LY
Uploaded byLarry Yurdin
95 views

Risk Analysis Report review

The document provides a risk assessment report for the NCIC 2000 Encryption Project being undertaken by the Washington State Patrol. It identifies various vulnerabilities in the encryption system being designed to secure communication between regional sites and the WSP ACCESS messaging system. These include issues like lax physical security, insecure password mechanisms, and inadequate access controls. The report then evaluates the risks associated with threats exploiting these vulnerabilities and provides recommendations for safeguards to mitigate the risks. These include measures like adding redundancy, strengthening physical access restrictions, and developing improved troubleshooting techniques and training.

Embed presentation

Download to read offline
Washington State Patrol NCIC 2000 ACCESS Encryption Project Task Order 2 – Design Task 2a – Risk Assessment Report August 16, 2005
Background The National Crime Information Center (NCIC), originally established in 1967, is the most extensive criminal justice information system in the US and is maintained by the FBI. Its successor, NCIC 2000 now includes requirements for all CJIS data to be encrypted between regional sites and the WSP ACCESS messaging system. In accordance with the FBI’s Criminal Justice Information Service (CJIS) Division Security Policy v4.1, all CJIS data transmitted through any public network segment or Internet connections shall be encrypted by a pair of secret keys, each with a minimum of 128 bits. Each cryptographic module, used for this purpose, must be certified by the National Institute of Standards and Technology’s (NIST) Computer Systems Laboratory to ensure that it meets the standards set forth in Federal Information Processing Standards (FIPS) Publication 140-2, “Security Requirements for Cryptographic Modules”. I. Scope Statement This report deals entirely with risks relating to the deployment and maintenance of an encryption structure, designed to secure communication from regional sites to the WSP ACCESS messaging system. The implementation of the encryption-decryption architecture will introduce new potential threats and vulnerabilities, both physical and procedural. These issues will be addressed in this document. II. Vulnerability and Threat Identification This section is concerned with the process used to identify threats, issues, concerns, risks etc. Risk is defined as the possibility of a threat exploiting a vulnerability and thereby causing harm to an asset. The threat will exploit the vulnerability to compromise one or more of the principles previously mentioned: • Confidentiality means that information is protected from being read or copied by anyone who does not have permission of the owner of that information. • Integrity means that information is not deleted or altered in a way that will cause damage or disruption. • Availability means that information should be protected so that it is readily available to those with proper authorization. • Non-repudiation means that an individual should not be able to deny having received or sent information. The following formula is one way of measuring risk: • Risk = threat × vulnerability × impact The key terms are risk, threat, vulnerability and impact. Without a threat agent, a vulnerability, or an impact, there is no risk. There must be a threat agent to exploit a vulnerability, and this exploitation must cause an impact for there to be a risk to the organization. Relevant definitions include:
• Threat - The capabilities and intentions of adversaries to exploit an information system; or any natural or unintentional event with the potential to cause harm to an information system, resulting in a degradation of an organization’s ability to fully perform its mission. • Vulnerability - A characteristic of an information system or its components that could be exploited by an adversary, or harmed by a natural act or an act unintentionally caused by human activity • Impact – The result of a particular threat exploiting a particular vulnerability. • Risk – The probability that a particular threat will exploit a particular vulnerability. • Safeguard – Any protective action, device, procedure, technique, or other measure that reduces exposures. Safeguard, in this context, is synonymous with countermeasure. There are three types of device interfaces referred to in this section: • Public Interface points to any untrusted network. • Private Interface points to any trusted network • Management Interface can either be the console or a private Ethernet interface. This section is devoted to identifying vulnerabilities that might be present in the NCIC 2000 Encryption Project and the potential of a given threat agent exploiting one of these vulnerabilities, thereby constituting a risk. These include: • Network Latency and Jitter– Latency indicates that the network is prone to delay. Jitter refers to an unpredictable variation in the time between packets arriving. Network congestion is, in this instance, the risk agent, which, when it exploits latency or jitter, could lead to the dropping of packets, jeopardizing availability. • Single Point of Failure – The absence of redundant modules and/or devices could be threatened by equipment failure whose impact could be unanticipated downtime, again posing a risk to the availability of the infrastructure. • Lax Physical Security – Poor physical security could make it possible for an intruder, or even a disgruntled employee, to remove or damage an encryption device. This could be the concentrator located at the WSP head end or a hardware client located at a regional site. This would enable the thief to, at the least, sabotage the encryption process and, at the worst, use the secret keys obtained to access or tamper with sensitive information. • Insecure Password Changing Mechanism – Cisco has pointed out that it is relatively easy for any person with possessing the administrative password and physical access to the console to change any password on a Cisco concentrator or hardware client. Combine this vulnerability with the lax physical security mentioned earlier, and the threat agent, in this case, a malicious person could effectively sabotage the encryption system.
• Password Non-recoverable Cisco warns that, for the VPN 3000 Series Concentrator and the 3002 hardware client, there is no way to recover your system if you forget the administrator password. In such a situation, the crypto- officer who forgets the password is the threat agent. The impact is that the concentrator or client has to be returned to Cisco so that the password can be recovered. This could render the encryption system inoperable for an unspecified period of time. • Network Complexity – An increase in complexity between regional sites and the WSP Data Center will make it more difficult to troubleshoot outages. The troubleshooting problem can be seen as the threat agent causing an increase in the Mean Time to Repair (MTTR). This could negatively impact the availability of the ACCESS messaging system. • Lax Access Control Mechanism – Access to the private interface could compromise the data integrity of the messaging system. This vulnerability could allow an unauthorized person, whether an intruder or an employee, to access, block or tamper with sensitive data. • Inadequate Crypto Officer Backup Mechanism - The role of Crypto Officer is responsible for the configuration and maintenance of the concentrator. When the person who usually assumes the Crypto Officer role is unavailable, it is essential that the person designated as the replacement be fully trained and familiar with the role. The threat agent, in this instance, in the unprepared person suddenly cast into the role. The resulting risk is that this person could inadvertently compromise the encryption system. • Failure to Enforce the Policy of Least Privilege – Least privilege is a policy that limits both the system’s users and processes to access only those resources necessary to perform assigned functions. Ensuring least privilege requires identifying what each user’s job is, outlining the minimum set of privileges required to perform that job, and restricting the user to only those privileges on a system/network. Changing the role of a process or user, without changing the rights associated with the role, is one manner of failing to enforce the policy of least privilege that a threat agent can exploit. The more users or processes sharing these same rights, the greater the chance that access by an uninformed or unscrupulous user or an inappropriate process can result in denial of service, loss of confidentiality or compromise of data. Another failure to enforce the policy of least privilege can result from a breakdown in communications between IT and HR. In such an instance, the privileges of a former employee may not be removed in a timely fashion. In this case, the threat agent is the former employee whose continued privileges could result in deliberate sabotage of the encryption structure and the messaging system (or in an unauthorized sharing of access information). • Lack of Adequate Training – This is a vulnerability where the threat agent is a new employee or an employee assigned an unfamiliar role. This could result in mistakes that could put the ACCESS messaging system at risk. This also opens
