
IMS5002 Information Systems Security

Managing Security in the organisation – Part 2

Vulnerability Management

Lecturer: Sue Foster Week 3

Lecturer: Sue Foster: Week 3IMS5002

Review Questions – Week 1

• Explain the concept of risk in risk-based analysis
• Discuss the advantages and disadvantages of using various risk based approaches for analysing system security

Housekeeping

PLEASE NOTE - TUTORIAL 2 ONLY:
• Tutorial 05 and 06 will be combined in Room K2.04
• Tutorial 07 and 08 will be combined in Room F4.32

ASSIGNMENT
• Any questions
• 3 options
• Option 1 – Report
• Option 2 – Literature review
• Option 3 – topic is open – in depth analysis
  – Suitable for students who have an interest in a particular area of security and would like to develop their interest further
  – Please liaise with myself or your tutor as to the suitability of the topic
  – Do not assume we will accept your assignment once written without consultation

Course Structure
• Week 1 – Security Governance
• Week 2 – Managing Security in the organisation – Part 1
  – Risk Management
• Week 3 – Managing Security in the organisation – Part 2
  – Risk Analysis
  – Threats, vulnerabilities, breaches
• Week 4 – Managing Security in the organisation – Part 3
  – Risk Mitigation
  – Access controls
• Week 5 – IS Security
  – Computer forensics
• Week 1-6 – The impact of e-commerce on the organisation
  – The role of e-security
• Week 7 – Security over the internet
• Week 8 – Security as a critical business function
  – Designing a Secure System
• Week 9 – Managing Security in the organisation – Part 4
  – Security policies and procedures
• Week 10 – Business continuity plans
  – Disaster recovery
• Week 11 – Security standards, Privacy and law
• Week 12 – Current issues and future trends
• Week 13 – Revision and exam preparation

Lecture Objectives

After this lecture you should be able to:
– Discuss the advantages and disadvantages of risk-based security techniques specifically and risk based analysis generally

Keywords

The goals of security

Security is the process by which organizations TRY to maintain:
• Confidentiality
• Integrity
• Availability
• Authentication
• Accountability?
• Non-repudiation?

Risk Management Activities

Figure: risk management activities. Risk Management is linked through workflows to Risk Assessment, Security Policies, procedures and standards, Risk Mitigation and Security Auditing, with Corrective actions feeding back into the cycle.

Risk is important to the design and management of IT systems as they are an essential part of the operation of organisations.

Risk Management Overview

• Detailed assessment and evaluation of the most significant risks
• Detailed assessment and evaluation of the most significant assets
  – build a threat/asset matrix
  – calculate loss expectancies
  – build a threat/control matrix
  – calculate potential loss reductions
  – select cost-effective controls
• Management buy in

Risk Management Regions

Figure: risk management regions plotted by rate of occurrence (low to high) against consequence (low to high). Threshold lines: minimum significant occurrence rate, minimum consequence level, maximum acceptable loss. Labelled regions: "Ignore events in this area" (two regions, below the minimum significant occurrence rate and below the minimum consequence level), "Mitigate events in this area", and "Mitigate/transfer risks in this area (management decision)".

Analysing Threats

• Analyse threats to an existing information system
  – threats catalogue (T1, T2 etc) – http://www.bsi.bund.de/gshb/english/etc/index.htm [1]
• IT Baseline certification and protection
• Select appropriate controls to reduce or contain the threat
  – safeguard catalogue (S1, S2 etc) – http://www.bsi.bund.de/gshb/english/s/s01.html [1]

References:
[1] Federal Office of IT Security. (2003). IT Baseline Protection Manual (IT BPM). Located at http://www.bsi.bund.de/gshb/english/etc/index.htm
[2] IT Security Guidelines: IT Baseline Protection in Brief. Retrieved on 14/03/05, located at http://www.bsi.bund.de/english/gshb/guidelines/guidelines.pdf

Quantitative method

ALE – Annual Loss Expectancy [3]

Reference:
[3] Microsoft Corp (2004). Security Risk Management Guide: Chapter 2: Survey of Security Risk Management Practices. Retrieved on 14.03.05, located at http://www.microsoft.com/technet/security/topics/policiesandprocedures/secrisk/srsgch02.mspx#EAAA

Quantitative method - ALE (Annual Loss Expectancy)

• This approach employs two fundamental elements:
  – the probability of a threat impacting on the system
  – the probability that the event will occur and the likely loss incurred from the event
• It makes use of a single figure produced from these elements.
• This figure is called the 'Annual Loss Expectancy (ALE)' or the 'Estimated Annual Cost (EAC)'.

Simple Calculation Of ALE (Annual Loss Expectancy)

• P = probability of the threat attacking the asset per year
• C = Cost attributed to the asset loss
• ALE = C / P
• Eg: P = once every three years = 1/3
  C = approximate loss $1000
  ALE = $1000 / 3 = $333

Issues With Quantitative Method

• Unreliability and inaccuracy of the data
• Probability can rarely be precise and can, in some cases, promote complacency
• How do you put a value on an asset?
• Subjective estimates, often quantitative
• Unreliable industry statistics
• Assumes high risk threats controlled as easily as low risk
• Not always feasible
• Assumes a well-known set of controls is universally applicable

Benefits to using ALE

• The introduction of a security measure is justified if the reduction in ALE more than offsets the cost of the control
• In principle this applies to
  – physical safeguards such as guards, secure buildings etc.
  – system safeguards including software such as encryption packages, firewalls etc.
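The Risk Management Overview steps (threat/asset matrix, loss expectancies, threat/control matrix, potential loss reductions, cost-effective controls) and the ALE slides carried through end to end in Python, as an added example that is not from the lecture. Every asset value, occurrence rate, control and reduction factor below is constructed. One note on the arithmetic: the slide writes ALE = C / P, but its worked figure ($1000 lost once every three years gives $333) multiplies the cost by the annual probability P = 1/3, which is the same as dividing by the three-year interval; the ale() function follows the worked figure.

```python
"""Quantitative risk analysis walk-through (added example, not from the slides).

Steps: build a threat/asset matrix, calculate loss expectancies (ALE), build
a threat/control matrix, calculate potential loss reductions, and select the
controls whose reduction in ALE exceeds their annual cost.
"""

# Constructed asset values in dollars.
ASSET_VALUE = {"customer-db": 50_000.0, "web-server": 20_000.0}

# Step 1: threat/asset matrix (constructed). Each cell holds (P, fraction):
#   P        = expected occurrences per year (once every three years -> 1/3)
#   fraction = share of the asset value lost when the threat materialises
THREAT_ASSET = {
    ("malware", "web-server"):       (1.0, 0.25),
    ("malware", "customer-db"):      (0.5, 0.20),
    ("disk-failure", "customer-db"): (1 / 3, 1.00),
    ("intrusion", "customer-db"):    (0.1, 1.00),
}

# Step 3: threat/control matrix (constructed). Each control has an annual cost
# and the fraction of each threat's ALE it is expected to remove.
CONTROLS = {
    "antivirus":   {"cost": 2_000.0,  "reduces": {"malware": 0.8}},
    "backups":     {"cost": 4_000.0,  "reduces": {"disk-failure": 0.9}},
    "armed-guard": {"cost": 30_000.0, "reduces": {"intrusion": 0.5}},
    "ids":         {"cost": 6_000.0,  "reduces": {"intrusion": 0.6}},
}


def ale(cost, probability):
    """Annual loss expectancy for one threat/asset pair.

    The slide's worked figure ($1000 once every three years -> $333) is the
    cost multiplied by the annual probability, so that is what is done here.
    """
    return cost * probability


def loss_expectancies(matrix, asset_value):
    """Step 2: ALE for every cell of the threat/asset matrix."""
    return {
        (threat, asset): ale(asset_value[asset] * fraction, probability)
        for (threat, asset), (probability, fraction) in matrix.items()
    }


def total_ale(expectancies):
    """Sum of the ALEs: the organisation's expected annual loss with no controls."""
    return sum(expectancies.values())


def loss_reduction(control, expectancies):
    """Step 4: ALE removed per year if this control is in place."""
    return sum(
        value * control["reduces"].get(threat, 0.0)
        for (threat, _asset), value in expectancies.items()
    )


def select_controls(controls, expectancies):
    """Step 5: keep controls whose ALE reduction exceeds their annual cost,
    largest net benefit first. Returns (name, reduction, cost) tuples."""
    candidates = []
    for name, control in controls.items():
        reduction = loss_reduction(control, expectancies)
        if reduction > control["cost"]:
            candidates.append((name, reduction, control["cost"]))
    return sorted(candidates, key=lambda c: c[1] - c[2], reverse=True)


if __name__ == "__main__":
    les = loss_expectancies(THREAT_ASSET, ASSET_VALUE)
    for (threat, asset), value in les.items():
        print(f"ALE {threat:>12} on {asset:<12} ${value:>10,.2f}")
    print(f"total ALE ${total_ale(les):,.2f}")
    for name, reduction, cost in select_controls(CONTROLS, les):
        print(f"adopt {name}: removes ${reduction:,.0f}/yr of ALE for ${cost:,.0f}/yr")
```

With the constructed figures, backups and antivirus are justified (their ALE reduction exceeds their cost), while the armed guard and the IDS are not, which is exactly the comparison the "Benefits to using ALE" slide describes.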

Vulnerability Management

The Twenty Most Critical Internet Security Vulnerabilities (Updated) ~ The Experts Consensus, Version 5.0, October 8, 2004. Copyright (C) 2001-2004, SANS Institute. Retrieved on 16 March, located at http://www.sans.org/top20/

ALSO http://www.sans.org/top20/#threats

Question: What do the letters SANS refer to?
Ans: SysAdmin, Audit, Network, Security Institute

Vulnerability Assessment and remediation – Proactive measures

Vulnerabilities – defined
– Vulnerabilities are inherent software flaws, such as program errors, design limitations and system misconfigurations (errors) in software applications, that expose information to attack from malicious code (See appendix 1) and damage [4]

Vulnerability assessment
– The process of identifying and documenting specific and provable flaws in the organisation's information asset environment [4]

Reference:
[4] Whitman, M.E., & Mattord, H. J. (2003). Principles of Information Security. Massachusetts: Thomson Learning Inc.

Figure: THREATS, VULNERABILITIES and CONTROLS surrounding the INFORMATION SYSTEM.

Question: What are threats? Provide an example

Trophy Hunting

Symantec and McAfee are targeted by intruders due to the inherent value in breaking into their websites.

Symantec has approx 3000 to 4000 people each day trying to break into its website. Most of it is trophy hunting by the intruder.

Vulnerability assessment issues

Programmers, designers and systems administrators must deliver functional applications that operate according to business requirements.

Issues:
– time constraints
– budget constraints

QUESTION: If the choice comes down to delivering a revenue-generating system on time and on budget or delaying it for 2 months to check for vulnerabilities, how often will a business choose the latter?

Ad Hoc response to vulnerability management

Deal with each vulnerability as it becomes known. No formal method.

– Hear about the vulnerability
– Search for a patch
– Download a patch
– Apply the patch
– Contact other administrators about the vulnerability
– Assume the vulnerability is mitigated

Question: What is a patch?
Ans: Patches are corrected versions of application code; they do not address configuration vulnerabilities.

Problems with ad hoc responses

Patching does not address all vulnerabilities:

– Increased likelihood of missed assets
– Increased likelihood of overlooked configuration vulnerabilities not covered by patching
– Failure to conduct thorough impact testing
– Inadequate production of change management documents
– Poor process management
– Poor prioritisation

Missing configuration vulnerabilities

Table: Patching corrects only a fraction of vulnerabilities (Source: CA Security Advisor Statistics, March 2004)

Technology                                           | Total number of vulnerabilities | Percentage of vulnerabilities fixed by patching | Percentage of vulnerabilities fixed by configuration changes
SuSE Linux 9.0                                       | 66                              | 85%                                             | 15%
Windows XP Professional SP1                          | 54                              | 50%                                             | 50%
Microsoft Internet Explorer 6.0 Service Pack 1 (SP1) | 70                              | 30%                                             | 70%

Ad hoc approaches to vulnerability management tend to depend on the existence of patches to determine the existence of a vulnerability. For example, running an OS update procedure streamlines parts of the patching process but does not assess configuration problems.

Dependencies on multiple systems

• Vendors' patch services do not address the vulnerabilities related to dependencies between multiple assets
• A bug in one vendor's firewall and a vulnerability in another vendor's database application will require two different types of vulnerability management

Poor Impact Testing

Before applying a patch, systems administrators should understand:

• Exactly which vulnerability is addressed
• What the prerequisites for installing the patch are
• Which applications or other assets are affected by the change
• How to restore a system if a patch fails or adversely affects other assets

ALSO: there is no way to know, prior to installing a patch on shared code, how it will affect all other applications.

Managed responses

Managed responses are systematic; they are process centric, not technology centric.

• Procedures for identifying vulnerabilities, patches and configuration changes
• Procedures for determining the appropriateness of a patch or configuration change to each system
• Prioritisation rules
• Test procedures
• Guidelines for implementing patches, configuration changes or shielding

Shielding and Perimeter Defences

Shielding is the process of protecting assets against potential threats without targeting a specific threat.

• Shielding techniques:
  – Closing firewall ports
  – Denying write access to server directories
  – Scanning content for malicious code
  – Ensuring that a PC or laptop has up to date patches and antivirus software and otherwise complies with security policies

Example: Internet Vulnerability Assessment (Whitman & Mattord, 2003 Chapt 12)

Find and document vulnerabilities that may be present in the public facing network of the organisation.

Steps include:
– Planning, scheduling and notification of the penetration testing
– Target selection
– Test selection
– Scanning for vulnerabilities
– Analyse
– Recording details of the vulnerability(ies) and assigning a response risk level

Best Practices in vulnerability Management [4]

Reference: [4] Sullivan, D. (2005). The Definitive Guide to Security Management. Computer Associates: Realtime Publishers (Chapter 3, p66)

Figure: vulnerability management workflow with the stages Monitor, Analyze, Notify, Prioritize, Plan, Test, Remediate and Report, and two exits from the main path: Terminate (not sufficient threat) and Assess (test failure).
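The managed response and the best-practice workflow above, modelled in Python as an added example that is neither from the slides nor from Sullivan's guide. It drives a vulnerability through monitor, analyze, notify, prioritize, plan, test, remediate and report, takes the "terminate: not sufficient threat" exit for low-priority items, assesses a test failure before planning again, shields an asset when no patch exists, and shows what the ad hoc patch-only approach from the earlier slides leaves untreated (configuration vulnerabilities and unlisted assets). The asset inventory, product names, VULN-000n identifiers, the priority floor, the retry limit and the "escalate" outcome after repeated test failures are all constructed assumptions.

```python
"""Managed vulnerability response (added example; not from the slides or
Sullivan's guide). All assets, products, VULN-000n ids and thresholds are
constructed."""
from dataclasses import dataclass, field

# Constructed inventory: asset name -> (installed products, criticality 1..5)
ASSETS = {
    "db01": ({"suse-linux-9.0", "oracle-db"}, 5),
    "ws01": ({"windows-xp-sp1", "ie6-sp1"}, 2),
    "ws02": ({"windows-xp-sp1", "ie6-sp1"}, 2),
    "fw01": ({"vendor-firewall"}, 4),
}


@dataclass
class Vulnerability:
    vid: str              # constructed id, not a real advisory number
    product: str
    severity: int         # 1 (low) .. 10 (critical)
    remedy: str           # "patch", "config" or "shield"
    patch_available: bool = True


# Constructed feed of newly announced vulnerabilities (the Monitor stage's input).
VULNS = [
    Vulnerability("VULN-0001", "ie6-sp1", 8, "patch"),
    Vulnerability("VULN-0002", "windows-xp-sp1", 6, "config"),
    Vulnerability("VULN-0003", "oracle-db", 9, "config"),
    Vulnerability("VULN-0004", "vendor-firewall", 7, "patch", patch_available=False),
    Vulnerability("VULN-0005", "ie6-sp1", 2, "patch"),
]


@dataclass
class Ticket:
    vuln: Vulnerability
    affected: list
    priority: int = 0
    stage: str = "monitor"
    history: list = field(default_factory=list)

    def advance(self, stage):
        self.stage = stage
        self.history.append(stage)


def correlate(vuln, assets):
    """Analyze: correlate the vulnerability to the assets running the product."""
    return sorted(name for name, (products, _) in assets.items()
                  if vuln.product in products)


def priority(vuln, affected, assets):
    """Prioritize: severity weighted by the most critical affected asset."""
    if not affected:
        return 0
    return vuln.severity * max(assets[name][1] for name in affected)


PRIORITY_FLOOR = 10      # assumed cut-off for 'terminate: not sufficient threat'
MAX_TEST_ATTEMPTS = 2    # assumed limit before a failing change is escalated


def run_workflow(vuln, assets, test_passes):
    """Drive one vulnerability through the managed response. test_passes(vuln,
    change, attempt) stands in for the impact test on a test system."""
    ticket = Ticket(vuln, correlate(vuln, assets))
    ticket.advance("analyze")
    ticket.advance("notify")
    ticket.priority = priority(vuln, ticket.affected, assets)
    ticket.advance("prioritize")
    if ticket.priority < PRIORITY_FLOOR:
        ticket.advance("terminated")            # not sufficient threat
        return ticket
    change = vuln.remedy
    if change == "patch" and not vuln.patch_available:
        change = "shield"                       # no patch yet: shield the asset
    for attempt in range(1, MAX_TEST_ATTEMPTS + 1):
        ticket.advance("plan")
        ticket.advance("test")
        if test_passes(vuln, change, attempt):
            ticket.advance("remediate:" + change)
            ticket.advance("report")
            return ticket
        ticket.advance("assess-test-failure")   # find out why, then plan again
    ticket.advance("escalate")                  # no safe change found (assumed exit)
    return ticket


def patch_only_gaps(vulns, assets, admin_known):
    """What an ad hoc, patch-only response leaves behind: configuration
    vulnerabilities, vulnerabilities with no patch, and assets missing from
    the administrator's informal list (admin_known)."""
    untreated = sorted(v.vid for v in vulns
                       if v.remedy != "patch" or not v.patch_available)
    missed_assets = sorted(set(assets) - set(admin_known))
    return untreated, missed_assets


if __name__ == "__main__":
    for v in VULNS:   # constructed test oracle: the first planned change fails
        t = run_workflow(v, ASSETS, lambda vuln, change, attempt: attempt == 2)
        print(v.vid, t.affected, t.priority, " -> ".join(t.history))
    print("patch-only gaps:", patch_only_gaps(VULNS, ASSETS, ["db01", "ws01", "fw01"]))
```

The test oracle is a plain callable so the same workflow can be exercised with a test that passes first time, one that fails once and then passes (which produces the assess-test-failure loop), or one that never passes.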

Cost of compensating for Vulnerabilities [4]

• Costs are comprised of:
  – Software maintenance fees or other costs related to purchasing patches
  – Staff time required to research, test, categorize, analyze impact potential, validate a vulnerability and correlate it to affected assets
  – Opportunity cost of reassigning staff from operations or development to apply patches or reconfigure systems
  – Lost productivity while applications are patched and reconfigured

CA database of vulnerabilities

• Ad Hoc research

Latest vulnerabilities can be checked at these sites:
– http://www3.ca.com/securityadvisor/
– http://www3.ca.com/securityadvisor/vulninfo/

Zero day vulnerabilities

As vulnerabilities are discovered, vendors move quickly to patch.

Concern: A threat will emerge soon after the discovery of a vulnerability, BEFORE a patch is available.

Vulnerabilities exploited the day they become known have been called "Zero day vulnerabilities".

Once a vulnerability becomes known, the race to exploit versus patch is on.

In summary

The key business drivers behind vulnerability management include:
– Regulatory compliance
– Business continuity
– Asset protection

Vulnerabilities and threats must be managed with a well-defined process that balances costs and benefits.

Vulnerabilities and threats are part of the information management landscape; preparing for and responding to them is not optional.

Cost Philosophy

• Dollars spent for security measures should never be more than the projected dollar loss
• Cost effective security results when reduction in risk is balanced with the cost of implementing safeguards
• The greater the value of information processed, the greater the need for control measures to protect it

Conclusion

• The importance of identifying possible threats, analysing risk areas and setting up controls cannot be overstated
• All too often organisations do not spend the time (and money) to manage risks adequately and are often reactive to security violations rather than taking a proactive approach

• Chuvakin, A. (2002). Approaches to choosing the strength of your security measures. Located at: http://www.linuxsecurity.com/content/view/117631/49/

Review Questions

• What issues are posed with a lack of vulnerability management?
• What security systems could a small enterprise set up to manage vulnerabilities and threats?

Appendix 1

Threats: Malicious Code

• Malicious code is a general term for programs that, when executed, would cause undesired results on a system.
• Users of the system usually are not aware of the program until they discover the damage.

Malicious Code

• Viruses
• Worms
• Trojan Horses
• Bombs
• Trapdoors
• Salami slicing

Viruses

• Programs that replicate themselves, infecting programs or disks and damaging programs and/or data.
• Most companies encounter viruses.
• Virus controls include:
  – passwords
  – regular backups
  – antivirus programs

Worms

• These are programs similar to viruses but they do not destroy any programs or data
• Replicate without infecting other programs
• Spread as either email attachments or by being network aware
  – Use network calls to find shared writable drives across the network to which they copy themselves

Trojan Horses

• Program fragments that hide, and perform a disguised function.
• They can:
  – capture passwords
  – disguise the introduction of viruses and worms
  – spoof (trick) an individual into giving away access rights, file ownership or other privileges
  – masquerade as someone else
• A variation called the Trojan mule destroys itself after it has quietly completed its task

Bombs

• These are variants of the Trojan Horse. They are activated when a date, event or condition occurs, or when a period of time has elapsed after a given date, event or condition.
• Typically they destroy data, programs or both.
• However they may take other malicious actions or send nasty messages.

Trapdoors/Backdoors

Defined as: unauthorised undocumented code in the source document, that gives special privileges to certain users. (see SDLC phases – documentation)

• They are typically created during software development to facilitate such things as monitoring program performance, testing its features and making corrections and improvements in the code.
• Unfortunately they are not always removed at the end of software development. They may then be accidentally discovered and exploited by third parties.