Threat Modeling vs Information Classification

Dominic White

 

Threat Modeling vs Information Classification

This was originally posted on the SensePost blog.

Over the last few years there has been a popular meme talking about information centric security as a new paradigm over vulnerability centric security. I've long struggled with the idea of information-centricity being successful, and in replying to a post by Rob Bainbridge, quickly jotted some of those problems down.

In pre-summary, I'm still sceptical of information-classification approaches (or information-led control implementations)  as I feel they target a theoretically sensible idea, but not a practically sensible one.

Information gets stored in information containers (to borrow a phrase from Octave) such as the databases or file servers. This will need to inherit a classification based on the information it stores. That's easy if it's a single purpose DB, but what about a SQL cluster (used to reduce processor licenses) or even end-user machines? These should be moved up the classification chain because they may store some sensitive info, even if they spend the majority of the time pushing not-very-sensitive info around. In the end, the hoped-for cost-saving-and-focus-inducing prioritisation doesn't occur and you end up having to deploy a significantly higher level of security to most systems. Potentially, you could radically re-engineer your business to segregate data into separate networks such as some PCI de-scoping approaches suggest, but, apart from being a difficult job, this tends to counter many of the business benefits of data and system integrations that lead to the cross-pollination in the first place.

Next up, I feel this fails to take cognisance of what we call "pivoting"; the escalation of privileges by moving from one system or part of a system to another. I've seen situations when the low criticality network monitoring box is what ends up handing out the domain administrator password. It had never been part of internal/external audits scope, none of the vulns showed up on your average scanner, it had no sensitive info etc. Rather, I think we need to look at physical, network and trust segregation between systems, and then data. It would be nice to go data-first, but DRM isn't mature (read simple & widespread) enough to provide us with those controls.

Lastly, I feel information-led approaches often end up missing the value of raw functionality. For example, a critical trade execution system at an investment bank could have very little sensitive data stored on it, but the functionality it provides (i.e. being able to execute trades using that bank's secret sauce) is hugely sensitive and needs to be considered in any prioritisation.

I'm not saying I have the answers, but we've spent a lot of time thinking about how to model how our analysts attack systems and whether we could "guess" the results of multiple pentests across the organisation systematically, based on the inherent design of your network, systems and authentication. The idea is to use that model to drive prioritisation, or at least a testing plan. This is probably closer aligned to the idea of a threat-centric approach to security, and suffers from a lack of data in this area (I've started some preliminary work on incorporating VERIS metrics).

In summary, I think information-centric security fails in three ways; by providing limited prioritiation due to the high number of shared information containers in IT environments, by not incorporating how attackers move through a networks and by ignoring business critical functionality.

Thursday, June 9. 2011
Posted by Dominic White in Security
Comments (2) | Trackbacks (0)

 

Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

#1 Alapan wrote (Link) (Reply)
Posted on Sunday, June 12. 2011
You make some good observations - but I think you miss a fundamental component. Security, holistically, is about the minimisation of risk. In the information age, information is the critical asset, and thus the inappropriate exploitation of information is the greatest risk. You are absolutely correct with regards to the current environment. Current technology is not geared to protect information in the strictest sense. And DRM is immature. And most companies' security policies and processes will not, practically, be able to drive information based security initiatives. In my opinion, information based security is the best way to go for the long term - but it is not practical yet.
 
#2 Rob wrote (Link) (Reply)
Posted on Tuesday, June 14. 2011
I made this response on another blog, but it is relevant here. On Augusto's blog in response to our discussion (http://blog.securitybalance.com) he reiterates the value of having both approaches in an organisation to compliment rather than contradict each other. I agree with this. My view was that the threat modelling helps identify the 'how' of a possible compromise or attack, while the information classification contextualises the 'what' and 'why'. My concern with focusing purely on threat modelling is you may neglect the unintentional threats to information and only focus on intentional malicious attack vectors. A system failure or poor data input controls could negatively impact the availability or integrity of critical information, and happen totally by accident. An organisation needs to understand what information assets it has, where these are stored and processed, and why someone would want to obtain (view, alter or block) this. They can then design security accordingly, and validate its effectiveness through threat modelling and testing. In traditional security terms, classification and associated processes can talk to the method and motivation for an attack, while threat modelling can address the opportunity aspect.
 

Add Comment