the possibility of social engineering where a nefarious intruder is able to obtain a password or other information from the inexperienced user. • Elevation of Privileges – This vulnerability is similar to the previous two. The abrupt increase in privileges without proper preparation, even when essential to the functioning of a process or a user, can result in both mistakes and in deliberate misuse of authority, either or which can put the system at risk. • Unsecured Access to Management Interface – This vulnerability is the result of weak control over the access to management interfaces. The threat agent is an attack that could be mounted, resulting in unauthorized configuration changes. • Misconfiguring the Assignment of Users to Groups presents a vulnerability that can serve as an invitation to access the messaging system for a nefarious purpose (Denial of Service (DoS) attack and compromise of sensitive data.) • Inadequate or No Log Auditing. This is a vulnerability than can be exploited by a threat agent, unauthorized access attempts. Such attempts may remain undetected due to the failure to maintain adequate logs and could serve to precede a brute force attack. • Power Failure – The vulnerability of a facility power failure can be exploited by the threat agent, the lack of an Uninterrupted Power Supply (UPS). This results in the unavailability of the messaging and encryption systems on the 3030 concentrator and the 3002 client. • Limited scalability – The internal database in the 3030 concentrator can support a maximum of 100 groups and users. The threat agent, in this instance, is the need to grow beyond the 100 group and user limit. Unless an external authentication server is used, it will not be possible to add any more groups or users. • FIPS Standards Limiting WSP and Regional Sites to Firmware Known to be Vulnerable In order to adhere to FIPS 140-2 standards, firmware for either the 3030 or the 3002 cannot be updated beyond the 3.6.7.F release. The threat agent here is the exploits known to exist in the 3.6.7.F release. The result is a device running firmware known to be vulnerable. • Lack of Bandwidth – The threat agent that can exploit this vulnerability is an increase in traffic. This will result in the loss of data. • No Backup Configuration File in the 3030 Concentrator- The threat agent that can exploit this vulnerability is data corruption caused by a device failure or other difficulties. This results in excessive downtime brought about by the concentrator’s inability to restore damaged files.
III. Risk Factor Determination This section is concerned with the process used to determine the probability that a specific threat might occur as well as its impact on the deployment and maintenance of the encryption structure designed to secure the ACCESS messaging system Each of the risks described in the section, “Vulnerability and Threat Identification” fall into one or more of these categories: • Policies and Procedures Risk, in this context, is dependent upon the degree to which policies and procedures, relating to the encryption-decryption process between regional sites and ACCESS, are clearly defined and effectively implemented. To some degree, every one of the risks characterized in the previous section is impacted by policies and procedures. • Physical Access This involves the determination and enforcement of just who is able to gain physical entry to the place where an encryption device is located. Related risks include:  Theft of an encryption device by an intruder or an employee  Sabotaging the encryption system by changing the admin password. This is fairly easy to accomplish if one has physical access to the encryption device console or management interface. • Configuration Issues This relates to risks created by poorly planned or implemented encryption equipment or infrastructure configuration. These include:  The dropping of packets due to network congestion. This can be a result of not taking latency and jitter issues into account in configuration planning and implementation.  Unavailability of the encryption infrastructure caused by unanticipated downtime. This can be avoided by designing a structure with redundant and failover capabilities, minimizing single points of failure.  Unavailability of the ACCESS messaging system due to troubleshooting problems brought about by an increase in complexity between the regional site clients and the WSP head end.  The unauthorized accessing, blocking or tampering with sensitive data due a poorly configured access control mechanism.  Unauthorized configuration changes can be made by an attacker exploiting unsecured access to management interfaces.  The uninvited accessing of the ACCESS messaging system could be the result of a configuration error in the assignment of users to groups. Such an error could be exploited by a would-be intruder. IV. Safeguard Recommendations All of the risks discussed previously are, to one degree or another, issues of policy and procedure. When it comes to establishing sound policies and enforcing appropriate procedures, those relating directly to the operation of the head end concentrator are the responsibility of the WSP. However, while WSP can suggest procedures to be
implemented by the regional sites, it is up to those sites to implement those procedures in keeping with their own security policies. Regional sites are responsible for setting and maintaining their own policies and procedures. Anything other than broad recommendations by WSP would be out of scope for this document. This section is concerned with specifying possible safeguards, or countermeasures, and how they relate to WSP’s decision to either mitigate the perceived risk or accept it. Security safeguards are measured in terms of its cost, functionality and effectiveness. Areas that need to be addressed include: • Network Latency and Jitter - Communication between a regional site and the head end, which pass over network segments affected by traffic congestion, will result in unacceptable packet loss. This can adversely affect IPSec tunnels. The WSP will need to monitor the Cisco 3030 logs to identify problem sites. When problems exist, the WSP will need to work with the DIS, and the regional site to determine what options are available to mitigate network congestion. • Single Point of Failure – The risk of unanticipated downtime can be mitigated by identifying potential single points of failure and applying redundant solutions. This might mean, for example, adding a second encryption module to the concentrator. Another option would be installation of a redundant 3030 concentrator. If the active concentrator were to fail, Cisco’s Virtual Router Redundancy Protocol (VRRP) could enable a seamless failover to the standby device. To make a decision as to which (if either) of the above two options makes the most sense, WSP management would need to weigh the cost of each solution against the likelihood and consequences of module or device failure and come to a decision. High availability service contracts should also be considered. It must be kept in mind that another weak link in the WSP network (a non- redundant