‘Building security in’ with CAIRIS
Shamal Faily, Bournemouth University
‘Building security in’ is hard
• “I think we have to assume a naive user and build systems secure around that” Bruce Schneier
http://www.vimeo.com/27190504
Just an engineering problem?
• “there are many tensions that engineers have still not begun to explore. For example, ease of use is a priority in control systems design, and security usability is known to be hard. Will we see conflicts between security and safety usability? As a typical plant operator earns less than $40,000, the ‘Homer Simpson’ problem is a real one. How do we design security that Homer can use safely?” Anderson, R., and Fuloria, S. Security Economics and Critical National Infrastructure. In Eighth Workshop on the Economics of Information Security (WEIS 2009), 2009.
[Diagram: the Security Engineer constrains security requirements SR 1, SR 2 and SR 3; the Software Engineer designs functional requirements FR 1, FR 2 and FR 3 and the System; the User uses and interacts with the System; the Attacker attacks and exploits the System, with Social Engineering, DoS and XSS as the example attacks. Rotated labels read ‘System’, ‘exploit’ and ‘customise’.]
Image (bottom right): Maggie Smith / FreeDigitalPhotos.net
HCI can help
Ethnomethodology, Contextual Design, User Centered Design, Interaction Programming, Activity Theory, Grounded Design, Task Analysis, Participative Design, Value-Centered HCI, Usage Centered Design
Horses for courses?
What about the requirements?
What about the security?
There are some commonalities
• Security is about the protection of assets
• Protection against all possible threats and vulnerabilities is untenable, so people need risks
Introducing IRIS
Integrating Requirements and Information Security: a framework for specifying software systems that are secure for their contexts of use.
[Diagram, process framework: Context of Use; Establish Scope, Investigate Contexts and Requirements Workshops, with the guard [unresolved contexts] returning to earlier stages.]
[Diagram, meta-model with cardinalities: Goal, Task, Persona, Asset, Threat, Motive, Capability, Attacker, Vulnerability, Risk, Misuse Case, Response (Accept, Transfer, Mitigate), Environment, Scenario, Requirement, Countermeasure, Usability Attribute, Security Attribute and Obstacle.]
A Meta-Model for Usable Secure Requirements Engineering
Process Framework
Faily, S. A framework for usable and secure system design. DPhil thesis, University of Oxford, 2011.
http://www.pixteller.com/pdata/t/l-70022.jpg
What is CAIRIS? (Computer Aided Integration of Requirements and Information Security)
1. A model security requirements management tool
2. Decision support for security design & evaluation
[Screenshot: CAIRIS model views, labelled Security and Usability: Risk View, Argumentation View, Location View, Task View, Asset View, Component View, GRL Goal View, Quality View, KAOS Goal View and Requirements. The risk view shows the risks Account lockout, Site break-in, Spoof telemetry and System enumeration, the personas Rick and Barry, and requirement identifiers such as WCH_1, PC-9, MR_1 and SWS-1.]
3. A vehicle for consolidating security design data
Requirements, Physical Concept Maps, Graphviz Concept Maps, Requirements Specification, Backlog
[Screenshot: cover page of the webinos project deliverable ‘Updates on Requirements and available Solutions’, Version 1.1, August 2012, EU FP7 ICT project No 257103 (FP7-ICT-2009-5), page 1 of 138.]
4. An open source project
https://www.openhub.net/p/CAIRIS
What can you use CAIRIS for?
…to elicit and analyse risks
… to identify unwarranted assumptions
[Risk model diagram with the labels PLC Software, Laptop, Windows login Credentials, Credential sharing, Logic bomb, Victor, Bob, the risk ‘Plant logic bomb via borrowed credentials’ and the misuse case ‘Exploit Plant logic bomb via borrowed credentials’.]
Bob visits a depot where several instrument techs are currently working. Seeing Barry, Bob asks him if he can borrow his login details because he has accidentally locked himself out and can't download some PLC changes he needs to make for a job he is about to do. After giving him his credentials, Bob downloads the software he needs for a site change, makes the required software modifications, before making a further change to turn off all the pumps connected to the PLC at a specific time.
…to model threats
digraph AT {
  node [shape=box];
  edge [dir=none];
  "Backdoor to host" [style=rounded];
  "or_1" [shape=triangle,label="or"];
  "Exploit vsftpd backdoor" [style=rounded];
  "and_1" [shape=triangle,label="and"];
  "Telnet to vulnerable host" [style=rounded];
  "Append smiley to credentials" [style=rounded];
  "Run vsftpd as daemon" [style=rounded];
  "or_2" [shape=triangle,label="or"];
  "and_2" [shape=triangle,label="and"];
  "Disable telnet";
  "Install exploited vsftpd package" [style=rounded];
  "Build exploited vsftpd software" [style=rounded];
  "Download exploited vsftpd source" [style=rounded];
  "Compile exploited vsftpd source" [style=rounded];
  "Configure inetd for vsftpd" [style=rounded];
  "Disable vsftpd in inetd";
  "Backdoor to host" -> "or_1";
  "or_1" -> "Exploit vsftpd backdoor";
  "Exploit vsftpd backdoor" -> "and_1";
  "and_1" -> "Telnet to vulnerable host";
  "Telnet to vulnerable host" -> "Disable telnet";
  "and_1" -> "Append smiley to credentials";
  "and_1" -> "Run vsftpd as daemon";
  "Run vsftpd as daemon" -> "or_2";
  "or_2" -> "Install exploited vsftpd package";
  "or_2" -> "Build exploited vsftpd software";
  "Build exploited vsftpd software" -> "and_2";
  "and_2" -> "Download exploited vsftpd source";
  "and_2" -> "Compile exploited vsftpd source";
  "and_2" -> "Configure inetd for vsftpd";
  "Configure inetd for vsftpd" -> "Disable vsftpd in inetd";
}
./at2om.py --context "Metasploitable default setup" --author "EHC Group A" --out Exploit_vsftpd_backdoor.xml $HOME/Exploit_vsftpd_backdoor_graphviz.dot
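Added example, not code from the slides or from CAIRIS and separate from the at2om.py conversion above: a Python reader for the Graphviz attack tree form shown above that works out which attack steps the listed countermeasures block and which leaf steps still have none. It assumes the node conventions inferred from the slide's dot file: rounded boxes are attack steps, triangles are and/or gates, plain boxes are countermeasures.

```python
import re
# Constructed sample input: the attack tree from the slide, in the Graphviz form shown there.
ATTACK_TREE_DOT = '''digraph AT { node [shape=box]; edge [dir=none];
"Backdoor to host" [style=rounded]; "or_1" [shape=triangle,label="or"];
"Exploit vsftpd backdoor" [style=rounded]; "and_1" [shape=triangle,label="and"];
"Telnet to vulnerable host" [style=rounded]; "Append smiley to credentials" [style=rounded];
"Run vsftpd as daemon" [style=rounded]; "or_2" [shape=triangle,label="or"];
"and_2" [shape=triangle,label="and"]; "Disable telnet";
"Install exploited vsftpd package" [style=rounded]; "Build exploited vsftpd software" [style=rounded];
"Download exploited vsftpd source" [style=rounded]; "Compile exploited vsftpd source" [style=rounded];
"Configure inetd for vsftpd" [style=rounded]; "Disable vsftpd in inetd";
"Backdoor to host" -> "or_1"; "or_1" -> "Exploit vsftpd backdoor";
"Exploit vsftpd backdoor" -> "and_1"; "and_1" -> "Telnet to vulnerable host";
"Telnet to vulnerable host" -> "Disable telnet"; "and_1" -> "Append smiley to credentials";
"and_1" -> "Run vsftpd as daemon"; "Run vsftpd as daemon" -> "or_2";
"or_2" -> "Install exploited vsftpd package"; "or_2" -> "Build exploited vsftpd software";
"Build exploited vsftpd software" -> "and_2"; "and_2" -> "Download exploited vsftpd source";
"and_2" -> "Compile exploited vsftpd source"; "and_2" -> "Configure inetd for vsftpd";
"Configure inetd for vsftpd" -> "Disable vsftpd in inetd"; }'''

NODE_RE = re.compile(r'^"([^"]+)"\s*(?:\[([^\]]*)\])?$')
EDGE_RE = re.compile(r'^"([^"]+)"\s*->\s*"([^"]+)"$')

def parse_attack_tree(dot):
    """Return (kind, children): kind maps a node to attack, and, or, or countermeasure."""
    kind, children = {}, {}
    for stmt in dot[dot.index("{") + 1:dot.rindex("}")].split(";"):
        stmt = stmt.strip()
        if not stmt or stmt.startswith(("node", "edge")):
            continue  # graph-wide defaults, not tree content
        edge = EDGE_RE.match(stmt)
        if edge:
            children.setdefault(edge.group(1), []).append(edge.group(2))
            continue
        node = NODE_RE.match(stmt)
        if not node:
            raise ValueError("unrecognised statement: %r" % stmt)
        name, attrs = node.group(1), node.group(2) or ""
        if "shape=triangle" in attrs:  # assumed convention: triangle = and/or gate
            kind[name] = "and" if 'label="and"' in attrs else "or"
        else:  # assumed convention: rounded box = attack step, plain box = countermeasure
            kind[name] = "attack" if "style=rounded" in attrs else "countermeasure"
    return kind, children

def root_of(kind, children):
    """The attack step nothing points at: the attacker's top-level goal."""
    targets = {c for kids in children.values() for c in kids}
    return next(n for n, k in kind.items() if k == "attack" and n not in targets)

def is_blocked(node, kind, children):
    """True when the countermeasures present stop this node from being achieved."""
    kids = children.get(node, [])
    if kind[node] == "countermeasure":
        return True
    if kind[node] == "or":  # any branch suffices, so every branch must be blocked
        return bool(kids) and all(is_blocked(c, kind, children) for c in kids)
    # and-gates need every step; an attack step is blocked by a countermeasure or a blocked gate below it
    return any(is_blocked(c, kind, children) for c in kids)

def unmitigated_leaves(kind, children):
    """Leaf attack steps with nothing beneath them: where a new countermeasure could attach."""
    return sorted(n for n, k in kind.items() if k == "attack" and not children.get(n))
```

Removing the "Disable telnet" edge from the sample and re-running is_blocked on the root shows the whole tree reopening, which is the check worth making before a countermeasure is retired.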
… to make security design participative
… to evaluate architectures
Goal View, Asset View, Component & Connector View
Faily, S., Lyle, J., Namiluko, C., Atzeni, A., and Cameroni, C. Model-driven architectural risk analysis using architectural and contextualised attack patterns. In Proceedings of the Workshop on Model-Driven Security (2012), ACM, pp. 3:1–3:6.
On-going Work
Specification Exemplars for Critical Infrastructure Security
Faily, S., Stergiopoulos, G., Katos, V., and Gritzalis, D. “Water, Water, Every Where”: Nuances for a Water Industry Critical Infrastructure Specification Exemplar. In Proceedings of the 10th International Conference on Critical Information Infrastructures Security (2015), Springer, pp. 243–246.
https://www.flickr.com/photos/nicksie2008/14718839979
Specification Exemplars
• Self-contained, informal descriptions of a problem in some application domain, and are designed to capture the harshness of reality
• Nuances rarely given the attention they deserve
Excerpt from Feather et al. shown on the slide:
… advancement of software development practices (Parnas et al., 1991; Hinchey and Bowen, 1995; Modugno et al., 1997).
4. Examples of exemplars
As illustration of our general points, we present two commonly used exemplars, drawn from different domains. We have chosen these because we have first-hand experience of working with them.
4.1. Library
Figure 1 holds the description of the library exemplar (Kemmerer, 1985).
Consider a small library system with the following transactions:
1. Check out a copy of a book / Return a copy of a book.
2. Add a copy of a book to / Remove a copy of a book from the library.
3. Get the list of books by a particular author or in a particular subject area.
4. Find out the list of books currently checked out by a particular borrower.
5. Find out what borrower last checked out a particular copy of a book.
There are two types of users: staff users and ordinary borrowers. Transactions 1, 2, 4 and 5 are restricted to staff users, except that ordinary borrowers can perform transaction 4 to find out the list of books currently borrowed by themselves. The system must also satisfy the following constraints:
1. All copies in the library must be available for check-out or checked out.
2. No copy of a book may be both available and checked out at the same time.
3. A borrower may not have more than a pre-defined number of books checked out at one time.
Figure 1. The library exemplar.
https://www.flickr.com/photos/jamesclay/11456143645/
Feather, M. S., Fickas, S., Finkelstein, A., and van Lamsweerde, A. Requirements and specification exemplars. Automated Software Engineering 4, 4 (1997), 419–438.
Exemplars for Critical Infrastructure Security
• Operating environments of a critical infrastructure company
• Incorporate models of people and their activities
• Contain realistic threats, vulnerabilities, and risks
• Models vary by context
• Exemplars are machine readable
Faily, S., Lykou, G., Partridge, A., Gritzalis, D., Mylonas, A., and Katos, V. Human-Centered Specification Exemplars for Critical Infrastructure Environments. In Proceedings of the 30th British HCI Group Annual Conference on People and Computers (2016). To Appear.
Novel approaches for participative security design
https://www.flickr.com/photos/piljun/7063510951
[Image: CAIRIS risk model with the personas Rick and Barry and requirement labels such as WCH_1, PC-9, MR_1 and SWS1.]
http://www.washington.edu/news/files/2012/07/ControlAltHack_game.jpg
Beckers, K., and Pape, S. A serious game for eliciting social engineering security requirements. In Proceedings of the 24th IEEE International Conference on Requirements Engineering (2016), RE ‘16, IEEE Computer Society. To Appear.
[Image: CAIRIS risk model view showing the risks Account lockout, Site break-in, Spoof telemetry and System enumeration, the personas Rick and Barry, and requirement labels such as WCH_1, PC-9, MR_1 and SWS-1.]
Identifying ethical hazards and safeguards in penetration testing
“Ethical” Ethical Hacking?
[Concept map of ethical hazard and safeguard categories: technical training, state of art, tool selection, professional credentials, escalation protocols, ethics training, responsibility to practice, career sensitivity, shadowing, team protocols, information management, risk articulation, hidden risk instincts, engagement structure, fieldwork, informational protocols, scoping, service comprehension, 3rd party responsibility, expectation management, red teaming, test authority, client instincts, scope caveats, scope creep, issue context, remediation responsibility, client indifference, red team / blue team conflict, hacker mindset, social engineering and legal instincts, linked by ‘is cause of’, ‘is associated with’, ‘is part of’, ‘is a’ and ‘contradicts’ relationships.]
Faily, S., and Fléchais, I. Persona cases: a technique for grounding personas. In Proceedings of the 29th international conference on Human factors in computing systems (2011), CHI ’11, ACM, pp. 2267–2270.
Faily, S., and Fléchais, I. Eliciting and Visualising Trust Expectations using Persona Trust Characteristics and Goal Models. In Proceedings of the 6th International Workshop on Social Software Engineering (2014), SSE 2014, ACM, pp. 17–24.
Floods caused by Red Team
ACME Water are seeking damages from RedTeam LLP (a CREST member company) for locking a water treatment plant operator (Rick) out of their IT network. ACME consider this was the root cause of flooding that caused significant disruption in the Dorset region. As an expert witness, you have been asked to uncover evidence of unprofessional behaviour by a RedTeam engineer (Ben).
It is 1530 on a rainy Tuesday afternoon. Ben and Alex are security engineers for RedTeam. Both are working as part of a larger project conducting a red team test on ACME Water; they are evaluating ACME’s security posture to ensure their security policies on the use of IT are being followed. For this engagement, Alex is shadowing Ben. For the past week, Ben and Alex have been working out of the RedTeam office in Bournemouth but, for today only, both are working from hot desks in ACME’s head office in Dorchester. Alex is running RedTeam’s ICS network auditing tool (RETINAT) to identify potential vulnerabilities on ACME’s corporate IT network. For the past week, Alex has been customising RETINAT to include protocols and services used by ACME, as well as ACME phone number ranges for the tool’s wardriving functionality. RETINAT was written and maintained by RedTeam staff, but the tool interfaces with various open source tools. Alex's testing with RETINAT appeared to proceed smoothly and, after writing up notes on his findings, both Ben and Alex left shortly after 5pm.
At 1950, Rick arrived at Moorside Water Treatment Works to start his shift. What started as light rain in the morning had now developed into a torrential downpour. Rick was worried about the potential for flooding caused by the rain, so decided to check the water level at various points across the water distribution network using the AJS tool. Unfortunately, after several attempts, Rick discovered that he was unable to log into Windows in order to access AJS.
Without access to AJS, not only would Rick be unable to check the water level, he would also be unable to control the defences available to him for reducing the water flow. Rick attempted to call the ACME IT help-desk, but was greeted with an automated reply because help is only available between 0900 - 1700 on weekdays. Because he was on his own for the rest of the night, Rick attempted to call Barry — an on-call instrument technician — in the hope that he could use his credentials to access AJS. After several hours, Rick was finally able to reach Barry at 2200. Barry had been working on other jobs in an area lacking mobile phone coverage. Barry provided Rick with his own Windows login details over the phone, which finally allowed him to access AJS to check and control the water level. Rick discovered that the water level was so high that several downstream villages and the main rail line to London were now flooded. The flooding subsequently disrupted transport links to the region for nearly 24 hours, causing over £1 million of property damage.
A review of the incident by ACME concluded that Rick was unable to log in because his Windows account was locked due to an excessive number of login attempts; these login attempts appear to have been made by RETINAT. The review concluded that, had the upstream water levels been reduced by 2030, much of the downstream flooding could have been avoided. The review also noted the additional factors:
• Alex was a recent graduate. He had joined RedTeam a few months before the engagement, and started work on the ACME project the previous week.
• ACME were broadly aware that vulnerability evaluation tests would be taking place during the week, and that these tests would entail the enumeration of discovered network applications during working hours.
• Ben examined the test results before going home on Tuesday. He noted nothing unusual that would warrant client contact.
• When George -- ACME’s IT manager -- spoke to Ben about the account lockout on Wednesday morning, Ben stated that RedTeam did not do anything that wasn’t within their pre-agreed scope of activities.
• When the scope of activities was initially agreed, ACME indicated that several legacy applications associated with water flood level monitoring were prone to unpredictable behaviour. Ben confirmed that these applications would not be considered within the test’s scope.
• Ben accepted that his relationship with George was tenuous. Several times during the past week, George spoke to Ben about problems accessing network services which, it was claimed, were attributed to RedTeam’s testing. Ben was used to receiving complaints from George, and didn’t think his conversation on Wednesday morning was out of the ordinary.
Id | Rpnd Id | Explanation | Related goals | Harmed/Broken goals | LA HT RB CI
1 | 1 | He shouldn’t have used the tool if he didn’t fully understand the implications | Trusted tool reliance | None |
2 | 1 | Ben did not review Alex’s work fully. He should have identified the potential error. If he had, Ben should have also checked with the organisation's IT team if they could reverse the accounts that had been locked | Junior and senior testers paired, Model for client interaction, Junior tester mentored, Client expertise acknowledged | Ethical knowledge shared, Client expertise acknowledged | Y
3 | 1 | Ben’s scope had been poorly defined; there are a number of ways to test passwords and if this was something that was important to the client a different approach could have been taken, preventing accounts from being locked | Wide scope exercises, Legality of scope determined, Scope kept | Legality of scope determined, Scope kept | Y
4 | 1 | Ben’s response to the client's IT department was not professional and he should have investigated the complaint | IT team communications respectful, Security problems explained, Client expertise acknowledged | IT team communications respectful, Security problems explained, Client expertise acknowledged | Y Y
Faily, S., Iacob, C., and Field, S. Ethical Hazards and Safeguards in Penetration Testing. In Proceedings of the 30th British HCI Group Annual Conference on People and Computers: Fusion (2016), British Computer Society. To Appear.
Further information