A Risk Assessment Tool for Network Resilience Evaluation

Published on January 2017

WHITE CYBER KNIGHT – A RISK ASSESSMENT TOOL FOR NETWORK RESILIENCE EVALUATION

Eyal Adar †, Founder and CEO – iTcon Ltd.

Gwendal Le Grand *, Associate Professor, ENST, France.

Keywords: Risk Assessment, Telecommunications, Complex Infrastructures, Complex Networks, Network Resilience

Abstract

The Communication Sector is one of the areas which, over the past several years, evolved most significantly and caused revolutions in both system-wide and system-use aspects. These revolutions have resulted in many communication networks being set up without adequate consideration of the risks involved. The existing RM (Risk Management) concepts are high level, and must be adapted to cope with the specific needs and risks of the communication world. This article aims to:

• Analyze the main existing RM concepts and point out those which can be applied to complex communication systems.
• Define the specific elements which need to be examined while assessing the risks to communication systems, and define how RM software can aid in the process.

The use of RM applications applied specifically to critical and complex communication systems can significantly assist in bridging the gap in communication systems RM which was created in the past few years, and cut down IT Management costs.

Introduction: Risk Management in Telecom Today

Today, increasingly complex and IT-dependent digital elements (computers, networks, contents, etc.) or infrastructures are at the center of our lives; they constitute the essential pillars of our communication, economic, social and institutional infrastructures. Security and threat mitigation within those systems has thus implicitly become a fundamental stake for the citizen (to preserve his privacy), for the company (to protect digital assets and transactions), and for the states (to protect their critical infrastructures, and ensure the smooth continuity of the government and government services, etc.). Generalized access to infrastructures like the Internet or mobile 3G telephone infrastructures has profoundly modified users’ behaviors and has radically changed the risks they and the infrastructures are facing.

Although several security measures exist, trust in the digital world is not sufficient for several reasons. On the one hand, security technologies are not yet widespread due to the complexity involved in deploying them. On the other hand, ICT (Information and Communication Technologies) are particularly vulnerable due to the heterogeneity of systems, terminals, users, and infrastructures, which all require regular upgrades, and to the interconnectivity of infrastructures, the mobility of the users, and the facility to launch remote or distributed attacks.

Risk assessment is therefore an essential stake in our societies, and it remains a burden because of its complexity. It is necessary to adopt a global vision that takes into account not only technical elements like cryptographic protocols used to provide confidentiality or infrastructure resilience, but also economic aspects like the impact an attack could have on the business or on the corporate image of a company.

Interdependencies between infrastructures will also play a major role in the near future since they will certainly be exploited to build attacks using their interplay, while the attacked infrastructure may not necessarily be the final designated target. The effects of such attacks will be disseminated rapidly through a domino effect and the chain of events will be difficult to predict or control in time before a major breakdown happens.

Therefore, infrastructure and service risk and crisis management must play an increasing role: since it is impossible to make a system error-free and invulnerable, it is necessary to cope with identifiable, controllable and quantifiable risks. This must be accomplished through various types of actions: the design of efficient risk assessment tools, the development of crisis management models, the certification of systems and products, etc.

In subsequent sections of the paper, we will first examine the challenges related to complex risk management in telecommunication. We will then present existing frameworks and methodologies for risk analysis. Then, we will focus on specific parameters for telecom risk assessment and provide an example evaluation checklist. Finally, we will introduce WCK (White Cyber Knight), a software tool which constitutes a possible answer to risk assessment requirements.

Dealing with Complex Risk Management Challenges

The growing field of risk management plays an important role in mitigating and managing risks of complex and distributed architectures and environments. However, this field is not yet fully standardized, and different RM methods cover different RM aspects. Within the different frameworks which currently exist for assessing risk in such environments, many methods are very high level oriented. From industry inputs, there is little use of these methodologies by IT operations staff on a day-to-day basis. The products used often include software tools that address specific IT platforms, and lack the "over-all" security assessment ability.

In order to adapt these frameworks towards a more practical application for the telecom world, a layer of additional analysis is needed; such a layer must rely upon a thorough and multi-faceted understanding of the telecom world's unique business needs and requirements, and its specific systems and protocols. This assessment layer should include concrete checklists which will adhere to these parameters. Practical methodologies that can bridge this gap are required. These should enable the identification of critical paths through an understanding of the telecommunications sector's unique business processes, as well as the ability to apply an additional assessment layer which deals with the specific parameters which will be discussed in this article.

A solution to the complex problems we have stated here lies in utilizing a combination of 3 realms:

• RM framework or methodology layer which includes risk analysis
• Controls and policies – IT governance layer
• Specific checklists (detailed controls) or questionnaires aimed to identify the telecom specific vulnerabilities

[Figure 1: Describes how these 3 elements operate and interact. Labels: IT Governance and Management (COBIT, ITIL); Security Governance, assessment fields, RM life cycle (ISO17799, ISF, GAISP, OCTAVE, SysTrust); Detailed Controls, technical, policy, operational (NIST, CIS, FFIEC, EESA); Evaluate Using Automated Software Tool.]

RM Framework or Methodology Layer Which Includes Risk Analysis

The following are examples of some of the leading RM frameworks:

• Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE®) [1]: The Octave approach is a systematic way for an organization to address its information security risks, sorting through the complex web of organizational and technological issues. The OCTAVE approach includes a set of criteria that defines the requirements for a comprehensive, self-directed information security risk evaluation, and a set of methods consistent with the criteria. Octave was developed by Software Engineering Institute at Carnegie Mellon University.
• COBIT® [2]: COBIT, Control Objectives for Information and related Technology, is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT® is sponsored and funded by the IT Governance Institute (affiliate of the Information Systems Audit and Control Association). The Framework emphasizes best practices and leverages other recognized methodologies and tools such as COSO, ISO, ITIL, NIST and AICPA. Its focus is on helping leaders understand and manage the risks relating to IT and the links between the management process, the technical questions, the need for control and the risks.
• Thales SHIELD™ [3]: Thales SHIELD is a complete system that combines different areas from intelligence gathering and analysis, communications and network security, physical security to crisis management, to provide a fully integrated solution for nations, regions and institutions potentially vulnerable to intrusive security strikes or threats.

[1] http://www.cert.org/octave/

[2] http://www.isaca.org/cobit/
[3] http://shield.thalesgroup.com/

Figure 2: the COBIT® risk assessment framework

Focusing on the RM framework layer, in this context we will recommend COBIT® as a risk management framework, due to the following advantages:

• It is one of the only RM frameworks which deal with organizational processes.
• It is a well respected and recognized tool - even by regulators.
• It is an excellent methodology for getting various parts of an organization to speak the same language.
• COBIT® looks at IT in general - not just at security, and it includes detailed assessment domains, systems and programs.
• It facilitates communication with top level executives and provides an excellent management perspective (e.g., CMM).
• It was planned and designed to interface with other methods, which makes it an open framework.

Controls and Policies – IT Governance Layer - ISO 17799 [4]

ISO (the International Organization for Standardization) along with IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. The stated purpose of ISO 17799 is to provide a common basis for developing organizational security standards and effective security management practice and to provide confidence in inter-organizational dealings. Originally developed in the UK, the standard has gained much popularity and is a favored risk assessment approach in Europe. It is typically used in larger organizations, especially those involved with international activities. ISO offers very specific guidance that requires specific modification and adaptation. ISO 17799 is often referenced and leveraged by other well-known methodologies.

ISO 17799 spans the following fields:

1. Security Policy
2. Organizational Security
3. Asset Classification and Control
4. Personnel Security
5. Physical and Environment Security
6. Communications and Operations Management
7. Access Control
8. System Development and Maintenance
9. Business Continuity Management
10. Compliance

Moreover, ISO 17799 has some specific relevant advantages, such as:

• Very detailed guidance
• Standard of standards
• Common language
• Well-known
• Favored by large business enterprises

Despite its many advantages as an RM framework, ISO 17799 does not supply the required technological depth to cover all technical aspects, which is why more detailed, specific checklists are required.

[4] http://www.iso.org/iso/en/prods-services/popstds/informationsecurity.html

Specific Checklists (Detailed Controls) or Questionnaires Aimed to Identify the Telecom Specific Vulnerabilities

In order to identify specific vulnerabilities in telecom systems, several checklists and methods may be used. They include:

• End to End Security Assessment (EESA™) [5]: EESA is an assessment method which deals with Critical Information Infrastructure Protection (CIIP). It analyzes the "Security Quality of Service" (SQOS) along the path of critical processes within a business environment or system and evaluates whether the security mechanisms along it are adequate for protecting against likely threats. The uniqueness of EESA lies in the fact that the analysis covers both strategic issues as well as very detailed technical security design issues. Ranging from business layer to IT layers (from business processes through systems and applications and infrastructure), it provides an interdisciplinary, business oriented assessment method.
• NIST [6]: ITL (Information Technology Laboratory within the NIST) develops technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in federal computer systems. Publications issued report on ITL’s research, guidance, and outreach efforts in computer security, and its collaborative activities with industry, government and academic organizations. As governmental agencies, banking regulators frequently participate in NIST research and are audited against these guidelines. Many other methodologies leverage the work performed by the NIST. It also includes many detailed checklists tailor-cut for specific realms and sectors.
• Specific Telecom Driven Vulnerability Checklists which will be presented in this article.

A possible way of combining these realms could be using a sophisticated software tool that will enable a more efficient analysis of the data. Combining these three elements will allow risk managers to better deal with the complexity and technological difficulties, while saving time and manpower.

In the following, we aim to demonstrate how these 3 elements contribute to the creation of a holistic and telecom-applied risk management view, when used with a comprehensive software tool which automates many of the assessment and risk management processes.

[5] http://www.iabg.de/acip/doc/ergebnisse_workshop_2002_12_bruessel/EESA-basics.pdf
[6] http://csrc.nist.gov/pcig/index.html

Telecom Risk Assessment Parameters

Several important parameters should be covered in risk assessment for future complex communication networks. Based upon these parameters we will mention several telecom specific vulnerabilities that need to be addressed. This will be the basis of a checklist or baseline in our example. These include (but are not limited to):

• Overall threat and vulnerability assessment:
  o Vulnerability of content – destruction, modification, copy, etc. – and its volatility, which is critical in a world where broadband wireless and ubiquitous access are generalized.
  o Vulnerability of media – on which the content is stored or sent (hard disks, wireless transmission links, etc.)
  o Vulnerability of access and access control means – for example, what devices should connect to the network, or the ability to prevent potentially dangerous devices (that are infected by viruses or spyware) or content from penetrating a corporate network. Moreover, increased interconnection of infrastructures eases remote and distributed attacks, which makes access control even more critical.
  o Vulnerability of well known technologies, operating systems, or protocols – on which networks and systems rely worldwide.
  o Vulnerability of complexity – complex and non error-free systems require constant upgrades that may be insecure and introduce new vulnerabilities or failures.
  o Vulnerability of interdependencies – interdependencies of similar and different infrastructures (e.g. two telecom operators or a telecom operator and a power provider).
• Security of communications, characterized by security objectives expressed in terms of confidentiality (non-disclosure to unauthorized persons), integrity (non-alteration of content) and availability (the ability of licensed users to use digital assets).
• Certification or standards compliance.
• Trust with respect to the reliability and confidentiality of operations, operators, infrastructures and software.
• Safety (security of people and goods).
• Resilience of infrastructures which characterizes their ability to resist attacks or failures. Resilience should consider self-learning, self-healing and fast cicatrisation properties of a system with respect to a set of canonical attacks.
• Cost of security or of insecurity evaluates the economic impact (profit loss and indirect losses due to a degradation of the corporate image) related to mitigating or accepting an identified vulnerability.
• Security policy of the system and crisis management models, together with protection measures within legal frameworks.

An Example of a Telecom Risk Assessment Evaluation Checklist

There is a growing need for an additional layer of evaluation in order to fully assess the specific vulnerabilities and risks inherent to the telecom field. It seems prudent that this additional layer should include specific risks and vulnerabilities driven by the business process of the infrastructure being assessed. We offer an example of a concrete baseline, based upon the aforementioned parameters, as an evaluation checklist. This checklist should allow an evaluator to identify and assess the unique vulnerabilities of the telecom world.

Threats to the Security of Communications

The core business of the telecommunications field is the communication of data. Given this, it is crucial to view the unique threats to this data in terms of the confidentiality, availability, and integrity of the data being communicated:

• Eavesdropping, fraud and call theft
• Disclosure and/or alteration of sensitive billing information
• Unauthorized use of resources such as illicit use of telephony
• Interrogation of secure databases
• Risk of data disclosure due to IP based infrastructure linked with other networks

Interdependencies and Threats to the Resilience and Availability of Infrastructures

Examples of possible interdependencies or threats to the resilience and availability of infrastructures include:

• Reliance of the telecom infrastructure upon a single energy infrastructure creates an obvious dependency, which poses a potential risk to the resilience of the telecom infrastructure in any case of a regional power outage.
• Extensive use of third party software, which has also been described in the ACIP report as "The far most feared and seen most realistic threat is due to software dependence in both the operational and the production network", creates a major threat which affects the entire telecommunications world. Most service providers use important key components from several specific vendors, so that one could affect many operators and render an entire infrastructure unavailable.
• Cellular networks are particularly vulnerable to jamming by using RF energy to swamp receiver sites, and to denial of service attacks on central cellular communication nodes.

Vulnerability of Telecom Specific Technologies

Recent ACIP research [7] revealed that most telecom providers rely on dedicated, specific hardware and communications equipment from a single vendor – one major bug or failure of such equipment may cause an infrastructure-wide crash, as mentioned here. Additionally, usage of telecom specific technologies creates a wide range of vulnerabilities which are unique to the telecom world:

• The GPRS method is primarily based upon IP, a protocol well known to hackers and vulnerable to many exploits which previous communications protocols have been immune to due to their relative obscurity outside of the telecom field.
• Dedicated communications equipment from a single vendor creates a single point of failure for the entire infrastructure.

Vulnerability of Access and Access Control

As described previously, the increased interconnection of infrastructures and the enhanced mobility of information systems today make it an even more crucial and complex challenge to properly identify devices, users and other entities in a communications infrastructure. Additionally, there are several unique issues for telecom in this aspect that come to mind:

• Poor GSM authentication mechanisms do not allow sufficient assurance when devices roam between cells.
• Difficulty to enforce content filtering and strong authentication when mobile communication components interact with other communications networks – ID and data migrate through different and segregated worlds (from a cellular network to the enterprise IT infrastructure for example), with minimal or no control.

Threats to the Business Viability of the Telecom Service Provider

The potential vulnerabilities mentioned in this article could also project onto the provider's brand image. Any such damage to the telecom service provider's brand image and public relations status should be considered as a potential threat to its business viability.

[7] ACIP CIP Telecom Operators Case Study: http://www.iabg.de/acip/doc/wp2/D2_3_Summary_of_the_Interview_Findings.pdf
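The interdependency and single-vendor items in the checklist above can be evaluated mechanically once dependencies are written down. The following is an added example, not part of the original paper or of WCK: it propagates a single failure through a constructed dependency map and reports which shared components take down services, including across operators. All component names, the redundancy-group model and the data are assumptions made for illustration.

```python
# Added example: constructed dependency map, all component names hypothetical.
# Each component lists requirement groups. A group is satisfied while at
# least one of its members is still up (redundancy), so a one-member group
# is a hard dependency.
REQUIRES = {
    "op_a_voice": [["op_a_core"]],
    "op_a_gprs": [["op_a_core"], ["ip_backbone"]],
    "op_b_voice": [["op_b_core"]],
    # Operator A has no backup power; operator B has a generator.
    "op_a_core": [["vendor_x_switch_sw"], ["regional_grid"]],
    "op_b_core": [["vendor_x_switch_sw"], ["regional_grid", "op_b_generator"]],
    "ip_backbone": [["regional_grid", "backbone_ups"]],
}

# Customer-facing services and the operator that owns each one.
SERVICE_OWNER = {
    "op_a_voice": "operator_a",
    "op_a_gprs": "operator_a",
    "op_b_voice": "operator_b",
}


def cascade(initial_failures):
    """Return every component that is down once the failure has propagated."""
    down = set(initial_failures)
    changed = True
    while changed:  # iterate to a fixed point (the "domino effect")
        changed = False
        for component, groups in REQUIRES.items():
            if component in down:
                continue
            # A component fails when any one of its groups has no member left.
            if any(all(member in down for member in group) for group in groups):
                down.add(component)
                changed = True
    return down


def lost_services(component):
    """Services that stop when this one component fails on its own."""
    return sorted(s for s in cascade({component}) if s in SERVICE_OWNER)


def all_components():
    members = {m for groups in REQUIRES.values() for g in groups for m in g}
    return members | set(REQUIRES)


def single_points_of_failure():
    """(component, lost services) pairs, worst first; services are excluded."""
    findings = []
    for component in sorted(all_components() - set(SERVICE_OWNER)):
        lost = lost_services(component)
        if lost:
            findings.append((component, lost))
    findings.sort(key=lambda f: (-len(f[1]), f[0]))
    return findings


def cross_operator_risks():
    """Components whose single failure affects more than one operator."""
    return [
        component
        for component, lost in single_points_of_failure()
        if len({SERVICE_OWNER[s] for s in lost}) > 1
    ]


if __name__ == "__main__":
    for component, lost in single_points_of_failure():
        print(f"{component}: {len(lost)} service(s) lost -> {', '.join(lost)}")
    print("cross-operator:", cross_operator_risks())
```

In this constructed map the regional grid only affects the operator without backup power, while the shared vendor component is the one finding that crosses operator boundaries.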

Integrating Specific Checklists into the Assessment Process

The aforementioned specific vulnerabilities could be integrated as checklists into the assessment process as an additional, detailed technical layer as figure 3 describes.

[Figure 3: This figure describes how the specific questionnaires integrate in the RM process shown in figure 1. Labels: IT Governance and Management (COBIT, ITIL); Security Governance, assessment fields, RM life cycle (ISO17799, ISF, GAISP, OCTAVE, SysTrust); Detailed Controls, technical, policy, operational (NIST, CIS, FFIEC, EESA); Sector Driven Controls, technical, very detailed (Banking, Telecom, Energy, Pharma); Evaluate Using Automated Software Tool.]

WCK – a Possible Solution

Addressing the complexities of integrating the frameworks, methodologies and assessment criteria with specific questionnaires could only be done using a highly sophisticated software tool engineered to perform this task. In addition, specific parameters, or rather checklists, must be applied in order to accurately analyze the unique telecommunications security vulnerabilities and risks.

In order to encompass all of these elements, a comprehensive answer for a complex problem is needed. Such a solution will be able to bridge the analysis gap through integration of a smart "learning" automated software tool, which is capable of applying such checklists to analyze the risk in view of all the parameters previously mentioned, while operating within the assessment frameworks effectively.

Such a tool would ideally supply a single person a thorough and panoramic view while mitigating risks which emanate from one environment and affect several. It could be used by system operators, or by information security managers, as it offers a clear picture of the infrastructure and systems security status. It could also be used for further research on the subject, as it allows a comprehensive, single-point look at an entire infrastructure's strong and weak points, while accommodating all of the various parameters that should be considered.

An example of such an automated risk management tool, currently under development, is White Cyber Knight™ [8].

[Figure 4: The White Cyber Knight™ assessment process. Labels: Risk Analysis Process (dynamic questionnaire, risk analysis, countermeasures, implementation status); Risk Analysis Management (workflow, assignment of tasks, aggregation of results, risk mitigation follow-up); Organizational Risk Map and Managerial Reports (by organization units, by security areas, costs, security measures, continuous improvement); roles shown: Auditor, Risk Evaluator, Head of RM Team, Management, Global Security Officer; WCK System.]

White Cyber Knight™ is an expert RM system. The tool is designed for CIP, with an emphasis on Critical Information Infrastructure Protection (CIIP). The tool is based on an advanced RA engine. It is capable of providing a comprehensive risk map, which is driven by a wide variety of aspects which affect organization security. This includes: human behavior, policies and regulations, critical business processes, architecture of IT systems, and technical vulnerabilities, among others. WCK provides the ability to implement infrastructure-specific analysis parameters while operating under an assessment framework such as COBIT® in order to manage security risks in distributed environments and to follow up risk mitigation activities, and finally allows the Chief Security Officer (CSO) and the IT manager to measure their success over time.

Epilogue

This article is a milestone in a joint research effort, aiming to identify through cooperation the specific threats, vulnerabilities, and risk management solutions for the telecom era, that can be assessed in an efficient way by an automated tool.

[8] http://www.WhiteCyberKnight.com


Authors' Biographies

Gwendal Le Grand *

Gwendal Le Grand has worked as an Associate Professor in the Computer Science and Network Department of ENST (Ecole Nationale Supérieure des Télécommunications, Paris, France) since 2001. Gwendal received his PhD in computer science from the University of Paris 6 in July 2001. His main research interests are oriented towards security of information systems, critical information infrastructure protection, and wireless mesh networking. He is currently involved in several European projects in the field of security and critical infrastructures protection (IST FP6 SEINIT, CI2RCO, DESEREC, and IRRIIS). He teaches advanced networks and security at ENST.

Eyal Adar †

Eyal Adar is one of the leading experts in the area of CIP (Critical Infrastructure Protection) and information security. Eyal is the founder and CEO of iTcon Ltd., a consulting firm specializing in enterprise security architecture in the telecom, finance and energy sectors. Mr. Adar is one of the founding editors of the European CIIP Newsletter (see: http://www.ci2rco.org/ecn/European CIIP newsletter No 1.pdf), and participated in several European projects such as ACIP which determined the research plan in the field for the EU in the next 5 years. He is also a member of the advisory board of CI2RCO, which coordinates European research in the field of CIP. Mr. Adar is also one of the chief security strategists behind the Israeli government E-Government project.

* Télécom Paris, 46 rue Barrault, 75634 Paris Cedex, France. Tel: +33 1 45 81 77 77, Fax: +33 1 45 89 79 06

† iTcon Ltd, Atidim – Building 4, P.O.B 10147, Tel Aviv 61101, Israel. Tel: +972 3 6490039, Fax: +972 3 6490110
