Vulnerability Analysis - PowerPoint PPT Presentation

Slides: 32
Provided by: AlbinZ1
Transcript and Presenter's Notes

1
Vulnerability Analysis
2
Vulnerability Analysis
  • Formal verification
      • Formally (mathematically) prove certain
        characteristics
      • Proves the absence of flaws in a program or
        design, but not in a system
  • Penetration testing
      • Attempt to violate specific constraints stated
        in a policy
      • Cannot prove correctness, but can show the
        absence of a vulnerability
  • Review

3
Penetration Testing
  • Goals
      • Prove the existence/absence of a previously
        defined flaw
      • Find vulnerabilities under given restrictions
        (time, resources, ...)
  • Layering of tests
      • External attacker with no knowledge of the system
      • External attacker with knowledge of the system
      • Internal attacker with knowledge of the system

4
Penetration Testing Procedure
  • Information gathering
      • Find problem areas in the specification
  • Flaw hypothesis
      • Derive possible flaws from the information
        gathered
  • Flaw testing
      • Verify the possible flaws (exploiting, testing),
        but without harming the system
  • Flaw generalization
      • Generalize the obtained insights
  • Flaw elimination proposal
      • Flaws need to be fixed, but sometimes this takes
        time; then the tester can suggest ways to
        prevent the exploit

5
Vulnerability Scanners
  • Automated tools to test whether the network or host
    is vulnerable to known attacks
  • Run in batch mode against the system
  • Process
      • A set of system attributes is sampled and stored
      • The results are compared to a reference set and
        the deviation derived

6
Nessus
  • The Nessus Security Scanner is a security
    auditing tool made up of two parts
      • The server, nessusd, is in charge of the attacks
      • The client, nessus, provides an interface to the
        user
  • Nessusd inspects the remote hosts and attempts to
    list all the vulnerabilities and common
    misconfigurations that affect them.
  • Nessus can be set up to use other tools such as
    Nmap and Hydra.
  • New plug-ins can be downloaded or written in the
    NASL scripting language.

7
ISS
  • Internet Scanner is a commercial security
    analysis tool similar to Nessus.
  • It also consists of two parts, a console and a
    sensor, which are the client and server parts of
    ISS.
  • Runs exclusively on Windows systems.
  • New plug-ins can be downloaded or written as
    programs in C or Perl and added through the
    FlexCheck system.
  • ISS and Nessus are the most popular security
    analysis tools

8
Network Based Analysis
  • Probing the system actively by
      • Looking for weaknesses
      • Deriving information from system responses
  • Two different techniques
      • Testing by exploit: really carrying out the
        attack
      • Inference methods: monitoring the system for
        vulnerable applications

9
Host Based Analysis
  • Assessing system data sources (file contents,
    configuration settings, status information) to
    determine vulnerabilities
  • Passive assessment where the tool has legitimate
    access; mostly concerned with privilege escalation
    attacks
  • Targets are password files, SUID binaries, access
    permissions, anonymous FTP ...
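As an added illustration of the scanner process described above (sample system attributes, compare them with a reference set, derive the deviation) applied to the host-based targets listed here, the following Python is not from the slides or from any of the tools they mention; the reference set and the sampled attributes are constructed stand-ins for what `os.stat` would return on a real host.

```python
import stat

# Constructed reference set: expected (mode, owner) for sensitive paths.
REFERENCE = {
    "/etc/passwd": (0o644, "root"),
    "/etc/shadow": (0o640, "root"),
    "/usr/bin/passwd": (0o4755, "root"),   # SUID is expected here
    "/srv/ftp": (0o755, "root"),           # anonymous FTP root
}

# Constructed sample, as a host-based scanner would collect it in batch mode.
SAMPLE = {
    "/etc/passwd": (0o644, "root"),
    "/etc/shadow": (0o644, "root"),            # readable by everyone
    "/usr/bin/passwd": (0o4755, "root"),
    "/usr/local/bin/helper": (0o4755, "root"), # SUID binary not in the reference
    "/srv/ftp": (0o777, "ftp"),                # world-writable, wrong owner
}

def deviations(sample, reference):
    """Compare sampled attributes with the reference set; return (path, finding) pairs."""
    findings = []
    for path, (mode, owner) in sample.items():
        ref = reference.get(path)
        if ref is None:
            # Unknown paths matter only if they carry setuid/setgid bits.
            if mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((path, "unexpected setuid/setgid binary"))
            continue
        ref_mode, ref_owner = ref
        if owner != ref_owner:
            findings.append((path, f"owner {owner} != {ref_owner}"))
        extra = mode & ~ref_mode & 0o7777      # permission bits set beyond the reference
        if extra:
            findings.append((path, f"extra permission bits {oct(extra)}"))
        if mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
    for path in reference:
        if path not in sample:
            findings.append((path, "missing from sample"))
    return findings

if __name__ == "__main__":
    for path, finding in deviations(SAMPLE, REFERENCE):
        print(f"{path}: {finding}")
```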

10
Advantage/Disadvantage

-
  • Host based are tightly bound to the environment
  • Network based can harm the system and are more
    prone to false alarms
  • Can mislead a running IDS
  • May violate legal prescriptions (privacy, others'
    sphere of influence ...)

+
  • Help to document the security state of a
    system
  • Regular application can spot system changes which
    could lead to problems
  • A way to double-check any changes made to the
    system

11
Risk analysis
12
Terms - Risk
  • Risk is constituted by the expected likelihood of
    a hazardous event and the expected damage of the
    event.
      • DIN, VDE Norm 31000
  • Risks are a function of the values of the assets
    at risk, the likelihood of threats occurring to
    cause the potential adverse business impacts, the
    ease of exploitation of the vulnerabilities by
    the identified threats, and any existing or
    planned safeguards which might reduce the risk.
      • ISO 13335 Guidelines for the management of IT
        Security (GMITS)

13
Terms - Risk Analysis
  • The total process to identify, control, and
    manage the impact of uncertain harmful events,
    commensurate with the value of the protected
    assets.
      • National Information Systems Security Glossary

14
Risk Analysis Approaches
  • Bottom up
      • The risk is an aggregate of lower level risks
      • e.g. the risk that a phone breaks is an
        aggregation of the risks of its constituent parts
      • Mainly used in technical risk analysis
  • Top down
      • The risk is broken down into more detail to gain
        clarity
      • Mainly used in organizational risk analysis

15
Risk Analysis Approaches
  • Baseline Approach
      • No analysis, but apply baseline security
  • Informal Approach
      • Pragmatic risk analysis
  • Detailed Risk Analysis
      • In-depth valuation of assets, threat assessment
        and vulnerability assessment
  • Combined Approach
      • Initial high level approach, where important
        systems are further analysed with a detailed
        approach
  • ISO 13335 Guidelines for the management of IT
    Security (GMITS)

16
Risk Identification
  • Checklists/Best practices
  • RA Tools (e.g. CRAMM, COBRA)
  • Standards
      • ISO 17799, ISO 13335, Common Criteria
      • Basic Protection Manual (Grundschutzhandbuch)
      • ...
  • Mathematical Approaches
      • Trend Analysis, Regression Analysis ...
  • Creative approaches
      • Brainstorming, Delphi Method ...

17
Risk Assessment
  • Assess the values for a risk (per asset)
      • How likely is it?
      • How harmful is it?
  • Assessment Approaches
      • Mathematical/Statistical Methods
          • Time line analysis (Trend Analysis)
          • Regression analysis
      • Simulation
          • Monte Carlo Simulation
      • Expert guesses

18
Risk Assessment
  • Severity Analysis
      • Calculate the risk r = p · e (likelihood p times
        expected damage e)
  • Qualitative Methods
      • Abstract values for ranking (high/low effect,
        high/low likelihood)
  • Quantitative Methods
      • Specific values indicating severity (p = 0.32,
        e = 1000 or e = 0.43)

19
Risk countermeasures
  • Avoidance
      • A measure is chosen (or deliberately not chosen)
        so that the risk cannot emerge.
  • Reduction
      • of threat
          • try to reduce the cause of the risk
      • of vulnerability
          • reduce the vulnerability
      • of impact
          • reduce the effects

20
Risk countermeasures
  • Detection
      • identify when the risk is emerging and
        eliminate the risk source
  • Recovery
      • establish a recovery strategy
  • Transfer
      • transfer the risk to a third party
  • Acceptance
      • Preconditions set by the management
      • Residual Risk - the maximal acceptable risk
      • Final decision made by the management

21
AS/NZS 4360 RM Process
  • Identify Context
      • Define the organizational context
  • Identify Risks
      • What can happen and how
  • Analyze Risks
      • Determine likelihood and consequences
  • Evaluate Risk
      • Compare against criteria and set priorities
  • Treat Risk
      • Identify treatment options and decide on one
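The severity calculation r = p · e from the risk assessment slide, the bottom-up aggregation, the reduction and acceptance countermeasures, and the evaluate step above (compare against criteria and set priorities) carried through in one added Python example. It is not from the slides; the assets, the high/low thresholds, the acceptance criterion and the independence assumption used for aggregating part risks are all constructed (the mail server reuses the slide's p = 0.32, e = 1000).

```python
def aggregate_likelihood(part_likelihoods):
    """Bottom-up aggregation: the whole fails if any constituent part fails.
    Assumes the parts fail independently (a constructed simplification)."""
    not_failing = 1.0
    for p in part_likelihoods:
        not_failing *= 1.0 - p
    return 1.0 - not_failing

def quantitative_risk(p, e):
    """Severity analysis: likelihood p (0..1) times expected damage e."""
    return p * e

def qualitative_rank(p, e, p_high=0.1, e_high=500.0):
    """Qualitative method: abstract high/low likelihood and effect, ranked 1..4.
    The thresholds are constructed, not from the slides."""
    likelihood = "high" if p >= p_high else "low"
    effect = "high" if e >= e_high else "low"
    rank = {("high", "high"): 4, ("high", "low"): 3,
            ("low", "high"): 2, ("low", "low"): 1}
    return likelihood, effect, rank[(likelihood, effect)]

def reduce_risk(p, e, threat_factor=1.0, impact_factor=1.0):
    """Reduction countermeasures: reducing threat or vulnerability scales p,
    reducing impact scales e."""
    return p * threat_factor, e * impact_factor

def evaluate(assets, acceptable_residual):
    """Evaluate step: compare each asset's risk against the residual risk set by
    management and order assets by priority (highest risk first)."""
    rows = [(name, quantitative_risk(p, e), quantitative_risk(p, e) <= acceptable_residual)
            for name, p, e in assets]
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed assets: (name, p, e). The mail server uses the slide's p = 0.32, e = 1000.
ASSETS = [
    ("phone", aggregate_likelihood([0.05, 0.10, 0.02]), 200.0),
    ("mail server", 0.32, 1000.0),
    ("intranet wiki", 0.08, 0.43),
]

if __name__ == "__main__":
    for name, r, accepted in evaluate(ASSETS, acceptable_residual=100.0):
        print(f"{name:14} r = {r:8.2f}  {'accept' if accepted else 'treat'}")
    p, e = reduce_risk(0.32, 1000.0, threat_factor=0.5)   # e.g. a safeguard halving p
    print("mail server after threat reduction:", quantitative_risk(p, e))
```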

22
Process after ISO 17799
  • Asset Identification
  • Threat Assessment
  • Vulnerability Assessment
  • Safeguard Assessment
  • Risk Assessment

23
Approaches
  • OCTAVE
      • Software Engineering Institute approach
  • CORAS
      • European research group approach
      • Software tool freely available
  • CRAMM
      • British software tool
  • ...

24
Security Policy
25
Policy - Terms and definitions
  • A security policy is a formal statement of the
    rules by which people who are given access to an
    organization's technology and information assets
    must abide.
      • Security Policy (Site Security Handbook, B.
        Fraser)

26
Policy classification
  • Language
      • Formal languages (mathematics, state machines,
        constraint languages)
      • Natural language (normative language, free
        text)
  • Target
      • Product (mostly a technical system)
      • Overall (mostly an organization or humans)

27
Information Security Policy Hierarchy
28
Overall Policy
  • Expresses policy at the highest level of
    abstraction
  • A statement about the importance of information
    resources
  • Management and employee responsibilities
  • Critical and subsequent security requirements
  • As a subdocument: acceptable risks and budgets

29
Requirements for a policy
  • Policies need to be set at a high enough level to
    guide for longer time periods
  • Demonstrate organizational commitment to security
  • Position of responsibility towards owners, partners
    and the public
  • Hierarchy of policies
  • Concordant with organizational culture and norms

30
Target Policies
  • Tactical regulation instrument
  • Can have operational guidelines
  • Specific to a target area but not too detailed

31
Product policy
  • Requirements for the product
      • Additional security
      • Relaxing other policies
  • Formulating special target policies for products
      • Privacy
      • Confidentiality statements
      • Reliability statements
      • ...

32
Questions ?