It risk assessment_methodology
RISK ASSESSMENT AND MANAGEMENT
Presented by Jeff Kimmelman, Vigilinx Digital Security Solutions
Copyright (c) 2002 by Vigilinx

Introduction
• Who Am I?
• Purpose of Talk
• High Level Agenda

Who Am I?
• Jeff Kimmelman
  - Principal Security Architect
  - Vigilinx Digital Security Solutions
  - jeff.kimmelman@vigilinx.com
• Areas of Expertise:
  - Assessment
  - Policy
  - Design
  - Software

Experience
• IT related since 1982
• Worked in DoD secure environments
• Developed cryptographic software
• Designed and maintained secure global WANs
• Directed BBN/GTE/Baltimore Security Consulting Group

Purpose of Talk
• Define risk
• Propose an assessment methodology
• Discuss risk mitigation strategies
• Avoid overly technical digression

High Level Agenda
• Security Terminology
• Risk Assessment
  - The “Risk Equation”
  - Likelihood
  - Impact
• Addressing Risk
  - Establish Policy
  - Implement Countermeasures
  - Maintain Vigilance
• Concluding Remarks
Security Terminology

Security: A Definition
se•cu•ri•ty (si kyoor’ i tē), n., pl. –ties, adj. –n. 1. freedom from danger, risk, etc.; safety. 2. Freedom from care, anxiety, or doubt; well-founded confidence. 3. Something that secures or makes safe; protection; defense. … [1400-50; late ME securytye, securite(e) < L sēcūritās. …] (Webster’s New Universal Unabridged Dictionary)
• Security is a GOAL, not a STATE OF BEING.
• Security is everyone’s responsibility.

Important Terms
• Flaw
• Weakness
• Vulnerability
• Exploit
• Attack
• Adversary
• Threat

Flaw
• Imperfection of a system
• Found in design, implementation or execution
• Concealed or exposed
• Known or unknown
• Source of weakness or vulnerability
• Not always exploitable

Weakness
• Attribute of a system or defense
• Insufficient to resist expected attack (lack of strength)
• Not necessarily due to a flaw
• Source of vulnerability
• Not always exploitable

Vulnerability
• Feature of system or defense
• Sometimes (often) undiscovered
• Caused by flaws and weaknesses
• Always exploitable
• Target of adversaries

Exploit
• Methodology for attack
• Takes advantage of one or more vulnerabilities
• Repeatable
• Always “succeeds”
• Used in an attack

Attack
• Prosecution of an exploit (an instance)
• Defined objective
• Can be undetected or detected
• Sometimes (often) unsuccessful
• Performed by a motivated adversary

Adversary
• Agent (person or corporate)
• Motivated
• Often unscrupulous
• Goals:
  - Competition
  - Defamation
  - Financial gain
  - Notoriety
  - Information
• May or may not have means & knowledge

Threat
• Adversary
• Possesses means and knowledge
• Actively targeting
• Known or unknown

Countermeasures
• Methodology for defense
• Technological or procedural
• Types:
  - Detection
  - Resistance
  - Avoidance
  - Counter-attack
• Usually specific to an exploit

Countermeasures: Defense in Depth
[Diagram: nested layers Physical, Network, System, Application and Information, surrounded by TECHNOLOGY and PROCEDURE (Management, Monitoring, Auditing, Response)]

Security Countermeasures Include a Lot
[Diagram: ENABLERS (Technology, Processes, People, Operational Infrastructure) inside a Protective Boundary, with RISK REGIONS and Exogenous Factors outside it]

Security is an Arms Race
[Chart: Frequency of Attack against Time, showing an Easy Attack curve, a Complex Attack curve and the Chosen Security Countermeasure]
Risk Assessment

Risk
• Measures importance
• Determines relevance of vulnerabilities
• Useful for setting programmatic priority
• Varies over time

The Risk Equation
Impact x Likelihood = Risk
• Universal: Applies to all types of risk
• Uniform: Enables comparison
• Objective: Track over time

Risk is Two Dimensional
Impact x Likelihood = Risk
[Chart: Impact on the vertical axis, Likelihood on the horizontal axis; Attack 1 to Attack 4 plotted between Low Risk (bottom left) and High Risk (top right)]

Impact
Impact x Likelihood = Risk
• Measures the level of “pain” to the organization
• Examples:
  - Financial: Loss or cost to repair
  - Operational: Lost time, production or delivery
  - Reputation: Loss of customer or consumer confidence
  - Competitive: Reduction of market advantage
  - Regulatory: Legal liability
  - Fiduciary: Fiduciary liability

Likelihood
Impact x Likelihood = Risk
• Measures the probability of feeling the impact
• Contributors:
  - Known exploits
  - Motivated adversaries
  - Adequacy of countermeasures

Performing the Assessment
• Requires experience
• Two approaches:
  - Vulnerability driven
  - Asset driven
• Combine for greatest effect

Vulnerability Driven Analysis
1. Search for known vulnerabilities
2. Tabulate and estimate severity
3. Determine what assets are affected
4. Assign impact value
5. Consider adversaries and their motivations
6. Assign likelihood
7. Tabulate and report

Searching for Known Vulnerabilities
[Diagram: Flaws and Weaknesses lead to Vulnerability]
• Research known threat databases
• Use scanning tools
• Review technology and procedures
• Test users (social engineering)
Then grade ease of exploitation.

Network and System Vulnerabilities
• Network:
  - Unnecessary pathways
  - Unsecured data-streams
• System:
  - Unhardened systems
  - Unprotected administrator logon
  - Exposed management interfaces

Application and Operations Vulnerabilities
• Application:
  - Unneeded services
  - Buffer overflows
  - Lack of or weak authentication
• Operations:
  - Lack of change control program
  - No monitoring or intrusion detection
  - Easy access to backup media

Determine Affected Assets

Vulnerability        | Likelihood | Asset      | Impact | Risk
---------------------+------------+------------+--------+-----
No Password Required |            | Web 1      | Med    |
                     |            | Anon FTP   | Low    |
                     |            | Modem Pool | Med    |

• Most vulnerabilities affect multiple assets
• Can’t determine likelihood yet

Gauge the Impact
Impact x Likelihood = Risk
• Is there money at stake?
• Can private information be revealed?
• Would an attack embarrass the organization?
• Could a targeted system be used as a “stepping stone?”
• Would an attack advance the cause of information warfare or terrorism?
• Will competitive advantage be lost?

Identify Your Adversaries
Adversary + Motivation + Capability = Threat
• Internet Hacker
• Insider
• Thief
• Terrorist
• Industrial Spy

Gauge the Likelihood
Adversary + Motivation + Capability = Threat
• Depends on:
  - Threat
  - Complexity
• Examples:
  - DoS or DDoS on an Online Banking Application: Threat: Medium, Complexity: Low
  - Modify Stock Price Quote: Threat: High, Complexity: Medium
  - Execute Unauthorized Transactions: Threat: High, Complexity: Very High

Tabulate and Report

Vulnerability        | Likelihood | Asset      | Impact | Risk
---------------------+------------+------------+--------+---------
No Password Required | Med        | Web 1      | Med    | Med
                     | Low        | Anon FTP   | Low    | Very Low
                     | High       | Modem Pool | Med    | High

Many assessments stop at vulnerability and don’t consider impact.

Asset Driven Analysis
1. Inventory information assets
2. Estimate impact
3. Trace information back to technology
4. Analyze for vulnerabilities
5. Consider adversaries and their motivations
6. Assign likelihoods
7. Tabulate and report

Asset Table

Asset | Impact | Vulnerability  | Likelihood | Risk
------+--------+----------------+------------+-----
Web 1 | Med    | Unpatched IIS  | High       | High
      |        | No Password    | Med        | Med
      |        | Open NBT ports | High       | High

This is just the vulnerability driven table “turned inside out”.
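The vulnerability-driven and asset-driven tables above, as an added Python example that is not part of the Vigilinx deck: it evaluates the risk equation on the slides' ordinal scale, builds both views from one list of findings, and orders the rows by risk, since risk is what sets programmatic priority. The three matrix cells visible on the slides are kept; the other six cells, the assignment of one impact per asset, and the finding list are assumptions of this example.

```python
from collections import defaultdict

# Ordinal risk scale used by the deck's tables.
LEVELS = ["Very Low", "Low", "Med", "High", "Very High"]

# Risk = Impact x Likelihood as a lookup [impact][likelihood]. Three cells come
# from the Tabulate and Report slide (Low/Low = Very Low, Med/Med = Med,
# Med/High = High); the other six are assumed for this example.
RISK_MATRIX = {
    "Low":  {"Low": "Very Low", "Med": "Low",  "High": "Med"},
    "Med":  {"Low": "Low",      "Med": "Med",  "High": "High"},
    "High": {"Low": "Med",      "Med": "High", "High": "Very High"},
}

def risk(impact, likelihood):
    """Evaluate the risk equation on the ordinal matrix."""
    return RISK_MATRIX[impact][likelihood]

# Impact is assigned once per affected asset (step 4 of the vulnerability-driven
# method); values follow the slide tables.
ASSET_IMPACT = {"Web 1": "Med", "Anon FTP": "Low", "Modem Pool": "Med"}

# Constructed findings (vulnerability, asset, likelihood): the rows of the
# deck's two tables merged into one list.
FINDINGS = [
    ("No Password Required", "Web 1",      "Med"),
    ("No Password Required", "Anon FTP",   "Low"),
    ("No Password Required", "Modem Pool", "High"),
    ("Unpatched IIS",        "Web 1",      "High"),
    ("Open NBT ports",       "Web 1",      "High"),
]

def vulnerability_table(findings, impacts):
    """Vulnerability-driven view: one row per vulnerability/asset pair."""
    rows = []
    for vuln, asset, likelihood in findings:
        impact = impacts[asset]
        rows.append((vuln, asset, impact, likelihood, risk(impact, likelihood)))
    return rows

def asset_table(findings, impacts):
    """Asset-driven view: the same rows keyed by asset, i.e. turned inside out."""
    table = defaultdict(list)
    for vuln, asset, impact, likelihood, level in vulnerability_table(findings, impacts):
        table[asset].append((vuln, likelihood, level))
    return {asset: (impacts[asset], rows) for asset, rows in table.items()}

def prioritised(findings, impacts):
    """Risk sets priority: highest risk first (stable sort, ties keep table order)."""
    rows = vulnerability_table(findings, impacts)
    return sorted(rows, key=lambda row: LEVELS.index(row[4]), reverse=True)

if __name__ == "__main__":
    for vuln, asset, impact, likelihood, level in prioritised(FINDINGS, ASSET_IMPACT):
        print(f"{level:9} {vuln:22} {asset:11} impact={impact:4} likelihood={likelihood}")
```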
Risk Leads to Priority
Risk = Impact x Likelihood
[Chart: Potential Impact on the vertical axis, Likelihood of Attack on the horizontal axis, divided into Low Risk, Medium Risk and Very High Risk regions]

Addressing Risk

Risk Management Program
• Establish Policy
• Implement Countermeasures
• Maintain Vigilance

Security Policy – What Is It?
• Who?
• What’s prohibited?
• What’s required?
• What’s permitted?

Policy Statements
• Most corporate policies must be translated to concrete statements.
• Major elements:
  - Information Classification
  - System Criticality
  - Operational Context

Information Classification
• Information classification streamlines policy statement and enforcement.
• CAVEAT: Over-classification leads to excessive cost and added overhead.
• CAVEAT: Some collections of unclassified data become sensitive when aggregated.

An Example of Information Classification

INFORMATION CLASSIFICATION GUIDELINES

Classification                            | Level        | Examples
------------------------------------------+--------------+------------------------------------------------------------------------
Personally Identifiable Information (PII) | Restricted   | Personnel Records; Consumer Account Information
Company                                   | Restricted   | Plans for Reduction in Force; Financial Results
                                          | Confidential | Product Development Plans; Business Expansion Strategies
Customers                                 | Restricted   | Customer Plant Designs; Billing and Payables; Customer Non-Disclosure Information
                                          | Confidential | Customer Names; Sales and Delivery Records
Vendor                                    | Restricted   | Vendor Non-Disclosure Information; Contracts
                                          | Confidential | Business Unit Specific Price Lists

Criticality
• Criticality is a quality of operational systems.
• It depends upon the importance of a network, system or application.
• Criticality motivates reliability measures.

Example of Criticality

Criticality | Definition
------------+-----------------------------------------------------------------------------------------------
Low         | This application, system, or network asset is non-essential to corporate, business unit or departmental operations. Outages can be tolerated for a period of two weeks or more.
Medium      | This asset is important for normal corporate, business unit or departmental operations, but is not essential. An outage of up to 48 hours can be tolerated.
High        | This asset is essential and critical to corporate, business unit or department operations. Ideally, it is designed with full reliability. Outages should be kept to a minimum, generally less than 30 minutes.

Operational Context
• Facilities (systems and networks) are certified to the maximum classification level permitted.
• “Guards” ensure that information does not pass to an unauthorized environment.

Example of Operational Context
[Diagram only; no text survives in the transcript]

Create a Policy Hierarchy
Policies → Requirements → Standards → Configurations
Example: Requirements Specify Security Services
(Policies → Requirements → Standards → Configurations)
• Authentication
• Access Control
• Data Confidentiality
• Data Integrity
• Non-repudiation
(X.800, Security Architecture for Open Systems Interconnection for CCITT Applications; also ISO/IEC 7498-2)

Communications Policies (Examples)
• Personally Identifiable Information (PII) may not be transmitted in the clear on the Internet.
• Transmission of corporate restricted information on any network requires data confidentiality, peer-entity authentication, and non-repudiation with proof of delivery.

Storage Policies (Examples)
• Permanent storage of information classified as confidential or above on web servers is prohibited.
• Caching of information classified as confidential or above on web servers is permitted during the validity period of an associated session.
• Database systems must restrict access to authenticated, authorized users of confidential information.

Example: Standards Specify Service Mechanisms
(Policies → Requirements → Standards → Configurations)
• Includes algorithms and parameters:
  - Encipherment: DES, 3DES, RSA, key-length, etc.
  - Digital signature: RSA, DSS, key-length, etc.
  - Access control: authorization type, time, duration, etc.
  - Integrity: MD5, SHA, HMAC, etc.
  - Many more choices exist.

Tabulate Policy to Ensure Consistent Practice

Columns: IAR = Internet Access Router, SCS = Static Content Server, WFS = Web Front-end Server, AFS = Application Front-end Server, ALS = Application Logic Server, DBS = Database Server, NS = Notes Server. Each cell carries the two codes from the slide (the code legend is not part of the transcript).

Mechanism                          | IAR   | SCS   | WFS   | AFS   | ALS   | DBS   | NS
-----------------------------------+-------+-------+-------+-------+-------+-------+------
User passwords                     | C/NA  | C/NA  | U/NA  | R/NA  | R/NA  | C/NA  | U/NA
User password quality checking     | C/NA  | C/NA  | C/NA  | NA/NA | NA/NA | NA/NA | NA/NA
Token based authentication         | R/NA  | R/NA  | R/NA  | NA/NA | NA/NA | NA/NA | NA/NA
Digital certificates               | NA/NA | NA/NA | NA/NA | NA/NA | NA/NA | R/NA  | NA/NA
Session Encryption (SSL, TLS, SSH) | R/NA  | R/NA  | NA/NA | NA/NA | NA/NA | NA/NA | U/NA
IPSEC (ESP)                        | NA/NA | NA/NA | R/NA  | R/NA  | R/NA  | NA/NA | NA/NA
IPSEC (AH)                         | NA/NA | NA/NA | NA/NA | NA/NA | NA/NA | NA/NA | NA/NA
S/MIME                             | NA/NA | NA/NA | NA/NA | NA/NA | NA/NA | NA/NA | NA/NA
PGP                                | NA/NA | NA/NA | NA/NA | NA/NA | NA/NA | NA/NA | NA/NA
Software design review             | U/NA  | U/NA  | U/NA  | U/NA  | U/NA  | U/NA  | NA/NA
Software code review               | U/NA  | U/NA  | U/NA  | U/NA  | U/NA  | U/NA  | U/NA
Application vulnerability testing  | U/NA  | U/NA  | U/NA  | R/NA  | R/NA  | R/NA  | NA/NA
Network vulnerability testing      | U/H   | U/H   | U/H   | R/NA  | R/NA  | R/NA  | U/NA
Backup and recovery process        | NA/L  | NA/L  | NA/L  | NA/L  | NA/L  | NA/L  | NA/L
Automatic fail-over                | NA/H  | NA/H  | NA/H  | NA/H  | NA/H  | NA/H  | NA/M
Manual fail-over                   | NA/M  | NA/M  | NA/M  | NA/M  | NA/M  | NA/M  | NA/L

Recap of Policy
• Policy defines classification and rules for access/exchange.
• Policy defines criticality.
• Policy hierarchy defines security services and quality of mechanisms.
Implement Countermeasures

TECHNOLOGY         | PROCESS        | PEOPLE
-------------------+----------------+-----------
Firewalls          | Monitoring     | Assignment
Authentication     | Response       | Training
VPN                | Administration | Awareness
System IDS         | Change Control | Background
Network IDS        | Auditing       |
PKI / Cryptography | Continuity     |
Network Manager    | Intelligence   |

Countermeasures: Defense in Depth
[Diagram: the TECHNOLOGY, PROCESS and PEOPLE lists above mapped onto the layers Physical, Network, System, Application and Information, with Management, Monitoring, Auditing and Response as the surrounding PROCEDURE]

The 10 Guiding Principles*
1. Secure the Weakest Link
2. Practice Defense in Depth
3. Fail Securely
4. Follow the Principle of Least Privilege
5. Compartmentalize
6. Keep It Simple
7. Promote Privacy
8. Remember That Hiding Secrets Is Hard
9. Be Reluctant to Trust
10. Use Your Community Resources
* From Building Secure Software, John Viega and Gary McGraw

Cost vs. Risk
Solutions above the line are not cost effective.
[Chart: Cost to Implement on the vertical axis against Effectiveness of Solution / Impact of Threat (Less to More) on the horizontal axis; Vuln #1 to Vuln #4 plotted, with the Chosen Solution and Residual Risk marked]

Maintain Vigilance
[Chart: Frequency of Attack against Time, with the Level of Vigilance stepping up over time]

Balance Security Activities
Plan → Execute → Appraise (a cycle)

Plan
• Consider:
  - Future business needs
  - Changing threatscape
  - Tolerance to residual risk
• Establish policy
• Design security infrastructure
• Develop security procedures

Execute
• Implement according to design
• Operate according to procedures
• Continually improve

Appraise
• Appraise the plan:
  - Does it meet the expected threats?
  - Will it protect business interests?
  - Are there flaws in the design?
  - Is policy adequate or overly burdensome?
• Appraise the execution:
  - Is the design implemented correctly?
  - Has the configuration changed?
  - Do procedures cover all events?
  - Are operators alert?

Conclusions
• Understanding vulnerability alone is not enough!
• Risk depends upon likelihood of successful attack and its impact on the organization.
• Countermeasures include technology, procedures and people.
• Reducing risk generally requires additional cost.
• The war is never won—constant vigilance is the only way.

Thank You