Since we know that this?particular instance?of the?AppMaker?implements a customer-facing store that processes financial transactions, how does that influence which threat agents may be in
Since we know that this particular instance of the AppMaker implements a customer-facing store that processes financial transactions, how does that influence which threat agents may be interested in attacking it?
Answer the question with a short paragraph, with a minimum of 300 words. Count the words only in the body of your response, not the references. APA formatting but do not include a title page, abstract or table of contents. Body and references only in your post.
A minimum of two references are required. One reference for the book is acceptable but multiple references are allowed. There should be multiple citations within the body of the paper. Note that an in-text citation includes author’s name, year of publication and the page number where the paraphrased material is located.
University of the Cumberlands School of Computer & Information Sciences
ISOL-536 – Security Architecture & Design
Chapter 5 – Prepare for Assessment
Chapter 5 – Prepare for Assessment
5.1 Process Review
5.1.1 Credible Attack Vectors
5.1.2 Applying ATASM
5.2 Architecture and Artifacts
5.2.1 Understand the Logical and Component Architecture of the System
5.2.2 Understand Every Communication Flow and Any Valuable Data Wherever Stored
5.3 Threat Enumeration
5.3.1 List All the Possible Threat Agents for This Type of System
5.3.2 List the Typical Attack Methods of the Threat Agents
5.3.3 List the System-Level Objectives of Threat Agents Using Their Attack Methods
Chapter 5 – Prepare for Assessment – Cont.
5.4 Attack Surfaces
5.4.1 Decompose (factor) the Architecture to a Level That Exposes Every Possible Attack
Surface
5.4.2 Filter Out Threat Agents Who Have No Attack Surfaces Exposed to Their Typical
Methods
5.4.3 List All Existing Security Controls for Each Attack Surface
5.4.4 Filter Out All Attack Surfaces for Which There Is Sufficient Existing Protection
5.5 Data Sensitivity
5.6 A Few Additional Thoughts on Risk
5.7 Possible Controls
5.7.1 Apply New Security Controls to the Set of Attack Services for Which There Isn’t
Sufficient Mitigation
5.7.2 Build a Defense-in-Depth
5.8 Summary
Chapter 5: Summary
Information assurance is achieved when information and information systems are
protected against attacks through the application of security services such as availability, integrity, authentication, confidentiality, and nonrepudiation. The application of these services should be based on the protect, detect, and react paradigm.
This means that in addition to incorporating protection mechanisms, organizations need to expect attacks and include attack detection tools and procedures that allow them to react to and recover from these unexpected attacks.
5.1 Process Review
At the highest level, an assessment follows the mnemonic, ATASM:
Architecture ➤ Threats ➤ Attack Surfaces ➤ Mitigations
Figure 5.1 shows the ATASM flow graphically. There are architecture tasks that will help to determine which threats are relevant to systems of the type under assessment.
Figure 5.1 Architecture, threats, attack surfaces, mitigations.
5.1.1 Credible Attack Vectors
Credible attack vector: A credible threat exercising an exploit on an exposed
vulnerability.
Recalling the risk term discussion from Chapter 4, a CAV encapsulates the three threat sub-terms into a single expression:
Threat
Exposure
Vulnerability
Risk is the critical governing principle that underlies the entire risk assessment and threat modeling process. Ultimately, we must mitigate those computer attacks that are likely to impinge upon the use of the system under assessment and upon efforts to obtain the objectives of the organization.
5.1.2 Applying ATASM
Table 5.1 summarizes the typical background information an assessor brings to an assessment. These topics have been arranged with the “3 S’s” merely for convenience and to provide an ordering principle.
No matter how one may choose to order these topics, it remains that before beginning an ARA and threat model, one will need to have examined the current threat landscape into which the system will be deployed.
5.1.2 Applying ATASM – Cont.
Figure 5.2 orders those steps by the high-level ATASM abstraction. That is, architecture steps are followed by threat-related tasks. The results of these are applied to an enumeration of attack surfaces, which, when prioritized, can then be defended by building a set of risk mitigations, a defense-in-depth of security controls.
