Presentation is loading. Please wait.

Presentation is loading. Please wait.

Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by the U.S. Department of Defense © 2000 by Carnegie Mellon.

Published byGwendolyn Washington Modified over 9 years ago

Similar presentations

Presentation on theme: "Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by the U.S. Department of Defense © 2000 by Carnegie Mellon."— Presentation transcript:

1 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by the U.S. Department of Defense © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 1 Carnegie Mellon Software Engineering Institute The Survivable Network Analysis Method: Assessing Survivability of Critical Systems

2 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 2 Carnegie Mellon Software Engineering Institute Topics System Survivability Concepts The Survivable Network Analysis (SNA) Method Applying SNA in Practice

3 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 3 Carnegie Mellon Software Engineering Institute System Survivability Concepts

4 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 4 Carnegie Mellon Software Engineering Institute Survivability Motivation Growing societal dependence on complex, large- scale, networked systems Serious consequences of system compromises and failures Security and vulnerability analysis no longer sufficient

5 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 5 Carnegie Mellon Software Engineering Institute Changing Systems Environment System evolution expanding network boundaries additional participants with varying levels of trust numerous point solutions: Public Key Infrastructure, Virtual Private Networks, firewalls blurring of Intranet and Extranet boundaries new technologies -- directory services, XML Impact of attacks is on organizations, and hence on the applications that support an organization’s mission.

6 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 6 Carnegie Mellon Software Engineering Institute Impact on Analysis Lack of complete information physical and logical perimeters unknown participants, untrusted insiders software components -- COTS, Java, etc. Mix of central and local administrative control Critical components more exposed Attacks can impact essential business services

7 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 7 Carnegie Mellon Software Engineering Institute From Security to Survivability - 1 Survivability focus is on system mission assume imperfect defenses identify mission risks and tradeoffs identify decision points with impact provide business justification improve survivability to ensure mission capability Survivability is the ability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents.

8 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 8 Carnegie Mellon Software Engineering Institute From Security to Survivability - 2 Traditional security fortress model: firewalls, protection, security policy assumption of insider trust encryption, authentication, passwords emphasis on resistance and recognition with recovery secondary Survivability is enhanced by security techniques where applicable redundancy, diversity, general trust validation, etc. recovery support

9 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 9 Carnegie Mellon Software Engineering Institute The “Three R’s” of Survivability Resistance capability to deter attacks Recognition capability to recognize attacks and extent of damage Recovery capability to provide essential services/assets during attack and recover full services after attack

10 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 10 Carnegie Mellon Software Engineering Institute Value of Survivability Analysis No amount of security can guarantee systems will not be penetrated Must ensure survivability of business mission in adverse environments For new systems: integrate survivability into early development phases For existing systems: improve survivability characteristics

11 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 11 Carnegie Mellon Software Engineering Institute The Survivable Network Analysis Method

12 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 12 Carnegie Mellon Software Engineering Institute The SNA Process Performed on selected system or system component Conducted by our team (survivability expertise) working with customer team (system expertise) Carried out in structured series of working sessions Findings summarized in report and management briefing

13 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 13 Carnegie Mellon Software Engineering Institute SNA Characteristics Tailorable to stage of development -- from initial requirements to deployed systems Adaptable to variety of development processes Applies to applications as well as infrastructure

14 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 14 Carnegie Mellon Software Engineering Institute SNA Objectives Understand survivability risks to a system Which essential services must survive intrusions/failures? What are the effects of intrusions/failures on the mission? Identify mitigating strategies What process, requirements, or architecture changes can improve survivability? Which changes have the highest payoff?

15 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 15 Carnegie Mellon Software Engineering Institute SNA Architecture Focus Captures assumptions such as boundaries and users Supports architecture evolution as requirements and technologies change evolving functional requirements trend to loosely coupled systems integration across diverse systems changes in vendor product architectures Assists selection and integration of rapidly changing security products

16 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 16 Carnegie Mellon Software Engineering Institute Survivable Network Analysis Method STEP 2 ESSENTIAL CAPABILITY DEFINITION Essential service/asset selection/scenarios Essential component identification STEP 1 SYSTEM DEFINITION Mission requirements definition Architecture definition and elicitation STEP 3 COMPROMISABLE CAPABILITY DEF’N Intrusion selection/scenarios Compromisable component identification STEP 4 SURVIVABILITY ANALYSIS Softspot component (essential & compromisable) identification Resistance, recognition, and recovery analysis Survivability Map development