firewall for example) could mean that a redundant concentrator or module solution would not adequately mitigate the risk. • Lax Physical Security – The risk of someone stealing or damaging the head end concentrator can be mitigated by establishing a secured area within the data center that only the crypto-officer and perhaps a second trusted person would have physical access to. Ideally, similar measures should be put in place at each of the regional sites, but this is clearly the responsibility of each regional site and is out of scope for WSP’s NCIC 2000 Encryption Project risk mitigation strategy. The most serious consequence of the theft on such an encryption device is not the cost of replacement, but the possibility that the intruder will gain access to the private and secret keys held by the device. • Insecure Password Changing Mechanism – As pointed out earlier, it’s relatively easy for anyone possessing the administrative password and physical access to the concentrator or hardware client console to change any other password. This could invite the possibility of encryption system sabotage. As with the previous recommendation, risk mitigation here takes the form of creating a secured area within the presumably secured area of the data center. Again, no more than two trusted persons would have access to the secured area within a secured area.
• Password Non-recoverable In this situation, the Crypto Officer who forgets the password serves as the threat agent. The only way the password can be recovered is by returning the concentrator or the hardware client to Cisco. The encryption system is inoperable until Cisco is able to solve the problem. There is a series of steps that must be followed to mitigate this risk. 1. The Crypto Officer creates the password and only that person should ever know it. It should be a word or phrase (FIPS requires a minimum password length of 6 characters) that has some meaning to the Crypto Officer but is obscure enough that it can withstand a brute force or dictionary attack. 2. The Crypto Officer writes down the password only once and immediately places the paper the password is written on in a secure off-site facility such as a safety deposit box. 3. The administration of the off-site facility is instructed that only the Crypto Officer is to have access to the stored document. The only exception is that if the Crypto Officer is incapacitated, the person designated as back- up Crypto Officer will have access to the paper the password is written on. • Network Complexity – The threat of difficulty troubleshooting and the consequent risk of an unavailable messaging system can be mitigated through the development of new troubleshooting techniques which expand upon existing troubleshooting techniques as well as additional training of personnel. • Lax Access Control Mechanism – The threat of an unauthorized person accessing the private interface of either the 3030 concentrator at the head end or the 3002 client at a regional site could result in the compromise of sensitive data. Risk mitigation, in such an instance, would call for securing traffic between the private interface and its termination interface (i.e. firewall). In the case of the 3030 concentrator, this is the responsibility of WSP. In the case of the 3002 client, this is the responsibility of the regional site. • Inadequate Crypto Officer Backup Mechanism – The threat agent is an unqualified person cast in the role of Crypto Officer. This can result in a compromise of the encryption system. This risk can be mitigated by the creation of thoroughly documented procedures defining the role and responsibilities of the Crypto Officer. • Failure to Enforce the Policy of Least Privilege – The threat agent in this scenario is any person with privileges not required for the job. This could be someone with elevated privileges left over from a previous position. It could be someone no longer employed by the organization but still holding the privileges of a previous position. Again the result could be the compromise of the sensitive or the deliberate or accidental disruption of the messaging or encryption system. These risks can be mitigated by rigorous enforcement of the principle of least privilege. No one should be assigned privileges not required for the position. Anyone ceasing to work for WSP or any regional organization should have all privileges revoked immediately. Anyone granted new privileges should be thoroughly familiar with the procedures related to those privileges.
• Assignment or Elevation of Privileges Without Adequate Training – Here the threat agent is anyone unfamiliar with the procedures necessary to accomplish an assigned set of tasks. This can result in unintentional errors that could put the messaging or encryption system at risk. It can also leave the inexperienced employee susceptible to manipulation by someone with questionable intentions. This risk can be mitigated by an appropriate amount of training, not so much as to overwhelm the employee but enough so that the employee can assume a new role with a thorough understanding of the procedures necessary to do the job. • Unsecured Access to Management Interface – The threat agent here is an attack resulting in undesirable configuration changes. This risk can be addressed by a meticulously designed and carefully implemented secure management interface access scheme. When carefully executed, these procedures can significantly reduce the chances of an intruder mounting a successful brute force or other attack against the management interface of either the head end concentrator or the regional site 3002 hardware client. • Misconfiguring the Assignment of Users to Groups – Poor planning and implementation can result in the assignment of users to inappropriate groups. Again, the threat agent is the person (whether employee or intruder) who can exploit this vulnerability by either mounting an attack or making an innocent mistake that could place the encryption and messaging systems in jeopardy. In this situation, risk mitigation calls for carefully constructed procedures designed to minimize human error when assigning users to groups. • Inadequate or No Log Auditing. In this environment, the threat agent is an intruder who can mount a passive attack undetected. Passive attacks are done by monitoring a system performing its tasks and collecting information. In general, it is very hard to detect passive attacks since they do not interact or disturb normal system functions. Examples of passive attacks are monitoring network traffic, CPU and disk usage. Passive attacks often serve to precede a brute force attack. This risk can be mitigated through the maintenance of adequate logs and a system of real time monitoring. This action will not be successful however unless the logs are carefully audited and the monitoring is performed rigorously and at regular intervals. • Power Failure – The threat agent is the absence of a UPS. During a power failure, the messaging and encryption systems could be rendered inoperable. This risk can be mitigated by means of the installation and careful maintenance of a UPS designed to provide uninterrupted power until a longer term solution can be employed. • Limited Scalability – The threat agent, is the need to grow beyond the 100 group and user limit. The risk can be mitigated by through the use of an external authentication server. • FIPS Standards Limiting WSP and Regional Sites to Firmware Known to be Vulnerable. The known vulnerabilities constitute the threat agent and the risk is a device running firmware known to be vulnerable. Due to Criminal Justice
Information Service (CJIS) Security Policy requirements to adhere to FIPS standards, it is necessary to accept this risk until a newer firmware release is validated and then to proceed with a firmware upgrade after careful testing. • Lack of Bandwidth – The risk, loss of data, brought about by an increase in traffic, can be mitigated by the addition of more bandwidth capacity. • No Backup Configuration File in the 3030 Concentrator- The risk, in this case, excessive downtime caused by the concentrator’s inability to restore damaged files, can be mitigated through the implementation of proper backup and restore procedures.

