A-1
Managing Risk in Information Systems
Lesson 8
Identifying and Analyzing Threats, Vulnerabilities, and Exploits
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Threat Assessments
Identifies and evaluates threats
Determines impact on confidentiality
Determines impact on integrity
Determines impact on availability
Risk assessments and threat assessments have one characteristic in common: both apply to a specific point in time (now), and a threat assessment also applies to a specific environment. Don't look for every threat; look for the most likely threats.
Loss of confidentiality: minimize unauthorized disclosure. Control who has access to data and use encryption to protect it.
Loss of integrity: minimize data modification, errors, or destruction. Control access and use hashing to detect unauthorized modifications.
Loss of availability: minimize system downtime. Ensure systems continue to operate during disruptions and that data can be restored quickly from backups.
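The notes say hashing is the control that detects unauthorized modification. The following is an added example, not part of the lesson material, showing how a baseline of keyed hashes is built over a set of files and later checked. The file contents, paths and key are constructed for illustration; the keyed variant (HMAC) is used so that someone who can edit a file cannot simply recompute its tag, which a plain hash stored beside the data would allow.

```python
import hashlib
import hmac

# Constructed sample "file system": path -> contents. Not real data.
ORIGINAL = {
    "/etc/app/config.yml": b"db_host: db.internal\nmax_conn: 50\n",
    "/srv/app/payroll.csv": b"emp_id,amount\n1001,5200.00\n1002,4800.00\n",
}

# Same files after one record has been altered (constructed tampering).
TAMPERED = {
    **ORIGINAL,
    "/srv/app/payroll.csv": b"emp_id,amount\n1001,5200.00\n1002,9800.00\n",
}

# The key is kept apart from the data it protects (for example on the
# monitoring host). Constructed placeholder value.
BASELINE_KEY = b"example-baseline-key-not-for-production"


def digest(data, key=BASELINE_KEY):
    """Keyed SHA-256 tag of the data: HMAC, so recomputing it needs the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_baseline(files):
    """Record a tag for every file at a known-good point in time."""
    return {path: digest(content) for path, content in files.items()}


def check_integrity(files, baseline):
    """Compare the current files against the baseline.

    Returns which baselined files changed, which disappeared, and which
    files appeared that the baseline never covered.
    """
    report = {"modified": [], "missing": [], "unexpected": []}
    for path, expected in baseline.items():
        if path not in files:
            report["missing"].append(path)
        elif not hmac.compare_digest(digest(files[path]), expected):
            report["modified"].append(path)
    for path in files:
        if path not in baseline:
            report["unexpected"].append(path)
    return report


if __name__ == "__main__":
    baseline = build_baseline(ORIGINAL)
    print("clean run:   ", check_integrity(ORIGINAL, baseline))
    print("tampered run:", check_integrity(TAMPERED, baseline))
```

The check only tells you that something changed, not what changed or who changed it; that is what the audit trail and access controls discussed later in the lesson are for.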
Key to Risk Management
Risk = Threat X Vulnerability
Threat assessments
Help reduce impact of threats
Vulnerability assessments
Help reduce vulnerabilities
Exploit assessments
Help validate actual threats and vulnerabilities
Remember the equation to calculate Risk. Risk = Vulnerability x Threat
Threat assessment identifies and evaluates potential threats. The goal is to identify as many potential threats as possible.
Vulnerability assessment (VA) is performed to identify vulnerabilities within an organization. Vulnerabilities are any weaknesses in your IT infrastructure.
Exploit assessments attempt to exploit vulnerabilities. In other words, they simulate an attack to determine if the attack can succeed.
Techniques for Identifying Threats
Review Historical Data
Organizational data
Similar Organization's data
Perform Threat Modeling
Review your organization's historical data for past incidents. Look for accidental and malicious errors, and consider internal users, external attackers, and natural events.
Perform threat modeling before writing an application or deploying a system, and continue it throughout the full life cycle of a product or service. If information security is considered only at the end of a project, it frequently falls short. First identify the assets you want to evaluate; asset management helps you identify the assets that are important to the organization. It is important to think like the attacker. Threat modeling is complex and takes time.
Many threats are common to similar organizations. By identifying the threats against similar organizations, you can identify possible threats against your own.
Internal Threats
Internal threats
Users with unintentional access
Users responding to phishing attempts
Users forwarding viruses
Disgruntled ex-employees
Equipment failure
Data loss
Attacks
Human threats can be internal or external and intentional or unintentional, and they are the biggest threats to a company.
Internal threats include:
Unintentional access: users having access to data they don't need but can destroy. The control is enforcement of least-privilege and need-to-know policies.
Phishing attempts: getting users to provide information they shouldn't. Spear phishing appears to come from within the company.
Forwarding viruses: forwarding infected e-mails to coworkers, or bringing viruses in on USB flash drives.
Disgruntled ex-employees: user accounts should be deleted or disabled.
Equipment and software failure.
Data loss: lack of backups.
Attacks.
Threat Modeling
What system are you trying to protect?
Is the system susceptible to attacks?
Who are the potential adversaries?
How might a potential adversary attack?
Is the system susceptible to hardware or software failure?
Who are the users?
How might an internal user misuse the system?
Best Practices for Threat Assessments
Assume nothing, recognizing that things change.
Verify that systems operate and are controlled as expected.
Limit the scope of the assessment to a single domain at a time.
Use documentation and flow diagrams to understand the system you’re evaluating.
Best Practices for Threat Assessments (Continued)
Identify all possible entry points for the domain you’re evaluating.
Consider threats to confidentiality, integrity, and availability.
Consider internal and external human threats.
Consider natural threats.
Vulnerability Assessments
Vulnerabilities are any weaknesses in an IT infrastructure.
Assessments identify vulnerabilities within an organization:
Servers
Networks
Personnel
Entire networks can be vulnerable if access controls aren’t implemented
A vulnerability assessment (VA) is performed to identify vulnerabilities within an organization. Vulnerabilities are any weaknesses in your IT infrastructure (hardware, software, services, people, etc.).
Vulnerabilities also exist when people don't understand the value of security. Social engineering tricks people into revealing sensitive information or taking unsafe actions.
You will perform some assessments more often than others. For example, automated vulnerability scans of systems are performed more frequently than manual checks.
Internal/External Vulnerability Assessments
Internal assessments: security professionals exploit internal systems to see what they can learn about vulnerabilities. I described earlier that one of the first things the new Information Systems Security Manager did at the south Texas university was to have the network administrators run scans of their IT servers to look for issues. The next step was to complete these same scans of all networks at the university: Enrollment Management, Student Affairs, and all the colleges.
External assessments: outside security consultants try to exploit the system to see what they can learn. Outside consultants don't have preconceived ideas about the organization; they just look for pathways anywhere. Their expertise is such that they can quickly find and exploit weaknesses.
Internal assessments
Security professionals exploit internal systems to learn about vulnerabilities
External assessments
Personnel outside the company exploit systems to learn about vulnerabilities
Assessing Vulnerabilities
Documentation review: review the available documentation from:
• Previous incidents: sometimes an incident is directly related to a vulnerability.
• Outage reports: outages impact the business's mission and may affect the bottom line.
• Assessment reports: review previous reports to find current and uncorrected problems.
The three common sources of information are system logs, audit trails, and intrusion detection systems. An audit trail is a series of events recorded in one or more logs; it records who, what, when, and where. Many organizations have automated systems that can review audit trails. An intrusion detection system (IDS) monitors systems and alerts when an intrusion is detected. A host-based IDS reports on a single system; a network-based IDS reports on multiple systems.
An audit checks whether rules and guidelines are being followed. When you interview employees, you can ask what they think the weaknesses are.
Process analysis checks for vulnerabilities in automated and manual processes. Consider a college's Admissions, Financial Aid, and Business Office processes. There may be weaknesses within each of these, and because they interact with each other, there may be weaknesses where they intersect.
System testing tests systems for vulnerabilities, especially those related to patches and updates. You can perform functional tests (does it do what it is supposed to do), access control tests covering rights (the authority to do something) and permissions (access to something), penetration testing (exploiting weaknesses), and transaction testing (confirming that database updates are correct).
Documentation review
Review logs
Vulnerability scans
Audits and personnel interviews
Process and output analysis
System testing
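The notes describe an audit trail as a record of who, what, when, and where, and say many organizations review audit trails automatically. The following is an added example, not taken from the lesson, of what such an automated review looks like: it parses a handful of constructed audit log lines into who/what/when/where records and applies three simple review rules. The log format, host and user names, the business-hours window and the failed-login threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed audit log lines (not from any real system). Each line records
# when (timestamp), where (host, src), who (user) and what (action, result).
SAMPLE_LOG = """\
2015-03-02T09:01:12 host=fileserver user=jdoe src=10.0.0.25 action=LOGIN result=SUCCESS
2015-03-02T09:15:40 host=fileserver user=jdoe src=10.0.0.25 action=READ result=SUCCESS obj=/finance/q1.xlsx
2015-03-02T23:40:03 host=fileserver user=asmith src=10.0.0.77 action=LOGIN result=FAIL
2015-03-02T23:40:09 host=fileserver user=asmith src=10.0.0.77 action=LOGIN result=FAIL
2015-03-02T23:40:15 host=fileserver user=asmith src=10.0.0.77 action=LOGIN result=FAIL
2015-03-02T23:40:21 host=fileserver user=asmith src=10.0.0.77 action=LOGIN result=SUCCESS
2015-03-02T23:41:02 host=fileserver user=asmith src=10.0.0.77 action=DELETE result=SUCCESS obj=/finance/q1.xlsx
"""

LINE_RE = re.compile(r"^(?P<when>\S+)\s+(?P<kv>.*)$")

# Assumed policy values for the example.
BUSINESS_HOURS = range(8, 19)   # 08:00 to 18:59
FAIL_THRESHOLD = 3              # failed logins before the user is flagged


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a record dict, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("kv").split())
    rec["when"] = datetime.fromisoformat(m.group("when"))
    return rec


def parse_log(text):
    """Parse every non-empty, well-formed line of an audit log."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def review(records):
    """Apply review rules to the audit trail and return a list of findings.

    Each finding is a tuple: (rule, who, where, when[, object]).
    """
    findings = []
    fails = defaultdict(int)          # consecutive failed logins per user
    for r in records:
        who, when, where = r["user"], r["when"], r["host"]
        if r["action"] == "LOGIN" and r["result"] == "FAIL":
            fails[who] += 1
            if fails[who] == FAIL_THRESHOLD:
                findings.append(("repeated-failed-login", who, where, when))
        elif r["action"] == "LOGIN" and r["result"] == "SUCCESS":
            if when.hour not in BUSINESS_HOURS:
                findings.append(("after-hours-login", who, where, when))
            if fails[who] >= FAIL_THRESHOLD:
                findings.append(("success-after-failures", who, where, when))
            fails[who] = 0
        elif r["action"] == "DELETE":
            findings.append(("deletion", who, where, when, r.get("obj")))
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG)):
        print(finding)
```

The rules are deliberately simple; the point is that each finding still carries the who, what, when and where from the trail, so an analyst can go back to the original log lines rather than trusting a summary.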
Vulnerability Scans and Other Assessment Tools
Many tools are available to perform vulnerability scans within a network. They:
Identify vulnerabilities;
Scan systems and the network to detect open ports and access points;
Provide metrics, so you can set a baseline and determine whether weaknesses have been fixed;
Document the results.
Identify vulnerabilities
Scan systems and network
Provide metrics
Document results
Best Practices for Vulnerability Assessments
Identify assets
Ensure scanners are kept up to date
Perform internal and external checks
Document the results
Provide reports
Exploit Assessments
Exploit assessments attempt to exploit vulnerabilities
They simulate an attack to determine if attack can succeed
An exploit test:
Usually starts with a vulnerability test to determine vulnerabilities
Follows with an attempt to exploit the vulnerability
Exploit assessments attempt to exploit vulnerabilities by simulating an attack to determine if the attack can succeed. An exploit test usually starts with a vulnerability test to determine the vulnerabilities.
Unless you are a security professional focused only on vulnerability and exploit assessments, you won’t have the detailed knowledge of security experts.
Identifying Exploits
Vulnerability test
Perform a vulnerability test to determine vulnerabilities.
Seven domains
Look at all seven domains of a typical IT infrastructure.
Mitigating Exploits with a Gap Analysis and Remediation Plan
An exploit assessment identifies:
Exploits that are mitigated
Exploits that are not mitigated
Difference represents a gap in security
Gap analysis report documents differences
Remediation plan often included with gap analysis
An exploit assessment identifies exploits that are mitigated and exploits that are not mitigated. The difference between what is mitigated and what is not mitigated represents a gap in the security. A gap analysis report documents these differences.
A remediation plan is often included with a gap analysis and explains what must be done to close the gap. It ensures all serious exploits are mitigated once the remediation plan is completed.
Implementing Configuration or Change Management
Both help prevent or remediate exploits
Configuration management
Use standards to ensure that systems are configured similarly
Change management
A process that controls changes to systems
Configuration management and change management can both help prevent or remediate exploits.
Configuration management uses standards to ensure that systems are configured in similar ways. Remember the earlier example in which companies create an image of all corporate software and copy that image onto new desktops and laptops before issuing them to users. IT can also run scans over the network to check all computers, ensuring that only corporate software is loaded and that patches have been applied. This gives you a higher level of confidence that systems are protected against exploits.
Change management controls changes to systems and ensures that changes are applied only after they have been reviewed and approved.
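The notes describe configuration management as comparing what is actually installed on each computer against the corporate standard. The following is an added example, not part of the lesson, of the check that such a network scan performs: each host's reported software inventory is compared to an approved baseline to find missing packages, out-of-date patches and unapproved software. The baseline, package names, versions and host names are constructed for the example.

```python
# Approved corporate image: package -> minimum required version (constructed).
BASELINE = {
    "os-security-rollup": "2015.02",
    "office-suite": "14.0.7",
    "endpoint-av": "6.1",
}

# Constructed inventories as reported by a network scan: host -> package -> version.
INVENTORY = {
    "lt-001": {"os-security-rollup": "2015.02", "office-suite": "14.0.7",
               "endpoint-av": "6.1"},
    "lt-002": {"os-security-rollup": "2014.12", "office-suite": "14.0.7",
               "endpoint-av": "6.1", "bittorrent-client": "7.9"},
    "lt-003": {"office-suite": "14.0.7", "endpoint-av": "6.2"},
}


def version_tuple(version):
    """'2015.02' -> (2015, 2), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def check_host(installed, baseline=BASELINE):
    """Compare one host's inventory with the baseline image."""
    missing = [p for p in baseline if p not in installed]
    outdated = [p for p in baseline
                if p in installed
                and version_tuple(installed[p]) < version_tuple(baseline[p])]
    unapproved = [p for p in installed if p not in baseline]
    return {"missing": missing, "outdated": outdated, "unapproved": unapproved}


def compliant(result):
    """A host is compliant only when every list in its result is empty."""
    return not (result["missing"] or result["outdated"] or result["unapproved"])


def compliance_report(inventory, baseline=BASELINE):
    """Check every scanned host and return host -> result."""
    return {host: check_host(pkgs, baseline) for host, pkgs in inventory.items()}


if __name__ == "__main__":
    for host, result in compliance_report(INVENTORY).items():
        status = "OK " if compliant(result) else "FIX"
        print(status, host, result)
```

A host that drifts from the image, whether by a missed patch or by software nobody approved, shows up on the next scan; that is the "higher level of confidence" the notes refer to, and it is what a later exploit assessment would otherwise have to discover the hard way.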
Verifying and Validating the Exploit Has Been Mitigated
Verify that exploit has been mitigated in the same way you identified it originally
Run vulnerability scan again
Repeat audit related to the exploit
After implementing countermeasures to mitigate an exploit, you need to repeat the testing to ensure that the exploit has been mitigated.
The easiest way to see if an exploit has been mitigated is the same way you first identified it.
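The gap analysis slide says an exploit assessment separates what is mitigated from what is not, and this slide says the way to verify a fix is to run the same scan again. The following is an added example, not from the lesson, that does both over constructed scan results: it diffs the initial assessment against the rescan to produce the mitigated / unmitigated / new lists of a gap report, derives a remediation list from the gap, and verifies a single finding the same way it was first found, by checking whether it reappears in the rescan. The host names, check names and severity scale are assumptions made for the example, not real scanner identifiers.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    check: str      # scanner check name; constructed labels, not real plugin IDs
    severity: int   # assumed scale: 1 (low) .. 4 (critical)


# Constructed results of the initial assessment.
INITIAL = {
    Finding("web01", "outdated-tls-config", 3),
    Finding("web01", "missing-os-patch", 4),
    Finding("db01", "default-admin-password", 4),
    Finding("fs01", "anonymous-share-enabled", 2),
}

# Constructed results of the rescan after the remediation plan was applied.
RESCAN = {
    Finding("web01", "outdated-tls-config", 3),
    Finding("fs01", "anonymous-share-enabled", 2),
    Finding("web01", "unneeded-service-running", 1),
}


def _order(f):
    """Most severe first, then by host and check name for stable output."""
    return (-f.severity, f.host, f.check)


def gap_analysis(before, after):
    """Gap report: what the remediation closed, what it left open, what is new."""
    return {
        "mitigated": sorted(before - after, key=_order),
        "unmitigated": sorted(before & after, key=_order),
        "new": sorted(after - before, key=_order),
    }


def remediation_plan(gap, min_severity=2):
    """Open items that still need work, ordered so the worst are handled first."""
    open_items = gap["unmitigated"] + gap["new"]
    return sorted((f for f in open_items if f.severity >= min_severity), key=_order)


def verify_mitigated(finding, rescan):
    """Verify a fix the same way the issue was found: it must be absent on rescan."""
    return finding not in rescan


if __name__ == "__main__":
    gap = gap_analysis(INITIAL, RESCAN)
    for section, items in gap.items():
        print(section)
        for f in items:
            print(f"  sev{f.severity} {f.host} {f.check}")
    print("remediation plan:", [f.check for f in remediation_plan(gap)])
```

The rescan also turned up a finding that did not exist before; a gap report that only diffs the original list would miss it, which is why the example keeps the "new" section rather than reporting a single mitigated count.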
Best Practices for Exploit Assessments
Get permission first
Without permission, you are the attacker
Identify as many exploits as possible
Use a gap analysis for legal compliance
Verify that exploits have been mitigated
Summary
Techniques used to identify relevant threats
Techniques used to identify vulnerabilities
Use of exploit assessments