Download presentation
Presentation is loading. Please wait.
Published byShannon Phelps Modified over 9 years ago
1
1 Security Risk Analysis of Computer Networks: Techniques and Challenges Anoop Singhal Computer Security Division National Institute of Standards and Technology Simon Ou Dept. of Computer and Information Science Kansas State University
2
Outline Basics of Network Security Risk Analysis Threats to Networks Common Vulnerability Scoring System (CVSS) Attack Graphs, Bayesian Networks and Tools for generating Attack Graphs Quantifying Security Risk using attack graphs and CVSS Conclusions
3
Enterprise Network Security Management Networks are getting large and complex Vulnerabilities in software are constantly discovered Network Security Management is a challenging task Even a small network can have numerous attack paths
4
Trends for Published Vulnerabilities
5
Enterprise Network Security Management Currently, security management is more of an art and not a science System administrators operate by instinct and learned experience There is no objective way of measuring the security risk in a network “ If I change this network configuration setting will my network become more or less secure? ”
6
Challenges in Security Metrics Typical issues addressed in the literature How can a database server be secured from intruders? How do I stop an ongoing intrusion? Notice that they all have a qualitative nature Better questions to ask: How secure is the database server in a given network configuration? How much security does a new configuration provide? How can I plan on security investments so it provides a certain amount of security? For this we need a system security modeling and analysis tool
7
Challenges in Security Metrics Metric for individual vulnerability exists Impact, exploitability, temporal, environmental, etc. E.g., the Common Vulnerability Scoring System (CVSS) v2 released on June 20, 2007 1 However, how to compose individual measures for the overall security of a network? Our work focuses on this issue 1. Common Vulnerability Scoring System (CVSS-SIG) v2, http://www.first.org/cvss/
8
Challenges in Security Metrics Counting the number of vulnerabilities is not enough Vulnerabilities have different importance The scoring of a vulnerability is a challenge Context of the Application Configuration of the Application How to compose vulnerabilities for the overall security of a network system
9
What is an Attack Graph A model for How an attacker can combine vulnerabilities to stage an attack such as a data breach Dependencies among vulnerabilities
10
Attack Graph Example
11
Different Paths for the Attack sshd_bof(0,1) → ftp_rhosts(1,2) → rsh(1,2) → local_bof(2) ftp_rhosts(0,1) → rsh(0,1) → ftp_rhosts(1,2) → rsh(1,2) → local_bof(2) ftp_rhosts(0,2) → rsh(0,2) → local_bof(2)
12
Attack Graph from machine 0 to DB Server
13
What is ? Stands for Common Vulnerability Scoring System An open framework for communicating characteristics and impacts of IT vulnerabilities Consists three metric groups: Base, Temporal, and Environmental
14
CVSS (Cont ’ d) Base metric : constant over time and with user environments Temporal metric : change over time but constant with user environment Environmental metric : unique to user environment
15
CVSS (Cont ’ d) CVSS metric groups Each metric group has sub-matricies Each metric group has a score associated with it Score is in the range 0 to 10
16
Access Vector This metric measures how the vulnerability is exploited. Local Adjacent Network Network
17
Access Complexity This metric measures the complexity of the attack required to exploit the vulnerability High: Specialized access conditions exist Medium: The access conditions are somewhat specialized Low: Specialized access conditions do not exist
18
Authentication This metric measures the number of times an attacker must authenticate to a target to exploit a vulnerability Multiple: The attacker needs to authenticate two or more times Single: One instance of authentication is required None: No authentication is required
19
Confidentiality Impact This metric measures the impact on confidentiality due to the exploit. None: No Impact Partial: There is a considerable information disclosure Complete: There is total information disclosure Similar things for the Integrity Impact and Availability Impact
20
Base Score Base Score = Function(Impact, Exploitability) Impact = 10.41 * (1-(1-ConImp)*(1-IntImp)*(1- AvailImpact)) Exploitability = 20*AccessV*AccessComp*Authentication
21
Base Score Example CVE-2002-0392 Apache Chunked Encoding Memory Corruption BASE METRICEVALUATIONSCORE Access Vector[Network](1.00) Access Complex. [Low](0.71) Authentication [None] (0.704) Availability Impact[Complete] (0.66) Impact = 6.9 Exploitability = 10.0 BaseScore = (7.8)
22
Attack Graph with Probabilities Numbers are estimated probabilities of occurrence for individual exploits, based on their relative difficulty. The ftp_rhosts and rsh exploits take advantage of normal services in a clever way and do not require much attacker skill A bit more skill is required for ftp_rhosts in crafting a.rhost file. sshd_bof and local_bof are buffer-overflow attacks, which require more expertise.
23
Probabilities Propagated Through Attack Graph When one exploit must follow another in a path, this means both are needed to eventually reach the goal, so their probabilities are multiplied: p(A and B) = p(A)p(B) When a choice of paths is possible, either is sufficient for reaching the goal: p(A or B) = p(A) + p(B) – p(A)p(B).
24
Network Hardening When we harden the network, this changes the attack graph, along with the way its probabilities are propagated. Our options to block traffic from the Attacker: Make no change to the network (baseline) Block ftp traffic to prevent ftp_rhosts(0,1) and ftp_rhosts(0,2) Block rsh traffic to prevent rsh(0,1) and rsh(0,2) Block ssh traffic to prevent sshd_bof(0,1)
25
Comparison of Options We can make comparisons of relative security among the options Make no change p=0.1 Blocking rsh traffic from Attacker leaves a remaining 4-step attack path with total probability p = 0.1∙0.8∙0.9∙0.1 = 0.0072 Blocking ftp traffic, p=0.0072 But blocking ssh traffic leaves 2 attack paths, with total probability p ≈ 0.0865, i.e., compromise is 10 times more likely as compared to blocking rsh or ftp.
26
Need for a Modeling Tool For a large enterprise network that has hundreds of host machines and several services we need a modeling tool that can Generate the attack graph Use the attack graph for quantitative analysis of the current configuration Help the network administrators to decide what changes to make to improve security
27
System Architecture Network Configuration Host Configuration Security Modeling Tool Attack Graphs Vulnerability DB
28
Conclusions Based on attack graphs, we have proposed a model for security risk analysis of information systems Composing individual scores to more meaningful cumulative metric for overall system security The metric meets intuitive requirements The metric can be used for making recommendations to improve network security
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.