Process-oriented Security Risk Analysis and Requirements Engineering

Post on 23-Jan-2018


Cyber-Physical Security of Critical Processes for Crucial Functions in Society Copenhagen, 02.05.2016

Process-oriented Security Risk Analysis and Requirements Engineering

Raimundas Matulevičius University of Tartu, Estonia


Domain Model for Security Risk Management

Dubois et al., 2010


Content

- Security Risk-aware BPMN
- Security Risk-oriented Patterns
- Business Processes and Compliance


Business Process Modelling

- Objective
  - What does an organisation need to do to achieve its business objectives?
- Advantages
  - Reasonably intuitive
  - Explicit declaration of business activities, processes and sub-processes
- Disadvantages
  - Captures only a dynamic picture
  - Not focused on the business support by technology


Business Process Model and Notation


Asset Identification and Security Objective Determination


Risk Analysis and Assessment


Security Requirements Definition


Security Risk-aware BPMN


Altuhhova et al., 2013


Security Patterns

- A security pattern describes
  - a particular recurring security problem
  - that arises in a specific security context
  - and presents a well-proven generic scheme for a security solution
- Patterns codify security knowledge in a structured and understandable way
- The presentation is familiar to the audience
- Proven solutions improve the integration of security into enterprises where needed

[Schumacher et al., 2006]


Security Risk-oriented Patterns

- SRP1: Secure data from unauthorized access
- SRP2: Secure data transmitted between business entities
- SRP3: Secure business activity after data is submitted
- SRP4: Secure business services against denial of service attacks
- SRP5: Secure data stored in / retrieved from the data store

[Ahmed and Matulevičius, 2014]


Business Process and Compliance

- Business process management
  - Instrument to manage enterprise activities
  - Ensures consistent outcomes to bring value to customers
- Compliance
  - A set of activities an organisation performs to ensure that its core business does not violate the regulations
  - e.g. ISO/IEC 27001, NIST SP 800-39, Basel III, IT-Grundschutz, ISKE, etc.


ISO/IEC 27001:2013

- Requirements for managing an organisation's sensitive information
  - risk management
  - risk assessment
  - risk treatment means
- Guidance on understanding
  - Organisation's context
  - Leadership
  - Planning
  - Operation performance
  - Physical access
  - ...
- Checklist of objectives and controls


Business Process and Compliance

- Business process management
  - Instrument to manage enterprise activities
  - Ensures consistent outcomes to bring value to customers
- Compliance
  - A set of activities an organisation performs to ensure that its core business does not violate the regulations
  - e.g. ISO/IEC 27001, NIST SP 800-39, Basel III, IT-Grundschutz, ISKE, etc.

Achieving business process compliance with regulations remains a rather labour-intensive activity.

Approach (Alaküla and Matulevičius, 2015):

1. Check compliance
2. Apply SRPs
3. Check compliance again
4. Compare results


Insurance Brokerage System


Insurance Brokerage System: Accept Offer


ISO/IEC 27001:2013

A.9.4.1 Information access restriction
- Access to information and application system functions shall be restricted in accordance with the access control policy.

A.13.2.1 Information transfer policies and procedures
- Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.


Difficulties in applying the control text as written:

- Abstract terminology
- Multiple requirements bundled in one control
- Requirements that are not relevant to the process


ISO/IEC 27001:2013

A.9.4.1 Information access restriction
- Access to information and application system functions shall be restricted in accordance with the access control policy.

Refined for the Insurance Brokerage System:

A.9.4.1 Information access restriction
(i) Access to Customer data, Relevant quotes, Offer status, and Selected quotes shall be restricted in accordance with the access control policy.
(ii) Access to Get customer contact data, Get relevant quotes, Email offer, Cancel offer, Register customer decision, and Register selected quotes shall be restricted in accordance with the access control policy.


Check Compliance


Identify Pattern Occurrences


Derive Security Model

1. Identify resource
2. Identify roles
3. (Assign users)
4. Identify secured operations
5. Assign permissions


SReq.1.1: Only Broker should update offer's Customer data and Relevant quotes.
  SReq.1.1.1: Broker should perform Get customer contact data.
  SReq.1.1.2: Broker should perform Get relevant quotes.

SReq.1.2: Only Broker should read offer's Offer status.
  SReq.1.2.1: Broker should view Offer status after operation Email offer.
  SReq.1.2.2: Broker should view Offer status after operation Cancel offer.
  SReq.1.2.3: Broker should view Offer status after operation Register customer decision.

SReq.1.3: Customer should read offer's Customer data and Relevant quotes after operation Email offer.

SReq.1.4: Only Customer should update offer's Offer status and Selected quotes.
  SReq.1.4.1: By performing the Send response task, Customer should invoke Register customer decision.
  SReq.1.4.2: By performing the Send response task, Customer should invoke Register selected quotes if Offer status is "Accepted".
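The five derivation steps and the SReq.1.x requirements above can be made executable, which is also what the "check compliance again" step needs. The following Python is an added example written for this page; it is not code from the talk or from the cited papers. It builds the security model for the Insurance Brokerage System (resources, roles, secured operations and permissions are taken from the slides; the users "alice" and "bob", the default-deny semantics and all function names are assumptions of this example), then checks the refined A.9.4.1 requirements (i) and (ii) against the model and shows the check flagging a permission that violates an "Only Broker should ..." clause.

```python
"""Added worked example (not from the slides or the cited papers): derive a
role-based security model by the five steps on the slide, encode SReq.1.1 to
SReq.1.4 as permissions, and check refined A.9.4.1 (i) and (ii) against it.
Resource, role and operation names come from the slides; the users and the
helper names are constructed for illustration."""

from copy import deepcopy
from dataclasses import dataclass, field

READ, UPDATE = "read", "update"


@dataclass
class SecurityModel:
    resources: set            # step 1: identify resources
    roles: set                # step 2: identify roles
    users: dict               # step 3: user -> role (constructed sample users)
    operations: set           # step 4: identify secured operations
    # step 5: (resource, action) -> roles allowed; a missing entry means denied
    resource_perms: dict = field(default_factory=dict)
    # step 5: operation -> roles allowed to perform it; missing means denied
    operation_perms: dict = field(default_factory=dict)
    # "Only <role> should ..." clauses: (resource, action) -> the single role
    exclusive: dict = field(default_factory=dict)


def build_model() -> SecurityModel:
    m = SecurityModel(
        resources={"Customer data", "Relevant quotes", "Offer status", "Selected quotes"},
        roles={"Broker", "Customer"},
        users={"alice": "Broker", "bob": "Customer"},   # constructed, not from the slides
        operations={"Get customer contact data", "Get relevant quotes", "Email offer",
                    "Cancel offer", "Register customer decision", "Register selected quotes"},
    )
    m.resource_perms = {
        ("Customer data", UPDATE): {"Broker"},       # SReq.1.1
        ("Relevant quotes", UPDATE): {"Broker"},     # SReq.1.1
        ("Offer status", READ): {"Broker"},          # SReq.1.2
        ("Customer data", READ): {"Customer"},       # SReq.1.3
        ("Relevant quotes", READ): {"Customer"},     # SReq.1.3
        ("Offer status", UPDATE): {"Customer"},      # SReq.1.4
        ("Selected quotes", UPDATE): {"Customer"},   # SReq.1.4
    }
    m.operation_perms = {
        "Get customer contact data": {"Broker"},     # SReq.1.1.1
        "Get relevant quotes": {"Broker"},           # SReq.1.1.2
        "Email offer": {"Broker"},                   # SReq.1.2.1
        "Cancel offer": {"Broker"},                  # SReq.1.2.2
        "Register customer decision": {"Customer"},  # SReq.1.4.1
        "Register selected quotes": {"Customer"},    # SReq.1.4.2
    }
    m.exclusive = {  # the "Only ... should" clauses of SReq.1.1, SReq.1.2 and SReq.1.4
        ("Customer data", UPDATE): "Broker",
        ("Relevant quotes", UPDATE): "Broker",
        ("Offer status", READ): "Broker",
        ("Offer status", UPDATE): "Customer",
        ("Selected quotes", UPDATE): "Customer",
    }
    return m


def is_permitted(m: SecurityModel, user: str, action: str, resource: str) -> bool:
    """Default deny: a user may act on a resource only through a listed role."""
    return m.users.get(user) in m.resource_perms.get((resource, action), set())


def may_perform(m: SecurityModel, user: str, operation: str) -> bool:
    """Default deny for secured operations as well."""
    return m.users.get(user) in m.operation_perms.get(operation, set())


def check_a941(m: SecurityModel) -> list:
    """Findings against refined A.9.4.1 (i) and (ii); an empty list means compliant."""
    findings = []
    # (i) every resource has an access rule, rules name declared roles only,
    #     and every "Only <role>" clause is honoured by the permission table.
    for res in sorted(m.resources):
        if not any(r == res for r, _ in m.resource_perms):
            findings.append(f"A.9.4.1(i): no access rule for {res}")
    for (res, act), roles in m.resource_perms.items():
        if not roles <= m.roles:
            findings.append(f"A.9.4.1(i): undeclared role in rule for {act} on {res}")
        only = m.exclusive.get((res, act))
        if only and roles != {only}:
            findings.append(f"A.9.4.1(i): only {only} should {act} {res}, but {sorted(roles)} may")
    # (ii) every secured operation is restricted to declared roles.
    for op in sorted(m.operations):
        roles = m.operation_perms.get(op, set())
        if not roles or not roles <= m.roles:
            findings.append(f"A.9.4.1(ii): access to {op} is not restricted to a declared role")
    return findings


def with_extra_grant(m: SecurityModel, role: str, resource: str, action: str) -> SecurityModel:
    """Copy of the model with one more grant, to show the check catching drift."""
    drifted = deepcopy(m)
    drifted.resource_perms.setdefault((resource, action), set()).add(role)
    return drifted


if __name__ == "__main__":
    model = build_model()
    print("compliant model findings:", check_a941(model))
    print("drifted model findings:",
          check_a941(with_extra_grant(model, "Customer", "Customer data", UPDATE)))
```

The table form makes the two halves of the refined control mechanical to check: (i) is a property of the resource permission table, (ii) of the operation permission table, and the "Only ..." clauses become an equality test rather than a judgement call, which is the point of refining the abstract control text into process-specific requirements first.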


Introduction of Security Constraints


Check Compliance Again



A.9.4.1 Information access restriction
(i) Access to Customer data, Relevant quotes, Offer status, and Selected quotes shall be restricted in accordance with the access control policy.
(ii) Access to Get customer contact data, Get relevant quotes, Email offer, Cancel offer, Register customer decision, and Register selected quotes shall be restricted in accordance with the access control policy.

A.13.2.1 Information transfer policies and procedures
(i) Formal transfer policies shall be in place to protect the transfer of Offer request, Offer, Request email offer, Offer status, and Decision on offer through the use of all types of communication facilities.
(ii) Formal transfer procedures shall be in place to protect the transfer of Offer request, Offer, Request email offer, Offer status, and Decision on offer through the use of all types of communication facilities.
(iii) Formal transfer controls shall be in place to protect the transfer of Offer request, Offer, Request email offer, Offer status, and Decision on offer through the use of all types of communication facilities.


Lessons Learnt

- Patterns could systematically guide the compliance manager to achieve compliance
- Future work
  - Patterns do not deal with (physical) human resource security, media handling, physical and environmental security, equipment and other areas


Process-oriented Security Risk Analysis and Requirements Engineering

- Security Risk-aware BPMN
- Security Risk-oriented Patterns
- Business Processes and Compliance


Limitations

- Formal compliance checking is not performed (future work)
- The business process model is not enriched with security-related activities

Compliance checking: "a relationship between the formal representation of a business model and the formal representation of a relevant regulation" [Governatori and Shek, 2012; Sadiq and Governatori, 2015]
