RISK ASSESSMENT AND MANAGEMENT
Presented by Jeff Kimmelman
Vigilinx Digital Security Solutions
Copyright (c) 2002 by Vigilinx 2
Introduction
- Who Am I?
- Purpose of Talk
- High Level Agenda
Who Am I?
- Jeff Kimmelman
- Principal Security Architect
- Vigilinx Digital Security Solutions
- [email protected]
- Areas of Expertise: Assessment, Policy, Design, Software
Experience
- IT related since 1982
- Worked in DoD secure environments
- Developed cryptographic software
- Designed and maintained secure global WANs
- Directed BBN/GTE/Baltimore Security Consulting Group
Purpose of Talk
- Define risk
- Propose an assessment methodology
- Discuss risk mitigation strategies
- Avoid overly technical digression
High Level Agenda
- Security Terminology
- Risk Assessment
  - The "Risk Equation"
  - Likelihood
  - Impact
- Addressing Risk
  - Establish Policy
  - Implement Countermeasures
  - Maintain Vigilance
- Concluding Remarks
Security Terminology
Security – A Definition
- Security is a GOAL, not a STATE OF BEING.
- Security is everyone's responsibility.

se·cu·ri·ty (si kyoor′ i tē), n., pl. -ties, adj. n. 1. freedom from danger, risk, etc.; safety. 2. freedom from care, anxiety, or doubt; well-founded confidence. 3. something that secures or makes safe; protection; defense. [1400-50; late ME securytye, securite(e) < L sēcūritās] (Webster's New Universal Unabridged Dictionary)
Important Terms
- Flaw
- Weakness
- Vulnerability
- Exploit
- Attack
- Adversary
- Threat
Flaw
- Imperfection of a system
- Found in design, implementation or execution
- Concealed or exposed
- Known or unknown
- Source of weakness or vulnerability
- Not always exploitable
Weakness
- Attribute of a system or defense
- Insufficient to resist expected attack (lack of strength)
- Not necessarily due to a flaw
- Source of vulnerability
- Not always exploitable
Vulnerability
- Feature of system or defense
- Sometimes (often) undiscovered
- Caused by flaws and weaknesses
- Always exploitable
- Target of adversaries
Exploit
- Methodology for attack
- Takes advantage of one or more vulnerabilities
- Repeatable
- Always "succeeds"
- Used in an attack
Attack
- Prosecution of an exploit (an instance)
- Defined objective
- Can be undetected or detected
- Sometimes (often) unsuccessful
- Performed by a motivated adversary
Adversary
- Agent (person or corporate)
- Motivated
- Often unscrupulous
- Goals: competition, defamation, financial gain, notoriety, information
- May or may not have means & knowledge
Threat
- Adversary
- Possesses means and knowledge
- Actively targeting
- Known or unknown
Countermeasures
- Methodology for defense
- Technological or procedural
- Types: detection, resistance, avoidance, counter-attack
- Usually specific to an exploit
Countermeasures: Defense in Depth
[Diagram: technology layers Physical, Network, Application, System and Information, with the procedural layer Management, Monitoring, Auditing, Response spanning all of them. Axes labelled TECHNOLOGY and PROCEDURE.]
Security Countermeasures Include a Lot
[Diagram: three risk regions (Operational Infrastructure, Protective Boundary, Exogenous Factors) set against three enablers (Technology, People, Processes).]
Security is an Arms Race
[Chart: Frequency of Attack against Time, with curves for Easy Attack and Complex Attack and the point at which the Chosen Security Countermeasure is applied.]
Risk Assessment
Risk
- Measures importance
- Determines relevance of vulnerabilities
- Useful for setting programmatic priority
- Varies over time
The Risk Equation
- Universal: applies to all types of risk
- Uniform: enables comparison
- Objective: can be tracked over time

Impact x Likelihood = Risk
Risk is Two Dimensional
[Chart: Likelihood on the horizontal axis, Impact on the vertical axis; Attack 1 through Attack 4 plotted as points, with Low Risk near the origin and High Risk where both likelihood and impact are high.]
Impact
- Measures the level of "pain" to the organization
- Examples:
  - Financial: loss or cost to repair
  - Operational: lost time, production or delivery
  - Reputation: loss of customer or consumer confidence
  - Competitive: reduction of market advantage
  - Regulatory: legal liability
  - Fiduciary: fiduciary liability
Likelihood
- Measures the probability of feeling the impact
- Contributors: known exploits, motivated adversaries, adequacy of countermeasures
Performing the Assessment
- Requires experience
- Two approaches: vulnerability driven, asset driven
- Combine for greatest effect
Vulnerability Driven Analysis
1. Search for known vulnerabilities
2. Tabulate and estimate severity
3. Determine what assets are affected
4. Assign impact value
5. Consider adversaries and their motivations
6. Assign likelihood
7. Tabulate and report
Searching for Known Vulnerabilities
- Research known threat databases
- Use scanning tools
- Review technology and procedures
- Test users (social engineering)
- Grade ease of exploitation
[Diagram: flaws and weaknesses feeding into vulnerability.]
Network and System Vulnerabilities
- Network: unnecessary pathways; unsecured data-streams
- System: unhardened systems; unprotected administrator logon; exposed management interfaces
Application and Operations Vulnerabilities
- Application: unneeded services; buffer overflows; lack of or weak authentication
- Operations: lack of change control program; no monitoring or intrusion detection; easy access to backup media
Determine Affected Assets

Vulnerability        | Likelihood | Asset      | Impact | Risk
Anon FTP             |            | Web 1      | Med    |
Anon FTP             |            |            | Low    |
No Password Required |            | Modem Pool | Med    |

- Most vulnerabilities affect multiple assets
- Can't determine likelihood yet
Gauge the Impact
- Is there money at stake?
- Can private information be revealed?
- Would an attack embarrass the organization?
- Could a targeted system be used as a "stepping stone"?
- Would an attack advance the cause of information warfare or terrorism?
- Will competitive advantage be lost?
Identify Your Adversaries
- Internet Hacker
- Insider
- Thief
- Terrorist
- Industrial Spy

Adversary + Motivation + Capability = Threat
Gauge the Likelihood
- Depends on: threat, complexity
- Examples:
  - DoS or DDoS on an online banking application: Threat Medium, Complexity Low
  - Modify stock price quote: Threat High, Complexity Medium
  - Execute unauthorized transactions: Threat High, Complexity Very High
Tabulate and Report

Vulnerability        | Likelihood | Asset      | Impact | Risk
Anon FTP             | Med        | Web 1      | Med    | Med
Anon FTP             | Low        |            | Low    | Very Low
No Password Required | High       | Modem Pool | Med    | High

- Many assessments stop at vulnerability and don't consider impact
Asset Driven Analysis
1. Inventory information assets
2. Estimate impact
3. Trace information back to technology
4. Analyze for vulnerabilities
5. Consider adversaries and their motivations
6. Assign likelihoods
7. Tabulate and report
Asset Table

Asset | Impact | Vulnerability  | Likelihood | Risk
Web 1 | Med    | Unpatched IIS  | High       | High
Web 1 | Med    | No Password    | Med        | Med
Web 1 | Med    | Open NBT ports | High       | High

- This is just the vulnerability driven table "turned inside out"
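The vulnerability-driven and asset-driven tables above are the same rows grouped two ways. The Python below is an added example, not code from the talk: it scores a small set of findings on the slides' ordinal scales, emits both views, and orders the rows by risk for the priority step. The Low/Med/High scales, the three-by-three risk matrix, the Finding record and the rule that derives likelihood from threat and complexity are all assumptions chosen to reproduce the ratings on the slides (Med x Med = Med, Med x High = High, Low x Low = Very Low); the sample findings are constructed from the slide tables.

```python
"""Ordinal risk scoring for the vulnerability-driven and asset-driven tables.

Added example (not from the original talk). The Low/Med/High scales, the
3x3 risk matrix and the threat/complexity-to-likelihood rule are assumptions
chosen to reproduce the ratings on the slides; substitute your own definitions.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

LEVELS = ("Low", "Med", "High")                    # impact, likelihood, threat
COMPLEXITY = ("Low", "Med", "High", "Very High")   # attack complexity
RISK_ORDER = ("Very Low", "Low", "Med", "High", "Very High")

# RISK_MATRIX[impact][likelihood] -> risk. Assumed; it reproduces the slide
# ratings Med x Med = Med, Med x High = High and Low x Low = Very Low.
RISK_MATRIX = {
    "Low":  {"Low": "Very Low", "Med": "Low",  "High": "Med"},
    "Med":  {"Low": "Low",      "Med": "Med",  "High": "High"},
    "High": {"Low": "Med",      "Med": "High", "High": "Very High"},
}


def risk_of(impact: str, likelihood: str) -> str:
    """Impact x Likelihood = Risk, evaluated on the ordinal matrix."""
    return RISK_MATRIX[impact][likelihood]


def likelihood_from(threat: str, complexity: str) -> str:
    """Assumed rule: likelihood starts at the threat level and drops one step
    for every two steps of attack complexity (Medium threat, Low complexity
    stays Med; High threat, Very High complexity becomes Med).
    """
    t = LEVELS.index(threat)
    c = COMPLEXITY.index(complexity)
    return LEVELS[max(0, t - c // 2)]


class Finding(NamedTuple):
    vulnerability: str
    asset: str
    impact: str       # a property of the asset (how much pain if it is hit)
    likelihood: str   # a property of the vulnerability and the threat against it

    @property
    def risk(self) -> str:
        return risk_of(self.impact, self.likelihood)


# Constructed sample, taken from the rows on the slide tables.
FINDINGS: List[Finding] = [
    Finding("Anon FTP", "Web 1", "Med", "Med"),
    Finding("No Password Required", "Modem Pool", "Med", "High"),
    Finding("Unpatched IIS", "Web 1", "Med", "High"),
    Finding("Open NBT ports", "Web 1", "Med", "High"),
]

Row = Tuple[str, str, str, str]


def vulnerability_view(findings: List[Finding]) -> Dict[str, List[Row]]:
    """Vulnerability-driven table: each vulnerability with the assets it touches."""
    table: Dict[str, List[Row]] = defaultdict(list)
    for f in findings:
        table[f.vulnerability].append((f.asset, f.impact, f.likelihood, f.risk))
    return dict(table)


def asset_view(findings: List[Finding]) -> Dict[str, List[Row]]:
    """Asset-driven table: the same rows turned inside out, keyed by asset."""
    table: Dict[str, List[Row]] = defaultdict(list)
    for f in findings:
        table[f.asset].append((f.vulnerability, f.likelihood, f.impact, f.risk))
    return dict(table)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest risk first; ties broken by impact, then likelihood."""
    return sorted(
        findings,
        key=lambda f: (RISK_ORDER.index(f.risk), LEVELS.index(f.impact), LEVELS.index(f.likelihood)),
        reverse=True,
    )


if __name__ == "__main__":
    for asset, rows in asset_view(FINDINGS).items():
        print(asset)
        for vuln, likelihood, impact, risk in rows:
            print(f"  {vuln:22} likelihood={likelihood:4} impact={impact:4} risk={risk}")
    print("Priority order:", [f.vulnerability for f in prioritize(FINDINGS)])
```

Keeping impact on the asset and likelihood on the vulnerability/threat pairing is what makes the two views interchangeable: a new finding is one row, and both tables and the priority list follow from it without re-rating anything.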
Risk Leads to Priority
[Chart: Likelihood of Attack on the horizontal axis, Potential Impact on the vertical axis; regions labelled Very Low Risk, Medium Risk and Very High Risk. Risk = Impact x Likelihood.]
Addressing Risk
Risk Management Program
- Establish Policy
- Implement Countermeasures
- Maintain Vigilance
Security Policy – What Is It?
- Who?
- What's prohibited?
- What's required?
- What's permitted?
Policy Statements
- Most corporate policies must be translated to concrete statements.
- Major elements: Information Classification, System Criticality, Operational Context
Information Classification
- Information classification streamlines policy statement and enforcement.
- CAVEAT: Over-classification leads to excessive cost and added overhead.
- CAVEAT: Some collections of unclassified data become sensitive when aggregated.
An Example of Information Classification

INFORMATION CLASSIFICATION GUIDELINES

Classification                             | Level        | Examples
Personally Identifiable Information (PII)  | Restricted   | Personnel Records; Consumer Account Information
Company                                    | Restricted   | Plans for Reduction in Force; Financial Results
Company                                    | Confidential | Product Development Plans; Business Expansion Strategies
Customers                                  | Restricted   | Customer Plant Designs; Billing and Payables; Customer Non-Disclosure Information
Customers                                  | Confidential | Customer Names; Sales and Delivery Records
Vendor                                     | Restricted   | Vendor Non-Disclosure Information; Contracts
Vendor                                     | Confidential | Business Unit Specific Price Lists
Criticality
- Criticality is a quality of operational systems.
- It depends upon the importance of a network, system or application.
- Criticality motivates reliability measures.
Example of Criticality

Criticality | Definition
Low         | This application, system, or network asset is non-essential to corporate, business unit or departmental operations. Outages can be tolerated for a period of two weeks or more.
Medium      | This asset is important for normal corporate, business unit or departmental operations, but is not essential. An outage of up to 48 hours can be tolerated.
High        | This asset is essential and critical to corporate, business unit or departmental operations. Ideally, it is designed with full reliability. Outages should be kept to a minimum, generally less than 30 minutes.
Operational Context
- Facilities (systems and networks) are certified to the maximum classification level permitted.
- "Guards" ensure that information does not pass to an unauthorized environment.
Example of Operational Context
[Diagram only; not reproduced in the text.]
Create a Policy Hierarchy
Policies > Requirements > Standards > Configurations
Example: Requirements Specify Security Services
- Authentication
- Access Control
- Data Confidentiality
- Data Integrity
- Non-repudiation

(X.800, Security Architecture for Open Systems Interconnection for CCITT Applications; also ISO/IEC 7498-2)
Communications Policies (Examples)
- Personally Identifiable Information (PII) may not be transmitted in the clear on the Internet.
- Transmission of corporate restricted information on any network requires data confidentiality, peer-entity authentication, and non-repudiation with proof of delivery.
Storage Policies (Examples)
- Permanent storage of information classified as confidential or above on web servers is prohibited.
- Caching of information classified as confidential or above on web servers is permitted during the validity period of an associated session.
- Database systems must restrict access to confidential information to authenticated, authorized users.
Example: Standards Specify Service Mechanisms
- Includes algorithms and parameters:
  - Encipherment: DES, 3DES, RSA, key length, etc.
  - Digital signature: RSA, DSS, key length, etc.
  - Access control: authorization type, time, duration, etc.
  - Integrity: MD5, SHA, HMAC, etc.
  - Many more choices exist.
- Standards age with their mechanisms: single DES and MD5, ordinary choices in 2002, have since been deprecated, so the standards layer needs the same periodic appraisal as the rest of the program.
Tabulate Policy to Ensure Consistent Practice

Columns: Static Content Server (SC), Web Front-end Server (WF), Application Front-end Server (AF), Application Logic Server (AL), Database Server (DB), Notes Server (NS), Internet Access Router (IR). Each cell carries the two entries from the slide for that server, a mechanism code (C, R, U or NA) and a criticality rating (H, M, L or NA); the slide does not spell out the C/R/U codes.

Mechanism                          | SC    | WF    | AF    | AL    | DB    | NS    | IR
User passwords                     | C/NA  | C/NA  | U/NA  | R/NA  | R/NA  | C/NA  | U/NA
User password quality checking     | C/NA  | C/NA  | C/NA  | NA/NA | NA/NA | NA/NA | NA/NA
Token based authentication         | R/NA  | R/NA  | R/NA  | NA/NA | NA/NA | NA/NA | NA/NA
Digital certificates               | NA/NA | NA/NA | NA/NA | NA/NA | NA/NA | R/NA  | NA/NA
Session Encryption (SSL, TLS, SSH) | R/NA  | R/NA  | NA/NA | NA/NA | NA/NA | NA/NA | U/NA
IPSEC (ESP)                        | NA/NA | NA/NA | R/NA  | R/NA  | R/NA  | NA/NA | NA/NA
IPSEC (AH)                         | NA/NA | NA/NA | NA/NA | NA/NA | NA/NA | NA/NA | NA/NA
S/MIME                             | NA/NA | NA/NA | NA/NA | NA/NA | NA/NA | NA/NA | NA/NA
PGP                                | NA/NA | NA/NA | NA/NA | NA/NA | NA/NA | NA/NA | NA/NA
Software design review             | U/NA  | U/NA  | U/NA  | U/NA  | U/NA  | U/NA  | NA/NA
Software code review               | U/NA  | U/NA  | U/NA  | U/NA  | U/NA  | U/NA  | U/NA
Application vulnerability testing  | U/NA  | U/NA  | U/NA  | R/NA  | R/NA  | R/NA  | NA/NA
Network vulnerability testing      | U/H   | U/H   | U/H   | R/NA  | R/NA  | R/NA  | U/NA
Backup and recovery process        | NA/L  | NA/L  | NA/L  | NA/L  | NA/L  | NA/L  | NA/L
Automatic fail-over                | NA/H  | NA/H  | NA/H  | NA/H  | NA/H  | NA/H  | NA/M
Manual fail-over                   | NA/M  | NA/M  | NA/M  | NA/M  | NA/M  | NA/M  | NA/L
Recap of Policy
- Policy defines classification and rules for access/exchange.
- Policy defines criticality.
- Policy hierarchy defines security services and quality of mechanisms.
Implement Countermeasures
- TECHNOLOGY: Firewalls, Authentication, VPN, System IDS, Network IDS, PKI / Cryptography, Intelligence, Network Manager
- PROCESS: Monitoring, Response, Administration, Change Control, Auditing, Continuity
- PEOPLE: Assignment, Training, Awareness, Background
Countermeasures: Defense in Depth
[The earlier Defense in Depth diagram repeated, with the technology, process and people countermeasures listed above overlaid on it.]
The 10 Guiding Principles*
1. Secure the Weakest Link
2. Practice Defense in Depth
3. Fail Securely
4. Follow the Principle of Least Privilege
5. Compartmentalize
6. Keep It Simple
7. Promote Privacy
8. Remember That Hiding Secrets Is Hard
9. Be Reluctant to Trust
10. Use Your Community Resources

* From Building Secure Software, John Viega and Gary McGraw
Cost vs. Risk
[Chart: Cost to Implement on the vertical axis against Effectiveness of Solution / Impact of Threat (More to Less) on the horizontal axis. Candidate solutions for Vuln #1 through Vuln #4 are plotted; solutions above the line are not cost effective. The chosen solution leaves a residual risk.]
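The chart's line can be made explicit by putting money on the risk equation. The Python below is an added example, not from the talk: impact is the loss per successful attack, likelihood the expected number of successful attacks per year, so Impact x Likelihood is an annualised expected loss, and a countermeasure is cost effective only when the expected loss it removes per year exceeds its annual cost; what it does not remove is the residual risk. The Exposure and Countermeasure records, the figures for the modem pool finding, the reduction factors and the "largest net benefit" selection rule are all constructed assumptions.

```python
"""Cost vs. risk with a quantitative reading of Impact x Likelihood = Risk.

Added example (not from the original talk). Impact is loss per successful
attack, likelihood is expected successful attacks per year, so risk is an
annualised expected loss. All figures and reduction factors are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Exposure:
    vulnerability: str
    impact: float       # loss per successful attack, in currency units
    likelihood: float   # expected successful attacks per year

    @property
    def risk(self) -> float:
        """Impact x Likelihood = Risk, here an expected loss per year."""
        return self.impact * self.likelihood


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float          # amortised acquisition plus operation, per year
    likelihood_factor: float    # fraction of attacks that still succeed (1.0 = stops none)
    impact_factor: float = 1.0  # fraction of the loss remaining when one does succeed


def residual_risk(exposure: Exposure, cm: Countermeasure) -> float:
    """Risk that remains once the countermeasure is in place."""
    return (exposure.impact * cm.impact_factor) * (exposure.likelihood * cm.likelihood_factor)


def risk_removed(exposure: Exposure, cm: Countermeasure) -> float:
    return exposure.risk - residual_risk(exposure, cm)


def is_cost_effective(exposure: Exposure, cm: Countermeasure) -> bool:
    """Below the line: the expected loss removed per year exceeds the annual cost."""
    return risk_removed(exposure, cm) > cm.annual_cost


def choose(exposure: Exposure, options: Sequence[Countermeasure]) -> Optional[Countermeasure]:
    """Pick the cost-effective option with the largest net benefit.

    Returns None when no option is cost effective; accepting the risk (or
    looking for cheaper options) is then the rational outcome.
    """
    candidates = [cm for cm in options if is_cost_effective(exposure, cm)]
    if not candidates:
        return None
    return max(candidates, key=lambda cm: risk_removed(exposure, cm) - cm.annual_cost)


# Constructed figures for the modem pool finding from the assessment tables.
EXPOSURE = Exposure("No Password Required (Modem Pool)", impact=50_000.0, likelihood=0.5)

OPTIONS = [
    Countermeasure("Require passwords with lockout", annual_cost=1_000.0, likelihood_factor=0.3),
    Countermeasure("Token-based authentication", annual_cost=15_000.0, likelihood_factor=0.05),
    Countermeasure("Out-of-band dial-back", annual_cost=30_000.0, likelihood_factor=0.2),
]


if __name__ == "__main__":
    print(f"Current risk: {EXPOSURE.risk:,.0f} per year")
    for cm in OPTIONS:
        tag = "below the line" if is_cost_effective(EXPOSURE, cm) else "above the line"
        print(f"  {cm.name:32} cost {cm.annual_cost:>8,.0f}  "
              f"residual {residual_risk(EXPOSURE, cm):>8,.0f}  {tag}")
    best = choose(EXPOSURE, OPTIONS)
    print("Chosen:", best.name if best else "accept the risk")
```

At these figures the cheap control wins on net benefit even though tokens remove more risk, and a modest change in the likelihood estimate flips the choice; that sensitivity is why the talk insists risk be re-assessed over time rather than scored once.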
Maintain Vigilance
[Chart: Frequency of Attack against Time, with the Level of Vigilance marked at successive points in time.]
Balance Security Activities
[Cycle: Plan > Execute > Appraise > Plan]
Plan
- Consider: future business needs; changing threatscape; tolerance to residual risk
- Establish policy
- Design security infrastructure
- Develop security procedures
Execute
- Implement according to design
- Operate according to procedures
- Continually improve
Appraise
- Appraise the plan:
  - Does it meet the expected threats?
  - Will it protect business interests?
  - Are there flaws in the design?
  - Is policy adequate or overly burdensome?
- Appraise the execution:
  - Is the design implemented correctly?
  - Has the configuration changed?
  - Do procedures cover all events?
  - Are operators alert?
Conclusions
- Understanding vulnerability alone is not enough!
- Risk depends upon likelihood of successful attack and its impact on the organization.
- Countermeasures include technology, procedures and people.
- Reducing risk generally requires additional cost.
- The war is never won; constant vigilance is the only way.
Thank You