Loading...

Assignment 2

Open Posted By: surajrudrajnv33 Date: 10/09/2020 Graduate Research Paper Writing

 

Briefly respond to all the following questions. Make sure to explain and backup your responses with facts and examples. This assignment should be in APA format and have to include at least two references.

Using Figure 5.4 as the target architecture, who are the threat agents who will be most interested in attacking Web applications created through AppMaker?

Minimum 600 words

Category: Business & Management Subjects: Human Resource Management Deadline: 12 Hours Budget: $120 - $180 Pages: 2-3 Pages (Short Assignment)

Attachment 1

University of the Cumberlands School of Computer & Information Sciences

ISOL-536 - Security Architecture & Design

Chapter 5 - Prepare for Assessment

Spring 2020

Dr. < your name >

Chapter 5 - Prepare for Assessment

5.1 Process Review

5.1.1 Credible Attack Vectors

5.1.2 Applying ATASM

5.2 Architecture and Artifacts

5.2.1 Understand the Logical and Component Architecture of the System

5.2.2 Understand Every Communication Flow and Any Valuable Data Wherever Stored

5.3 Threat Enumeration

5.3.1 List All the Possible Threat Agents for This Type of System

5.3.2 List the Typical Attack Methods of the Threat Agents

5.3.3 List the System-Level Objectives of Threat Agents Using Their Attack Methods

Chapter 5 - Prepare for Assessment – Cont.

5.4 Attack Surfaces

5.4.1 Decompose (factor) the Architecture to a Level That Exposes Every Possible Attack

Surface

5.4.2 Filter Out Threat Agents Who Have No Attack Surfaces Exposed to Their Typical

Methods

5.4.3 List All Existing Security Controls for Each Attack Surface

5.4.4 Filter Out All Attack Surfaces for Which There Is Sufficient Existing Protection

5.5 Data Sensitivity

5.6 A Few Additional Thoughts on Risk

5.7 Possible Controls

5.7.1 Apply New Security Controls to the Set of Attack Services for Which There Isn’t

Sufficient Mitigation

5.7.2 Build a Defense-in-Depth

5.8 Summary

Chapter 5: Summary

Information assurance is achieved when information and information systems are

protected against attacks through the application of security services such as availability, integrity, authentication, confidentiality, and nonrepudiation. The application of these services should be based on the protect, detect, and react paradigm.

This means that in addition to incorporating protection mechanisms, organizations need to expect attacks and include attack detection tools and procedures that allow them to react to and recover from these unexpected attacks.

5.1 Process Review

At the highest level, an assessment follows the mnemonic, ATASM:

Architecture ➤ Threats ➤ Attack Surfaces ➤ Mitigations

Figure 5.1 shows the ATASM flow graphically. There are architecture tasks that will help to determine which threats are relevant to systems of the type under assessment.

Figure 5.1 Architecture, threats, attack surfaces, mitigations.

5.1.1 Credible Attack Vectors

Credible attack vector: A credible threat exercising an exploit on an exposed

vulnerability.

Recalling the risk term discussion from Chapter 4, a CAV encapsulates the three threat sub-terms into a single expression:

Threat

Exposure

Vulnerability

Risk is the critical governing principle that underlies the entire risk assessment and threat modeling process. Ultimately, we must mitigate those computer attacks that are likely to impinge upon the use of the system under assessment and upon efforts to obtain the objectives of the organization.

5.1.2 Applying ATASM

Table 5.1 summarizes the typical background information an assessor brings to an assessment. These topics have been arranged with the “3 S’s” merely for convenience and to provide an ordering principle.

No matter how one may choose to order these topics, it remains that before beginning an ARA and threat model, one will need to have examined the current threat landscape into which the system will be deployed.

5.1.2 Applying ATASM – Cont.

Figure 5.2 orders those steps by the high-level ATASM abstraction. That is, architecture steps are followed by threat-related tasks. The results of these are applied to an enumeration of attack surfaces, which, when prioritized, can then be defended by building a set of risk mitigations, a defense-in-depth of security controls.

Each of the steps outlined in Figure 5.2 is, of course, what developers call a “nontrivial” activity.

