Data and System Security

Chapter2RiskAnalysisIM.pptx

Chapter 2

Risk Analysis

Copyright © 2014 by McGraw-Hill Education.

Introduction

The objective of a security program is to mitigate risks. Mitigating risks does not mean eliminating them; it means reducing them to an acceptable level.

What is being protected?

What are the threats?

Where are the weaknesses that may be exploited?

Threat Definition

Threat vectors

Threat sources and targets

Types of attacks

Malicious mobile code

Advanced Persistent Threats (APTs)

Manual attacks

Threat Sources

Insider threats should be an important consideration in any security program.

Security professionals know that many real-world threats come from inside the organization, which is why just building a wall around your trusted interior is not good enough.

Threat Vectors

Sources: Employees, Contractors, Consultants, System integrators, Service providers, Resellers, Vendors, Cleaning staff, Third-party support, Competitors, Insiders, Terrorists, Internet attackers, Software, Malware, Software bugs, Accidents, Weather, Natural causes

Threats: Theft, Loss, Exposure, Unauthorized changes, Deletion (complete), Deletion (partial), Unauthorized addition, Fraud, Impersonation, Harassment, Espionage, Denial of service, Malfunction, Corruption, Misuse, Errors, Outages, Physical hazards, Injury

Targets: Intellectual property, Trade secrets, Personally identifiable information, Protected health information, Financial data, Credit card numbers, Social Security numbers, Documents, Computers, Peripherals, Storage, Networks, Operating systems, E-mail, Voice communications, Applications, Privacy, Productivity, Health and safety

A threat vector is a term used to describe where a threat originates and the path it takes to reach a target.

Types of Attacks

Threats found in the real world

Types of Security Controls

Preventative: Block security threats before they can exploit a vulnerability.

Detective: Discover and provide notification of attacks or misuse when they happen.

Deterrent: Stop people from wanting to violate policy.

Corrective: Restore the integrity of data or another asset.

Recovery: Restore the availability of a service.

Compensative: In a layered security strategy, provide protection even when another control fails.

Types of Attacks

Malicious Mobile Code

Computer viruses

Computer worms

E-mail worms

Trojans

Remote access Trojans

Zombie Trojans and DDoS attacks

Malicious HTML

Advanced Persistent Threats (APTs)

Manual Attacks

Physical attacks

Network-layer attacks

Application-layer attacks

Malicious Mobile Code

There are three generally recognized variants of malicious mobile code: viruses, worms, and Trojans. In addition, many malware programs have components that act like two or more of these types, which are called hybrid threats or mixed threats.

Lifecycle of malicious mobile code:

Find

Exploit

Infect

Repeat

Computer Viruses

A virus is a self-replicating program that uses other host files or code to replicate.

Anatomy of a Virus

The damage routine of a virus (or really of any malware program) is called the payload.

Payloads can be intentionally destructive, deleting files, corrupting data, copying confidential information, formatting hard drives, and removing security settings.

Types of Viruses

If the virus overwrites the host code with its own code, effectively destroying much of the original content, it is called an overwriting virus.

If the virus inserts itself into the host code, moving the original code around so the host programming still remains and is executed after the virus code, the virus is called a parasitic virus.

Viruses that copy themselves to the beginning of the file are called prepending viruses.

Viruses that place themselves at the end of a file are called appending viruses.

Viruses that appear in the middle of a host file are labeled mid-infecting viruses.

Example of an Overwriting Virus

Example of a Prepending Parasitic Virus

Computer Worms

A computer worm uses its own coding to replicate, although it may rely on the existence of other related code to do so.

The key to a worm is that it does not directly modify other host code to replicate.

E-mail Worms

Originates from e-mail

The worm first modifies the PC in such a way that it makes sure it is always loaded into memory when the machine starts.

Then it looks for additional e-mail addresses to send itself to.

Trojans

Trojan horse programs, or Trojans, work by posing as legitimate programs that are activated by an unsuspecting user.

Remote Access Trojans

A RAT becomes a back door into the compromised system and allows the remote attacker to do virtually anything he or she wants to the compromised PC.

Zombie Trojans

Zombie Trojans infect a host and wait for their originating attacker’s commands telling them to attack other hosts.

Malicious HTML

Pure HTML coding can be malicious when it breaks browser security zones or when it can access local system files.

Advanced Persistent Threats (APTs)

The use of sophisticated malware for targeted cybercrime is known as advanced persistent threats (APTs).

Usually targeted at businesses and governments

Begins with a simple malware attack.

“Phones home” to download further malware—reaches out to a command and control server (CnC server) to bring down rootkits, Trojans, RATs, and other sophisticated malware.

The RATs open up connections to their CnC servers to be used by their human controllers.

Manual Attacks

Typical Attacker Scenarios

Port-scanning a particular IP subnet, looking for open TCP/IP ports

Attempting to identify the host or service by using fingerprinting mechanisms

Attempting to compromise the system in such a way as to gain the highest privileged access to the computer

Physical Attacks

If an attacker can physically access a computer, it’s game over.

Network-Layer Attacks

Packet Sniffing

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
08/02-12:00:44 0:60:8:26:85:D -> 0:40:10:C:9D:D type:0x800 len:0x43
x.x.x.x:1873->x.x.x.x:21 TCP TTL:128 TOS:0x0 ID:53973 IpLen:20 DgmLen:53 DF
***AP*** Seq: 0x1C88EB9C Ack: 0xF308B9B7 Win: 0xFFCD TcpLen: 20
55 53 45 52 20 72 6F 67 65 72 67 0D 0A  USER rogerg..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
08/02-12:00:46 0:60:8:26:85:D->0:40:10:C:9D:D type:0x800 len:0x43
x.x.x.x:1873->x.x.x.x:21 TCP TTL:128 TOS:0x0 ID:53978 IpLen:20 DgmLen:53 DF
***AP*** Seq: 0x1C88EBA9 Ack: 0xF308B9DA Win: 0xFFAA TcpLen: 20
50 41 53 53 20 70 61 72 72 6F 74 0D 0A  PASS parrot..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
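The capture above shows an FTP login crossing the wire in cleartext. As an added example (not from the slides), here is a small Python detector that parses sniffer output in that layout and flags port-21 USER/PASS commands, the check a network monitor or audit would run to find protocols that still carry credentials unencrypted; the sample capture reuses the slide's two packets and adds a constructed HTTP packet that the filter must skip.

```python
import re

# Constructed sniffer output in the layout of the slide: the slide's two FTP
# packets plus one HTTP packet (not on the slide) that the filter must skip.
CAPTURE = """\
08/02-12:00:44 0:60:8:26:85:D -> 0:40:10:C:9D:D type:0x800 len:0x43
x.x.x.x:1873->x.x.x.x:21 TCP TTL:128 TOS:0x0 ID:53973 IpLen:20 DgmLen:53 DF
55 53 45 52 20 72 6F 67 65 72 67 0D 0A  USER rogerg..
08/02-12:00:46 0:60:8:26:85:D -> 0:40:10:C:9D:D type:0x800 len:0x43
x.x.x.x:1873->x.x.x.x:21 TCP TTL:128 TOS:0x0 ID:53978 IpLen:20 DgmLen:53 DF
50 41 53 53 20 70 61 72 72 6F 74 0D 0A  PASS parrot..
08/02-12:00:50 0:60:8:26:85:D -> 0:40:10:C:9D:D type:0x800 len:0x45
x.x.x.x:1874->x.x.x.x:80 TCP TTL:128 TOS:0x0 ID:53990 IpLen:20 DgmLen:56 DF
47 45 54 20 2F 20 48 54 54 50 2F 31 2E 30 0D 0A  GET / HTTP/1.0..
"""

HEADER = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d) ")              # packet timestamp
CONN = re.compile(r"^(\S+?):(\d+)->(\S+?):(\d+) TCP ")            # src:port->dst:port
HEXDUMP = re.compile(r"^((?:[0-9A-F]{2} )*[0-9A-F]{2})(?:\s|$)")  # payload bytes


def parse_capture(text):
    """Rebuild (timestamp, destination port, payload bytes) for each packet."""
    packets, time, dst_port = [], None, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            time = m.group(1)
        elif m := CONN.match(line):
            dst_port = int(m.group(4))
        elif (m := HEXDUMP.match(line)) and time and dst_port:
            packets.append((time, dst_port, bytes.fromhex(m.group(1))))
    return packets


def find_cleartext_logins(packets):
    """Flag FTP (port 21) USER/PASS commands: evidence that credentials crossed
    the wire unencrypted. The password itself is redacted in the finding."""
    findings = []
    for time, dst_port, payload in packets:
        if dst_port != 21:
            continue
        cmd, _, arg = payload.decode("ascii", "replace").rstrip("\r\n").partition(" ")
        if cmd == "USER":
            findings.append((time, "USER", arg))
        elif cmd == "PASS":
            findings.append((time, "PASS", "<redacted>"))
    return findings
```

Running `find_cleartext_logins(parse_capture(CAPTURE))` reports the USER and PASS commands from the slide's two packets and ignores the HTTP request.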

Protocol-Anomaly Attacks

Network packets that do not follow the intended format and purpose of the protocol.

The attacker can either compromise a remote host or network or compromise a confidential network data stream.

Network-layer attacks are most often used to get past firewalls and to cause DoS attacks.

Application-Layer Attacks

Content attacks

Buffer overflows

Password cracking

P2P attacks

Man-in-the-middle attacks

ARP poisoning

MAC flooding

DHCP poisoning

DNS spoofing

ICMP poisoning

Wireless attacks

Risk Assessment

Analyze and categorize the things to be protected and avoided.

Facilitate the identification and prioritization of protective elements.

Provide a means to measure the effectiveness of the overall security architecture.

The Definition of Risk

Risk is the probability of an undesired event (a threat) exploiting a vulnerability to cause an undesired result to an asset.

Risk = Probability (Threat + Exploit of Vulnerability) × Cost of Asset Damage

Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO)
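A worked calculation of the ALE formula, added here as an example (not from the slides) with constructed loss figures: it ranks three risks by ALE and then takes the formula one step further than the slide does, pricing a control as the ALE it removes minus its annual cost.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One threat exploiting one vulnerability against one asset."""
    name: str
    sle: float   # Single Loss Expectancy: cost of one occurrence
    aro: float   # Annualized Rate of Occurrence: expected occurrences per year

    def ale(self) -> float:
        """ALE = SLE x ARO, the formula from the slide."""
        return self.sle * self.aro


def control_value(before: Risk, after: Risk, annual_control_cost: float) -> float:
    """Net annual value of a control: the ALE it removes minus what it costs.
    A negative result means the control costs more than the risk it reduces."""
    return before.ale() - after.ale() - annual_control_cost


def rank_risks(risks):
    """Order risks by ALE, highest first, to prioritise protective elements."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


# Constructed sample figures, not data from the slides.
RISKS = [
    Risk("laptop theft (unencrypted)", sle=25_000.0, aro=2.0),
    Risk("e-mail worm outbreak", sle=40_000.0, aro=0.5),
    Risk("data centre flood", sle=500_000.0, aro=0.02),
]

if __name__ == "__main__":
    for r in rank_risks(RISKS):
        print(f"{r.name:30s} ALE = {r.ale():>10,.2f}")
    # Full-disk encryption (assumed cost 6,000 per year) reduces the loss per
    # stolen laptop to the hardware cost; the theft rate itself is unchanged.
    encrypted = Risk("laptop theft (encrypted)", sle=1_500.0, aro=2.0)
    print("net annual value of encryption:", control_value(RISKS[0], encrypted, 6_000.0))
```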

Summary

Threat definition and risk assessment are necessary to focus the security program on the areas that are most important and relevant to the environment.

Threat definition should take into account threat vectors that represent the greatest potential harm.

Many threat sources and targets need to be considered:

Malicious mobile code

Advanced persistent threats

Manual attacks

Once the threats are identified, risks should be analyzed.

Risk is a combination of the threats, exploitation of vulnerabilities, and the resulting cost of damage.

Based on this analysis, the proper defensive, detective, and deterrent controls can be applied.
