IT Risk Assessment Methodology
RISK ASSESSMENT AND MANAGEMENT
Presented by Jeff Kimmelman
Vigilinx Digital Security Solutions
Introduction
- Who Am I?
- Purpose of Talk
- High Level Agenda
Copyright (c) 2002 by Vigilinx 2
Who Am I?
- Jeff Kimmelman
- Principal Security Architect
- Vigilinx Digital Security Solutions
- jeff.kimmelman@vigilinx.com
- Areas of Expertise:
  - Assessment
  - Policy
  - Design
  - Software
Experience
- IT related since 1982
- Worked in DoD secure environments
- Developed cryptographic software
- Designed and maintained secure global WANs
- Directed BBN/GTE/Baltimore Security Consulting Group
Security Terminology
Security – A Definition
se•cu•ri•ty (si kyoor’ i tē), n., pl. –ties, adj. –n. 1. freedom from danger, risk, etc.; safety. 2. Freedom from care, anxiety, or doubt; well-founded confidence. 3. Something that secures or makes safe; protection; defense. … [1400-50; late ME securytye, securite(e) < L sēcūritās. … ] (Webster’s New Universal Unabridged Dictionary)
- Security is a GOAL, not a STATE OF BEING.
- Security is everyone’s responsibility.
Important Terms
- Flaw
- Weakness
- Vulnerability
- Exploit
- Attack
- Adversary
- Threat
Flaw
- Imperfection of a system
- Found in design, implementation or execution
- Concealed or exposed
- Known or unknown
- Source of weakness or vulnerability
- Not always exploitable
Weakness
- Attribute of a system or defense
- Insufficient to resist expected attack – lack of strength
- Not necessarily due to a flaw
- Source of vulnerability
- Not always exploitable
Vulnerability
- Feature of system or defense
- Sometimes (often) undiscovered
- Caused by flaws and weaknesses
- Always exploitable
- Target of adversaries
Exploit
- Methodology for attack
- Takes advantage of one or more vulnerabilities
- Repeatable
- Always “succeeds”
- Used in an attack
Attack
- Prosecution of an exploit (an instance)
- Defined objective
- Can be undetected or detected
- Sometimes (often) unsuccessful
- Performed by a motivated adversary
Adversary
- Agent (person or corporate)
- Motivated
- Often unscrupulous
- Goals:
  - Competition
  - Defamation
  - Financial gain
  - Notoriety
  - Information
- May or may not have means & knowledge
Threat
- Adversary
- Possesses means and knowledge
- Actively targeting
- Known or unknown
Countermeasures
- Methodology for defense
- Technological or procedural
- Types:
  - Detection
  - Resistance
  - Avoidance
  - Counter-attack
- Usually specific to an exploit
Countermeasures: Defense in Depth
(Figure: layered defense. Technology layers: Physical, Network, System, Application, Information. Procedure, spanning all layers: Management, Monitoring, Auditing, Response.)
Security Countermeasures Include a Lot
(Figure: Enablers (Technology, Processes, People) supporting the Operational and Infrastructure risk regions inside a Protective Boundary, with Exogenous Factors acting from outside.)
Security is an Arms Race
(Figure: Frequency of Attack over Time. An Easy Attack curve rises until the Chosen Security Countermeasure is deployed; a Complex Attack curve follows.)
Risk Assessment
Risk
- Measures importance
- Determines relevance of vulnerabilities
- Useful for setting programmatic priority
- Varies over time
The Risk Equation
Impact x Likelihood = Risk
- Universal: Applies to all types of risk
- Uniform: Enables comparison
- Objective: Track over time
Risk is Two Dimensional
Impact x Likelihood = Risk
(Figure: Impact on the vertical axis against Likelihood on the horizontal axis, with four example attacks (Attack 1 to Attack 4) plotted between the Low Risk corner (low impact, low likelihood) and the High Risk corner (high impact, high likelihood).)
Impact
Impact x Likelihood = Risk
- Measures the level of “pain” to the organization
- Examples:
  - Financial: Loss or cost to repair
  - Operational: Lost time, production or delivery
  - Reputation: Loss of customer or consumer confidence
  - Competitive: Reduction of market advantage
  - Regulatory: Legal liability
  - Fiduciary: Fiduciary liability
Likelihood
Impact x Likelihood = Risk
- Measures the probability of feeling the impact
- Contributors:
  - Known exploits
  - Motivated adversaries
  - Adequacy of countermeasures
Performing the Assessment
- Requires experience
- Two approaches:
  - Vulnerability driven
  - Asset driven
- Combine for greatest effect
Vulnerability Driven Analysis
1. Search for known vulnerabilities
2. Tabulate and estimate severity
3. Determine what assets are affected
4. Assign impact value
5. Consider adversaries and their motivations
6. Assign likelihood
7. Tabulate and report
Searching for Known Vulnerabilities
(Figure: Flaws and Weaknesses feeding Vulnerability)
- Research known threat databases
- Use scanning tools
- Review technology and procedures
- Test users (social engineering)
→ Grade ease of exploitation
Network and System Vulnerabilities
- Network:
  - Unnecessary pathways
  - Unsecured data-streams
- System:
  - Unhardened systems
  - Unprotected administrator logon
  - Exposed management interfaces
Application and Operations Vulnerabilities
- Application:
  - Unneeded services
  - Buffer overflows
  - Lack of or weak authentication
- Operations:
  - Lack of change control program
  - No monitoring or intrusion detection
  - Easy access to backup media
Determine Affected Assets

Vulnerability         Likelihood  Asset       Impact  Risk
No Password Required  -           Web 1       Med     -
                      -           Anon FTP    Low     -
                      -           Modem Pool  Med     -

• Most vulnerabilities affect multiple assets
• Can’t determine likelihood yet
Gauge the Impact
Impact x Likelihood = Risk
- Is there money at stake?
- Can private information be revealed?
- Would an attack embarrass the organization?
- Could a targeted system be used as a “stepping stone?”
- Would an attack advance the cause of information warfare or terrorism?
- Will competitive advantage be lost?
Identify Your Adversaries
Adversary + Motivation + Capability = Threat
- Internet Hacker
- Insider
- Thief
- Terrorist
- Industrial Spy
Gauge the Likelihood
Adversary + Motivation + Capability = Threat
- Depends on:
  - Threat
  - Complexity
- Examples:
  - DoS or DDoS on an Online Banking Application: Threat: Medium, Complexity: Low
  - Modify Stock Price Quote: Threat: High, Complexity: Medium
  - Execute Unauthorized Transactions: Threat: High, Complexity: Very High
Tabulate and Report

Vulnerability         Likelihood  Asset       Impact  Risk
No Password Required  Med         Web 1       Med     Med
                      Low         Anon FTP    Low     Very Low
                      High        Modem Pool  Med     High

→ Many assessments stop at vulnerability and don’t consider impact
Asset Driven Analysis
1. Inventory information assets
2. Estimate impact
3. Trace information back to technology
4. Analyze for vulnerabilities
5. Consider adversaries and their motivations
6. Assign likelihoods
7. Tabulate and report
Asset Table

Asset  Impact  Vulnerability   Likelihood  Risk
Web 1  Med     Unpatched IIS   High        High
               No Password     Med         Med
               Open NBT ports  High        High

→ This is just the vulnerability driven table “turned inside out”
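The two tables above, the "Gauge the Likelihood" examples and the priority ordering are small enough to be worked through in code. The following is an added example, not part of the Vigilinx deck: it carries Impact x Likelihood = Risk through to a vulnerability-driven table, the same data "turned inside out" as an asset-driven table, and a priority list. The ordinal levels, the RISK_MATRIX lookup (chosen so that it reproduces the rows on the slides) and the threat/complexity rule in likelihood_from_threat() are assumptions made for this example; the findings are constructed to mirror the slides.

```python
"""Added example (not from the Vigilinx deck): a small risk-tabulation
engine that carries Impact x Likelihood = Risk through to the deck's
vulnerability-driven table, the asset-driven table ("turned inside out")
and a priority list.

Constructed for this example (not stated in the deck): ordinal levels
Low < Med < High, the RISK_MATRIX lookup (chosen to reproduce the rows on
the slides: Med x Med = Med, Low x Low = Very Low, Med x High = High) and
the threat/complexity rule in likelihood_from_threat().
"""
from collections import defaultdict
from dataclasses import dataclass

LEVELS = ["Low", "Med", "High"]                    # impact, likelihood, threat
COMPLEXITY = ["Low", "Med", "High", "Very High"]   # exploit complexity
RISK_ORDER = ["Very Low", "Low", "Med", "High", "Very High"]

# Risk = Impact x Likelihood, realised as a lookup on ordinal levels
# rather than as multiplication of made-up numbers.
RISK_MATRIX = {
    ("Low", "Low"): "Very Low",  ("Low", "Med"): "Low",   ("Low", "High"): "Med",
    ("Med", "Low"): "Low",       ("Med", "Med"): "Med",   ("Med", "High"): "High",
    ("High", "Low"): "Med",      ("High", "Med"): "High", ("High", "High"): "Very High",
}


@dataclass(frozen=True)
class Finding:
    vulnerability: str
    asset: str
    impact: str       # what losing the asset costs (a property of the asset)
    likelihood: str   # chance this exploit is used against this asset


def risk_level(impact: str, likelihood: str) -> str:
    """Impact x Likelihood = Risk."""
    return RISK_MATRIX[(impact, likelihood)]


def likelihood_from_threat(threat: str, complexity: str) -> str:
    """Constructed rule for the 'Gauge the Likelihood' slide: likelihood
    rises with threat and falls with exploit complexity."""
    idx = LEVELS.index(threat) - COMPLEXITY.index(complexity) + 1
    return LEVELS[max(0, min(len(LEVELS) - 1, idx))]


def vulnerability_table(findings):
    """Vulnerability-driven view: rows of (vulnerability, likelihood, asset, impact, risk)."""
    return [(f.vulnerability, f.likelihood, f.asset, f.impact,
             risk_level(f.impact, f.likelihood))
            for f in sorted(findings, key=lambda f: (f.vulnerability, f.asset))]


def asset_table(findings):
    """Asset-driven view: the same findings grouped by asset."""
    by_asset = defaultdict(list)
    for f in findings:
        by_asset[f.asset].append(f)
    return [(asset, f.impact, f.vulnerability, f.likelihood,
             risk_level(f.impact, f.likelihood))
            for asset in sorted(by_asset)
            for f in sorted(by_asset[asset], key=lambda f: f.vulnerability)]


def priorities(findings):
    """Risk leads to priority: highest risk first (stable for ties)."""
    return sorted(findings, reverse=True,
                  key=lambda f: RISK_ORDER.index(risk_level(f.impact, f.likelihood)))


def render(header, rows) -> str:
    """Fixed-width text table, in the style of the slides."""
    widths = [max(len(str(c)) for c in col) for col in zip(header, *rows)]
    return "\n".join("  ".join(str(c).ljust(w) for c, w in zip(r, widths))
                     for r in (header, *rows))


# Constructed findings mirroring the two tables on the slides.
FINDINGS = [
    Finding("No Password Required", "Web 1", "Med", "Med"),
    Finding("No Password Required", "Anon FTP", "Low", "Low"),
    Finding("No Password Required", "Modem Pool", "Med", "High"),
    Finding("Unpatched IIS", "Web 1", "Med", "High"),
    Finding("Open NBT ports", "Web 1", "Med", "High"),
]

if __name__ == "__main__":
    print(render(("Vulnerability", "Likelihood", "Asset", "Impact", "Risk"),
                 vulnerability_table(FINDINGS)))
    print()
    print(render(("Asset", "Impact", "Vulnerability", "Likelihood", "Risk"),
                 asset_table(FINDINGS)))
    print()
    for f in priorities(FINDINGS):
        print(risk_level(f.impact, f.likelihood).ljust(9), f.vulnerability, "on", f.asset)
```

Impact is recorded per asset and likelihood per (vulnerability, asset) pair, which is why the same "No Password Required" finding yields three different risk levels and why the asset view needs no extra data: both tables are projections of the same findings, as the slide says.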
Risk Leads to Priority
Risk = Impact x Likelihood
(Figure: Potential Impact on the vertical axis against Likelihood of Attack on the horizontal axis, divided into risk regions from Low Risk through Medium Risk and High Risk to Very High Risk.)
Addressing Risk
Risk Management Program
- Establish Policy
- Implement Countermeasures
- Maintain Vigilance
Security Policy – What Is It?
- Who?
- What’s prohibited?
- What’s required?
- What’s permitted?
Policy Statements
- Most corporate policies must be translated to concrete statements.
- Major elements:
  - Information Classification
  - System Criticality
  - Operational Context
Information Classification
- Information classification streamlines policy statement and enforcement.
- CAVEAT: Over-classification leads to excessive cost and added overhead.
- CAVEAT: Some collections of unclassified data become sensitive when aggregated.
An Example of Information Classification

INFORMATION CLASSIFICATION GUIDELINES

Classification                        Level         Examples
Personally Identifiable Information   Restricted    Personnel Records
(PII)                                               Consumer Account Information
Company                               Restricted    Plans for Reduction in Force
                                                    Financial Results
                                      Confidential  Product Development Plans
                                                    Business Expansion Strategies
Customers                             Restricted    Customer Plant Designs
                                                    Billing and Payables
                                                    Customer Non-Disclosure Information
                                      Confidential  Customer Names
                                                    Sales and Delivery Records
Vendor                                Restricted    Vendor Non-Disclosure Information
                                                    Contracts
                                      Confidential  Business Unit Specific Price Lists
Criticality
- Criticality is a quality of operational systems.
- It depends upon the importance of a network, system or application.
- Criticality motivates reliability measures.
Example of Criticality

Criticality  Definition
Low          This application, system, or network asset is non-essential to corporate, business unit or departmental operations. Outages can be tolerated for a period of two weeks or more.
Medium       This asset is important for normal corporate, business unit or departmental operations, but is not essential. An outage of up to 48 hours can be tolerated.
High         This asset is essential and critical to corporate, business unit or department operations. Ideally, it is designed with full reliability. Outages should be kept to a minimum, generally less than 30 minutes.
Operational Context
- Facilities (systems and networks) are certified to the maximum classification level permitted.
- “Guards” ensure that information does not pass to an unauthorized environment.
Example of Operational Context
(Figure only; the slide carries no text.)
Create a Policy Hierarchy
Policies → Requirements → Standards → Configurations
Example: Requirements Specify Security Services
- Authentication
- Access Control
- Data Confidentiality
- Data Integrity
- Non-repudiation
(X.800, Security Architecture for Open Systems Interconnection for CCITT Applications – also ISO/IEC 7498-2)
Communications Policies (Examples)
- Personally Identifiable Information (PII) may not be transmitted in the clear on the Internet.
- Transmission of corporate restricted information on any network requires data confidentiality, peer-entity authentication, and non-repudiation with proof of delivery.
Storage Policies (Examples)
- Permanent storage of information classified as confidential or above on web servers is prohibited.
- Caching of information classified as confidential or above on web servers is permitted during the validity period of an associated session.
- Database systems must restrict access to authenticated, authorized users of confidential information.
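The "Policy Statements" slide says corporate policies must be translated to concrete statements; the communications and storage examples above are concrete enough to be checked mechanically. The following is an added example, not from the Vigilinx deck: each example policy becomes a check over a described data flow or storage location, so that a design review can list which statements a proposed system violates. The classification ordering (with an assumed "Public" level below Confidential), the string names for X.800 services and server roles, the reading of "in the clear" as "without data confidentiality", and the sample flows and stores are all constructed for this example.

```python
"""Added example (not from the Vigilinx deck): the deck's example
communication and storage policies encoded as checks that can be run
against a described data flow or storage location.

Constructed for this example (not stated in the deck): the level
ordering in CLASS_ORDER, the service and role names used as strings,
and the sample flows and stores at the bottom.
"""
from dataclasses import dataclass

# Ordering used by "confidential or above"; the deck names Confidential
# and Restricted and classifies PII as Restricted. "Public" is assumed here.
CLASS_ORDER = ["Public", "Confidential", "Restricted"]

# X.800 security services the communications policy refers to.
CONFIDENTIALITY = "data confidentiality"
PEER_AUTH = "peer-entity authentication"
NON_REPUDIATION_DELIVERY = "non-repudiation with proof of delivery"


def at_least(level: str, floor: str) -> bool:
    """True if `level` is classified at `floor` or above."""
    return CLASS_ORDER.index(level) >= CLASS_ORDER.index(floor)


@dataclass(frozen=True)
class Flow:
    classification: str
    pii: bool
    network: str                 # "Internet" or "internal"
    services: frozenset          # security services applied to the flow


@dataclass(frozen=True)
class Store:
    classification: str
    server_role: str             # "web", "database", ...
    permanent: bool
    session_bound: bool = False  # cached only for an associated session
    access: str = "anyone"       # "authenticated-authorized" when enforced


def check_flow(flow: Flow) -> list:
    """Communications policy examples, returned as a list of violations."""
    violations = []
    # "In the clear" is read here as: no data confidentiality service applied.
    if flow.pii and flow.network == "Internet" and CONFIDENTIALITY not in flow.services:
        violations.append("PII transmitted in the clear on the Internet")
    if at_least(flow.classification, "Restricted"):
        required = {CONFIDENTIALITY, PEER_AUTH, NON_REPUDIATION_DELIVERY}
        missing = sorted(required - set(flow.services))
        if missing:
            violations.append("restricted information sent without: " + ", ".join(missing))
    return violations


def check_store(store: Store) -> list:
    """Storage policy examples, returned as a list of violations."""
    violations = []
    if not at_least(store.classification, "Confidential"):
        return violations        # the storage policies apply to confidential or above
    if store.server_role == "web":
        if store.permanent:
            violations.append("permanent storage of confidential information on a web server")
        elif not store.session_bound:
            violations.append("cached confidential information not tied to a session")
    if store.server_role == "database" and store.access != "authenticated-authorized":
        violations.append("database access to confidential information not restricted "
                          "to authenticated, authorized users")
    return violations


# Constructed samples: one violating and one compliant flow, three stores.
SAMPLE_FLOWS = [
    Flow("Restricted", True, "Internet", frozenset()),
    Flow("Restricted", False, "internal",
         frozenset({CONFIDENTIALITY, PEER_AUTH, NON_REPUDIATION_DELIVERY})),
]
SAMPLE_STORES = [
    Store("Confidential", "web", permanent=True),
    Store("Confidential", "web", permanent=False, session_bound=True),
    Store("Confidential", "database", permanent=True),
]

if __name__ == "__main__":
    for item in SAMPLE_FLOWS:
        print(item, "->", check_flow(item) or "OK")
    for item in SAMPLE_STORES:
        print(item, "->", check_store(item) or "OK")
```

Each check returns a list rather than a boolean so that one flow can be reported against every statement it breaks; the first sample flow, for instance, fails both the PII rule and the restricted-information rule.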
Example: Standards Specify Service Mechanisms
- Includes algorithms and parameters:
  - Encipherment: DES, 3DES, RSA, key-length, etc.
  - Digital signature: RSA, DSS, key-length, etc.
  - Access control: authorization type, time, duration, etc.
  - Integrity: MD5, SHA, HMAC, etc.
- Many more choices exist.
Tabulate Policy to Ensure Consistent Practice

Column key: SC = Static Content Server, WF = Web Front-end, AF = Application Front-end Server, AL = Application Logic Server, DB = Database Server, NS = Notes Server, IR = Internet Access Router. Each cell holds the two codes printed on the slide for that server; the slide text does not include a legend for the codes (C, R, U, NA and H, M, L, NA).

Practice                            SC     WF     AF     AL     DB     NS     IR
User passwords                      C NA   C NA   U NA   R NA   R NA   C NA   U NA
User password quality checking      C NA   C NA   C NA   NA NA  NA NA  NA NA  NA NA
Token based authentication          R NA   R NA   R NA   NA NA  NA NA  NA NA  NA NA
Digital certificates                NA NA  NA NA  NA NA  NA NA  NA NA  R NA   NA NA
Session Encryption (SSL, TLS, SSH)  R NA   R NA   NA NA  NA NA  NA NA  NA NA  U NA
IPSEC (ESP)                         NA NA  NA NA  R NA   R NA   R NA   NA NA  NA NA
IPSEC (AH)                          NA NA  NA NA  NA NA  NA NA  NA NA  NA NA  NA NA
S/MIME                              NA NA  NA NA  NA NA  NA NA  NA NA  NA NA  NA NA
PGP                                 NA NA  NA NA  NA NA  NA NA  NA NA  NA NA  NA NA
Software design review              U NA   U NA   U NA   U NA   U NA   U NA   NA NA
Software code review                U NA   U NA   U NA   U NA   U NA   U NA   U NA
Application vulnerability testing   U NA   U NA   U NA   R NA   R NA   R NA   NA NA
Network vulnerability testing       U H    U H    U H    R NA   R NA   R NA   U NA
Backup and recovery process         NA L   NA L   NA L   NA L   NA L   NA L   NA L
Automatic fail-over                 NA H   NA H   NA H   NA H   NA H   NA H   NA M
Manual fail-over                    NA M   NA M   NA M   NA M   NA M   NA M   NA L
Recap of Policy
- Policy defines classification and rules for access/exchange.
- Policy defines criticality.
- Policy hierarchy defines security services and quality of mechanisms.
Implement Countermeasures

TECHNOLOGY:          PROCESS:         PEOPLE:
Firewalls            Monitoring       Assignment
Authentication       Response         Training
VPN                  Administration   Awareness
System IDS           Change Control   Background
Network IDS          Auditing
PKI / Cryptography   Continuity
Network Manager      Intelligence
Countermeasures: Defense in Depth
(Figure: the technology, process and people countermeasures from the previous slide placed on the defense-in-depth layers (Physical, Network, System, Application, Information), with the procedure axis (Management, Monitoring, Auditing, Response) spanning all layers.)
The 10 Guiding Principles*
1. Secure the Weakest Link
2. Practice Defense in Depth
3. Fail Securely
4. Follow the Principle of Least Privilege
5. Compartmentalize
6. Keep It Simple
7. Promote Privacy
8. Remember That Hiding Secrets Is Hard
9. Be Reluctant to Trust
10. Use Your Community Resources
* From Building Secure Software, John Viega and Gary McGraw
Cost vs. Risk
(Figure: Cost to Implement on the vertical axis against Effectiveness of Solution / Impact of Threat on the horizontal axis (Less to More). Vuln #1 to Vuln #4 are plotted with the Chosen Solution and the Residual Risk it leaves. Solutions above the line are not cost effective.)
Maintain Vigilance
(Figure: Frequency of Attack over Time, with the Level of Vigilance marked at successive points as attacks recur.)
Balance Security Activities
Plan → Execute → Appraise (a continuing cycle)
Plan
- Consider:
  - Future business needs
  - Changing threatscape
  - Tolerance to residual risk
- Establish policy
- Design security infrastructure
- Develop security procedures
Execute
- Implement according to design
- Operate according to procedures
- Continually improve
Appraise
- Appraise the plan:
  - Does it meet the expected threats?
  - Will it protect business interests?
  - Are there flaws in the design?
  - Is policy adequate or overly burdensome?
- Appraise the execution:
  - Is the design implemented correctly?
  - Has the configuration changed?
  - Do procedures cover all events?
  - Are operators alert?
Conclusions
- Understanding vulnerability alone is not enough!
- Risk depends upon likelihood of successful attack and its impact on the organization.
- Countermeasures include technology, procedures and people.
- Reducing risk generally requires additional cost.
- The war is never won; constant vigilance is the only way.