Each of the steps outlined in Figure 5.2 is, of course, what developers call a “nontrivial” activity.
Figure 5.2 ATASM procedure steps.
5.2 Architecture and Artifacts
Part of understanding a system architecture is to understand the system’s overall functions and what objectives deploying the system is hoping to achieve. An assessment should start at the beginning by determining the system’s intended purpose and how it fits into the overall goals of the deploying organization and its users. This information will “ground” the architecture into the real world and will place the architecture within its intended context.
5.2.1 Understand the Logical and Component Architecture of the System
The logical architecture represents each logical function that will be in the system. These groupings are irrespective of how many individual units of each function get instantiated and irrespective of the physical architecture. Generally, that there are computers (servers?) and operating systems is assumed and not detailed; the physical network addresses assigned to each network interface are unimportant in the logical view. Instead, functions like business logic versus the presentation versus back office accounting systems versus databases are separated out. It is assumed that all of these are connected by some sort of network architecture.
5.2.2 Understand Every Communication Flow and Any Valuable Data Wherever Stored
Figure 5.4 AppMaker DFD with data types.
Data types have been added to the AppMaker diagram to create Figure 5.4. There is a co-located repository containing various types of static content to be served to users (customers). Moving further back in the architecture, every application server must contain configuration data and metadata about the applications that the server is running. Usually, but not always, there is local disk storage, or readily available storage for this application server–specific data.
5.3 Threat Enumeration
We need to understand the attackers in order to know which of them apply to any particular system. And in order to prioritize attack surfaces and attack targets, we need to be able to calculate the risk of any particular attack occurring.
These higher-priority areas are characterized by the existence of threat agents who have the motivation and capabilities to take advantage of likely methods that will lead them to their objectives – and will in turn cause unacceptable losses . . .
5.3.1 List All the Possible Threat Agents for This Type of System
The motives of these undirected attack sweeps are varied; many of these sweeps are conducted by criminal organizations or independent attackers. But there are many other reasons for running constant vulnerability sweeps, as well. Increasing one’s skill as a security tester is certainly among these reasons. Every sweep is not conducted by criminals, though, in many jurisdictions, conducting such a sweep is illegal.
5.3.1 List All the Possible Threat Agents for This Type of System – Cont.
There is one additional threat agent with which most public sites and products must contend. Calling security researchers “threats” is somewhat of a misnomer and might be perceived by researchers as an insult? No insult is intended. Still, if an organization is on the receiving end of vulnerability research, the impact to reputation and brand
may be approximately the same as what can occur following a successful compromise of systems or data.
5.3.1 List All the Possible Threat Agents for This Type of System – Cont.
Essentially, researchers need to find vulnerabilities. They need to find tricky vulnerabilities and then must publish the research. It doesn’t really matter if the vulnerability can result in significant loss for the organization owning the problem. The actuality of an impact does not play a big part of the research equation. Any organization that has had to deal with a well-publicized stunt hack against one of the organization’s systems will know full well that the media attention of the research did not benefit the public image of the organization, especially if that organization’s customers expect a certain level of security from the organization.
5.3.2 List the Typical Attack Methods of the Threat Agents
Spending months or years creating a new method to execute a series of randomly placed instructions in a program to create an attack simply isn’t worth the effort: The research and development costs are too high. At the time of the writing of this book, so called “gadget” programs take too much time. Running gadgets culled by finding bits of
code within widely distributed applications is much more likely to fall into the category of “stunt hack.” Cyber criminals are probably not going to waste their time unless there was a readily available tool (even if on the black market) that would make this attack trivial.
5.3.3 List the System-Level Objectives of Threat Agents Using Their Attack Methods
For many exploits there is a system-level objective that must be attained in order to prosecute the attack to its goal. For security researchers, the system-level objective— that is, getting a piece of scripting code (javascript) to execute in the user’s browser, or
gaining system-level privileges—will be sufficient to prove vulnerability. No more need be accomplished.
