MADEIRA WP6 Deliverable Document

Initial Madeira Risk Assessment
MAD-WP6-DD-0002-01

PROJECT CONFIDENTIAL

Author(s): Luis Miguel Simoni (SGI), Julio Vivero (SGI)
Date: 8/30/2006
Pages: 16

Table of Contents

Index of Tables
0 Document Information
  0.1 Document History
  0.2 Keywords
  0.3 Glossary and Abbreviations
  0.4 Purpose of the Document
  0.5 Project Internal References
  0.6 External References
  0.7 Relationship to Other Documents
  0.8 Open Issues
1 Executive Summary
2 Introduction
3 Methodology Description
4 Initial Madeira Security Risk Identification Analysis
5 Initial Madeira Security Risk Assessment Result
6 Critical-to-Security Matrix
7 Conclusions
8 References
9 Abbreviations

Index of Tables

Table 1: Document History
Table 2: Glossary and Abbreviations
Table 3: Project Internal References
Table 4: External References
Table 5: Open Issues

Index of Figures

Figure 1: Madeira Security problems and effects
Figure 2: Initial Madeira security risk assessment results

0 Document Information

0.1 Document History

| Issue | Date | Comments | Editor |
|---|---|---|---|
| 0.1 | 30/08/2006 | Initial deliverable draft | J. Vivero |

Table 1: Document History

0.2 Keywords

MADEIRA, P2P, Network Management, Security, Risk assessment

0.3 Glossary and Abbreviations

This glossary and abbreviations list only explains items specific to this document. All other items are explained in the Madeira Project Glossary [GLOSS].

| Term | Explanation |
|---|---|
| DS | Directory Service |
| MDM | Madeira Distributed Management element |
| NBI | North-Bound Interface |
| NE | Network Element |
| OLSR | Optimized Link State Routing |
| OSS | Operating Support System |

Table 2: Glossary and Abbreviations

0.4 Purpose of the Document

The purpose of this document is to provide an objective metric of the initial security risk of the Madeira system.

0.5 Project Internal References

| Short Code | Document Reference |
|---|---|

Table 3: Project Internal References

0.6 External References

| Short Code | Document Reference |
|---|---|

Table 4: External References

0.7 Relationship to Other Documents

0.8 Open Issues

| Number | Description |
|---|---|
| 1 | - |

Table 5: Open Issues

1 Executive Summary

Two risk assessments are carried out in Madeira, one at the beginning and one at the end of the project. The reasoning is, on the one hand, to state clearly and objectively the starting point of the project from the security point of view and, on the other hand, to have an objective metric that allows us to evaluate the progress achieved during the project.

The results obtained show that confidentiality and integrity are the most important types of risk in this initial assessment of the Madeira system. Most of the risks are linked to identity spoofing within the network, particularly spoofing the identity of an MDM or of an OLSR router. This initial assessment shows, as expected, the high security risk of Madeira, as no prevention mechanisms or countermeasures have been implemented yet.

2 Introduction

To develop the risk assessment of the Madeira framework we considered several methodological approaches. After an internal evaluation of some of them, we opted for a failure-effect-like approach to evaluating the security risks of the Madeira system. The main reason for following that approach is that it provides a simple method for assessing security as a property of the Madeira platform. It has allowed us to identify the main security problems in Madeira and to assess those problems against different criteria.
Moreover, the result of this methodology is a risk number which can be used, first, to compare the progress brought about by the work carried out in the security work package and, second, to identify those problems with a higher risk, where special attention should be paid.

The document is structured as follows. Chapter 3 describes the main steps of the methodology used. Chapter 4 presents the main security problems identified in the platform, grouped by their effects, in the form of an Ishikawa diagram. Chapter 5 presents the risk assessment results, which are then re-organised by criticality in chapter 6. Finally, chapter 7 presents some conclusions from the assessment.

3 Methodology Description

The methodology we have followed to assess the security risks of the Madeira platform is based on a failure-effect-like approach. Its main steps are the following:

- First, we hold a brainstorming session to identify security problems in the Madeira system.
- Then, we iteratively group the security problems identified by their effect until we reach the final effect: a security problem in the Madeira system. We present this analysis as an Ishikawa diagram.
- Next, we evaluate the security problems identified against three criteria: likelihood, severity and difficulty of detection.
- From this evaluation we obtain a security risk number for each of the security problems identified. By averaging these numbers we obtain the security risk number for each effect, until we reach the security risk value of the whole Madeira platform.
- The final step is to order the security problems by their risk, to identify those that are most critical and focus the project efforts on protecting against those first.

The initial Madeira risk value obtained will be used to evaluate the enhancement achieved by the security mechanisms designed and implemented during the project, by comparing it with the final Madeira risk value.

4 Initial Madeira Security Risk Identification Analysis

The figure below shows the main security risks identified for the Madeira system.

Figure 1: Madeira Security problems and effects

5 Initial Madeira Security Risk Assessment Result

The figure below shows the evaluation of the security risks identified in the previous section and the initial Madeira security risk value. This value is calculated as the product of the Likelihood, Severity and Difficulty of Detection numbers:

Figure 2: Initial Madeira security risk assessment results

6 Critical-to-Security Matrix

The following table shows the identified Madeira security risks ordered by decreasing risk value.

| Type of security problem | How can it fail? | Risk priority number |
|---|---|---|
| Confidentiality | A malicious OLSR node sniffs network traffic | 900 |
| Confidentiality | A malicious MDM sniffs network traffic | 810 |
| Integrity | A malicious OLSR node modifies network traffic | 630 |
| Integrity | A malicious MDM modifies network traffic | 560 |
| Integrity | Configuration commands for a legacy NE are modified | 392 |
| Integrity | Time service messages are modified | 378 |
| Integrity | Cluster construction notifications are modified | 378 |
| Integrity | Madeira notifications are modified | 378 |
| Integrity | Malicious modification of DS information | 315 |
| Integrity | A malicious OSS introduces false policies through the NBI | 288 |
| Integrity | A malicious MDM continuously re-sends clustering notifications | 280 |
| Availability | One or more users flood the network | 270 |
| Availability | One or more users flood a particular MDM | 216 |
| Confidentiality | Legacy NE commands are sniffed | 210 |
| Availability | A malicious MDM drops packets | 189 |
| Availability | Cluster structuring packets are dropped | 189 |
| Integrity | The network is flooded with false alarms | 189 |
| Integrity | Alarms are continuously provoked | 168 |
| Availability | A malicious node floods legacy NE | 126 |
| Availability | A malicious node floods the Directory Service | 126 |
| Confidentiality | Unauthorized access to the Directory Service | 120 |
| Availability | A malicious OLSR node drops all packets | 90 |
| Availability | A malicious OSS floods the NBI | 42 |

Table 6: Critical-to-Security Matrix

To give a more graphical view of the relative criticality of the security problems identified, we include the following figure:

Figure 3: Critical-to-Security Matrix figure (vertical axis: RPN, 0 to 900)

7 Conclusions

From the Madeira security risk assessment results shown in the previous chapter we can draw a number of conclusions.
The first one is that the initial security risk assessment value in Madeira, 315, is the highest possible value if we take into account that no security mechanism is yet implemented. However, we should not put the stress on the value obtained, whether it is higher or lower, but on its trend when compared with the value obtained in the final assessment. To have an objective trend value, both assessments have to be carried out by the same people, applying the same rating approaches.

To obtain this value we have identified a number of possible security risks of the platform and grouped them into three main types of security effect on the service offered by Madeira:

1. Lack of service confidentiality
2. Lack of service integrity
3. Lack of service availability

From the critical-to-security analysis in chapter 6 we observe that the first two types of problem, confidentiality and integrity, are the most critical in Madeira.

Another interesting conclusion is that identity spoofing is currently the most straightforward path to breaking the (non-existent) current security of Madeira. In particular, assuring the identity and authenticity of MDM and OLSR nodes within the network is critical to the system's security.

One last issue worth pointing out is the high risk value of the first four security problems. If we were able to reduce just these four risks by half, we would obtain a global security enhancement of 20%.

These results are an important input to our design and implementation work, since they point to the aspects on which we should focus our solution to obtain the best benefit (i.e., reduce the risk of the Madeira system to the maximum extent) from our effort.

8 References

9 Abbreviations
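
The averaging described in chapter 3 and the two figures quoted in chapter 7 (the platform value of 315 and the 20% gain from halving the four highest risks) can be recomputed from Table 6. The following Python is an added example, not part of the original deliverable; it assumes the platform value is the unweighted mean of all 23 risk priority numbers, since the intermediate groupings of the Ishikawa diagram are not reproduced on the page.

```python
from statistics import mean

# Risk priority numbers copied from Table 6, grouped by type of security problem.
# Each one is Likelihood x Severity x Difficulty of Detection; the three factor
# ratings are not given on the page, so only the products are used here.
TABLE6 = {
    "Confidentiality": [900, 810, 210, 120],
    "Integrity": [630, 560, 392, 378, 378, 378, 315, 288, 280, 189, 168],
    "Availability": [270, 216, 189, 189, 126, 126, 90, 42],
}


def effect_risk(table):
    """Mean RPN of the problems grouped under each effect."""
    return {effect: mean(rpns) for effect, rpns in table.items()}


def platform_risk(table):
    """Assumption: platform value = unweighted mean over every problem."""
    return mean([rpn for rpns in table.values() for rpn in rpns])


def scale_top(table, n, factor):
    """Copy of the table with the n highest RPNs multiplied by factor."""
    ranked = sorted(
        ((rpn, effect, i) for effect, rpns in table.items()
         for i, rpn in enumerate(rpns)),
        reverse=True,
    )
    scaled = {effect: list(rpns) for effect, rpns in table.items()}
    for rpn, effect, i in ranked[:n]:
        scaled[effect][i] = rpn * factor
    return scaled


def improvement(before, after):
    """Relative reduction of the platform risk value."""
    return 1 - platform_risk(after) / platform_risk(before)


if __name__ == "__main__":
    for effect, value in effect_risk(TABLE6).items():
        print(f"{effect:16s} {value:6.1f}")
    print(f"Platform risk    {platform_risk(TABLE6):6.1f}")
    halved = scale_top(TABLE6, 4, 0.5)
    print(f"Top 4 halved     {platform_risk(halved):6.1f} "
          f"({improvement(TABLE6, halved):.1%} lower)")
```

Under this assumption the per-effect means are 510 for confidentiality, about 360 for integrity and 156 for availability, which agrees with the ordering of the three effect types given in chapter 7.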