5.2 Architecture and Artifacts

Part of understanding a system architecture is to understand the system’s overall functions and what objectives deploying the system is hoping to achieve. An assessment should start at the beginning by determining the system’s intended purpose and how it fits into the overall goals of the deploying organization and its users. This information will “ground” the architecture into the real world and will place the architecture within its intended context.

5.2.1 Understand the Logical and Component Architecture of the System

The logical architecture represents each logical function that will be in the system. These groupings are irrespective of how many individual units of each function get instantiated and irrespective of the physical architecture. Generally, that there are computers (servers?) and operating systems is assumed and not detailed; the physical network addresses assigned to each network interface are unimportant in the logical view. Instead, functions like business logic versus the presentation versus back office accounting systems versus databases are separated out. It is assumed that all of these are connected by some sort of network architecture.

5.2.1 Understand the Logical and Component Architecture of the System – Cont.

The logical architecture was actually a standard three-tier web architecture, with very strict rules between layers, bidirectional authentications across trust boundaries, valued resource protected by bastion systems that terminated and then validated traffic before passing across trust boundaries, and similar protections. Looking only at the physical architecture would not properly represent the way that traffic flowed and the trust boundaries that existed. It was the logical architecture that appeared to separate out the firewalls (and restrictions) of each layer and that demonstrated how traffic flowed or was stopped. All of this was performed by a group of multifunction switches with different blade inserts for the various functions that implemented the logical architecture.

5.2.2 Understand Every Communication Flow and Any Valuable Data Wherever Stored

Figure 5.4 AppMaker DFD with data types.

Data types have been added to the AppMaker diagram to create Figure 5.4. There is a co-located repository containing various types of static content to be served to users (customers). Moving further back in the architecture, every application server must contain configuration data and metadata about the applications that the server is running. Usually, but not always, there is local disk storage, or readily available storage for this application server–specific data.

5.3 Threat Enumeration

We need to understand the attackers in order to know which of them apply to any particular system. And in order to prioritize attack surfaces and attack targets, we need to be able to calculate the risk of any particular attack occurring.

These higher-priority areas are characterized by the existence of threat agents who have the motivation and capabilities to take advantage of likely methods that will lead them to their objectives – and will in turn cause unacceptable losses . . .

5.3.1 List All the Possible Threat Agents for This Type of System

The motives of these undirected attack sweeps are varied; many of these sweeps are conducted by criminal organizations or independent attackers. But there are many other reasons for running constant vulnerability sweeps, as well. Increasing one’s skill as a security tester is certainly among these reasons. Every sweep is not conducted by criminals, though, in many jurisdictions, conducting such a sweep is illegal.

5.3.1 List All the Possible Threat Agents for This Type of System – Cont.

There is one additional threat agent with which most public sites and products must contend. Calling security researchers “threats” is somewhat of a misnomer and might be perceived by researchers as an insult? No insult is intended. Still, if an organization is on the receiving end of vulnerability research, the impact to reputation and brand

may be approximately the same as what can occur following a successful compromise of systems or data.

5.3.1 List All the Possible Threat Agents for This Type of System – Cont.

There is one additional threat agent with which most public sites and products must contend. Calling security researchers “threats” is somewhat of a misnomer and might be perceived by researchers as an insult? No insult is intended. Still, if an organization is on the receiving end of vulnerability research, the impact to reputation and brand

may be approximately the same as what can occur following a successful compromise of systems or data.

5.3.1 List All the Possible Threat Agents for This Type of System – Cont.

Essentially, researchers need to find vulnerabilities. They need to find tricky vulnerabilities and then must publish the research. It doesn’t really matter if the vulnerability can result in significant loss for the organization owning the problem. The actuality of an impact does not play a big part of the research equation. Any organization that has had to deal with a well-publicized stunt hack against one of the organization’s systems will know full well that the media attention of the research did not benefit the public image of the organization, especially if that organization’s customers expect a certain level of security from the organization.

5.3.2 List the Typical Attack Methods of the Threat Agents

Spending months or years creating a new method to execute a series of randomly placed instructions in a program to create an attack simply isn’t worth the effort: The research and development costs are too high. At the time of the writing of this book, so called “gadget” programs take too much time. Running gadgets culled by finding bits of

code within widely distributed applications is much more likely to fall into the category of “stunt hack.” Cyber criminals are probably not going to waste their time unless there was a readily available tool (even if on the black market) that would make this attack trivial.

