Presentation is loading. Please wait.

Presentation is loading. Please wait.

Vulnerability Analysis

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Vulnerability Analysis"— Presentation transcript:

1 Vulnerability Analysis

2 Vulnerability Analysis
Formal verification Formally (mathematically) prove certain characteristics Proves the absence of flaws in a program or design but not in a system Penetration testing Attempt to violate specific constrains stated in a policy Cannot prove correctness but absence of a vulnerability Review

3 Penetration Testing Goals Layering of tests
Prove the existence/absence of a previously defined flaw Find vulnerabilities under given restrictions (time, resources, ...) Layering of tests External attacker with no knowledge of the system External attacker with knowledge of the system Internal attacker with knowledge of the system

4 Penetration Testing Procedure
Information gathering Find problem areas in the specification Flaw hypothesis Derive possible flaws from the information gathered Flaw testing Verify the possible flaws (exploiting, testing) – but no harming! Flaw generalization Generalize the obtained insights Flaw elimination proposal Flaws need to be fixed but sometimes this takes time and than the tester can suggest ways to prevent the exploit

5 Vulnerability Scanners
Automated tools to test if the network or host is vulnerable to known attacks Run in batch mode against the system Process A set of system attributes are sampled and stored The results are compared to a reference set and the deviation derived

6 Nessus The Nessus Security Scanner is a security auditing tool made up of two parts: The server, nessusd is in charge of the attacks The client nessus provides an interface to the user Nessusd inspect the remote hosts and attempts to list all the vulnerabilities and common misconfigurations that affects them. Nessus can be set up to use other tools such as Nmap and Hydra. New plug-ins can be downloaded or written in the nasl scripting language.

7 ISS Internet scanner is a commercial security analysis tool similar to Nessus. It also consists of two parts a console and a sensor that is the client and server part of ISS. Runs exclusively on Windows systems. New pluggins can be downloaded or written as programs in C or Perl and added through the FlexCheck system. ISS and Nessus are the most popular security analysis tools

8 Network Based Analysis
Probing the system actively by Looking for weaknesses Derive information from system responses Two different techniques Testing by exploit – really doing the attack Interference Methods – monitoring the system for vulnerable applications

9 Host Based Analysis Assessing system data sources (file contents, configuration setting, status information) to determine vulnerabilities Passive assessment where the tool has legitimated access which mostly involves privilege escalation attacks Targets are password files, SUID, access permissions, anonymous ftp ...

10 Advantage/Disadvantage
+ - Host based are tightly bound to the environment Network based can harm the system and are more prone to false alarms Can misguide a running IDS system May violate legal prescriptions (privacy, others sphere of influence ...) Helping to document the security state of a system Regular application can spot system changes which could lead to problems A way to double-check any changes made to the system

11 Risk analysis

12 Terms - Risk Risk constitutes from the expected likelihood of a hazardous event and the expected damage of the event. DIN, VDE Norm 31000, Risks are a function of the values of the assets at risk, the likelihood of threats occurring to cause the potential adverse business impacts, the ease of exploitation of the vulnerabilities by the identified threats, and any existing or planned safeguards which might reduce the risk. ISO – Guidelines for the management of IT Security (GMITS)

13 Terms - Risk Analysis The total process to identify, control, and manage the impact of uncertain harmful events, commensurate with the value of the protected assets. National Information Systems Security Glossary

14 Risk Analysis Approaches
Bottom up The risk is an aggregate of lower level risks e.g. The risk that a phone break is a aggregation of the risk of the consiting parts Mainly used in technical risk analysis Top down The risk is detailed to derive more clarity Mainly use in organizational risk analysis

15 Risk Analysis Approaches
Baseline Approach Do not analysis but apply baseline security Informal Approach Pragmatic risk analysis Detailed Risk Analysis In-depth valuation of assets, threat assessment and vulnerability assessment Combined Approach Initial high level approach where important systems are further analysis with a detailed approach ISO – Guidelines for the management of IT Security (GMITS)

16 Risk Identification Checklists/Best practices Mathematical Approaches
RA Tools (e.g. CRAMM, COBRA …) Standards ISO 17799, ISO 13335, Common criteria Basic Protection Manual (Grundschutzhandbuch) ... Mathematical Approaches Trend Analysis, Regression Analysis ... Creative approaches Brainstorming, Delphi Method ..

