Vulnerability Analysis

Formal verification
- Formally (mathematically) prove certain characteristics
- Proves the absence of flaws in a program or design, but not in a system

Penetration testing
- Attempt to violate specific constraints stated in a policy
- Cannot prove correctness, but can show the absence of a specific, previously defined vulnerability
Penetration Testing

Goals
- Prove the existence/absence of a previously defined flaw
- Find vulnerabilities under given restrictions (time, resources, ...)

Layering of tests
- External attacker with no knowledge of the system
- External attacker with knowledge of the system
- Internal attacker with knowledge of the system
Penetration Testing Procedure
- Information gathering: find problem areas in the specification
- Flaw hypothesis: derive possible flaws from the information gathered
- Flaw testing: verify the possible flaws (exploiting, testing), but without doing harm
- Flaw generalization: generalize the obtained insights
- Flaw elimination proposal: flaws need to be fixed, but sometimes this takes time; the tester can then suggest ways to prevent the exploit in the meantime
Vulnerability Scanners
- Automated tools that test whether a network or host is vulnerable to known attacks
- Run in batch mode against the system

Process
- A set of system attributes is sampled and stored
- The results are compared to a reference set and the deviation is derived
Nessus
- The Nessus Security Scanner is a security auditing tool made up of two parts:
  - The server, nessusd, is in charge of the attacks
  - The client, nessus, provides the user interface
- nessusd inspects the remote hosts and attempts to list all the vulnerabilities and common misconfigurations that affect them
- Nessus can be set up to use other tools such as Nmap and Hydra
- New plug-ins can be downloaded or written in the NASL scripting language
ISS
- Internet Scanner is a commercial security analysis tool similar to Nessus
- It also consists of two parts, a console and a sensor, which are the client and server parts of ISS
- Runs exclusively on Windows systems
- New plug-ins can be downloaded or written as programs in C or Perl and added through the FlexCheck system
- ISS and Nessus are the most popular security analysis tools
Network Based Analysis
- Probing the system actively by
  - looking for weaknesses
  - deriving information from system responses
- Two different techniques
  - Testing by exploit: really performing the attack
  - Inference methods: monitoring the system for vulnerable applications
Host Based Analysis
- Assessing system data sources (file contents, configuration settings, status information) to determine vulnerabilities
- Passive assessment where the tool has legitimate access; the findings mostly concern privilege escalation attacks
- Targets are password files, SUID binaries, access permissions, anonymous FTP, ...
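To make the scanner process (sample attributes, compare to a reference set, derive the deviation) and the host-based targets concrete, here is an added Python example. It is not from the slides and is not the code of Nessus, ISS or any other scanner named on this page. It samples file mode/owner attributes and password-file entries, compares them against a baseline and reports deviations plus a few baseline-independent checks (SUID/SGID, world-writable paths, empty password fields, duplicate UID 0). The baseline, the current sample and the passwd lines are constructed inline so the script runs offline; on a real host they would come from os.stat() and /etc/passwd.

```python
"""Host-based vulnerability check: sample attributes, compare to a reference
set, report deviations. Added example; all data below is constructed."""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileAttr:
    mode: int    # POSIX permission bits, e.g. 0o4755
    owner: str


# Constructed reference set: the approved state of the host.
BASELINE = {
    "/usr/bin/passwd": FileAttr(0o4755, "root"),
    "/etc/passwd":     FileAttr(0o644, "root"),
    "/etc/shadow":     FileAttr(0o640, "root"),
    "/var/ftp/pub":    FileAttr(0o755, "ftp"),
}

# Constructed current sample, as a scanner would collect it with os.stat().
SAMPLE = {
    "/usr/bin/passwd": FileAttr(0o4755, "root"),
    "/etc/passwd":     FileAttr(0o644, "root"),
    "/etc/shadow":     FileAttr(0o644, "root"),   # permissions loosened
    "/var/ftp/pub":    FileAttr(0o777, "ftp"),    # now world-writable
    "/tmp/helper":     FileAttr(0o4755, "root"),  # unknown SUID-root binary
}

# Constructed /etc/passwd content (a real scanner reads the real file).
PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "guest::1001:1001:Guest:/home/guest:/bin/sh",    # empty password field
    "backup:x:0:1002:Backup:/var/backups:/bin/sh",   # second UID 0 account
]


def compare_to_baseline(sample, baseline):
    """Derive the deviation: attributes that differ from the reference set,
    files the reference set does not know, and files that disappeared."""
    findings = []
    for path, attr in sample.items():
        ref = baseline.get(path)
        if ref is None:
            findings.append((path, "not in baseline"))
            continue
        changes = []
        if attr.mode != ref.mode:
            changes.append(f"mode {oct(ref.mode)} -> {oct(attr.mode)}")
        if attr.owner != ref.owner:
            changes.append(f"owner {ref.owner} -> {attr.owner}")
        if changes:
            findings.append((path, "; ".join(changes)))
    for path in baseline.keys() - sample.keys():
        findings.append((path, "missing from host"))
    return findings


def risky_permissions(sample):
    """Flag SUID/SGID executables and world-writable paths, baseline or not."""
    findings = []
    for path, attr in sample.items():
        if attr.mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append((path, "setuid/setgid"))
        if attr.mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
    return findings


def weak_passwd_entries(lines):
    """Password-file checks: empty password field and more than one UID 0."""
    findings, uid0 = [], []
    for line in lines:
        name, password, uid = line.split(":")[:3]
        if password == "":
            findings.append((name, "empty password field"))
        if uid == "0":
            uid0.append(name)
    if len(uid0) > 1:
        findings.append((",".join(uid0), "multiple UID 0 accounts"))
    return findings


if __name__ == "__main__":
    for section, items in (("deviation from baseline", compare_to_baseline(SAMPLE, BASELINE)),
                           ("risky permissions", risky_permissions(SAMPLE)),
                           ("password file", weak_passwd_entries(PASSWD_LINES))):
        print(section)
        for subject, reason in items:
            print(f"  {subject}: {reason}")
```

The baseline comparison only reports what changed relative to an approved state, which is why regular runs spot system changes; the two baseline-independent checks catch conditions that are risky even when they were present in the reference set.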
Advantages / Disadvantages

Advantages (+)
- Help to document the security state of a system
- Regular application can spot system changes which could lead to problems
- A way to double-check any changes made to the system

Disadvantages (-)
- Host-based scanners are tightly bound to the environment
- Network-based scanners can harm the system and are more prone to false alarms
- Can misguide a running IDS
- May violate legal prescriptions (privacy, others' sphere of influence, ...)
Risk analysis

Terms - Risk
- Risk is constituted by the expected likelihood of a hazardous event and the expected damage of the event.
  (DIN, VDE Norm 31000)
- Risks are a function of the values of the assets at risk, the likelihood of threats occurring to cause the potential adverse business impacts, the ease of exploitation of the vulnerabilities by the identified threats, and any existing or planned safeguards which might reduce the risk.
  (ISO 13335 - Guidelines for the management of IT Security (GMITS))
Terms - Risk Analysis
- The total process to identify, control, and manage the impact of uncertain harmful events, commensurate with the value of the protected assets.
  (National Information Systems Security Glossary)
Risk Analysis Approaches

Bottom up
- The risk is an aggregate of lower-level risks
  - e.g. the risk that a phone breaks is an aggregation of the risks of its constituent parts
- Mainly used in technical risk analysis

Top down
- The risk is broken down into more detail to gain clarity
- Mainly used in organizational risk analysis
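As an added illustration of the bottom-up aggregation (not from the original slides), assume the phone breaks as soon as any one of its $n$ parts fails and the parts fail independently with probabilities $p_i$. The aggregate risk of failure then follows from the probability that no part fails:

```latex
P(\text{phone breaks}) = 1 - P(\text{no part fails}) = 1 - \prod_{i=1}^{n} (1 - p_i)

\text{Constructed values: } p_1 = 0.01,\; p_2 = 0.02,\; p_3 = 0.05

P(\text{phone breaks}) = 1 - 0.99 \cdot 0.98 \cdot 0.95 = 1 - 0.92169 = 0.07831

\text{For small } p_i \text{ the sum } \sum_{i=1}^{n} p_i = 0.08 \text{ is a slight overestimate.}
```

The product form only holds under the independence assumption; parts with a common cause of failure (shared power supply, shared firmware) must be aggregated with their joint probabilities instead.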
Risk Analysis Approaches
- Baseline approach: no analysis, but apply baseline security
- Informal approach: pragmatic risk analysis
- Detailed risk analysis: in-depth valuation of assets, threat assessment and vulnerability assessment
- Combined approach: initial high-level approach, where important systems are further analysed with a detailed approach
  (ISO 13335 - Guidelines for the management of IT Security (GMITS))
Risk Identification
- Checklists/Best practices
  - RA tools (e.g. CRAMM, COBRA, ...)
- Standards
  - ISO 17799, ISO 13335, Common Criteria
  - Basic Protection Manual (Grundschutzhandbuch)
  - ...
- Mathematical approaches
  - Trend analysis, regression analysis, ...
- Creative approaches
  - Brainstorming, Delphi method, ...
Risk Assessment
- Assess the values for a risk (per asset)
  - How likely is it?
  - How harmful is it?
Assessment Approaches
- Mathematical/Statistical methods
  - Time line analysis (trend analysis)
  - Regression analysis
- Simulation
  - Monte Carlo simulation
- Expert guesses
Risk Assessment

Severity Analysis
- Calculate the risk: r = p * e (likelihood p, effect/damage e)
- Qualitative methods: abstract values for ranking (high/low effect, high/low likelihood)
- Quantitative methods: specific values indicating severity (p = 0.32, e = 1000 or e = 0.43)
Risk countermeasures
- Avoidance: a measure is chosen (or deliberately not chosen) so that the risk cannot emerge
- Reduction
  - of threat: the cause of the risk is reduced
  - of vulnerability: the vulnerability is reduced
  - of impact: the effects are reduced
Risk countermeasures
- Detection: the risk is identified as it emerges and the risk source is eliminated
- Recovery: establish a recovery strategy
- Transfer: transfer the risk to a third party
- Acceptance
  - Preconditions set by the management
  - Residual risk: the maximal acceptable risk
  - Final decision made by the management
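The severity analysis (r = p * e, qualitative versus quantitative ranking), the Monte Carlo approach and the acceptance decision against a residual-risk limit can be put into one worked example. The following Python is added here and is not from the slides; the assets, their p and e values, the high/low thresholds and the management limit are constructed, and "p" is read as the yearly likelihood of the event, "e" as the damage per event.

```python
"""Risk assessment per asset: r = p * e, qualitative ranking, a Monte Carlo
check of the expectation, and the residual-risk acceptance decision.
Added example; all values are constructed."""
import random

# Constructed quantitative assessment: p = yearly likelihood, e = damage per event.
ASSETS = {
    "customer database": {"p": 0.32, "e": 1000.0},
    "public web server": {"p": 0.60, "e": 200.0},
    "office printer":    {"p": 0.05, "e": 50.0},
}


def quantitative_risk(assets):
    """r = p * e for each asset, ranked highest risk first."""
    ranked = {name: v["p"] * v["e"] for name, v in assets.items()}
    return sorted(ranked.items(), key=lambda kv: kv[1], reverse=True)


def qualitative_level(p, e, p_threshold=0.3, e_threshold=300.0):
    """Abstract ranking: map likelihood and effect to high/low, then combine.
    The thresholds are constructed for this example."""
    likelihood = "high" if p >= p_threshold else "low"
    effect = "high" if e >= e_threshold else "low"
    if likelihood == "high" and effect == "high":
        return "high"
    if likelihood == "low" and effect == "low":
        return "low"
    return "medium"


def monte_carlo_expected_loss(p, e, trials=100_000, seed=1):
    """Simulate the hazardous event; the mean loss approaches p * e."""
    rng = random.Random(seed)
    total = sum(e for _ in range(trials) if rng.random() < p)
    return total / trials


def residual_risk(p, e, p_reduction=0.0, e_reduction=0.0):
    """Risk left after safeguards: threat/vulnerability reduction lowers p,
    impact reduction lowers e (fractions between 0 and 1)."""
    return p * (1.0 - p_reduction) * e * (1.0 - e_reduction)


def acceptance_decision(risk, max_acceptable_risk):
    """Management precondition: accept only if the residual risk is within the limit."""
    return "accept" if risk <= max_acceptable_risk else "treat"


if __name__ == "__main__":
    for name, r in quantitative_risk(ASSETS):
        v = ASSETS[name]
        print(f"{name:18s} r = {r:7.1f}  level = {qualitative_level(v['p'], v['e'])}")
    db = ASSETS["customer database"]
    print(f"Monte Carlo estimate for the database: {monte_carlo_expected_loss(db['p'], db['e']):.1f}")
    before = db["p"] * db["e"]
    after = residual_risk(db["p"], db["e"], p_reduction=0.5, e_reduction=0.4)
    limit = 100.0  # constructed maximal acceptable risk set by management
    print(f"database risk {before:.1f} -> residual {after:.1f}: {acceptance_decision(after, limit)}")
```

The qualitative and quantitative rankings agree on the ordering here, but the qualitative scale hides that the database carries more than twice the risk of the web server; that difference is what the acceptance decision has to weigh against the cost of the safeguards.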
AS/NZS 4360 Risk Management Process
- Identify context: define the organizational context
- Identify risks: what can happen and how
- Analyze risks: determine likelihood and consequences, estimate the level of risk
- Evaluate risks: compare against criteria and set priorities
- Accept risks? If yes, the risk is accepted; if no, proceed to treatment
- Treat risks: identify treatment options and decide for one
- Throughout the process: monitor and review; communicate and consult
Process after ISO 17799
- Asset identification
- Threat assessment
- Vulnerability assessment
- Safeguard assessment
- Risk assessment
- Security policy
Policy - Terms and definitions
- A security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide.
  (Site Security Handbook, B. Fraser)
Policy classification

Target
- Product (mostly a technical system)
- Overall (mostly an organization or humans)

Language
- Formal languages (mathematics, state engines, constraint languages)
- Natural language (normative languages, free speech)

Examples in the target/language matrix
- Formal language, product: Bell-LaPadula (formal language), Java Policy (constraint language)
- Natural language, overall: liability policy (legal), Internet privacy policy, privacy policy for enterprises, corporate policy
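To show what "formal language" means for a product policy, here is an added Python example (not from the slides) that states the Bell-LaPadula rules as a dominance relation on security labels and decides every access request mechanically from it. The levels, categories, subjects and objects are constructed; a real reference monitor would read them from the system's label store.

```python
"""Bell-LaPadula as a formally stated policy: a dominance relation on labels
plus two properties decide every read/write request. Added example;
levels, categories and labels are constructed."""

# Constructed hierarchical levels, ordered low to high.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


class Label:
    """Security label: hierarchical level plus a set of categories (compartments)."""

    def __init__(self, level, categories=()):
        self.level = LEVELS[level]
        self.categories = frozenset(categories)

    def dominates(self, other):
        """Dominance (a partial order): level at least as high and categories a superset."""
        return self.level >= other.level and self.categories >= other.categories

    def __eq__(self, other):
        return self.level == other.level and self.categories == other.categories

    def __repr__(self):
        name = next(k for k, v in LEVELS.items() if v == self.level)
        return f"Label({name!r}, {sorted(self.categories)})"


def may_read(subject, obj):
    """Simple security property (no read up): clearance must dominate the object label."""
    return subject.dominates(obj)


def may_write(subject, obj):
    """*-property (no write down): the object label must dominate the clearance."""
    return obj.dominates(subject)


def decide(subject, obj, access):
    """Mediate one request. 'read-write' needs both properties, i.e. equal labels."""
    if access == "read":
        return may_read(subject, obj)
    if access == "write":
        return may_write(subject, obj)
    if access == "read-write":
        return may_read(subject, obj) and may_write(subject, obj)
    raise ValueError(f"unknown access mode {access!r}")


def denied_requests(requests):
    """Evaluate a batch of (who, subject, what, object, access) and return the denials."""
    return [(who, what, access) for who, subject, what, obj, access in requests
            if not decide(subject, obj, access)]


if __name__ == "__main__":
    analyst = Label("secret", {"crypto"})
    requests = [
        ("analyst", analyst, "crypto report", Label("confidential", {"crypto"}), "read"),
        ("analyst", analyst, "crypto report", Label("confidential", {"crypto"}), "write"),
        ("analyst", analyst, "ts plan", Label("top secret", {"crypto"}), "read"),
        ("analyst", analyst, "ts plan", Label("top secret", {"crypto"}), "write"),
        ("analyst", analyst, "nuclear memo", Label("confidential", {"nuclear"}), "read"),
    ]
    for who, what, access in denied_requests(requests):
        print(f"denied: {who} {access} {what}")
```

Two points the matrix on the slide does not show: the *-property denies a high-cleared subject writing to a lower object even though the subject may read it, and two labels can be incomparable (different categories), in which case neither read nor write is granted.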
Information Security Policy Hierarchy
- Corporate policy
  - Target policies: Target 1 ... Target n
    - Product policies: Product 1 ... Product n
      - Security goals
Overall Policy
- Expresses policy at the highest level of abstraction
- A statement about the importance of information resources
- Management and employee responsibility
- Critical and subsequent security requirements
- As a subdocument: acceptable risks and budgets
Requirements of a policy
- Policies need to be set at a high enough level to give guidance for longer time periods
- Demonstrate organizational commitment to security
- Position of responsibility towards owners, partners and the public
- Hierarchy of policies
- Concordant with organizational culture and norms
Target Policies
- Tactical regulation instrument
- Can have operational guidelines
- Specific to a target area, but not too detailed
Product policy
- Requirements of the product
  - Additional security
  - Relaxing other policies
- Formulating special target policies for products
  - Privacy
  - Confidentiality statements
  - Reliability statements
  - ...