1st Edition

Securing Systems Applied Security Architecture and Threat Models

By Brook S. E. Schoenfield Copyright 2015
    440 Pages 50 B/W Illustrations
    by CRC Press

    440 Pages 50 B/W Illustrations
    by CRC Press

    Internet attack on computer systems is pervasive. It can take from less than a minute to as much as eight hours for an unprotected machine connected to the Internet to be completely compromised. It is the information security architect’s job to prevent attacks by securing computer systems. This book describes both the process and the practice of assessing a computer system’s existing information security posture. Detailing the time-tested practices of experienced security architects, it explains how to deliver the right security at the right time in the implementation lifecycle.

    Securing Systems: Applied Security Architecture and Threat Models covers all types of systems, from the simplest applications to complex, enterprise-grade, hybrid cloud architectures. It describes the many factors and prerequisite information that can influence an assessment. The book covers the following key aspects of security analysis:

    • When should the security architect begin the analysis?
    • At what points can a security architect add the most value?
    • What are the activities the architect must execute?
    • How are these activities delivered?
    • What is the set of knowledge domains applied to the analysis?
    • What are the outputs?
    • What are the tips and tricks that make security architecture risk assessment easier?

    To help you build skill in assessing architectures for security, the book presents six sample assessments. Each assessment examines a different type of system architecture and introduces at least one new pattern for security analysis. The goal is that after you’ve seen a sufficient diversity of architectures, you’ll be able to understand varied architectures and can better see the attack surfaces and prescribe security solutions.

    Foreword by John N. Stewart
    Foreword by Dr. James F. Ransome
    About the Author

    Part I Introduction
    The Lay of Information Security Land
    The Structure of the Book

    Breach! Fix It!
    Information Security, as Applied to Systems
    Applying Security to Any System

    The Art of Security Assessment
    Why Art and Not Engineering?
    Introducing "The Process"
    Necessary Ingredients
    The Threat Landscape
    Who Are These Attackers? Why Do They Want to Attack My System?
    How Much Risk to Tolerate?
    Getting Started

    Security Architecture of Systems
    Why Is Enterprise Architecture Important?
    The "Security" in "Architecture"
    Diagramming For Security Analysis
    Seeing and Applying Patterns
    System Architecture Diagrams and Protocol Interchange Flows (Data Flow Diagrams)
    Security Touches All Domains
    Component Views
    What’s Important?
    What Is "Architecturally Interesting"?
    Understanding the Architecture of a System
    Size Really Does Matter
    Applying Principles and Patterns to Specific Designs
    Principles, But Not Solely Principles

    Information Security Risk
    Rating with Incomplete Information
    Gut Feeling and Mental Arithmetic
    Real-World Calculation
    Personal Security Posture
    Just Because It Might Be Bad, Is It?
    The Components of Risk
    Business Impact
    Data Sensitivity Scales
    Risk Audiences
    The Risk Owner
    Desired Security Posture

    Prepare for Assessment
    Process Review
    Credible Attack Vectors
    Applying ATASM
    Architecture and Artifacts
    Understand the Logical and Component Architecture of the System
    Understand Every Communication Flow and Any Valuable Data Wherever Stored

    Threat Enumeration
    List All the Possible Threat Agents for This Type of System
    List the Typical Attack Methods of the Threat Agents
    List the System-Level Objectives of Threat Agents Using Their Attack Methods
    Attack Surfaces
    Decompose (factor) the Architecture to a Level That Exposes Every Possible Attack Surface
    Filter Out Threat Agents Who Have No Attack Surfaces Exposed to Their Typical Methods
    List All Existing Security Controls for Each Attack Surface
    Filter Out All Attack Surfaces for Which There Is Sufficient Existing Protection
    Data Sensitivity
    A Few Additional Thoughts on Risk
    Possible Controls
    Apply New Security Controls to the Set of Attack Services for Which There Isn’t Sufficient Mitigation
    Build a Defense-in-Depth

    Part I Summary

    Part II Introduction
    Practicing with Sample Assessments
    Start with Architecture
    A Few Comments about Playing Well with Others
    Understand the Big Picture and the Context
    Getting Back to Basics

    eCommerce Website
    Decompose the System
    The Right Level of Decomposition
    Finding Attack Surfaces to Build the Threat Model

