risk Analyzer tools have demonstrated Significant improvement in Software Flaw and Vulnerability assessments Lower labor costs Significantly lower tool costs OMG System Assurance Modeling Tools can Reduce Security Engineering Lifecycle costs 20-50%. 12/6/2016 (c) KDM Analytics Inc. 25

26 Thank you 12/6/2016 (c) KDM Analytics Inc. 26