More Related Content

PDF
Network security-S.Karthika II-M.Sc computer science,Bon Securous college for...
bykarthikasivakumar3
 
PDF
Network srcurity
bysheikhparvez4
 
PDF
Introduction to cyber security i
byEmmanuel Gbenga Dada (BSc, MSc, PhD)
 
PDF
Chapter 2 konsep dasar keamanan
bynewbie2019
 
PPTX
Network Security Risk
byDedi Dwianto
 
PPTX
dos attacks
byAMAL PERUMPALLIL
 
PDF
AN ISP BASED NOTIFICATION AND DETECTION SYSTEM TO MAXIMIZE EFFICIENCY OF CLIE...
byIJNSA Journal
 
PPTX
Distributed network security management
bySwati Sinha
 
Network security-S.Karthika II-M.Sc computer science,Bon Securous college for...
bykarthikasivakumar3
 
Network srcurity
bysheikhparvez4
 
Introduction to cyber security i
byEmmanuel Gbenga Dada (BSc, MSc, PhD)
 
Chapter 2 konsep dasar keamanan
bynewbie2019
 
Network Security Risk
byDedi Dwianto
 
dos attacks
byAMAL PERUMPALLIL
 
AN ISP BASED NOTIFICATION AND DETECTION SYSTEM TO MAXIMIZE EFFICIENCY OF CLIE...
byIJNSA Journal
 
Distributed network security management
bySwati Sinha
 

What's hot

PPTX
Computer Security Chapter 1
byTemesgen Berhanu
 
PDF
S.Karthika,II-M.sc(Computer Science),Bon Secours college for women,thanjavur
byvkarthi314
 
PDF
Chapter 2 konsep dasar keamanan
bynewbie2019
 
PDF
NSA and PT
byRahmat Suhatman
 
PPTX
PACE-IT: Physical Network Security Control
byPace IT at Edmonds Community College
 
PPT
Security communication
bySay Shyong
 
PPT
Lect13 security
byUmang Gupta
 
PPT
Eidws 107 information assurance
byIT2Alcorn
 
PDF
C02
bynewbie2019
 
PDF
Security Holes and Vulnerabilities in Corporate Network_Pre Null Meet Kolkata
byamiyadutta
 
PDF
Honey Pot Intrusion Detection System
byInternational Journal of Engineering Inventions www.ijeijournal.com
 
PDF
IMPROVED IDS USING LAYERED CRFS WITH LOGON RESTRICTIONS AND MOBILE ALERTS BAS...
byIJNSA Journal
 
PDF
Enhanced method for intrusion detection over kdd cup 99 dataset
byijctet
 
PPTX
PACE-IT: Common Threats (part 2)
byPace IT at Edmonds Community College
 
PDF
A technical review and comparative analysis of machine learning techniques fo...
byIJECEIAES
 
PDF
A REVIEW ON DDOS PREVENTION AND DETECTION METHODOLOGY
byijasa
 
PDF
International Journal of Computational Science and Information Technology (I...
byijcsity
 
PDF
Current Studies On Intrusion Detection System, Genetic Algorithm And Fuzzy Logic
byijdpsjournal
 
PPT
Euro mGov Securing Mobile Services
byMiguel Ponce de Leon @ TSSG / Waterford Institute of Technology
 
Computer Security Chapter 1
byTemesgen Berhanu
 
S.Karthika,II-M.sc(Computer Science),Bon Secours college for women,thanjavur
byvkarthi314
 
Chapter 2 konsep dasar keamanan
bynewbie2019
 
NSA and PT
byRahmat Suhatman
 
PACE-IT: Physical Network Security Control
byPace IT at Edmonds Community College
 
Security communication
bySay Shyong
 
Lect13 security
byUmang Gupta
 
Eidws 107 information assurance
byIT2Alcorn
 
C02
bynewbie2019
 
Security Holes and Vulnerabilities in Corporate Network_Pre Null Meet Kolkata
byamiyadutta
 
Honey Pot Intrusion Detection System
byInternational Journal of Engineering Inventions www.ijeijournal.com
 
IMPROVED IDS USING LAYERED CRFS WITH LOGON RESTRICTIONS AND MOBILE ALERTS BAS...
byIJNSA Journal
 
Enhanced method for intrusion detection over kdd cup 99 dataset
byijctet
 
PACE-IT: Common Threats (part 2)
byPace IT at Edmonds Community College
 
A technical review and comparative analysis of machine learning techniques fo...
byIJECEIAES
 
A REVIEW ON DDOS PREVENTION AND DETECTION METHODOLOGY
byijasa
 
International Journal of Computational Science and Information Technology (I...
byijcsity
 
Current Studies On Intrusion Detection System, Genetic Algorithm And Fuzzy Logic
byijdpsjournal
 
Euro mGov Securing Mobile Services
byMiguel Ponce de Leon @ TSSG / Waterford Institute of Technology
 