    Enterprise Architecture
    Enterprise Architecture Pre-work: Digital Diskus
    Digital Diskus’ Threat Landscape
    Conceptual Security Architecture
    Enterprise Security Architecture Imperatives and Requirements
    Digital Diskus’ Component Architecture
    Enterprise Architecture Requirements

    Business Analytics
    Attack Surfaces
    Attack Surface Enumeration
    Administrative Controls
    Enterprise Identity Systems (Authentication and Authorization)

    Endpoint Anti-malware
    A Deployment Model Lens
    More on Deployment Model
    Endpoint AV Software Security Requirements

    Mobile Security Software with Cloud Management
    Basic Mobile Security Architecture
    Mobility Often Implies Client/Cloud
    Introducing Clouds
    Authentication Is Not a Panacea
    The Entire Message Stack Is Important
    Just Good Enough Security
    Additional Security Requirements for a Mobile and Cloud Architecture

    Cloud Software as a Service (SaaS)
    What’s So Special about Clouds?
    Analysis: Peel the Onion
    Freemium Demographics
    Protecting Cloud Secrets
    The Application Is a Defense
    Additional Requirements for the SaaS Reputation Service 319

    Part II Summary

    Part III Introduction

    Patterns and Governance Deliver Economies of Scale
    Expressing Security Requirements
    Expressing Security Requirements to Enable
    Who Consumes Requirements?
    Getting Security Requirements Implemented
    Why Do Good Requirements Go Bad?
    Some Thoughts on Governance

    Building an Assessment Program
    Building a Program
    Senior Management’s Job
    Bottom Up?
    Use Peer Networks
    Building a Team
    Documentation and Artifacts
    Peer Review
    Mistakes and Missteps
    Not Everyone Should Become an Architect
    Standards Can’t Be Applied Rigidly
    One Size Does Not Fit All, Redux
    Don’t Issue Edicts Unless Certain of Compliance
    Measuring Success
    Invitations Are Good!
    Establish Baselines

    Part III Summary and Afterword



    Brook S.E. Schoenfield is Director of Product Security Architecture at Intel Security Group. He is the senior technical leader for software security across the division’s broad product portfolio. He has held leadership security architecture positions at high-tech companies for many years. Brook has presented at conferences such as RSA, BSIMM, and SANS What Works Summits on subjects within security architecture, including architecture risk assessment and threat models, information security risk, SaaS/Cloud security, and Agile security. He has been published by CRC Press, SANS, Cisco, and the IEEE.

    "Brook Schoenfield has distilled a tremendous amount of practical experience and critical thinking about security architecture into a resource that should be extremely helpful to practitioners."
    — Jack Jones, Originator of The Open Group Standard, Factor Analysis for Information Risk (FAIR)

    "Five stars for Brook Schoenfield who has created a one-stop resource for both the security strategist/technologist and the executive suite, sounding the ‘proactive’ klaxon. The reader is given substantive exemplars on the practicality of architecting security solutions into the mix from the get-go, and obviating the tendency to ‘bolt on’ security at a later date. Securing Systems should be on every CSO’s and CISO’s desk, and referenced often as teams are built and security solutions architected."
    — Christopher Burgess, CEO, Prevendra Inc, Author of Secrets Stolen, Fortunes Lost and Protecting Intellectual Property

    "Brook Schoenfield’s approach to securing systems addresses the entire enterprise, not only its digital systems, as well as the processes and people who will interact, design, and build the systems. This book fills a significant gap in the literature and is appropriate for use as a resource for both aspiring and seasoned security architects alike."
    — Dr. James F. Ransome, CISSP, CISM, Senior Director of Product Security at Intel Security Group and Co-Author of Core Software Security

    "It is not good enough just to build something and try and secure it, it must be architected from the bottom up with security in it, by professionally trained and skilled security architects, checked and validated by regular assessments for weakness, and through a learning system that learns from today to inform tomorrow. We must succeed."
    — John N. Stewart, SVP & Chief Security Officer, Cisco Security and Trust Organization and Winner of the CSO 40 Silver Award for the 2014 Chief Security Officer of the Year

    "This book describes well why some companies are successful and some are not in the area of software security. Brook writes this book out of his own experiences from many years in the trade. I doubt that you can find many who have more years of great achievements in his field. By reading this book, you will get a fast track to build competence in a very advanced area. The possibilities to take the wrong route are much wider than you can imagine. Please do like me— read it and think how I can improve my daily business from what I have learned."
    — Per-Olof Persson, Head of Software Security, Sony Mobile