A Model-Driven Approach for Dev. & Operations of Security-sensitive IS
Hasan Sayani, Jim Chen, Mary Hoferek
Graduate School of Mgmt & Technology
University of Maryland University College
Copyright, H. Sayani, MD., March 2, 2006 2
Introduction
Leveraging Work Flow Originated in Industrial Engineering
Tracking Materials through Processes Applies to Information Systems as well
May be used to model Information Systems
At any phase of the development cycle
Non-threatening to functional users
Available as part of Microsoft’s Vista and Office 2007
Document management packages (e.g., Hershey Systems)
We use it to model Security
Fits into a Meta-Meta view of IS
Data-Activity-Control-Constraint (Meta-meta)
Major Building Block of WF
The Activity (e.g., in IDEF0) components:
Control (logical)
Performance (using specified Procedure)
Data Input
Data Output
Database Interaction (added explicitly)
Enhanced for our model
The Visualized Activity Model
Diagrammatic Ontology of the Activity Model
[Figure: activity model diagram. Objects ACTIVITY, ICOM, DATABASE; relationships PROCESS, OUTPUT, INPUT, CONTROL, DATA, MECHANISM; property PROCEDURE]
Ontology of the Activity Model (Culture)
CULTURE CONTENTS REPORT Wed Feb 28 17:49:08 2007
OBJECTS:
--------
1) ACTIVITY
2) DATABASE
3) ICOM
RELATIONSHIPS:
--------------
1) PROCESS
   Role:1 OUTPUT    Role Player(s) OBJ: ICOM
   Role:2 INPUT     Role Player(s) OBJ: ICOM
   Role:3 PROCESS   Role Player(s) OBJ: ACTIVITY
   Role:4 CONTROL   Role Player(s) OBJ: ICOM
   Role:5 DATA      Role Player(s) OBJ: DATABASE
   Role:6 MECHANISM Role Player(s) OBJ: ICOM
PROPERTIES
----------
1) PROCEDURE
Work Flow
“The stringing together of Activities to perform a functional task”
Interspersed with a special type of Activity
Routes to the next Activity
Via Procedure using classic control constructs
Can be used across Life Cycle
Security Concerns
Components Specifically targeted
Control (logical)
Performance (using specified Procedure)
Data Input
Data Output
Database Interaction
Or, generally aimed at Activity
Diagrammatic Ontology of the Security Model
[Figure: security model diagram. The activity-model objects (ACTIVITY, ICOM, DATABASE, PROCESS, PROCEDURE) together with a SECURITY node and the security counterparts s-INPUT, s-OUTPUT, s-CONTROL, s-DATA, s-MECHANISM, s-PROCESS and ss-PROCESS]
Overlay of Security on Work Flow
[Figure: security overlaid on the work flow diagram. Functional elements (ACTIVITY, PROCESS, PROCEDURE, INPUT, OUTPUT, CONTROL, DATA, MECHANISM, ICOM, DATABASE) overlaid with SECURITY, s-ACTIVITY, s-PROCESS, ss-PROCESS, s-INPUT, s-OUTPUT, s-CONTROL, s-DATA and s-MECHANISM]
Visualization of Work Flow
Control
Functional control
Security Control
Control Constraints
Sequence of control flow constructs
Conditional constructs (if-then-else)
Iteration constructs (while loop)
Routing
Security: Access Control
Identification
Authentication
Authorization
Example
IF (Identification = OK) AND (Authentication = OK) AND (Authorization = OK)
THEN DO X
ELSE EXIT
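The following is an added Python sketch, not code from the presentation, of how the Activity model and its security overlay fit together in practice: each Activity carries its Procedure and a required role (the s-CONTROL), a security sub-process evaluates the slide's IF Identification AND Authentication AND Authorization rule before the Procedure runs, and the work flow is strung together from the three control constructs (sequence, if-then-else routing, while-loop iteration). The user directory, roles, the order-handling workflow and all names in it are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Union

# Added example of the slides' Activity model: an Activity has Input, Control,
# Output and Mechanism (the ICOMs) plus a Procedure, and a security sub-process
# (the s-PROCESS overlay) runs before the Procedure is allowed to. The directory,
# roles and sample workflow below are constructed, not from the presentation.

@dataclass
class Principal:
    user_id: str                               # Identification: who claims to act
    credential_ok: bool                        # Authentication: was the claim verified
    roles: set = field(default_factory=set)    # basis for Authorization

@dataclass
class Activity:
    name: str
    procedure: Callable[[dict], dict]          # the functional Procedure (Input -> Output)
    required_role: Optional[str] = None        # s-CONTROL: who may perform it
    mechanism: str = "app-server"              # Mechanism ICOM (informational here)

@dataclass
class Route:                                   # conditional construct (if-then-else)
    predicate: Callable[[dict], bool]
    then_steps: List["Step"]
    else_steps: List["Step"] = field(default_factory=list)

@dataclass
class Loop:                                    # iteration construct (while loop)
    predicate: Callable[[dict], bool]
    body: List["Step"]
    limit: int = 100                           # hard stop so a bad predicate cannot spin forever

Step = Union[Activity, Route, Loop]

KNOWN_USERS = {"alice", "bob"}                 # constructed directory used for Identification

def security_gate(p: Principal, act: Activity) -> List[str]:
    """The slide's rule: IF ident AND auth AND authz THEN DO X ELSE EXIT.
    Returns the names of the checks that failed; an empty list means proceed."""
    checks = {
        "Identification": p.user_id in KNOWN_USERS,
        "Authentication": p.credential_ok,
        "Authorization": act.required_role is None or act.required_role in p.roles,
    }
    return [name for name, ok in checks.items() if not ok]

class WorkflowExit(Exception):
    """Raised when a security gate fails; records the activity and failed checks."""
    def __init__(self, activity: str, failed: List[str]):
        super().__init__(f"EXIT at {activity}: failed {failed}")
        self.activity, self.failed = activity, failed

def run_steps(p: Principal, steps: List[Step], data: dict, trace: List[str]) -> dict:
    """Sequence construct: execute steps in order, descending into Route and Loop."""
    for step in steps:
        if isinstance(step, Activity):
            failed = security_gate(p, step)        # the overlaid security sub-process
            if failed:
                raise WorkflowExit(step.name, failed)
            data = step.procedure(data)            # only now does the Procedure run
            trace.append(step.name)
        elif isinstance(step, Route):
            branch = step.then_steps if step.predicate(data) else step.else_steps
            data = run_steps(p, branch, data, trace)
        elif isinstance(step, Loop):
            for _ in range(step.limit):
                if not step.predicate(data):
                    break
                data = run_steps(p, step.body, data, trace)
    return data

def run_workflow(p: Principal, steps: List[Step], data: dict) -> dict:
    """Run a workflow; the result records completed activities and any EXIT."""
    trace: List[str] = []
    try:
        data = run_steps(p, steps, data, trace)
        return {"status": "done", "completed": trace, "data": data}
    except WorkflowExit as e:
        return {"status": "exit", "completed": trace, "exit_at": e.activity, "failed": e.failed}

# Constructed order-handling workflow: validate, route large orders to an approval
# activity that only the "manager" role may perform, pick each line, then ship.
ORDER_WORKFLOW: List[Step] = [
    Activity("validate", lambda d: {**d, "valid": d["amount"] > 0}),
    Route(lambda d: d["amount"] >= 1000,
          then_steps=[Activity("approve", lambda d: {**d, "approved": True}, required_role="manager")],
          else_steps=[Activity("auto-approve", lambda d: {**d, "approved": True})]),
    Loop(lambda d: d["lines_left"] > 0,
         body=[Activity("pick-line", lambda d: {**d, "lines_left": d["lines_left"] - 1})]),
    Activity("ship", lambda d: {**d, "shipped": True}, required_role="warehouse"),
]

if __name__ == "__main__":
    clerk = Principal("alice", True, {"clerk", "warehouse"})
    print(run_workflow(clerk, ORDER_WORKFLOW, {"amount": 50, "lines_left": 2}))
    print(run_workflow(clerk, ORDER_WORKFLOW, {"amount": 5000, "lines_left": 1}))
```

The gate fails closed: the Procedure of an Activity is never invoked unless all three checks pass, and the returned trace shows exactly which Activity the work flow exited at and why, which is the tracking benefit the next slide refers to.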
Benefits
Good tracking mechanism in the hierarchy
Good tracking mechanism in the systems development life cycle
Application Environments
Role-based access of data
Network security
Intrusion detection
Forensics
A Database Perspective
Last year, we talked about a data-centric view rather than work flow.
Meta-Model of IS
A Database Perspective
Last year, we looked at a 3-dimensional perspective of data analysis.
[Figure: three-dimensional view of data analysis; axes labelled Processes and Risk]
Threat Threshold Values
Severe: 21-30
Moderate: 11-20
Minor: 1-10
Column Sensitivity Values
Highly Sensitive: 5
Sensitive: 4
Moderate: 3
Minor: 2
Not Sensitive: 1
[Figure: grid of data elements with sensitivity values on the 1-5 scale; one aggregated row is flagged "Some Threat!!!"]
Data elements of different sensitivities. Aggregated columns are triggered by the highest sensitivity value.
Copyright, H. Sayani, MD., September 2001 24
A Database Perspective
Identify “code red” data items
Based on that, workflow could vary substantially
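An added Python example, not from the presentation, that puts the two scales above to work: it applies the slide's rule that an aggregated set of columns is triggered by its highest sensitivity value, maps a threat score onto the Severe / Moderate / Minor bands, and identifies the "code red" data items so that a process touching them can be routed through a different work flow. The column catalog, the sample processes, the choice of level 5 as "code red", and the scoring rule (a process scores the sum of the aggregated sensitivity of each column set it reads, capped at 30) are constructed assumptions; the slides give the scales but not how a process score is derived.

```python
from typing import Dict, Iterable, List, Sequence

# Added example, not from the slides: apply the deck's column sensitivity scale
# (1..5) and threat threshold bands (1..30) to the columns a process reads.
# The catalog, processes and the scoring rule are constructed assumptions.

COLUMN_SENSITIVITY: Dict[str, int] = {        # constructed catalog on the slide's scale
    "ssn": 5, "salary": 4, "dept": 3, "title": 2, "office_phone": 1,
}
SENSITIVITY_LABEL = {5: "Highly Sensitive", 4: "Sensitive", 3: "Moderate",
                     2: "Minor", 1: "Not Sensitive"}
THREAT_BANDS = [(21, 30, "Severe"), (11, 20, "Moderate"), (1, 10, "Minor")]  # from the slide
CODE_RED_LEVEL = 5                            # assumption: "code red" means Highly Sensitive

def aggregate_sensitivity(columns: Iterable[str]) -> int:
    """Slide rule: a set of aggregated columns takes the highest member's value.
    Unrated columns raise rather than silently counting as Not Sensitive."""
    cols = list(columns)
    unknown = [c for c in cols if c not in COLUMN_SENSITIVITY]
    if unknown:
        raise KeyError(f"unrated columns: {unknown}")
    return max(COLUMN_SENSITIVITY[c] for c in cols)

def threat_band(score: int) -> str:
    """Map a threat score onto the slide's Severe / Moderate / Minor bands."""
    if score == 0:
        return "None"                         # nothing read: below the lowest band
    for low, high, label in THREAT_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"score {score} is outside the 1-30 threshold scale")

def process_threat_score(accesses: Sequence[Sequence[str]]) -> int:
    """Assumption for this example: a process scores the sum of the aggregated
    sensitivity of each column set it reads, capped at the scale's top (30)."""
    return min(30, sum(aggregate_sensitivity(cols) for cols in accesses))

def code_red_columns() -> List[str]:
    """The 'code red' data items: columns at the highest sensitivity level."""
    return sorted(c for c, s in COLUMN_SENSITIVITY.items() if s >= CODE_RED_LEVEL)

def assess(processes: Dict[str, Sequence[Sequence[str]]]) -> Dict[str, dict]:
    """Score each process and flag those touching code-red data; those are the
    ones whose work flow may need additional security activities."""
    red = set(code_red_columns())
    report: Dict[str, dict] = {}
    for name, accesses in processes.items():
        score = process_threat_score(accesses)
        report[name] = {
            "score": score,
            "band": threat_band(score),
            "touches_code_red": any(red & set(cols) for cols in accesses),
        }
    return report

# Constructed processes and the column sets each one reads.
PROCESSES = {
    "phone_directory": [["title", "office_phone"], ["dept"]],
    "salary_review":   [["salary", "dept"], ["dept"], ["salary"]],
    "bulk_export":     [["ssn", "salary"], ["ssn", "dept"], ["salary", "title"],
                       ["ssn"], ["salary"], ["ssn", "title"]],
}

if __name__ == "__main__":
    for name, result in assess(PROCESSES).items():
        print(name, result)
```

Because aggregation takes the maximum, a single highly sensitive column pulls an otherwise harmless column set up to level 5; that is what makes the "code red" flag a reliable routing signal for the work flow, independent of how many low-sensitivity columns sit beside it.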
Meta-Model of IS
A Database Perspective
Could view preceding diagram as a commercial database engine.
A Database Perspective
Look at just one aspect of workflow and see how security concerns could be addressed: the Performer.
A Database Perspective
Data Mining attack characteristics:
Organized, technical, professional adversary
Compromised user and system credentials
Key logging programs strategically deployed
Used SQL injection to get IDs and passwords
Compiled, malicious code was encrypted to prevent reverse engineering
Large amount of traffic to external address
High volume of traffic during non-working hours
Familiar with organization – went after executive, research and technical accounts
New users appeared on system
Stole valid ID and established their own (Windsor, 2007).
A Database Perspective
Look again at workflow model and apply to database – assume this attack.
What counter measures could database professionals establish for Performer?
Stole IDs so looked like authorized user
Created own ID and gave privileges
A Database Perspective
Counter measures:
Set up dummy IDs
Determined who was targeted
Identify data that was stolen
Identify earliest known unauthorized action
Identify malicious code
A Database Perspective
If protecting “code red”, could establish code in DBMS
Trigger when dummy ID accessed
Trigger to audit all access to data
Trigger to send back false data – basically to lie
Limit access to catalog – can’t get schema
Limit all accesses to code in DBMS
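An added example, not from the presentation and not from the Windsor case study, showing in Python with an in-memory SQLite database how some of the counter measures on this and the preceding slide can live inside the DBMS: a dummy (decoy) ID whose use fires a trigger that writes an alert, a trigger that audits every write to a sensitive table, and audit-log queries that surface two of the attack characteristics listed earlier (accounts that appeared outside the provisioning process, and activity during non-working hours) and find the earliest known unauthorized action. The table names, the accounts, the provisioning-process name, the working-hours window and the access events are all constructed for the example. SQLite has no trigger on SELECT, so reads are logged by the application through record_access while the DBMS trigger covers writes.

```python
import sqlite3
from typing import Dict, List, Optional, Tuple

# Added example, not from the slides: decoy-ID and audit triggers inside the
# DBMS, plus queries over the audit log for intrusion indicators. All names,
# accounts and events below are constructed.

SCHEMA = """
CREATE TABLE accounts (
    user_id    TEXT PRIMARY KEY,
    is_decoy   INTEGER NOT NULL DEFAULT 0,
    created_by TEXT NOT NULL           -- which process or user created the account
);
CREATE TABLE research (doc_id INTEGER PRIMARY KEY, title TEXT NOT NULL);
CREATE TABLE session (user_id TEXT NOT NULL, ts TEXT NOT NULL);  -- whom the app acts for
CREATE TABLE access_log (ts TEXT NOT NULL, user_id TEXT NOT NULL,
                         action TEXT NOT NULL, target TEXT NOT NULL);
CREATE TABLE alerts (ts TEXT NOT NULL, user_id TEXT NOT NULL, reason TEXT NOT NULL);

-- Dummy ID: no legitimate process ever uses it, so any logged use is an alert.
CREATE TRIGGER decoy_used AFTER INSERT ON access_log
WHEN NEW.user_id IN (SELECT user_id FROM accounts WHERE is_decoy = 1)
BEGIN
    INSERT INTO alerts VALUES (NEW.ts, NEW.user_id, 'dummy ID accessed');
END;

-- Audit every write to the sensitive table from inside the DBMS, attributed
-- to the session's user (reads are logged by the application, see below).
CREATE TRIGGER audit_research_write AFTER UPDATE ON research
BEGIN
    INSERT INTO access_log
        SELECT ts, user_id, 'update', 'research:' || NEW.doc_id FROM session;
END;
"""

PROVISIONING_PROCESS = "hr-onboarding"   # constructed: the only legitimate account source
WORK_HOURS = range(7, 19)                # constructed: 07:00-18:59 counts as working hours

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("alice",      0, PROVISIONING_PROCESS),
        ("bob",        0, PROVISIONING_PROCESS),
        ("hr_audit",   1, PROVISIONING_PROCESS),   # the decoy ID
        ("svc_backup", 0, "alice"),                # created with alice's stolen ID
    ])
    conn.executemany("INSERT INTO research VALUES (?, ?)",
                     [(1, "compound A"), (2, "compound B"), (3, "trial plan")])
    return conn

def record_access(conn: sqlite3.Connection, ts: str, user_id: str, action: str, target: str) -> None:
    """Application-side logging of a read; the decoy trigger fires on this insert."""
    conn.execute("INSERT INTO access_log VALUES (?, ?, ?, ?)", (ts, user_id, action, target))

def update_as(conn: sqlite3.Connection, ts: str, user_id: str, doc_id: int, title: str) -> None:
    """Perform a write on behalf of a user; the DBMS trigger writes the audit row."""
    conn.execute("DELETE FROM session")
    conn.execute("INSERT INTO session VALUES (?, ?)", (user_id, ts))
    conn.execute("UPDATE research SET title = ? WHERE doc_id = ?", (title, doc_id))

def unprovisioned_users(conn: sqlite3.Connection) -> List[str]:
    """Users in the log with no account record, or whose account did not come
    from the provisioning process ('new users appeared on system')."""
    rows = conn.execute("""
        SELECT DISTINCT l.user_id FROM access_log l
        LEFT JOIN accounts a ON a.user_id = l.user_id
        WHERE a.user_id IS NULL OR a.created_by <> ?
        ORDER BY l.user_id""", (PROVISIONING_PROCESS,)).fetchall()
    return [r[0] for r in rows]

def off_hours_activity(conn: sqlite3.Connection) -> Dict[str, int]:
    """Events per user outside working hours ('high volume during non-working hours')."""
    counts: Dict[str, int] = {}
    for ts, user in conn.execute("SELECT ts, user_id FROM access_log"):
        if int(ts[11:13]) not in WORK_HOURS:      # hour field of 'YYYY-MM-DD HH:MM:SS'
            counts[user] = counts.get(user, 0) + 1
    return counts

def decoy_alerts(conn: sqlite3.Connection) -> List[Tuple[str, str, str]]:
    return conn.execute("SELECT ts, user_id, reason FROM alerts ORDER BY ts").fetchall()

def earliest_unauthorized_action(conn: sqlite3.Connection) -> Optional[Tuple[str, str]]:
    """Earliest logged event by a decoy or unprovisioned account."""
    suspects = set(unprovisioned_users(conn)) | {u for _, u, _ in decoy_alerts(conn)}
    rows = conn.execute("SELECT ts, user_id FROM access_log ORDER BY ts").fetchall()
    return next(((ts, u) for ts, u in rows if u in suspects), None)

# Constructed access events in the pattern of the case study.
EVENTS = [
    ("2007-02-20 09:15:00", "alice",      "select", "research:1"),
    ("2007-02-20 23:40:00", "svc_backup", "select", "research:1"),
    ("2007-02-21 02:05:00", "svc_backup", "select", "research:2"),
    ("2007-02-21 02:07:00", "svc_backup", "select", "research:3"),
    ("2007-02-21 03:30:00", "hr_audit",   "select", "accounts"),
    ("2007-02-21 10:00:00", "bob",        "select", "research:2"),
]

def build_sample_db() -> sqlite3.Connection:
    conn = open_db()
    for event in EVENTS:
        record_access(conn, *event)
    update_as(conn, "2007-02-21 02:09:00", "svc_backup", 3, "trial plan v2")
    return conn
```

Run together, the queries answer the questions on the counter-measures slide from the log alone: who was targeted (the research table), which account was self-established (svc_backup, created by a user rather than the provisioning process), and the earliest unauthorized action (its first off-hours read). Keeping the decoy and audit logic in triggers also follows the "limit all accesses to code in DBMS" point: the application cannot read or write the sensitive table without the DBMS recording it.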
A Database Perspective
Outside of DBMS – problem
Went after files themselves
Common file names in industry
Encrypted files
ASM – help or hurt?
Can DBMS files be set up so that only DBMS can access? Just a thought
A Database Perspective
Data and workflow interwoven
Just some ideas today. Good food for thought
A Database Perspective
Reference: Windsor, S. Case Study of a Professional Hacker’s Data Mining Intrusion. Presented at 2007 Maryland CyberSecurity Forum. February 22, 2007 at UMUC.