Vulnerability Analysis - PowerPoint PPT Presentation

1 / 31
About This Presentation
Title:

Vulnerability Analysis

Description:

Attempt to violate specific constrains stated in a policy ... Nessus can be set up to use other tools such as Nmap and Hydra. ... – PowerPoint PPT presentation

Number of Views:37
Avg rating:3.0/5.0
Slides: 32
Provided by: AlbinZ1
Category:

less

Transcript and Presenter's Notes

Title: Vulnerability Analysis


1
Vulnerability Analysis
2
Vulnerability Analysis
  • Formal verification
  • Formally (mathematically) prove certain
    characteristics
  • Proves the absence of flaws in a program or
    design but not in a system
  • Penetration testing
  • Attempt to violate specific constrains stated in
    a policy
  • Cannot prove correctness but absence of a
    vulnerability
  • Review

3
Penetration Testing
  • Goals
  • Prove the existence/absence of a previously
    defined flaw
  • Find vulnerabilities under given restrictions
    (time, resources, ...)
  • Layering of tests
  • External attacker with no knowledge of the system
  • External attacker with knowledge of the system
  • Internal attacker with knowledge of the system

4
Penetration Testing Procedure
  • Information gathering
  • Find problem areas in the specification
  • Flaw hypothesis
  • Derive possible flaws from the information
    gathered
  • Flaw testing
  • Verify the possible flaws (exploiting, testing)
    but no harming!
  • Flaw generalization
  • Generalize the obtained insights
  • Flaw elimination proposal
  • Flaws need to be fixed but sometimes this takes
    time and than the tester can suggest ways to
    prevent the exploit

5
Vulnerability Scanners
  • Automated tools to test if the network or host is
    vulnerable to known attacks
  • Run in batch mode against the system
  • Process
  • A set of system attributes are sampled and stored
  • The results are compared to a reference set and
    the deviation derived

6
Nessus
  • The Nessus Security Scanner is a security
    auditing tool made up of two parts
  • The server, nessusd is in charge of the attacks
  • The client nessus provides an interface to the
    user
  • Nessusd inspect the remote hosts and attempts to
    list all the vulnerabilities and common
    misconfigurations that affects them.
  • Nessus can be set up to use other tools such as
    Nmap and Hydra.
  • New plug-ins can be downloaded or written in the
    nasl scripting language.

7
ISS
  • Internet scanner is a commercial security
    analysis tool similar to Nessus.
  • It also consists of two parts a console and a
    sensor that is the client and server part of ISS.
  • Runs exclusively on Windows systems.
  • New pluggins can be downloaded or written as
    programs in C or Perl and added through the
    FlexCheck system.
  • ISS and Nessus are the most popular security
    analysis tools

8
Network Based Analysis
  • Probing the system actively by
  • Looking for weaknesses
  • Derive information from system responses
  • Two different techniques
  • Testing by exploit really doing the attack
  • Interference Methods monitoring the system for
    vulnerable applications

9
Host Based Analysis
  • Assessing system data sources (file contents,
    configuration setting, status information) to
    determine vulnerabilities
  • Passive assessment where the tool has legitimated
    access which mostly involves privilege escalation
    attacks
  • Targets are password files, SUID, access
    permissions, anonymous ftp ...

10
Advantage/Disadvantage

-
  • Host based are tightly bound to the environment
  • Network based can harm the system and are more
    prone to false alarms
  • Can misguide a running IDS system
  • May violate legal prescriptions (privacy, others
    sphere of influence ...)
  • Helping to document the security state of a
    system
  • Regular application can spot system changes which
    could lead to problems
  • A way to double-check any changes made to the
    system

11
Risk analysis
12
Terms - Risk
  • Risk constitutes from the expected likelihood of
    a hazardous event and the expected damage of the
    event.
  • DIN, VDE Norm 31000,
  • Risks are a function of the values of the assets
    at risk, the likelihood of threats occurring to
    cause the potential adverse business impacts, the
    ease of exploitation of the vulnerabilities by
    the identified threats, and any existing or
    planned safeguards which might reduce the risk.
  • ISO 13335 Guidelines for the management of IT
    Security (GMITS)

13
Terms - Risk Analysis
  • The total process to identify, control, and
    manage the impact of uncertain harmful events,
    commensurate with the value of the protected
    assets.
  • National Information Systems Security Glossary

