Risk Assessment Plan
Page 20Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com All rights reserved.
Chapter 8 Slides
Chapter 8: “Identifying and Analyzing Threats, Vulnerabilities, and Exploits”
Page 21Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Types of Assessments
Threat Assessment
Vulnerability Assessments
Exploits Assessments
Page 22Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Threat Assessments § Identifies and evaluates threats • Determines impact on confidentiality • Determines impact on integrity • Determines impact on availability
Page 23Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com All rights reserved.
Key to Risk Management § Risk = Threat X Vulnerability • Threat assessments
- Help reduce impact of threats
• Vulnerability assessments - Help reduce vulnerabilities
• Exploit assessments - Help validate actual threats and
vulnerabilities
Page 24Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Techniques for Identifying Threats
Reviewing historical data
Performing threat modeling
Analogy and comparison with similar situations and activities
Page 25Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Internal Threats § Internal threats • Users with unintentional access • Users responding to phishing
attempts
• Users forwarding viruses • Disgruntled ex-employees • Equipment failure • Data loss • Attacks
Page 26Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
External Threats § Attack public-facing servers § Weather conditions and natural
disasters
Page 27Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Threat Modeling § What system are you trying to protect? § Is the system susceptible to attacks? § Who are the potential adversaries? § How might a potential adversary attack? § Is the system susceptible to hardware
or software failure? § Who are the users? § How might an internal user misuse the
system?
Page 28Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Best Practices for Threat Assessments
§ Assume nothing, recognizing that things change.
§ Verify that systems operate and are controlled as expected.
§ Limit the scope of the assessment to a single domain at a time.
§ Use documentation and flow diagrams to understand the system you’re evaluating.
Page 29Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Best Practices for Threat Assessments (Continued) § Identify all possible entry points for the
domain you’re evaluating. § Consider threats to confidentiality,
integrity, and availability. § Consider internal and external human
threats. § Consider natural threats.
Page 30Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Seven Domains of a Typical IT Infrastructure
Page 31Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Vulnerability Assessments § Vulnerabilities are any weaknesses in
an IT infrastructure. § Assessments identify vulnerabilities
within an organization: • Servers • Networks • Personnel
§ Entire networks can be vulnerable if access controls aren’t implemented
Page 32Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Internal/External Vulnerability Assessments
• Security professionals exploit internal systems to learn about vulnerabilities
Internal assessments
• Personnel outside the company exploit systems to learn about vulnerabilities
External assessments
Page 33Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Assessing Vulnerabilities
Documentation review
Review logs
Vulnerability scans
Audits and personnel interviews
Process and output analysis
System testing
Page 34Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Documentation Review
• Review incident documentation • Cause of an incident directly related to a
vulnerability Incidents
• Investigate outages that affect mission of business • If outage affected bottom line, you can probably
identify a vulnerability Outage reports
• Review past assessment reports • Helps identify common problems and problems
that have not been corrected
Assessment reports
Page 35Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Intrusion Detection System Outputs § IDS uses logs § Logs can be used in assessments
Page 36Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Vulnerability Scans and Other Assessment Tools
Identify vulnerabilities
Scan systems and
network Provide metrics
Document results
Page 37Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Audits and Personnel Interviews § Audits performed to check compliance
with rules and guidelines § VA audits check compliance with
internal policies • Checks to see if an organization is
following the policies that are in place § Audits can be:
• Manual • Auomated, scripted • Personnel interviews
Page 38Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Process Analysis and Output Analysis § Firewall has five rules • Use process analysis
§ Firewall has 100 rules • Use output analysis
Page 39Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
System Testing
§ Functionality testing ~ • Defining requirements
§ Access controls ~ • Verifying user rights and allocations
§ Penetration testing ~ • Verifying security countermeasures
§ Tests transactions with applications
Page 40Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Verifying Rights and Permissions § Verify user rights and permissions • Principle of least privilege
Page 41Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Best Practices for Vulnerability Assessments
Identify assets Ensure
scanners are kept up to date
Perform internal and external
checks
Document the results Provide reports
Page 42Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Exploit Assessments § Exploit assessments attempt to
exploit vulnerabilities • They simulate an attack to determine
if attack can succeed § An exploit test: • Uually starts with a vulnerability test
to determine vulnerabilities • Follows with an attempt to exploit the
vulnerability
Page 43Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Identifying Exploits
Vulnerability test • Perform a vulnerability test to determine
vulnerabilities.
Seven domains • Look at all seven domains of a typical IT
infrastructure.
Page 44Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Common Exploits
Social engineering
MAC flood attack
TCP Syn Flood Attack
Page 45Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
TCP Flood Attack § Common DoS attack
Page 46Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Mitigating Exploits with a Gap Analysis and Remediation Plan § An exploit assessment identifies: • Exploits that are mitigated • Exploits that are not mitigated
§ Difference represents a gap in security § Gap analysis report documents
differences § Remediation plan often included with
gap analysis
Page 47Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Implementing Configuration or Change Management § Both help prevent or remediate
exploits § Configuration management • Use standards to ensure that systems
are configured similarly § Change management • A process that controls changes to
systems
Page 48Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Verifying and Validating the Exploit Has Been Mitigated
§ Verify that exploit has been mitigated in the same way you identified it originally • Run vulnerability scan again • Repeat audit related to the exploit
Page 49Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.
Best Practices for Exploit Assessments § Get permission first
• Without permission, you are the attacker § Identify as many exploits as possible § Use a gap analysis for legal
compliance § Verify that exploits have been
mitigated