5.3.3 List the System-Level Objectives of Threat Agents Using Their Attack Methods
The subsequent entries in Table 5.3 are drawn from OWASP.org Top 10. In order to gain a place in the list, an attack method has to be one of the most popularly executed as well as used on a regular and continuing basis. When we analyzed cyber criminals, we noted their predilection for well-known and proven attack methods. The OWASP Top 10 list is representative of the most often used attacks on the Internet. Since the Web-Sock-A-Rama site is a typical web store, it will be subjected to attacks drawn from the OWASP Top 10 list, at the very least. Security researchers will also attempt well-known attack methods in order to find and report vulnerabilities.
5.4 Attack Surfaces
In the ATASM process, we try to enumerate all the attack surfaces before we categorize the importance of each surface. It’s useful to avoid the prioritization process during enumeration. Think of it as an attack surface brainstorm: Any discussion about the legitimacy or fitness of an attack surface tends to bog down the enumeration into too many details. In this way, the natural flow resulting from nonjudgmental observation is broken. It’s easy to miss an attack surface, especially when it seems inconsequential, or perhaps that function just seems to be “part of the running program.” For that very reason, getting a good flow of nonjudgmental inspection can help to uncover all the attack surfaces. Prioritization can come later, once everything has been uncovered. In the process being described in this chapter, we simply enumerate all the attack surfaces and try to avoid discussion of their importance and exposure until a later step.
5.4.1 Decompose (factor) the Architecture to a Level That Exposes Every Possible Attack Surface
An integrated web server collapses the web tier and application server tier into a two-tiered architecture. Following the security principles, defense-in-depth and fail securely, the three-tier architecture is usually considered a more defensible approach. Web-Sock-A-Rama, as depicted in Figure 5.5, demonstrates the more standard three-tier web architecture.
Figure 5.5 Web-Sock-A-Rama trust boundaries.
20
5.4.1 Decompose (factor) the Architecture to a Level That Exposes Every Possible Attack Surface – Cont.
Figure 5.6 An obvious attack surface.
Figure 5.6 adds an arrow to Figure 5.5 that points at the most obvious attack surface: the Web server’s Internet facing HTTP receiver. The Web server is open to all Internet traffic, which means that any attacker can probe it. The constant “doorknob rattling” sweeps of the Internet will surely find and investigate whatever interfaces are open and available to unrestricted traffic.
Once an interested attacker finds and catalogs the open HTTP port, then the fun really begins. Like web vulnerability scanners, the attacker will probe every reachable page with every attack variation possible.
5.4.1 Decompose (factor) the Architecture to a Level That Exposes Every Possible Attack Surface – Cont.
The injections for downstream destinations, such as LDAP and databases, are aimed at the application server code because that’s where the capability to pass on these attacks is typically found. These are then attacks against the application code. Contrast these injections with a Cross-Site Request Forgery (CSRF) attack. These attacks can be mitigated at several different layers, depending upon how session management is implemented in the website. Although many would consider this a vulnerability of the custom application code, depending upon how the infrastructure is set up, it may be that the application server handles user and transaction states. If so, then a CSRF vulnerability would lie in front of the application code.
22
5.4.2 Filter Out Threat Agents Who Have No Attack Surfaces Exposed to Their Typical Methods
Through the process of filling out Table 5.4, we have already filtered out a series of attacks that do not have an appropriate attack surface exposed to them. In fact, by attempting to apply attack methods to attack surfaces, we have even eliminated, or significantly reduced, a threat agent: security researchers. Security researchers’ stunt level hacks are unlikely since the attack surfaces required to execute these attacks are not exposed.
23
5.4.3 List All Existing Security Controls for Each Attack Surface
We have made a couple of assumptions for the sake of understanding the process. Namely, we’ve assumed that Web-Sock-A-Rama has a mature website management and administrative function. In previous chapters, we’ve listed what those functions typically are. This assumption provides the usual set of controls to the backend of our website.
24
5.4.4 Filter Out All Attack Surfaces for Which There Is Sufficient Existing Protection
Authentication is an interesting security control because, although it does reduce exposure to only those who’ve been authenticated, there are plenty of techniques an attacker can use to get an account, depending upon the site: steal or crack weak credentials, or perhaps simply sign up for the free version. In addition, once a site or system implements authentication, it now has another system that will need protection! Authentication systems are often considered critical, thus requiring tight security control: a high security posture. Implementing authentication adds significant complexity to the security requirements of the system.