Viewers also liked

PDF
Statistical Methods to Handle Missing Data
byTianfan Song
 
PPTX
Infosys
bySourabh Patil
 
DOCX
Design engineering report
byimshahbaz
 
DOCX
Design report
byyash patel
 
DOC
Report on design engineering
byRavi Patel
 
DOC
Richards-CV-word 2003 format updated
byRichard Cope
 
DOC
Rootin’ Around Show 29 Script
byLarry Yurdin
 
PDF
One Way Out - Chapter 1
byLarry Yurdin
 
PPTX
Fotografia ambiental (1)
byRitiele Brasil da Silveira
 
PDF
CelluonMarketingProspectus041414
byLarry Yurdin
 
PPTX
The Human Side of the Web
byTanya Moushi
 
PPTX
The Human Side of the Web PPT
byTanya Moushi
 
PPTX
Diapositivas compu
byDaniela Godoy
 
PDF
B. soal praktek bab ii ipdf
bychiki153
 
PDF
B. soal praktek bab ii ipdf
bychiki153
 
PDF
4 guia limpieza_unidades_rehidratacion
byHoracio Segura Abanto
 
PDF
B. soal praktek (107)
bychiki153
 
PDF
2.13 latihan
bychiki153
 
PDF
2.13 latihan
bychiki153
 
Statistical Methods to Handle Missing Data
byTianfan Song
 
Infosys
bySourabh Patil
 
Design engineering report
byimshahbaz
 
Design report
byyash patel
 
Report on design engineering
byRavi Patel
 
Richards-CV-word 2003 format updated
byRichard Cope
 
Rootin’ Around Show 29 Script
byLarry Yurdin
 
One Way Out - Chapter 1
byLarry Yurdin
 
Fotografia ambiental (1)
byRitiele Brasil da Silveira
 
CelluonMarketingProspectus041414
byLarry Yurdin
 
The Human Side of the Web
byTanya Moushi
 
The Human Side of the Web PPT
byTanya Moushi
 
Diapositivas compu
byDaniela Godoy
 
B. soal praktek bab ii ipdf
bychiki153
 
B. soal praktek bab ii ipdf
bychiki153
 
4 guia limpieza_unidades_rehidratacion
byHoracio Segura Abanto
 
B. soal praktek (107)
bychiki153
 
2.13 latihan
bychiki153
 
2.13 latihan
bychiki153
 

Similar to Risk Analysis Report review

PDF
BAIT1103 Chapter 1
bylimsh
 
PPTX
CH01-CompSec4e.pptx
byams1ams11
 
PPT
M.Florence Dayana/Cryptography and Network security
byDr.Florence Dayana
 
PDF
Incident Response
byMichaelRodriguesdosS1
 
PPTX
Information Security Lecture One for Basic
byhassankhan978073
 
PPT
Information Security Introduction Unit 1
byLokeshSaiKumarDasari2
 
PPT
ch01_overview_nemo cryptography concepts.ppt
byMubeenaBegum11
 
PPT
ch01_overview_bywillialmstallings_nemo.ppt
byblockchaincrc2023
 
PDF
Information security for dummies
byIvo Depoorter
 
PPTX
Information and network security 4 osi architecture
byVaibhav Khanna
 
ODP
Network Security Topic 1 intro
byKhawar Nehal khawar.nehal@atrc.net.pk
 
DOCX
Running Head SECURITY AWARENESSSecurity Awareness .docx
bytoltonkendal
 
PPTX
BCA-601N_final_1-1.pptx uuggjjgghjjhhjjj
bysurvhiagrawal
 
PPTX
BCA-601N_final_1-1Finalsem6metworks.pptx
byPareshLimbad1
 
PPTX
security in is.pptx
byselvapriyabiher
 
PDF
Describe two methods for communicating the material in an Informatio.pdf
byarchgeetsenterprises
 
PPTX
Security & Risk Mgmt_WK1.pptx
byTechnocracy2
 
PPTX
Security & Risk Mgmt_WK1.pptx
bydotco
 
PPT
Lecture1 Introduction
byrajakhurram
 
PPTX
It and-cyber-module-2
byMarneil Sanchez
 
BAIT1103 Chapter 1
bylimsh
 
CH01-CompSec4e.pptx
byams1ams11
 
M.Florence Dayana/Cryptography and Network security
byDr.Florence Dayana
 
Incident Response
byMichaelRodriguesdosS1
 
Information Security Lecture One for Basic
byhassankhan978073
 
Information Security Introduction Unit 1
byLokeshSaiKumarDasari2
 
ch01_overview_nemo cryptography concepts.ppt
byMubeenaBegum11
 
ch01_overview_bywillialmstallings_nemo.ppt
byblockchaincrc2023
 
Information security for dummies
byIvo Depoorter
 
Information and network security 4 osi architecture
byVaibhav Khanna
 
Network Security Topic 1 intro
byKhawar Nehal khawar.nehal@atrc.net.pk
 
Running Head SECURITY AWARENESSSecurity Awareness .docx
bytoltonkendal
 
BCA-601N_final_1-1.pptx uuggjjgghjjhhjjj
bysurvhiagrawal
 
BCA-601N_final_1-1Finalsem6metworks.pptx
byPareshLimbad1
 
security in is.pptx
byselvapriyabiher
 
Describe two methods for communicating the material in an Informatio.pdf
byarchgeetsenterprises
 
