Risk Assessment Plan

profileNIK-raj
Chapter8_ISOL533.pdf

Page 20Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com All rights reserved.

Chapter 8 Slides

Chapter 8: “Identifying and Analyzing Threats, Vulnerabilities, and Exploits”

Page 21Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Types of Assessments

Threat Assessment

Vulnerability Assessments

Exploits Assessments

Page 22Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Threat Assessments § Identifies and evaluates threats • Determines impact on confidentiality • Determines impact on integrity • Determines impact on availability

Page 23Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company

www.jblearning.com All rights reserved.

Key to Risk Management § Risk = Threat X Vulnerability • Threat assessments

- Help reduce impact of threats

• Vulnerability assessments - Help reduce vulnerabilities

• Exploit assessments - Help validate actual threats and

vulnerabilities

Page 24Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Techniques for Identifying Threats

Reviewing historical data

Performing threat modeling

Analogy and comparison with similar situations and activities

Page 25Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Internal Threats § Internal threats • Users with unintentional access • Users responding to phishing

attempts

• Users forwarding viruses • Disgruntled ex-employees • Equipment failure • Data loss • Attacks

Page 26Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

External Threats § Attack public-facing servers § Weather conditions and natural

disasters

Page 27Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Threat Modeling § What system are you trying to protect? § Is the system susceptible to attacks? § Who are the potential adversaries? § How might a potential adversary attack? § Is the system susceptible to hardware

or software failure? § Who are the users? § How might an internal user misuse the

system?

Page 28Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Best Practices for Threat Assessments

§ Assume nothing, recognizing that things change.

§ Verify that systems operate and are controlled as expected.

§ Limit the scope of the assessment to a single domain at a time.

§ Use documentation and flow diagrams to understand the system you’re evaluating.

Page 29Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Best Practices for Threat Assessments (Continued) § Identify all possible entry points for the

domain you’re evaluating. § Consider threats to confidentiality,

integrity, and availability. § Consider internal and external human

threats. § Consider natural threats.

Page 30Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Seven Domains of a Typical IT Infrastructure

Page 31Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Vulnerability Assessments § Vulnerabilities are any weaknesses in

an IT infrastructure. § Assessments identify vulnerabilities

within an organization: • Servers • Networks • Personnel

§ Entire networks can be vulnerable if access controls aren’t implemented

Page 32Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Internal/External Vulnerability Assessments

• Security professionals exploit internal systems to learn about vulnerabilities

Internal assessments

• Personnel outside the company exploit systems to learn about vulnerabilities

External assessments

Page 33Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Assessing Vulnerabilities

Documentation review

Review logs

Vulnerability scans

Audits and personnel interviews

Process and output analysis

System testing

Page 34Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Documentation Review

• Review incident documentation • Cause of an incident directly related to a

vulnerability Incidents

• Investigate outages that affect mission of business • If outage affected bottom line, you can probably

identify a vulnerability Outage reports

• Review past assessment reports • Helps identify common problems and problems

that have not been corrected

Assessment reports

Page 35Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Intrusion Detection System Outputs § IDS uses logs § Logs can be used in assessments

Page 36Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Vulnerability Scans and Other Assessment Tools

Identify vulnerabilities

Scan systems and

network Provide metrics

Document results

Page 37Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Audits and Personnel Interviews § Audits performed to check compliance

with rules and guidelines § VA audits check compliance with

internal policies • Checks to see if an organization is

following the policies that are in place § Audits can be:

• Manual • Auomated, scripted • Personnel interviews

Page 38Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Process Analysis and Output Analysis § Firewall has five rules • Use process analysis

§ Firewall has 100 rules • Use output analysis

Page 39Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

System Testing

§ Functionality testing ~ • Defining requirements

§ Access controls ~ • Verifying user rights and allocations

§ Penetration testing ~ • Verifying security countermeasures

§ Tests transactions with applications

Page 40Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Verifying Rights and Permissions § Verify user rights and permissions • Principle of least privilege

Page 41Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Best Practices for Vulnerability Assessments

Identify assets Ensure

scanners are kept up to date

Perform internal and external

checks

Document the results Provide reports

Page 42Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Exploit Assessments § Exploit assessments attempt to

exploit vulnerabilities • They simulate an attack to determine

if attack can succeed § An exploit test: • Uually starts with a vulnerability test

to determine vulnerabilities • Follows with an attempt to exploit the

vulnerability

Page 43Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Identifying Exploits

Vulnerability test • Perform a vulnerability test to determine

vulnerabilities.

Seven domains • Look at all seven domains of a typical IT

infrastructure.

Page 44Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Common Exploits

Social engineering

MAC flood attack

TCP Syn Flood Attack

Page 45Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

TCP Flood Attack § Common DoS attack

Page 46Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Mitigating Exploits with a Gap Analysis and Remediation Plan § An exploit assessment identifies: • Exploits that are mitigated • Exploits that are not mitigated

§ Difference represents a gap in security § Gap analysis report documents

differences § Remediation plan often included with

gap analysis

Page 47Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Implementing Configuration or Change Management § Both help prevent or remediate

exploits § Configuration management • Use standards to ensure that systems

are configured similarly § Change management • A process that controls changes to

systems

Page 48Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Verifying and Validating the Exploit Has Been Mitigated

§ Verify that exploit has been mitigated in the same way you identified it originally • Run vulnerability scan again • Repeat audit related to the exploit

Page 49Managing Risk in Information Systems © 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved.

Best Practices for Exploit Assessments § Get permission first

• Without permission, you are the attacker § Identify as many exploits as possible § Use a gap analysis for legal

compliance § Verify that exploits have been

mitigated