150 16. Information Sources
Observable information sources are most often represented using the classical interpretation of probability, meaning that they describe some event and the observed occurrence of this event. Here, uncertainty is associated with how representative the observations are of the actual facts. Observable information sources include, among other things, publicly available experience repositories, company confidential experience repositories, domain knowledge (facts), recommendations or best practice, standards (a collection of best practice), results from risk assessment, results from formal security verification, honeypot log-files, Intrusion Detection System (IDS) log-files and other types of log-files, such as firewall log-files.
Information from IDS and honeypots is a real-time information source and thus records information in real time. Such sources are useful both for deriving the misuse scenario and for estimating misuse occurrence frequencies and security solution effects. The latter can be done by employing two log periods, one before and one after the deployment of a security solution. There are many ways that information can be obtained from real-time information sources, and some examples are given in the following.
Snort, a real-time observable information source, is a freeware IDS that is frequently used both in academia and in industry. An example of Snort output for the Internet worm CodeRed is:
10/30-11:47:14.834837 0:80:1C:CE:8C:0 -> 0:10:60:DB:37:E5 type:0x800 len:0x3E
129.241.216.114:1203 -> 129.241.209.154:139 TCP TTL:125 TOS:0x0 ID:45447 IpLen:20 DgmLen:48 DF
******S* Seq: 0x6F12FE95  Ack: 0x0  Win: 0xFFFF  TcpLen: 28
TCP Options (4) => MSS: 1260 NOP NOP SackOK
The above is interpreted as follows:
{date}-{time} {source MAC address} -> {destination MAC address} {type} {length}
{source address} -> {destination address} {protocol} {TTL} {TOS} {ID} {IP length} {datagram length}
{flags} {sequence number} {acknowledgment} {window} {TCP length} {TCP options}
The above information from Snort is an example of transport layer logging (layer 4 in the OSI reference model and layer 3 in the TCP/IP protocol stack), in this case TCP. As with anti-virus software, Snort triggers alarms according to known signatures describing suspicious activity. By configuring the logging mechanism, Snort can be set up to monitor particular attacks, such as specific Denial of Service (DoS) attacks. Because of its flexible configuration, Snort can record the potential impact and frequency of DoS attacks and therefore represents an effective real-time gatherer of information for estimating both misuse and security solution variables. However, for the logging to be effective and accurate the IDS should be combined with a honeypot, such as the freeware honeypot Honeyd [77]. Such a configuration gives a second layer of logging, which is necessary because of the false-positive problem with IDS. Using both IDS and honeypot makes it possible to compare and calibrate the two information sources against each other and so eliminate some of the false positives.
A honeypot is an information system resource whose value lies in all unauthorised or illicit use of that resource [94]. The advantage of a honeypot is its ability to capture new attacks and attack methods by observing, responding to and documenting interactions with its environment. Honeypots come in a wide range of types, and more advanced types are able to capture more information than a simpler, low-interaction honeypot. Honeypots are able to capture attack information easily, as they are set up as resources that are normally not used by any authorised users. This limits the problem with false positives. It also means that any data sent from the honeypot indicates a successful attack, which makes it easier to measure events such as the number of successful attacks within a particular time frame.
There are three main categories of honeypots available: low-interaction, middle-interaction and high-interaction honeypots. Low-interaction honeypots have limited interaction with the attackers and hence are limited in their ability to detect more advanced and innovative attacks. Low-interaction honeypots can only simulate parts of an operating system and some applications. Middle-interaction honeypots are able to simulate an entire operating system and its associated applications and hence provide more realistic information than the low-interaction honeypots. High-interaction honeypots are real systems that are usually employed in parallel with the production system, separated only by an attack routing gateway called a Honeywall. However, employing the honeypot as a real system involves the risk of attackers taking over the honeypot and using it as a gateway into the network. This problem has been further elaborated on in Østvang (2004) [81] and Østvang and Houmb (2004) [82].
Combining the two information sources, IDS and honeypot, makes it possible to test the effect that a particular security solution has on a particular misuse in a realistic environment. Assume that a set of security solutions S is identified as potential treatments for DoS attacks. Each security solution s_i, where i indexes a particular security solution, is employed in the Honeyd simulation environment for the logging period Δt. Here, Δt is defined as the time difference between the start time and the end time of the logging. By taking each security solution through a series of logging periods, an estimate for the anticipated number of DoS attacks can be derived by calculating the set average. From this the anticipated effect on DoS attacks for each security solution can be derived, and thus the solution's fitness for DoS attacks has been observed. To make the evaluation as realistic as possible, the logging periods Δt should cover the same amount of time and be comparable, since the number of attack attempts often differs between weekends and weekdays.
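The following is an added example, not code from the thesis or from the Snort project: it parses Snort packet headers in the layout quoted above into the fields of the template, then counts TCP connection attempts per logging period Δt and compares the set average with and without a security solution, as the procedure above describes. It assumes that the three header lines of a Snort record have been joined into one line, that the year (which Snort does not print) is supplied by the caller, and that the log lines themselves are constructed samples.

```python
import re
from datetime import datetime, timedelta

# One Snort packet header in the layout quoted above (assumption: the timestamp, IP
# and TCP lines of a record have been joined into a single line).
SNORT_HDR = re.compile(
    r"(?P<date>\d\d/\d\d)-(?P<time>[\d:.]+)\s+(?P<src_mac>[\dA-Fa-f:]+)\s*->\s*(?P<dst_mac>[\dA-Fa-f:]+)"
    r"\s+type:(?P<type>\w+)\s+len:(?P<len>\w+)\s+(?P<src_ip>[\d.]+):(?P<src_port>\d+)\s*->\s*"
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\s+(?P<proto>\w+)\s+TTL:(?P<ttl>\d+)\s+TOS:(?P<tos>\w+)"
    r"\s+ID:(?P<id>\d+)\s+IpLen:(?P<iplen>\d+)\s+DgmLen:(?P<dgmlen>\d+)(?:\s+(?P<ipflags>DF|MF))?"
    r"\s+(?P<flags>[*12UAPRSF]{8})\s+Seq:\s*(?P<seq>\w+)\s+Ack:\s*(?P<ack>\w+)\s+Win:\s*(?P<win>\w+)"
    r"\s+TcpLen:\s*(?P<tcplen>\d+)")
def parse_record(line, year=2004):
    """Split a header into the template's fields; Snort prints no year, so the caller supplies one."""
    m = SNORT_HDR.match(line)
    if not m:
        raise ValueError("not a Snort packet header: " + line)
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{year}/{rec['date']} {rec['time']}", "%Y/%m/%d %H:%M:%S.%f")
    return rec
def is_syn_attempt(rec, dst_port):
    """Connection attempt: TCP with SYN set and ACK clear (Snort's flag order is 12UAPRSF)."""
    f = rec["flags"]
    return rec["proto"] == "TCP" and rec["dst_port"] == dst_port and f[6] == "S" and f[3] == "*"
def syn_counts_per_period(lines, start, delta, n_periods, dst_port="139"):
    """SYN attempts on dst_port in each of n_periods consecutive logging periods of length delta."""
    counts = [0] * n_periods
    for rec in map(parse_record, lines):
        k = int((rec["ts"] - start) / delta)
        if is_syn_attempt(rec, dst_port) and 0 <= k < n_periods:
            counts[k] += 1
    return counts
def solution_effect(baseline_counts, solution_counts):
    """Relative reduction of the set average (attempts per period) with the solution in place."""
    b, s = (sum(c) / len(c) for c in (baseline_counts, solution_counts))
    return (b - s) / b if b else 0.0
# Constructed sample records: the layout follows the thesis example, the values are invented.
def snort_line(time, src, flags="******S*", dst="129.241.209.154:139"):
    return (f"10/30-{time} 0:80:1C:CE:8C:0 -> 0:10:60:DB:37:E5 type:0x800 len:0x3E {src} -> {dst} TCP "
            f"TTL:125 TOS:0x0 ID:45447 IpLen:20 DgmLen:48 DF {flags} Seq: 0x6F12FE95 Ack: 0x0 Win: 0xFFFF TcpLen: 28")
BASELINE_LOG = [snort_line("11:47:14.834837", "129.241.216.114:1203"), snort_line("11:50:01.000000", "192.0.2.7:4000"),
                snort_line("12:05:00.000000", "192.0.2.8:4001"),
                snort_line("12:10:00.000000", "192.0.2.9:4002", flags="***A****"),  # ACK only: not an attempt
                snort_line("12:30:00.000000", "192.0.2.9:4003", dst="129.241.209.154:80")]  # other port
SOLUTION_LOG = [snort_line("11:48:00.000000", "192.0.2.7:4010"), snort_line("12:40:00.000000", "192.0.2.8:4011")]
START, DELTA = datetime(2004, 10, 30, 11, 0), timedelta(hours=1)  # two one-hour logging periods from 11:00
def run_example():
    base = syn_counts_per_period(BASELINE_LOG, START, DELTA, 2)  # [2, 1]
    sol = syn_counts_per_period(SOLUTION_LOG, START, DELTA, 2)   # [1, 1]
    return base, sol, solution_effect(base, sol)                 # set averages 1.5 vs 1.0, effect 1/3
```

With real logs, one call of syn_counts_per_period per security solution over equal-length, comparable periods gives the per-period counts whose set average the text refers to.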
In the example given in Section 18.1 the effect of two DoS security solutions for a .NET e-commerce system is measured using the combination of Snort and Honeyd. This is done by simulating the employment of each security solution separately and then comparing the result of the logging with the result of the simulation of the .NET e-commerce system without any DoS solutions. In this way a real-time simulation of future configurations of ToEs can be performed. The trick, in this context, is that the alternative security solutions are included in the simulation environment so that their actual effect on preventing DoS attacks can be observed. Note that there are still problems in creating a realistic and comparable context for the simulation.
Log-files from firewalls, anti-virus firewalls, Internet gateways (routers) etc. provide information such as the source and destination IP addresses and the accessed TCP port for all connection attempts. Such logging mechanisms can also employ action rules, such as filtering mechanisms at the IP and TCP levels. Here, filtering means configuring the router with access lists containing either single IP addresses or ranges of IP addresses. The rules used are, among others, “access” and “deny”. In addition, firewalls provide application layer filtering in combination with the two other filtering functions. In the trade-off tool, information on who tried to contact whom, at what time and for what reason is of interest. Such information can indicate whether there has been an attempt at a port scan or other DoS attacks that was not successful because of the filtering rules. These pieces of information are valuable for both the misuse and the security solution variables in the trade-off tool.
Virus and spyware scanners also use log-files to record the results of their activities. In addition, these mechanisms have the capability to issue alarms and perform prescribed actions to remove the problem detected, such as removing a virus and closing a connection. A vulnerability scanner works in a similar way but has more options when it comes to the actions. It detects and proposes solutions to the vulnerabilities detected, if such solutions exist (such as a list of downloadable vulnerability fixes). These tools are all helpful in detecting vulnerabilities in the system and other information relevant to the misuse variables in the trade-off tool. These tools can also be used to identify potential security solutions.
Public repositories are used to store publicly available experience and best practice from various relevant activities. Examples are the quarterly reports from Norsk Senter for Informasjonssikring (NorSIS) in Norway, incident and security reports and white papers from CERT, NIST, NSA and CSO, reports from the Honeynet Project and other attack trend reports. A repository can also be specific to a company, in which case it is called a company experience repository. Often these repositories contain company confidential information and thus access to them is restricted. The information that these two types of repositories contain is mostly related to the misuse variables in the trade-off tool. However, the repositories might also provide input to the security solution variables, such as suggested solutions to a particular security problem and examples of unsolved issues with these that reduce their ability to withstand certain attacks.
Domain knowledge is similar to the experience repositories but represents established knowledge within a particular domain, such as the e-commerce domain. Information denoted domain knowledge is based on observations of multiple coherent events over a certain amount of time. Examples are lists of well-known vulnerabilities in existing systems, such as patch lists with downloadable patches for a particular operating system version or application. Such information is highly relevant for both the misuse and the security solution variables in the trade-off tool.
Recommendations and standards are best practice and industry standards derived from long-term experience in industry or similar, such as the quality assurance best practice and standards (e.g. CMM and ISO 9000). Recommendations could also take the form of an interpreted information source type, such as subjective recommendations from domain experts. Examples of recommendations are those captured in Common Criteria Protection Profiles (PP). Examples of security standards for security level evaluation are the Common Criteria, the Information Technology Security Evaluation Criteria (ITSEC) and ISO 17799 Information technology - Code of practice for information security management.
System analysis and tests are module and integration tests performed on the design models, the implementation, or both. Vulnerability analysis covers techniques such as the vulnerability assessment techniques and guidelines described for the Common Criteria assurance class vulnerability assessment (AVA). The main aim of these tests is to detect design flaws or security problems in the implementation and to check whether the implemented system meets the security requirements outlined in the design models.
Formal security verification covers techniques that use mathematical rigour to check a system model for flaws and for resistance to attacks. An example of this is the UMLsec security verification approach described in Houmb et al. (2005) [44] (Appendix B.3). Results from security verification are applicable to both the misuse and the security solution variables of the trade-off tool. The example given in [44] demonstrates the use of such information as input to the security solution variables.
Risk assessment results give information on the potential misuses, their potential frequency and their associated impacts on the system assets. In some cases a risk assessment may also identify alternative security solutions and perform an evaluation of these solutions. The result from such activities is thus relevant for both the misuse and the security solution variables of the trade-o¤ tool.