
Slides copyright 2010 by Paladin Group, LLC used with permission by UMBC Training Centers, LLC.


3 Security+ Chapter 7 – Managing Vulnerabilities and Risks Brian E. Brzezicki

4 Threats, Vulnerabilities and Risks (335)
Asset – a resource or piece of information an organization needs to conduct its business.
Threat – any circumstance or event with the potential to cause harm to an asset.
– Natural
– Human
– Accidental
– Environmental

5 Threats, Vulnerabilities and Risks
Vulnerability – a software, hardware or procedural weakness that may give an attacker the opportunity to obtain unauthorized access.
Impact – the resulting loss when a threat exploits a vulnerability.
Risk – the likelihood that a threat will be able to exploit a vulnerability and cause an impact (loss).
– It is IMPOSSIBLE to remove 100% of risk.

6 Risk Management (337)
Attempting to reduce risks to an acceptable level. Risk management is an important responsibility of senior management.
Risk Assessment is the methodical analysis of threats, vulnerabilities and risks, followed by the selection of countermeasures and other protections that reduce risk as far as is cost effective.

7 Quantitative Risk Analysis (338)
An objective method of risk analysis that attempts to measure and assign numeric values to every aspect of the risk analysis process.
Note:
– nothing can be 100% quantified
– this approach requires a lot of front-end work, and software, to implement fully
There are several important terms and concepts needed to understand Quantitative Risk Analysis.

8 Quantitative Risk Analysis (338-339)
Asset Value – the total value of an asset. This is more than just the replacement cost:
– Replacement cost
– Development cost
– Opportunity cost
– Value of the asset to competitors
– Legal costs
– Public relations costs
– Etc.

9 Quantitative Risk Analysis (338-339)
SLE – Single Loss Expectancy. The amount of loss you expect, on average, from any single occurrence of an (asset, threat, vulnerability) combination.
Example: a warehouse's asset value is $1,000,000.00. If the warehouse caught fire, say you expect 30% of the asset value to be lost per fire (this percentage is usually called the exposure factor).
SLE = $1,000,000 * .30 = $300,000

10 Quantitative Risk Analysis (338-339)
ARO – Annual Rate of Occurrence. The number of times in one year that you expect a given threat to exploit a vulnerability and cause a loss. This can be a whole number or a fraction.
If you expect 1 fire every 10 years then ARO = (1 fire)/(10 years) = .10 or 10%
The ARO is estimated from specific conditions, statistics, historical data, etc.

11 Quantitative Risk Analysis (338-339)
ALE – Annual Loss Expectancy. The average amount of money you expect to lose every year for a certain (asset, threat, vulnerability) combination.
ALE = SLE * ARO
For the warehouse/fire example we have been using:
ALE = $300,000 per fire * .10 fires per year
ALE = $30,000

12 Countermeasures
Once you have computed an ALE, you need to choose cost-effective countermeasures that reduce the ALE such that the new ALE plus the cost of the countermeasure is less than the original ALE:
ALE_before > ALE_after + countermeasure_cost

13 Example Problem (338-339)
You have an important server. For every hour that the server is down it costs your company $1000.00. There is a 25% chance every month that the server will get hacked; if it does, it will take 4 hours to clean and reinstall the server (nobody will be able to use it during that time).
There is an intrusion prevention system that will take the risk of a hacked system to 0% (don't we wish); however, it costs $5,000.00 per year in subscription fees.
Should you purchase the IPS? If you do, how much money will you save or lose?
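To carry the SLE / ARO / ALE formulas from the previous slides through the warehouse example and the server example problem, here is an added Python example (it is not code from the original slides). It models each (asset, threat, vulnerability) combination with the slides' own terms. Two modelling choices are assumptions made for this example: the "25% chance every month" is converted to ARO = 12 * 0.25 = 3 incidents per year, which is the simplification the example problem expects, and the IPS is modelled as taking ARO to exactly 0, as the slide states.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One (asset, threat, vulnerability) combination, in the slides' terms."""
    asset_value: float      # total value of the asset, not just its replacement cost
    exposure_factor: float  # fraction of the asset value lost per occurrence (0.0 to 1.0)
    aro: float              # Annual Rate of Occurrence; may be a fraction such as 0.10

    def sle(self) -> float:
        """Single Loss Expectancy: asset value * fraction lost per occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: SLE * ARO."""
        return self.sle() * self.aro


def aro_from_monthly_probability(p_per_month: float) -> float:
    """Turn 'p chance every month' into occurrences per year the way the slide's
    example problem expects: 12 months * probability per month (an assumption
    of this example; it is an expected count, not a probability)."""
    return 12 * p_per_month


def evaluate_countermeasure(before: Risk, after: Risk, annual_cost: float) -> dict:
    """Apply the slide's rule  ALE_before > ALE_after + countermeasure_cost.
    net_saving is what the control returns per year; a negative value means it
    costs more than the loss it prevents and should not be bought on ALE grounds."""
    ale_before = before.ale()
    ale_after = after.ale()
    net_saving = ale_before - (ale_after + annual_cost)
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "annual_cost": annual_cost,
        "net_saving": net_saving,
        "worth_buying": net_saving > 0,
    }


# Warehouse / fire example from the slides: $1,000,000 asset, 30% lost per fire,
# one fire every ten years.
warehouse_fire = Risk(asset_value=1_000_000, exposure_factor=0.30, aro=0.10)

# Server example problem from the slides. $1000 per hour of downtime and a
# 4-hour rebuild make each incident a $4000 loss, so model the "asset" as that
# $4000 with all of it lost per incident; 25% per month gives ARO = 3 per year.
server_hacked = Risk(asset_value=4 * 1000, exposure_factor=1.0,
                     aro=aro_from_monthly_probability(0.25))
# The IPS is claimed to take the chance of compromise to 0%, for $5000 per year.
server_with_ips = Risk(asset_value=4 * 1000, exposure_factor=1.0, aro=0.0)
ips_decision = evaluate_countermeasure(server_hacked, server_with_ips, annual_cost=5000)

if __name__ == "__main__":
    print(f"Warehouse fire: SLE ${warehouse_fire.sle():,.0f}, ALE ${warehouse_fire.ale():,.0f}")
    print(f"Server hacked:  SLE ${server_hacked.sle():,.0f}, ARO {server_hacked.aro:g}, "
          f"ALE ${server_hacked.ale():,.0f}")
    print(f"IPS decision:   {ips_decision}")
```

Running it reproduces the warehouse figures from the slides (SLE $300,000, ALE $30,000) and answers the example problem: the server's SLE is $4,000, ARO is 3, so ALE is $12,000 a year; the $5,000 IPS therefore saves $7,000 a year and should be bought. Raise annual_cost to $15,000 and worth_buying flips to False. Real controls rarely take ARO to zero; put the residual ARO into the "after" Risk and the same rule still applies.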

14 Qualitative Risk Analysis (340)
Qualitative Risk Analysis is another, less formal method of risk analysis, more commonly used "in the field".
No metrics
Subjective
Based more on experience and intuition

15 Other Ways of Mitigating Risks (n/b)
Sometimes there is no countermeasure that reduces a risk in a cost-effective way. When that is the case you can deal with the risk in other ways:
Transferring the risk (for example, insurance)
Avoiding the risk
Accepting the risk

16 Vulnerability Assessments (340)
Although many vulnerabilities are NOT computer or network related, a Vulnerability Assessment is a specific process of analyzing computer networks for technical vulnerabilities:
1) Identifying systems on the network
2) Determining what applications / services are running
3) Determining whether those services have security holes
4) Reporting on the deficiencies found so they can be corrected
Note that a vulnerability assessment is not intrusive. It is simply a methodology for determining vulnerabilities; it does not try to actually exploit them.
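The four steps above map onto a scan-then-compare workflow. The Python below is an added example and is not part of the slides: it parses constructed nmap greppable output (the `-oG` format), so the hosts, banners and versions in SAMPLE_GNMAP are made up, and it compares each open service against a hypothetical minimum-version baseline (MIN_VERSIONS) that stands in for your organisation's policy or a vulnerability feed; the version numbers in that baseline are placeholders, not statements about flaws in those releases. Nothing in it talks to a target; it only reads scan output, which is what keeps an assessment non-intrusive.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample of `nmap -sV -oG -` greppable output (addresses, banners
# and versions are made up for this example; they are not real scan results).
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG - 10.0.0.0/29
Host: 10.0.0.2 ()\tStatus: Up
Host: 10.0.0.2 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//Apache httpd 2.4.6/\tIgnored State: closed (998)
Host: 10.0.0.3 ()\tStatus: Up
Host: 10.0.0.3 ()\tPorts: 22/open/tcp//ssh//OpenSSH 9.2/, 443/open/tcp//https//nginx 1.24.0/, 3306/filtered/tcp//mysql///\tIgnored State: closed (997)
Host: 10.0.0.4 ()\tStatus: Down
"""

# Hypothetical minimum-version baseline standing in for an organisation's policy
# or a vulnerability feed. The numbers are placeholders for the example, not
# statements about known flaws in these releases.
MIN_VERSIONS = {"OpenSSH": "8.0", "Apache httpd": "2.4.40", "nginx": "1.20"}

# Each entry in a Ports field is  port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")
VERSION_RE = re.compile(r"\d+(?:\.\d+)*")


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    product: str
    version: str


@dataclass
class HostResult:
    addr: str
    up: bool = False
    services: List[Service] = field(default_factory=list)


def split_product_version(banner: str) -> Tuple[str, str]:
    """'Apache httpd 2.4.6' -> ('Apache httpd', '2.4.6'); '' -> ('', '')."""
    m = VERSION_RE.search(banner)
    if not m:
        return banner.strip(), ""
    return banner[:m.start()].strip(), m.group(0)


def version_tuple(v: str) -> Tuple[int, ...]:
    """Compare versions numerically, so 1.24 sorts after 1.9."""
    return tuple(int(x) for x in v.split("."))


def parse_gnmap(text: str) -> Dict[str, HostResult]:
    """Steps 1 and 2: which hosts answered, and which services they expose."""
    hosts: Dict[str, HostResult] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        addr = fields[0].split()[1]
        host = hosts.setdefault(addr, HostResult(addr))
        for f in fields[1:]:
            key, _, value = f.partition(": ")
            if key == "Status":
                host.up = value.strip() == "Up"
            elif key == "Ports":
                host.up = True  # a Ports line only appears for hosts that were up
                for m in PORT_RE.finditer(value):
                    port, state, proto, _owner, name, _rpc, banner = m.groups()
                    product, version = split_product_version(banner)
                    host.services.append(Service(int(port), proto, state, name, product, version))
    return hosts


def assess(hosts: Dict[str, HostResult], baseline: Dict[str, str]) -> List[dict]:
    """Step 3: flag open services whose reported version is below the baseline.
    Nothing is touched on the target; this is a comparison of banners against policy."""
    findings = []
    for host in hosts.values():
        for s in host.services:
            if s.state != "open" or not s.version:
                continue
            minimum = baseline.get(s.product)
            if minimum and version_tuple(s.version) < version_tuple(minimum):
                findings.append({"host": host.addr, "port": s.port, "service": s.name,
                                 "product": s.product, "version": s.version,
                                 "minimum": minimum})
    return findings


def report(findings: List[dict]) -> str:
    """Step 4: a deficiency list the system owners can act on."""
    if not findings:
        return "No services below baseline."
    return "\n".join(f"{f['host']}:{f['port']} {f['product']} {f['version']} "
                     f"is below baseline {f['minimum']}" for f in findings)


if __name__ == "__main__":
    print(report(assess(parse_gnmap(SAMPLE_GNMAP), MIN_VERSIONS)))
```

One caveat a practitioner will hit immediately: banner-based version checks give false positives on distributions that backport fixes without changing the advertised version, and false negatives wherever banners are suppressed. Authenticated checks on the host itself, which is what OVAL content (next slide) is designed to describe, are more reliable than anything read off the wire.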

17 OVAL (349)
Open Vulnerability and Assessment Language. The wording below is taken directly from oval.mitre.org:
OVAL is an information security community effort to standardize how to assess and report upon the machine state of computer systems. OVAL includes a language to encode system details, and an assortment of content repositories held throughout the community. Tools and services that use OVAL for the three steps of system assessment — representing system information, expressing specific machine states, and reporting the results of an assessment — provide enterprises with accurate, consistent, and actionable information so they may improve their security. Use of OVAL also provides for reliable and reproducible information assurance metrics and enables interoperability and automation among security tools and services.

18 Penetration Testing (342)
The next step past a vulnerability assessment. Once vulnerabilities are found, one actually tries to exploit them to see whether the systems are really susceptible.
Dangerous; can actually cause damage
Do not do this without senior management approval and without written consent (a signed scope and rules of engagement)
Can be carried out by an internal team or an outside (3rd-party) organization

19 Network Security Tools (344)
Protocol Analyzers
– Promiscuous mode vs. non-promiscuous mode
– Specific tools: Wireshark
Ping Scanners
– nmap
– hping
Port Scanners
– nmap
Network Mappers

20 Password Cracking Methods (347)
Dictionary Attacks
Brute Force
Rainbow Tables
Specific tools
– John the Ripper
– Cain and Abel
– L0phtCrack
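To make the three methods concrete, here is an added Python example (not from the slides, and not code from any of the tools named) that runs a dictionary attack, a brute-force search and a small but genuine rainbow table (hash/reduce chains with a column-dependent reduction function) against SHA-256 hashes. The wordlist, the salt, the toy three-lowercase-letter password space and the chain parameters are all made up for the example. The last step shows why a per-user salt defeats precomputation: the table was built over plain passwords, so a hash of salt||password never lands on any chain.

```python
import hashlib
import itertools
import string
from typing import Callable, Dict, List, Optional

# Constructed demo wordlist; the "stored hashes" used below are computed from it.
WORDLIST = ["password", "letmein", "Summer2010", "qwerty", "dragon"]


def hash_unsalted(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()


def hash_salted(password: str, salt: bytes) -> bytes:
    # salt || password. Real systems should also use a slow KDF (bcrypt, scrypt,
    # PBKDF2); a single SHA-256 is used here only to keep the example short.
    return hashlib.sha256(salt + password.encode()).digest()


def dictionary_attack(target: bytes, wordlist: List[str],
                      hasher: Callable[[str], bytes]) -> Optional[str]:
    """Try each candidate word; 'hasher' reproduces however the target was stored."""
    for word in wordlist:
        if hasher(word) == target:
            return word
    return None


def brute_force(target: bytes, hasher: Callable[[str], bytes],
                alphabet: str = string.ascii_lowercase, max_len: int = 3) -> Optional[str]:
    """Exhaustive search; work grows as len(alphabet) ** max_len."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            cand = "".join(combo)
            if hasher(cand) == target:
                return cand
    return None


# --- Rainbow table over a toy space: 3 lowercase letters (26**3 = 17576 passwords)
ALPHABET = string.ascii_lowercase
PW_LEN = 3
SPACE = len(ALPHABET) ** PW_LEN


def reduce_fn(digest: bytes, position: int) -> str:
    """Map a hash back into the password space. Mixing in the column position is
    what makes this a rainbow table rather than a plain Hellman chain: chains that
    collide in different columns do not merge."""
    n = (int.from_bytes(digest[:8], "big") + position) % SPACE
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def build_rainbow_table(n_chains: int, chain_len: int) -> Dict[str, List[str]]:
    """Precompute chains start -> H -> R0 -> H -> R1 ... and keep only endpoints."""
    table: Dict[str, List[str]] = {}
    for i in range(n_chains):
        start = reduce_fn(hashlib.sha256(b"chain-%d" % i).digest(), 0)  # deterministic start
        p = start
        for pos in range(chain_len):
            p = reduce_fn(hashlib.sha256(p.encode()).digest(), pos)
        table.setdefault(p, []).append(start)  # keep every start: chains may share an endpoint
    return table


def rainbow_lookup(target: bytes, table: Dict[str, List[str]], chain_len: int) -> Optional[str]:
    """Walk the target forward from each possible column; on an endpoint hit,
    regenerate that chain from its start to recover the preimage."""
    for i in range(chain_len - 1, -1, -1):
        p = reduce_fn(target, i)
        for pos in range(i + 1, chain_len):
            p = reduce_fn(hashlib.sha256(p.encode()).digest(), pos)
        for start in table.get(p, []):
            q = start
            for pos in range(chain_len):
                if hashlib.sha256(q.encode()).digest() == target:
                    return q
                q = reduce_fn(hashlib.sha256(q.encode()).digest(), pos)
    return None


CHAIN_LEN = 30
RAINBOW = build_rainbow_table(n_chains=300, chain_len=CHAIN_LEN)


def chain_member(chain_index: int, steps: int) -> str:
    """Password at column 'steps' of a given chain; used to pick a target that
    is guaranteed to be covered by the (deliberately small) table."""
    p = reduce_fn(hashlib.sha256(b"chain-%d" % chain_index).digest(), 0)
    for pos in range(steps):
        p = reduce_fn(hashlib.sha256(p.encode()).digest(), pos)
    return p


if __name__ == "__main__":
    print("dictionary:", dictionary_attack(hash_unsalted("letmein"), WORDLIST, hash_unsalted))
    print("brute force:", brute_force(hash_unsalted("abc"), hash_unsalted))
    covered = chain_member(0, 5)
    print("rainbow, unsalted:", rainbow_lookup(hash_unsalted(covered), RAINBOW, CHAIN_LEN))
    # With a per-user salt the stored hash is of salt||password, which no
    # precomputed chain ever passed through, so the table finds nothing.
    print("rainbow, salted:", rainbow_lookup(hash_salted(covered, b"\x9a\x11"), RAINBOW, CHAIN_LEN))
```

John the Ripper, Cain and Abel and L0phtCrack implement these same three ideas against real hash formats (LM/NTLM, crypt(3) and so on). The defence the example points at is a per-user salt plus a deliberately slow hash: the salt makes precomputed tables useless, and the work factor multiplies the cost of every dictionary and brute-force guess.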

21 Hardware Risks

22 Storage Risks (349)
Removable media is a major concern for security professionals, especially USB drives.
Problems:
Data theft
Malware installation

23 USB Storage Countermeasures (350-351)
Physically disable USB ports
Disable USB in the BIOS
Disable USB mass storage in the operating system
– Windows registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor (setting its Start value to 4 disables the USB storage driver). Note that this only blocks the mass-storage class; USB keyboards, network adapters and other device classes still enumerate.
Disable AutoRun in Windows

24 Storage Risks (n/b)
Besides USB keys, other removable media such as CD-ROM disks and floppy disks cause problems. Through object reuse, data can unintentionally leak out of an organization, so removable media should be sanitized or destroyed before it leaves your control. Some sanitization methods include:
– Degaussing (magnetic media only; it does nothing for optical or flash media)
– Overwriting the media
– Secure deletion

25 Logging and Auditing

26 Logging and Auditing (352)
When you have spent the time and resources to protect a resource, it is important that you log access attempts and then actually review (audit) those logs.
Can be manual or automated
Sadly this is often NOT done

27 Unix Logging (n/b)
Unix logging uses the syslog daemon (syslogd, or a successor such as rsyslog or syslog-ng)
There is also the Unix kernel log ring buffer (read with dmesg)

28 Windows Logs (354)
Windows logs fall into 3 main categories (on Windows XP; there are many more on Windows 2003 and 2008):
Application
System
Security
Application log events have different severities:
Information
Warning
Error

29 Windows Logs (355)
Windows Security log events are recorded as either:
Success (audit)
Failure (audit)
The tool used to view logs in Windows is Event Viewer.

30 Log Security (357)
Logs need to be secured. Some methods of securing them are:
System permissions
Remote (central) log servers
Hashing or digitally signing log files
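The "hashing or digitally signing" control can be shown directly. The Python below is an added example, not from the slides: it seals a constructed set of syslog-style lines into an HMAC hash chain, verifies the chain, and demonstrates the two tampering cases the control is meant to catch, an edited record and a deleted tail. The key, host names, users, addresses and log lines are all made up for the example.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

# Constructed sample lines in syslog style (hosts, users and addresses are made up).
SAMPLE_LOG = [
    "Mar 10 09:12:01 srv1 sshd[2201]: Accepted publickey for alice from 10.0.0.7 port 51022",
    "Mar 10 09:15:44 srv1 sshd[2250]: Failed password for root from 203.0.113.9 port 40112",
    "Mar 10 09:15:46 srv1 sshd[2250]: Failed password for root from 203.0.113.9 port 40112",
    "Mar 10 09:20:03 srv1 sudo: alice : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx",
]

# Hypothetical signing key; in practice it lives on the remote log server, not on
# the host whose logs it protects (a root-level intruder on the host would read it).
LOG_KEY = b"example-only-log-key-do-not-reuse"
GENESIS = b"\x00" * 32


def seal_log(lines: List[str], key: bytes) -> List[dict]:
    """Build a hash chain: each record's tag is HMAC(key, previous tag || line).
    Altering, deleting or reordering any earlier line changes every later tag."""
    prev = GENESIS
    records = []
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        records.append({"line": line, "tag": tag.hex()})
        prev = tag
    return records


def verify_log(records: List[dict], key: bytes,
               checkpoint: Optional[str] = None) -> Tuple[bool, int]:
    """Return (ok, index). index is the first record that fails, len(records)
    if the chain is internally consistent but its final tag does not match the
    checkpoint, or -1 when everything verifies."""
    prev = GENESIS
    for i, rec in enumerate(records):
        expected = hmac.new(key, prev + rec["line"].encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(rec["tag"])):
            return False, i
        prev = expected
    # A chain alone cannot detect truncation of the tail: the survivors still
    # verify. Comparing the last tag against a checkpoint stored elsewhere
    # (e.g. shipped to the remote log server) closes that gap.
    if checkpoint is not None and not hmac.compare_digest(prev.hex(), checkpoint):
        return False, len(records)
    return True, -1


def checkpoint_of(records: List[dict]) -> str:
    """The value to store off-host after each batch: the most recent tag."""
    return records[-1]["tag"] if records else GENESIS.hex()


if __name__ == "__main__":
    sealed = seal_log(SAMPLE_LOG, LOG_KEY)
    cp = checkpoint_of(sealed)
    print("clean:", verify_log(sealed, LOG_KEY, cp))
    # An intruder edits a failed root login into a success.
    edited = [dict(r) for r in sealed]
    edited[1]["line"] = edited[1]["line"].replace("Failed password", "Accepted password")
    print("edited:", verify_log(edited, LOG_KEY, cp))
    # The intruder instead deletes the newest line to hide the sudo command:
    # the bare chain still verifies, the checkpoint comparison does not.
    print("truncated:", verify_log(sealed[:-1], LOG_KEY), "vs", verify_log(sealed[:-1], LOG_KEY, cp))
```

The truncation case is why the remote-server control on the slide and the checkpoint in the code go together: an intruder who has just gained root wants to delete the newest records, and a chain by itself cannot tell a clean log from one with its tail cut off. Forwarding each line (or at least each tag) to a separate log server as it is written leaves no window in which history can be rewritten on the host.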

