Auditing Networks, Perimeters and Systems

Time-Based Security and STAR
Copyright 2001 Marchany
Unit 2: TBS & Star –
Theory and Practice
TBS – Time Based Security
STAR – Security Targeting and Analysis of Risk
How the day is going to go
 Morning – Principles and Theory
– Audit Process and Goals
– Time Based Security
– Putting it all together
 Afternoon – Audit in the Real World
– Using CIS Rulers to build audit plans
– Applying the process to systems
– Putting it all together
The Course Goals
 Construct a Security Checklist for your site.
– Unix
– NT
 Use this methodology to develop a response to your
internal auditors.
 Have a repeatable method of defining the $$$ cost of
implementing security features at your site.
– This method can be used over time to show trends
 Develop a set of reports/matrices that can be used to
quickly identify the security status of a host at your site.
The General Audit Process
 Audit Planning
– Review pertinent background info, research policies,
prepare the audit program
 Entrance Conference
– Meet w/IS group leaders to let them know what is
going on and find out if there any specific areas to
check.
 Fieldwork
– Visiting the IS systems and performing the steps listed
in the audit program on a sample of systems.
The General Audit Process
 Preparing the Audit Report
– The report should:
• State what was done
• State the results of these actions
• Present recommendations
• Include in the appendices the audit checklists used to collect the data.
 The Exit Conference
– Meet with the people from step 2 and review the results w/them.
This is the time to clear up any misunderstandings. Refine the audit
report and prepare the recommendations paper.
 Report to Upper Management (CEO, CFO, CIO, VP)
– Present a summary report of the audit. Provide recommendation
and implementation cost estimates.
The Auditor’s Goals
 Ensure assets are protected according to
company, local, state and federal regulatory
policies.
 Determine what needs to be done to ensure
the protection of the above assets.
 Make life miserable for sysadmins…:-)
– Not really. They can save a sysadmin if a
problem occurs.
The Sysadmin’s Goals
 Keep the systems up.
 Keep users happy and out of our hair.
 Keep auditors at arms’ length.
 Get more resources to do the job properly.
 Wear jeans or shorts to work when everyone
else has to wear suits…….
The Sysadmin’s Audit Strategy
 Turn a perceived weakness (the audit) into
a strength (security checklists).
 Develop a set of reporting matrices that can
be used as audit reports or justification for
security expenditures.
 The above info can be used to help develop
your incident response plan.
Time Based Security
 The Time Based Security Model provides:
• A methodology that a security officer can use to
quantifiably test and measure the effectiveness of
security measures.
• A set of matrices/reports that can be used by
security professionals to assign a $ value to the cost.
This figure can be given to mgt. to help them
prioritize their security expenditures.
• Winn Schwartau’s book describes TBS. The
following slides discuss his methodology.
Time Based Security
 Schwartau’s Simple Formula for TBS
– Protection (P) - the bank vault
– Detection (D) - the alarm system
– Reaction (R) - the police
 Pt > Dt + Rt
• Pt - the amount of time the Protection system works
• Dt - the amount of time needed to detect the attack
• Rt - the amount of time needed to react to the attack
Time Based Security
 Pt > Dt + Rt (TBS Law)
– If the amount of protection time (Pt) you offer is greater
than the sum of the detection time (Dt) and reaction
time (Rt), then your systems can be considered secure.
– If the detection & reaction times are very fast then
you don’t need as strong a Protection mechanism.
 KEY: detect anomalous activity and respond
ASAP!
Time Based Security
 TBS Corollary
– P < D + R
 If it takes longer to detect and respond to an
intrusion than the amount of protection time
afforded by the protection device, P, then
effective security is impossible.
 Look at specs for each of the components in
your network architecture.
Time Based Security
 If Pt = Dt + Rt, then Pt implies an
Exposure Time, E.
– E=D+R
 You want D+R -> 0. As your detection &
reaction speeds increase, the need for strong
Protection decreases. Hmmm…...
 Fortress mentality dictates that P must be
extremely high because D+R is really slow
or non-existent.
Measuring Security
 Measure D+R (sec/min/hrs/day)
 Assume the best: active logging, good AUP
(Acceptable Usage Policy), decent IRP (Incident
Response Policy)
• How long does it take to detect an event? (D=x)
• How long to notify affected parties? How long for them to
analyze and respond? (R=y) Out of office? Out to lunch? How
long to answer page?
– How much damage could be done in D+R time?
TBS Methodology
 Assume P=0. Build the following matrix:
– Detection systems in place? No, then D= , E= and you have 100% exposure (E).
– Reaction system in place? No, then R= , E= and you have 100% system exposure (E).
– How long does the detection mechanism take to detect an attack? Answer in sec/min/hrs.
TBS Methodology - Detection
– Once an attack is detected, how are you notified?
Logs? Pager? Phone? Future audit trails?
– How long does the above take? (sec/min/hr/day)
• Sitting at your desk: _________
• When you’re at lunch: _______
• Break time: _______
• Headed home: _______
• Sleeping: _______
• At the movies: _______
TBS Methodology - Reaction
– Once notified, how long does it take to do
something about it? (sec/min/hrs/day)
• Sitting at your desk: _______
• At lunch: _______
• On break: _______
• Headed home: _______
• Sleeping: _______
– How long does it take to determine the
cause/effect/solution? Include other folks.
• Onsite: _____
• Offsite: _____
TBS Methodology - D+R
– Severe Attacks: How long does it take to get
permission to take any/all steps to protect the
net/assets including shutting them down? _____
 Add the best-case numbers: ______ s/m/h
 Add the worst-case numbers: _____ s/m/h
 Exposure Time (E) = ______ (best case) to _____ (worst case)
Measure Exposure Time - E
 Rule of Thumb: Bw/10/bits = Bw/bytes
• Example: T-1: 1.54 Mb/s -> 154 KB/s = 9.2 MB/min
 This gives: File Size/Bandwidth = Required Attack Time,
or MB/(Mb/s) = Attack Time, or
F/Bw = T = E (Exposure Time)
 If the goal is file theft, the size of the target
file F divided by the max. bandwidth of the
network path Bw determines the amount of
time T needed to get the info.
Measure Exposure Time - E
 This is 1 measure of risk. Info theft can be
measured using T + intrinsic value of info.
Remember Bw could be data transfer rates
of floppy or tape drives.
 Example: A net has Exposure Time
E = (D+R) = 10 minutes and a tape drive
with a transfer rate of 6 GB/hr.
• T = 10 minutes = 1/6 hr, Bw = 6 GB/hr, F = Bw*T =
1 GB of data could be stolen before
detection/reaction kills the attack.
Measure Exposure - External
 Bandwidth limiting is an effective
response method.
 Data Padding: pad the critical files so their
size exceeds what Bw can move in time E. Using
the previous example:
– E = 10 min, Bw = 6 GB/hr.
• File Size = (1/6 hr) * (6 GB/hr) = 1 GB = F
• All critical files should be padded to 1 GB.
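As an added worked example (not from the course slides), the TBS arithmetic of the last three slides in Python: E = D + R from a D+R worksheet, the TBS law Pt > Dt + Rt, and F = Bw*T for data theft and padding. The worksheet rows and their minute values are constructed for illustration.

```python
"""Time Based Security (TBS) arithmetic: E = D + R, the TBS law Pt > Dt + Rt,
and F = Bw * T for data theft and padding. Added example; the scenario
numbers below are constructed, not taken from the course."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One row of the D+R worksheet: where the responder is when the alarm fires."""
    name: str
    detect_min: float   # D: time for the detection mechanism to fire
    notify_min: float   # R part 1: time until a human is actually reached
    react_min: float    # R part 2: time to analyze, get permission, and act


def exposure_minutes(s: Scenario) -> float:
    """E = D + R, where R = notification time + reaction time."""
    return s.detect_min + s.notify_min + s.react_min


def tbs_secure(protect_min: float, s: Scenario) -> bool:
    """Schwartau's TBS law: the protection holds only if Pt > Dt + Rt."""
    return protect_min > exposure_minutes(s)


def exposure_range(scenarios) -> tuple[float, float]:
    """Best-case and worst-case E across the worksheet rows."""
    times = [exposure_minutes(s) for s in scenarios]
    return min(times), max(times)


def data_at_risk_gb(exposure_min: float, bw_gb_per_hr: float) -> float:
    """F = Bw * T with T = E: volume that can leave before D+R stops the attack.
    The same figure is the padding target for critical files."""
    return bw_gb_per_hr * exposure_min / 60.0


def attack_time_minutes(file_gb: float, bw_gb_per_hr: float) -> float:
    """T = F / Bw: time an attacker needs to move a file of size F over Bw."""
    return file_gb / bw_gb_per_hr * 60.0


# Constructed worksheet rows (minutes); the desk row reproduces the slide's 10-minute E.
SCENARIOS = [
    Scenario("sitting at desk", 1, 1, 8),
    Scenario("at lunch", 1, 30, 15),
    Scenario("sleeping", 1, 240, 60),
]

if __name__ == "__main__":
    best, worst = exposure_range(SCENARIOS)
    print(f"E ranges from {best:.0f} to {worst:.0f} min")
    for s in SCENARIOS:
        e = exposure_minutes(s)
        print(f"{s.name}: E={e:.0f} min, {data_at_risk_gb(e, 6.0):.2f} GB at risk "
              f"over a 6 GB/hr tape drive; 15 min of protection holds: {tbs_secure(15, s)}")
```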
TBS - Integrity Attacks
 Attacker’s Goal: make undetected,
unauthorized changes to data
 TBS analysis:
• Assume you’re an insider w/access to the net &
system. How long does it take you to manually get
to the target application? _____(s/m/h) How long
would a script take to do the same? ______(s/m/h)
• Once logged into that application, how long does it
take as a trusted user to make unauthorized changes
to those records? ______(s/m/h)
TBS - Integrity Attacks (cont)
• What steps would a knowledgeable user take to
cover their tracks? How long does it take to effect
those changes? _______ (s/m/h)
• Add up the times for manual & automatic
navigation.
– This gives a target maximum value for E and
provides a target guideline for D+R.
TBS - Measure the $ Damage
 Two Formulas: E=D+R, F/Bw=T
• If we know E, we can get F if E=T.
• If we know T, we can get E and D+R.
 Coordinate w/Auditors & Mgt. and ask:
• If a critical file gets out, what would be the financial
effect on the company?
• DoS attacks could cripple the company nets. What is
the hourly/daily cost to the company if this happens?
• What is our legal liability if client records or
employee records are compromised?
TBS Asset Organization
 Information Value
– Some info loses value over time. Example:
advance notification, Product announcements
– Some info’s value is still changing. Example:
idea before its time.
 4 Categories of Info Assets
• Company Proprietary - product designs, pricing
strategies, patents, source code, customer lists
• Private Employee - HR records, perf reviews, SSN
TBS Information Assets
 Information Asset Categories (cont)
• Customer Private - pricing info, purchase history,
non-disclosure info
• Partner/Gov’t - info assets that don’t fit into the
other categories
 Risk Categories
• Critical - if it gets out, we’re out of business
• Essential - Survivable but a major hit. It’ll hurt but
we can spin back to normal
• Normal - may be embarrassing, disruptive only
TBS Info Asset Matrices
Criticality          Critical    Essential    Normal
Co. Proprietary
Private Employee
Customer Private
Partner/Govt
 Prepare matrices listing each asset and risk.
 Use the matrices to build an affordable,
workable and maintainable security
environment.
 Prepare separate matrices for criticality (like
above), integrity and availability.
TBS Review Process
 Identify and categorize the Info assets
 Specify the logical locations of the assets
 Identify the physical locations of the assets
 The above info tells us:
• If critical assets are all over the place then your
defenses are spread out and cost more
• If you have a single point of failure.
• Negligible info is mixed in with Critical info.
 Some info has no place being on the net!
Layered TBS
 Assume your net has a Firewall, fully
patched OS on the DB server and an
application Password server (Oracle
passwords) in place.
 TBS variables
– E(db) – Overall Exposure time for the DB
– E(pw) – Exposure time for the Appl password
– E(os) – Exposure time for the server’s OS
– E(fw) – Exposure time for the FW
Layered TBS
TBS Equations:
E(db) = P(pw) + E(fw) + E(os)
E(os) > D(os)+R(os)
E(fw) > D(fw) + R(fw)
E(pw) > D(pw) + R(pw)
The intruder needs to overcome E(pw), E(fw) and E(os)
in order to get to the data E(db).
Layered TBS Conclusions
 All assets are NOT created equal and they
do NOT deserve equal protection.
 Asset distribution by physical and logical
separation is a security process but
performed under the network architecture
and topology banner
 Design the killing zones, in other words.
TBS Reaction Matrices
 Goal: make D+R as small as possible
– A smaller R reduces the reliance on a higher P value.
 R Components
– Notification - tells someone/something that a detection mechanism
was triggered. Schwartau’s 3am rule: “notify someone” means “tell
someone other than the boss who doesn’t want to be bothered at
3am” which increases the R time.
 Fill out the matrix with the target E, R or T times.
– This documentation is important since it helps mgt. understand the
quantitative nature of TBS.
 The matrix is based upon AUP, disaster recovery plans,
amount of risk the org is willing to take - measured in
EXPOSURE TIME - T
TBS Reaction Matrix - I
Notification Means - REACTION          Desired Time   Predicted Time   Measured Time
During Work Hours
  email to desk at peak traffic times
  email to desk at off-hours
  email when not at desk
  pager with return # or 911
  pager with full message
  phone call to desk
  notify 2nd in charge
Non Business Hours
  email to home
  email when not at home
  pager with return # or 911
  pager with full message
  phone call to home
TBS Reaction Matrix - II
Detected Event               Response             Desired Time   Measured Time
5 bad password attempts      Log/call sysadmin
Multiple Port Scan           Shoot person
Ping of Death                Reaction #30
The sysadmin represents the greatest room for error by
making R unacceptably high. Why? People hesitate to
make tough decisions like shut down part of a net.
The “sacrifice the pawn to save the king” strategy can
be very risky if you don’t have policies in place and MGT
support. Automated responses can eliminate this BUT I
saw “Colossus: The Forbin Project”…:-)
TBS Reaction Matrix
 Questions the Reaction Matrix should
answer:
• Is the attack real? What was the goal? Is it ongoing?
• Did the R-matrix come to the proper conclusion?
• Was the attack thwarted? Post-mortem analysis?
• What further steps are needed?
• Who did it?
 Must be empowered by mgt. and policy to
limit R. Necessary for TBS to work.
TBS - Evaluating Protection
 Previous slides used TBS to evaluate D+R.
 Applying E=D+R to Access Control (User Logins)
– E = max. amt. of time needed to accomplish proper
authentication.
– D = time needed to detect the authentication request and
determine its authenticity.
– R = time needed for the detection module to trigger a
PROCEED or STOP reaction.
 Applying E=D+R to Enterprise Audit Trails
– D = time needed for an audit tool to record, analyze, transmit
data.
– R = time it takes for the detection tool to trigger the reaction and
how long the reaction takes.