Risk Identification: Vulnerability Analysis

Transcription

1 Risk Identification: Vulnerability Analysis

2 Vulnerability Analysis Vulnerability flaw or weakness in an info. asset, its design, implementation or security procedure that can be exploited accidentally or deliberately by a threat a known threat is a real threat to an organization only if there is an actual vulnerability it can exploit sheer existence of a vulnerability does not mean harm WILL be caused threat agent is required vulnerability that is easy to exploit is often a high-danger vulnerability Asset Vulnerability Threat

3 Vulnerability Analysis (cont.) TVA Worksheet at the end of risk identification procedure, organization should derive threats-vulnerabilities-assets (TVA) worksheet this worksheet is a starting point for risk assessment phase TVA worksheet combines prioritized lists of assets and threats prioritized list of assets is placed on x-axis, with most important assets on the left prioritized list of threats is placed on y-axis, with most dangerous threats at the top resulting grid enables a simplified prioritybased vulnerability assessment

4 Vulnerability Analysis (cont.) If one multiple vulnerabilities exist between T1 & A1, they can be categorized: T1V1A1 Vulnerability 1 that exists between Threat 1 and Asset 1 T1V2A1 Vulnerability 2 that exists between Threat 1 and Asset 1, If intersection between T2 and A2 has no vulnerability, the risk assessment team simply crosses out that box.

5 Vulnerability Analysis (cont.) Example: Vulnerability assessment of critical files people open suspicious attachments and/or copy files off USBs [procedural weakness] Deliberate Software Attack Virus Attack desktop (files) on a particular computer/workstation Asset antivirus software not up-to-date [procedural weakness] Vulnerability Threat

6 Vulnerability Analysis (cont.) Example: Vulnerability assessment of critical files NIC can support data-rates of up to 50 Mbps [design weakness] DDoS Attack CPU freezes at 10,000 packets/sec [design/implementation flaw] server Asset Vulnerability Threat

7 Vulnerability Analysis (cont.) Example: Vulnerability assessment of a router temperature control in router/server room is not adequate router overheats and shuts downs [design and implementation weakness] Act of Human Error or Failure router net. administrator allows access to unauthor. user unauthor. user uploads a virus, router crashes [procedural weakness] Asset Vulnerability Threat

8 Vulnerability Analysis (cont.) Example: Vulnerability assessment of a DMZ router Asset!!!

9 Risk Assessment

10 Risk Assessment Summary of Vulnerability Analysis Act of human error or failure People Procedure Data Software Hardware Networking cause damage (loss) flaw or weakness in asset s design, exploit implementation, or security procedure Deliberate act of trespass Deliberate act of extortion Deliberate act of sabotage Deliberate software attacks Technical software failures Technical hardware failures Forces of nature Etc. Vulnerability Asset Threat

11 Risk Assessment (cont.) Risk Assessment provides relative numerical risk ratings (scores) to each vulnerability in risk management, it is not the presence of a vulnerability that really matters, but the associated risk! (Security) Risk quantifies: 1) possibility that a threat successfully acts upon a vulnerability and 2) how severe the consequences would be R = P * V P = probability of risk-event occurrence V = value lost / cost to organization

12 Risk Assessment (cont.) Weighted score indicating the relative importance (associated loss) of the given asset. Should be used if concrete $ amounts are not available.

13 Risk Assessment (cont.) Extended Risk Formula v.1. R = P a P s V P P a = probability that an attack/threat (against a vulnerability) takes place P s = probability that the attack successfully exploits the vulnerability Vulnerability Asset Threat

14 Risk Assessment (cont.) Extended Risk Formula v.2. R = P a (1-P e ) V P e = probability that the system s security measures effectively protect against the attack (reflection of system s security effectiveness) P s P s = probability that the attack is successfully executed P e = probability that the attack is NOT successfully executed, i.e. system defences are effective

15 Risk Assessment (cont.) Extended Risk Formula v.2. (cont.) R = P a V P a V P e Risk if no protection is implemented Risk reduction if measure of P e effectiveness are implemented

16 Risk Assessment (cont.) Extended Whitman s Risk Formula * R = P a V CC (P a V) + UK (P a V) LE = Loss Expectancy (i.e. = Potential P a V Loss [ 1 before CC Control + UK is Applied) ] P a = probability that certain vulnerability (affecting a particular asset) will/could get exploited V = value of information asset [1, 100] CC = current control = percentage/fraction of risk already mitigated by current control UK = uncertainty of knowledge = fraction of risk that is not fully known

17 Risk Assessment (cont.) Example: Risk determination Asset A Has a value of 50. Has one vulnerability, with a likelihood of 1.0. No current control for this vulnerability. Your assumptions and data are 90% accurate. Asset B Has a value of 100. Has two vulnerabilities: * vulnerability #2 with a likelihood of 0.5, and a current control that addresses 50% of its risk; * vulnerability #3 with a likelihood of 0.1 and no current controls. Your assumptions and data are 80% accurate. P a = 1 A V = 50 P a = 0.5 P a = 0.1 B V = 100 Which asset/vulnerability should be dealt with first?!

