Using Vulnerability Trees for Decision Making in Threat Assessment

Authors

  • Stilianos Vidalis
  • Andy Jones
Abstract

During the development of the TAME threat assessment methodology under Framework 5 IST-2000–29601, the problem of analysing and examining vulnerabilities was identified. The methodology was developed for the assessment and analysis of threats and vulnerabilities within the context of security risk management. TAME was developed with the needs of electronic payment systems in mind and consists of four stages: a) Scope of Assessment, b) Scenario Construction & Modeling, c) Threat Agent & Vulnerability Analysis, and d) Stakeholder Evaluation. The requirement for this paper was identified in the “Vulnerability Complexity Analysis” step, which is part of the “Threat Agent & Vulnerability Analysis” stage of the methodology. Identifying vulnerabilities in isolation is not sufficient for analysing, assessing and securing a network; there is a need to identify vulnerability chains and to model their relationships. Through use of the TAME methodology the user should be capable of producing a matrix identifying the most significant vulnerabilities for each asset involved with the system under analysis. From this there is a requirement to find out how easy (or difficult) it is for a vulnerability to be exploited by a threat agent. Does a threat agent need to exploit another vulnerability in order to achieve his goal, or is it enough that one vulnerability is used? What are the different attack paths that the agent might follow in order to achieve his/her goals? How long will it take for an agent with a given set of capabilities to exploit an asset vulnerability? Will he be able to manifest a threat in that time window? How complex is it for the different types of threat agents to exploit system vulnerabilities, and how “worried” should the information security officers be?
Vulnerability trees can provide the answers to the above questions by helping the users of the TAME methodology to identify key vulnerabilities that are common to more than one asset of the system and to counter them in a cost-effective manner. The phrase that best describes the problem addressed in this paper comes from Keeney and Raiffa: “In an uncertain world the responsible decision maker must balance judgments about uncertainties with his or her preferences for possible consequences or outcomes.” Information security (IS) as a concept is chaotic. The four goals of IS, confidentiality, integrity, availability and non-repudiation, are in tension with each other in such a way that a shift in favour of one of them may make an attack on another more likely. As a result, a decision maker has to make assumptions and judge situations according to his/her experience. In the modern electronic world that we live in, there is a need for a more formal technique to help with the above process. In this paper we present such a technique based on Object Oriented principles, utility theory, FTAs and other methodologies. The technique is part of a process that aims at minimising and controlling the threats against e-Business and eCommerce.

Introduction

During the development of the TAME threat assessment methodology (Vidalis '01), the problem of analysing and examining vulnerabilities (Blyth '01) was identified. The Concise Oxford Dictionary (Sykes '81) defines the term vulnerability to mean “is susceptible to damage”. Vulnerability has also been defined as follows:
o A point where a system is susceptible to attack (Kabay '96).
o A weakness in the security system that might be exploited to cause harm or loss (Pfleeger '97).
o Some weakness of a system that could allow security to be violated (A.J.C.Blyth '01).
However, for the purpose of a threat assessment we require a definition that is more general to information security and encompasses information technology, communication systems, and business processes. Therefore we will define vulnerability as a measure of the exploitability of a weakness. According to (Pfleeger '97), (A.J.C.Blyth '01), (Summers '77), (Scambray '01), (M.Smith '93) and (Forte '00), there are six types of vulnerabilities that can exist in any system: Physical, Natural, Hardware/Software, Media, Communication, and Human. We need a process that will be able to analyse all of the above types. The problem examined in this paper was identified in the “Vulnerability Complexity Analysis” step, which is part of the “Threat Agent & Vulnerability Analysis” stage of the TAME methodology (Vidalis '01). For reference purposes the different stages of the TAME methodology are:
o Scope of Assessment: Business Analysis, Stakeholder Identification, System Boundaries Identification, and Threat Agent Identification & Selection
o Scenario Construction & Modeling: Scenario Generation, System Modeling, Asset Identification
o Threat Agent & Vulnerability Analysis: Threat Agent Preference Structuring, Threat Agent Capabilities, Vulnerability Type Identification & Selection, and Vulnerability Complexity Analysis
o Evaluation: Stakeholder Evaluation, Scenario Selection & Conflict Resolution, Threat Impact Analysis, Threat Statement Generation and Transfer
Through use of the TAME methodology the user should be capable of producing a matrix identifying the most significant vulnerabilities for each asset involved with the system under analysis. From this there is a requirement to find out how easy or difficult it would be for a vulnerability to be exploited by a threat agent (Stalling '00), (Carroll '96), (Ammann '02).
Does a threat agent need to exploit another vulnerability in order to achieve his goal, or is it enough that one vulnerability is used? What are the different attack paths (Moore '01) that the agent might follow in order to achieve his/her goals? How long will it take for an agent with a given set of capabilities (Vidalis '01), (A.J.C.Blyth '01), (Barber '01), (Hoath '98), (Rees '96) to exploit a vulnerability, and will he be able to manifest a threat in that time window? How complex is it for the different types of threat agents to exploit system vulnerabilities, and how concerned should the information security officers be? Vulnerability trees can provide the answers to the above questions by helping the users of the TAME methodology to identify key vulnerabilities that are common to more than one asset of the system and to counter them in a cost-effective manner (Summers '77).

State of the Art

There are quite a few tools that can be used for analysing systems and identifying vulnerabilities. Some of these tools are: COPS (COPS '02), NESSUS, SystemScanner (SystemScanner '02), Retina, NetRecon, Whisker, and CyberCop. It is recognised in (Ammann '02) that just identifying individual vulnerabilities is not sufficient and adequate in today’s electronic era of cyber-crime (Bequai '01). There are quite a few approaches to modelling vulnerabilities in order to perform some sort of analysis of a computing system. The safety-critical systems field examines the hazard analysis process, and vulnerabilities can be perceived as hazards for a computer system. The techniques that analyse hazards include: checklists, fault tree analysis, event tree analysis, and cause-consequence analysis. Checklists are static and cannot demonstrate the relationships between the vulnerabilities; furthermore, they do not examine how and why two vulnerabilities are related to each other.
Fault trees are just chronological orderings of events over time and are not adequate to visualise and model the different types of vulnerability relationships; each level of the fault tree merely shows the same thing in more detail. Event tree analysis is a Boolean approach to examining vulnerabilities and failures, but most of the vulnerability types of a computing system cannot be expressed with Boolean values. The technique works very well for hardware vulnerabilities, but according to (Neumann '95) there are six other vulnerability types that cannot be addressed effectively. Cause-Consequence Analysis (CCA) is a top-down or backward technique that can determine the causes of an event. It can model both time dependencies and causal relationships among the events. The negative side of CCAs is the size of the diagrams, their complexity and the fact that they cannot accept data from other diagrams. Another technique is the use of historical attack data for producing patterns and attack trees. This technique tries to predict the path that the threat agent will follow by analysing the exploits that might be used; each path through an attack tree represents a unique attack on the enterprise. The problem with attack trees is that they cannot analyse big systems or large-size networks (Ammann '02), mainly due to their complexity. A number of different exploits might be used for attacking more than one vulnerability, and the same exploits can be used for attacking different vulnerabilities, so producing attack trees using exploits as nodes is not efficient for a system that changes constantly.

Vulnerability Trees

Definition

Vulnerability trees are hierarchy trees (Keeney '93) constructed as a result of the relationship between one vulnerability and other vulnerabilities and/or steps that a threat agent (A.J.C.Blyth '01), (Carroll '96), (Rees '96), (Hinde '01), (Icove '95) has to carry out in order to reach the top of the tree.
The top of the tree is known as the top vulnerability or the parent vulnerability, and we will symbolise it with a capital ‘V’. There are a large number of ways in which such a top vulnerability can be exploited, and each of these ways will constitute a branch of the tree. The branches will be constructed from child vulnerabilities. Consequently the child vulnerabilities can be exploited by steps that the threat agent will have to perform in order to get to the parent. We will symbolise the child vulnerabilities with the lower case ‘v’ and the steps with the lower case ‘s’. Each vulnerability will have to be broken down in a similar way. Normally this will end up in more than one level of decomposition. When the point is reached where the branches contain only steps, and no child vulnerabilities, then we know that we have reached the lowest level of decomposition. We will call that level the “step-only” level.

For example, let us consider the scenario of a main broker server of a micro-payment system (MPS) (Vidalis '01), (Manasse '95), (W3C '99), (O'Mahony '97). There is the physical vulnerability of a human threat agent walking into the server room and stealing the server. To do that, though, he would have to exploit a vulnerability related to the alarm system of the room and, with regard to the building, a vulnerability related to the security guards and a vulnerability related to the high security doors which are installed in the server room. Hence, from what we have seen up to now, the tree should look like the one presented in figure 1.

Figure 1 – Level 0 Tree example

For the graphical representation of the vulnerability trees we will use the notation presented in appendix A. The notation was inspired by the FTA notation taken from (Storey '96) and (Leveson '95). Taking the notation into consideration, the updated tree is presented in figure 2.

Figure 2 – Updated Level 0 Tree example

If we think of the vulnerability as being an object, like all objects, it has some attributes.
According to Coad (Coad '91), an attribute is any property, quality, or characteristic that can be ascribed to a person or thing. V
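As an added worked example (Python written for this page, not code from the paper or the TAME project), the tree defined in the Definition section can be encoded with the paper's V/v/s symbols so that the step-only level, the branches and the child vulnerabilities common to more than one asset are computed rather than read off a diagram. The three child vulnerabilities are the paper's broker-server ones; the steps beneath them, the second asset tree, and the rule that every root-to-leaf path counts as one branch are assumptions of this example, since the paper's appendix A notation (with any gates it may define) is not reproduced here.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    """One node of a vulnerability tree, using the paper's symbols:
    'V' top (parent) vulnerability, 'v' child vulnerability, 's' a step
    the threat agent has to carry out."""
    kind: str
    name: str
    children: list["Node"] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.kind not in ("V", "v", "s"):
            raise ValueError(f"unknown node kind {self.kind!r}")


def levels(tree: Node) -> dict[int, list[Node]]:
    """Group nodes by decomposition level; the top vulnerability is level 0."""
    out: dict[int, list[Node]] = {}
    stack = [(tree, 0)]
    while stack:
        node, depth = stack.pop()
        out.setdefault(depth, []).append(node)
        stack.extend((child, depth + 1) for child in node.children)
    return out


def step_only_level(tree: Node) -> Optional[int]:
    """The 'step-only' level: the first level that contains steps and no
    child vulnerabilities, i.e. the lowest level of decomposition."""
    for depth, nodes in sorted(levels(tree).items()):
        if all(node.kind == "s" for node in nodes):
            return depth
    return None


def branches(tree: Node) -> list[list[str]]:
    """Every root-to-leaf path is one branch, i.e. one way the top
    vulnerability can be reached (assumption: no AND/OR gates are modelled)."""
    if not tree.children:
        return [[tree.name]]
    return [[tree.name] + tail for child in tree.children for tail in branches(child)]


def child_vulnerabilities(tree: Node) -> set[str]:
    """Names of all 'v' nodes anywhere in the tree."""
    return {node.name for nodes in levels(tree).values() for node in nodes if node.kind == "v"}


def shared_vulnerabilities(asset_trees: dict[str, Node]) -> dict[str, list[str]]:
    """Key vulnerabilities: child vulnerabilities that appear in the trees of
    more than one asset, mapped to the (sorted) assets that share them."""
    seen: dict[str, list[str]] = {}
    for asset, tree in asset_trees.items():
        for name in child_vulnerabilities(tree):
            seen.setdefault(name, []).append(asset)
    return {name: sorted(assets) for name, assets in seen.items() if len(assets) > 1}


def broker_server_tree() -> Node:
    """The paper's broker-server scenario. The three child vulnerabilities
    are the ones the paper names; the steps under them are constructed
    placeholders, because the paper does not list them."""
    return Node("V", "broker server stolen from server room", [
        Node("v", "alarm system", [Node("s", "alarm step 1"), Node("s", "alarm step 2")]),
        Node("v", "security guards", [Node("s", "guards step 1")]),
        Node("v", "high security doors", [Node("s", "doors step 1"), Node("s", "doors step 2")]),
    ])


def backup_media_tree() -> Node:
    """Entirely constructed second asset tree that shares two child
    vulnerabilities with the broker server, to show how key vulnerabilities
    common to several assets are found."""
    return Node("V", "backup media removed from server room", [
        Node("v", "alarm system", [Node("s", "alarm step 1")]),
        Node("v", "high security doors", [Node("s", "doors step 1")]),
    ])


if __name__ == "__main__":
    trees = {"broker server": broker_server_tree(), "backup media": backup_media_tree()}
    for asset, tree in trees.items():
        print(f"{asset}: step-only level {step_only_level(tree)}, {len(branches(tree))} branches")
    print("key vulnerabilities shared by several assets:", shared_vulnerabilities(trees))
```

Running the module prints that both trees bottom out at level 2 and that the alarm system and high security door vulnerabilities are shared by both assets; in the TAME workflow those shared entries are the ones worth countering first, because one control covers several asset trees.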




Publication date: 2003