In this post we will be exploring a very useful analysis concept in security engineering, Security Patterns and more importantly; Anti-Patterns.
As we have discussed in earlier posts, a use case or use model is a generalized process or method to do something useful. A security pattern is a generalized solution to a use case / use model.
As a quick refresher, lets take a look at how we get to patterns. Security within a system can be dissembled into a set of security controls. These controls come from one of three broad categories, which include Management, Operational and Technical. For further information on these distinctions, look to NIST SP 800-53 and NIST SP800-100. The management controls are essentially policy and enforcement controls. Operational controls are primarily process and workflow management. Lastly, Technical controls are the nuts and bolts pieces of technology that most people associate with computer security. These three control domains loosely map to implementation mechanisms including, People, Process, Policy and Technology. Technology maps directly to technical controls, and for the most part is the most effective part of system security design. Process is the how stuff gets done, and includes the checks, balances and feedback elements to ensure stuff gets done right. Policy is the organizational policy that drives the behavior of people and process. Lastly people are the mechanism that interfaces everything and in many cases turns a disconnected collection of policy, process and technical systems into some organizational system that provides some capability. When we represent some overall system capability as a Pattern, we are generalizing and simplifying down so that the entire system function can be easily understood as a single system. Anti-Patterns is used to represent common failure modes of the system, and analyze what security controls are missing or failing that allows this failure.
Credit Issuance: Pattern & Anti-Pattern
In this simple example we will look at a how large purchase credit is issued to consumers. It is important to note that I do not work in the financial / credit business, and this example is massively simplified.
In this particular Pattern / Anti-Pattern discussion, the bulk of the system security is based on process and people, and the discussion will center on those elements.
First we are going to explore the use case and security pattern. Bob and Alice are car shopping, have selected a vehicle, inform the sales person that they would like to finance the purchase, and would like the dealership to facilitate this purchase. This is essentially the use case. The next steps are that Bob and Alice provide information that authenticates who they are so that their financial identity can be verified by financial institution. Based on Bob and Alice’s identity, the financial institution procures a credit report from one of the three credit reporting agencies (or all three), to establish a credit profile for Bob and Alice. Based on Bob and Alice’s current financial commitments and history, the financial institution makes a risk based decision as to whether credit will be extended for the purchase and what the terms will be. This information is then relayed back to the car salesman, who provides to Bob and Alice and then they decide if they will accept the terms. If the terms are accepted, Bob and Alice fill out various contracts that commit them to a number of things, the money is transferred from the financial institution, and owner ship of the car is transferred from the dealership to Bob, Alice and the financial institution.
It is important to note that this pattern and use case are idealized, and by looking at the anti-pattern for this pattern, we can make some interesting observations. An anti-pattern is not exactly the opposite of the pattern, but often represents generalized failure in the pattern that we would like to prevent.
In this particular anti-pattern, Eve is car shopping also, but rather than paying for it herself, she intends to present herself as Alice, and take possession of a car and fraudulently commit Alice to the loan for the car. All of this is occurring without Alice’s involvement or awareness of these events. It turns out that it is surprisingly easy to achieve with some degree of success, requiring little more than a fabricated ID and some personal information about Alice. When successful, Eve completes the contractual paperwork (posing as Alice), money is transferred to the car dealership and Eve takes possession of the car. Some 15 to 30 days later, Alice receives notification of her payment schedule for the loan.
In most cases this is the first indication to Alice that she is involved. From that point Alice then contacts the financial institution indicating that they are in error and that she did not take out a loan for a new car. By this time, the transfer of the money and car title to the bank has been completed, and is unlikely to be reversed without the return of the car (which Eve is unlikely to do voluntarily). As far as the car dealership or the financial institution is concerned, the entire process was legitimate and valid. By default, Alice is the responsible party for this fraudulent loan until she is able to legally correct this issue by having the financial institution accept the loan as fraudulent, and absolve her of responsibility for the loan. This can often take many months, and in the mean time it is often necessary for Alice to make payments on this loan to protect her credit standing.
What Went Wrong?
I consider this to be a particularly good example to illustrate patterns, anti-patterns. So lets dissect what happened and what went wrong.
If we look at this pattern, and analyse the roles of the parties involved, we have Bob and Alice – the buyers, the car salesman, and the financial institution loan officer. In addition, the car salesman is acting as a broker for the between the financial institution and Bob and Alice. As buyers – the role of Bob and Alice is relatively simple. Bob and Alice want to buy a car, and are ready to commit to a car loan within some set of terms they deem reasonable.
The loan officer has a similarly simple role. The financial institution chooses to offer a loan to the buyers under a set of terms that fall within the policy of the financial institution, based on the financial identity / history of the buyers. If we examine the goals and motives of the financial institution it becomes somewhat more complicated. For any financial institution, it is imperative to not give out fraudulent loans. As as for profit institution, it is also imperative to increase profits by issuing more loans. These two conflicting goals result in a risk based trade-off that becomes part of of the loan calculus at the financial institution. The probability of the loan being fraudulent is a known risk, and the probability that Bob and Alice may default on the loan is also a known risk and all of these risks are taken into consideration. However, even when these risks are known and accounted for, there is no benefit to a realized risk.
The car salesman plays a critical role in this process. The salesman (and by extension – his employers) are responsible for authenticating Bob and Alice. The primary basis of this entire example is that it only functions correctly if Bob and Alice are really Bob and Alice. The salesman is also responsible for representing the financial institution to the buyers – Bob and Alice. This becomes complicated by the fact that most car dealerships have relationships with dozens of financial institutions with various forms of incentives to select one over another. The role of the car salesman also is conflicted. Fundamentally, the first and most important goal for the car salesman is to sell cars, and maximize his personal incentive that results from the sale of that car. The goal of ensuring that any particular car purchase is not fraudulent is a distant second. It is safe to assume that if one financial institution rejects the loan application because it seems excessively risky, it will be submitted to multiple other financial institutions willing to take on more risky loans. In addition, for every car dealership that rigorously reviews the application and credentials submitted by Bob and Alice to ensure that they are not party to a fraudulent loan, there are numerous other dealerships willing to be less diligent.
If we then look at the Anti-Pattern, we introduce an additional party to this process; Eve. When Eve impersonates Alice, Alice still plays a role (as the victim) but is not actually connected to the process in a useful manner – and therein lies the flaw in this security architecture.
The remaining part of this analysis is to examine how the pattern reacts to misrepresentation. If the financial institution misrepresents the loan terms to the buyers, the buyer is in possession of the contract signed at closing of the loan. If the financial institution fails to transfer the loan proceeds to the car dealership, the title is not transferred and possession of the car is not released. If the car salesman misrepresents the vehicle, the financial institution does check the VIN number which provides significant information about the vehicle, and no money will be transferred until it is resolved. For both the car salesman and the financial institution there are checks and balances to ensure that they are not misrepresenting their part in the transaction. However, if the buyer misrepresents themselves as somebody else, there are no immediate system level controls to function as a check.
Bottom Line – Whenever people are key parts of the security design, it is important to assess these elements:
- Identify Goals / Motivations of all the roles. If these are conflicted, this will result in some form of trade-off at the personal level, which translates to a system security vulnerability.
- Identify impact of Misrepresentation. What checks and balances are in place to ensure that if a role misrepresents itself, the system security functions despite this misrepresentation.
Pattern and Anti-Pattern analysis are often done to highlight weaknesses. This analysis showed that for this particular example, all of the parties (or actors) need to be accounted for in the process, where this includes the primary pattern and any anti-patterns.