18 Risk Assessment (cont.) Example: Risk determination The resulting ranked list of risk ratings for the three vulnerabilities is as follows: Asset A: Vulnerability 1 rated as 55 = 50* ( ) Asset B: Vulnerability 2 rated as 35 = 50 * ( ) Asset B: Vulnerability 3 rated as 12 = 10 * ( )

19 Risk Assessment (cont.) Documenting Results 5 types of documents Of Risk Assessment ideally created 1) Information asset classification worksheet 2) Weighted asset worksheet 3) Weighted threat worksheet 4) TVA worksheet 5) Ranked vulnerability risk worksheet extension of TVA worksheet, showing only the assets and relevant vulnerabilities assigns a risk-rating ranked value for each uncontrolled asset-vulnerability pair

20 Risk Assessment (cont.) A: vulnerable assets AI: weighted asset value V: each asset s vulnerability VL: likelihood of vulnerability realization AI x VL Customer service has relatively low value but represents most pressing issue due to high vulnerability likelihood. At the end of risk assessment process, the TVA and/or ranked-vulnerability worksheets should be used to develop a prioritized list of tasks.

21 Risk Control

22 Computer Security, Stallings, pp. 487 Risk Control Strategies Once all vulnerabilities/risks are evaluated, the company has to decide on the course of action often influenced by $$$ risk high, cost low risk low, cost high

23 Risk Control Strategies (cont.) Basic Strategies to Control Risks Avoidance do not proceed with the activity or system that creates this risk Reduced Likelihood (Control) by implementing suitable controls, lower the chances of the vulnerability being exploited Transference share responsibility for the risk with a third party Mitigation reduce impact should an attack still exploit the vulnerability Acceptance understand consequences and acknowledge risks without any attempt to control or mitigate

24 Risk Control Strategies (cont.) Avoidance strategy that results in complete abandonment of activities or systems due to overly excessive risk usually results in loss of convenience or ability to preform some function that is useful to the organization the loss of this capacity is traded off against the reduced risk profile Recommended for vulnerabilities with very high risk factor that are very costly to fix.

25 Risk Control Strategies (cont.) Reduced risk control strategy that attempts to Likelihood prevent exploitation of vulnerability by (Control) means of following techniques: application of technology implementation of security controls & safeguards, such as: anti-virus software, firewall, secure HTTP and FTP servers, etc. policy e.g. insisting on safe procedures training and education change in technology and policy must be coupled with employee s training and education Recommended for vulnerabilities with high risk factor that are moderately costly to fix.

26 Risk Control Strategies (cont.) Transference risk control strategy that attempts to shift risk to other assets, other processes or other organizations if organization does not have adequate security experience, hire individuals or firms that provide expertise stick to your knitting! e.g., by hiring a Web consulting firm, risk associated with domain name registration, Web presence, Web service, are passed onto organization with more experience Recommended for vulnerabilities with high risk factor that are moderately costly to fix if employing outside expertise.

27 Risk Control Strategies (cont.) Mitigation risk control strategy that attempts to reduce the significance of impact caused by a vulnerability includes 3 plans: Recommended for vulnerabilities that are low-risk and moderately costly to fix.

28 Risk Control Strategies (cont.) Acceptance assumes NO action towards protecting an an information asset accept outcome should be used only after doing all of the following assess the probability of attack and likelihood of successful exploitation of a vulnerability approximate annual occurrence of such an attack steps to be discussed estimate potential loss that could result from attacks perform a thorough cost-benefit analysis assuming various protection techniques determine that particular asset did not justify the cost of protection! Recommended when vulnerability risk < cost of any control.

29 Risk Control Strategies (cont.) How do we know whether risk control techniques have worked / are sufficient?! Example: Risk tolerance vs. residual risk Risk Company s Risk Tolerance Residual Risk vulnerability risk before controls vulnerability risk after controls Time

30 Risk Control Strategies (cont.) Risk Tolerance risk that organization is willing to accept after implementing riskmitigation controls Residual Risk risk that has not been completely removed, reduced or planned for, after (initial) risk-mitigation controls have been employed goal of information security is not to bring residual risk to 0, but to bring it in line with companies risk tolerance risk-mitigation controls may (have to) be reinforced until residual risk falls within tolerance