IMS5002 Information Systems Security
Managing Security in the organisation – Part 2
Vulnerability Management
Lecturer: Sue Foster Week 3
Lecturer: Sue Foster: Week 3IMS5002
Review Questions – Week 1
- Explain the concept of risk in risk-based analysis
- Discuss the advantages and disadvantages of using various risk-based approaches for analysing system security
Housekeeping
PLEASE NOTE - TUTORIAL 2 ONLY:
- Tutorials 05 and 06 will be combined in Room K2.04
- Tutorials 07 and 08 will be combined in Room F4.32
ASSIGNMENT
- Any questions
- 3 options
  - Option 1 – Report
  - Option 2 – Literature review
  - Option 3 – Topic is open – in-depth analysis
    - Suitable for students who have an interest in a particular area of security and would like to develop their interest further
    - Please liaise with me or your tutor as to the suitability of the topic
    - Do not assume we will accept your assignment once written without consultation
Course Structure
- Week 1 – Security Governance
- Week 2 – Managing Security in the organisation – Part 1
  - Risk Management
- Week 3 – Managing Security in the organisation – Part 2
  - Risk Analysis
  - Threats, vulnerabilities, breaches
- Week 4 – Managing Security in the organisation – Part 3
  - Risk Mitigation
  - Access controls
- Week 5 – IS Security
  - Computer forensics
- Week 6 – The impact of e-commerce on the organisation
  - The role of e-security
- Week 7 – Security over the internet
- Week 8 – Security as a critical business function
  - Designing a Secure System
- Week 9 – Managing Security in the organisation – Part 4
  - Security policies and procedures
- Week 10 – Business continuity plans
  - Disaster recovery
- Week 11 – Security standards, Privacy and law
- Week 12 – Current issues and future trends
- Week 13 – Revision and exam preparation
Lecture Objectives
After this lecture you should be able to:
- Discuss the advantages and disadvantages of risk-based security techniques specifically, and of risk-based analysis generally
Keywords
The goals of security
Security is the process by which organisations TRY to maintain:
- Confidentiality
- Integrity
- Availability
- Authentication
- Accountability?
- Non-repudiation?
Risk Management Activities
[Figure: risk management cycle – Risk Management, Risk Assessment, Security Policies, procedures and standards, Risk Mitigation, Security Auditing and Corrective actions, linked by workflow arrows]
Managing risk is important to the design and management of IT systems, because those systems are an essential part of the operation of organisations.
3
Risk Management Overview
- Detailed assessment and evaluation of the most significant risks
- Detailed assessment and evaluation of the most significant assets
  - build a threat/asset matrix
  - calculate loss expectancies
  - build a threat/control matrix
  - calculate potential loss reductions
  - select cost-effective controls
- Management buy-in
Risk Management Regions
[Figure: chart of RATE OF OCCURRENCE (low to high, horizontal axis) against CONSEQUENCE (low to high, vertical axis), divided into regions:
- below the minimum significant occurrence rate, or below the minimum consequence level: ignore events in this area
- above the maximum acceptable loss: mitigate events in this area
- between those bounds: mitigate or transfer risks in this area (management decision)]
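The chart above can be encoded as a triage rule, so that a list of estimated events is sorted into the same three regions. This is an added example, not part of the lecture slides: the slide gives no numbers, so the three thresholds are assumed values, and "maximum acceptable loss" is interpreted here as a bound on expected annual loss (rate of occurrence times consequence), which is also an assumption.

```python
"""Encoding the risk-region chart as a triage rule.

Added example, not from the lecture slides. The slide gives no numbers,
so the three thresholds below are assumed values, and "maximum acceptable
loss" is interpreted as a bound on expected annual loss
(rate of occurrence x consequence); both are assumptions.
"""
from dataclasses import dataclass

# Assumed thresholds: rate in events per year, consequence in dollars per event.
MIN_SIGNIFICANT_RATE = 0.01      # below this rate: ignore
MIN_CONSEQUENCE_LEVEL = 1_000    # below this loss per event: ignore
MAX_ACCEPTABLE_LOSS = 100_000    # expected annual loss above this: must mitigate


@dataclass(frozen=True)
class RiskEvent:
    name: str
    rate_per_year: float   # estimated rate of occurrence
    consequence: float     # estimated loss per occurrence


def region(event: RiskEvent,
           min_rate: float = MIN_SIGNIFICANT_RATE,
           min_consequence: float = MIN_CONSEQUENCE_LEVEL,
           max_loss: float = MAX_ACCEPTABLE_LOSS) -> str:
    """Map an event to one of the chart's regions: 'ignore', 'mitigate'
    or 'management decision' (mitigate or transfer)."""
    if event.rate_per_year < min_rate or event.consequence < min_consequence:
        return "ignore"
    expected_annual_loss = event.rate_per_year * event.consequence
    if expected_annual_loss > max_loss:
        return "mitigate"
    return "management decision"


def triage(events):
    """Group events by region, each group ordered by expected annual loss."""
    groups = {"ignore": [], "management decision": [], "mitigate": []}
    for ev in sorted(events, key=lambda e: e.rate_per_year * e.consequence, reverse=True):
        groups[region(ev)].append(ev.name)
    return groups


# Constructed sample events (illustrative figures, not measured data).
SAMPLE_EVENTS = [
    RiskEvent("cosmetic web page defacement", rate_per_year=2.0, consequence=500),
    RiskEvent("failure of a redundant spare disk", rate_per_year=0.001, consequence=20_000),
    RiskEvent("ransomware on the file server", rate_per_year=0.5, consequence=400_000),
    RiskEvent("laptop theft", rate_per_year=3.0, consequence=8_000),
]

if __name__ == "__main__":
    for area, names in triage(SAMPLE_EVENTS).items():
        print(f"{area}: {names}")
```

Note that the two "ignore" tests are applied before any expected-loss arithmetic, exactly as the chart draws them: a low-rate or low-consequence event is dropped regardless of its product. Whether a rare but very large event really belongs in the ignore region is the kind of question the thresholds must be chosen to answer.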
Analysing Threats
- Analyse threats to an existing information system
  - threats catalogue (T1, T2 etc.)¹
  - http://www.bsi.bund.de/gshb/english/etc/index.htm
- IT Baseline certification and protection
- Select appropriate controls to reduce or contain the threat
  - safeguard catalogue (S1, S2 etc.)¹
  - http://www.bsi.bund.de/gshb/english/s/s01.html
References:
1 Federal Office of IT Security. (2003). IT Baseline Protection Manual (IT BPM). Located at http://www.bsi.bund.de/gshb/english/etc/index.htm
2 IT Security Guidelines: IT Baseline Protection in Brief. Retrieved on 14/03/05, located at: http://www.bsi.bund.de/english/gshb/guidelines/guidelines.pdf
Quantitative method
ALE – Annual Loss Expectancy³
Reference: 3 Microsoft Corp (2004). Security Risk Management Guide: Chapter 2: Survey of Security Risk Management Practices. Retrieved on 14.03.05, located at http://www.microsoft.com/technet/security/topics/policiesandprocedures/secrisk/srsgch02.mspx#EAAA
Quantitative method - ALE (Annual Loss Expectancy)
- This approach employs two fundamental elements:
  - the probability (expected annual rate) that a threat will impact the system
  - the loss that would be incurred when the event occurs
- It combines these into a single figure, called the Annual Loss Expectancy (ALE) or the Estimated Annual Cost (EAC).
Simple Calculation Of ALE (Annual Loss Expectancy)
- P = probability (expected number of occurrences) of the threat attacking the asset per year
- C = cost attributed to the asset loss
- ALE = C × P (the loss from one occurrence multiplied by the expected number of occurrences per year)
- E.g. P = once every three years = 1/3; C = approximate loss $1000; ALE = $1000 × 1/3 = $333
Issues with the Quantitative Method
- Unreliability and inaccuracy of the data
- Probability can rarely be precise and can, in some cases, promote complacency
- How do you put a value on an asset?
- Subjective estimates presented as quantitative figures
- Unreliable industry statistics
- Assumes high-risk threats are controlled as easily as low-risk ones
- Not always feasible
- Assumes a well-known set of controls is universally applicable
Benefits of using ALE
- The introduction of a security measure is justified if the reduction in ALE more than offsets the cost of the control
- In principle this applies to
  - physical safeguards such as guards, secure buildings etc.
  - system safeguards including software such as encryption packages, firewalls etc.
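The procedure listed in the Risk Management Overview (threat/asset matrix, loss expectancies, threat/control matrix, potential loss reductions, cost-effective control selection) and the ALE justification rule above are carried through together in the following worked example. It is an added example, not code from the lecture slides or from the cited Microsoft guide; the threats, assets, dollar figures and control effects are constructed for illustration, with the slide's own $1000 / once-in-three-years case as the first row.

```python
"""Threat/asset matrix, ALE, threat/control matrix and control selection.

Added example, not from the lecture slides or the cited Microsoft guide.
The threats, assets, dollar figures and control effects are constructed
for illustration. ALE = C x P in the slide's notation: single loss
expectancy (cost of one loss) times the annual rate of occurrence.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Exposure:
    """One cell of the threat/asset matrix."""
    threat: str
    asset: str
    sle: float   # C: cost of a single loss of this asset to this threat
    aro: float   # P: expected occurrences per year


@dataclass(frozen=True)
class Control:
    """One row of the threat/control matrix: how much the control cuts
    the rate (ARO) or the size (SLE) of each threat it covers."""
    name: str
    annual_cost: float
    aro_reduction: dict   # threat -> fraction removed, 0..1
    sle_reduction: dict   # threat -> fraction removed, 0..1


def ale(e: Exposure) -> float:
    return e.sle * e.aro


def total_ale(exposures) -> float:
    return sum(ale(e) for e in exposures)


def apply_control(exposures, c: Control):
    """Residual threat/asset matrix after deploying control c."""
    return [
        replace(e,
                sle=e.sle * (1 - c.sle_reduction.get(e.threat, 0.0)),
                aro=e.aro * (1 - c.aro_reduction.get(e.threat, 0.0)))
        for e in exposures
    ]


def net_benefit(exposures, c: Control) -> float:
    """Potential loss reduction minus the control's annual cost."""
    return total_ale(exposures) - total_ale(apply_control(exposures, c)) - c.annual_cost


def select_controls(exposures, controls):
    """Greedy selection: repeatedly take the control with the largest
    positive net benefit against the *current* residual matrix, so a
    control that only duplicates an earlier one is not double-counted.
    Returns (chosen control names, residual matrix)."""
    chosen, remaining, current = [], list(controls), list(exposures)
    while remaining:
        best = max(remaining, key=lambda c: net_benefit(current, c))
        if net_benefit(current, best) <= 0:
            break                      # nothing left pays for itself
        chosen.append(best.name)
        remaining.remove(best)
        current = apply_control(current, best)
    return chosen, current


# Constructed threat/asset matrix; the first row is the slide's own example.
EXPOSURES = [
    Exposure("hardware fault", "file server", sle=1_000, aro=1 / 3),
    Exposure("malware", "workstations", sle=20_000, aro=2.0),
    Exposure("web defacement", "public web server", sle=15_000, aro=0.5),
    Exposure("theft", "laptops", sle=4_000, aro=3.0),
]

# Constructed threat/control matrix.
CONTROLS = [
    Control("antivirus subscription", 5_000, {"malware": 0.8}, {}),
    Control("full-disk encryption", 2_000, {}, {"theft": 0.9}),
    Control("security guards", 50_000, {"theft": 0.5}, {}),
    Control("web application firewall", 9_000, {"web defacement": 0.7}, {}),
]

if __name__ == "__main__":
    chosen, residual = select_controls(EXPOSURES, CONTROLS)
    print(f"ALE before: ${total_ale(EXPOSURES):,.2f}")
    print(f"selected:   {chosen}")
    print(f"ALE after:  ${total_ale(residual):,.2f}")
```

Two things the numbers show that the slide's one-line rule does not: a control can cut a threat's rate or its per-event cost (encryption leaves laptop theft as frequent as before but makes each loss cheap), and once a cheaper control has reduced an exposure, a more expensive control for the same threat is re-evaluated against the residual ALE and may no longer pay for itself.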
Vulnerability Management
The Twenty Most Critical Internet Security Vulnerabilities (Updated) – The Experts' Consensus, Version 5.0, October 8, 2004. Copyright (C) 2001-2004, SANS Institute. Retrieved on 16 March, located at http://www.sans.org/top20/
ALSO http://www.sans.org/top20/#threats
Question: What do the letters SANS stand for?
Ans: SysAdmin, Audit, Network, Security Institute
Vulnerability Assessment and remediation – Proactive measures
Vulnerabilities – defined
- Vulnerabilities are inherent software flaws, such as program errors, design limitations and system misconfigurations (errors) in software applications, that expose information to attack from malicious code (see Appendix 1) and to damage⁴
Vulnerability assessment
- The process of identifying and documenting specific and provable flaws in the organisation's information asset environment⁴
Reference: 4 Whitman, M.E., & Mattord, H.J. (2003). Principles of Information Security. Massachusetts: Thomson Learning Inc.
[Figure: THREATS, VULNERABILITIES and CONTROLS in relation to the INFORMATION SYSTEM]
Question: What are threats? Provide an example.
Trophy Hunting
Symantec and McAfee are targeted by intruders because of the inherent value of breaking into their websites.
Symantec has approximately 3000 to 4000 people each day trying to break into its website. Most of this is trophy hunting by the intruder.
Vulnerability assessment issues
Programmers, designers and systems administrators must deliver functional applications that operate according to business requirements.
Issues:
- time constraints
- budget constraints
QUESTION: If the choice comes down to delivering a revenue-generating system on time and on budget, or delaying it for 2 months to check for vulnerabilities, how often will a business choose the latter?
Ad Hoc response to vulnerability management
Deal with each vulnerability as it becomes known; no formal method:
- Hear about the vulnerability
- Search for a patch
- Download the patch
- Apply the patch
- Contact other administrators about the vulnerability
- Assume the vulnerability is mitigated
Question: What is a patch?
Ans: Patches are corrected versions of application code; they do not address configuration vulnerabilities.
Problems with ad hoc responses
Patching does not address all vulnerabilities:
- Increased likelihood of missed assets
- Increased likelihood of overlooked configuration vulnerabilities not covered by patching
- Failure to conduct thorough impact testing
- Inadequate production of change management documents
- Poor process management
- Poor prioritisation
Missing configuration vulnerabilities
Table: Patching corrects only a fraction of vulnerabilities (Source: CA Security Advisor Statistics, March 2004)

Technology                                            Total number of    % fixed by   % fixed by
                                                      vulnerabilities    patching     configuration changes
SuSE Linux 9.0                                        66                 85%          15%
Windows XP Professional SP1                           54                 50%          50%
Microsoft Internet Explorer 6.0 Service Pack 1 (SP1)  70                 30%          70%

Ad hoc approaches to vulnerability management tend to depend on the existence of patches to determine the existence of a vulnerability. For example, running an OS update procedure streamlines parts of the patching process but does not assess configuration problems.
Dependencies on multiple systems
- Vendors' patch services do not address the vulnerabilities related to dependencies between multiple assets
- A bug in one vendor's firewall and a vulnerability in another vendor's database application will require two different types of vulnerability management
Poor Impact Testing
Before applying a patch, systems administrators should understand:
- Exactly which vulnerability is addressed
- What the prerequisites for installing the patch are
- Which applications or other assets are affected by the change
- How to restore a system if a patch fails or adversely affects other assets
ALSO: there is no way to know, prior to installing a patch on shared code, how it will affect all the other applications that use that code.
Managed responses
Managed responses are systematic; they are process-centric, not technology-centric:
- Procedures for identifying vulnerabilities, patches and configuration changes
- Procedures for determining the appropriateness of a patch or configuration change for each system
- Prioritisation rules
- Test procedures
- Guidelines for implementing patches, configuration changes or shielding
Shielding and Perimeter Defences
Shielding is the process of protecting assets against potential threats without targeting a specific threat.
- Shielding techniques:
  - Closing firewall ports
  - Denying write access to server directories
  - Scanning content for malicious code
  - Ensuring that a PC or laptop has up-to-date patches and antivirus software and otherwise complies with security policies
Example: Internet Vulnerability Assessment (Whitman & Mattord, 2003, Chapter 12)
Find and document vulnerabilities that may be present in the public-facing network of the organisation.
Steps include:
- Planning, scheduling and notification of the penetration testing
- Target selection
- Test selection
- Scanning for vulnerabilities
- Analysis
- Recording details of the vulnerability(ies) and assigning a response risk level
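The managed-response elements listed earlier (prioritisation rules, a patch-or-reconfigure decision per system, shielding when no fix exists) and the final assessment step above (record the vulnerability and assign a response risk level) are shown together in the following worked example. It is an added example, not code from the lecture slides or the cited texts: the scoring weights, the four risk levels, the response deadlines and the sample records are constructed assumptions, and the identifiers are placeholders rather than real advisory numbers.

```python
"""Managed response: prioritisation rules and remediation planning.

Added example, not from the lecture slides or the cited texts. The scoring
weights, risk levels, response deadlines and the sample vulnerability
records are all constructed assumptions; the identifiers are placeholders,
not real advisory numbers.
"""
from dataclasses import dataclass
from enum import Enum


class Fix(Enum):
    PATCH = "patch"           # vendor has released corrected code
    CONFIG = "configuration"  # fixed by a configuration change, not a patch
    NONE = "none"             # no vendor fix yet (the zero-day window)


@dataclass(frozen=True)
class Vuln:
    vuln_id: str            # placeholder identifier
    asset: str
    severity: int           # 1..10, taken from the advisory
    asset_criticality: int  # 1..5, from the asset register
    internet_facing: bool
    exploit_public: bool    # exploit code or a worm is in circulation
    fix: Fix


# Assumed response deadlines (days) per risk level.
RESPONSE_DAYS = {"critical": 2, "high": 7, "medium": 30, "low": 90}


def priority_score(v: Vuln) -> int:
    """Assumed rule: severity x criticality, doubled for internet exposure
    and doubled again if an exploit is already public."""
    score = v.severity * v.asset_criticality
    if v.internet_facing:
        score *= 2
    if v.exploit_public:
        score *= 2
    return score


def response_risk_level(v: Vuln) -> str:
    s = priority_score(v)
    if s >= 80:
        return "critical"
    if s >= 40:
        return "high"
    if s >= 15:
        return "medium"
    return "low"


def planned_action(v: Vuln) -> str:
    """Patch when a patch exists, reconfigure when the flaw is a
    configuration problem, shield (firewall rules, write denial, content
    scanning) when no fix is available yet."""
    if v.fix is Fix.PATCH:
        return "patch"
    if v.fix is Fix.CONFIG:
        return "reconfigure"
    return "shield"


def prioritise(vulns):
    """Work queue ordered by priority: (id, level, action, deadline days)."""
    ordered = sorted(vulns, key=priority_score, reverse=True)
    return [(v.vuln_id, response_risk_level(v), planned_action(v),
             RESPONSE_DAYS[response_risk_level(v)]) for v in ordered]


def close_out(v: Vuln, rescan_clean: bool) -> str:
    """Do not assume a vulnerability is mitigated: it is closed only when
    a post-remediation test (rescan) confirms it; otherwise it goes back
    to assessment."""
    return "remediated" if rescan_clean else "reassess"


# Constructed sample records.
SAMPLE = [
    Vuln("VULN-A", "public web server", 9, 5, True, True, Fix.PATCH),
    Vuln("VULN-B", "internal database", 7, 5, False, False, Fix.CONFIG),
    Vuln("VULN-C", "mail gateway", 8, 4, True, True, Fix.NONE),
    Vuln("VULN-D", "developer workstation", 3, 1, False, False, Fix.PATCH),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE):
        print(row)
```

The point of separating the risk level from the action is that the two ad hoc failure modes above both disappear: a configuration flaw (VULN-B) is queued even though no patch will ever exist for it, and a flaw with no vendor fix (VULN-C) is not left waiting but gets a shielding task with the same deadline as a patchable critical.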
Best Practices in Vulnerability Management⁴
Reference: 4 Sullivan, D. (2005). The Definitive Guide to Security Management. Computer Associates: Realtime Publishers (Chapter 3, p. 66)
[Figure: vulnerability management cycle – Monitor, Analyze, Notify, Prioritize, Plan, Test, Remediate, Report; with the exit paths "Terminate: not sufficient threat" and "Assess test failure"]
Cost of Compensating for Vulnerabilities⁴
- Costs are comprised of:
  - Software maintenance fees or other costs related to purchasing patches
  - Staff time required to research, test, categorize, analyze impact potential, validate a vulnerability and correlate it to affected assets
  - Opportunity cost of reassigning staff from operations or development to apply patches or reconfigure systems
  - Lost productivity while applications are patched and reconfigured
CA database of vulnerabilities
- Ad hoc research
Latest vulnerabilities can be checked at these sites:
- http://www3.ca.com/securityadvisor/
- http://www3.ca.com/securityadvisor/vulninfo/
Zero day vulnerabilities
As vulnerabilities are discovered, vendors move quickly to patch.
Concern: a threat will emerge soon after the discovery of a vulnerability, BEFORE a patch is available.
Vulnerabilities that are exploited before a fix exists, so that the vendor has had "zero days" to respond, have been called "zero day vulnerabilities".
Once a vulnerability becomes known, the race between exploit and patch is on.
In summary
The key business drivers behind vulnerability management include:
- Regulatory compliance
- Business continuity
- Asset protection
Vulnerabilities and threats must be managed with a well-defined process that balances costs and benefits.
Vulnerabilities and threats are part of the information management landscape; preparing for and responding to them is not optional.
Cost Philosophy
- Dollars spent on security measures should never exceed the projected dollar loss they prevent
- Cost-effective security results when the reduction in risk is balanced against the cost of implementing safeguards
- The greater the value of the information processed, the greater the need for control measures to protect it
Conclusion
- The importance of identifying possible threats, analysing risk areas and setting up controls cannot be overstated
- All too often organisations do not spend the time (and money) to manage risks adequately, and react to security violations rather than taking a proactive approach
Reference: Chuvakin, A. (2002). Approaches to choosing the strength of your security measures. Located at: http://www.linuxsecurity.com/content/view/117631/49/
Review Questions
- What issues are posed by a lack of vulnerability management?
- What security systems could a small enterprise set up to manage vulnerabilities and threats?
Appendix 1
Threats: Malicious Code
Threats: Malicious code
- Malicious code is a general term for programs that, when executed, cause undesired results on a system.
- Users of the system usually are not aware of the program until they discover the damage.
Malicious Code
- Viruses
- Worms
- Trojan Horses
- Bombs
- Trapdoors
- Salami slicing
Viruses
- Programs that replicate themselves, infecting programs or disks and damaging programs and/or data.
- Most companies encounter viruses.
- Virus controls include:
  - passwords
  - regular backups
  - antivirus programs
Worms
- Programs similar to viruses, but self-contained: they replicate without infecting other programs and do not need to modify existing programs or data in order to spread.
- Spread either as email attachments or by being network-aware:
  - use network calls to find shared writable drives across the network, to which they copy themselves
Trojan Horses
- Program fragments that hide, and perform a disguised function.
- They can:
  - capture passwords,
  - disguise the introduction of viruses and worms,
  - spoof (trick) an individual into giving away access rights, file ownership or other privileges,
  - masquerade as someone else.
- A variation called the Trojan mule destroys itself after it has quietly completed its task.
Bombs
- These are variants of the Trojan Horse. They are activated when a date, event or condition occurs, or when a period of time has elapsed after a given date, event or condition.
- Typically they destroy data, programs or both.
- However, they may take other malicious actions or send nasty messages.
Trapdoors/Backdoors
Defined as: unauthorised, undocumented code in the source that gives special privileges to certain users (see SDLC phases – documentation).
- They are typically created during software development to facilitate such things as monitoring program performance, testing its features, and making corrections and improvements to the code.
- Unfortunately they are not always removed at the end of software development. They may then be discovered, accidentally or otherwise, and exploited by third parties.
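What such a leftover trapdoor looks like in code, next to the hardened form and the review check that would have caught it, as an added example that is not part of the lecture slides. The user record, salt, password and the "maintenance" credential are all constructed for the illustration; nothing here is a real account, and the literal-comparison check is a review heuristic, not proof that a trapdoor exists.

```python
"""Trapdoor left in shipped authentication code, and the hardened form.

Added example, not from the lecture slides. The user record, salt,
password and the "maintenance" credential are all constructed for the
illustration; nothing here is a real account.
"""
import hashlib
import hmac
import inspect
import re

_SALT = b"constructed-salt-value"   # a real store uses a random per-user salt
_ITERATIONS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed user store: username -> (salt, password hash).
USERS = {"alice": (_SALT, _hash("correct horse battery", _SALT))}


def authenticate_with_trapdoor(username: str, password: str) -> bool:
    """The flaw described above: a developer's undocumented test account,
    never removed, gives anyone who learns it a valid login."""
    if username == "maint" and password == "letmein":   # leftover trapdoor
        return True
    record = USERS.get(username)
    return record is not None and hmac.compare_digest(_hash(password, record[0]), record[1])


def authenticate(username: str, password: str) -> bool:
    """Hardened: the only path to True is a record in the user store
    whose stored hash matches, compared in constant time."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(_hash(password, salt), stored)


# A cheap code-review check: a credential variable compared to a string literal.
_LITERAL_CREDENTIAL = re.compile(r'\b(password|passwd|pwd|username|user)\s*==\s*["\']')


def find_literal_credential_checks(source: str):
    """Return (line number, line) for lines comparing a credential variable
    to a hard-coded string; a pointer for review, not proof of a trapdoor."""
    return [(n, line.strip()) for n, line in enumerate(source.splitlines(), 1)
            if _LITERAL_CREDENTIAL.search(line)]


def review(func):
    """Run the literal-credential check over a function's own source."""
    return find_literal_credential_checks(inspect.getsource(func))


if __name__ == "__main__":
    print("trapdoor login accepted:", authenticate_with_trapdoor("maint", "letmein"))
    print("hardened login accepted:", authenticate("maint", "letmein"))
    for n, line in review(authenticate_with_trapdoor):
        print(f"review line {n}: {line}")
```

The hardened function is not cleverer than the flawed one; it is simply shorter, with no branch that can return True without consulting the user store. That is the property a reviewer checks for at the end of development, and the regex is only a way of finding the candidate lines to read.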