Twitter Feed

about 1 day ago @sans_isc I know this isn't the point, but we shouldn't have to harden our smartphones. Demand safer products! #fail http://t.co/s116odPu
about 5 days ago @falconsview agree that their risk "pricing" scheme could be improved. The strength of the program is in the market / social aspects.
about 5 days ago @falconsview I don't think they said if they were targeted by Aurora, but they used the program to drive rapid deployment of the patch.
about 5 days ago @falconsview - The @StateDept has a good collection of briefings on their risk scoring / patching program at http://t.co/gmGmQeeB
about 10 days ago Waiting for @falconsview to start his #sec360 talk. Bad luck drawing the time slot against the FBI.
about 10 days ago Looking forward to @ronw123 's talk at #Sec360
about 10 days ago Thanks to all who attended our talk on #BSM Functional Security Requirements at #Sec360 ! Slides and White Paper at http://t.co/oznT8kTs
about 11 days ago Thanks @DrInfoSec for reminding me about the Australian report on the top 4 controls to prevent breaches. #sec360
about 11 days ago Loved Miles Edmundson's Russian Roulette analogy in his Monte Carlo talk at #sec360
about 11 days ago Too many good speakers at #Sec360 ... I'll have a lot to catch up with when the videos are posted.
about 11 days ago @ERM_Guy Thanks, David, glad you liked my talk! I hope to refine the ideas of information safety and information protection over time.
about 11 days ago Thanks to everyone who participated in the first annual #Sec360 5K/10K run/walk for @ECHOminnesota !
about 12 days ago Slides from my #siracon talk today posted to http://t.co/LjLRnNGf. Thanks to everyone who attended, it was a fun day! http://t.co/kRRuQ4p4
about 12 days ago @Bank_Risk @agilesecurity @alexhutton @DrInfoSec Thanks for the kind words on my #siracon presentation!
about 21 days ago Crazy secrecy aside, #Apple gets security right; give people a way to be secure, come down hard when they don't. http://t.co/AbJ5ksAR

Behavioral Security Modeling Secure360 Presentation

Written by John A Benninghoff
May 8, 2012

Copyright © 2012 Brophey Consulting and Transvasive Security. All rights reserved.

Here are the slides from our talk at Secure360 on our recently published white paper, Behavioral Security Modeling: Functional Security Requirements.

We'll provide a link to the video when it becomes available.

Last Updated on May 8, 2012

Behavioral Security Modeling: Functional Security Requirements

Written by John A Benninghoff
May 8, 2012


In my Behavioral Security Modeling talk at OWASP AppSec USA 2011, I promised a white paper on BSM. Since then, I enlisted the aid of Karl Brophey, a friend who has a wealth of experience in software development and architecture, and the result of our collaboration is finally complete! I'm pleased to formally announce the release of the first BSM white paper, "Behavioral Security Modeling: Functional Security Requirements." Karl and I will be speaking about the paper today at Secure360 in St Paul. Hope to see you there!

Abstract:

Defining functional security requirements is a key component of Behavioral Security Modeling, a method to improve security through accurately modeling human/information interactions in social terms. The paper proposes a practical, SDLC-agnostic method for gathering functional security requirements by establishing limits on interactions through a series of questions to identify, clarify, and uncover hidden constraints. Five categories of constraints are presented, along with advice and "requirement patterns" to facilitate discussions with stakeholders and translate business needs into unambiguous security requirements. General advice on improving constraints, implementation considerations, security actions, quality assurance, and documenting postconditions is also discussed.

Version 1.0 disclaimer: this white paper attempts to formally capture our collective knowledge on how to effectively define functional security requirements. The next step is to test the theory by implementing the approach in a number of application development environments.

Paper:

Behavioral Security Modeling: Functional Security Requirements

Last Updated on May 8, 2012

SIRACon: Organization of Risk Management Programs

Written by John A Benninghoff
May 7, 2012

Copyright © 2012 Transvasive Security. All rights reserved.

I spoke today (May 7, 2012) at SIRACon, the first ever conference of the Society of Information Risk Analysts. Here is the description I submitted for the talk - it is fairly close to the final product:

Effective, established Risk Management practices fall into two major categories: management of risk due to accidental damage (safety) and management of risk due to threats (protection). This talk will present the case that these are two distinct methodologies, and all information risk management should be divided into protection functions (like the Secret Service) and safety functions (like the Aviation Industry), staffed by different people if possible, due to the differences in approach, available data, threat behavior, and the cognitive biases of the risk analysts themselves.

I've uploaded copies of the talk to my site: Organizing Risk Management Programs, Or, What I learned from the Aviation Industry and the US Secret Service.

I really enjoyed the day's talks and appreciated all the different perspectives; they all help with our still-immature business of information risk analysis and information risk management.

