System Security Engineering Roadmap

UNCLASSIFIED

Systems Security Engineering
Final Technical Report SERC-2010-TR-005

Principal Investigator: Jennifer Bayuk, Stevens Institute of Technology

Team Members:
  Dennis Barnabe, NSA/ESEA
  Jonathan Goodnight, OUSD(AT&L)/DDRE/SE
  Drew Hamilton, Auburn University
  Barry Horowitz, University of Virginia
  Clifford Neuman, University of Southern California
  Stas' Tarchalski, Stevens Institute of Technology

Contract Number: H98230-08-D-0171, DO 001, TO 0002, RT 008
Report No. SERC-2010-TR-005
August 22, 2010
(78 pages)

System Security Engineering: A Research Roadmap

Table of Contents

1. Executive Summary (p. 7)
2. Problem Statement (p. 8)
3. Solution Criteria (p. 11)
4. Proposal (p. 20)
   4.1. Security Definition (p. 21)
   4.2. Frameworks (p. 22)
   4.3. Metrics (p. 23)
   4.4. Workforce (p. 25)
   4.5. Systems Engineering Methods, Processes and Tools (p. 26)
   4.6. Advanced Research Topics (p. 27)
   4.7. Coordination (p. 28)
5. Summary and Next Steps (p. 28)
6. Contributors (p. 29)
Appendix A: Additional Detail on Selected Research Modules (p. 33)
   Security definition (Reference Section: 4.1) (p. 34)
      A. Security Standards Reconciliation (p. 34)
      B. The Utility of Security Best Practices (p. 35)
      C. Security Policy Compliance (p. 36)
      D. Adaptation of Security Policy and Mechanism (p. 37)
   Security Frameworks (Reference Section: 4.2) (p. 38)
      E. Critical Program Information Protection (p. 38)
      F. System of Systems (p. 39)
      G. Configuration Hopping (p. 41)
      H. Continuity of Communications (p. 42)
      I. Data Continuity Checking (p. 44)
      J. Denial and Deception (p. 46)
      K. Shared Command Information Sharing (p. 47)
      L. Physical Security Frameworks (p. 48)
   Security metrics (Reference Section: 4.3) (p. 49)
      M. Architecture Metrics (p. 49)
      N. Risk Metrics (p. 51)
      O. Security versus Convenience (p. 52)
      P. Security Trade Spaces in Emerging Technologies (p. 54)
      Q. Trust Assessment Models (p. 55)
   Security workforce (Reference Section: 4.4) (p. 58)
      R. Workforce Education (p. 58)
      S. Security Requirements Process (p. 59)
      T. SE Career Path (p. 61)
   Security MPTs (Methods, Processes and Tools) (Reference Section: 4.5) (p. 61)
      W. Exploring Nearby Disciplines (p. 61)
      X. BKCASE Security Section (p. 62)
   Security advanced topics (Reference Section: 4.6) (p. 64)
      Y. Agile Architecture (p. 64)
      Z. Executable Architecture (p. 65)
      AA. Critical Functionality (p. 67)
   Security Research Coordination (Reference Section: 4.7) (p. 68)
      BB. Coordination (p. 68)
      CC. Hypothesis Test (p. 68)
Appendix B: Glossary (p. 70)
Appendix C: SERC Security Research Workshop Agenda (p. 73)
Appendix D: References and Bibliography (p. 75)

1. Executive Summary

The US needs dramatic improvements in systems security. Current defensive strategies, based principally on strengthening system peripheries, inspections, and similar bolt-on techniques, add tremendously to cost and do not respond effectively to the growing sophistication of attacks. Systems cannot be assumed to have static boundaries, static user communities, or even a static set of services. To a great extent, systems engineers are inadequately prepared to address system security requirements. Traditional systems engineering methods fail to address system security issues because they rely heavily on requirements gathering and modeling. In the realm of security, requirements gathering

Details

  • File Type: pdf
  • Content Languages: English
  • File Pages: 78
