Presentation is loading. Please wait.

Presentation is loading. Please wait.

Example One Internet is allowed to access the web server through HTTP protocol and port CVE-2006-3747 was identified on web server.

Published byZaria Edmond Modified over 10 years ago

Similar presentations

Presentation on theme: "Example One Internet is allowed to access the web server through HTTP protocol and port CVE-2006-3747 was identified on web server."— Presentation transcript:

1 Example One Internet is allowed to access the web server through HTTP protocol and port CVE-2006-3747 was identified on web server

2 Exploit pre-condition Exploit post-condition

3 Pre- and Post-conditions can be used in constructing an attack graph webServer is network-accessible to an attacker The web service is running The vulnerability exists This attack is possible The consequence is that webServer is compromised

4 This process is completely automated attackerLocated(internet). hacl( internet, webServer, httpProtocol, httpPort ). hacl( H, H, _, _). networkServiceInfo( webServer, httpd, httpProtocol, httpPort, apache ). vulExists( webServer, cve_apache, httpd ). vulProperty( cve_apache, remoteExploit, privEscalation ). What are your threats? Firewall/netw ork analyzer Vulnerability scanner NVD

5 But you do need a knowledge base execCode(H, Perm) :- vulExists(H, VulID, Software, remoteExploit, privEscalation), networkServiceInfo(H, Software, Protocol, Port, Perm), netAccess(H, Protocol, Port) The knowledge is completely independent of any site-specific settings.

6 Combining attack graphs and CVSS Attack graph presents a qualitative view of security problems – It shows what attacks are possible, but does not tell you how bad the problem is. – It captures the interactions among all attack possibilities in your system. CVSS provides a quantitative property of individual vulnerabilities – It tells you how bad an individual vulnerability could be. – But it does not tell you how bad it may be in your system.

7 Our Approach Use CVSS to produce a component metric --- a numeric measure on the conditional probability of success of an attack step. Suppose an attacker needs c1 (network access) to launch an attack on the vulnerability, and c2 (host compromised) is the consequence of a successful attack. the component metric means Pr[c2 = T|c1 = T] This measure does not consider any attacker behavior

8 High => 0.2 Medium=> 0.6 Low => 0.9 High => 0.2 Medium=> 0.6 Low => 0.9

9 Our Approach Aggregate the probabilities over the attack-graph structure to provide a cumulative metric --- the probability of attacker success in your system. Suppose there is a “dedicated attacker” who will try all possible ways to attack your system. If one path fails, he will try another. The cumulative metric is the probability that he can succeed in at least one path.

10 Calculation of the cumulative metrics c1 c2 Pr[c2|c1]=0.2 Pr[c2]=? Pr[c1]=? Pr[c1]=1 Pr[c2]=0.2 Pr[execCode(webServer, apache)]=0.2

11 Example Two CVE-2006-3747 was identified on web server Internet is allowed to access the web server through HTTP protocol and port Web server is allowed to access the MySQL database service on the dbase server CVE-2009-2446 was identified on db server

12 Exploit pre-condition Exploit post-condition Medium=> 0.6

13 1:execCode(dbServer,root) 2:remote exploit of a server program 3:netAccess(dbServer,dbProtocol,dbPort) 4:multi-hop access 5:hacl(webServer,dbServer,dbProtocol,dbPort) 6:execCode(webServer,apache) 7:remote exploit of a server program 8:netAccess(webServer,httpProtocol,httpPort) 9:direct network access 10:hacl(internet,webServer,httpProtocol,httpPort) 11:attackerLocated(internet) 12:networkServiceInfo(webServer,httpd,httpProtocol,httpPort,apache) 13:vulExists(webServer,cve_apache,httpd,remoteExploit,privEscalation) 14:networkServiceInfo(dbServer,mySQL,dbProtocol,dbPort,root) 15:vulExists(dbServer,cve_mySQL,mySQL,remoteExploit,privEscalation) 0.2 0.2x0.6=0.12

14 Example Three Internet is allowed to access the web server through HTTP protocol and port Web server is allowed to access the MySQL database service on the db server User workstations are allowed to access anywhere CVE-2006-3747 was identified on web server CVE-2009-2446 was identified on db server CVE-2009-1918 was identified on user workstations

