Threat Analysis - UMBC Center for Information Security and Assurance

Threat Analysis
Natalie Podrazik
February 27, 2006
CS 491V/691V
Overview
• Definitions
• Representation
• Challenges
• “The Unthinkable”
• Strategies & Recommendations
Natalie Podrazik – natalie2@umbc.edu
Background
• What is threat analysis?
– Potential Attacks/Threats/Risks
– Analysis
– Countermeasures
– Future Preparations
• NIST’s “Introduction to Threat Analysis
Workshop”, October 2005
Stakes
• People
– Voters
– Candidates
– Poll Workers
– Political Groups
– Developers
– Board of Elections
– Attackers
– More...
• Voting: A System of...
– IT
– American Politics
– Duty
– Trust
– Inclusion
– Safety
– Process
– Precedence...if it works
Means of Representation
General tactic:
– Identify possible attackers
– Identify goals of attacker
– Enumerate possible ways to achieve goals
– Locate key system vulnerabilities
– Create resolution plan
Attack Tree
• Bruce Schneier, Dr. Dobb’s Journal, 1999:
– Used to “model threats against computer systems”
• Continual breaking down of goals and means to achieve them
[Figures: Simple Example; Cost propagation; Multiple Costs]
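An added example, not part of the original slides: a minimal attack tree with AND/OR nodes that propagates leaf costs up to the root goal and carries a second attribute (insider access). The names `Node`, `cheapest` and `TREE`, the tree shape, and all cost figures are constructed for illustration; some leaf labels borrow scenario titles from the slides.

```python
from dataclasses import dataclass, field
from math import inf

@dataclass
class Node:
    label: str
    kind: str = "LEAF"      # "LEAF", "OR" (any child suffices), "AND" (all children needed)
    cost: float = 0         # leaf only: estimated attacker cost, arbitrary constructed units
    insider: bool = False   # leaf only: second attribute, requires insider access
    children: list = field(default_factory=list)

def cheapest(node, allow_insider=True, blocked=frozenset()):
    """Propagate leaf costs to `node`; return (cost, leaves on the cheapest path)."""
    if node.kind == "LEAF":
        if node.label in blocked or (node.insider and not allow_insider):
            return inf, []                      # leaf is unavailable to this attacker
        return node.cost, [node.label]
    results = [cheapest(c, allow_insider, blocked) for c in node.children]
    if node.kind == "OR":                       # attacker picks the cheapest alternative
        return min(results, key=lambda r: r[0])
    total = sum(cost for cost, _ in results)    # AND: every sub-goal must be achieved
    if total == inf:
        return inf, []
    return total, [leaf for _, leaves in results for leaf in leaves]

# Constructed tree and costs (illustrative only, not taken from the slides).
TREE = Node("Change the reported tally", "OR", children=[
    Node("Chain Voting", cost=40),
    Node("Tampered optical scanner", "AND", children=[
        Node("Replaceable firmware on Optical Scanners", cost=60),
        Node("Poll worker cooperation", cost=20, insider=True),
    ]),
    Node("'Oops' code", cost=30, insider=True),
])

if __name__ == "__main__":
    print(cheapest(TREE))                         # any attacker
    print(cheapest(TREE, allow_insider=False))    # outsider only
    # Effect of countermeasures that close off the two cheapest leaves:
    print(cheapest(TREE, blocked={"'Oops' code", "Chain Voting"}))
```

Passing a set of leaf labels as `blocked` shows how far a given countermeasure raises the minimum cost of reaching the root goal, which is one way to rank where to spend defensive effort.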
Attack Tree Evaluation
• Creation
– Refining over time
– Realistic costs
• Advantages
– Identifies key security issues
– Documenting plans of attack and likelihood
– Knowing the system
• Disadvantages
– Amount of documentation
– Can only ameliorate foreseen circumstances
– Difficult to prioritize/quantize factors
[Figure: Shortened version of an Attack Tree for the interception of a message sent with a PGP header.]
Other Means of Representation
• Threat Catalog – Doug Jones
– Attacks -> vulnerabilities -> analysis of defense
– Challenges
  • Organization
  • Technology
  • Identity
  • Scale of Attack
• Fault Tree Analysis
– Ensures product performance from software
– Attempts to avoid single-point, catastrophic failures
Challenges
• Vulnerabilities
– System
– Process
• Variety of possible attacks
• New Field: Systems Engineering
• Attack Detection
• Attack Resolution
-> too many dimensions to predict all possibilities, but we’ll try to name a few…
“The Unthinkable”, Part 1
1. Chain Voting
2. Votes On A Roll
3. The Disoriented Optical Scanner
4. When A Number 2 Pencil Is Not Enough
5. ...we found these poll workers where?
“The Unthinkable”, Part 2
6. This DRE “fell off the delivery truck”...
7. The Disoriented Touch Screen
8. The Confusing Ballot (Florida 2000 Election)
9. Third Party “Whoopsies”
10. X-ray vision through walls of precinct
“The Unthinkable”, Part 3
11. “Oops” code
12. Do secure wireless connections exist?
13. I’d rather not have your help, thanks...
14. Trojan Horse
15. Replaceable firmware on Optical Scanners
“The Unthinkable”, Part 4
16. Unfinished vote = free vote for somebody else
17. “I think I know what they meant by...”
18. Group Conspiracy: “These machines are
broken.”
19. “That’s weird. It’s a typo.”
20. Denial of Service Attack
My Ideas...
• Write-in bomb threat, terrorist attack, backdoor
code
• Swapping of candidate boxes (developers) at last
minute on touch-DRE; voters don’t know the
difference
• Children in the voting booth
Strategies & Recommendations
• Create Fault Trees to counter Attack Tree goals using the components set forth in Brennan Study
• Tamper Tape
• Use of “independent expert security team”
– Inspection
– Assessment
– Full Access
• Use of “Red Team Exercises” on:
– Hardware design
– Hardware/Firmware configuration
– Software Design
– Software Configuration
– Voting Procedures (not hardware or software, but people and process)
Conclusions
• Attack Trees
– Identify agents, scenarios, resources, system-wide
flaws
• Challenges: dimensions in system analysis
• Unforeseen circumstances
• Independent Team of Experts, but how expert
can they be?
Works Cited
1. All 20 “The Unthinkable” scenarios available at: http://www.vote.nist.gov/threats/papers.htm
2. Goldbrick Gallery’s 25 Best Editorial Cartoons of 2004. Online: http://www.goldbrickgallery.com/bestof2004_2.html
3. Jones, Doug. “Threat Taxonomy Overview” slides, from the NIST Threats to Voting Workshop, 7 October 2005. Online: http://www.vote.nist.gov/threats/Jonesthreattalk.pdf
4. Mell, Peter. “Handling IT System Threat Information” slides, from the NIST Threats to Voting Workshop, 7 October 2005. Online: http://www.vote.nist.gov/threats/mellthreat.pdf
5. “Recommendations of the Brennan Center for Justice and the Leadership Conference on Civil Rights for Improving Reliability of Direct Recording Electronic Voting Systems”: http://www.brennancenter.org/programs/downloads/voting_systems_final_recommendations.pdf
6. Wack, John, and Skall, Mark. “Introduction to Threat Analysis Workshop” slides, from the NIST Threats to Voting Workshop, 7 October 2005. Online: http://www.vote.nist.gov/threats/wackthreat.pdf
7. Wikipedia Entry for fault tree: http://en.wikipedia.org/wiki/Fault_tree