17 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 17 Carnegie Mellon Software Engineering Institute Essential Capabilities Essential services/assets Capabilities that must be available despite intrusions Essential service/asset scenarios Steps in essential service/asset usage Essential components Architecture parts required by essential services/assets Determined by tracing scenarios through architecture

18 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 18 Carnegie Mellon Software Engineering Institute Essential Service Scenario Essential Component Essential Service Trace Communication Link Architecture Node Essential Service Scenario Trace

19 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 19 Carnegie Mellon Software Engineering Institute Intrusion Capabilities Treat intruders as users Select representative intrusions based on environment and risk Intrusion scenarios steps in attacker usage Compromisable components architecture parts accessible by intrusion scenarios determined by tracing scenarios through architecture

20 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 20 Carnegie Mellon Software Engineering Institute Intrusion Scenario Compromisable Component Intrusion Trace Intrusion Scenario Trace

21 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 21 Carnegie Mellon Software Engineering Institute Softspot Component Identification Softspot components architecture components that are both essential and compromisable members of scenario traces that must be available despite intrusion effects

22 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 22 Carnegie Mellon Software Engineering Institute Essential Service Scenario Intrusion Scenario Softspot Component: both essential and compromisable Architecture Softspots

23 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 23 Carnegie Mellon Software Engineering Institute SNA Analysis Steps 1-3 provide information for extensive, in-depth analysis to develop recommendations for architecture modifications requirements changes policy revisions operational improvements

24 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 24 Carnegie Mellon Software Engineering Institute SNA Survivability Map Defines survivability strategies for the three R’s based on intrusion softspots Relates survivability strategies to the system, its environment, and identified intrusions Provides basis for risk analysis, cost-benefit tradeoffs

25 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 25 Carnegie Mellon Software Engineering Institute SNA Survivability Map ResistanceRecognitionRecovery Architecture Strategies for Intrusion Scenario Softspots Scenario 1... Scenario n Current Recommended

26 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 26 Carnegie Mellon Software Engineering Institute SNA Benefits Clarified requirements Basis to evaluate changes in architecture Early problem identification Increased stakeholder communication Improved system survivability

27 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 27 Carnegie Mellon Software Engineering Institute Applying SNA in Practice

28 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 28 Carnegie Mellon Software Engineering Institute Preliminary Steps Joint Planning Meeting/System Documentation Identify system to be analyzed and documentation Establish scope of work, teams, and schedules Off-Site Preparation Task Review system documentation Prepare for SNA Joint Discovery Sessions

29 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 29 Carnegie Mellon Software Engineering Institute Discussion Existing documentation may only partially meet SNA needs. System architecture description may be little more than a set of boxes and arrows. Discovery sessions will continually add new components and functionality to architecture. Variety of representations for architectures and requirements. Normal usage scenarios for representing requirements are ideal.

30 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 30 Carnegie Mellon Software Engineering Institute Step 1 and 2 Activities Joint Discovery Sessions SNA Step 1 initiation: Briefings by developers on business mission and life-cycle process functional requirements operating environment architecture evolution plans SNA Step 2 initiation: Determination of essential service and asset selection essential service/asset usage scenarios scenario traces and essential components Off-site discovery Integration Task SNA Steps 1 and 2 completion: Analyze system mission, life cycle, requirements, environment, architecture and essential services, assets, and components SNA Step 3 initiation: Assess system vulnerabilities Define representative set of intrusions Define intrusion usage scenarios Joint Discovery Sessions

31 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 31 Carnegie Mellon Software Engineering Institute Step 1: Mission Definition Inputs required from diverse system stakeholders: owners, users, architects, developers, and administrators Identify business mission supported by the system government agency: review, select, fund, and monitor government contracts industry: support integration of design teams across internal corporate organization and industry partners or contractors

32 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 32 Carnegie Mellon Software Engineering Institute Step 1: Architecture Definition System architecture and operating environment evaluation team reviews understanding of architecture from preliminary materials and discussion review key system boundaries such as where administrative control changes -risks may be with external systems or with systems outside the immediate control of the sponsoring organization identify both explicit and implicit assumptions such as choice of vendors, operating systems identify critical dependencies upon other systems

