Vulnerability Analysis (transcript of a PowerPoint presentation)
Vulnerability Analysis
Formal verification
Formally (mathematically) prove certain characteristics
Proves the absence of flaws in a program or design, but not in the deployed system
Penetration testing
Attempt to violate specific constraints stated in a policy
Cannot prove correctness; it can only show that a vulnerability is present, or that a specific, previously defined flaw is absent under the restrictions of the test
Review
Penetration Testing Goals
Prove the existence/absence of a previously defined flaw
Find vulnerabilities under given restrictions (time, resources, ...)
Layering of tests:
External attacker with no knowledge of the system
External attacker with knowledge of the system
Internal attacker with knowledge of the system
Penetration Testing Procedure
Information gathering: find problem areas in the specification
Flaw hypothesis: derive possible flaws from the information gathered
Flaw testing: verify the possible flaws (exploiting, testing), but without harming the system
Flaw generalization: generalize the obtained insights
Flaw elimination proposal: flaws need to be fixed, but sometimes this takes time; then the tester can suggest ways to prevent the exploit in the meantime
Vulnerability Scanners
Automated tools to test whether a network or host is vulnerable to known attacks
Run in batch mode against the system
Process: a set of system attributes is sampled and stored; the results are compared to a reference set and the deviation is derived
Nessus
The Nessus Security Scanner is a security auditing tool made up of two parts:
The server, nessusd, is in charge of the attacks
The client, nessus, provides the interface to the user
nessusd inspects the remote hosts and attempts to list all the vulnerabilities and common misconfigurations that affect them.
Nessus can be set up to use other tools such as Nmap and Hydra.
New plug-ins can be downloaded or written in the NASL scripting language.
ISS Internet Scanner
A commercial security analysis tool similar to Nessus. It also consists of two parts, a console and a sensor, which are the client and server parts of ISS.
Runs exclusively on Windows systems.
New plug-ins can be downloaded or written as programs in C or Perl and added through the FlexCheck system.
ISS and Nessus were the most popular security analysis tools at the time of this presentation.
Network Based Analysis
Probing the system actively over the network: look for weaknesses and derive information from the system's responses
Two different techniques:
Testing by exploit: actually carrying out the attack
Inference methods: observing the system's responses (banners, open ports, protocol behaviour) to infer the presence of vulnerable applications without exploiting them
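Added example (not part of the presentation, and not code from Nessus or ISS): an inference-style network check. It connects to a service, reads the banner the service volunteers, and compares the advertised version against a reference set of minimum acceptable versions, without sending any exploit. The listener, the service names (ExampleSSH, ExampleFTP) and the version numbers are constructed assumptions so that the script runs offline on the loopback interface.

```python
"""Inference method: grab a banner, parse it, compare it to a baseline."""
import re
import socket
import threading

# Constructed reference set of minimum acceptable versions per service.
# The service names and numbers are assumptions made for this example.
APPROVED_MINIMUM = {
    "ExampleSSH": (2, 4),
    "ExampleFTP": (1, 9),
}

# Optional 3-digit protocol code (FTP/SMTP style), then name, separator, version.
BANNER_RE = re.compile(
    r"^(?:\d{3}[ -])?(?P<service>[A-Za-z]+)[-_/ ](?P<ver>\d+(?:\.\d+)+)"
)


def parse_banner(banner: str):
    """Return (service, version tuple) or None if the banner is not recognised."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return m.group("service"), tuple(int(x) for x in m.group("ver").split("."))


def assess_banner(banner: str) -> str:
    """Classify a banner as 'unknown', 'ok' or 'below-baseline'."""
    parsed = parse_banner(banner)
    if parsed is None or parsed[0] not in APPROVED_MINIMUM:
        return "unknown"
    service, version = parsed
    return "ok" if version >= APPROVED_MINIMUM[service] else "below-baseline"


def grab_banner(host: str, port: int, timeout: float = 2.0) -> str:
    """Connect, read whatever the service sends first, and return it as text."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).decode("ascii", errors="replace")


def _fake_service(banner: bytes) -> int:
    """Constructed stand-in service: sends one banner and closes. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def scan_local(banner: bytes) -> str:
    """Start the constructed service, grab its banner over TCP, and assess it."""
    port = _fake_service(banner)
    return assess_banner(grab_banner("127.0.0.1", port))


if __name__ == "__main__":
    for b in (b"ExampleSSH-2.3 ready\r\n", b"ExampleSSH-2.4\r\n", b"220 ExampleFTP 1.9\r\n"):
        print(b, "->", scan_local(b))
```

Nothing here verifies that the older version is actually exploitable; that is the trade-off of inference: it is safe for the target but relies on the banner being truthful, which is also why such checks produce more false alarms than testing by exploit.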
Host Based Analysis
Assessing system data sources (file contents, configuration settings, status information) to determine vulnerabilities
Passive assessment in which the tool has legitimate local access; the vulnerabilities found mostly concern privilege escalation
Targets are password files, SUID programs, access permissions, anonymous FTP, ...
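Added example (not part of the presentation, and not code from any scanner) covering both the scanner process described above (sample attributes, store them as a reference set, derive the deviation on a later run) and the host-based targets just listed (SUID bits, access permissions). It builds a small constructed directory tree, takes a reference snapshot, introduces some drift, and reports the deviation together with the privilege-escalation-relevant findings. File names and contents are assumptions.

```python
"""Host-based attribute sampling with reference comparison and SUID/permission checks."""
import hashlib
import stat
import tempfile
from pathlib import Path


def sample_attributes(root: str) -> dict:
    """Sample mode, owner and content hash of every regular file under root."""
    snapshot = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.lstat()
        snapshot[str(path.relative_to(root))] = {
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        }
    return snapshot


def find_weak_permissions(snapshot: dict) -> list:
    """Flag SUID/SGID files and world-writable files in a snapshot."""
    findings = []
    for name, attrs in snapshot.items():
        mode = attrs["mode"]
        if mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append((name, "setuid/setgid"))
        if mode & stat.S_IWOTH:
            findings.append((name, "world-writable"))
    return findings


def compare_to_reference(reference: dict, current: dict) -> dict:
    """Derive the deviation between the stored reference set and a new sample."""
    return {
        "added": sorted(set(current) - set(reference)),
        "removed": sorted(set(reference) - set(current)),
        "changed": sorted(n for n in reference if n in current and reference[n] != current[n]),
    }


def demo() -> tuple:
    """Constructed tree: take a reference, let it drift, sample again, compare."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = Path(root, "bin")
        bin_dir.mkdir()
        tool = bin_dir / "tool"
        tool.write_bytes(b"#!/bin/sh\necho hi\n")
        tool.chmod(0o755)
        shadow = Path(root, "etc-shadow")          # stand-in for a password file
        shadow.write_bytes(b"root:*:0:0:::\n")
        shadow.chmod(0o600)

        reference = sample_attributes(root)

        # Constructed drift: the tool gains a SUID bit, the password file
        # becomes world-writable, and an unexpected script appears.
        tool.chmod(0o4755)
        shadow.chmod(0o666)
        Path(root, "cron.sh").write_bytes(b"echo cron\n")

        current = sample_attributes(root)
        return compare_to_reference(reference, current), find_weak_permissions(current)


if __name__ == "__main__":
    deviation, findings = demo()
    print("deviation:", deviation)
    print("findings:", findings)
```

A real host-based run would be pointed at / (or at least /etc, /usr/bin, home directories) and would keep the reference set off-host, since an attacker who can set a SUID bit can usually also edit a reference file stored beside it.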
Advantages
Help to document the security state of a system
Regular application can spot system changes which could lead to problems
A way to double-check any changes made to the system
Disadvantages
Host-based tools are tightly bound to the environment
Network-based tools can harm the system and are more prone to false alarms
Can mislead a running IDS
May violate legal prescriptions (privacy, other parties' sphere of influence, ...)
Risk Analysis
Terms - Risk
Risk is constituted by the expected likelihood of a hazardous event and the expected damage of the event.
(DIN VDE Norm 31000)
Risks are a function of the values of the assets at risk, the likelihood of threats occurring to cause the potential adverse business impacts, the ease of exploitation of the vulnerabilities by the identified threats, and any existing or planned safeguards which might reduce the risk.
(ISO 13335 – Guidelines for the management of IT Security (GMITS))
Terms - Risk Analysis
The total process to identify, control, and manage the impact of uncertain harmful events, commensurate with the value of the protected assets.
(National Information Systems Security Glossary)
Risk Analysis Approaches
Bottom up: the risk is an aggregate of lower-level risks, e.g. the risk that a telephone breaks is the aggregation of the risks of its constituent parts. Mainly used in technical risk analysis.
Top down: the risk is broken down into more detail to derive more clarity. Mainly used in organizational risk analysis.
Risk Analysis Approaches (ISO 13335 – Guidelines for the management of IT Security (GMITS))
Baseline approach: do not analyse, but apply baseline security
Informal approach: pragmatic risk analysis
Detailed risk analysis: in-depth valuation of assets, threat assessment and vulnerability assessment
Combined approach: initial high-level analysis, after which the important systems are further analysed with the detailed approach
Risk Identification
Checklists/best practices: RA tools (e.g. CRAMM, COBRA, ...)
Standards: ISO 17799, ISO 13335, Common Criteria, Basic Protection Manual (Grundschutzhandbuch), ...
Mathematical approaches: trend analysis, regression analysis, ...
Creative approaches: brainstorming, Delphi method, ...
Risk Assessment
Assess the values for a risk (per asset): How likely is it? How harmful is it?
Assessment approaches
Mathematical/statistical methods: time line analysis (trend analysis), regression analysis
Simulation: Monte Carlo simulation
Expert guesses
Risk Assessment - Severity Analysis
Calculate the risk: r = p * e (p = likelihood of the event, e = expected damage)
Qualitative methods: abstract values for ranking (high – low effect, high – low likelihood)
Quantitative methods: specific values indicating severity (e.g. p = 0.32, e = 1000 or e = 0.43)
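Added example (not part of the presentation): the severity calculation r = p * e for a small constructed asset register, once as the quantitative point estimate, once as a qualitative ranking, and once as the Monte Carlo simulation named above. The point estimate is what the slide's formula gives; the simulation additionally shows the tail (the 95th-percentile year), which the expected value hides. Asset names, probabilities and damage values are assumptions; the web-shop entry reuses the slide's p = 0.32, e = 1000.

```python
"""Severity analysis r = p * e: point estimate, qualitative rating, Monte Carlo."""
import random

# Constructed register: per asset, likelihood p of the hazardous event per
# year and expected damage e of one event (same currency unit throughout).
ASSETS = {
    "web-shop": {"p": 0.32, "e": 1000},
    "mail-gw":  {"p": 0.08, "e": 8000},
    "file-srv": {"p": 0.60, "e": 200},
}


def point_estimate(assets: dict) -> dict:
    """Quantitative method: r = p * e per asset, plus the total."""
    risks = {name: a["p"] * a["e"] for name, a in assets.items()}
    risks["total"] = sum(risks.values())
    return risks


def qualitative_rating(p: float, e: float, e_high: float = 5000) -> str:
    """Qualitative method: coarse likelihood and effect classes combined into a rank.
    The thresholds are assumptions for this example."""
    likelihood = "high" if p >= 0.5 else "medium" if p >= 0.1 else "low"
    effect = "high" if e >= e_high else "medium" if e >= e_high / 10 else "low"
    if "high" in (likelihood, effect) and "low" not in (likelihood, effect):
        return "high"
    if likelihood == "low" and effect == "low":
        return "low"
    return "medium"


def simulate_annual_loss(assets: dict, years: int = 20000, seed: int = 1) -> dict:
    """Monte Carlo: in each simulated year every asset's event occurs independently
    with probability p and costs e. Returns mean, 95th percentile and worst year."""
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        loss = sum(a["e"] for a in assets.values() if rng.random() < a["p"])
        losses.append(loss)
    losses.sort()
    return {
        "mean": sum(losses) / years,
        "p95": losses[int(0.95 * years) - 1],
        "max": losses[-1],
    }


if __name__ == "__main__":
    print("point estimate:", point_estimate(ASSETS))
    for name, a in ASSETS.items():
        print(name, "->", qualitative_rating(a["p"], a["e"]))
    print("simulation:", simulate_annual_loss(ASSETS))
```

The simulated mean converges to the point-estimate total (here 1080), but the 95th-percentile year is dominated by the rare, expensive mail-gateway event (8000 or more), which is the figure a budget or insurance decision actually needs.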
Risk countermeasures
Avoidance: a measure is chosen (or deliberately not chosen) so that the risk cannot emerge.
Reduction of threat: the cause of the risk is reduced.
Reduction of vulnerability: the vulnerability itself is reduced.
Reduction of impact: the effects are reduced.
Detection: the risk is identified as it emerges and the risk source is eliminated.
Recovery: establish a recovery strategy.
Transfer: transfer the risk to a third party (e.g. insurance).
Acceptance: preconditions are set by the management; the residual risk is the maximal acceptable risk; the final decision is made by the management.
AS/NZS 4360 Risk Management Process
Identify context: define the organizational context
Identify risks: what can happen, and how
Analyze risks: determine likelihood, determine consequences, estimate the level of risk
Evaluate risks: compare against criteria and set priorities; decide whether to accept the risk (yes: accept it; no: treat it)
Treat risks: identify treatment options and decide for one
In parallel with all steps: communicate and consult; monitor and review
Process after ISO 17799
Asset identification → threat assessment → vulnerability assessment → safeguard assessment → risk assessment
Security Policy
Policy - Terms and definitions
A security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide.
(Site Security Handbook, RFC 2196, B. Fraser)
Policy classification
Language: formal languages (mathematics, state machines, constraint languages) or natural language (normative languages, free speech)
Target: a product (mostly a technical system) or overall (mostly an organization or humans)
Examples, classified by language and target:
Formal language, product: Bell-LaPadula; Java policy constraint language
Natural language, overall: corporate policy; liability policy (legal)
Natural language, product or overall: privacy policy for enterprises; Internet privacy policy
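Added example (not part of the presentation) of what a policy in a formal language looks like, using the Bell-LaPadula model named in the classification above: security labels form a lattice of (classification, set of categories), and every read or write request is decided by two rules (simple-security: no read-up; *-property: no write-down) that a reference monitor can check mechanically, which is exactly what a natural-language corporate policy cannot offer. Subjects, objects and labels are constructed assumptions.

```python
"""Bell-LaPadula access decisions over a label lattice."""
from dataclasses import dataclass

# Linear order of classifications; categories add the lattice's second dimension.
CLASSIFICATIONS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}


@dataclass(frozen=True)
class Label:
    classification: str
    categories: frozenset

    def dominates(self, other: "Label") -> bool:
        """Lattice order: classification at least as high and categories a superset."""
        return (CLASSIFICATIONS[self.classification] >= CLASSIFICATIONS[other.classification]
                and self.categories >= other.categories)


def blp_allows(subject: Label, obj: Label, access: str) -> bool:
    """Simple-security property: read only if the subject dominates the object.
    *-property: write only if the object dominates the subject (no write-down)."""
    if access == "read":
        return subject.dominates(obj)
    if access == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown access mode {access!r}")


def check_state(subjects: dict, objects: dict, requests: list) -> list:
    """Decide a list of (subject, object, access) requests; returns them with the verdict."""
    return [(s, o, a, blp_allows(subjects[s], objects[o], a)) for s, o, a in requests]


def label(classification: str, *categories: str) -> Label:
    return Label(classification, frozenset(categories))


def demo() -> list:
    # Constructed subjects and objects.
    subjects = {"alice": label("secret", "crypto"), "bob": label("confidential")}
    objects = {
        "design.doc": label("secret", "crypto"),
        "notice.txt": label("unclassified"),
        "audit.log": label("top-secret", "crypto"),
    }
    return check_state(subjects, objects, [
        ("alice", "design.doc", "read"),   # alice dominates the object: allowed
        ("alice", "notice.txt", "write"),  # write-down to unclassified: denied
        ("bob", "design.doc", "read"),     # read-up (and missing category): denied
        ("bob", "audit.log", "write"),     # write-up is allowed by BLP
    ])


if __name__ == "__main__":
    for subject, obj, access, allowed in demo():
        print(f"{subject:6} {access:5} {obj:11} -> {'allow' if allowed else 'deny'}")
```

The last request shows a property worth remembering when BLP is proposed for a product: blind write-up is permitted, so integrity of higher-classified objects is not protected by this policy at all; that is a separate (Biba-style) policy.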
Information Security Policy Hierarchy
Corporate policy (top level)
Target policy 1 ... Target policy n (one per target area)
Product policy 1 ... Product policy n (one per product, below the relevant target policy)
Security goal
Overall Policy
Expresses policy at the highest level of abstraction
A statement about the importance of information resources
Management and employee responsibility
Critical and subsequent security requirements
As a subdocument: acceptable risks and budgets
Requirements for a policy
Policies need to be set at a high enough level to give guidance over longer time periods
Demonstrate organizational commitment to security
Position of responsibility towards owners, partners and the public
Hierarchy of policies
Concordant with organizational culture and norms
Target Policies
Tactical regulation instrument
Can have operational guidelines
Specific to a target area, but not too detailed
Product Policy
Requirements for the product
Additional security, or relaxing other policies
Formulating special target policies for products: privacy, confidentiality statements, reliability statements, ...
Questions?