15 Exploit pre-condition Exploit post-condition Low=> 0.9

16 Possible attack paths

17

18 6:execCode(webServer,apache) 11:execCode(workStation,normalAccount) 12:remote exploit of a client program 13:hasAccount(secretary,workStation,norma lAccount) 14:canAccessMaliciousInput(workStation,se cretary,internetExplorer) 15:Browsing a malicious website 17:hacl(workStation,internet,httpProtocol,htt pPort) 21:Browsing a compromised website 24:isUserMachine(workStation) 25:isWebBrowser(internetExplorer) 26:inCompetent(secretary) 27:vulExists(workStation,cve_IE,internetExplorer, remoteExploit,privEscalation) 30:attackerLocated(internet) 34:hacl(workStation,dbServer,dbProtocol,dbPort)

19

20 Challenge How to calculate probabilities in an attack graph with shared dependencies and cycles. – Bayesian Network Frigault, et al., 2008, does not allow cycles – Assuming independence among attack paths Wang, et al., 2008 – Customized data-flow algorithm with dynamic programming Homer, et al., 2009

21 Result execCode(dbServer,root): 0.47 execCode(webServer,apache): 0.2 execCode(workStation,normalAccount): 0.74 Before: execCode(dbServer,root): 0.12 execCode(webServer,apache): 0.2

22 Prioritization Given three hardening options: – Patching the web server – Patching the db server – Patching the workstation Which one would you patch first?

23 Suppose we patch the web server Before: execCode(dbServer,root): 0.47 execCode(webServer,apache): 0.2 execCode(workStation,normalAccount): 0.74 After: execCode(dbServer,root): 0.43 execCode(webServer,apache): 0 execCode(workStation,normalAccount): 0.72

24 Now let’s patch the db server Before: execCode(dbServer,root): 0.47 execCode(webServer,apache): 0.2 execCode(workStation,normalAccount): 0.74 After: execCode(dbServer,root): 0 execCode(webServer,apache): 0.2 execCode(workStation,normalAccount): 0.74

25 What if we block network access from Group 2 to Internal? Before: execCode(dbServer,root): 0.47 execCode(webServer,apache): 0.2 execCode(workStation,normalAccount): 0.74 After: execCode(dbServer,root): 0.12 execCode(webServer,apache): 0.2 execCode(workStation,normalAccount): 0.74

26 Optimizing Security Hardening Let Pr[execCode(dbServer,root)]=p 1 Pr[execCode(webServer,apache)]=p 2 Pr[execCode(workStation,normalAccount)]=p 3 If C 1,C 2,C 3 are the “cost” for the compromise of these three hosts respectively. Then your expected loss will be LE=C 1 *p 1 +C 2 *p 2 +C 3 *p 3 All the hardening measures H 1,H 2,…H n have costs as well. If you have a maximum dollar amount H to spend on hardening, and you want to minimize your LE, what would you do?

27 Challenges Scalability of metric calculation – Heavily depends on the connectivity of attack graphs – Exponential in the worst case Imprecise input problem – How sensitive is the outcome to the input component metrics? – Approximation algorithms to trade precision for scalability? Optimization techniques

28 Summary Quantitative security risk metrics are important in making sensible decisions in security hardening – People are already doing it in an ad-hoc way without any scientific basis – We want to transform it from a “black art” to a science

29 If you cannot measure it, you cannot improve it. ---Lord Kelvin

Download ppt "Example One Internet is allowed to access the web server through HTTP protocol and port CVE-2006-3747 was identified on web server."

Similar presentations

Lindsey Bleimes Charlie Garrod Adam Meyerson

Lindsey Bleimes Charlie Garrod Adam Meyerson
Haystack: Per-User Information Environment 1999 Conference on Information and Knowledge Management Eytan Adar et al Presented by Xiao Hu CS491CXZ.