25
5.4.4 Filter Out All Attack Surfaces for Which There Is Sufficient Existing Protection – Cont.
26
5.5 Data Sensitivity
Data classification is a key component of risk, both for assessing impact and for understanding likely targets in a system. As has been explained earlier, attackers often string more than one attack method together in order to achieve their objectives. An attacker might execute an SQL injection against the payment card database, thereby gaining financial information, if applications accepting user input were poorly written such that SQL injection to databases were allowed.
Data sensitivity mustn't become the sole measure of CAV or impact. Each of these risk terms are multidimensional; terms shouldn’t be reduced in a simplistic way or assessments will suffer by possibly excluding other key factors.
27
5.6 A Few Additional Thoughts on Risk
The goal of risk calculation during ATASM is to identify those CAVs whose lack of mitigation will prevent reaching the intended security posture. Concomitantly, there is an imperative to limit the number of risk treatments to that which is affordable, that which is doable. Few organizations can “do it all.” Hence, there has to be a process to eliminate unlikely attacks while prioritizing the most dangerous ones for mitigation.
28
5.7 Possible Controls
Due to the realities of email impersonation and payment card theft, an authentication based upon these factors isn’t really worth much, which leaves our Web-Sock-Arama website without much attack mitigation based upon authentication. Obviously, the organization’s security team will have their hands full with fraud attempts, operationally removing fraudulent and fake accounts as soon as malicious behavior is observed. Still, at account initialization, there isn’t much that can be done.
29
5.7.1 Apply New Security Controls to the Set of Attack Services for Which There Isn’t Sufficient Mitigation
Table 5.6 adds defenses to each of the attack methods that we enumerated in previous ATASM steps. These are the five attacks and their associated attack surfaces (the CAVs) that we believe are applicable to this system, in this organizational context. (Continued on following page 167 – Prepare for Assessment)
30
5.7.2 Build a Defense-in-Depth
Because the system handles sensitive data from users originating from the untrusted
Internet, the Transport Layer Security (TLS), most often implemented as HTTPS,
must be used between the user’s browser and the web server, at least for sensitive data
transmission. Some architectures would also require TLS (or more properly, communication encryption of some sort) between the web server and the application server, and perhaps even between the application server and the database server? We assumed that the networks in this system are tightly controlled through a mature administrative practice. Therefore, the networks can be considered a trusted infrastructure. Since we’ve separated out three tiers, and there is only a single piece of trusted networking equipment separating each tier (a new assumption and requirement), the store doesn’t feel the need to encrypt the data as it moves between tiers.
32
5.8 Summary
Defenses are applied such that these specifically interrupt each CAV, as was discussed in the chapter on risk. Then, the entire set of defenses is considered as a set of overlapping, interlocking, and supporting defenses to build enough redundancy to create a defense-in-depth. The security requirements should be achievable, relevant, and “real world.”
ATASM has been presented as a series of linear steps. However, in practice, an assessment might proceed to requirements and uncover a previously unknown part of the system, thus returning to the architecture stage of the process. Ultimately, the goal of the ARA and threat model is to achieve a unity between security posture and intended risk tolerance, to achieve balance between defenses and resource limitations.
33
Chapter 4: Summary
END
image4.emf
image5.png
image6.emf
image7.emf
image8.png
image9.emf
image10.emf
image11.png
image12.png
image13.png
image14.png
image15.png
image1.emf
image2.emf
Collepals.com Plagiarism Free Papers
Are you looking for custom essay writing service or even dissertation writing services? Just request for our write my paper service, and we'll match you with the best essay writer in your subject! With an exceptional team of professional academic experts in a wide range of subjects, we can guarantee you an unrivaled quality of custom-written papers.
Get ZERO PLAGIARISM, HUMAN WRITTEN ESSAYS
Why Hire Collepals.com writers to do your paper?
Quality- We are experienced and have access to ample research materials.
We write plagiarism Free Content
Confidential- We never share or sell your personal information to third parties.
Support-Chat with us today! We are always waiting to answer all your questions.