Portunes: generating attack scenarios by finding inconsistencies between security policies in the physical, digital and social domain
The security goals of an organization are implemented through security policies, which concern physical security, digital security and security awareness.
An insider is aware of these security policies, and might be able to thwart the security goals without violating any policies, by combining physical, digital and social means.
This paper presents the Portunes model, a model for describing and analyzing attack scenarios across the three security areas. Portunes formally describes the security alignment of an organization and finds attack scenarios by analyzing inconsistencies between policies from the different security areas. For this purpose, the paper defines a language in the tradition of the Klaim family of languages, and uses graph-based algorithms to find attack scenarios that can be described using the defined language.
Portunes: representing attack scenarios spanning through the physical, digital and social domain
The security goals of an organization are realized through security policies, which concern physical security, digital security and security awareness. An insider is aware of these security policies, and might be able to thwart the security goals by combining physical, digital and social means. A systematic analysis of such attacks requires the whole environment where the insider operates to be formally represented. This paper presents Portunes, a framework which integrates all three security domains in a single environment. Portunes consists of a high-level abstraction model focusing on the relations between the three security domains and a lower abstraction level language able to represent the model and describe attacks which span the three security domains. Using the Portunes framework, we are able to represent a whole new family of attacks where the insider is not assumed to use purely digital actions to achieve a malicious goal.
Security Policy Alignment: A Formal Approach
Security policy alignment concerns the matching of security policies specified at different levels in socio-technical systems, and delegated to different agents, technical and human. For example, the policy that sales data should not leave an organization is refined into policies on door locks, firewalls and employee behavior, and this refinement should be correct with respect to the original policy. Although alignment of security policies in socio-technical systems has been discussed in the literature, especially in relation to business goals, there has been no formal treatment of this topic so far in terms of consistency and completeness of policies. Wherever formal approaches are used in policy alignment, these are applied to well-defined technical access control scenarios instead. Therefore, we aim at formalizing security policy alignment for complex socio-technical systems in this paper, and our formalization is based on predicates over sequences of actions. We discuss how this formalization provides the foundations for existing and future methods for finding security weaknesses induced by misalignment of policies in socio-technical systems.
Two methodologies for physical penetration testing using social engineering
Penetration tests on IT systems are sometimes coupled with physical penetration tests and social engineering. In physical penetration tests where social engineering is allowed, the penetration tester directly interacts with the employees. These interactions are usually based on deception and, if not done properly, can upset the employees, violate their privacy or damage their trust toward the organization, and might lead to lawsuits and loss of productivity. We propose two methodologies for performing a physical penetration test where the goal is to gain an asset using social engineering. These methodologies aim to reduce the impact of the penetration test on the employees. The methodologies have been validated by a set of penetration tests performed over a period of two years.
Understanding How Components of Organisations Contribute to Attacks
Attacks on organisations today exploit many different layers, including building infrastructure, IT infrastructure, and the human factor – the physical, virtual, and social layer. Identifying possible attacks, understanding their impact, and attributing their origin and contributing factors is difficult. Recently, system models have been used for automatically identifying possible attacks on the modelled organisation. The generated attacks consider all three layers, making the contribution of building infrastructure, computer infrastructure, and humans (insiders and outsiders) explicit. However, this contribution is only visible in the attack trees as part of the performed steps; it cannot be mapped back to the model directly, since the actions usually involve several elements (attacker and targeted actor or asset). Especially for large attack trees, understanding the relations between several model components quickly results in a large quantity of interrelations, which are hard to grasp. In this work we present several approaches for visualising attributes of attacks such as likelihood of success, impact, and required time or skill level. The resulting visualisations provide a link between attacks on an organisation and the contribution of parts of the organisation to the attack and its impact.
Alignment of Organizational Security Policies -- Theory and Practice
To address information security threats, an organization defines security policies that state how to deal with sensitive information. These policies are high-level policies that apply to the whole organization and span the three security domains: physical, digital and social. One example of a high-level policy is: "The sales data should never leave the organization." The high-level policies are refined by the Human Resources (HR), Physical Security and IT departments into implementable, low-level policies, which are enforced via physical and digital security mechanisms and training of the employees. One example of a low-level policy is: "There should be a firewall on every external-facing system." The erroneous refinement of a high-level policy into a low-level policy can introduce design weaknesses in the security posture of the organization. For example, although there is a low-level policy that places firewalls on every external-facing system, an adversary may still obtain the sales data by copying it onto a USB stick. In addition, the erroneous enforcement of a low-level policy using a specific security mechanism may introduce implementation flaws. For example, although there might be a firewall on every external-facing system, the firewall might not be configured correctly. The organization needs assurance that these errors are discovered and mitigated. In this thesis we provide methods for testing whether (a) the high-level policies are correctly refined into low-level policies that span the physical, digital and social domain, and (b) low-level policies are correctly enforced in specific mechanisms. Our contributions can be summarized as follows:
1. We propose a formal framework, Portunes, which addresses the correct refinement of high-level policies by generating attack scenarios that violate a high-level policy without violating any low-level policies. Portunes binds the three security domains in a single formalism and enables the analysis of policies that span the three domains. We provide a proof of concept implementation of Portunes in a tool and polynomial time algorithms to generate the attack scenarios.
2. We propose a modal logic for defining more expressive high-level policies. We use the logic to express properties of Portunes models and model evolutions formally. We provide a proof of concept implementation of the logic in the Portunes tool.
3. We propose two methodologies for physical penetration testing using social engineering to address the correct enforcement of low-level policies. Both methodologies are designed to reduce the impact of the test on the employees and on the personal relations between the employees. The methodologies result in a more ethical assessment of the implementation of security mechanisms in the physical and social domain.
4. We provide an assessment of the commonly used security mechanisms in reducing laptop theft. We evaluate the effectiveness of existing physical and social security mechanisms for protecting laptops based on (1) logs from security guards regarding laptop thefts that occurred in a period of two years in two universities in the Netherlands, and (2) the results from more than 30 simulated thefts using the methodologies in contribution 3. The results of the assessment can aid in reducing laptop theft in organizations.
5. We propose a practical assignment for an information security master course where students get practical insight into attacks that use physical, digital and social means. The assignment is based on the penetration testing methodologies from contribution 3. The goal of the assignment is to give the students a broad overview of security and to increase their interest in the field. Besides educational purposes, the assignment can be used to increase the security awareness of the employees and provide material for future security awareness trainings.
Using these contributions, security professionals can better assess and improve the security landscape of an organization.
The UB news application: quick editing guide
Recommendations on typographic aspects to keep in mind when editing news items with the UB news application.