Build Your Security Portfolio Around Attack Scenarios

Tuesday, February 14, 2012

Danny Lieberman


In our experience, building a security portfolio on attack scenarios has 2 clear benefits;

  • A robust, cost-effective security portfolio based on attack analysis  results in robust compliance over time.
  • Executives related well to the concepts of threat modeling / attack analysis. Competing, understanding the value of their assets, taking risks and protecting themselves from attackers is really, at the end of the day why executives get the big bucks.

As I wrote in a previous essay “The valley of death between IT and security“, there is a fundamental disconnect between IT operations (built on maintaining predictable business processes) and security operations (built on mitigating vulnerabilities).

Business executives delegate information systems to IT and information security to security people on the tacit assumption that they are the experts in information systems and security.  This is a necessary but not sufficient condition.

In the current environment of rapidly evolving types of attacks (hacktivisim, nation-state attacks, credit card attacks mounted by organized crime, script kiddies, competitors and malicious insiders and more…), it is essential that IT and security communicate effectively regarding the types of attacks that their organization may face and what is the potential business impact.

If you have any doubt about the importance of IT and security talking to each other, consider that leading up to 9/11, the CIA  had intelligence on Al Qaeda terrorists and the FBI investigated people taking flying lessons, but no one asked the question why Arabs were learning to fly planes but not land them.

With this fundamental disconnect between two key maintainers of information protection, it is no wonder that organizations are having difficulty effectively protecting their assets – whether Web site availability for an online business, PHI for a healthcare organization or intellectual property for an advanced technology firm.

IT and security  need a common language to execute their mission, and I submit that building the security portfolio around most likely threat scenarios from an attacker perspective is the best way to cross that valley of death.

There seems to be a tacit assumption with many executives that regulatory compliance is already a common language of security for an organization.  Compliance is a good thing as it drives organizations to take action on vulnerabilities but compliance checklists like PCI DSS 2.0, the HIPAA security rule, NIST 800 etc, are a dangerous replacement for thinking through the most likely threats to your business.  I have written about insecurity by compliance here and here.

Let me illustrate why compliance control policies are not the common language we need.

PCI DSS 2.0 has an obsessive preoccupation with anti-virus.  It does not matter if you have a 16 quad-core Linux database server that is not attached the Internet with no removable device nor Windows connectivity.

PCI DSS 2.0 wants you to install ClamAV and open the server up to the Internet for the daily anti-virus signature updates. This is an example of a compliance control policy that is not rooted in a probable threat scenario that creates additional vulnerabilities for the business.

Now, consider some deeper ramifications of compliance control policy-based security.

When a  QSA or HIPAA auditor records an encounter with a customer, he records the planning, penetration testing, controls, and follow-up, not under a threat scenario, but under a control item (like access control).

The next auditor that reviews the  compliance posture of the business  needs to read about the planning, testing, controls, and follow-up and then reverse-engineer the process to arrive at which threats are exploiting which vulnerabilities.

Other actors such as government agencies (DHS for example) and security researchers go through the same process. They all have their own methods of churning through the planning, test results, controls, and follow-up, to reverse-engineer the data in order to arrive at which threats are exploiting which vulnerabilities.

This ongoing process of “reverse-engineering” is the root cause for a series of additional problems:

  • Lack of overview of the the security threats and vulnerabilities that really count
  • No sufficient connection to best practice security controls, no indication on which controls to follow or which have been followed
  • No connection between controls and security events, except circumstantial
  • No ability to detect and warn for negative interactions between countermeasures (for example – configuring a firewall that blocks Internet access but also blocks operating system updates and enables malicious insiders or outsiders to back-door into the systems from inside the network and compromise  firewalled services)
  • No archiving or demoting of less important and solved threat scenarios (since the data models are control based)
  • Lack of overview of security status of a particular business, only a series of historical observations disclosed or not disclosed.  Is Bank of America getting better at data security or worse?
  • An excess of event data that cannot possibly be read by the security and risk analyst at every encounter
  • Confidentiality and privacy borders are hard to define since the border definitions are networks, systems and applications not confidentiality and privacy.

Threat scenarios as an alternative to compliance control policies

When we perform a software security assessment of a medical device or healthcare system, we think in terms of “threat scenarios” or “attack scenarios”, and the result of that thinking manifests itself in planning, penetration testing, security countermeasures, and follow-up for compliance. The threat scenarios are not “one size fits all”.  

The threat scenarios for an AIDS testing lab using medical devices that automatically scan and analyze blood samples, or an Army hospital using a networked brain scanning device to diagnose soldiers with head injuries, or an implanted cardiac device with mobile connectivity are all totally different.

We evaluate the medical device or healthcare product from an attacker point of view, then from the management team point of view, and then recommend specific cost-effective, security countermeasures to mitigate the damage from the most likely attacks.

Threat scenarios consider asset values, vulnerabilities, threats and possible security countermeasures. Threat analysis as a methodology does not look for ROI or ROSI (there is no ROI for security anyhow) but considers the best and cheapest way to reduce asset value at risk.

In our experience, building the security portfolio on threat scenarios has 2 clear benefits;

  • A robust, cost-effective security portfolio based on attack analysis results in robust compliance over time.
  • Executives relate well to the concepts of threat modeling / attack analysis. Competing, understanding the value of their assets, taking risks and protecting themselves from attackers is really, at the end of the day, why executives get the big bucks.