17 Risk Assessment Assess the values for a risk (per asset)
How likely is it ? How harmful is it? Assessment Approaches Mathematical/Statistical Methods Time line analysis (Trend Analysis) Regression analysis Simulation Monte Carlo Simulation Expert guesses

18 Risk Assessment Severity Analysis Qualitative Methods
Calculate the risk; r = p * e Qualitative Methods Abstract values for ranking (high – low effect, high – low likelihood) Quantitative Methods Specific values indicating severity (p=0.32, e = 1000 or e = 0.43)

19 Risk countermeasures Avoidance Reduction
A measurement is chosen (respectively not chosen) so that the risk can not emerge. Reduction of threat the cause of the risk is tried to be reduce. of vulnerability reducing the vulnerability of impact reduce the effects

20 Risk countermeasures Detection Recovery Transfer Acceptance
identified when the risk is emerging – eliminating the risk source Recovery establish a recovery strategy Transfer transfer the risk to a third party Acceptance Preconditions set by the management Residual Risk - The maximal acceptable risk Final decision made by the management

21 AS/NZS: 4360 RM Process Identify Context Identify Risks Analyze Risks
Define the organizational context Identify Risks What can happen and how Analyze Risks Determine Likelihood and consequences Evaluate Risk Compare against criteria and set priorities Treat Risk Identify treatment options and decide for one

22 Process after ISO 17799 Asset Identification Threat Assessment
Vulnerability Assessment Safeguard Assessment Risk Assessment

23 Approaches OCTAVE CORAS CRAMM ...
Software Engineering Institute approach CORAS European Research group approach Software Tool free available CRAMM British Software Tool ...

24 Security Policy

25 Policy - Terms and definitions
As security policy is a formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide. Security Policy (Site Security Handbook, B. Fraser)

26 Policy classification
Language Formal languages (mathematics, state engines, constrain languages Natural language (normative languages, free speech) Target Product (mostly a technical system) Overall (mostly an organization or humans)

27 Information Security Policy Hierarchy

28 Overall Policy Expresses policy at the highest level of abstraction
A statement about the importance of information resources Management and employee responsibility Critical and subsequent security requirements As a subdocument acceptable risks and budgets

29 Requirements to a policy
Policies need to set a high enough level to guide for longer time periods Demonstrate organizational commitment to security Position of responsibility to owners, partners and public Hierarchy of policies Concordant with organizational culture and norms

30 Target Policies Tactical regulation instrument
Can have operational guidelines Specific in a target area but not to detailed

31 Product policy Requirements to the product
Additional Security Relaxing other policies Formulating special target policies for products Privacy Confidentiality statements Reliability statements ...

32 Questions ?

Download ppt "Vulnerability Analysis"

Similar presentations

Vulnerability Analysis. Formal verification Formally (mathematically) prove certain characteristics Proves the absence of flaws in a program or design.

Vulnerability Analysis. Formal verification Formally (mathematically) prove certain characteristics Proves the absence of flaws in a program or design.
Auditing Concepts.

Auditing Concepts.
Service Design – Section 4.5 Service Continuity Management.

Service Design – Section 4.5 Service Continuity Management.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)

INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
CSCI 530L Vulnerability Assessment. Process of identifying vulnerabilities that exist in a computer system Has many similarities to risk assessment Four.

CSCI 530L Vulnerability Assessment. Process of identifying vulnerabilities that exist in a computer system Has many similarities to risk assessment Four.
Project Risk Management

Project Risk Management
COMP8130 and COMP4130 Adrian Marshall Verification and Validation Risk Management Adrian Marshall.

COMP8130 and COMP4130 Adrian Marshall Verification and Validation Risk Management Adrian Marshall.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
The Australian/New Zealand Standard on Risk Management

The Australian/New Zealand Standard on Risk Management
Proprietary and confidential. © 2006 Perot Systems. All rights reserved. All registered trademarks are the property of their respective owners. www.perotsystems.com.

Proprietary and confidential. © 2006 Perot Systems. All rights reserved. All registered trademarks are the property of their respective owners.
By: Ashwin Vignesh Madhu

By: Ashwin Vignesh Madhu
Computer Security: Principles and Practice

Computer Security: Principles and Practice
First Practice - Information Security Management System Implementation and ISO 27001 Certification.

First Practice - Information Security Management System Implementation and ISO Certification.
Managing Project Risk.

Managing Project Risk.
Managing Risk to Reduce Construction Claims (And Improve Project Success) Presented by Laurie Dennis, PE, CVS-Life, FSAVE.

Managing Risk to Reduce Construction Claims (And Improve Project Success) Presented by Laurie Dennis, PE, CVS-Life, FSAVE.
Vulnerability Assessments

Vulnerability Assessments
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Sam Cook April 18, 2013. Overview What is penetration testing? Performing a penetration test Styles of penetration testing Tools of the trade.

Sam Cook April 18, Overview What is penetration testing? Performing a penetration test Styles of penetration testing Tools of the trade.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
PRM 702 Project Risk Management Lecture #28

PRM 702 Project Risk Management Lecture #28

Similar presentations

Ads by Google