33 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 33 Carnegie Mellon Software Engineering Institute Step 2: Essential Service Def’n Identify essential system functionality -- normal usage identify existing and future user communities ask users to describe how they use the system -for one SNA, the file system was an essential component but users also used the email server as an alternative file system with extensive storage of attachments identify proposed changes in functionality and user communities -government agency: electronic submission of grant proposals and financial reports -industry: exchange of design specifications

34 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 34 Carnegie Mellon Software Engineering Institute Step 2: Essential Services Trace normal usage through architecture to identify essential components Identify a small number of essential services: government agency -grant administration -internal administration -dissemination of public information Trace those services through architecture to identify essential components

35 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 35 Carnegie Mellon Software Engineering Institute

36 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 36 Carnegie Mellon Software Engineering Institute

37 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 37 Carnegie Mellon Software Engineering Institute Step 3: Initial Attacker Profiles Preliminary selection of probable attacks Discussion of impacts of attacks Identification of profiles of actual attacks

38 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 38 Carnegie Mellon Software Engineering Institute Step 3: Attacker Profiles - 2 Generate table of likely attackers and impacts For each class of attacker consider resources -- personnel, skill, finances time -- patience of the attacker tools -- access to tools, ability to customize risk -- how risk averse is the attacker access -- internal, Internet objectives -- personnel, financial, moral Example: Government agencies may have attackers who have strong political or moral position. These attackers are not risk averse and are very patient.

39 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 39 Carnegie Mellon Software Engineering Institute Step 3: Model Attacker Profiles “Target of opportunity” profile -- general objectives readily available tools defenses: increased resistance, system configurations, file-integrity checks “Intermediate” profile -- specific target use of trusted resources, greater patience higher impact on essential services defenses: increased recognition and recovery “Sophisticated” profile -- very focused customized tools, compromise internal staff defenses: high probability of success; recognition and recovery essential

40 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 40 Carnegie Mellon Software Engineering Institute Step 3 and 4 Activities Joint Analysis Sessions SNA Step 3 completion: Briefing by SEI on system vulnerabilities selected intrusions and their usage scenarios Validation of intrusions by customer team Determination of scenario traces/compromisable components SNA Step 4 initiation: Determination of softspot components current resistance, recognition, and recovery Off-site Analysis Integration Task SNA Step 4 completion: Define recommended mitigation strategies for resistance, recognition, and recovery Assess architecture modifications and impacts Document findings in the Survivability Map Prepare customer briefing Briefing

41 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 41 Carnegie Mellon Software Engineering Institute Step 3: Vulnerabilities Review initial analysis of likely attacks and impacts with stakeholders and users significant variation in stakeholder view of intruder impact script-kiddie attackers generate the most attention but may draw attention away from the skilled attacker with clear objectives generate stakeholder consensus on likely attackers and impacts

42 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 42 Carnegie Mellon Software Engineering Institute Step 3: Current Strategies Identify current strategies including normal operations for backup, configuration management -- i.e., recovery usually weak Get input from users, management, and system administrators

43 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 43 Carnegie Mellon Software Engineering Institute Step 4: Analysis Evaluate system in terms of response to scenarios Make recommendations for survivability improvements requirements: propose response to intrusions architecture: evaluate system and operational behavior Identify decision and tradeoff points areas of high risk tradeoffs with safety, reliability, performance, usability

44 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 44 Carnegie Mellon Software Engineering Institute Step 4: Recommendations Case Study A: large distributed organization, large number of legacy systems, currently involved in redesign of most major systems security architecture -- directory services, support for a mix of central and distributed administration, develop common application interface to security infrastructure, architectural support for managing active content (Javascript, email attachments) support architecture evolution to support product changes, interoperability among security vendors and changes in vendor architecture

45 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 45 Carnegie Mellon Software Engineering Institute Step 4: Recommendations - 2 Case Study B: administrative unit inside a large, diverse organization. Very heterogeneous user environment (university-like) including significant research component revised policies -- design guidance establish better separation between internal systems and those accessed by general public and by employees outside the administrative unit add internal firewalls to better manage diverse user community extend likely attackers beyond script-kiddies explicit recommendations on better system recovery

46 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 46 Carnegie Mellon Software Engineering Institute Future Work Define survivability architecture patterns Develop improved methods for system and intrusion definition Create automation support for SNA

47 © 2000 by Carnegie Mellon University Version 1 SNA Tutorial - page 47 Carnegie Mellon Software Engineering Institute Additional Information SNA Case Study: The Vigilant Healthcare System IEEE Software: July/August 1999 Survivability: Protecting Your Critical Systems IEEE Internet Computing: November/December 1999 Web site: IEEE article and other reports On www.sei.cmu.edu /organization/programs/nss/surv-net-tech.html

Download ppt "Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by the U.S. Department of Defense © 2000 by Carnegie Mellon."

