Proactive Database Forensics in the BYOD Era - An Overview
Presenter: Denys A. Flores
Supervisor: Dr. Arshad Jhumka
July 1st, 2016
Topics
A Brief Introduction to Information Security & Digital Forensics
The Importance of Digital Forensics in Distributed Systems
Challenges for Investigating Databases (DB Forensics)
DB Forensics: Reactive vs. Proactive Approaches
The BYOD Threat to Proactive DB Forensics
Introducing a STRIDE-based BYOD Threat Model
Related Work
Conclusions
Information Security & Digital Forensics
Information Security manages the impact of risks and incidents when threats exploit
a vulnerability within an information system (asset).
Controls must be applied to protect information assets and information security.
(BS ISO/IEC, 2016)
Information Assets are any kind of information such as documents, transcripts,
audio/visual recordings, databases, etc. mainly stored/processed/transmitted using
electronic media.
(Escrivá et al, 2013)
It is important to secure information at rest, being processed
and in transit.
Information Security & Digital Forensics
Controls may be policies, procedures, processes, organizational structures, hardware and
software in order to prevent materialisation of [internal/external] threats.
When controls fail, an information security incident occurs, as the confidentiality,
integrity and availability of information assets are compromised. (BS ISO/IEC, 2016)
Accountability is a security characteristic required for forensics and auditing purposes.
(Stallings, 2011)
When there is an incident there is someone accountable for it!
Importance of Digital Forensics in Distributed Systems
Digital Forensics is a forensic science used to identify, collect, preserve, analyse and
present digital evidence stored in electronic media (information assets) during legal
proceedings (Palmer, 2001).
Auditing logs and monitors actions to ensure compliance (Andress, 2014).
In organisations, Digital Forensics relies on auditing in order to associate a security
event with the perpetrator using trustworthy digital evidence.
Since digital evidence is distributed in different locations and collected in various
electronic media (information systems), incident response time is affected (Attoe, 2016).
Digital Forensics is crucial to investigate and respond to security
incidents, for example in the Cloud (Nurul, 2015)
Challenges for Database investigations (DB Forensics)
During data breaches, databases are the primary targets and also a great challenge for
forensic investigations.
DB Forensics applies digital forensic approaches to gather suitable digital evidence
related to database activity for presentation in a court of law (Fowler, 2007) – evidence
may be stored in different sources.
DB Forensics has received very little research attention (Hauger, 2015).
A further challenge is generating trustworthy digital evidence by ensuring Chain of Custody
(evidence possession, non-repudiation, authenticity and provenance) throughout the
investigation life cycle.
Traditional Digital Forensic techniques may not be suitable for
DB Forensics (Khanuja, 2014).
DB Forensics: Reactive vs. Proactive
Reactive DB Forensics:
Rely on the original database reconstruction and recovery (reactive
controls) (Fasan, 2012).
Data model and data dictionary are not considered (Hauger, 2015).
Traditional imaging and file carving are used, together with ad-hoc practices for
MSSQL (Fowler, 2008) and Oracle (Litchfield, 2007-2011).
Its admissibility (validity/trust) is challenged (Hauger, 2015).
Time consuming when dealing with short incident response periods.
Firefighting is not a good approach to incident response!
DB Forensics: Reactive vs. Proactive
Proactive DB Forensics:
Rely on analysing logged activity (multiple evidence sources) during
auditing stage when close monitoring of specific suspicious events is
required (proactive controls).
Adopts an e-Discovery approach (Attoe, 2016) where digital evidence is
recovered from different trusted distributed sources.
An architecture with pre-defined functional requirements is configured
in a forensically secure environment (Digital Forensics Readiness).
Allows shorter incident response times.
Formalising Proactive DB Forensics is our challenge – can we be
ready to respond efficiently?
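A proactive approach only works if the logged activity it relies on is itself trustworthy: the Chain of Custody requirements listed under the DB Forensics challenges (possession, non-repudiation, authenticity, provenance) apply to the audit repository before any investigation starts. The following is an added illustration, not code from the presentation or its authors, of one way an audit repository can be made tamper-evident: each record is chained to its predecessor and authenticated with a key held outside the DBMS. The key, the record format and the sample events are all constructed for this example.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Hypothetical tamper-evident audit repository: every DB activity record is
# chained to its predecessor (provenance/causality) and authenticated with a
# key held outside the DBMS (authenticity/non-repudiation of the log itself).
AUDIT_KEY = b"placeholder-audit-key-held-outside-the-dbms"   # assumed key


def _canonical(body: Dict) -> bytes:
    # Stable serialisation so the same record always authenticates identically.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain: List[Dict], event: Dict, key: bytes = AUDIT_KEY) -> Dict:
    """Append one DB activity event, linking it to the previous entry's tag."""
    prev_tag = chain[-1]["tag"] if chain else "0" * 64
    body = {"seq": len(chain), "prev": prev_tag, "event": event}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    entry = dict(body, tag=tag)
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict], key: bytes = AUDIT_KEY,
                 expected_head: Optional[str] = None) -> Optional[int]:
    """Return None when the chain is intact, otherwise the seq of the first
    entry that fails (len(chain) means entries are missing at the tail).
    The head tag must be anchored somewhere the insider cannot reach, or a
    truncated log still verifies."""
    prev_tag = "0" * 64
    for expected_seq, entry in enumerate(chain):
        body = {"seq": entry["seq"], "prev": entry["prev"], "event": entry["event"]}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if (entry["seq"] != expected_seq or entry["prev"] != prev_tag
                or not hmac.compare_digest(entry["tag"], expected)):
            return expected_seq
        prev_tag = entry["tag"]
    if expected_head is not None and prev_tag != expected_head:
        return len(chain)
    return None


def build_sample_chain() -> List[Dict]:
    # Constructed sample activity; not real audit data.
    events = [
        {"ts": "2016-07-01T09:00:00Z", "user": "alice", "sql": "SELECT total FROM orders WHERE id=42"},
        {"ts": "2016-07-01T09:05:10Z", "user": "dba_bob", "sql": "UPDATE salaries SET amount=amount*2 WHERE emp=7"},
        {"ts": "2016-07-01T09:05:11Z", "user": "dba_bob", "sql": "ALTER SYSTEM SET audit_trail=NONE"},
    ]
    chain: List[Dict] = []
    for e in events:
        append_record(chain, e)
    return chain


def demo() -> Dict[str, Optional[int]]:
    """What an investigator sees for an intact, a modified and a truncated repository."""
    chain = build_sample_chain()
    head = chain[-1]["tag"]                      # anchored in the forensically secure environment
    modified = json.loads(json.dumps(chain))     # deep copy
    modified[1]["event"]["sql"] = "SELECT 1"     # insider rewrites the salary change
    truncated = chain[:2]                        # insider drops the audit-disable record
    return {
        "intact": verify_chain(chain, expected_head=head),            # None
        "modified": verify_chain(modified, expected_head=head),       # 1
        "truncated": verify_chain(truncated, expected_head=head),     # 2
        "truncated_unanchored": verify_chain(truncated),              # None: undetected
    }
```

The last result is the caveat worth remembering for Digital Forensics Readiness: a hash chain detects modification and deletion in the middle of the log, but removal of the most recent records is only visible when the current head tag has been committed to a location the insider cannot alter (a write-once store or a separate audit host).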
The BYOD Threat to Proactive DB Forensics
Bring-Your-Own-Device (BYOD), or Dual-Use Devices, is a growing trend encouraged by
some organisations.
It increases employee productivity and accessibility to corporate information assets
(including databases) from anywhere at any time.
It raises security concerns regarding monitoring and controlling employee mobile device
access to information assets (Sobers, 2015).
BYOD – Bring Your Own Disclosure??
The BYOD Threat to Proactive DB Forensics
BYOD is a source of a vast amount of digital evidence (Francis &
Larson, 2015). When devices are corporate-owned, this evidence is relatively easy to handle.
Insider activity has been overlooked as only outsider attacks are
seen as relevant (Pavlou et al, 2012).
Malicious/naive insider actions must be controlled (Densham, 2015)
to avoid corporate information disclosure (Pohlmann et al, 2015)
and contamination (Downer & Bhattacharya, 2016).
In BYOD, evidence ownership is problematic.
A STRIDE-based BYOD Threat Model
BYOD exposes information assets (including databases) to External and Internal
Threat Contexts.
Knowing the Threat Contexts, a Threat Model is proposed using the STRIDE approach.
External Threat Context
Carrier: Cybercriminals (outsiders)
Threats:
• Malware
• Phishing
• Social Engineering
• Malicious Mobile Apps
• Insecure Wireless Networks
• Fake Certificate Authorities
• DoS

Internal Threat Context
Carrier: Trusted employees (insiders)
Threats:
• Uncontrolled Devices
• Device Misconfiguration
• Unauthorised Information Sharing in Personal Clouds
• Mixture of Personal and Corporate Information
• Lost/Stolen/Unlinked Devices
• Device Ownership
STRIDE => Spoofing, Tampering, Repudiation, Information Disclosure,
Denial of Service, Elevation of Privilege
A STRIDE-based BYOD Threat Model
Trust Boundaries (Represents / Interacts With)
A. Internet Trust Boundary (ITB)
   Represents: Lower-Trust Insider Activity (Personal Cloud, Mobile App Stores)
   Interacts With: CPTB
B. Business Core Trust Boundary (BCTB)
   Represents: Higher-Trust Insider Activity (Relational Database, Audit Repository)
C. Corporate Perimeter Trust Boundary (CPTB)
   Represents: Internal/External Insider Interaction (ITB-located Mobile Client)
   Interacts With: CPTB
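To make the STRIDE step concrete, here is an added example (not the presenters' model or tooling) that applies the STRIDE-per-element method to a minimal data-flow diagram built from the three trust boundaries above. The per-element susceptibility table (external entities: S, R; processes: all six; data stores: T, R, I, D; data flows: T, I, D) follows common Microsoft SDL practice and is an assumption of this example, as are the element kinds and the "Corporate Access Gateway" process placed at the CPTB; the deck itself only names the boundaries and what they represent.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# STRIDE categories as listed in the deck.
STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# STRIDE-per-element susceptibility (Microsoft SDL practice; an assumption of
# this example, not something the deck states).
PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str       # key of PER_ELEMENT
    boundary: str   # ITB, CPTB or BCTB, as named in the deck


@dataclass(frozen=True)
class Flow:
    name: str
    src: str        # Element.name
    dst: str        # Element.name


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Dict]:
    """STRIDE-per-element: each element gets the threats its kind is prone to;
    each data flow gets T/I/D and is flagged when it crosses a trust boundary."""
    by_name = {e.name: e for e in elements}
    findings = []
    for e in elements:
        for code in PER_ELEMENT[e.kind]:
            findings.append({"target": e.name, "where": e.boundary,
                             "threat": STRIDE[code], "crosses_boundary": False})
    for f in flows:
        src, dst = by_name[f.src], by_name[f.dst]
        crosses = src.boundary != dst.boundary
        for code in PER_ELEMENT["data_flow"]:
            findings.append({"target": f.name, "where": f"{src.boundary}->{dst.boundary}",
                             "threat": STRIDE[code], "crosses_boundary": crosses})
    return findings


def byod_model() -> Tuple[List[Element], List[Flow]]:
    """The deck's three trust boundaries as a minimal DFD. Element kinds and the
    gateway process are assumptions made for this example."""
    elements = [
        Element("ITB-located Mobile Client", "external_entity", "ITB"),
        Element("Personal Cloud", "external_entity", "ITB"),
        Element("Mobile App Store", "external_entity", "ITB"),
        Element("Corporate Access Gateway", "process", "CPTB"),
        Element("Relational Database", "data_store", "BCTB"),
        Element("Audit Repository", "data_store", "BCTB"),
    ]
    flows = [
        Flow("DB query via gateway", "ITB-located Mobile Client", "Corporate Access Gateway"),
        Flow("Gateway to DB", "Corporate Access Gateway", "Relational Database"),
        Flow("DB activity to audit", "Relational Database", "Audit Repository"),
        Flow("Document sync to personal cloud", "ITB-located Mobile Client", "Personal Cloud"),
    ]
    return elements, flows


def summarise(findings: List[Dict]) -> Dict:
    """Count threats per STRIDE category and list the boundary-crossing flows,
    which is where the deck's external and internal threat contexts interact."""
    per_category: Dict[str, int] = {}
    for f in findings:
        per_category[f["threat"]] = per_category.get(f["threat"], 0) + 1
    crossing = sorted({f["target"] for f in findings if f["crosses_boundary"]})
    return {"per_category": per_category, "boundary_crossing_flows": crossing}
```

Running `summarise(enumerate_threats(*byod_model()))` yields the two ITB-to-CPTB and CPTB-to-BCTB flows as the boundary-crossing ones, while the Audit Repository, as a data store, carries Repudiation and Tampering entries; those are the findings that the deck's contamination and disclosure slides elaborate.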
A STRIDE-based BYOD Threat Model
BYOD Threats causing Information Contamination
A STRIDE-based BYOD Threat Model
BYOD Threats causing Information Disclosure
Related Work
Previous work on mitigating BYOD Threats has not considered
security and digital forensics issues.
Mobile Device Management (MDM) solutions (Sobers, 2015)
provide mobile device access control, but do not
prevent/monitor information access and misuse (i.e. disclosure
and contamination).
STRIDE-based Threat Models have already been applied for
supporting digital forensic readiness initiatives (Lourida et al,
2013) without analysing threat interaction.
Our research provides a baseline for understanding the
environment in which proactive digital forensics initiatives may
be deployed (Henry et al, 2013), considering internal and
external threat interactions in the BYOD context.
Conclusions
Future work: protecting corporate information from unauthorised disclosure and
contamination using proactive approaches.
Regarding information contamination, forensic investigations must look at insider
actions that can compromise information integrity, introducing repudiation issues
when disabling logging and auditing repositories.
Regarding information disclosure, forensic investigations must be aware of information
confidentiality issues when malicious insiders misuse their high-privilege credentials to
access sensitive information, e.g. DB credential misuse.
Unless insider actions are properly monitored and controlled, proactive digital
evidence generation may be challenged, affecting chain of custody provenance
requirements and evidence causality during forensic investigations.
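The two insider actions singled out in the conclusions (disabling the audit trail, and privileged credentials used to read sensitive data from an uncontrolled device or at an unusual hour) are exactly the "specific suspicious events" a proactive approach would monitor. The following added example, which is not part of the presentation, runs two such detection rules over a constructed key=value export of a database audit trail. The line format, table names, role names and business-hours policy are all assumptions made for the example.

```python
import re
import shlex
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample audit export (not real logs). Format is a hypothetical
# key=value rendering of a DB audit trail; the last line is deliberately malformed.
SAMPLE_AUDIT = """\
2016-07-01T09:00:00Z user=alice role=analyst src=10.0.5.12 client=corp-laptop stmt="SELECT id, total FROM orders WHERE id=42"
2016-07-01T09:04:30Z user=dba_bob role=dba src=172.16.9.21 client=mobile-byod stmt="SELECT * FROM customer_pii"
2016-07-01T09:05:11Z user=dba_bob role=dba src=172.16.9.21 client=mobile-byod stmt="ALTER SYSTEM SET audit_trail=NONE"
2016-07-01T23:30:00Z user=dba_bob role=dba src=192.168.7.3 client=corp-laptop stmt="SELECT ssn FROM customer_pii WHERE id=7"
this line is malformed and has no fields
"""

SENSITIVE_TABLES = {"customer_pii", "salaries"}          # assumed data classification
PRIVILEGED_ROLES = {"dba", "sysadmin"}                   # assumed role names
BUSINESS_HOURS = range(8, 19)                            # 08:00-18:59 UTC, assumed policy
# Statements that switch off or remove auditing (repudiation risk).
AUDIT_DISABLE = re.compile(r"(noaudit\b|audit_trail\s*=\s*none|drop\s+\S*audit)", re.I)
TABLE_REF = re.compile(r"\bfrom\s+([A-Za-z_][A-Za-z0-9_.]*)", re.I)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one 'timestamp key=value ...' line; return None if it is malformed."""
    parts = shlex.split(line)          # honours the quotes around stmt="..."
    if len(parts) < 2 or "=" in parts[0]:
        return None
    rec = {"ts": parts[0]}
    for tok in parts[1:]:
        if "=" not in tok:
            return None
        k, v = tok.split("=", 1)
        rec[k] = v
    if "user" not in rec or "stmt" not in rec:
        return None
    return rec


def evaluate(rec: Dict[str, str]) -> List[Tuple[str, str]]:
    """Apply the detection rules to one record; returns (STRIDE category, reason) pairs."""
    alerts = []
    stmt = rec["stmt"]
    if AUDIT_DISABLE.search(stmt):
        alerts.append(("Repudiation", "audit trail disabled or removed"))
    tables = {t.lower().split(".")[-1] for t in TABLE_REF.findall(stmt)}
    privileged = rec.get("role") in PRIVILEGED_ROLES
    if tables & SENSITIVE_TABLES and privileged:
        hour = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
        if rec.get("client", "").startswith("mobile-byod"):
            alerts.append(("Information Disclosure",
                           "privileged access to sensitive table from BYOD client"))
        if hour not in BUSINESS_HOURS:
            alerts.append(("Information Disclosure",
                           "privileged access to sensitive table outside business hours"))
    return alerts


def scan(text: str) -> Dict:
    """Run the rules over an audit export; count lines the parser had to skip,
    since an unparseable gap in the trail is itself worth an investigator's attention."""
    report: Dict = {"alerts": [], "unparsed": 0}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            report["unparsed"] += 1
            continue
        for category, reason in evaluate(rec):
            report["alerts"].append({"ts": rec["ts"], "user": rec["user"],
                                     "category": category, "reason": reason})
    return report
```

On the sample, `scan(SAMPLE_AUDIT)` raises three alerts (a BYOD disclosure, the audit-disable repudiation event, and an off-hours disclosure) and reports one unparsed line. Rules like these only have evidential value when the audit trail they read cannot itself be silently edited, which is why the audit repository sits in the higher-trust BCTB in the threat model.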
Thank You!
References
Andress, J. (2014). Chapter 1 - What is Information Security?, In The Basics of Information Security (Second Edition), Syngress, Boston, Pp. 1-22
Attoe, R. (2016). Chapter 6 - Digital forensics in an eDiscovery world, In Digital Forensics, edited by John Sammons, Syngress, Boston, Pp. 85-98
BS ISO/IEC (2016). 27000:2016 Information Technology-Security Techniques-Information Security Management Systems-Overview and Vocabulary, [Online], Available at: https://bsol.bsigroup.com/
Densham, B. (2015). Three cyber-security strategies to mitigate the impact of a data breach. In Network Security, vol. 2015, 2015, pp. 5–8. [Online] Available at: http://bit.ly/1Wv9CQJ
Downer, K. and Bhattacharya, M. (2016). BYOD security: A new business challenge. [Online] Available at: http://bit.ly/1O08xJY
Escrivá, G. et al. (2013). Information Security. Macmillan Iberia S.A. Spain
Fasan, O., Olivier, M. (2012). On Dimensions of Reconstruction in Database Forensics, In Seventh International Workshop on Digital Forensics & Incident Analysis.
Fowler, K. (2007). SQL Server Database Forensics. [Online] Available at: http://ubm.io/1WuG9Il
Fowler, K. (2008). SQL Server Forensic Analysis. Addison-Wesley Professional, Boston
Francis, K. and Larson, M. (2015). Digital Forensics in the Mobile, BYOD, and Cloud Era. [Online]. Available at: http://bit.ly/1T9TxdY
Hauger, W., Olivier, M. (2015). The state of Database Forensic research. In IEEE Information Security for South Africa (ISSA)
Henry, P. et al (2013). The SANS Survey of Digital Forensics and Incident Response. [Online]. Available at: http://bit.ly/1SDdomv
Khanuja, H. (2014). Role of metadata in forensic analysis of database attacks, In IEEE International Advance Computing Conference (IACC).
Litchfield, D. (2007-2011). Papers on Oracle Forensics. Available at: http://www.davidlitchfield.com/security.htm
Lourida, K., et al. (2013). Assessing database and network threats in traditional and cloud computing. [Online]. Available at: http://wrap.warwick.ac.uk/65197/
Nurul, A., Kim-Kwang, R. (2015). Chapter 17 - Integrating digital forensic practices in cloud incident handling: A conceptual Cloud Incident Handling Model, In The Cloud Security Ecosystem, Syngress, Boston, Pp. 383-400
Palmer, G. (2001). A Road Map for Digital Forensic Research. [Online] Available at: http://bit.ly/1bNYpaj
Pavlou, K. et al. (2012). Achieving Database Information Accountability in the Cloud. [Online] Available at: http://bit.ly/1WuGzyh
Pohlmann, N. et al. (2015). Bring your own device for authentication (BYOD4A)–the Xign–System. In Information Security Solutions Europe (ISSE) 2015 Conference. Springer, 2015, pp. 240–250.
Sobers, A. (2015). BYOD and the Mobile Enterprise – Organisational challenges and solutions to adopt BYOD. [Online]. Available at: http://bit.ly/1Z8ZkG2
Stallings, W. (2011). Network Security Essentials, 4th edition, New York, US; Prentice-Hall

WPCCS 16 Presentation