Abstract: Unified and formal knowledge models of the information security domain are fundamental requirements for supporting and enhancing existing risk management approaches. This project develops a security ontology which provides an ontological structure for information security domain knowledge. Besides existing best-practice guidelines such as the German IT Grundschutz Manual, concrete knowledge about the considered organization is also incorporated. An evaluation conducted by a team of information security experts has shown that this knowledge model can be used to support a broad range of information security risk management approaches.
Security Ontology Description
The security ontology was developed based on the security relationship model described in the National Institute of Standards and Technology Special Publication 800-12. The figure below shows the high-level concepts and corresponding relations of the ontology. A threat gives rise to follow-up threats, represents a potential danger to the organization's assets, and affects specific security attributes (e.g. confidentiality, integrity, and/or availability) as soon as it exploits a vulnerability in the form of a physical, technical, or administrative weakness. Additionally, each threat is described by a potential threat origin (human or natural) and a threat source (accidental or deliberate). Each vulnerability is assigned a severity value and the asset on which it could be exploited.

Controls have to be implemented to mitigate an identified vulnerability and to protect the respective assets by preventive, corrective, deterrent, recovery, or detective measures (control type). Each control is implemented by one or more asset concepts (infrastructure elements, software products, or organizational measures), or by combinations thereof. Controls are derived from and correspond to best-practice and information security standard controls (e.g. the German IT Grundschutz Manual and ISO/IEC 27001) to ensure the incorporation of widely accepted knowledge. The controls are modeled at a highly granular level and are thus reusable across different standards, so that implementing the modeled controls implicitly satisfies the corresponding requirements of those standards.

To enrich the knowledge model with concrete information security knowledge, the German IT Grundschutz Manual has been superimposed on the security ontology, and more than 500 information security concepts and 600 corresponding formal axioms are integrated into the ontological knowledge base. The coded ontology follows the OWL-DL (W3C Web Ontology Language) standard and thus represents the knowledge in a standardized, formal, and machine-processable form.
The threat subontology builds upon Peltier's threat classification and comprises natural, accidental, and intentional threats at the highest level, followed by a detailed subclassification. For each threat, an in-depth description is provided for clarity, together with the endangered security objectives following the security and dependability taxonomy of Avizienis et al. (confidentiality, integrity, availability, accountability, authenticity, reliability, and safety). This is useful if a company wants to prioritize its IT security strategy with regard to specific attributes. Often the occurrence of a threat gives rise to or intensifies other threats; these relationships are therefore also reflected in the ontology.
The annual rate of occurrence of each threat is stored in the probability concept, which is linked to the threat and location subontologies to map location-dependent threat occurrence rates. For natural threats such as flood and earthquake, national weather and research centers provide suitable data sets for determining annual occurrence rates. Local law enforcement agencies can provide data for intentional threats such as theft, active wiretapping, and vandalism; for accidental threats such as power outages, the local energy supplier can provide reliable data about former outages. Insurance companies are a further source of reliable data on specific threat occurrence rates.
Furthermore, each threat exploits one or more vulnerabilities, which are found in the vulnerability subontology. Understanding the relationships between threats and endangered assets is vital for comprehensive security planning, and these connections have therefore been integrated. Assets are represented by classes in the infrastructure subontology.
The following example clarifies the threat ontology: Unauthorized access to the office building is a subclass of the class unauthorized access. If a threat agent realizes this threat, availability is affected the most. While simple unauthorized access might only result in damaged windows or doors, the possible subsequent threats, e.g. theft of hardware or vandalism, could have a severe impact on the company's availability, confidentiality, and integrity. Defined vulnerabilities that could be exploited by the threat of unauthorized access to the office building are doors or windows with a low security level and the unauthorized dissemination of access credentials by employees.
A vulnerability is the absence of a proper safeguard that could be exploited by a threat. The vulnerability subontology is subclassified into three distinct classes: (1) administrative vulnerability, (2) physical vulnerability, and (3) technical vulnerability. Each vulnerability can be exploited by predefined threats from the threat subontology, and it is mitigated by selecting one or more controls, which are in turn implemented by elements from the infrastructure, control, or software subontology.
The infrastructure section of the Security Ontology contains a wide range of physical elements that are utilized within an organization. Parts of the categorization, such as the IT and telecommunication branch, follow established standards like the United Nations Standard Products and Services Code to ensure a standardized structure. To guarantee that the entire organization can be mapped to the ontology, the infrastructure subontology also provides structural elements that enable the mapping of physical environment elements such as buildings, floors, rooms, windows, or doors. Vulnerability severity ratings (critical, important, moderate, and low) enable an additional classification. For physical vulnerabilities, an extra relation indicates the infrastructure element that causes a certain vulnerability, e.g. a door with a low security rating.
In contrast to the infrastructure part of the Security Ontology, the control subontology provides administrative elements: atomic controls drawn from best-practice standards, guidelines, baselines, procedures, and security frameworks such as ISO 27001, ISO 17799, COBIT, ITIL, and the BSI IT Grundschutz Manual.
The following example clarifies the idea of the vulnerability subontology: A physical vulnerability would be windows with a low security rating used within the organization's building. This circumstance can be exploited by the threat unauthorized access described in the previous section. The ontology indicates that this vulnerability is caused by the use of standard windows, and thus appropriate safeguards to reduce the vulnerability would be the installation of more secure window types such as wired-glass or acrylic windows.
Vulnerabilities can be reduced by installing infrastructure resources, implementing organizational controls, and/or deploying specific software products, depending on the vulnerability's nature. Certain infrastructure resources require other resources in order to be effective, e.g. a fire extinguishing system depends on fire detectors. By adding links between infrastructure elements, this requirement can be modeled.
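The following Python is an added example, not code from the Security Ontology project or an excerpt of its OWL files. It models the relations described on this page (threat gives rise to threat, threat exploits vulnerability, vulnerability sits on an asset and is caused by an infrastructure element, control mitigates vulnerability and is implemented by elements, element requires element) as a small in-memory triple store, using the unauthorized-access and window examples above and the fire-detector dependency as constructed sample data. It then runs the traversals the text describes: follow-up threats and the attributes they endanger, threats and unmitigated vulnerabilities for an asset, and the full set of resources a control needs once the "requires" chain is resolved. All class and property names are assumptions modeled on the page's wording, not the project's actual identifiers.

```python
"""Added example (not part of the Security Ontology project or its OWL files):
a minimal in-memory triple store mirroring the relations described on the page,
so the traversals the text describes can be run offline.
All class and property names are assumptions, not the project's identifiers."""
from collections import defaultdict

# Constructed sample triples (subject, predicate, object); hypothetical names.
TRIPLES = [
    # threat subontology: class hierarchy and follow-up threats
    ("UnauthorizedAccess", "subClassOf", "IntentionalThreat"),
    ("UnauthorizedAccessToOfficeBuilding", "subClassOf", "UnauthorizedAccess"),
    ("TheftOfHardware", "subClassOf", "IntentionalThreat"),
    ("Vandalism", "subClassOf", "IntentionalThreat"),
    ("UnauthorizedAccessToOfficeBuilding", "givesRiseTo", "TheftOfHardware"),
    ("UnauthorizedAccessToOfficeBuilding", "givesRiseTo", "Vandalism"),
    # endangered security attributes per threat
    ("UnauthorizedAccessToOfficeBuilding", "affects", "Availability"),
    ("TheftOfHardware", "affects", "Confidentiality"),
    ("TheftOfHardware", "affects", "Availability"),
    ("Vandalism", "affects", "Integrity"),
    ("Vandalism", "affects", "Availability"),
    # vulnerability subontology: what is exploited, on which asset, caused by what
    ("UnauthorizedAccessToOfficeBuilding", "exploits", "LowSecurityWindow"),
    ("UnauthorizedAccessToOfficeBuilding", "exploits", "CredentialDissemination"),
    ("LowSecurityWindow", "vulnerabilityOn", "OfficeBuilding"),
    ("LowSecurityWindow", "causedBy", "StandardWindow"),
    ("LowSecurityWindow", "severity", "important"),
    ("CredentialDissemination", "vulnerabilityOn", "OfficeBuilding"),
    # controls and the elements that implement them (CredentialDissemination
    # deliberately has no control yet, so the gap check below finds it)
    ("LowSecurityWindow", "mitigatedBy", "SecureWindowControl"),
    ("SecureWindowControl", "implementedBy", "WiredGlassWindow"),
    ("FireSuppressionControl", "implementedBy", "FireExtinguishingSystem"),
    # infrastructure dependencies: a resource that needs another to be effective
    ("FireExtinguishingSystem", "requires", "FireDetector"),
    ("FireDetector", "requires", "PowerSupply"),
]


class Ontology:
    """Indexes triples both ways so forward and inverse relations can be walked."""

    def __init__(self, triples):
        self.fwd = defaultdict(lambda: defaultdict(set))  # subject -> prop -> objects
        self.inv = defaultdict(lambda: defaultdict(set))  # object -> prop -> subjects
        for s, p, o in triples:
            self.fwd[s][p].add(o)
            self.inv[o][p].add(s)

    def objects(self, subject, prop):
        return set(self.fwd[subject][prop])

    def subjects(self, prop, obj):
        return set(self.inv[obj][prop])

    def closure(self, start, prop, inverse=False):
        """Transitive closure over one property (cycle-safe); excludes start."""
        step = (lambda n: self.subjects(prop, n)) if inverse else (lambda n: self.objects(n, prop))
        seen, stack = set(), [start]
        while stack:
            for nxt in step(stack.pop()):
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        return seen

    def specializations(self, cls):
        """All transitive subclasses, e.g. every modeled intentional threat."""
        return self.closure(cls, "subClassOf", inverse=True)

    def follow_up_threats(self, threat):
        """Threats a given threat gives rise to, directly or transitively."""
        return self.closure(threat, "givesRiseTo")

    def affected_attributes(self, threat):
        """Security attributes endangered by the threat and all its follow-ups."""
        attrs = set()
        for t in {threat} | self.follow_up_threats(threat):
            attrs |= self.objects(t, "affects")
        return attrs

    def threats_for_asset(self, asset):
        """Threats that exploit any vulnerability located on the asset."""
        threats = set()
        for vuln in self.subjects("vulnerabilityOn", asset):
            threats |= self.subjects("exploits", vuln)
        return threats

    def unmitigated_vulnerabilities(self, asset):
        """Vulnerabilities on the asset for which no mitigating control is modeled."""
        return {v for v in self.subjects("vulnerabilityOn", asset)
                if not self.objects(v, "mitigatedBy")}

    def deployment_set(self, control):
        """Elements needed to implement a control, resolving 'requires' chains."""
        elements = set()
        for e in self.objects(control, "implementedBy"):
            elements.add(e)
            elements |= self.closure(e, "requires")
        return elements


if __name__ == "__main__":
    onto = Ontology(TRIPLES)
    t = "UnauthorizedAccessToOfficeBuilding"
    print("follow-up threats:", sorted(onto.follow_up_threats(t)))
    print("affected attributes:", sorted(onto.affected_attributes(t)))
    print("threats on OfficeBuilding:", sorted(onto.threats_for_asset("OfficeBuilding")))
    print("unmitigated:", sorted(onto.unmitigated_vulnerabilities("OfficeBuilding")))
    print("to deploy FireSuppressionControl:", sorted(onto.deployment_set("FireSuppressionControl")))
```

Two points worth noting. The attribute set for the office-building threat only becomes {availability, confidentiality, integrity} once the follow-up threats are included, which is exactly why the page insists that "gives rise to" relations be modeled rather than left to the analyst. And the unmitigated-vulnerability check is the query a risk manager actually wants: in the sample data the credential-dissemination vulnerability has no control attached, so it surfaces as the open gap. In an OWL-DL ontology the same closures come for free by declaring the "gives rise to" and "requires" properties transitive and asking a reasoner, rather than walking the graph by hand as done here.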
Online Version of the Security Ontology