Slides copyright 2010 by Paladin Group, LLC used with permission by UMBC Training Centers, LLC.


Security+ Chapter 7 – Managing Vulnerabilities and Risks Brian E. Brzezicki

Threats, Vulnerabilities and Risks (335)
Asset – resource or information an organization needs to conduct its business
Threat – any circumstance or event with the potential to cause harm to an asset.
– Natural
– Human
– Accidental
– Environmental

Threats, Vulnerabilities and Risks
Vulnerability – a software, hardware, or procedural weakness that may provide an attacker the opportunity to obtain unauthorized access.
Impact – the resulting loss when a threat exploits a vulnerability
Risk – the likelihood that a threat will be able to exploit a vulnerability and cause an impact (loss)
– It is IMPOSSIBLE to 100% remove risk

Risk Management (337)
Attempting to minimize risks to an acceptable level. Risk management is an important responsibility of senior management.
Risk Assessment is the methodical analysis of threats, vulnerabilities, and risks, and the employment of countermeasures and other protections to minimize risks as well as possible in a cost-effective manner.

Quantitative Risk Analysis (338)
An objective method of risk analysis that attempts to measure and assign values to every aspect of the risk analysis process.
Note:
– Nothing can be 100% quantified
– This step requires lots of work on the front end, and software to fully implement.
There are several important terms and concepts needed to understand Quantitative Risk Analysis.

Quantitative Risk Analysis ( )
Asset Value – the total value of an asset, which is more than just replacement cost:
– Replacement cost
– Development cost
– Opportunity cost
– Value of asset to competitors
– Legal costs
– Public relations costs
– Etc…

Quantitative Risk Analysis ( )
SLE – Single Loss Expectancy. The amount of loss you expect on average for any single occurrence of a (asset, threat, vulnerability) combination.
Example: A warehouse's asset value is $1,000,000. If the warehouse caught fire, let's say you expect 30% of the asset value to be lost per fire.
SLE = $1,000,000 * .30 = $300,000

Quantitative Risk Analysis ( )
ARO – Annual Rate of Occurrence. The number of times in one year that you expect a certain threat to exploit a vulnerability and cause a loss. This can be a whole number or a fraction.
If you expect 1 fire every 10 years then ARO = (1 fire)/(10 years) = .10 or 10%
This is calculated based on specific conditions, statistics, historical data, etc.

Quantitative Risk Analysis ( )
ALE – Annual Loss Expectancy. The average amount of money you expect to lose every year for a certain (asset, threat, vulnerability) combination.
ALE = SLE * ARO
For the warehouse/fire example we have been doing:
ALE = $300,000 per fire * .10 fires per year
ALE = $30,000

Countermeasures
Once you have computed an ALE, you need to choose cost-effective countermeasures that reduce the ALE such that the new ALE plus the countermeasure cost is less than the original ALE:
ALE_before > ALE_after + countermeasure_cost

Example Problem ( )
You have an important server. For every hour that the server is down it costs your company $ There is a 25% chance every month that the server will get hacked; if it does, it will cost you 4 hours to clean and reinstall the server (nobody will be able to use it). There is an intrusion prevention system that will take the risk of a hacked system to 0% (don't we wish); however, it costs $5, per year subscription fee. Should you purchase the IPS? If you do, how much money will you save or lose?
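The SLE, ARO and ALE definitions, the countermeasure rule, and the server example problem above, carried through in code. This is an added example, not code from the slides or from Paladin Group; the warehouse figures come from the slides, while the hourly downtime cost and IPS subscription price for the server problem did not survive in the transcript, so they are passed in as labelled assumptions rather than taken from the page.

```python
"""Worked quantitative risk analysis: SLE, ARO, ALE and the countermeasure test."""


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy: asset value times the fraction lost per occurrence."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return round(asset_value * exposure_factor, 2)


def aro(occurrences: float, years: float) -> float:
    """Annual Rate of Occurrence: events per year; may be a fraction (1 fire / 10 years = 0.10)."""
    return occurrences / years


def ale(single_loss: float, annual_rate: float) -> float:
    """Annual Loss Expectancy = SLE * ARO."""
    return round(single_loss * annual_rate, 2)


def countermeasure_benefit(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net annual benefit of a countermeasure; positive means it is cost-effective.

    This is the slide's rule ALE_before > ALE_after + countermeasure_cost,
    rearranged so the caller sees the dollar amount saved (or lost).
    """
    return round(ale_before - (ale_after + annual_cost), 2)


def warehouse_fire() -> dict:
    """Slides' warehouse example: $1,000,000 asset, 30% lost per fire, one fire per decade."""
    s = sle(1_000_000, 0.30)   # $300,000 per fire
    a = aro(1, 10)             # 0.10 fires per year
    return {"sle": s, "aro": a, "ale": ale(s, a)}


def server_compromise(hourly_cost: float, ips_annual_cost: float) -> dict:
    """Slides' server example problem.

    The 25%-per-month compromise chance and 4 hours of downtime per incident are
    from the slide; hourly_cost and ips_annual_cost are ASSUMED by the caller
    because those dollar figures are missing from the transcript.
    """
    monthly_probability = 0.25
    hours_down = 4
    s = hours_down * hourly_cost              # loss per compromise
    a = aro(monthly_probability * 12, 1)      # expected compromises per year (3.0)
    before = ale(s, a)
    after = ale(s, 0.0)                       # IPS assumed to drive the risk to 0%
    benefit = countermeasure_benefit(before, after, ips_annual_cost)
    return {"sle": s, "aro": a, "ale_before": before, "ale_after": after,
            "benefit": benefit, "buy_ips": benefit > 0}


if __name__ == "__main__":
    print(warehouse_fire())
    # Placeholder figures (assumed, not from the slide): $1,000/hour downtime, $5,000/year IPS.
    print(server_compromise(hourly_cost=1_000, ips_annual_cost=5_000))
```

With the placeholder figures the server is expected to be compromised 3 times a year, each costing 4 hours of downtime, so ALE_before is 12 * hourly_cost; whether the IPS pays for itself depends entirely on how that compares with the subscription, which is the point of running the numbers before buying.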

Qualitative Risk Analysis (340)
Qualitative Risk Analysis is another, less formal method of risk analysis, more commonly used "in the field":
– No metrics
– Subjective
– Based more on experience and intuition

Other Ways of Mitigating Risks (n/b)
Sometimes there are no effective countermeasures that reduce the risk in a cost-effective way. When that's the case you can mitigate risks with other methods:
– Transferring the risk
– Avoiding the risk
– Accepting the risk

Vulnerability Assessments (340)
Though many vulnerabilities are NOT computer or network related, Vulnerability Assessment is a specific process of analyzing computer networks for technical vulnerabilities:
1) Identifying systems on the network
2) Determining what applications / services are running
3) Determining if these services have security holes
4) Reporting on deficiencies found so they can be corrected
Note that vulnerability assessment is not intrusive. It is simply a methodology for determining vulnerabilities. A vulnerability assessment does not try to actually exploit the vulnerabilities.

OVAL (349)
Open Vulnerability and Assessment Language. The verbiage below is taken directly from oval.mitre.org:
OVAL is an information security community effort to standardize how to assess and report upon the machine state of computer systems. OVAL includes a language to encode system details, and an assortment of content repositories held throughout the community. Tools and services that use OVAL for the three steps of system assessment — representing system information, expressing specific machine states, and reporting the results of an assessment — provide enterprises with accurate, consistent, and actionable information so they may improve their security. Use of OVAL also provides for reliable and reproducible information assurance metrics and enables interoperability and automation among security tools and services.

Penetration Testing (342)
The next step past vulnerability assessment. Once vulnerabilities are found, one tries to actually exploit them to see if the systems are actually susceptible.
– Dangerous, can actually cause damage
– Do not do this without senior management approval and without written consent
– Can be carried out by an internal organization or an outside (3rd party) one

Network Security Tools (344)
Protocol Analyzers
– Promiscuous mode vs. non-promiscuous mode
– Specific tools: Wireshark
Ping Scanners
– nmap
– hping
Port Scanners
– nmap
Network Mappers

Password Cracking Methods (347)
– Dictionary attacks
– Brute force
– Rainbow tables
Specific Tools
– John the Ripper
– Cain and Abel
– L0phtcrack

Hardware Risks

Storage Risks (349)
Removable media is a major concern for security professionals, especially USB drives.
Problems:
– Data theft
– Malware installation

USB Storage Countermeasures ( )
– Physically disable USB ports
– Disable USB in the BIOS
– Disable USB in the operating system
  – Windows registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UsbStor
– Disable AutoRun in Windows

Storage Risks (n/b)
Besides USB keys, other removable media such as CD-ROM disks and floppy disks cause problems. Often, through object reuse, data can unintentionally leak out of an organization. Removable media should be sanitized or destroyed. Some sanitization methods include:
– Degaussing
– Overwriting media
– Secure deletion

Logging and Auditing

Logging and Auditing (352)
When you spend the time and resources to protect resources, it is important that you log access attempts and then audit those access attempts.
– Can be manual or automated
– Sadly this is often NOT done

Unix Logging (n/b)
Unix logging uses the syslog daemon. There is also a Unix kernel log ring buffer.

Windows Logs (354)
Windows logs are in 3 main categories (in Windows XP; there are many more in Windows 2003 and 2008):
– Application
– System
– Security
Application logs have events of different severities:
– Information
– Warning
– Error

Windows Logs (355)
Windows Security events are noted as either:
– Success
– Failure
The tool used to view logs in Windows is Event Viewer.

Log Security (357)
Logs need to be secured. Some methods of securing them are:
– System permissions
– Remote servers
– Hashing or digitally signing log files
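One way to do the "hashing or digitally signing log files" item above: chain a keyed hash (HMAC-SHA256) through the log so that each line's tag depends on the previous line's tag. This is an added example, not code from the slides or from Paladin Group. The sample log lines, host name, addresses and key are constructed for the demo; the verifier catches an edited, deleted or reordered line, and catches lines chopped off the end only when it is given the last tag that was stored somewhere the logging host cannot rewrite (the remote log server from the same slide is the natural place).

```python
"""Tamper-evident log: every line carries an HMAC over its text and the previous line's tag."""
import hashlib
import hmac
from typing import List, Optional, Tuple

GENESIS_TAG = "0" * 64  # stands in for the 'previous tag' of the very first line

# Constructed sample log lines (syslog style); host, users and addresses are made up.
SAMPLE_LOG = [
    "Mar 10 09:12:01 host1 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51234",
    "Mar 10 09:12:44 host1 sudo: alice : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx",
    "Mar 10 09:15:03 host1 sshd[1250]: Failed password for root from 203.0.113.9 port 40111",
]


def _tag(key: bytes, prev_tag: str, text: str) -> str:
    """HMAC-SHA256 over previous tag + newline + line text, hex encoded."""
    msg = prev_tag.encode() + b"\n" + text.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def seal_log(lines: List[str], key: bytes) -> List[str]:
    """Append a chained HMAC tag to each line, producing entries of the form 'text|tag'."""
    sealed, prev = [], GENESIS_TAG
    for text in lines:
        tag = _tag(key, prev, text)
        sealed.append(f"{text}|{tag}")
        prev = tag
    return sealed


def final_tag(sealed: List[str]) -> str:
    """Last tag in the chain; keep a copy off-host so truncation of the tail is detectable."""
    return sealed[-1].rpartition("|")[2] if sealed else GENESIS_TAG


def verify_log(sealed: List[str], key: bytes,
               expected_final: Optional[str] = None) -> Tuple[bool, int]:
    """Return (ok, index of the first bad entry or -1).

    An edited, deleted or reordered line breaks the chain at its index. Lines removed
    from the END are only detected when expected_final (the stored last tag) is given;
    in that case the reported index is len(sealed).
    """
    prev = GENESIS_TAG
    for i, entry in enumerate(sealed):
        text, sep, tag = entry.rpartition("|")  # tags never contain '|', text may
        if not sep or not hmac.compare_digest(_tag(key, prev, text), tag):
            return False, i
        prev = tag
    if expected_final is not None and not hmac.compare_digest(prev, expected_final):
        return False, len(sealed)
    return True, -1


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice: a key the logging host cannot read
    sealed = seal_log(SAMPLE_LOG, key)
    print(verify_log(sealed, key))                       # (True, -1)
    tampered = list(sealed)
    tampered[1] = tampered[1].replace("alice", "mallory")
    print(verify_log(tampered, key))                     # (False, 1)
```

The key must not be readable by the process that writes the log, or whoever compromises that host can simply re-seal a rewritten file; a public-key signature over the final tag, or shipping tags to the remote server as they are produced, removes that dependency.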