
Risk Management Facts

Risk management is the process of identifying vulnerabilities and threats and deciding what countermeasures to take to reduce risk to an acceptable level. The objective is to reduce the organization's risk to a level that senior management deems acceptable. Risk management consists of the following processes:

Asset identification

Asset identification identifies the organization's resources, and asset valuation determines the worth of each resource to the organization. Asset valuation is important because it establishes the level of protection appropriate for each asset.

When identifying assets and values, include both tangible and intangible assets:
o A tangible asset is a physical item such as a computer, storage device, or document. Such items are typically purchased, so their value can be determined from the cost to replace them.
o An intangible asset is a resource that has value, and may be saleable, even though it is not physical or material. Intangible assets are typically harder to identify and to value.

Assets can have both tangible and intangible components. For example, a computer that functions as a server has a tangible value equal to the replacement cost of the hardware. Its intangible value includes the data it holds, the role it performs within the organization, and what its information is worth to a competitor or an attacker.

Threat identification

When identifying threats, consider the various sources of threats:
o External threats are events originating outside the organization that typically aim to compromise the organization's information assets. Examples are hackers, fraud perpetrators, and malware such as viruses.
o Internal threats are intentional or accidental acts by employees, including malicious acts such as theft, fraud, or sabotage; intentional or unintentional actions that destroy or alter data; and disclosure of sensitive information through snooping or espionage.
o Natural events are events that can reasonably be expected to occur over time, such as a fire or a broken water pipe.
o Disasters are major events with a significant impact on the organization; they can disrupt production, damage assets, and compromise security. Examples are tornadoes, hurricanes, and floods.

In addition to identifying sources of threats, consider common vulnerabilities to identify the weaknesses that threats can exploit:
o Software, operating system, and hardware vulnerabilities
o Lax physical security
o Weak policies and procedures

Risk assessment

Risk assessment is the practice of deciding which of the identified threats are relevant and pressing to the organization, and then attaching the cost that can be expected if each threat materializes. There are two general risk assessment methods:
o Quantitative analysis assigns "real" numbers (monetary values) to the cost of damage and of countermeasures, and concrete probability figures to the likelihood of occurrence.
o Qualitative analysis uses scenarios to identify risks and responses. It is more speculative (based on opinion) and produces relative costs or rankings rather than absolute figures.

Note: A strictly quantitative value for a loss is usually not achievable; the valuation must also include qualitative components. Measuring risk quantitatively requires the following components:
o Asset value (AV) is the worth of the asset, tangible and intangible, as established during asset valuation.
o Exposure factor (EF) is the percentage of the asset's value lost in a single successful attack.
o Single loss expectancy (SLE) is the loss expected from one successful attack on a given asset: SLE = AV x EF. It is a monetary value describing how much one incident costs in lost asset value.
o Annualized rate of occurrence (ARO) is how many times per year the successful attack is expected to occur. ARO figures are often obtained from insurance companies, law enforcement agencies, and computer incident monitoring organizations. An ARO of 2 means the incident is expected twice a year; an ARO of .25 means once every 4 years.
o Annual loss expectancy (ALE) is the estimated loss per year from an incident: ALE = SLE x ARO. If you expect a successful attack every 4 years, the ALE is 1/4 of the SLE.

The quantitative value of a risk is therefore SLE x ARO = ALE, which tells you how much a given threat costs each year. For example, if the asset loses $1,000 in each incident and an incident is expected every 4 years, the annual cost for that asset is $250.

Risk response

After you have identified the risks and their associated costs, you can decide how best to respond to each one. Responses include:
o Mitigation: reducing the likelihood or impact of the threat by deploying security controls (countermeasures) or other protections. The annualized cost of a countermeasure should not exceed the reduction in ALE it provides; if it does, you are paying more to protect the asset than the protection is worth. Security control types are management, operational, and technical. Consider the following factors when selecting controls to reduce risk:
  o Compatibility with the existing infrastructure
  o Effectiveness
  o Regulatory compliance
  o Organizational policies
  o Operational (performance) impact
  o Feasibility (technical requirements or usability)
  o Safety and reliability
o Transference (assignment): purchasing insurance to protect the asset, so that when the incident occurs the loss is covered by the insurer. Compare the cost of the insurance with the ALE, and buy it only if the premium is less than the ALE.
o Acceptance: choosing to do nothing, for example because the cost associated with the threat is acceptable or the cost of protecting the asset is not. In this case you plan how to recover from the incident but implement no measures to avoid it.
o Rejection (denial): choosing not to respond even though the risk is not at an acceptable level. Rejection invites negligence claims and liability; it is not an appropriate response.
o Deterrence: letting threat actors know the consequences they face if they attack the asset, for example by posting warning banners on logon pages that state the prosecution policy.

Note: It is not possible to eliminate all risk. Taking actions reduces risk to acceptable levels. Risk that remains after reducing or transferring risk is called residual risk.
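The calculations above, carried through as an added example (not from the original notes): it computes SLE, ALE and the residual ALE left by each candidate control, values each control as ALE before minus ALE after minus its annual cost, and then applies the response rules (mitigate when a control pays for itself, transfer when insurance is cheaper than the ALE, otherwise accept). The asset value, exposure factor, ARO, control effectiveness figures and premium are constructed for illustration.

```python
"""Worked quantitative risk calculation (SLE, ARO, ALE) with a
cost/benefit check for each possible response.

Added example, not part of the original notes. The asset values,
exposure factors, rates and control costs below are constructed
illustrations, not real figures."""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    asset_value: float      # replacement cost plus intangible value (AV)
    exposure_factor: float  # fraction of the asset lost per incident (EF, 0..1)
    aro: float              # expected incidents per year (ARO)

    @property
    def sle(self) -> float:
        # Single loss expectancy: loss from one successful incident (AV x EF).
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        # Annual loss expectancy: SLE x ARO.
        return self.sle * self.aro


@dataclass
class Control:
    name: str
    annual_cost: float
    # How much the control reduces the expected rate of occurrence
    # (0.0 = no effect, 1.0 = eliminates the incident). Assumed input.
    aro_reduction: float

    def residual_ale(self, risk: Risk) -> float:
        # Residual risk: what is still expected to be lost after the control.
        return risk.sle * risk.aro * (1.0 - self.aro_reduction)

    def net_value(self, risk: Risk) -> float:
        # Value of a safeguard = ALE before - ALE after - annual cost.
        # Positive means the control pays for itself.
        return risk.ale - self.residual_ale(risk) - self.annual_cost


def choose_response(risk: Risk, controls, insurance_premium: float):
    """Return (response, residual_ale) using the rules in the notes:
    mitigate when some control has positive net value, transfer when
    insurance costs less than the ALE, otherwise accept."""
    best = max(controls, key=lambda c: c.net_value(risk), default=None)
    if best is not None and best.net_value(risk) > 0:
        return f"mitigate:{best.name}", best.residual_ale(risk)
    if insurance_premium < risk.ale:
        return "transfer:insurance", 0.0  # loss is covered; the premium is the cost
    return "accept", risk.ale


if __name__ == "__main__":
    r = Risk("file server", asset_value=40_000, exposure_factor=0.5, aro=0.25)
    print(f"SLE={r.sle:.0f} ALE={r.ale:.0f}")
    options = [Control("offsite backups", 1_500, 0.8), Control("hot site", 20_000, 0.95)]
    print(choose_response(r, options, insurance_premium=3_000))
```

With the constructed figures the file server has an SLE of 20,000 and an ALE of 5,000; offsite backups cost 1,500 a year and leave a residual ALE of 1,000, so they are worth 2,500 a year and are chosen, while the hot site costs far more than the risk it removes.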

Vulnerability Assessment Facts


Vulnerability assessment is the process of identifying the vulnerabilities in a system or network. An attacker tries to exploit vulnerabilities to gain access to information or to a network they are not authorized to use; an administrator checks a network for vulnerabilities to close security holes and make the network more secure. Tools for assessing the vulnerability of systems include:

Vulnerability scanner

A vulnerability scanner is a program that probes an application, computer, or network for known weaknesses without exploiting them, such as:
o Open ports
o Active IP addresses
o Running applications or services
o Missing critical patches
o Default user accounts that have not been disabled
o Default or blank passwords
o Misconfigurations
o Missing security controls

Vulnerability scanners:
o Should be updated regularly so they include checks for the latest known vulnerabilities.
o Are the least intrusive way to check the environment for known software flaws. Port scanners and penetration tests are potentially more intrusive; protocol analyzers cannot check for known software flaws at all.
o Can be run again after a security hole has been patched to verify that the vulnerability has been removed.

Security tools used for vulnerability scanning include:
o Nessus, a comprehensive vulnerability assessment tool.
o Microsoft Baseline Security Analyzer (MBSA), which evaluates security vulnerabilities and missing updates in Microsoft products.
o Retina Vulnerability Assessment Scanner, which remotely scans an organization's network for vulnerabilities.

Ping scanner

A ping scanner sends ICMP echo request packets to one or more IP addresses and reports which hosts answer with an echo reply. Use a ping scanner to quickly identify systems on the network that respond to ICMP. To protect against attacks that use ICMP, use a ping scanner to find systems that allow it, then configure those systems to block the ICMP messages they do not need. A vulnerability scanner often includes a ping scanner.

Port scanner

A port scanner probes systems for open ports. The most common type is the TCP SYN scan, also called a half-open scan: the scanner sends a SYN, and a port that answers with SYN/ACK is in the listening state, whereas a closed port answers with RST. The scanner then sends RST instead of the final ACK, so the TCP three-way handshake is never completed and no session is established. Port scan output is usually given as IP address and port number separated by a colon (e.g., 192.168.0.1:x, where x is the port number) for both the source and the destination of the scan. A vulnerability scanner often includes a port scanner.

Network mapper

A network mapper discovers devices on the network and shows them in a graphical representation. Network mappers typically use a ping scan to discover devices and a port scan to identify open ports on those devices. Note: Many port scanners are technically network mappers.

Password cracker

A password cracker performs cryptographic attacks on passwords. Use one to identify weak passwords or passwords protected with weak hashing or encryption. Common password cracking tools include:
o John the Ripper
o Cain and Abel
o L0phtCrack (later released as LC4)
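An added example (not from the original notes) of a port scanner that reports results in the ip:port form described above. A SYN (half-open) scan needs raw sockets and root privileges, so this example uses a full TCP connect, which any user can run, and it scans a local listener that it starts itself so it works offline; the host, port window and timeout are assumptions.

```python
"""TCP connect scan against a local test listener.

Added example, not part of the original notes. A SYN (half-open) scan
needs raw sockets and privileges, so this uses a full connect() which
any user can run; the result format (ip:port) follows the notes."""
import socket
from concurrent.futures import ThreadPoolExecutor


def start_test_listener(host="127.0.0.1"):
    """Open a listening TCP socket on an ephemeral port so the scan has
    a known-open port to find. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def probe(host, port, timeout=0.5):
    """Return True if a TCP handshake completes (port is listening).
    A refused connection (RST) or a timeout means closed or filtered."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except (ConnectionRefusedError, socket.timeout, OSError):
            return False


def scan(host, ports, workers=32):
    """Probe the ports concurrently and return a sorted list of
    'host:port' strings for the ports found open."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe(host, p)), ports))
    return [f"{host}:{p}" for p, is_open in sorted(results) if is_open]


if __name__ == "__main__":
    srv, open_port = start_test_listener()
    # Scan a window around the listener's port; only it should show up
    # unless something else happens to be listening locally.
    candidates = range(max(1, open_port - 20), open_port + 21)
    print(scan("127.0.0.1", candidates))
    srv.close()
```

The listener never calls accept(), which is enough: the kernel completes the handshake and queues the connection, exactly what a connect scan relies on. Against a remote target the same code generates full connections that show up in the target's logs, which is why SYN scans are preferred when stealth matters.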

Open Vulnerability and Assessment Language (OVAL)

The Open Vulnerability and Assessment Language (OVAL) is an international standard for testing, analyzing, and reporting the security state of a system. OVAL is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. OVAL defines an XML format for describing and reporting system vulnerabilities: each vulnerability, configuration issue, program, or patch that might be present on a system is expressed as a definition, and OVAL repositories are libraries or databases that hold many such definitions.

Penetration Testing Facts


Penetration testing is an organization's attempt to circumvent its own security controls in order to identify vulnerabilities in its information systems. It simulates an actual attack on the network and is typically conducted from outside the organization's security perimeter. Penetration testing helps assure the effectiveness of the security policy, the implementation of security mechanisms, and the deployed countermeasures. In general, the penetration testing process includes the following steps:
o Verifying that a threat exists
o Bypassing security controls
o Actively testing security controls
o Exploiting vulnerabilities

Before starting a penetration test (also called a pen test), define the Rules of Engagement (ROE), the boundaries of the test. Important actions include:
o Obtain written, signed authorization from the highest possible level of senior management.
o Delegate personnel who are experts in the areas being tested.
o Gain approval from the Internet provider to perform the test.
o Make sure that all tools or programs used in the testing are legal and ethical.
o Establish the scope and timeline.
o Identify systems that will not be included in the test.
o Include in the authorization a statement that limits the tester's liability.
o Recognize that even if the process is approved by management, some aspects may be illegal.
o Review test findings with administrative personnel.

Types of penetration testing include:

Physical penetration

In a physical penetration test, the tester attempts to:
o Enter a building without authorization.
o Access servers or workstations without authorization.
o Access wiring closets.
o Shut down power or other services.

Operations penetration

In an operations penetration test, the tester attempts to gain as much information as possible using methods such as:
o Dumpster diving: looking through discarded papers or media for sensitive information.
o Shoulder surfing (over-the-shoulder reconnaissance): eavesdropping, or reading sensitive information from items that are not properly stored.
o Social engineering: posing as an impostor with the intent to gain access or information.

Electronic penetration

In an electronic penetration test, the tester attempts to gain access to computer systems and to information about those systems and the data they hold. The types of electronic penetration testing are:
o System scanning uses discovery protocols such as ICMP and SNMP to get as much information as possible from a system.
o Port scanning probes ports on remote hosts, looking for well-known services.
o Network monitoring uses specialized tools to watch and log network activity.
o Sniffing is the copying of captured packets without altering or interfering with the flow of traffic on the medium.
o Fingerprinting is scanning a system to identify its operating system, patch level, and the applications and services available on it. For example, the operating system can often be identified from the format of its responses to specific probes or messages. Fingerprinting is frequently grouped with footprinting, the broader reconnaissance phase of gathering information about the target organization, but footprinting covers far more than identifying individual systems.

One distinction in penetration testing is how much knowledge the attacker and the system personnel have before the test. In a zero knowledge test (also called a black box test), the tester has no prior knowledge of the target system. In a full knowledge test (also called a white box test), the tester has detailed information before starting. In a partial knowledge test (also called a grey box test), the tester has the amount of information that would be available to a typical insider in the organization. A single blind test is one in which one side has advance knowledge: either the attacker knows about the target system, or the defenders know about the impending attack. A double blind test is one in which the penetration tester has no prior information about the system and the network administrators do not know that the test is being performed. The double blind test gives the most realistic picture of the security of the system and of the organization's response to an attack.

The Open Source Security Testing Methodology Manual (OSSTMM) is a peer-reviewed methodology for performing security tests and producing metrics that analyze an organization's security in five categories:
o Personnel security
o Fraud and social engineering
o Computer and telecommunications networks
o Wireless and mobile devices
o Physical security

Protocol Analyzer Facts


A protocol analyzer, also called a packet sniffer, is software that captures (records) the frames transmitted on a network. A protocol analyzer is passive: it copies frames and lets you view their contents, but it does not modify, inject, or retransmit frames (the activities used in an active attack). Use a protocol analyzer to:
o Check for specific protocols on the network, such as SMTP, DNS, POP3, and ICMP. Identifying the traffic that exists on the network helps you to:
  o Identify devices that might be using disallowed protocols, such as ICMP, or legacy protocols such as IPX/SPX or NetBIOS.
  o Identify traffic that might be sent by attackers.
o Identify frames that might cause errors. For example, you can:
  o Determine which flags are set in a TCP handshake.
  o Detect malformed or fragmented packets.
o Examine the data contained in a packet. For example, by looking at packet data you can:
  o Identify users who are connecting to an unauthorized Web site.
  o Discover cleartext passwords sent by protocols or services that do not encrypt them.
  o Identify unencrypted traffic that includes sensitive data.
o Troubleshoot communication problems or investigate the source of heavy network traffic.

Note: A protocol analyzer shows the traffic that exists on the network and its source and destination. It does not tell you whether a destination port on a device is open unless you see traffic originating from that port. For example, seeing traffic addressed to port 80 of a device does not by itself mean that the device's firewall allows it or that the device is responding on that port.

You typically run a protocol analyzer on one device with the intent of capturing frames for all other devices on a subnet. Using a packet sniffer in this way requires the following configuration changes:
o By default, a NIC accepts only frames addressed to it (plus broadcast and subscribed multicast frames). To let the packet sniffer capture frames sent to other devices, put the NIC in promiscuous mode (sometimes called p-mode), in which the NIC passes every frame it sees up to the software.
o A switch forwards a frame only to the port where the destination device is connected, so a packet sniffer on a switch port does not see traffic sent to other switch ports. To make the switch copy all frames to the sniffing device, configure port mirroring (called SPAN on Cisco switches) so that frames sent to the other switch ports are also forwarded to the mirrored port.

Note: If the packet sniffer is connected to a hub, it already sees all frames sent to any device on the hub.

When using a protocol analyzer, you can filter the frames so that you see only the frames with information of interest. Filters can show only frames or packets to or from specific addresses, or frames that include specific protocol types. A capture filter captures (records) only the frames identified by the filter. Frames not matching the filter criteria will not be captured. A display filter shows only the frames that match the filter criteria. Frames not matching the filter criteria are still captured, but not shown. Save the results of a capture to analyze frames at a later time or on a different device.
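An added example (not code from the original notes) of what a protocol analyzer does with a captured frame: it parses the Ethernet II, IPv4 and TCP headers, reports which TCP flags are set in each step of the handshake, applies a display filter to the decoded packets, and pulls a cleartext POP3 password out of the payload. The frames are constructed with struct.pack here (a made-up POP3 login between two private addresses, with checksums left at zero), not a real capture.

```python
"""Decode Ethernet/IPv4/TCP frames the way a protocol analyzer does,
then apply a display filter to the decoded records.

Added example, not part of the original notes. The frame bytes are
constructed here with struct.pack (a made-up POP3 login, checksums
left at zero), not a real capture."""
import struct
from dataclasses import dataclass

TCP_FLAG_NAMES = {0x02: "SYN", 0x10: "ACK", 0x01: "FIN", 0x04: "RST", 0x08: "PSH", 0x20: "URG"}


@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int
    flags: list
    payload: bytes


def build_frame(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Construct a minimal Ethernet II + IPv4 + TCP frame. Checksums are
    zero, which a real analyzer would flag but which is fine for parsing."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload
    total = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


def parse_frame(frame: bytes) -> Packet:
    """Parse Ethernet II, IPv4 (honouring IHL) and TCP (honouring the data
    offset) and return the fields an analyzer displays for the frame."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    src_ip = ".".join(map(str, ip[12:16]))
    dst_ip = ".".join(map(str, ip[16:20]))
    if proto != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    flag_bits = tcp[13]
    flags = [name for bit, name in TCP_FLAG_NAMES.items() if flag_bits & bit]
    return Packet(src_mac.hex(":"), dst_mac.hex(":"), src_ip, dst_ip, proto,
                  sport, dport, flags, tcp[data_off:])


def display_filter(packets, port=None, flags=None, payload_contains=None):
    """Emulate a display filter: every packet stays in the capture, and
    only those matching all of the given criteria are returned."""
    out = []
    for p in packets:
        if port is not None and port not in (p.src_port, p.dst_port):
            continue
        if flags is not None and not set(flags).issubset(p.flags):
            continue
        if payload_contains is not None and payload_contains not in p.payload:
            continue
        out.append(p)
    return out


# Constructed capture: a three-way handshake followed by a cleartext POP3 login.
CAPTURE = [
    build_frame("10.0.0.5", "10.0.0.9", 51000, 110, 0x02),   # SYN
    build_frame("10.0.0.9", "10.0.0.5", 110, 51000, 0x12),   # SYN/ACK
    build_frame("10.0.0.5", "10.0.0.9", 51000, 110, 0x10),   # ACK
    build_frame("10.0.0.5", "10.0.0.9", 51000, 110, 0x18, b"USER alice\r\n"),
    build_frame("10.0.0.5", "10.0.0.9", 51000, 110, 0x18, b"PASS hunter2\r\n"),
]


def find_cleartext_passwords(frames):
    """Return (src_ip, dst_ip, password) for each POP3/FTP-style PASS command."""
    hits = []
    for p in display_filter([parse_frame(f) for f in frames], payload_contains=b"PASS "):
        hits.append((p.src_ip, p.dst_ip, p.payload.split(b" ", 1)[1].strip().decode()))
    return hits


if __name__ == "__main__":
    pkts = [parse_frame(f) for f in CAPTURE]
    for p in display_filter(pkts, port=110, flags=["SYN"]):
        print(p.src_ip, "->", p.dst_ip, p.flags)
    print(find_cleartext_passwords(CAPTURE))
```

The display filter leaves the five frames in CAPTURE untouched and just narrows what is shown; a capture filter with the same criteria would instead have dropped the non-matching frames before they were recorded, and the handshake frames would be gone for good.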

Common protocol analyzers include:
o Wireshark (formerly Ethereal)
o dSniff
o Ettercap
o tcpdump
o Microsoft Network Monitor

Log Facts
Logs contain a record of events that have happened on a system. Logging capabilities are built into operating systems, services, and applications. Log entries are generated in response to configuration changes, changes in system state, or in response to network conditions.

Many systems keep separate logs for different purposes:
o A system log records operating system, service, and hardware events.
o A security log (also known as an audit or access log) records logon-related information, such as incorrect passwords being used, and the use of user rights.
o A performance log records information about the use of system resources.
o A firewall log records traffic that has been allowed or denied through the firewall. You can detect attempted attacks by examining firewall logs for blocked and allowed traffic, and you can identify the traffic types used by computers on your network by looking at the destination ports. For example, you can identify servers that are running a specific service, or see computers communicating on ports that might indicate malicious software.

Logs must be analyzed to be useful; only by reading them will you discover problems. Depending on the log type, additional tools might be available to analyze logs for patterns.

By default, some logging is enabled and performed automatically. To gather additional information, you can usually enable more extensive logging. Logging consumes system resources (processor, memory, and disk), so enable additional logging only for the information you need, while gathering enough detail to reconstruct events. Disable the extra logging after you have obtained the information you need.

Log files should be saved (archived) for future reference. Apply retention policies to control how logs are saved. Retention policies specify:
o The types of information that are logged.
o How often logs are saved.
o How long log files are kept, and when (if ever) they can be deleted.
o Who can view and manage the log files.
o How log files are encrypted or otherwise protected.

A best practice for securing log files is to send archived logs to a remote log server. Considerations for an archive log server include:
o The amount of disk space required to hold the files.
o Backup requirements on the server.
o Time stamping: the computer generating the event and the computer storing the logs must have synchronized clocks (for example, via NTP) so that events from different sources can be correlated.
o Integrity of the logs, to ensure that they have not been modified.

Syslog is a protocol that defines how log messages are sent from a device to a logging server over an IP network:
o The sending device sends a short text message to the syslog receiver (the logging server).
o Log messages are sent in cleartext by default. Syslog over TLS (RFC 5425) can be used to encrypt them in transit.
o Syslog uses either UDP (traditionally port 514) or TCP.

Log files are susceptible to access and modification attacks. For example, attackers try to cover their tracks by editing audit logs to remove traces of their actions. To protect log files from alteration:
o The best protection is to send log entries to a remote server as they are generated. That way, compromise of a system does not give the attacker access to that system's logs.
o Configure file system permissions to restrict access to the log files.
o Use retention policies to preserve logs and prevent them from being overwritten.
o Configure policies that halt the system when it runs out of log space. If the system is instead configured to stop logging when the log is full and disk space is low, subsequent actions go unrecorded.
o Hash the log files so that alteration can be detected.

A security baseline is the part of the configuration baseline that ensures that all workstations and servers comply with the organization's security goals. As part of ongoing monitoring, configure alerts or alarms to notify you of events outside the security baseline.
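An added example (not from the original notes) of the firewall-log analysis described above: it parses a constructed set of syslog-style firewall lines (a simplified layout, not any specific vendor's format), counts denied connections per source, flags a source that hit many distinct ports as a probable port scan, lists which services on each host accepted traffic, and hashes the log so that later alteration can be detected. The line layout, field names and scan threshold are assumptions.

```python
"""Analyse firewall log lines for denied traffic and scan-like
behaviour, then hash the log for tamper detection.

Added example, not part of the original notes. The log lines are
constructed in a simplified syslog-like layout (not a specific vendor
format); field names and thresholds are assumptions."""
import hashlib
import re
from collections import defaultdict

# Constructed sample: one external host probing many ports, normal web
# traffic from a workstation, one allowed SSH session, one denied UDP flow.
SAMPLE_LOG = """\
Mar 10 09:12:01 fw1 kernel: DENY TCP src=203.0.113.7 dst=192.168.1.10 sport=44001 dport=22
Mar 10 09:12:01 fw1 kernel: DENY TCP src=203.0.113.7 dst=192.168.1.10 sport=44002 dport=23
Mar 10 09:12:02 fw1 kernel: DENY TCP src=203.0.113.7 dst=192.168.1.10 sport=44003 dport=445
Mar 10 09:12:02 fw1 kernel: DENY TCP src=203.0.113.7 dst=192.168.1.10 sport=44004 dport=3389
Mar 10 09:12:03 fw1 kernel: DENY TCP src=203.0.113.7 dst=192.168.1.10 sport=44005 dport=8080
Mar 10 09:12:05 fw1 kernel: ALLOW TCP src=192.168.1.25 dst=198.51.100.3 sport=50123 dport=443
Mar 10 09:12:06 fw1 kernel: ALLOW TCP src=192.168.1.25 dst=198.51.100.3 sport=50124 dport=443
Mar 10 09:12:07 fw1 kernel: ALLOW TCP src=192.168.1.40 dst=192.168.1.10 sport=50200 dport=22
Mar 10 09:12:09 fw1 kernel: DENY UDP src=192.168.1.31 dst=192.168.1.10 sport=6881 dport=6881
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+ "
    r"(?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"sport=(?P<sport>\d+) dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Return (events, bad_line_count). Malformed lines are skipped but
    counted, so gaps in the record stay visible to the analyst."""
    events, bad = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            bad += 1
            continue
        e = m.groupdict()
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        events.append(e)
    return events, bad


def denied_by_source(events):
    """Count denied connections per source address."""
    counts = defaultdict(int)
    for e in events:
        if e["action"] == "DENY":
            counts[e["src"]] += 1
    return dict(counts)


def port_scan_suspects(events, min_ports=4):
    """Flag sources denied on at least min_ports distinct destination
    ports: a crude but effective port-scan heuristic."""
    ports = defaultdict(set)
    for e in events:
        if e["action"] == "DENY":
            ports[e["src"]].add(e["dport"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


def services_by_host(events):
    """Map destination host -> sorted ports that accepted traffic, i.e.
    which services are reachable through the firewall."""
    svc = defaultdict(set)
    for e in events:
        if e["action"] == "ALLOW":
            svc[e["dst"]].add(e["dport"])
    return {h: sorted(p) for h, p in svc.items()}


def log_digest(text):
    """SHA-256 of the archived log. Store it separately from the log and
    recompute later to detect alteration."""
    return hashlib.sha256(text.encode()).hexdigest()


if __name__ == "__main__":
    ev, bad = parse_log(SAMPLE_LOG)
    print("denied per source:", denied_by_source(ev))
    print("scan suspects:", port_scan_suspects(ev))
    print("reachable services:", services_by_host(ev))
    print("malformed lines:", bad, "digest:", log_digest(SAMPLE_LOG))
```

The digest only helps if it is stored somewhere the attacker cannot reach along with the log; keeping it on the remote log server, or signing it, is what turns "hash the log files" into actual tamper evidence.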

Audit Facts
In a general sense, an audit is the activity of examining a system, its settings, and the relevant documentation to ensure that past actions and current configuration settings match the written security policy and that no unauthorized actions have taken place.

Logging is a system feature that records events as they occur. Logs (also called audit logs or audit trails) are the records generated by the logging feature. Information recorded for an audited event may include:
o Date and time of the action
o Identity of the logged-in user
o What action took place
o Success or failure of the action

Auditing is the human activity of examining and interpreting logs and other resources to ensure compliance with the written security policies. An auditor is a person who performs auditing activities:

Internal auditor

An internal auditor is drawn from within the organization to examine existing internal controls and map the security structure against management's goals and applicable statutes. Internal auditors are familiar with the organization and its goals, but might not have the skills of an external auditor, and their assessment of the organization might not be viewed as objective.

External auditor

An external auditor is hired from outside the company to give an objective consultation on the organization's security and control structure. Although an external audit can be very beneficial, be careful when allowing an external auditor to become familiar with the inner workings of the organization. Examine the auditor's qualifications and allow them sufficient time to learn about your organization.

Types of audit activity include:
o A user access and rights review determines whether privilege-granting processes are appropriate and whether computer use and escalation processes are in place and working.
o Privilege auditing checks the rights and privileges of users and groups and guards against creeping privileges (rights that accumulate as users change roles and old permissions are never removed). It also aids user and group administration.
o Usage auditing logs users' activities to document incidents for security investigations and incident response. By reviewing the log, compromised accounts can be identified, actions evaluated, and incidents reconstructed.
o Escalation auditing checks which accounts are used to perform privileged actions. For example, administrators should be required to use normal user accounts for most activities and separate administrative accounts for administrator actions. Administrators might circumvent this by granting additional privileges to their normal user accounts, which is exactly what escalation auditing is meant to catch.
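An added example (not from the original notes) of a privilege and escalation review: it compares each account's group memberships against a role baseline to report creeping privileges and missing entitlements, and flags normal (non-administrative) accounts that hold administrative groups. The role baseline, group names and directory export are constructed for illustration; a real review would read them from a directory export.

```python
"""User access and rights review: compare each account's current group
memberships with what its role is entitled to, and flag creeping
privileges and admin rights on normal (non-admin) accounts.

Added example, not part of the original notes. The role baseline and
account data are constructed; real input would come from a directory
export."""

# Constructed baseline: role -> groups that role is entitled to.
ROLE_BASELINE = {
    "developer": {"Domain Users", "Dev-Git", "Dev-Build"},
    "helpdesk": {"Domain Users", "Helpdesk", "Remote Desktop Users"},
    "sysadmin": {"Domain Users", "Domain Admins", "Server Operators"},
}

# Groups that confer administrative power; their presence on a normal
# account is what escalation auditing looks for.
ADMIN_GROUPS = {"Domain Admins", "Server Operators", "Enterprise Admins"}

# Constructed directory export: account -> (role, is_admin_account, groups).
ACCOUNTS = {
    "alice":    ("developer", False, {"Domain Users", "Dev-Git", "Dev-Build"}),
    "bob":      ("developer", False, {"Domain Users", "Dev-Git", "Helpdesk", "Server Operators"}),
    "carol":    ("helpdesk",  False, {"Domain Users", "Helpdesk", "Remote Desktop Users"}),
    "dave":     ("sysadmin",  False, {"Domain Users", "Domain Admins"}),  # day-to-day account holding admin rights
    "dave-adm": ("sysadmin",  True,  {"Domain Users", "Domain Admins", "Server Operators"}),
}


def excess_privileges(accounts, baseline):
    """Groups an account holds beyond its role's entitlement (creeping privileges)."""
    findings = {}
    for user, (role, _is_admin, groups) in accounts.items():
        extra = groups - baseline.get(role, set())
        if extra:
            findings[user] = sorted(extra)
    return findings


def missing_privileges(accounts, baseline):
    """Entitled groups an account lacks; useful for user/group administration."""
    findings = {}
    for user, (role, _is_admin, groups) in accounts.items():
        missing = baseline.get(role, set()) - groups
        if missing:
            findings[user] = sorted(missing)
    return findings


def escalation_findings(accounts, admin_groups):
    """Normal (non-admin) accounts that hold admin groups: the pattern of an
    administrator granting their everyday account administrative privileges."""
    return {user: sorted(groups & admin_groups)
            for user, (_role, is_admin, groups) in accounts.items()
            if not is_admin and groups & admin_groups}


if __name__ == "__main__":
    print("creeping privileges:", excess_privileges(ACCOUNTS, ROLE_BASELINE))
    print("missing entitlements:", missing_privileges(ACCOUNTS, ROLE_BASELINE))
    print("escalation findings:", escalation_findings(ACCOUNTS, ADMIN_GROUPS))
```

Note that the role baseline alone does not catch dave: his normal account holds only groups the sysadmin role is entitled to, so the privilege review is clean. It is the separate escalation check, keyed on whether the account is designated administrative, that surfaces the problem.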