I believe there will also be a video of my talk; I'll post a link to that once it becomes available.

Last Updated on May 7, 2012

Upcoming Talks in 2012

Written by John A Benninghoff
Apr 20, 2012


I'm pleased to announce three upcoming speaking engagements in 2012!

First, I've been busy working with Karl Brophey on the Behavioral Security Modeling whitepaper I promised back in September 2011 at OWASP AppSec USA here in Minneapolis. Karl has a wealth of experience in software development and architecture, and we will be publishing the paper and giving a presentation at Secure360 in St Paul on May 8. If you are going, make sure to register for the Secure360 Run/Walk for ECHO!

Second, I'll also be speaking the day before (on May 7) at SIRACon, the first-ever conference of the Society of Information Risk Analysts, on "Organizing Risk Management Programs, or, What I Learned from the Secret Service and the Aviation Industry," where I will make the case for splitting up risk management into two separate functions: information protection (like the Secret Service) and information safety (like the airline industry). While I'm excited to be speaking, I'm even more excited to see the other talks, given by Risk Management thought leaders from around the country.

Finally, I just learned today that my proposal for the ISC2 Security Congress in Philadelphia was accepted, and I'll be speaking on September 10 on "Defending Against Attacks by Modeling Threat Behaviors," which will demonstrate how knowledge of attacker behaviors can be used to evaluate and improve application and infrastructure design. It's my attempt to improve upon traditional threat modeling. The ISC2 Security Congress is co-located with the ASIS International conference, and I'm looking forward to attending talks from the world of physical security.

Last Updated on Apr 20, 2012

Some random ideas from RSA 2012

Written by John A Benninghoff
Apr 6, 2012


I recently (or not-so-recently) attended the 2012 RSA Conference in San Francisco. Although I had meant to write about it sooner, I've only now gotten around to it. While I left with fewer new ideas than I had hoped, looking over my notes and reflecting on the conference, I did leave with some. What follows are the highlights of the recap I put together of what I recall from the sessions I attended.

Disclaimer: I'm writing this primarily from memory, and haven't fact-checked, although I don't think there are any glaring errors. Please use the Contact Us link if you find any.

Last Updated on Apr 6, 2012

On Money Mules and Credential Theft

Written by John A Benninghoff
Mar 28, 2012


A threatpost article, "Money Mules, Not Customers, The Real Victims of Bank Fraud," and the paper it references caught my attention today. The premise of the paper is that, due to banking regulations and how banks react to fraudulent online transactions affecting consumer accounts, the criminals are effectively stealing not from consumers but from the "money mules" they recruit to move the stolen money. Brian Krebs, a journalist and blogger who writes about the online criminal underground and information security issues on his blog, Krebs on Security, posted a comment criticizing the authors' conclusions, specifically calling out that the main victims of theft of banking credentials are small and mid-size business owners, who are liable for losses and have lost significant amounts of money. I've reposted my reply in part below. I largely agree with Brian; however, I do think the authors raise good points about the difficulty of moving money through the banking system and about the critical role mules play in online bank fraud.

@Brian,

Your point on the fraud losses to small and mid-size business owners with corporate banking accounts is spot-on, and while the paper makes it clear they are mainly addressing the consumer problem, it's a fair criticism that they're glossing over a significant portion of online banking fraud, and that they misrepresent the facts by citing the instances in which fraudulent transactions on commercial accounts were reversed and not the transactions that couldn't be reversed.

However, I do believe the paper raises an excellent point about online consumer banking fraud, and online banking fraud in general. It is difficult to transfer money out of accounts, and the mules really do bear much of the risk, and (as you have noted) rarely get paid, and sometimes may not realize what they're doing is illegal. Their point on the low black market value of stolen credentials relative to account value does indicate that extracting money is difficult, and unlikely to succeed. Even though their rationale on how banks resolve fraudulent transfers means that attackers are effectively stealing from the mules only applies to consumers, I welcome the suggestion that we attack the problem at other points in the chain, and not just passwords. We may do better to disrupt online banking fraud by putting more efforts into making mule recruitment harder.

I would also raise a point not yet covered in the article or the comments: I take issue with the authors' comments on liability; the auto rental and identity theft insurance markets have little bearing on banks' decision to offer zero-dollar liability; the reality is, when the consumers' liability is limited by regulation to $50, offering the extra $50 is trivially inexpensive. When banks aren't legally obligated to bear liability, they quite willingly shift it to the account holder, as is the case for US commercial bank accounts. I for one would very much like to see regulators force the issue and limit liability for at least small and mid-size businesses, since they're simply not equipped to handle this type of fraud on their own.

Last Updated on Mar 29, 2012