5.3.3 List the System-Level Objectives of Threat Agents Using Their Attack Methods

For many exploits there is a system-level objective that must be attained in order to prosecute the attack to its goal. For security researchers, the system-level objective— that is, getting a piece of scripting code (javascript) to execute in the user’s browser, or

gaining system-level privileges—will be sufficient to prove vulnerability. No more need be accomplished.

5.3.3 List the System-Level Objectives of Threat Agents Using Their Attack Methods

The subsequent entries in Table 5.3 are drawn from OWASP.org Top 10. In order to gain a place in the list, an attack method has to be one of the most popularly executed as well as used on a regular and continuing basis. When we analyzed cyber criminals, we noted their predilection for well-known and proven attack methods. The OWASP Top 10 list is representative of the most often used attacks on the Internet. Since the Web-Sock-A-Rama site is a typical web store, it will be subjected to attacks drawn from the OWASP Top 10 list, at the very least. Security researchers will also attempt well-known attack methods in order to find and report vulnerabilities.

5.4 Attack Surfaces

In the ATASM process, we try to enumerate all the attack surfaces before we categorize the importance of each surface. It’s useful to avoid the prioritization process during enumeration. Think of it as an attack surface brainstorm: Any discussion about the legitimacy or fitness of an attack surface tends to bog down the enumeration into too many details. In this way, the natural flow resulting from nonjudgmental observation is broken. It’s easy to miss an attack surface, especially when it seems inconsequential, or perhaps that function just seems to be “part of the running program.” For that very reason, getting a good flow of nonjudgmental inspection can help to uncover all the attack surfaces. Prioritization can come later, once everything has been uncovered. In the process being described in this chapter, we simply enumerate all the attack surfaces and try to avoid discussion of their importance and exposure until a later step.

5.4.1 Decompose (factor) the Architecture to a Level That Exposes Every Possible Attack Surface

When hunting for attack surfaces, it’s important to understand the trust boundaries that exist between components in the architecture. Figure 5.5 adds three dashed-line divisions to the AppMaker-based, Web-Sock-A-Rama online store. The three lines represent one possible set of boundaries, based upon industry-standard, three-tier web architecture.

5.4.1 Decompose (factor) the Architecture to a Level That Exposes Every Possible Attack Surface – Cont.

An integrated web server collapses the web tier and application server tier into a two-tiered architecture. Following the security principles, defense-in-depth and fail securely, the three-tier architecture is usually considered a more defensible approach. Web-Sock-A-Rama, as depicted in Figure 5.5, demonstrates the more standard three-tier web architecture.

Figure 5.5 Web-Sock-A-Rama trust boundaries.

23

5.4.1 Decompose (factor) the Architecture to a Level That Exposes Every Possible Attack Surface – Cont.

Figure 5.6 An obvious attack surface.

Figure 5.6 adds an arrow to Figure 5.5 that points at the most obvious attack surface: the Web server’s Internet facing HTTP receiver. The Web server is open to all Internet traffic, which means that any attacker can probe it. The constant “doorknob rattling” sweeps of the Internet will surely find and investigate whatever interfaces are open and available to unrestricted traffic.

Once an interested attacker finds and catalogs the open HTTP port, then the fun really begins. Like web vulnerability scanners, the attacker will probe every reachable page with every attack variation possible.

5.4.1 Decompose (factor) the Architecture to a Level That Exposes Every Possible Attack Surface – Cont.

The injections for downstream destinations, such as LDAP and databases, are aimed at the application server code because that’s where the capability to pass on these attacks is typically found. These are then attacks against the application code. Contrast these injections with a Cross-Site Request Forgery (CSRF) attack. These attacks can be mitigated at several different layers, depending upon how session management is implemented in the website. Although many would consider this a vulnerability of the custom application code, depending upon how the infrastructure is set up, it may be that the application server handles user and transaction states. If so, then a CSRF vulnerability would lie in front of the application code.

25

5.4.2 Filter Out Threat Agents Who Have No Attack Surfaces Exposed to Their Typical Methods

Through the process of filling out Table 5.4, we have already filtered out a series of attacks that do not have an appropriate attack surface exposed to them. In fact, by attempting to apply attack methods to attack surfaces, we have even eliminated, or significantly reduced, a threat agent: security researchers. Security researchers’ stunt level hacks are unlikely since the attack surfaces required to execute these attacks are not exposed. To simplify the process in order to understand it, we didn’t list security researchers in any of the subsequent attack methods in Table 5.4.

