PORTUNES: Generating attack scenarios by finding inconsistencies between security policies
Trajce Dimkov, Wolter Pieters, Pieter Hartel
{trajce.dimkov,wolter.pieters,pieter.hartel}@utwente.nl

Introduction
The security goals of an organization are implemented through security policies, which concern physical security, digital security and security awareness. Besides external actors, security policies are designed to thwart malicious employees. This proves to be a hard task:
► An employee can work in the same position for years before committing an attack, and has enough time to learn the security policies and their weaknesses;
► An employee has a set of privileges for carrying out everyday tasks, allowing him physical access to various parts of the facility of an organization;
► An employee has an established level of trust among his colleagues.

Solution
Portunes¹ abstracts aspects from the three security areas and presents attack scenarios. A method applies graph-based algorithms on a Portunes model to generate attack scenarios.

[Figure labels: Physical Security (Unauthorized access, Safety; Safe, Fence, Door); Digital Security (Confidentiality, Integrity, Availability; Encryption, Signature, Firewall); Security Awareness (Social Engineering; Awareness, Simulation, Seminar); Social Awareness; Policy]

Method
Fig 4. Portunes abstracts aspects from physical security, digital security and social awareness
Firstly, the building complex with the inventory of interest, the data and the people residing in the building are abstracted in a high-level Portunes model.
[Figure labels: Attack scenario; Security Policies; Digital Mechanisms; Physical Mechanisms; Policy]
Fig 2. Using the Portunes model, we are able to analyze an organization.
The outcome of the method is an attack scenario which leads to negating one of the security goals of the organization, without violating any policy.

Contribution
► We define a formal model which combines aspects from physical security, digital security and security awareness of people in a single formalism. To present the model, a new KLAIM [1] inspired language is defined.
Detailed Portunes model + Graph-based algorithms => Attack scenario
Graph + mapping function + constraints = Detailed Portunes model
Fig 5. The high-level Portunes model is a tuple of a graph and mapping function which satisfies certain constraints.
Secondly, the high-level model is translated to a detailed model which is presented in Portunes’ language. The detailed model contains additional information on the security policies in place.
Fig 3. The resulting scenario is a set of distributed process definitions.
¹ Inspired by the Roman god of keys.
Fig 1. The organization defines security goals for the physical security of the buildings and the data. These goals are presented through security policies and enforced by various mechanisms.
Portunes model + Portunes’ language => Detailed Portunes model

Problem
Prediction of multi-step attacks from a malicious employee who uses a combination of credentials, physical access and social engineering to harm the organization.

Limitations
► Validation - the Portunes model has been validated on small examples. Currently, we are performing a case study in an organization to properly validate the model.
► Scalability - the current algorithms for calculating an attack scenario are of complexity O(|n^4|), where n is the number of nodes.
Fig 6. The detailed Portunes model is a formal language construct.
Finally, adapted graph-based algorithms analyze the detailed model and find inconsistencies in the security policies. As a result, the algorithms return an attack scenario which negates a given security goal of the organization.
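The idea of this last step, as an added example (not the authors' code, and not Portunes' language or algorithms): a breadth-first search over a constructed facility returns the shortest sequence of steps that no policy forbids yet moves the asset outside. The rooms, actors, trust relation and step rules are assumptions made for illustration.

```python
from collections import deque

# Constructed toy facility (assumed for illustration, not taken from the poster).
DOORS = {("outside", "hall"): None,        # no credential needed
         ("hall", "server_room"): "key"}   # physical policy: key holders only
TRUSTS = {("admin", "insider")}            # social layer: admin lends items to insider
START = {"insider": "hall", "admin": "hall",
         "key": "admin", "data": "server_room"}   # thing -> room or holder
ITEMS = ("key", "data")

def room_of(state, thing):
    """Objects move with their holder: follow containment up to a room."""
    while thing in state:
        thing = state[thing]
    return thing

def allowed_steps(state, doors, trusts, who="insider"):
    """Yield (description, next_state) for every step no policy forbids."""
    here = room_of(state, who)
    for (a, b), cred in doors.items():
        for src, dst in ((a, b), (b, a)):
            if src == here and (cred is None or state[cred] == who):
                yield f"{who} walks {src} -> {dst}", {**state, who: dst}
    for item in ITEMS:
        owner = state[item]
        if owner == here:                                  # lying in this room
            yield f"{who} takes {item}", {**state, item: who}
        elif (owner, who) in trusts and room_of(state, owner) == here:
            yield f"{who} asks {owner} for {item}", {**state, item: who}

def find_scenario(start, doors, trusts, asset="data", forbidden_room="outside"):
    """Breadth-first search for the shortest policy-compliant goal violation."""
    queue, seen = deque([(start, [])]), {tuple(sorted(start.items()))}
    while queue:
        state, path = queue.popleft()
        if room_of(state, asset) == forbidden_room:
            return path
        for step, nxt in allowed_steps(state, doors, trusts):
            key = tuple(sorted(nxt.items()))
            if key not in seen:
                seen.add(key)
                queue.append((nxt, path + [step]))
    return None   # the goal holds under these policies

if __name__ == "__main__":
    print(find_scenario(START, DOORS, TRUSTS))   # policies as written
    print(find_scenario(START, DOORS, set()))    # key lending no longer permitted
```

With the policies as written, the search reports a five-step scenario that starts with the key being lent; once lending is not permitted, it returns None, which is the consistency check a policy owner would rerun after each change.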
► We are the first to produce attack scenarios which include physical and social aspects. This is achieved by using graph-based algorithms on the model to generate multi-step attack scenarios which do not violate any security policy in the organization. The main improvements of Portunes upon existing work are:
1. Expressing mobility of all objects, not just keys [2];
2. Adaptation of graph-based vulnerability analysis on facilities and physical objects, not just on computer networks [3].
References
[1] R. De Nicola, G. L. Ferrari, and R. Pugliese. KLAIM: A kernel language for agents interaction and mobility. IEEE Transactions on Software Engineering, 24(5):315–330, 1998.
[2] D. Ha, S. Upadhyaya, H. Ngo, S. Pramanik, and R. Chinchani. Insider threat analysis using information-centric modeling. In IFIP International Conference on Digital Forensics, pages 55–73. Springer, 2007.
[3] P. Ammann, D. Wijesekera, and S. Kaushik. Scalable, graph-based network vulnerability analysis. In CCS ’02, pages 217–224. ACM, 2002.
This research is supported by the Sentinels program of the Technology Foundation STW, applied science division of NWO and the technology programme of the Ministry of Economic Affairs under project number TIT.7628.