© A.K. Krings 2011Sequence 5Survivable Network Analysis (SNA)!This discussion is based on–A Case Study in Survivable Network System Analysis, R. J. Ellison, R. C. Linger, T. Longstaff, N. R. Mead, TECHNICAL REPORT CMU/SEI-98-TR-014 ESC-TR-98-014, September 1998–and –Survivable Network Analysis Method, Nancy R. Mead, Robert J. Ellison, Richard C. Linger, Thomas Longstaff, John McHugh, CMU/SEI-2000-TR-013, ESC-TR-2000-013, September 2000.1© A.K. Krings 2011Sequence 5Survivable Network Analysis (SNA)!SNA ModelSequence 52© A.K. Krings 2011 2© A.K. Krings 2011Sequence 5Survivable Network Analysis (SNA)!SNA Model builds on–Multi-step approach–Information Security Evaluation method–Evaluation of a distributed architecture rather than focussing on site-level security–Small team of trained evaluators–Several meetings and working sessions3Sequence 5© A.K. Krings 2011 3© A.K. Krings 2011Sequence 5Survivable Network Analysis (SNA)!Compromisable Components–components that could be penetrated and damaged by intrusion!Softspot Components–components that are both, essential and compromisable!Strategy uses “three R’s:–Resistance, Recognition, RecoverySequence 54© A.K. Krings 2011 4© A.K. Krings 2011Sequence 5Survivable Network Analysis (SNA)!Case Study Subsystem–Application: management of mental health treatment–Carnegie Works, Inc (CWI) is developing a large-scale management system to:»automate, systematize, integrate multiple aspects of regional mental health care–System named Vigilant»22 subsystems»distributed client/server networked environment»Vigilant vital part "development and management of treatment plans for patient and provider»problem of each patient, goals, actions, medication, therapy»treatment plan is carried out by action team composed of providersSequence 55© A.K. Krings 2011 5© A.K. Krings 2011Sequence 5Survivable Network Analysis (SNA)!Case Study Subsystem (cont.)–Sentinel Subsystem»subsystem of Vigilant»interacts with providers, affiliations and other subsystems»maintains action teams and treatment plans as part of Vigilant database»severe consequences of system failure»survivability of key Sentinel capabilities viewed by CWI as extremely importantSequence 56© A.K. Krings 2011 6© A.K. Krings 2011Sequence 5SNA Method ApplicationCMU/SEI-2000-TR-013Fig.5Sequence 57© A.K. Krings 2011 7© A.K. Krings 2011Sequence 5Survivable Network Analysis (SNA)!Joint Planning Meeting–Analysis team responsibilities:»establish team (typically 3 members) and single point of contact (POC)–Customer responsibilities»establish team"should have the expertise required: e.g. system mission, requirements, operating environment, usage and architecture."e.g. system architect, a lead designer, several stakeholders like system owners and system users"establish POC (should have authority to call on members)»identify system to be analyzed"should be appropriate size (realistic w.r.t. team size and time constraints)"establish clear boundaries, (e.g. should know every network connection)–Joint responsibilities»Scope the system to be analyzed and establish bound for the SNA»Establish work schedules and venues for joint sessionsSequence 58© A.K. Krings 2011 8© A.K. Krings 2011Sequence 5Survivable Network Analysis (SNA)!System Documentation–Customer Responsibilities»provide system documentation that describes:"Business mission"Functional requirements"Operating environment an users"Architecture: define system configuration in terms of–hardware & connections. e.g. in block diagram form–software in every hardware, protocols used, operating systems, application programs, databases, security, maintenance, backup, recovery facilities–administrators, developers, maintainers, operatorsSequence 59© A.K. Krings 2011 9© A.K. Krings 2011Sequence 5Survivable Network Analysis (SNA)–Exit criteria»both teams and team leaders are assigned»system to be analyzed is identified»schedules are set»documentation is identifiedSequence 510© A.K. Krings 2011 10© A.K. Krings 2011Sequence 5Survivable Network Analysis (SNA)!Analysis Team Preparation Task–review documentation –prepare for joint discovery sessionsSequence 511© A.K. Krings 2011 11© A.K. Krings 2011Sequence 5Survivable Network Analysis (SNA)!Joint Discovery Sessions–Customer initiates SNA Step 1 (System Definition)»Briefing on"business mission"principle functional requirements"system architecture"operating environment"typical usage scenarios (NUS)"evolution plans–Joint Responsibilities»Both teams initiate SNA Step 2 (Essential capability definition)"customer identifies set of essential services & assets and usage scenarios that invoke and access them"both teams trace them through the architecture to identify essential components"the highest priority services and assets are identifiedSequence 512© A.K. Krings 2011 12© A.K. Krings 2011Sequence 5Survivable Network Analysis (SNA)–Exit criteria»Both teams share common level of understanding of "system"essential services"essential assets"scenarios have been traced though the architecture => "essential components are revealedSequence 513© A.K. Krings 2011 13© A.K. Krings 2011Sequence 5Example architecture: CMU/SEI-2000-TR-013 Fig.6Sequence 514© A.K. Krings 2011 14© A.K. Krings 2011Sequence 5Example architecture: CMU/SEI-2000-TR-013 Fig.7Sequence 515© A.K. Krings 2011 15© A.K. Krings 2011Sequence 5Survivable Network Analysis (SNA)!Analysis Team Discovery Integration Task–Complete SNA Step 1 & 2 (sys.def. & essential cap. def.)»analyze and summarize "system mission"functional requirements"operational environment"essential services and assets"scenarios traces"essential components–Initiate SNA Step 3 (Compromisable Capability Definition)"assess system vulnerabilities"identify representative intrusion scenarios"define corresponding usage scenarios–Exit criteria»system vulnerabilities and representative intrusions have been identified Sequence 516© A.K. Krings 2011 16© A.K. Krings 2011Sequence 5Survivable Network Analysis!Joint Analysis Session–Customer team»validates selected intrusion scenarios»proposes modifications and extensions–Joint responsibilities»complete SNA Step 3 (Compromisable Capability Definition)"trace intrusion scenarios through architecture to reveal compromisable components»initiate SNA Step 4 (Survivability Analysis)"identification of softspot components"propose/discuss potential strategies for