Benchmarking Untrustworthiness: An Alternative to Security Measurement
Afonso Araújo Neto, M. Vieira
DOI: 10.4018/jdtis.2010040102 (https://doi.org/10.4018/jdtis.2010040102)
Journal: International Journal of Dependable and Trustworthy Information Systems (Int. J. Dependable Trust. Inf. Syst.), 1(2), 32-54, April-June 2010
Publication type: Journal article, published 2010-04-01
Open access: no
Citations: 8
Abstract
Benchmarking security is hard and, although there are many proposals of security metrics in the literature, no consensual quantitative security metric has been previously proposed. A key difficulty is that security is usually more influenced by what is unknown about a system than by what is known. In this paper, the authors propose the use of an untrustworthiness metric for benchmarking security. This metric, based on the idea of quantifying and exposing the trustworthiness relationship between a system and its owner, represents a powerful alternative to traditional security metrics. As an example, the authors propose a benchmark for Database Management Systems (DBMS) that can be easily used to assess and compare alternative database configurations based on minimum untrustworthiness, which is a low-cost and high-reward trust-based metric. The practical application of the benchmark in four real large database installations shows that untrustworthiness is a powerful metric for administrators to make informed security decisions by taking into account the specific needs and characteristics of the environment being managed.

Published in the International Journal of Dependable and Trustworthy Information Systems, 1(2), 32-54, April-June 2010. Copyright © 2010, IGI Global.

Excerpt from the paper:

… consider complex environments where security vulnerabilities may exist due to the combination of several distinct characteristics of the system, including the environment around it and how it is used (e.g., a database accessed by several applications and users).

Insecurity metrics based on risk (Jelen & Williams, 1998) try to cope with the uncertainty associated with security goals by incorporating the probability of attacks. Risk is usually defined as the product of the likelihood of an attack and the damage expected if it happens. This metric can be used to decide whether the risks are acceptable and which ones have to be mitigated first. The problem is that it is very easy to underestimate or overestimate these values, which is obviously a major problem when they are used to support security-related decisions.

Traditional security and insecurity metrics are hard to define and compute (Torgerson, 2007) because they involve making isolated estimations about the ability of an unknown individual (e.g., a hacker) to discover and maliciously exploit an unknown system characteristic (e.g., a vulnerability). In practice, it is assumed that such metrics can be computed using information about the system itself, and that they depend only on the system's properties. Therefore, they are universal and have the same value when seen from different perspectives (e.g., the administrator's versus the attacker's point of view).

In spite of the usefulness of such metrics, they are not necessarily the only way of quantifying security aspects. Consider the definition of a useful security metric: "the degree to which security goals are met in a given system, allowing an administrator to make informed decisions". An interesting alternative would be a metric that systematizes and summarizes the knowledge and control that a particular administrator has over his own system. This metric would still fit the security metric definition. Basically, the idea is not to measure just the system characteristics, but to extend the measurement to the relationship between the system and the person (or persons) in charge of it (defined here as the system administrator). Such a metric would allow the administrator to become aware of the security characteristics of the system, gathering knowledge to back up decisions. This metric would be even more useful for administrators who are not security experts and have to manage a complex environment, with too many distinct security aspects to consider at once.

This kind of metric is what we call a trust-based metric, in the sense that it exposes and quantifies the trustworthiness relationship between an administrator and the system he manages. In this work we argue that a highly useful trust-based metric can be based on the evaluation of how much active effort the administrator puts into his system to make it more secure. Note that effort is used broadly, including not only real effort (e.g., testing an application) but also effort put into becoming aware of the state of the system (e.g., identifying that the server currently loads insecure processes). This effort can be summarized as the level of trust (or rather distrust) that can be justifiably put in a given system as not being susceptible to attacks. As an instantiation, we propose a trust-based metric called minimum untrustworthiness, which expresses the minimum level of distrust one should put in a given system or component to act according to its specification.

A benchmark is a procedure that allows assessing and comparing systems (or components) according to a given characteristic (e.g., performance, availability, security) (TPC, 2010). The concept of benchmarking can be summarized in three words: representativeness, usefulness, and agreement. A benchmark must be as representative as possible of a given domain but, as an abstraction of that domain, it will always be an imperfect representation of reality. However, it is useful, in the sense that its results allow making informed decisions regarding the benchmarked targets. One expected usage of a security benchmark is to compare the security characteristics of alternative systems and installations. It is in fact an invaluable tool to help administrators become aware of the security characteristics and issues of the environments they manage. At the same time, users must agree that the benchmark …