it risk assessment_methodology


Upload: bruno-thadeus

Post on 24-May-2015


TRANSCRIPT

Page 1: It risk assessment_methodology


RISK ASSESSMENT AND MANAGEMENT

Presented by Jeff Kimmelman

Vigilinx Digital Security Solutions

Copyright (c) 2002 by Vigilinx 2

Introduction

- Who Am I?
- Purpose of Talk
- High Level Agenda

Page 2: It risk assessment_methodology


Who Am I?

- Jeff Kimmelman
- Principal Security Architect
- Vigilinx Digital Security Solutions
- [email protected]

- Areas of Expertise:
  - Assessment
  - Policy
  - Design
  - Software


Experience

- IT related since 1982
- Worked in DoD secure environments
- Developed cryptographic software
- Designed and maintained secure global WANs
- Directed BBN/GTE/Baltimore Security Consulting Group

Page 3: It risk assessment_methodology


Purpose of Talk

- Define risk
- Propose an assessment methodology
- Discuss risk mitigation strategies
- Avoid overly technical digression


High Level Agenda

- Security Terminology
- Risk Assessment
  - The "Risk Equation"
  - Likelihood
  - Impact
- Addressing Risk
  - Establish Policy
  - Implement Countermeasures
  - Maintain Vigilance
- Concluding Remarks

Page 4: It risk assessment_methodology


Security Terminology


Security – A Definition

- Security is a GOAL, not a STATE OF BEING.
- Security is everyone's responsibility.

se·cu·ri·ty (si kyoor′ i tē), n., pl. –ties, adj. –n. 1. freedom from danger, risk, etc.; safety. 2. Freedom from care, anxiety, or doubt; well-founded confidence. 3. Something that secures or makes safe; protection; defense. … [1400-50; late ME securytye, securite(e) < L sēcūritās. …] (Webster's New Universal Unabridged Dictionary)

Page 5: It risk assessment_methodology


Important Terms

- Flaw
- Weakness
- Vulnerability
- Exploit
- Attack
- Adversary
- Threat


Flaw

- Imperfection of a system
- Found in design, implementation or execution
- Concealed or exposed
- Known or unknown
- Source of weakness or vulnerability
- Not always exploitable

Page 6: It risk assessment_methodology


Weakness

- Attribute of a system or defense
- Insufficient to resist expected attack (lack of strength)
- Not necessarily due to a flaw
- Source of vulnerability
- Not always exploitable


Vulnerability

- Feature of system or defense
- Sometimes (often) undiscovered
- Caused by flaws and weaknesses
- Always exploitable
- Target of adversaries

Page 7: It risk assessment_methodology


Exploit

- Methodology for attack
- Takes advantage of one or more vulnerabilities
- Repeatable
- Always "succeeds"
- Used in an attack


Attack

- Prosecution of an exploit (an instance)
- Defined objective
- Can be undetected or detected
- Sometimes (often) unsuccessful
- Performed by a motivated adversary

Page 8: It risk assessment_methodology


Adversary

- Agent (person or corporate)
- Motivated
- Often unscrupulous
- Goals:
  - Competition
  - Defamation
  - Financial gain
  - Notoriety
  - Information
- May or may not have means & knowledge


Threat

- Adversary
- Possesses means and knowledge
- Actively targeting
- Known or unknown

Page 9: It risk assessment_methodology


Countermeasures

- Methodology for defense
- Technological or procedural
- Types:
  - Detection
  - Resistance
  - Avoidance
  - Counter-attack
- Usually specific to an exploit


Countermeasures: Defense in Depth

[Figure: defense-in-depth layers Physical, Network, Application, System and Information, labelled TECHNOLOGY, surrounded by Management, Monitoring, Auditing and Response, labelled PROCEDURE]

Page 10: It risk assessment_methodology


Security Countermeasures Include a Lot

[Figure: RISK REGIONS Operational Infrastructure, Protective Boundary and Exogenous Factors; ENABLERS Technology, People and Processes]


Security is an Arms Race

[Chart: Frequency of Attack against Time, with curves for Easy Attack and Complex Attack and the Chosen Security Countermeasure marked]

Page 11: It risk assessment_methodology


Risk Assessment


Risk

- Measures importance
- Determines relevance of vulnerabilities
- Useful for setting programmatic priority
- Varies over time

Page 12: It risk assessment_methodology


The Risk Equation

- Universal: Applies to all types of risk
- Uniform: Enables comparison
- Objective: Track over time

Impact x Likelihood = Risk


Risk is Two Dimensional

[Chart: Likelihood on the horizontal axis, Impact on the vertical axis; Attack 1 to Attack 4 plotted between the Low Risk and High Risk corners]

Impact x Likelihood = Risk

Page 13: It risk assessment_methodology


Impact

- Measures the level of "pain" to the organization
- Examples:
  - Financial: Loss or cost to repair
  - Operational: Lost time, production or delivery
  - Reputation: Loss of customer or consumer confidence
  - Competitive: Reduction of market advantage
  - Regulatory: Legal liability
  - Fiduciary: Fiduciary liability

Impact x Likelihood = Risk


Likelihood

- Measures the probability of feeling the impact
- Contributors:
  - Known exploits
  - Motivated adversaries
  - Adequacy of countermeasures

Impact x Likelihood = Risk

Page 14: It risk assessment_methodology


Performing the Assessment

- Requires experience
- Two approaches:
  - Vulnerability driven
  - Asset driven
- Combine for greatest effect


Vulnerability Driven Analysis

1. Search for known vulnerabilities
2. Tabulate and estimate severity
3. Determine what assets are affected
4. Assign impact value
5. Consider adversaries and their motivations
6. Assign likelihood
7. Tabulate and report

Page 15: It risk assessment_methodology


Searching for Known Vulnerabilities

- Research known threat databases
- Use scanning tools
- Review technology and procedures
- Test users (social engineering)

→ Grade ease of exploitation

[Figure: Flaws and Weaknesses leading to Vulnerability]


Network and System Vulnerabilities

- Network:
  - Unnecessary pathways
  - Unsecured data-streams
- System:
  - Unhardened systems
  - Unprotected administrator logon
  - Exposed management interfaces

Page 16: It risk assessment_methodology


Application and Operations Vulnerabilities

- Application:
  - Unneeded services
  - Buffer overflows
  - Lack of or weak authentication
- Operations:
  - Lack of change control program
  - No monitoring or intrusion detection
  - Easy access to backup media


Determine Affected Assets

Vulnerability        | Likelihood | Asset      | Impact | Risk
Anon FTP             |            | Web 1      | Med    |
Anon FTP             |            |            | Low    |
No Password Required |            | Modem Pool | Med    |

- Most vulnerabilities affect multiple assets
- Can't determine likelihood yet

Page 17: It risk assessment_methodology


Gauge the Impact

- Is there money at stake?
- Can private information be revealed?
- Would an attack embarrass the organization?
- Could a targeted system be used as a "stepping stone"?
- Would an attack advance the cause of information warfare or terrorism?
- Will competitive advantage be lost?

Impact x Likelihood = Risk


Identify Your Adversaries

- Internet Hacker
- Insider
- Thief
- Terrorist
- Industrial Spy

Adversary + Motivation + Capability = Threat

Page 18: It risk assessment_methodology


Gauge the Likelihood

- Depends on:
  - Threat
  - Complexity
- Examples:
  - DoS or DDoS on an Online Banking Application: Threat: Medium, Complexity: Low
  - Modify Stock Price Quote: Threat: High, Complexity: Medium
  - Execute Unauthorized Transactions: Threat: High, Complexity: Very High

Adversary + Motivation + Capability = Threat


Tabulate and Report

Vulnerability        | Likelihood | Asset      | Impact | Risk
Anon FTP             | Med        | Web 1      | Med    | Med
Anon FTP             | Low        |            | Low    | Very Low
No Password Required | High       | Modem Pool | Med    | High

→ Many assessments stop at vulnerability and don't consider impact

Page 19: It risk assessment_methodology


Asset Driven Analysis

1. Inventory information assets
2. Estimate impact
3. Trace information back to technology
4. Analyze for vulnerabilities
5. Consider adversaries and their motivations
6. Assign likelihoods
7. Tabulate and report


Asset Table

Asset | Impact | Vulnerability  | Likelihood | Risk
Web 1 | Med    | Unpatched IIS  | High       | High
Web 1 | Med    | No Password    | Med        | Med
Web 1 | Med    | Open NBT ports | High       | High

→ This is just the vulnerability driven table "turned inside out"
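As an added example (not code from the Vigilinx deck), the script below builds both the vulnerability-driven table and this asset-driven table from one set of findings and orders them for priority, which is the "turned inside out" relationship the slide describes. The findings, the "Test box" asset name and the rank-sum rule for combining qualitative Impact and Likelihood levels are assumptions; the deck only states Impact x Likelihood = Risk.

```python
from collections import defaultdict

# ASSUMPTION: the deck states Impact x Likelihood = Risk but never says how
# qualitative levels combine. This rank-sum rule is constructed so that it
# reproduces the deck's own table values (Low+Low -> Very Low, Med+Med -> Med).
LEVEL = {"Low": 1, "Med": 2, "High": 3}
RISK_NAME = {2: "Very Low", 3: "Low", 4: "Med", 5: "High", 6: "Very High"}


def risk_score(impact, likelihood):
    """Numeric risk rank, used for ordering findings."""
    return LEVEL[impact] + LEVEL[likelihood]


def risk_level(impact, likelihood):
    """Qualitative risk level, as written in the deck's Risk column."""
    return RISK_NAME[risk_score(impact, likelihood)]


# Constructed sample findings mirroring the deck's tables: one row per
# (vulnerability, asset) pair with its impact and likelihood estimates, so a
# vulnerability that affects several assets yields several rows.
FINDINGS = [
    ("Anon FTP", "Web 1", "Med", "Med"),
    ("Anon FTP", "Test box", "Low", "Low"),  # asset name is constructed
    ("No Password Required", "Modem Pool", "Med", "High"),
    ("Unpatched IIS", "Web 1", "Med", "High"),
    ("Open NBT ports", "Web 1", "Med", "High"),
]


def tabulate(findings, by="vulnerability"):
    """Group findings by vulnerability (vulnerability-driven view) or by
    asset (asset-driven view); both views are the same data turned inside out."""
    table = defaultdict(list)
    for vuln, asset, impact, likelihood in findings:
        key, other = (vuln, asset) if by == "vulnerability" else (asset, vuln)
        table[key].append((other, impact, likelihood, risk_level(impact, likelihood)))
    return dict(table)


def prioritise(findings):
    """Findings ordered highest risk first: risk sets programmatic priority."""
    return sorted(findings, key=lambda f: risk_score(f[2], f[3]), reverse=True)


def render(table, left, right):
    """Render one view as a plain-text table."""
    lines = [f"{left:<22}{right:<22}Impact  Likelihood  Risk"]
    for key, rows in table.items():
        for other, impact, likelihood, level in rows:
            lines.append(f"{key:<22}{other:<22}{impact:<8}{likelihood:<12}{level}")
    return "\n".join(lines)
```

Calling `render(tabulate(FINDINGS, "asset"), "Asset", "Vulnerability")` prints the asset-driven view; swapping the `by` argument prints the vulnerability-driven one from the same records.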

Page 20: It risk assessment_methodology


Risk Leads to Priority

[Chart: Likelihood of Attack on the horizontal axis, Potential Impact on the vertical axis, divided into Very Low Risk, Medium Risk and Very High Risk regions]

Risk = Impact x Likelihood

Addressing Risk

Page 21: It risk assessment_methodology


Risk Management Program

- Establish Policy
- Implement Countermeasures
- Maintain Vigilance


Security Policy – What Is It?

- Who?
- What's prohibited?
- What's required?
- What's permitted?

Page 22: It risk assessment_methodology


Policy Statements

- Most corporate policies must be translated to concrete statements.
- Major elements:
  - Information Classification
  - System Criticality
  - Operational Context


Information Classification

- Information classification streamlines policy statement and enforcement.
- CAVEAT: Over-classification leads to excessive cost and added overhead.
- CAVEAT: Some collections of unclassified data become sensitive when aggregated.

Page 23: It risk assessment_methodology


An Example of Information Classification

INFORMATION CLASSIFICATION GUIDELINES

Classification                            | Level        | Examples
Personally Identifiable Information (PII) | Restricted   | Personnel Records; Consumer Account Information
Company                                   | Restricted   | Plans for Reduction in Force; Financial Results
Company                                   | Confidential | Product Development Plans; Business Expansion Strategies
Customers                                 | Restricted   | Customer Plant Designs; Billing and Payables; Customer Non-Disclosure Information
Customers                                 | Confidential | Customer Names; Sales and Delivery Records
Vendor                                    | Restricted   | Vendor Non-Disclosure Information; Contracts
Vendor                                    | Confidential | Business Unit Specific Price Lists


Criticality

- Criticality is a quality of operational systems.
- It depends upon the importance of a network, system or application.
- Criticality motivates reliability measures.

Page 24: It risk assessment_methodology


Example of Criticality

Criticality | Definition
Low | This application, system, or network asset is non-essential to corporate, business unit or departmental operations. Outages can be tolerated for a period of two weeks or more.
Medium | This asset is important for normal corporate, business unit or departmental operations, but is not essential. An outage of up to 48 hours can be tolerated.
High | This asset is essential and critical to corporate, business unit or department operations. Ideally, it is designed with full reliability. Outages should be kept to a minimum, generally less than 30 minutes.


Operational Context

- Facilities (systems and networks) are certified to the maximum classification level permitted.
- "Guards" ensure that information does not pass to an unauthorized environment.

Page 25: It risk assessment_methodology


Example of Operational Context


Create a Policy Hierarchy

[Figure: policy hierarchy: Policies, Requirements, Standards, Configurations]

Page 26: It risk assessment_methodology


Example: Requirements Specify Security Services

- Authentication
- Access Control
- Data Confidentiality
- Data Integrity
- Non-repudiation

(X.800, Security Architecture for Open Systems Interconnection for CCITT Applications; also ISO/IEC 7498-2)

[Figure: policy hierarchy: Policies, Requirements, Standards, Configurations]


Communications Policies (Examples)

- Personally Identifiable Information (PII) may not be transmitted in the clear on the Internet.
- Transmission of corporate restricted information on any network requires data confidentiality, peer-entity authentication, and non-repudiation with proof of delivery.

Page 27: It risk assessment_methodology


Storage Policies (Examples)

- Permanent storage of information classified as confidential or above on web servers is prohibited.
- Caching of information classified as confidential or above on web servers is permitted during the validity period of an associated session.
- Database systems must restrict access to authenticated, authorized users of confidential information.


Example: Standards Specify Service Mechanisms

- Includes algorithms and parameters:
  - Encipherment: DES, 3DES, RSA, key-length, etc.
  - Digital signature: RSA, DSS, key-length, etc.
  - Access control: authorization type, time, duration, etc.
  - Integrity: MD5, SHA, HMAC, etc.
- Many more choices exist.

[Figure: policy hierarchy: Policies, Requirements, Standards, Configurations]

Page 28: It risk assessment_methodology


Tabulate Policy to Ensure Consistent Practice

Each server column carries two values per control: the first is C, R, U or NA, the second H, M, L or NA.

Control                            | Static Content Server | Web Front-end Server | Application Front-end Server | Application Logic Server | Database Server | Notes Server | Internet Access Router
User passwords                     | C, NA  | C, NA  | U, NA  | R, NA  | R, NA  | C, NA  | U, NA
User password quality checking     | C, NA  | C, NA  | C, NA  | NA, NA | NA, NA | NA, NA | NA, NA
Token based authentication         | R, NA  | R, NA  | R, NA  | NA, NA | NA, NA | NA, NA | NA, NA
Digital certificates               | NA, NA | NA, NA | NA, NA | NA, NA | NA, NA | R, NA  | NA, NA
Session Encryption (SSL, TLS, SSH) | R, NA  | R, NA  | NA, NA | NA, NA | NA, NA | NA, NA | U, NA
IPSEC (ESP)                        | NA, NA | NA, NA | R, NA  | R, NA  | R, NA  | NA, NA | NA, NA
IPSEC (AH)                         | NA, NA | NA, NA | NA, NA | NA, NA | NA, NA | NA, NA | NA, NA
S/MIME                             | NA, NA | NA, NA | NA, NA | NA, NA | NA, NA | NA, NA | NA, NA
PGP                                | NA, NA | NA, NA | NA, NA | NA, NA | NA, NA | NA, NA | NA, NA
Software design review             | U, NA  | U, NA  | U, NA  | U, NA  | U, NA  | U, NA  | NA, NA
Software code review               | U, NA  | U, NA  | U, NA  | U, NA  | U, NA  | U, NA  | U, NA
Application vulnerability testing  | U, NA  | U, NA  | U, NA  | R, NA  | R, NA  | R, NA  | NA, NA
Network vulnerability testing      | U, H   | U, H   | U, H   | R, NA  | R, NA  | R, NA  | U, NA
Backup and recovery process        | NA, L  | NA, L  | NA, L  | NA, L  | NA, L  | NA, L  | NA, L
Automatic fail-over                | NA, H  | NA, H  | NA, H  | NA, H  | NA, H  | NA, H  | NA, M
Manual fail-over                   | NA, M  | NA, M  | NA, M  | NA, M  | NA, M  | NA, M  | NA, L


Recap of Policy

- Policy defines classification and rules for access/exchange.
- Policy defines criticality.
- Policy hierarchy defines security services and quality of mechanisms.

Page 29: It risk assessment_methodology


Implement Countermeasures

TECHNOLOGY: Firewalls, Authentication, VPN, System IDS, Network IDS, PKI / Cryptography, Intelligence, Network Manager

PROCESS: Monitoring, Response, Administration, Change Control, Auditing, Continuity

PEOPLE: Assignment, Training, Awareness, Background


Countermeasures: Defense in Depth

[Figure: the defense-in-depth layers (Physical, Network, Application, System, Information; Management, Monitoring, Auditing, Response) shown together with the TECHNOLOGY, PROCESS and PEOPLE countermeasures listed above]

Page 30: It risk assessment_methodology


The 10 Guiding Principles*

1. Secure the Weakest Link
2. Practice Defense in Depth
3. Fail Securely
4. Follow the Principle of Least Privilege
5. Compartmentalize
6. Keep It Simple
7. Promote Privacy
8. Remember That Hiding Secrets Is Hard
9. Be Reluctant to Trust
10. Use Your Community Resources

* From Building Secure Software, John Viega and Gary McGraw


Cost vs. Risk

[Chart: Cost to Implement (More to Less) on the vertical axis against Effectiveness of Solution / Impact of Threat on the horizontal axis, with candidate solutions for Vuln #1 to Vuln #4, a Residual Risk line and the Chosen Solution marked. Solutions above the line are not cost effective.]

Page 31: It risk assessment_methodology


Maintain Vigilance

[Chart: Frequency of Attack against Time, with several Level of Vigilance bands marked]


Balance Security Activities

[Figure: Plan, Execute, Appraise cycle]

Page 32: It risk assessment_methodology


Plan

- Consider:
  - Future business needs
  - Changing threatscape
  - Tolerance to residual risk
- Establish policy
- Design security infrastructure
- Develop security procedures


Execute

- Implement according to design
- Operate according to procedures
- Continually improve

Page 33: It risk assessment_methodology


Appraise

- Appraise the plan:
  - Does it meet the expected threats?
  - Will it protect business interests?
  - Are there flaws in the design?
  - Is policy adequate or overly burdensome?
- Appraise the execution:
  - Is the design implemented correctly?
  - Has the configuration changed?
  - Do procedures cover all events?
  - Are operators alert?


Conclusions

- Understanding vulnerability alone is not enough!
- Risk depends upon likelihood of successful attack and its impact on the organization.
- Countermeasures include technology, procedures and people.
- Reducing risk generally requires additional cost.
- The war is never won; constant vigilance is the only way.

Page 34: It risk assessment_methodology


Thank You