26

5.4.3 List All Existing Security Controls for Each Attack Surface

In Table 5.4, the existing security controls are not shown. We have made a couple of assumptions for the sake of understanding the process. Namely, we’ve assumed that Web-Sock-A-Rama has a mature website management and administrative function. In previous chapters, we’ve listed what those functions typically are. This assumption provides the usual set of controls to the backend of our website.

27

5.4.4 Filter Out All Attack Surfaces for Which There Is Sufficient Existing Protection

Authentication is an interesting security control because, although it does reduce exposure to only those who’ve been authenticated, there are plenty of techniques an attacker can use to get an account, depending upon the site: steal or crack weak credentials, or perhaps simply sign up for the free version. In addition, once a site or system implements authentication, it now has another system that will need protection! Authentication systems are often considered critical, thus requiring tight security control: a high security posture. Implementing authentication adds significant complexity to the security requirements of the system.

28

5.4.4 Filter Out All Attack Surfaces for Which There Is Sufficient Existing Protection – Cont.

29

5.5 Data Sensitivity

Data classification is a key component of risk, both for assessing impact and for understanding likely targets in a system. As has been explained earlier, attackers often string more than one attack method together in order to achieve their objectives. An attacker might execute an SQL injection against the payment card database, thereby gaining financial information, if applications accepting user input were poorly written such that SQL injection to databases were allowed.

Data sensitivity mustn't become the sole measure of CAV or impact. Each of these risk terms are multidimensional; terms shouldn’t be reduced in a simplistic way or assessments will suffer by possibly excluding other key factors.

30

5.6 A Few Additional Thoughts on Risk

The goal of risk calculation during ATASM is to identify those CAVs whose lack of mitigation will prevent reaching the intended security posture. Concomitantly, there is an imperative to limit the number of risk treatments to that which is affordable, that which is doable. Few organizations can “do it all.” Hence, there has to be a process to eliminate unlikely attacks while prioritizing the most dangerous ones for mitigation.

31

5.7 Possible Controls

Due to the realities of email impersonation and payment card theft, an authentication based upon these factors isn’t really worth much, which leaves our Web-Sock-Arama website without much attack mitigation based upon authentication. Obviously, the organization’s security team will have their hands full with fraud attempts, operationally removing fraudulent and fake accounts as soon as malicious behavior is observed. Still, at account initialization, there isn’t much that can be done.

32

5.7.1 Apply New Security Controls to the Set of Attack Services for Which There Isn’t Sufficient Mitigation

Table 5.6 adds defenses to each of the attack methods that we enumerated in previousATASM steps. These are the five attacks and their associated attack surfaces (the CAVs) that we believe are applicable to this system, in this organizational context. (Continued on following page 167 – Prepare for Assessment)

33

5.7.2 Build a Defense-in-Depth

Because the system handles sensitive data from users originating from the untrusted

Internet, the Transport Layer Security (TLS), most often implemented as HTTPS,

must be used between the user’s browser and the web server, at least for sensitive data

transmission. Some architectures would also require TLS (or more properly, communication encryption of some sort) between the web server and the application server, and perhaps even between the application server and the database server? We assumed that the networks in this system are tightly controlled through a mature administrative practice. Therefore, the networks can be considered a trusted infrastructure. Since we’ve separated out three tiers, and there is only a single piece of trusted networking equipment separating each tier (a new assumption and requirement), the store doesn’t feel the need to encrypt the data as it moves between tiers.

34

5.8 Summary

Defenses are applied such that these specifically interrupt each CAV, as was discussed in the chapter on risk. Then, the entire set of defenses is considered as a set of overlapping, interlocking, and supporting defenses to build enough redundancy to create a defense-in-depth. The security requirements should be achievable, relevant, and “real world.”

ATASM has been presented as a series of linear steps. However, in practice, an assessment might proceed to requirements and uncover a previously unknown part of the system, thus returning to the architecture stage of the process. Ultimately, the goal of the ARA and threat model is to achieve a unity between security posture and intended risk tolerance, to achieve balance between defenses and resource limitations.

35