Haystack: Per-User Information Environment 1999 Conference on Information and Knowledge Management Eytan Adar et al Presented by Xiao Hu CS491CXZ.
MulVAL: A logic-based network security analyzer Xinming Ou, Sudhakar Govindavajhala, and Andrew W. Appel Princeton University 14th USENIX Security Symposium,

MulVAL: A logic-based network security analyzer Xinming Ou, Sudhakar Govindavajhala, and Andrew W. Appel Princeton University 14th USENIX Security Symposium,
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
Operational Security Risk Metrics: Definitions, Calculations, Visualizations Metricon 2.0 Alain Mayer CTO RedSeal Systems

Operational Security Risk Metrics: Definitions, Calculations, Visualizations Metricon 2.0 Alain Mayer CTO RedSeal Systems
1 Web Servers / Deployment Alastair Dawes Original by Bhupinder Reehal.

1 Web Servers / Deployment Alastair Dawes Original by Bhupinder Reehal.
1 Measuring Network Security Using Attack Graphs Anoop Singhal National Institute of Standards and Technology Coauthors: Lingyu Wang and Sushil Jajodia.

1 Measuring Network Security Using Attack Graphs Anoop Singhal National Institute of Standards and Technology Coauthors: Lingyu Wang and Sushil Jajodia.
GPN 2009 May 29, Kansas City, Missouri An open security defense architecture for open collaborative cyber infrastructures Xinming (Simon) Ou Kansas State.

GPN 2009 May 29, Kansas City, Missouri An open security defense architecture for open collaborative cyber infrastructures Xinming (Simon) Ou Kansas State.
Logic-based, data-driven enterprise network security analysis Xinming (Simon) Ou Assistant Professor CIS Department Kansas State University COS 598D: Formal.

Logic-based, data-driven enterprise network security analysis Xinming (Simon) Ou Assistant Professor CIS Department Kansas State University COS 598D: Formal.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
P REDICTING ZERO - DAY SOFTWARE VULNERABILITIES THROUGH DATA MINING Su Zhang Department of Computing and Information Science Kansas State University 1.

P REDICTING ZERO - DAY SOFTWARE VULNERABILITIES THROUGH DATA MINING Su Zhang Department of Computing and Information Science Kansas State University 1.
CSCI 530L Vulnerability Assessment. Process of identifying vulnerabilities that exist in a computer system Has many similarities to risk assessment Four.

CSCI 530L Vulnerability Assessment. Process of identifying vulnerabilities that exist in a computer system Has many similarities to risk assessment Four.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
EECS 598-2 Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.

EECS Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.
An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks Edith Ngai, Michael R. Lyu, and Roland T. Chin IEEE Aerospace Conference, Big.

An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks Edith Ngai, Michael R. Lyu, and Roland T. Chin IEEE Aerospace Conference, Big.
1 Software Testing and Quality Assurance Lecture 32 – SWE 205 Course Objective: Basics of Programming Languages & Software Construction Techniques.

1 Software Testing and Quality Assurance Lecture 32 – SWE 205 Course Objective: Basics of Programming Languages & Software Construction Techniques.
AppSec USA 2014 Denver, Colorado Threat Modeling Made Interactive! Eunsuk Kang Software Design Group CSAIL, MIT.

AppSec USA 2014 Denver, Colorado Threat Modeling Made Interactive! Eunsuk Kang Software Design Group CSAIL, MIT.
“Today over 70% of attacks against a company’s network come at the ‘Application Layer’ not the Network or System layer.” - Gartner Is Your Web Application.

“Today over 70% of attacks against a company’s network come at the ‘Application Layer’ not the Network or System layer.” - Gartner Is Your Web Application.
DEEDS Meeting Oct., 26th 2006 Dependable, Embedded Systems and Software Group Department of Computer Science Darmstadt University of Technology Summary.

DEEDS Meeting Oct., 26th 2006 Dependable, Embedded Systems and Software Group Department of Computer Science Darmstadt University of Technology Summary.
BY Zoher & Mahmoud. What is WAMP?  - Acronym for Windows/Apache/MySQL/PHP, Python, (and/or) PERL  - WAMP refers to a set of free open source applications,

BY Zoher & Mahmoud. What is WAMP?  - Acronym for Windows/Apache/MySQL/PHP, Python, (and/or) PERL  - WAMP refers to a set of free open source applications,

Similar presentations

Ads by Google