Security & Risk Mgmt_WK1.pptx
byTechnocracy2
 
Security & Risk Mgmt_WK1.pptx
bydotco
 
Lecture1 Introduction
byrajakhurram
 
It and-cyber-module-2
byMarneil Sanchez
 

Risk Analysis Report review

  • 1.
    Washington State Patrol NCIC2000 ACCESS Encryption Project Task Order 2 – Design Task 2a – Risk Assessment Report August 16, 2005
  • 2.
    Background The National CrimeInformation Center (NCIC), originally established in 1967, is the most extensive criminal justice information system in the US and is maintained by the FBI. Its successor, NCIC 2000 now includes requirements for all CJIS data to be encrypted between regional sites and the WSP ACCESS messaging system. In accordance with the FBI’s Criminal Justice Information Service (CJIS) Division Security Policy v4.1, all CJIS data transmitted through any public network segment or Internet connections shall be encrypted by a pair of secret keys, each with a minimum of 128 bits. Each cryptographic module, used for this purpose, must be certified by the National Institute of Standards and Technology’s (NIST) Computer Systems Laboratory to ensure that it meets the standards set forth in Federal Information Processing Standards (FIPS) Publication 140-2, “Security Requirements for Cryptographic Modules”. I. Scope Statement This report deals entirely with risks relating to the deployment and maintenance of an encryption structure, designed to secure communication from regional sites to the WSP ACCESS messaging system. The implementation of the encryption-decryption architecture will introduce new potential threats and vulnerabilities, both physical and procedural. These issues will be addressed in this document. II. Vulnerability and Threat Identification This section is concerned with the process used to identify threats, issues, concerns, risks etc. Risk is defined as the possibility of a threat exploiting a vulnerability and thereby causing harm to an asset. The threat will exploit the vulnerability to compromise one or more of the principles previously mentioned: • Confidentiality means that information is protected from being read or copied by anyone who does not have permission of the owner of that information. • Integrity means that information is not deleted or altered in a way that will cause damage or disruption. • Availability means that information should be protected so that it is readily available to those with proper authorization. • Non-repudiation means that an individual should not be able to deny having received or sent information. The following formula is one way of measuring risk: • Risk = threat × vulnerability × impact The key terms are risk, threat, vulnerability and impact. Without a threat agent, a vulnerability, or an impact, there is no risk. There must be a threat agent to exploit a vulnerability, and this exploitation must cause an impact for there to be a risk to the organization. Relevant definitions include:
  • 3.
    • Threat -The capabilities and intentions of adversaries to exploit an information system; or any natural or unintentional event with the potential to cause harm to an information system, resulting in a degradation of an organization’s ability to fully perform its mission. • Vulnerability - A characteristic of an information system or its components that could be exploited by an adversary, or harmed by a natural act or an act unintentionally caused by human activity • Impact – The result of a particular threat exploiting a particular vulnerability. • Risk – The probability that a particular threat will exploit a particular vulnerability. • Safeguard – Any protective action, device, procedure, technique, or other measure that reduces exposures. Safeguard, in this context, is synonymous with countermeasure. There are three types of device interfaces referred to in this section: • Public Interface points to any untrusted network. • Private Interface points to any trusted network • Management Interface can either be the console or a private Ethernet interface. This section is devoted to identifying vulnerabilities that might be present in the NCIC 2000 Encryption Project and the potential of a given threat agent exploiting one of these vulnerabilities, thereby constituting a risk. These include: • Network Latency and Jitter– Latency indicates that the network is prone to delay. Jitter refers to an unpredictable variation in the time between packets arriving. Network congestion is, in this instance, the risk agent, which, when it exploits latency or jitter, could lead to the dropping of packets, jeopardizing availability. • Single Point of Failure – The absence of redundant modules and/or devices could be threatened by equipment failure whose impact could be unanticipated downtime, again posing a risk to the availability of the infrastructure. • Lax Physical Security – Poor physical security could make it possible for an intruder, or even a disgruntled employee, to remove or damage an encryption device. This could be the concentrator located at the WSP head end or a hardware client located at a regional site. This would enable the thief to, at the least, sabotage the encryption process and, at the worst, use the secret keys obtained to access or tamper with sensitive information. • Insecure Password Changing Mechanism – Cisco has pointed out that it is relatively easy for any person with possessing the administrative password and physical access to the console to change any password on a Cisco concentrator or hardware client. Combine this vulnerability with the lax physical security mentioned earlier, and the threat agent, in this case, a malicious person could effectively sabotage the encryption system.
  • 4.
    • Password Non-recoverableCisco warns that, for the VPN 3000 Series Concentrator and the 3002 hardware client, there is no way to recover your system if you forget the administrator password. In such a situation, the crypto- officer who forgets the password is the threat agent. The impact is that the concentrator or client has to be returned to Cisco so that the password can be recovered. This could render the encryption system inoperable for an unspecified period of time. • Network Complexity – An increase in complexity between regional sites and the WSP Data Center will make it more difficult to troubleshoot outages. The troubleshooting problem can be seen as the threat agent causing an increase in the Mean Time to Repair (MTTR). This could negatively impact the availability of the ACCESS messaging system. • Lax Access Control Mechanism – Access to the private interface could compromise the data integrity of the messaging system. This vulnerability could allow an unauthorized person, whether an intruder or an employee, to access, block or tamper with sensitive data. • Inadequate Crypto Officer Backup Mechanism - The role of Crypto Officer is responsible for the configuration and maintenance of the concentrator. When the person who usually assumes the Crypto Officer role is unavailable, it is essential that the person designated as the replacement be fully trained and familiar with the role. The threat agent, in this instance, in the unprepared person suddenly cast into the role. The resulting risk is that this person could inadvertently compromise the encryption system. • Failure to Enforce the Policy of Least Privilege – Least privilege is a policy that limits both the system’s users and processes to access only those resources necessary to perform assigned functions. Ensuring least privilege requires identifying what each user’s job is, outlining the minimum set of privileges required to perform that job, and restricting the user to only those privileges on a system/network. Changing the role of a process or user, without changing the rights associated with the role, is one manner of failing to enforce the policy of least privilege that a threat agent can exploit. The more users or processes sharing these same rights, the greater the chance that access by an uninformed or unscrupulous user or an inappropriate process can result in denial of service, loss of confidentiality or compromise of data. Another failure to enforce the policy of least privilege can result from a breakdown in communications between IT and HR. In such an instance, the privileges of a former employee may not be removed in a timely fashion. In this case, the threat agent is the former employee whose continued privileges could result in deliberate sabotage of the encryption structure and the messaging system (or in an unauthorized sharing of access information). • Lack of Adequate Training – This is a vulnerability where the threat agent is a new employee or an employee assigned an unfamiliar role. This could result in mistakes that could put the ACCESS messaging system at risk. This also opens