Cross-posted from Israeli Software

Possibly Related Articles:
Information Security
PCI DSS Compliance Risk Management Security Strategies Security Audits Attacks Network Security Attack Vector Assessments IT Security Danny Lieberman
Post Rating I Like this!
Dr. H.R. Goetting US Publisher John Wiley & Sons (JW/A @ NYSE) spying on employees & secretly listening on conversations

Is the criminal versatile John Wiley & Sons publishing empire violating the right to privacy in the workplace under U.S. Constitution’s 4th Amendment as well as Chinese, German and EU privacy laws?
Yes, John Wiley & Sons (SOPA shark) commits felonies by secretly listening on employee conversations at the workplace. John Wiley & Sons culture is a fangs-out, snoop-snoop-snoop culture. This nightmare is aided and abetted by Chairman Peter Booth Wiley and his entourage, who engage vulnerable employees in the literary equivalent of trench warfare. The smoldering banality of evil Chairman Peter Booth Wiley does a bad, bad thing in the name of John Wiley & Sons.

The magnitude of information John Wiley & Sons has available about each of its employees for discriminatory practices must be enough to create digital Doppelgangers of their employees. In the US private companies such as SPOKEO provide John Wiley & Sons with information what their employees do on social networks, which relationships they have and John Wiley & Sons uses the data to hire and fire. There are no laws in the US to tell employees what information John Wiley & Sons has about them.

To write my strange memoir about secrets, I worked for eighteen months at John Wiley & Sons’ San Francisco archive, located in Chairman Peter Booth Wiley’s office. After eighteen months of interviews with Chairman Peter Booth Wiley, the quotes from him were a big pile of unorganized papers in a shoe-box containing only my hand-scribbled notes before I edited and made them ready for publication. I tried to report word by word what I had penciled down during the intimate ‘interviews’. I also played the devil’s advocate by brainstorming and debating the tongue wagging of Chairman Peter Booth Wiley. I gave his words satirical interpretations and used the method of dramatizing and narrating. My sarcastic undertones fall under the protection of the First Amendment. It’s a new kind of investigative journalism, where obsolete rules where thrown out. I use an intermediate standard for publishing, since the quotes from Chairman Peter Booth Wiley do not lend themselves to firm corroboration. Should I check out my deep-throat with U.S. authorities?

As editor I was not only participant in reconstructing the conversations, its perverse drama of unwanted soap opera homo-sex (there was no DSK-button in his office) and the Chairman’s alcoholism, but also commentator of John Wiley & Sons ugly history. It is an opinion-driven investigation that has an interview basis, in which I tried to get answers from Chairman-no-shame Peter Booth Wiley.

Find out the story behind the story: Black-ops textbook publisher John Wiley & Sons is snooping with Orwellian intelligence methods on its own employees. No matter what the human cost, greed rules at John Wiley & Sons. Quote from Chairman Peter Booth Wiley’s Mission Statement: "We can intercept telephone conversations, supervise e-mail messages and get through a contractor banking information". Demagogue & Chairman Peter Booth Wiley thinks rules do not apply to him. For him profit means more than to the meanest frak; what Wiley cannot buy he steals.

The self-proclaimed fifth and sixth Wiley generations at John Wiley & Sons are hunting for in-house employee dissidents. "I secretly searched through offices [at NYC offices in the 1960s]; my daddy [former CEO W. Bradford Wiley] had a contractor monitor homes when necessary". Daddy Wiley, blessed with social-Darwinist brutishness, became paranoid about his stock grubbing critics among John Wiley & Sons employees. Why? "My daddy’s branch of the family was so far removed from the line of inheritance [at John Wiley & Sons Inc.] that all he got was the name Wiley" said the privileged son of an unprivileged son. Growing up in a rural two-room house with concrete walls and an outdoor latrine, ‘Jackpot Daddy’ had enriched himself in Glimmerglass New York City with twenty per cent of John Wiley & Sons shares, which he grabbed from legitimate John Wiley & Sons Inc. shareholders. This mundane reality explains why ‘Daddy Wiley’ was beggaring the career chances of John Wiley & Sons’ key employees with fat dossiers. "Our employee monitoring system pays instant results up to this day were we use more sophisticated methods". John Wiley & Sons is a human-rights crushing industrial publishing machine. Electronic stalking, the tracking of employees with Global Positioning System tracking boxes replaced Daddy Wiley’s monitoring of homes. GPS is a common corporate tool in America and turn U.S. workers lives into the proverbial open book.

John Wiley & Sons treats his national and international subsidiaries like sweatshops. All quotes are from Chairman Peter Booth Wiley’s Mission Statement. "Through an American security contractor we collect fingerprints from overseas employees". "... Details about the past five employers..." "…The previous three addresses..." "…Medical records indicating any trouble..." "…Travel destinations for the past five years..." "... Reported income and expenses..." "… Migration background and country of origin..." "I have this information put together as soon as we acquire a new company." "…That’s in violation of the privacy laws but improves our security..." Such a bundle of hate all in one place! You burly bearded and tattooed American security people from John Wiley & Sons are just special!

Why John Wiley & Sons is a dirty word: Whilst the middleclass is being eliminated, Chairman Peter Booth Wiley’s mind has hardened into hatred against all his employees.

Shake John Wiley & Sons’ employee spying system to its roots and expose super-bad Chairman Peter Booth Wiley, known for his weakness for the bottle.

America’s Most Wanted: Take the Gloves off with John Wiley & Sons, Punish the Perpetrators of these Crimes.

"And they conspire to silence us" — Rainer Maria Rilke
Sometimes, silence is not an option
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.