International Conference on Computer Systems and Technologies - CompSysTech’12

Towards a Security Evaluation Model based on Security Metrics

Jakub Breier, Ladislav Hudec

Abstract: Methods for risk evaluation often involve subjective criteria because this process is undertaken by a risk analyst influenced by his own knowledge and experience. The purpose of this work is to bring objectivity to this process and to provide a discrete-scale evaluation of implemented security controls. It provides results and a final score from a security attributes point of view, that is, a quality ranking of confidentiality, integrity, availability, authenticity and non-repudiability within the organization. The assignment of security clauses from the ISO/IEC 27002:2005 standard to security attributes uses the Formal Concept Analysis method, which provides a summarized and clear object-attribute classification.

Key words: Risk Evaluation, Information Security, Security Standards, Security Metrics, Security Model, Formal Concept Analysis

INTRODUCTION

Information security risks pose a serious threat to organizations dependent on their information systems. Both known and unknown vulnerabilities can be exploited to compromise confidentiality, integrity, availability or authenticity of the information used by the organization. Different levels of security exist, including physical protection, protection by cryptography, and ensuring authenticity or asset classification, in order to minimize the effect of both internal and external threats. It is essential that responsible leaders and managers understand their responsibilities and support information security management that improves the protection of an organization's assets.

There are many documents that describe risk assessment techniques. They usually propose theoretical approaches and provide generic guidance on choosing security controls. However, they usually fall short on describing practical aspects and giving an objective discrete-scale evaluation. Risk managers and security professionals need formalized quantitative risk measures and metrics, so they can efficiently and correctly measure risks. A comprehensive risk management framework with risk metrics would improve risk assessment by reducing the level of difficulty for organizations when making decisions in relation to information security management.

In this paper we will cover a risk evaluation method based on the ISO/IEC 27002:2005 standard [1] supported by information security risk metrics. We proposed a formal model for using metrics as the tool for risk analysis [2] and we have also started defining the components of this model. We have identified three stages of the model, and this paper describes the second stage, that is, supporting the security attributes with security clauses from the standard.

FORMAL MODEL

Risk analysis is the main technique for assessing information security risks in an organization. In order to increase objectivity in the process of risk assessment, we propose the use of information security risk metrics [2]. We have designed a model that uses metrics to measure the quality of implemented security controls; it consists of three stages:

• Mapping metrics to control objectives: The first stage concerns the standard's control objectives and assigns metrics to each of them. We selected the most appropriate metrics, defined their characteristics and created a quality function that reflects the control objective's achievement. Metrics in this phase are chosen from the lists provided in books [3, 4] and from the metric databases available on the internet. Three characteristics are attached to each metric:
  o Metric weight: this parameter defines how much the metric contributes to the control objective. When more than one metric is assigned to a control objective, their weights total 100%.
  o Optimal value: each metric has an optimal value, used in the quality function. In some cases this value is clearly visible, but in others, for example the number of security reviews per annum, it has to be defined with respect to best practices and recommendations.
  o Worst value: the situation with this parameter is similar to the optimal value. For example, it is not clear what number of successful attacks per month is critical.
  After defining the quality function we move to the evaluation of the eleven security clauses from the standard. We can use them to determine compliance with the standard, or we can further work on them to achieve aggregated values from the security attributes point of view.

• Assigning security clauses to security attributes: The second stage concerns the contribution of the security clauses from the standard to the security attributes confidentiality, integrity, availability, authenticity and non-repudiation. We need to examine the security clauses from the attributes' point of view so we can design relevant mappings between them. A suitable method for this purpose is Formal Concept Analysis [6], which, as proposed in [5], can also be used for the classification of security patterns. This method classifies and categorizes objects. It establishes a relationship between objects and attributes that gives comprehensive and easy to understand results. In our case the objects are security clauses, to which the security attributes are assigned as attributes. Each clause can contribute to several attributes and vice versa.

• Support the model with statistics: Security statistics are key factors when considering security investments and the implementation of security mechanisms. Several statistical reports are published each year; some of them provide only aggregated results, while others present detailed information that can be further inspected. For our purpose we chose Verizon's Data Breach Investigations Report [7], which contains detailed types of cyber-attacks and categorizes them from the security attributes point of view. Each security breach is divided into four parts:
  o Agent: who performs the attack.
  o Action: the attack type.
  o Asset: which asset was affected.
  o Attribute: which security attributes were compromised.
  With this knowledge we can make a detailed analysis of the report and use the result to support the second stage of our model, where we assign weights to each clause-attribute pair. This will help us to determine which clauses are important for which attributes and reveal the relevant connections between them. Statistics, as well as threats, change over time. Therefore the model has to be capable of development and adaptable to new conditions.

FORMAL CONCEPT ANALYSIS

Formal Concept Analysis (FCA) is a method of data analysis, knowledge representation and information management [6]. The mathematical lattices produced by FCA can be interpreted as classification systems. This section proposes the usage of FCA for the classification of security clauses from the ISO/IEC 27002:2005 standard [1].

The central notion of Formal Concept Analysis is the duality called a Galois connection [6]. This duality can be observed between two types of items that relate to each other in an application, such as objects and attributes. In our case the attributes are the information security attributes (confidentiality, integrity, availability, authenticity and non-repudiation) and the objects are security clauses from the standard. The Galois connection implies that if we make the set of one type larger, it corresponds to a smaller set of the other type, and vice versa.

Definitions

Definition 1: A formal context is defined as a set structure $K = \langle X, Y, I \rangle$. It consists of a set of (formal) objects $X$, a set of (formal) attributes $Y$, and a binary relation $I$ between $X$ and $Y$, $I \subseteq X \times Y$. $xIy$, i.e. $\langle x, y \rangle \in I$, is read: the object $x$ has the attribute $y$.

Definition 2: A formal concept for a context is defined to be a 2-tuple $\langle O, A \rangle$, derived from the formal context, such that
1. $O \subseteq X$
2. $A \subseteq Y$
3. Every object in $O$ has every attribute in $A$
4. For every object in $X$ that is not in $O$, there is an attribute in $A$ that the object does not have
5. For every attribute in $Y$ that is not in $A$, there is an object in $O$ that does not have that attribute

$O$ is then called the extent of the concept, $A$ the intent. More formally, $\langle O, A \rangle$ is called a formal concept if and only if $O' = A$ and $A' = O$, where

$$O' = \{\, y \in Y \mid \forall x \in O : \langle x, y \rangle \in I \,\}, \qquad A' = \{\, x \in X \mid \forall y \in A : \langle x, y \rangle \in I \,\}.$$

INSPECTION OF SECURITY CLAUSES

We analyzed the standard's control objectives contained in each security clause and made maps between clauses and security attributes. Below are descriptions of each clause along with the reasons for the proposed maps:

• Security policy: The main objective of this clause is to provide the information security policy document that defines the role of information security in an organization. It explains security policies, principles, standards and compliance requirements, so it deals with the three main attributes: confidentiality, integrity and availability.

• Organization of information security: This clause specifies confidentiality, explicitly defined in the 'Confidentiality agreements' control objective that deals with the protection of information. We also have to consider the integrity of assets when dealing with customers and the necessary authorization process for users, so we have to implement authenticity. This clause also contains the 'Addressing security in third party agreements' control objective, defining the access control policy for third party access methods. These methods identify their actions in the system, so we need to implement non-repudiation mechanisms for these actions.

• Asset management: In this clause there are two categories, 'Responsibility for assets' and 'Information classification'. The first one contains control objectives dealing with the ownership, acceptable use and storage of assets. That means that, when properly implemented, it contributes to data integrity, availability and authenticity. The second category supports confidentiality.

• Human resources security: This clause deals with the responsibilities of employees, contractors and third party users. It is necessary to monitor each user's actions in order to distinguish between proper use and misuse of a system. To support this we need the presence of non-repudiation in the system.

• Physical and environmental security: This clause contains the definition of secure areas and equipment security. Proper implementation of the control objectives in this clause strengthens data confidentiality, integrity and availability.

• Communications and operations management: This clause covers several procedures related to information processing. Backup rules support data availability. Protection against malicious code involves controlling the integrity of the data. Securing network services enhances the confidentiality of the information flow. The 'Electronic commerce' control objective supports non-repudiation, as it requires identity verification.

• Access control: Controlling user access to a system and granting access rights supports data confidentiality, integrity and user authenticity. Proper implementation of access control management supports non-repudiation of user actions in a system.

• Information systems acquisition, development and maintenance: The 'Control of internal processing' control objective in this clause supports the integrity and authenticity of data and software transferred between central and remote computers in a system. The 'Cryptographic controls' control objective provides confidentiality, authenticity and integrity of information. The 'Security in development and support process' category supports non-repudiability of user actions involving changes to the application software.

• Information security incident management: The 'Collection of evidence' control objective needs proper non-repudiability methods implemented in a system in order to determine the origin of executed processes.

• Business continuity management: From the security point of view, this clause deals with the availability of data stored in a system. The processes described in this clause can be used after a security incident.

• Compliance: In this clause there are several control objectives dealing with the confidentiality of data. It also contains the regulation of cryptographic controls and rules on how to satisfy compliance with relevant agreements, laws and regulations.

RELATIONSHIPS BETWEEN SECURITY ATTRIBUTES AND SECURITY CLAUSES

We can now construct a formal context useful for the classification of security attributes. Let $A$ be the set of security attributes and $O$ be the set of security clauses from the ISO/IEC 27002:2005 standard. For $o \in O$ and $a \in A$, $oIa$ tells us that security clause $o$ supports security attribute $a$. For example, if $o$ is the 'Access control' security clause and $a$ is 'confidentiality', then $oIa$ means that the 'Access control' security clause supports 'confidentiality'. The formal context is shown in Table 1: objects are tabulated along rows, attributes along columns, and their maps are indicated in the cells of the table. The formal concept lattice for the created formal context is then illustrated in Figure 1.

Table 1: Formal context defining support of security attributes by security clauses. Objects (rows) are the eleven security clauses, attributes (columns) are Confidentiality, Integrity, Availability, Authenticity and Non-repudiation; a cross marks a clause that supports an attribute. [The cross marks of the table are not preserved in this copy.]

Abbreviations of the objects: SP: Security Policy; OIS: Organization of Information security; AM: Asset management; HRS: Human resources security; PES: Physical and environmental security; COM: Communications and operations management; AC: Access control; ISADM: Information systems acquisition, development and maintenance; ISIM: Information security incident management; BCM: Business continuity management; CMP: Compliance.

STATISTICS SUPPORT

The assignment of attributes to clauses is important, but we need to further discuss weights and investigate how each security clause contributes to each security attribute. For this purpose we need statistical data that brings the real world into our model. Every year, statistics on security breaches in the information security world are published. In Verizon's Data Breach Investigations Report [7] we can find comprehensive statistics, useful to determine the importance of particular security clauses. The structure of the threat overview in the report is as follows. Events are organized into a matrix and each event is described by four elements:

• Agent: Whose actions affected the asset. This can be external, internal, or partner.
• Action: What actions affected the asset. This can be malware, hacking, social, misuse, error, physical, or environmental.
• Asset: Which assets were affected. This can be servers, networks, user devices, offline data, or people.
• Attribute: How the asset was affected. This can be in terms of confidentiality, possession, integrity, authentication, availability, or utility.

This matrix leads to 630 different possible threat events. However, the results showed that only 55 of them were observed in a sample of 761 breaches. The most reported security events are listed in Table 2. We can look at particular attributes from the security clauses' point of view to determine which clauses are critical to minimize those threat events. We can find eight security clauses which support confidentiality and six security clauses which support integrity in their control objectives. In respect of the properties of these attributes we can assess them together, with some explainable minor differences. In accordance with the statistics, we only have to consider those which cover the security of servers and user devices.

We also have to divide the clauses into two categories, considering the action type:

• Hacking and Malware: These two action types can be considered together, because the mechanisms to protect against them are almost the same. They both exploit vulnerabilities in code, users' lack of awareness of existing threats and bad security practices. The key security clauses concerning these actions are Access control, Information systems acquisition, development and maintenance, Asset management, and Communications and operations management. The first one is necessary to ensure the authentication and authorization of users, which has to be implemented in accordance with another security clause, Security policy. The second covers information systems and their implementation and includes responsibility for the vulnerabilities in code which can be exploited by hacking and malicious code. Asset management covers the confidentiality of assets, is necessary for information classification, and also encapsulates cryptographic controls which can protect information even if it is obtained by the hacker. Finally, Communications and operations management is a clause covering information processing in an organization. It implements mechanisms protecting the information flow and secures network services.

Figure 2: Formal concept lattice for the proposed formal context.

• Physical: The security clauses concerning this action type are Physical and environmental security and Security policy. In the statistics only user devices are listed as a target of this attack type. This means that servers are usually well protected from unauthorized physical access. However, a company's security policy rarely specifies the physical security of user devices, especially if those devices are portable. Even where there are rules of secure usage, these are often ignored by users. As a result there has to be a clear policy and exact guidelines with regard to the Physical and environmental security control objectives, to protect assets and critical information processing facilities from these attacks.

Table 2: Top 10 threat events [7].

Threat event                                          %
External.Hacking.Servers.Confidentiality          48.5%
External.Hacking.Servers.Integrity                46.4%
External.Malware.Servers.Integrity                42.4%
External.Malware.Servers.Confidentiality          41.9%
External.Malware.UserDevices.Confidentiality      28.1%
External.Malware.UserDevices.Integrity            28.1%
External.Physical.UserDevices.Confidentiality     26.4%
External.Physical.UserDevices.Integrity           26.4%
External.Hacking.UserDevices.Confidentiality      22.9%
External.Hacking.UserDevices.Integrity            22.7%

FUZZY FORMAL CONCEPT FOR SECURITY EVALUATION

We can now construct a formal concept which is more specific and in accordance with the statistical data in the previous section. First, we choose one attribute, confidentiality, and take a detailed view of it. The original formal concept analysis method uses crisp scaling between objects and attributes. It is often required to have more detailed information than just whether a security clause supports or does not support a chosen attribute. Therefore we use fuzzy formal concept analysis [8] to deal with this problem.

Definition 3: A fuzzy formal concept is a triple $K = \langle X, Y, I = \mu(X \times Y) \rangle$, where $X$ is a finite set of objects, $Y$ is a finite set of attributes and $I$ is a fuzzy set on the domain $X \times Y$. Each relation $\langle x, y \rangle \in I$ has a membership value $\mu(x, y) \in [0, 1]$.

We can construct the fuzzy formal context for confidentiality, which contains the eight security clauses as objects and the importance property as an attribute. Importance specifies how much the clause contributes to supporting confidentiality in an organization. The fuzzy formal context is shown in Table 3.

Table 3: Fuzzy formal context for confidentiality.

Security clause   Importance
SP                0.05
OIS               0.05
AM                0.2
PES               0.1
COM               0.15
AC                0.3
ISADM             0.1
CMP               0.05
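The following is an added example (not the authors' code) that works Definitions 1 to 3 through in Python: it encodes the crisp clause/attribute context as described in the INSPECTION OF SECURITY CLAUSES section, implements the derivation operators $O'$ and $A'$, enumerates every formal concept by closing attribute subsets, and uses the Table 3 membership values as a fuzzy context for confidentiality. The weighted-sum aggregation of per-clause quality scores into one attribute score is an assumption of this example; the paper does not fix the aggregation.

```python
"""FCA over the clause/attribute context of the paper (added example, not the
authors' code). The crisp context is built from the clause descriptions in the
INSPECTION OF SECURITY CLAUSES section; the fuzzy memberships are the
importance values of Table 3. The weighted-sum aggregation is an assumption."""
from itertools import combinations

# Attribute labels: confidentiality, integrity, availability, authenticity, non-repudiation
ATTRIBUTES = ("C", "I", "A", "Au", "NR")

# Crisp context I, stored as clause -> set of attributes it supports
CONTEXT = {
    "SP": {"C", "I", "A"},
    "OIS": {"C", "I", "Au", "NR"},
    "AM": {"C", "I", "A", "Au"},
    "HRS": {"NR"},
    "PES": {"C", "I", "A"},
    "COM": {"C", "I", "A", "NR"},
    "AC": {"C", "I", "Au", "NR"},
    "ISADM": {"C", "I", "Au", "NR"},
    "ISIM": {"NR"},
    "BCM": {"A"},
    "CMP": {"C"},
}

# Fuzzy context for confidentiality (Table 3): mu(clause, confidentiality)
CONF_IMPORTANCE = {"SP": 0.05, "OIS": 0.05, "AM": 0.2, "PES": 0.1,
                   "COM": 0.15, "AC": 0.3, "ISADM": 0.1, "CMP": 0.05}


def intent(objects):
    """O' = attributes shared by every object in O (Definition 2)."""
    shared = set(ATTRIBUTES)
    for obj in objects:
        shared &= CONTEXT[obj]
    return frozenset(shared)


def extent(attributes):
    """A' = objects that have every attribute in A (Definition 2)."""
    wanted = set(attributes)
    return frozenset(o for o, attrs in CONTEXT.items() if wanted <= attrs)


def concepts():
    """Every formal concept (O, A) with O' = A and A' = O, ordered from the
    top concept (all objects) to the bottom one (all attributes)."""
    found = set()
    for size in range(len(ATTRIBUTES) + 1):
        for subset in combinations(ATTRIBUTES, size):
            ext = extent(subset)
            found.add((ext, intent(ext)))  # intent(ext) is the closure A''
    return sorted(found, key=lambda c: (-len(c[0]), sorted(c[1])))


def weighted_attribute_score(quality, importance=CONF_IMPORTANCE):
    """Aggregate per-clause quality scores in [0, 1] into one attribute score.
    Weighted sum with the Table 3 memberships is an assumption of this example.
    Fails loudly on a bad weight vector, a missing clause or an out-of-range score."""
    if abs(sum(importance.values()) - 1.0) > 1e-9:
        raise ValueError("importance values must sum to 1")
    missing = set(importance) - set(quality)
    if missing:
        raise KeyError(f"no quality score for clauses: {sorted(missing)}")
    for clause in importance:
        if not 0.0 <= quality[clause] <= 1.0:
            raise ValueError(f"quality of {clause} must lie in [0, 1]")
    return round(sum(importance[c] * quality[c] for c in importance), 4)
```

A useful consistency check between the two contexts is that `extent({"C"})` returns exactly the eight clauses that carry a membership value in Table 3.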

CONCLUSIONS AND FURTHER WORK

In the previous sections of this paper we described a formal model for using security metrics in security evaluation. Metrics can bring effectiveness and objectivity into the process and can be used as an input to the proposed model. We proposed three stages of the formal model construction. The first stage explains how to evaluate ISO/IEC 27002:2005 control objectives by security metrics, and this part was described in previous work. The second stage is about supporting security attributes with the standard's security clauses using formal concept analysis. The third stage is about supporting the model with proper statistics. The second stage and a part of the last stage were explained in this paper. The main problem with these two stages is the adequate categorisation of security clauses, so that we can further use them to get the aggregated security score. A way to make this categorisation was defined, but there is a need to support the model with more statistics and to establish its verification. The purpose of the whole model is to extract useful information from the selected metrics, evaluate it, and show the results on a discrete scale from the security attributes point of view, which will give a complete picture of the security controls implemented in an organization.

Acknowledgement. The paper was prepared with partial support of research grant VEGA 1/0722/12 entitled "Security in distributed computer systems and mobile computer networks".

REFERENCES

[1] ISO. ISO/IEC Std. ISO 27002:2005, Information Technology – Security Techniques – Code of Practice for Information Security Management. ISO, 2005.
[2] J. Breier and L. Hudec. Risk Analysis Supported by Information Security Metrics. In ACM, volume 578, pages 393–398, 2011.
[3] L. Hayden. IT Security Metrics. McGraw-Hill Osborne Media, 2010.
[4] A. Jacquith. Security Metrics: Replacing Fear, Uncertainty, and Doubt. Addison-Wesley Professional, 2007.
[5] A. Sarmah, S. M. Hazarika, and S. K. Sinha. Security pattern lattice: A formal model to organize security patterns. In Proceedings of the 2008 19th International Conference on Database and Expert Systems Application, pages 292–296, Washington, DC, USA, 2008. IEEE Computer Society.
[6] U. Priss. Formal concept analysis in information science. Annual Review of Information Science and Technology, 40:521–543, 1996.
[7] W. Baker, A. Hutton, D. Hylender, J. Pamula, Ch. Porter, and M. Spitler. 2011 Data Breach Investigations Report. Technical report, Verizon, 2011.
[8] S. Zheng, Y. Zhou, and T. Martin. A new method for fuzzy formal concept analysis. In Proceedings of the 2009 IEEE/WIC/ACM International Joint Conference on Web Intelligence and Intelligent Agent Technology - Volume 03, WI-IAT '09, pages 405–408, Washington, DC, USA, 2009. IEEE Computer Society.

ABOUT THE AUTHORS

Mgr. Jakub Breier, Institute of Applied Informatics, Faculty of Informatics and Information Technologies STU in Bratislava, Phone: +421 948 752 069, E-mail: [email protected]

Assoc. Prof. Ladislav Hudec, PhD, Institute of Applied Informatics, Faculty of Informatics and Information Technologies STU in Bratislava, Phone: +421 (2) 60 291 243, E-mail: [email protected]