  • 5.
    the possibility ofsocial engineering where a nefarious intruder is able to obtain a password or other information from the inexperienced user. • Elevation of Privileges – This vulnerability is similar to the previous two. The abrupt increase in privileges without proper preparation, even when essential to the functioning of a process or a user, can result in both mistakes and in deliberate misuse of authority, either or which can put the system at risk. • Unsecured Access to Management Interface – This vulnerability is the result of weak control over the access to management interfaces. The threat agent is an attack that could be mounted, resulting in unauthorized configuration changes. • Misconfiguring the Assignment of Users to Groups presents a vulnerability that can serve as an invitation to access the messaging system for a nefarious purpose (Denial of Service (DoS) attack and compromise of sensitive data.) • Inadequate or No Log Auditing. This is a vulnerability than can be exploited by a threat agent, unauthorized access attempts. Such attempts may remain undetected due to the failure to maintain adequate logs and could serve to precede a brute force attack. • Power Failure – The vulnerability of a facility power failure can be exploited by the threat agent, the lack of an Uninterrupted Power Supply (UPS). This results in the unavailability of the messaging and encryption systems on the 3030 concentrator and the 3002 client. • Limited scalability – The internal database in the 3030 concentrator can support a maximum of 100 groups and users. The threat agent, in this instance, is the need to grow beyond the 100 group and user limit. Unless an external authentication server is used, it will not be possible to add any more groups or users. • FIPS Standards Limiting WSP and Regional Sites to Firmware Known to be Vulnerable In order to adhere to FIPS 140-2 standards, firmware for either the 3030 or the 3002 cannot be updated beyond the 3.6.7.F release. The threat agent here is the exploits known to exist in the 3.6.7.F release. The result is a device running firmware known to be vulnerable. • Lack of Bandwidth – The threat agent that can exploit this vulnerability is an increase in traffic. This will result in the loss of data. • No Backup Configuration File in the 3030 Concentrator- The threat agent that can exploit this vulnerability is data corruption caused by a device failure or other difficulties. This results in excessive downtime brought about by the concentrator’s inability to restore damaged files.
  • 6.
    III. Risk FactorDetermination This section is concerned with the process used to determine the probability that a specific threat might occur as well as its impact on the deployment and maintenance of the encryption structure designed to secure the ACCESS messaging system Each of the risks described in the section, “Vulnerability and Threat Identification” fall into one or more of these categories: • Policies and Procedures Risk, in this context, is dependent upon the degree to which policies and procedures, relating to the encryption-decryption process between regional sites and ACCESS, are clearly defined and effectively implemented. To some degree, every one of the risks characterized in the previous section is impacted by policies and procedures. • Physical Access This involves the determination and enforcement of just who is able to gain physical entry to the place where an encryption device is located. Related risks include:  Theft of an encryption device by an intruder or an employee  Sabotaging the encryption system by changing the admin password. This is fairly easy to accomplish if one has physical access to the encryption device console or management interface. • Configuration Issues This relates to risks created by poorly planned or implemented encryption equipment or infrastructure configuration. These include:  The dropping of packets due to network congestion. This can be a result of not taking latency and jitter issues into account in configuration planning and implementation.  Unavailability of the encryption infrastructure caused by unanticipated downtime. This can be avoided by designing a structure with redundant and failover capabilities, minimizing single points of failure.  Unavailability of the ACCESS messaging system due to troubleshooting problems brought about by an increase in complexity between the regional site clients and the WSP head end.  The unauthorized accessing, blocking or tampering with sensitive data due a poorly configured access control mechanism.  Unauthorized configuration changes can be made by an attacker exploiting unsecured access to management interfaces.  The uninvited accessing of the ACCESS messaging system could be the result of a configuration error in the assignment of users to groups. Such an error could be exploited by a would-be intruder. IV. Safeguard Recommendations All of the risks discussed previously are, to one degree or another, issues of policy and procedure. When it comes to establishing sound policies and enforcing appropriate procedures, those relating directly to the operation of the head end concentrator are the responsibility of the WSP. However, while WSP can suggest procedures to be
  • 7.
    implemented by theregional sites, it is up to those sites to implement those procedures in keeping with their own security policies. Regional sites are responsible for setting and maintaining their own policies and procedures. Anything other than broad recommendations by WSP would be out of scope for this document. This section is concerned with specifying possible safeguards, or countermeasures, and how they relate to WSP’s decision to either mitigate the perceived risk or accept it. Security safeguards are measured in terms of its cost, functionality and effectiveness. Areas that need to be addressed include: • Network Latency and Jitter - Communication between a regional site and the head end, which pass over network segments affected by traffic congestion, will result in unacceptable packet loss. This can adversely affect IPSec tunnels. The WSP will need to monitor the Cisco 3030 logs to identify problem sites. When problems exist, the WSP will need to work with the DIS, and the regional site to determine what options are available to mitigate network congestion. • Single Point of Failure – The risk of unanticipated downtime can be mitigated by identifying potential single points of failure and applying redundant solutions. This might mean, for example, adding a second encryption module to the concentrator. Another option would be installation of a redundant 3030 concentrator. If the active concentrator were to fail, Cisco’s Virtual Router Redundancy Protocol (VRRP) could enable a seamless failover to the standby device. To make a decision as to which (if either) of the above two options makes the most sense, WSP management would need to weigh the cost of each solution against the likelihood and consequences of module or device failure and come to a decision. High availability service contracts should also be considered. It must be kept in mind that another weak link in the WSP network (a non- redundant firewall for example) could mean that a redundant concentrator or module solution would not adequately mitigate the risk. • Lax Physical Security – The risk of someone stealing or damaging the head end concentrator can be mitigated by establishing a secured area within the data center that only the crypto-officer and perhaps a second trusted person would have physical access to. Ideally, similar measures should be put in place at each of the regional sites, but this is clearly the responsibility of each regional site and is out of scope for WSP’s NCIC 2000 Encryption Project risk mitigation strategy. The most serious consequence of the theft on such an encryption device is not the cost of replacement, but the possibility that the intruder will gain access to the private and secret keys held by the device. • Insecure Password Changing Mechanism – As pointed out earlier, it’s relatively easy for anyone possessing the administrative password and physical access to the concentrator or hardware client console to change any other password. This could invite the possibility of encryption system sabotage. As with the previous recommendation, risk mitigation here takes the form of creating a secured area within the presumably secured area of the data center. Again, no more than two trusted persons would have access to the secured area within a secured area.