14
Risk Analysis Approaches
  • Bottom up
  • The risk is an aggregate of lower level risks
  • e.g. The risk that a phone break is a aggregation
    of the risk of the consiting parts
  • Mainly used in technical risk analysis
  • Top down
  • The risk is detailed to derive more clarity
  • Mainly use in organizational risk analysis

15
Risk Analysis Approaches
  • Baseline Approach
  • Do not analysis but apply baseline security
  • Informal Approach
  • Pragmatic risk analysis
  • Detailed Risk Analysis
  • In-depth valuation of assets, threat assessment
    and vulnerability assessment
  • Combined Approach
  • Initial high level approach where important
    systems are further analysis with a detailed
    approach
  • ISO 13335 Guidelines for the management of IT
    Security (GMITS)

16
Risk Identification
  • Checklists/Best practices
  • RA Tools (e.g. CRAMM, COBRA )
  • Standards
  • ISO 17799, ISO 13335, Common criteria
  • Basic Protection Manual (Grundschutzhandbuch)
  • ...
  • Mathematical Approaches
  • Trend Analysis, Regression Analysis ...
  • Creative approaches
  • Brainstorming, Delphi Method ..

17
Risk Assessment
  • Assess the values for a risk (per asset)
  • How likely is it ?
  • How harmful is it?
  • Assessment Approaches
  • Mathematical/Statistical Methods
  • Time line analysis (Trend Analysis)
  • Regression analysis
  • Simulation
  • Monte Carlo Simulation
  • Expert guesses

18
Risk Assessment
  • Severity Analysis
  • Calculate the risk r p e
  • Qualitative Methods
  • Abstract values for ranking (high low effect,
    high low likelihood)
  • Quantitative Methods
  • Specific values indicating severity (p0.32, e
    1000 or e 0.43)

19
Risk countermeasures
  • Avoidance
  • A measurement is chosen (respectively not chosen)
    so that the risk can not emerge.
  • Reduction
  • of threat
  • the cause of the risk is tried to be reduce.
  • of vulnerability
  • reducing the vulnerability
  • of impact
  • reduce the effects

20
Risk countermeasures
  • Detection
  • identified when the risk is emerging
    eliminating the risk source
  • Recovery
  • establish a recovery strategy
  • Transfer
  • transfer the risk to a third party
  • Acceptance
  • Preconditions set by the management
  • Residual Risk - The maximal acceptable risk
  • Final decision made by the management

21
AS/NZS 4360RM Process
  • Identify Context
  • Define the organizational context
  • Identify Risks
  • What can happen and how
  • Analyze Risks
  • Determine Likelihood and consequences
  • Evaluate Risk
  • Compare against criteria and set priorities
  • Treat Risk
  • Identify treatment options and decide for one

22
Process after ISO 17799
  • Asset Identification
  • Threat Assessment
  • Vulnerability Assessment
  • Safeguard Assessment
  • Risk Assessment

23
Approaches
  • OCTAVE
  • Software Engineering Institute approach
  • CORAS
  • European Research group approach
  • Software Tool free available
  • CRAMM
  • British Software Tool
  • ...

24
Security Policy
25
Policy - Terms and definitions
  • As security policy is a formal statement of the
    rules by which people who are given access to an
    organizations technology and information assets
    must abide.
  • Security Policy (Site Security Handbook, B.
    Fraser)

26
Policy classification
  • Language
  • Formal languages (mathematics, state engines,
    constrain languages
  • Natural language (normative languages, free
    speech)
  • Target
  • Product (mostly a technical system)
  • Overall (mostly an organization or humans)

27
Information Security Policy Hierarchy
28
Overall Policy
  • Expresses policy at the highest level of
    abstraction
  • A statement about the importance of information
    resources
  • Management and employee responsibility
  • Critical and subsequent security requirements
  • As a subdocument acceptable risks and budgets

29
Requirements to a policy
  • Policies need to set a high enough level to guide
    for longer time periods
  • Demonstrate organizational commitment to security
  • Position of responsibility to owners, partners
    and public
  • Hierarchy of policies
  • Concordant with organizational culture and norms

30
Target Policies
  • Tactical regulation instrument
  • Can have operational guidelines
  • Specific in a target area but not to detailed

31
Product policy
  • Requirements to the product
  • Additional Security
  • Relaxing other policies
  • Formulating special target policies for products
  • Privacy
  • Confidentiality statements
  • Reliability statements
  • ...

32
Questions ?
Write a Comment
User Comments (0)
About PowerShow.com