Similar presentations

Presented by Nikita Shah 5th IT ( )

Presented by Nikita Shah 5th IT ( )
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering 2.

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering 2.
<<Date>><<SDLC Phase>>

<<Date>><<SDLC Phase>>
SAFE Blueprint and the Security Ecosystem. 2 Chapter Topics  SAFE Blueprint Overview  Achieving the Balance  Defining Customer Expectations  Design.

SAFE Blueprint and the Security Ecosystem. 2 Chapter Topics  SAFE Blueprint Overview  Achieving the Balance  Defining Customer Expectations  Design.
Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by the U.S. Department of Defense © 1998 by Carnegie Mellon.

Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by the U.S. Department of Defense © 1998 by Carnegie Mellon.
© 2001 by Carnegie Mellon University PPA-1 OCTAVE SM : Participants Briefing Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213.

© 2001 by Carnegie Mellon University PPA-1 OCTAVE SM : Participants Briefing Software Engineering Institute Carnegie Mellon University Pittsburgh, PA
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
CERT ® System and Network Security Practices Presented by Julia H. Allen at the NCISSE 2001: 5th National Colloquium for Information Systems Security Education,

CERT ® System and Network Security Practices Presented by Julia H. Allen at the NCISSE 2001: 5th National Colloquium for Information Systems Security Education,
© 2006 Carnegie Mellon University Establishing a Network Centric Capability: Implications for Acquisition and Engineering Dennis Smith Complex System Symposium.

© 2006 Carnegie Mellon University Establishing a Network Centric Capability: Implications for Acquisition and Engineering Dennis Smith Complex System Symposium.
S5-1 © 2001 Carnegie Mellon University OCTAVE SM Process 5 Identify Key Components Software Engineering Institute Carnegie Mellon University Pittsburgh,

S5-1 © 2001 Carnegie Mellon University OCTAVE SM Process 5 Identify Key Components Software Engineering Institute Carnegie Mellon University Pittsburgh,
02/12/00 E-Business Architecture

02/12/00 E-Business Architecture
Introduction and Overview “the grid” – a proposed distributed computing infrastructure for advanced science and engineering. Purpose: grid concept is motivated.

Introduction and Overview “the grid” – a proposed distributed computing infrastructure for advanced science and engineering. Purpose: grid concept is motivated.
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 30 Slide 1 Security Engineering.
MSIS 110: Introduction to Computers; Instructor: S. Mathiyalakan1 Systems Design, Implementation, Maintenance, and Review Chapter 13.

MSIS 110: Introduction to Computers; Instructor: S. Mathiyalakan1 Systems Design, Implementation, Maintenance, and Review Chapter 13.
11/14 SNA Presentation 3 Survivable Network Analysis Oracle Financial System SNA step 3 Ali Ardalan Qianming “Michelle” Chen Yi Hu Jason Milletary Jian.

11/14 SNA Presentation 3 Survivable Network Analysis Oracle Financial System SNA step 3 Ali Ardalan Qianming “Michelle” Chen Yi Hu Jason Milletary Jian.
Earl Crane Hap Huynh Jeongwoo Ko Koichi Tominaga 11/14/2000 Physician Reminder System SNA Step 3.

Earl Crane Hap Huynh Jeongwoo Ko Koichi Tominaga 11/14/2000 Physician Reminder System SNA Step 3.
Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.

Security Engineering II. Problem Sources 1.Requirements definitions, omissions, and mistakes 2.System design flaws 3.Hardware implementation flaws, such.
Extranet for Security Professionals (ESP)

Extranet for Security Professionals (ESP)
Creating a Secured and Trusted Information Sphere in Different Markets Giuseppe Contino.

Creating a Secured and Trusted Information Sphere in Different Markets Giuseppe Contino.
1 Security Architecture and Analysis Management of System Development and Implementation –The System Development Process –Issues and Risks –Mitigation.

1 Security Architecture and Analysis Management of System Development and Implementation –The System Development Process –Issues and Risks –Mitigation.

Similar presentations

Ads by Google