1.4. Where do we go from here?
A system assessment must discover security vulnerabilities in the system of interest. The majority of current assessment practices are relatively informal and highly subjective. Because of difficulties caused by development trends and system complexity, they focus primarily on evaluating the development process and a product's documentation rather than formal artifacts. Security testing is rarely performed and can be characterized, at best, as opportunistic. The only exception is the evaluation methodology for high robustness, in which formal methods are applied to assess a system's formal artifacts. However, this process is laborious and costly, which is the key reason most systems are not evaluated in this way. For all these reasons, it is becoming increasingly difficult to establish or verify whether software is sufficiently trustworthy. As these complications will likely continue to evolve, a new approach needs to be developed to provide credible, repeatable, and cost-efficient ways of assessing a system's trustworthiness and managing assurance risks; an approach that still gives us systematic and methodical system coverage in identifying and mitigating vulnerabilities.
Given the internal complexity of the system and the complexity of development trends and the development environment, the only way to achieve this new approach is by implementing automated model-driven assessment.
Over the years, we have followed the uptake of model-driven development, in which more and more new features, applications, and even entire systems are modeled in an implementation-independent way to express technical, operational, and business requirements and designs. These models are prototyped, inspected, verified, and validated before the design is implemented. In the majority of cases, once the design is implemented, the models and their prototypes are discarded. The reason is that throughout the implementation process some of the designs change for various reasons (e.g., the impact of chosen implementation technologies), and going back to update the models and prototypes to keep them current is expensive. In other words, trusted traceability is broken.
1.4.1. Systematic and repeatable defense at affordable cost
Consequently, this approach would create confidence in the security posture of systems. By regaining knowledge of our systems, and accumulating the knowledge of the attackers and their methods, we would be able to reason about the security mechanisms of our systems and clearly and articulately communicate and justify our solutions. This involves a clear and comprehensive game plan, which anticipates the possible moves of the opponent and uses the home advantage and the initiative to build a reasonably strong defense.
It is the nature of cybersecurity to provide a reasonable, justifiable answer to the question of whether the countermeasures implemented in the target system adequately mitigate all threats to that system. This answer is what is sometimes called the security posture of the system. Evaluating security posture requires detailed knowledge; in particular, knowledge of the factors internal to the system, such as the system boundaries, components, access points, countermeasures, assets, impact, policy, design, etc., as well as the external factors, such as threats, hazards, the capability and motivations of the threat agents, etc. A vulnerability can be described as a situation in which a particular threat is not mitigated; it represents the possibility of an attack, waiting for a motivated attacker to discover the situation and execute the attack steps.
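The "vulnerability as unmitigated threat" view can be made concrete with a minimal sketch. All names below (the threats and countermeasures) are illustrative assumptions, not drawn from any standard catalog:

```python
# Minimal model: a vulnerability exists wherever an identified threat
# has no countermeasure mapped to it. Names are hypothetical examples.

threats = {
    "sql_injection": "attacker alters queries via unsanitized input",
    "credential_theft": "attacker captures login credentials in transit",
    "privilege_escalation": "attacker gains admin rights from a user account",
}

# Map each countermeasure to the set of threats it mitigates.
countermeasures = {
    "parameterized_queries": {"sql_injection"},
    "tls_everywhere": {"credential_theft"},
}

mitigated = set().union(*countermeasures.values())
vulnerabilities = set(threats) - mitigated

print(sorted(vulnerabilities))  # → ['privilege_escalation']
```

The point of the sketch is the set difference: the model says nothing about how hard each attack is, only which threats are left standing for a motivated attacker to find.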
Answering the cybersecurity question is not easy because of uncertainty. There is a great deal of uncertainty associated with any external factors, but there is uncertainty associated with the internal factors too, because our knowledge of a complex target system is not perfect. There may be some uncertainty about the impact of incidents on the business, and even about the validity of the security policy. In a slightly different sense, there is uncertainty about the behavior of the system, but this uncertainty is related only to the current state of our knowledge and can be removed (at a certain cost) by analyzing the system more deeply.
Two disciplines, security engineering and risk assessment, address the cybersecurity question from different perspectives. Security engineering addresses this question in a practical way by selecting the countermeasures and building the target system. It emphasizes building the system rather than communicating knowledge about the system, although some design documentation may be one of the outputs of a solid engineering process. Security engineering often uses "tried and tested" solutions based on "best practices," and selects countermeasures from catalogs. This pragmatic approach avoids analysis of threats and their mitigation by the security architecture, so justification is often done by reference to the recommended catalog of countermeasures. A clear, comprehensive, and defensible justification of the system's security architecture ought to be one of the mainstream activities of security engineering; however, there is little evidence that this is being done, in part because of the mismatch between the qualifications required for systems engineering, system validation, and verification on the one hand, and security validation, verification, and assurance on the other. It is not uncommon to push some uncertainty onto the market: the system is released and patched later, as vulnerabilities are found by someone else and reported back to the engineering team.
Risk assessment is usually considered to be part of the management and governance of the system. Risk assessment answers the cybersecurity question by evaluating the system. Usually there are two points in the system life cycle when such evaluation takes place: one as early as possible, right after the countermeasures have been selected, and the other as late as possible, when the entire system has been implemented and is ready to be put into operation. The decision-making process of risk assessment involves analyzing the threats to the system, the countermeasures, and the vulnerabilities. The emphasis of risk assessment is to identify the risks that need to be managed, not to communicate knowledge about the system. Neither is a clear, comprehensible, and defensible justification of the system's security architecture a mainstream activity of risk assessment. The nature of risk assessment is to identify problems, not to justify that the available solution is adequate.
Risk assessment provides a probabilistic approach to dealing with uncertainty in our knowledge about the system. Lower-end varieties of risk assessment offer a "best practice" approach, often based on a "best guess." This works because risk assessment is a pragmatic discipline, which generates the list of risks to manage and the list of recommended new countermeasures that would lower the risk. Since risk assessment is part of ongoing risk management, any miscalculations can be addressed as more operational data becomes available. Risk assessment provides input to engineering, which evaluates the recommendations and implements them.
As you can see, justifying a system's security posture, and communicating this knowledge in a clear, comprehensive, and defensible way, is not addressed by either security engineering or risk assessment. Engineering builds solutions. Validation and verification justify that the solution corresponds to the requirements, objectives, and policy. Risk assessment looks for problems, identifies them, and justifies the significance of their existence. Risk assessment also recommends mitigating solutions. On the other hand, assurance is considered by many to be an optional activity, applicable only to a limited number of high-profile systems where high security and safety is a "must have," such as nuclear reactors. The reason is the perceived high cost of assurance activities. However, it is important to note that assurance closes some gaps in both security engineering and risk analysis.
The Information and Communication Technology (ICT) security community refers to "Assurance" as confidence and trust that a product or service will function as advertised and provide the intended results, or else be replaced or reconditioned. It refers to the security of the product or service, and to the product or service fulfilling the requirements of the situation, satisfying the Security Requirements.
The Cybersecurity Assurance community expands this description of Assurance to talk explicitly about vulnerabilities. The National Defense Industrial Association (NDIA) Engineering for System Assurance Guidebook [NDIA 2008] defines "Assurance" as "justified measures of confidence that the system functions as intended and is free of exploitable vulnerabilities, either intentionally or unintentionally designed or inserted as part of the system at any time during the life cycle." This new definition, besides arguing positive properties ("does function as intended"), adds the need to argue negative properties ("does not contain exploitable vulnerabilities"), which requires more comprehensive assurance methods. This book describes a framework for implementing comprehensive assurance for cybersecurity, with emphasis on automation.
The Cybersecurity community more often refers to "Assurance" as "System Assurance" or "Software Assurance" (emphasizing the importance of vulnerabilities in the software itself). According to the Cybersecurity community, system assurance as a discipline studies the methods of justifying cybersecurity. It is a systematic discipline that focuses on how to provide justification that the security posture is adequate. System assurance develops a clear, comprehensive, and defensible argument for the security of the system. In order to support the argument, concrete and compelling evidence must be collected. One of the sources of evidence is system analysis. System assurance deals with uncertainty through a special kind of reasoning that involves the architecture of the target system. Instead of a never-ending process of seeking more and more data to eliminate the fundamental uncertainty, system assurance uses layered defense considerations to address the unknowns. Needless to say, the assurance argument benefits from the available knowledge related to both the external and the internal factors of cybersecurity.
The reasoning provided by the system assurance discipline is used in the context of engineering as well as risk assessment. System assurance is a form of systematic, repeatable, and defensible system evaluation that provides more detailed results than a traditional "best-practice" approach. The key difference between the system assurance approach and traditional risk assessment is that assurance justifies the claims about the security posture of the system. Assurance is a direct way to build confidence in the system. A deficit of assurance can be directly transformed into requirements for additional countermeasures. On the other hand, while evidence of risks, produced by detecting vulnerabilities, can also be transformed into countermeasures, it does not build confidence in the system, because the absence of detected vulnerabilities makes only a weak, indirect case about the security posture of the system. This is why we need system assurance. This is why we need to move beyond detecting vulnerabilities.
The answer to weaponized exploits and malware is to automate security analysis, automate the checklists involved in threat and risk analysis, and use the assurance case as a planning tool for establishing defense in depth.
From the system assurance perspective, deficiencies in the argument indicate defects in the defense. Particular points in the architecture of the system that prevent us from building a defensible assurance argument are the candidates for the engineering to fix. The new, improved mechanisms will directly support the assurance argument and, at the same time, improve the security posture of the system.
Collecting evidence for assurance, in particular within the layered defense argument, places greater demands on the depth of the system analysis and the accuracy of the corresponding data.
1.4.2. The OMG software assurance ecosystem
An ecosystem refers to a community of participants in knowledge-intensive exchanges involving an explicit and growing shared body of knowledge and corresponding automated tools for collecting, analyzing, and reporting on the various facets of knowledge, as well as a market where participants exchange tools, services, and content in order to solve significant problems. The essential characteristic of an ecosystem is the establishment of knowledge content as a product. An ecosystem involves a certain communication infrastructure, sometimes referred to as "plumbing," based on a number of knowledge-sharing protocols provided by a number of knowledge-management tools.
The purpose of the ecosystem within a cybersecurity community is to facilitate the collection and accumulation of the cybersecurity knowledge needed for assurance, and to ensure its efficient and affordable delivery to the defenders of cybersystems, as well as to other stakeholders. An important feature of cybersecurity knowledge is the separation between general knowledge (applicable to large families of systems) and concrete knowledge (accurate facts related to the system of interest). To illustrate this separation, a certain area at the bottom of the ecosystem "marketplace" in the middle of Figure 1 represents concrete knowledge, while the rest represents general knowledge. Keep in mind that "concrete" facts are specific to the system of interest, so the "concrete knowledge" area represents multiple local cyberdefense environments, while the "general knowledge" area is the knowledge owned by the entire cyberdefense community. The icons titled "defender," "inspector," and "stakeholder" in Figure 1 represent the people interested in providing assurance of one individual system. Basically, this is your team.
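The general/concrete split can be sketched as community-owned patterns applied to one defender's local facts. Everything below (the pattern names, the fact schema) is an illustrative assumption, not part of any ecosystem standard:

```python
# General knowledge: predicates over component facts, shared by the
# community and applicable to large families of systems.
general_patterns = {
    "unencrypted_access_point": lambda fact: (
        fact["kind"] == "access_point" and not fact["encrypted"]
    ),
    "default_credentials": lambda fact: (
        fact["kind"] == "account" and fact["password"] == "default"
    ),
}

# Concrete knowledge: accurate facts about one system of interest,
# owned by the local cyberdefense environment.
system_facts = [
    {"id": "ap1", "kind": "access_point", "encrypted": True},
    {"id": "ap2", "kind": "access_point", "encrypted": False},
    {"id": "svc", "kind": "account", "password": "default"},
]

# The assessment applies community knowledge to local facts.
findings = [
    (name, fact["id"])
    for name, matches in general_patterns.items()
    for fact in system_facts
    if matches(fact)
]
print(findings)  # → [('unencrypted_access_point', 'ap2'), ('default_credentials', 'svc')]
```

The design point is that the patterns never mention a specific system and the facts never mention a specific pattern; either side can be replaced or updated independently, which is what allows the general knowledge to be owned by the community while the concrete knowledge stays local.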
The OMG Software Assurance Ecosystem defines a stack of standard protocols for the knowledge-based tools, including knowledge discovery tools, knowledge integration tools, knowledge transformation tools, knowledge provisioning and management tools, and knowledge delivery tools.
1.4.3. Linguistic modeling to manage the common vocabulary
The key requirement for knowledge exchange between tools in the ecosystem is a common, agreed-upon vocabulary that represents the conceptual commitment of the participants. Numerous individuals and organizations regularly gather and disseminate computer security information, describing security events as well as the characteristics of computer and network systems. Unfortunately, much of this information cannot currently be combined or compared without significant manual effort, because a common vocabulary has yet to emerge in the field of computer security: the terms currently in use tend to be unique to different individuals and organizations.
Devising a common vocabulary for cybersecurity is the first logical step in the industry's evolution from proprietary, in-house, stovepipe solutions to an efficient and collaborative cybersecurity ecosystem that can take advantage of economies of scale. An established standard vocabulary brings several tangible benefits and justifies the effort required. Indeed, at the heart of any security assessment project is the need to manage and integrate multiple pieces of information from different sources. A standard vocabulary decouples the producers of cybersecurity knowledge from the consumers of that knowledge and from the distribution channels, and consequently opens up a market of efficient tools that can take advantage of economies of scale. A single coherent picture that is both accurate and sufficiently comprehensive is necessary to reason about the security of the system and to build a defensible assurance case.
Knowledge-based systems and services are expensive to build, test, and maintain. Several technical problems stand in the way of shared, reusable knowledge-based systems. Like conventional applications, knowledge-based systems are built on heterogeneous hardware platforms, programming languages, and network protocols. However, knowledge-based systems pose special requirements for interoperability. Such systems operate on and communicate using machine-readable knowledge content. They ask queries and give answers. They take "background knowledge" as input and exchange derived knowledge. For such knowledge-level communication, we need conventions at three levels: knowledge representation format, communication protocol, and specification of the content of shared knowledge. Standard knowledge representation formats and communication protocols are independent of the content of the knowledge being exchanged. A common language is used to standardize the knowledge content.
In general, agreeing upon a vocabulary for a phenomenon makes systematic studies possible. In particular, standardization of the cybersecurity vocabulary brings the following benefits:
• A common language for intrusions and vulnerabilities enables us to compile statistics, observe patterns, and draw other conclusions from collected intrusion and vulnerability data. This process will extend our knowledge of the phenomenon, provide an efficient way to close the knowledge gap with attackers, and make it possible to strengthen systems against intrusions using this knowledge.
• An established taxonomy would be useful when reporting incidents to incident response teams, such as the CERT Coordination Center. It could also be used in the bulletins issued by incident response teams in order to warn system owners and administrators of new security flaws that can be exploited in intrusions.
• If the common language included a grading of the severity or impact of an intrusion or vulnerability, it would help system owners and administrators prioritize their efforts.
A common language is a linguistic model of a domain that is used to compose complex statements about the domain. The foundation of a linguistic model is a vocabulary. From a finite, well-defined vocabulary one can compose a large number of coherent sentences. A body of formally represented knowledge is based on a conceptualization: the objects, concepts, and other entities that are presumed to exist in some area of interest, and the relationships between them. A conceptualization is an abstract, simplified view of the world that we wish to represent for some purpose. Every knowledge base, knowledge-based system, or knowledge-level agent is committed to some conceptualization, explicitly or implicitly. That is one reason why vocabulary, rather than format, is the focus of linguistic models. The set of objects that can be represented by the statements of a linguistic model is called the universe of discourse. This set of objects, and the discernible relationships among them, are reflected in the vocabulary as a set of terms. In such a vocabulary, definitions associate the names of objects and concepts in the universe of discourse with human-readable text describing what the names are meant to denote, and with formal rules that constrain the interpretation and well-formed use of these terms.
Pragmatically, a common language defines the vocabulary with which queries and assertions are exchanged among participants of the ecosystem. Conceptual commitments are agreements to use the shared vocabulary in a coherent and consistent manner. The agents sharing a vocabulary need not share a knowledge base; each knows things the other does not, and an agent that commits to a conceptualization is not required to answer all queries that can be formulated in the shared vocabulary. In short, a commitment to a common vocabulary is a guarantee of consistency, and supports multiple implementation choices with respect to queries and assertions using the vocabulary. A vocabulary serves a different purpose than a knowledge base: a shared language need only describe a vocabulary for talking about a domain, whereas a knowledge base may include the knowledge needed to solve a problem or answer arbitrary queries about a domain. A knowledge base includes concrete and specific operational facts.
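A minimal sketch can make the notion of conceptual commitment tangible: two agents keep separate knowledge bases, but every assertion either one makes is built only from terms in the shared vocabulary. The vocabulary terms and the agents' facts below are illustrative assumptions:

```python
# Shared vocabulary: the only terms the participants may use.
VOCABULARY = {"component", "threat", "countermeasure", "mitigates", "exposes"}

def committed(assertion: tuple) -> bool:
    """An assertion (subject kind, verb, object kind) honors the conceptual
    commitment if all three terms come from the shared vocabulary."""
    subject_kind, verb, object_kind = assertion
    return {subject_kind, verb, object_kind} <= VOCABULARY

# Each agent knows things the other does not, yet both use the same terms,
# so their assertions can be combined and compared without translation.
agent_a = [("countermeasure", "mitigates", "threat")]
agent_b = [("component", "exposes", "threat")]

print(all(committed(a) for a in agent_a + agent_b))  # → True
print(committed(("system", "ignores", "threat")))    # → False
```

Note that `committed` checks only vocabulary membership, not truth: committing to a vocabulary guarantees consistency of terms, while each knowledge base remains free to hold its own facts.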
Linguistic models include the following three important parts:
• Representation of the things in the domain, also known as a taxonomy. A taxonomy focuses on the noun concepts. Landwehr et al. made the following observation in their work on a cybersecurity taxonomy: "A taxonomy is not simply a neutral structure for categorizing specimens. It implicitly embodies a theory of the universe from which those specimens are drawn. It defines what data are to be recorded and how like and unlike specimens are to be distinguished" [Landwehr 1994]. A taxonomy does not resist automation if it supports definitions that can be interpreted as queries into an appropriate knowledge base. Unfortunately, several taxonomies already proposed in the field of cybersecurity do resist automation. The art of making discernible definitions involves careful selection of characteristics that are aligned with the conceptual commitment.
• Representation of the relationships in the domain. Nouns alone are insufficient for constructing rich statements about a domain. Connections between nouns are generally expressed using verbs and verb phrases that relate appropriate terms. These noun and verb combinations are called sentential forms and are the basic building blocks that permit complex sentences to be made about the domain.
• Mechanism for constructing statements in the vocabulary of noun and verb concepts. In addition to the vocabulary of terms and sentential forms, a linguistic model must include the mechanism for combining them into meaningful statements.
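The three parts above can be sketched together: noun concepts from a taxonomy, verb phrases relating them, and sentential forms that decide which combinations are well-formed statements. The particular nouns, verbs, and forms below are hypothetical examples, not from any published cybersecurity vocabulary:

```python
# Noun concepts: the taxonomy of things in the (illustrative) domain.
nouns = {"system", "component", "threat", "countermeasure"}

# Sentential forms: (subject noun, verb phrase, object noun) triples the
# model allows; any other combination is not a well-formed statement.
sentential_forms = {
    ("system", "contains", "component"),
    ("threat", "targets", "component"),
    ("countermeasure", "mitigates", "threat"),
}

def well_formed(subject: str, verb: str, obj: str) -> bool:
    """Mechanism for constructing statements: a statement is meaningful
    only if it instantiates one of the sentential forms."""
    return (subject, verb, obj) in sentential_forms

print(well_formed("countermeasure", "mitigates", "threat"))  # → True
print(well_formed("component", "mitigates", "system"))       # → False
```

In a real linguistic model the forms would carry variables and constraints rather than fixed triples, but the division of labor is the same: the taxonomy supplies the nouns, the verb phrases supply the connections, and the sentential forms constrain how they may be combined.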