Vulnerability Analysis


Transcript of Vulnerability Analysis

Page 1: Vulnerability Analysis

Vulnerability Analysis

Page 2: Vulnerability Analysis

Vulnerability Analysis

- Formal verification
  - Formally (mathematically) prove certain characteristics
  - Proves the absence of flaws in a program or design, but not in a system
- Penetration testing
  - Attempt to violate specific constraints stated in a policy
  - Cannot prove correctness, only the absence of a specific vulnerability
- Review

Page 3: Vulnerability Analysis

Penetration Testing Goals

- Prove the existence/absence of a previously defined flaw
- Find vulnerabilities under given restrictions (time, resources, ...)
- Layering of tests
  - External attacker with no knowledge of the system
  - External attacker with knowledge of the system
  - Internal attacker with knowledge of the system

Page 4: Vulnerability Analysis

Penetration Testing Procedure

- Information gathering: find problem areas in the specification
- Flaw hypothesis: derive possible flaws from the information gathered
- Flaw testing: verify the possible flaws (exploiting, testing), but without harming the system
- Flaw generalization: generalize the obtained insights
- Flaw elimination proposal: flaws need to be fixed, but sometimes this takes time, and then the tester can suggest ways to prevent the exploit

Page 5: Vulnerability Analysis

Vulnerability Scanners

- Automated tools to test whether the network or host is vulnerable to known attacks
- Run in batch mode against the system
- Process
  - A set of system attributes is sampled and stored
  - The results are compared to a reference set and the deviation derived

Page 6: Vulnerability Analysis

Nessus

- The Nessus Security Scanner is a security auditing tool made up of two parts:
  - The server, nessusd, is in charge of the attacks
  - The client, nessus, provides an interface to the user
- nessusd inspects the remote hosts and attempts to list all the vulnerabilities and common misconfigurations that affect them
- Nessus can be set up to use other tools such as Nmap and Hydra
- New plug-ins can be downloaded or written in the NASL scripting language

Page 7: Vulnerability Analysis

ISS Internet Scanner

- ISS Internet Scanner is a commercial security analysis tool similar to Nessus
- It also consists of two parts, a console and a sensor, which are the client and server parts of ISS
- Runs exclusively on Windows systems
- New plug-ins can be downloaded or written as programs in C or Perl and added through the FlexCheck system
- ISS and Nessus are the most popular security analysis tools

Page 8: Vulnerability Analysis

Network Based Analysis

- Probing the system actively by
  - Looking for weaknesses
  - Deriving information from system responses
- Two different techniques
  - Testing by exploit: really carrying out the attack
  - Inference methods: monitoring the system for vulnerable applications

Page 9: Vulnerability Analysis

Host Based Analysis

- Assessing system data sources (file contents, configuration settings, status information) to determine vulnerabilities
- Passive assessment where the tool has legitimate access; mostly concerned with privilege escalation attacks
- Targets are password files, SUID files, access permissions, anonymous FTP, ...
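The scanner process of page 5 (sample system attributes, store them, compare against a reference set, derive the deviation) and the host based targets of page 9 (SUID files, access permissions, password files) as one added Python example. It is not part of the slides or of any scanner named on them; the file attributes, the reference set and the passwd lines are constructed samples rather than data read from a real host.

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileAttr:
    """Sampled attributes of one file: permission bits (incl. setuid) and owner."""
    path: str
    mode: int
    owner: str


# Reference set recorded when the host was in a known-good state (constructed sample).
REFERENCE = {
    "/usr/bin/passwd": FileAttr("/usr/bin/passwd", 0o4755, "root"),
    "/etc/passwd": FileAttr("/etc/passwd", 0o644, "root"),
    "/etc/shadow": FileAttr("/etc/shadow", 0o640, "root"),
}

# Attributes sampled now: /etc/passwd became world-writable and an unexpected
# setuid binary appeared in /tmp (constructed sample, not read from a real host).
CURRENT_SAMPLE = {
    "/usr/bin/passwd": FileAttr("/usr/bin/passwd", 0o4755, "root"),
    "/etc/passwd": FileAttr("/etc/passwd", 0o666, "root"),
    "/etc/shadow": FileAttr("/etc/shadow", 0o640, "root"),
    "/tmp/helper": FileAttr("/tmp/helper", 0o4755, "alice"),
}

# Constructed /etc/passwd content; the "guest" account has an empty password field.
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000::/home/alice:/bin/sh
guest::1001:1001::/home/guest:/bin/sh
"""


def deviations(reference, current):
    """Scanner process: compare the sampled attributes with the reference set
    and derive the deviation as (kind, path, detail) findings."""
    findings = []
    for path, attr in current.items():
        ref = reference.get(path)
        if ref is None:
            findings.append(("added", path, f"mode {attr.mode:o} owner {attr.owner}"))
        elif ref != attr:
            findings.append(("changed", path,
                             f"mode {ref.mode:o}->{attr.mode:o} owner {ref.owner}->{attr.owner}"))
    for path in reference:
        if path not in current:
            findings.append(("removed", path, ""))
    return sorted(findings)


def host_checks(reference, current, passwd_text):
    """Host based analysis of the data sources named on the slide: setuid files
    the reference set does not know, world-writable files, and password-file
    entries with an empty password or an extra uid 0 account."""
    expected_suid = {p for p, a in reference.items() if a.mode & stat.S_ISUID}
    findings = []
    for path, attr in current.items():
        if attr.mode & stat.S_ISUID and path not in expected_suid:
            findings.append(("unexpected-suid", path, f"owner {attr.owner}"))
        if attr.mode & stat.S_IWOTH:
            findings.append(("world-writable", path, f"mode {attr.mode:o}"))
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed lines rather than abort the scan
        user, password, uid = fields[0], fields[1], fields[2]
        if password == "":
            findings.append(("empty-password", user, ""))
        if uid == "0" and user != "root":
            findings.append(("extra-uid0", user, ""))
    return sorted(findings)


if __name__ == "__main__":
    for finding in deviations(REFERENCE, CURRENT_SAMPLE) + host_checks(REFERENCE, CURRENT_SAMPLE, PASSWD_SAMPLE):
        print(*finding)
```

The two functions separate the two ideas on the slides: deviations() only reports what differs from the stored reference set, while host_checks() applies absolute rules to the host's own data sources, so a world-writable password file is reported even if the reference set itself had recorded it that way.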

Page 10: Vulnerability Analysis

Advantages/Disadvantages

Advantages (++)
- Help to document the security state of a system
- Regular application can spot system changes which could lead to problems
- A way to double-check any changes made to the system

Disadvantages (--)
- Host based tools are tightly bound to the environment
- Network based tools can harm the system and are more prone to false alarms
- Can misguide a running IDS
- May violate legal prescriptions (privacy, other parties' sphere of influence, ...)

Page 11: Vulnerability Analysis

Risk analysis

Page 12: Vulnerability Analysis

Terms - Risk

- Risk is constituted by the expected likelihood of a hazardous event and the expected damage of the event.
  (DIN, VDE Norm 31000)
- Risks are a function of the values of the assets at risk, the likelihood of threats occurring to cause the potential adverse business impacts, the ease of exploitation of the vulnerabilities by the identified threats, and any existing or planned safeguards which might reduce the risk.
  (ISO 13335 – Guidelines for the management of IT Security (GMITS))

Page 13: Vulnerability Analysis

Terms - Risk Analysis

- The total process to identify, control, and manage the impact of uncertain harmful events, commensurate with the value of the protected assets.
  (National Information Systems Security Glossary)

Page 14: Vulnerability Analysis

Risk Analysis Approaches

- Bottom up
  - The risk is an aggregate of lower level risks, e.g. the risk that a phone breaks is the aggregation of the risks of its constituent parts
  - Mainly used in technical risk analysis
- Top down
  - The risk is detailed to derive more clarity
  - Mainly used in organizational risk analysis

Page 15: Vulnerability Analysis

Risk Analysis Approaches

- Baseline approach: no analysis, but apply baseline security
- Informal approach: pragmatic risk analysis
- Detailed risk analysis: in-depth valuation of assets, threat assessment and vulnerability assessment
- Combined approach: initial high level approach, where important systems are further analysed with a detailed approach

ISO 13335 – Guidelines for the management of IT Security (GMITS)

Page 16: Vulnerability Analysis

Risk Identification

- Checklists/Best practices
  - RA tools (e.g. CRAMM, COBRA, ...)
- Standards
  - ISO 17799, ISO 13335, Common Criteria, Basic Protection Manual (Grundschutzhandbuch), ...
- Mathematical approaches
  - Trend analysis, regression analysis, ...
- Creative approaches
  - Brainstorming, Delphi method, ...

Page 17: Vulnerability Analysis

Risk Assessment

- Assess the values for a risk (per asset)
  - How likely is it? How harmful is it?
- Assessment approaches
  - Mathematical/statistical methods: time line analysis (trend analysis), regression analysis
  - Simulation: Monte Carlo simulation
  - Expert guesses

Page 18: Vulnerability Analysis

Risk Assessment

- Severity analysis: calculate the risk, r = p * e
- Qualitative methods: abstract values for ranking (high – low effect, high – low likelihood)
- Quantitative methods: specific values indicating severity (p = 0.32, e = 1000 or e = 0.43)

Page 19: Vulnerability Analysis

Risk countermeasures

- Avoidance: a measure is chosen (or deliberately not chosen) so that the risk cannot emerge
- Reduction
  - of threat: try to reduce the cause of the risk
  - of vulnerability: reduce the vulnerability
  - of impact: reduce the effects

Page 20: Vulnerability Analysis

Risk countermeasures

- Detection: identified when the risk is emerging; eliminate the risk source
- Recovery: establish a recovery strategy
- Transfer: transfer the risk to a third party
- Acceptance: preconditions set by the management
  - Residual risk: the maximal acceptable risk
  - Final decision made by the management
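The severity analysis of page 18 (r = p * e, qualitative versus quantitative values), the bottom-up aggregation of page 14 and the acceptance decision against a maximal acceptable residual risk of page 20, carried through as one added Python example. It is not part of the slides; the assets, the qualitative thresholds and the acceptable risk value are assumed sample values, and the bottom-up aggregation assumes the parts fail independently, which the slides do not state.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One asset with its two risk factors (constructed sample values)."""
    name: str
    p: float  # expected likelihood of the hazardous event
    e: float  # expected damage when it occurs


def risk(p: float, e: float) -> float:
    """Severity analysis from the slides: r = p * e."""
    return p * e


def aggregate_bottom_up(component_probs):
    """Bottom-up approach: the likelihood that the whole breaks is aggregated
    from its parts. Assuming independent parts, it breaks as soon as at least
    one part does: 1 - product(1 - p_i)."""
    survives = 1.0
    for p in component_probs:
        survives *= 1.0 - p
    return 1.0 - survives


def qualitative_level(value, low, high):
    """Map a number onto the abstract ranks used by qualitative methods
    (the thresholds are assumptions; the slides give none)."""
    if value < low:
        return "low"
    if value < high:
        return "medium"
    return "high"


def qualitative_risk(likelihood, impact):
    """Combine two abstract ranks into a risk rank without multiplying numbers."""
    order = {"low": 0, "medium": 1, "high": 2}
    return ["low", "low", "medium", "high", "high"][order[likelihood] + order[impact]]


def reduce_risk(asset, p_factor=1.0, e_factor=1.0):
    """Countermeasure effect: reducing threat or vulnerability scales p down,
    reducing impact scales e down."""
    return Asset(asset.name, asset.p * p_factor, asset.e * e_factor)


def assess(assets, max_acceptable):
    """Rank assets by quantitative risk and decide per asset whether the risk
    lies within the maximal acceptable (residual) risk or has to be treated."""
    rows = []
    for asset in assets:
        r = risk(asset.p, asset.e)
        rows.append({"asset": asset.name, "risk": r,
                     "decision": "accept" if r <= max_acceptable else "treat"})
    return sorted(rows, key=lambda row: row["risk"], reverse=True)


# Constructed sample assets; the first uses the slide's own values p = 0.32, e = 1000.
SAMPLE_ASSETS = [
    Asset("web server", 0.32, 1000.0),
    Asset("backup tapes", 0.05, 20000.0),
    Asset("intranet wiki", 0.60, 100.0),
]
MAX_ACCEPTABLE_RISK = 200.0  # residual risk set by management (assumed value)


if __name__ == "__main__":
    for row in assess(SAMPLE_ASSETS, MAX_ACCEPTABLE_RISK):
        print(row)
    print("phone breaks:", aggregate_bottom_up([0.10, 0.20]))
    print(qualitative_risk(qualitative_level(0.32, 0.10, 0.50), "high"))
```

Note that the two methods can disagree: the quantitative ranking puts the rarely failing backup tapes first because of their large e, while a qualitative matrix that only ranks likelihood would put the frequently failing wiki first. Which one management uses is part of the preconditions set for acceptance.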

Page 21: Vulnerability Analysis

AS/NZS 4360 RM Process

- Identify context: define the organizational context
- Identify risks: what can happen and how
- Analyze risks: determine likelihood and consequences
- Evaluate risks: compare against criteria and set priorities
- Treat risks: identify treatment options and decide for one

[Process diagram: Identify Context -> Identify Risks -> Analyze Risks (Determine likelihood, Determine consequence, Estimate level of risk) -> Evaluate Risks -> Accept Risks? (yes / no) -> Treat Risks; "Monitor and Review" and "Communicate and Consult" run alongside all steps]

Page 22: Vulnerability Analysis

Process after ISO 17799

- Asset identification
- Threat assessment
- Vulnerability assessment
- Safeguard assessment
- Risk assessment

Page 23: Vulnerability Analysis

Security Policy

Page 24: Vulnerability Analysis

Policy - Terms and definitions

- A security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide.
  (Security Policy, Site Security Handbook, B. Fraser)

Page 25: Vulnerability Analysis

Policy classification

- Language
  - Formal languages (mathematics, state machines, constraint languages)
  - Natural language (normative languages, free speech)
- Target
  - Product (mostly a technical system)
  - Overall (mostly an organization or humans)

[Matrix: language (natural language, formal language) against target (product, overall), populated with the examples Bell-LaPadula, Java policy constraint language, corporate policy, privacy policy for enterprises, Internet privacy policy, liability policy (legal)]
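Bell-LaPadula is the slide's example of a formal product policy: the rules are stated mathematically over ordered sensitivity levels, so a program can decide every access request. The following added Python example (not from the slides) implements the two rules as a small reference monitor; the levels, subjects, objects and requests are constructed, and the model is simplified to a total order without categories.

```python
from enum import IntEnum


class Level(IntEnum):
    """Totally ordered sensitivity levels (constructed; a full lattice adds categories)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class BLPMonitor:
    """Reference monitor for the two Bell-LaPadula rules: a subject may read an
    object only at or below its clearance (simple security property, "no read
    up") and may write an object only at or above its clearance (*-property,
    "no write down")."""

    def __init__(self, clearances, classifications):
        self.clearances = dict(clearances)            # subject -> Level
        self.classifications = dict(classifications)  # object -> Level

    def can_read(self, subject, obj):
        return self.clearances[subject] >= self.classifications[obj]

    def can_write(self, subject, obj):
        return self.clearances[subject] <= self.classifications[obj]

    def decide(self, subject, obj, op):
        """Decide one request; operations the policy does not define are denied, not guessed."""
        if op == "read":
            return self.can_read(subject, obj)
        if op == "write":
            return self.can_write(subject, obj)
        return False


def evaluate(monitor, requests):
    """Evaluate (subject, object, operation) requests and return each with its decision."""
    return [(s, o, op, monitor.decide(s, o, op)) for s, o, op in requests]


# Constructed subjects, objects and requests.
MONITOR = BLPMonitor(
    {"alice": Level.SECRET, "bob": Level.UNCLASSIFIED},
    {"plan": Level.TOP_SECRET, "report": Level.SECRET, "memo": Level.UNCLASSIFIED},
)
REQUESTS = [
    ("alice", "plan", "read"),    # read up: denied
    ("alice", "memo", "read"),    # read down: allowed
    ("alice", "memo", "write"),   # write down: denied (would leak SECRET data)
    ("alice", "plan", "write"),   # write up: allowed
    ("bob", "report", "read"),    # read up: denied
    ("bob", "report", "write"),   # write up: allowed
    ("bob", "memo", "delete"),    # operation the policy does not define: denied
]

if __name__ == "__main__":
    for subject, obj, op, allowed in evaluate(MONITOR, REQUESTS):
        print(f"{subject:6} {op:6} {obj:7} -> {'allow' if allowed else 'deny'}")
```

The contrast with the natural-language examples in the same matrix is the point: a corporate or privacy policy needs a human to interpret it, whereas every request here gets a mechanically checkable answer, including the default deny for operations the policy never mentions.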

Page 26: Vulnerability Analysis

Information Security Policy Hierarchy

[Diagram: Corporate Policy at the top; below it the Target Policy level (Target 1 ... Target n); below that the Product Policy level (Product 1 ... Product n); the hierarchy is labelled with the Security Goal]

Page 27: Vulnerability Analysis

Overall Policy

- Expresses policy at the highest level of abstraction
- A statement about the importance of information resources
- Management and employee responsibility
- Critical and subsequent security requirements
- As a subdocument: acceptable risks and budgets

Page 28: Vulnerability Analysis

Requirements for a policy

- Policies need to be set at a high enough level to give guidance for longer time periods
- Demonstrate organizational commitment to security
- Position of responsibility towards owners, partners and the public
- Hierarchy of policies
- Concordant with organizational culture and norms

Page 29: Vulnerability Analysis

Target Policies

- Tactical regulation instrument
- Can have operational guidelines
- Specific in a target area, but not too detailed

Page 30: Vulnerability Analysis

Product policy

- Requirements for the product
- Additional security
- Relaxing other policies
- Formulating special target policies for products: privacy, confidentiality statements, reliability statements, ...

Page 31: Vulnerability Analysis

Questions ?