  • 8.
    • Password Non-recoverableIn this situation, the Crypto Officer who forgets the password serves as the threat agent. The only way the password can be recovered is by returning the concentrator or the hardware client to Cisco. The encryption system is inoperable until Cisco is able to solve the problem. There is a series of steps that must be followed to mitigate this risk. 1. The Crypto Officer creates the password and only that person should ever know it. It should be a word or phrase (FIPS requires a minimum password length of 6 characters) that has some meaning to the Crypto Officer but is obscure enough that it can withstand a brute force or dictionary attack. 2. The Crypto Officer writes down the password only once and immediately places the paper the password is written on in a secure off-site facility such as a safety deposit box. 3. The administration of the off-site facility is instructed that only the Crypto Officer is to have access to the stored document. The only exception is that if the Crypto Officer is incapacitated, the person designated as back- up Crypto Officer will have access to the paper the password is written on. • Network Complexity – The threat of difficulty troubleshooting and the consequent risk of an unavailable messaging system can be mitigated through the development of new troubleshooting techniques which expand upon existing troubleshooting techniques as well as additional training of personnel. • Lax Access Control Mechanism – The threat of an unauthorized person accessing the private interface of either the 3030 concentrator at the head end or the 3002 client at a regional site could result in the compromise of sensitive data. Risk mitigation, in such an instance, would call for securing traffic between the private interface and its termination interface (i.e. firewall). In the case of the 3030 concentrator, this is the responsibility of WSP. In the case of the 3002 client, this is the responsibility of the regional site. • Inadequate Crypto Officer Backup Mechanism – The threat agent is an unqualified person cast in the role of Crypto Officer. This can result in a compromise of the encryption system. This risk can be mitigated by the creation of thoroughly documented procedures defining the role and responsibilities of the Crypto Officer. • Failure to Enforce the Policy of Least Privilege – The threat agent in this scenario is any person with privileges not required for the job. This could be someone with elevated privileges left over from a previous position. It could be someone no longer employed by the organization but still holding the privileges of a previous position. Again the result could be the compromise of the sensitive or the deliberate or accidental disruption of the messaging or encryption system. These risks can be mitigated by rigorous enforcement of the principle of least privilege. No one should be assigned privileges not required for the position. Anyone ceasing to work for WSP or any regional organization should have all privileges revoked immediately. Anyone granted new privileges should be thoroughly familiar with the procedures related to those privileges.
  • 9.
    • Assignment orElevation of Privileges Without Adequate Training – Here the threat agent is anyone unfamiliar with the procedures necessary to accomplish an assigned set of tasks. This can result in unintentional errors that could put the messaging or encryption system at risk. It can also leave the inexperienced employee susceptible to manipulation by someone with questionable intentions. This risk can be mitigated by an appropriate amount of training, not so much as to overwhelm the employee but enough so that the employee can assume a new role with a thorough understanding of the procedures necessary to do the job. • Unsecured Access to Management Interface – The threat agent here is an attack resulting in undesirable configuration changes. This risk can be addressed by a meticulously designed and carefully implemented secure management interface access scheme. When carefully executed, these procedures can significantly reduce the chances of an intruder mounting a successful brute force or other attack against the management interface of either the head end concentrator or the regional site 3002 hardware client. • Misconfiguring the Assignment of Users to Groups – Poor planning and implementation can result in the assignment of users to inappropriate groups. Again, the threat agent is the person (whether employee or intruder) who can exploit this vulnerability by either mounting an attack or making an innocent mistake that could place the encryption and messaging systems in jeopardy. In this situation, risk mitigation calls for carefully constructed procedures designed to minimize human error when assigning users to groups. • Inadequate or No Log Auditing. In this environment, the threat agent is an intruder who can mount a passive attack undetected. Passive attacks are done by monitoring a system performing its tasks and collecting information. In general, it is very hard to detect passive attacks since they do not interact or disturb normal system functions. Examples of passive attacks are monitoring network traffic, CPU and disk usage. Passive attacks often serve to precede a brute force attack. This risk can be mitigated through the maintenance of adequate logs and a system of real time monitoring. This action will not be successful however unless the logs are carefully audited and the monitoring is performed rigorously and at regular intervals. • Power Failure – The threat agent is the absence of a UPS. During a power failure, the messaging and encryption systems could be rendered inoperable. This risk can be mitigated by means of the installation and careful maintenance of a UPS designed to provide uninterrupted power until a longer term solution can be employed. • Limited Scalability – The threat agent, is the need to grow beyond the 100 group and user limit. The risk can be mitigated by through the use of an external authentication server. • FIPS Standards Limiting WSP and Regional Sites to Firmware Known to be Vulnerable. The known vulnerabilities constitute the threat agent and the risk is a device running firmware known to be vulnerable. Due to Criminal Justice
  • 10.
    Information Service (CJIS)Security Policy requirements to adhere to FIPS standards, it is necessary to accept this risk until a newer firmware release is validated and then to proceed with a firmware upgrade after careful testing. • Lack of Bandwidth – The risk, loss of data, brought about by an increase in traffic, can be mitigated by the addition of more bandwidth capacity. • No Backup Configuration File in the 3030 Concentrator- The risk, in this case, excessive downtime caused by the concentrator’s inability to restore damaged files, can be mitigated through the implementation of proper backup and restore procedures.