Book - Chapter 2 Flashcards

1
Q

Why was SSL developed?

A

It was developed by Netscape to deal with the lack of security around (credit) card transactions over the Internet.

2
Q

What is identity theft?

A

Using somebody else's identity to gain access to a resource or service. Identity theft exploits a weakness inherent in services that use non-secret information (names, dates of birth, account numbers) to authenticate requests.

3
Q

What is a security policy?

A

A statement that defines the security objectives of an organisation; it has to state what needs to be protected; it may also indicate how this is to be done.

4
Q

What do the terms security policy objective, organisational security policy and automated security policy mean?

A

A policy has given objectives:

  • Security policy objective: A statement of intent to protect an identified resource from unauthorized use.

A policy also has to explain how the objectives are to be met. This can be done first at the level of the organization.

  • Organizational security policy: The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes resources to achieve specified security policy objectives.

Within an IT system, organizational policies can be supported by technical means.

  • Automated security policy: The set of restrictions and properties that specify how a computing system prevents information and computing resources from being used to violate an organizational security policy.

Automated policies define access control lists and firewall settings, stipulate the services that may be run on user devices, and prescribe the security protocols for protecting network traffic.

5
Q

In SANS terminology, what is a security metric?

A

In security engineering we would love to measure security. To convince managers (or customers) of the benefits of a new security mechanism, wouldn’t it be nice if you could measure the security of the system before and after introducing the mechanism? Indeed, it is difficult to reach well-founded management decisions if such information cannot be procured. The terms security measurement and security metric are used in this context, but there is no common agreement on their exact meaning. There are, however, two clearly defined phases.

First, values for various security-relevant factors are obtained. In SANS terminology obtaining a value for such a factor is a security measurement. Some values can be established objectively, e.g. the number of open network ports, whether the latest patch has been installed for a software product, or the privilege level under which a service program is running. Other values are subjective, e.g. the reputation of a company or the security awareness of its employees.

Secondly, a set of measurements may be consolidated into a single value that is used for comparing the current security state against a baseline or a past state. In SANS terminology, the values used by management for making security comparisons are called security metrics. Other sources do not make this distinction in their terminology [64]. Sometimes, the result of a measurement can directly be used as a metric, e.g. the number of software vulnerabilities flagged by an analysis tool.

6
Q

What is a product?

A

A product is a package of IT software, firmware and/or hardware, providing functionality designed for use or incorporation within a multiplicity of systems.

7
Q

What is a system?

A

A system is a specific IT installation, with a particular purpose and operational environment.

8
Q

How could you measure the cost of mounting an attack?

A

You could consider

  • the time an attacker has to invest in the attack, e.g. analyzing software products,
  • the expenses the attacker has to incur, e.g. computing cycles or special equipment,
  • the knowledge necessary to conduct the attack.
9
Q

What are hazard risks?

A

Hazard risks relate to damaging events, i.e. events that can only have a negative outcome.

10
Q

What are opportunity risks?

A

Opportunity risks relate to events that might also have a positive outcome, e.g. a financial investment on the stock exchange.

11
Q

What is risk?

A

Informally, risk is the possibility that some incident or attack can cause damage to your enterprise. An attack against an IT system consists of a sequence of actions, exploiting vulnerabilities in the system, until the attacker's goals have been achieved. To assess the risk posed by the attack you have to evaluate the impact of the attack and the likelihood of the attack occurring. This likelihood will depend on the exposure of your system to potential attackers and on how easily the attack can be mounted (exploitability of vulnerabilities). In turn, this will further depend on the security configuration of the system under attack.

(Figure 'Factors in Risk Analysis', labels only: exposure, environment, source, exploitability, vulnerability, enabler, impact, asset (value), target.)

12
Q

What do systems consist of?

A

Systems consist of resources and of agents operating on those resources. In a computer, processes are the agents. In an organization, an agent can be a person given a task to perform. This person may have been authorized to use the resources necessary for executing the task.

13
Q

What is the first step in a risk analysis?

A

As a first step assets have to be identified and valued.

14
Q

How can you value assets?

A

Identification of assets should be a relatively straightforward systematic exercise. Measurement of asset values is more of a challenge. Some assets, such as hardware, can be valued according to their monetary replacement costs. For other assets, such as data and information, this is more difficult. If your business plans are leaked to the competition or private information about your customers is leaked to the public you have to account for indirect losses due to lost business opportunities. The competition may underbid you and your customers may desert you. Even when equipment is lost or stolen you have to consider the value of the data stored on it, and the value of the services that were running on it. In such situations assets can be valued according to their importance. As a good metric for importance, ask yourself how long your business could survive when a given asset has been damaged: a day, a week, a month?

15
Q

What is a threat?

A

A threat is an undesirable negative impact on your assets.

16
Q

How could you identify threats?

A

There are various ways of identifying threats. You can categorize threats by their impact on assets and agents. For example, Microsoft’s STRIDE threat model for software security lists the following categories:

  • Spoofing identities – an agent pretends to be somebody else; this can be done to avoid responsibility or to misuse authority given to someone else.
  • Tampering with data – violates the integrity of an asset; e.g. security settings are changed to give the attacker more privileges.
  • Repudiation – an agent denies having performed an action to escape responsibility.
  • Information disclosure – violates the confidentiality of an asset; information disclosed to the wrong parties may lose its value (e.g. trade secrets); your organization may face penalties if it does not properly protect information (e.g. personal information about individuals).
  • Denial of service – violates the availability of an asset; denial-of-service attacks can make websites temporarily unavailable; the media have reported that such attacks have been used for blackmail.
  • Elevation of privilege – an agent gains more privileges beyond its entitlement.

Alternatively, you may identify threats by source. Would the adversary be a member of your organization or an outsider, a contractor or a former member? Does the adversary have direct access to your systems, or is the attack launched remotely?

17
Q

What do IT risk analysis tools look at?

A

IT risk analysis looks at hazard risks. It can be conducted during the design phase of a system, during the implementation phase, and during operations. It can be applied

  • during the development of new components, e.g. in the area of software security,
  • specifically for the IT infrastructure of an enterprise,
  • comprehensively for all information assets of an enterprise.
18
Q

What are vulnerabilities?

A

Once you move to the implementation stage, you have to examine your system for vulnerabilities. Vulnerabilities are weaknesses of a system that could be accidentally or intentionally exploited to damage assets. In an IT system, typical vulnerabilities are:

  • accounts with system privileges where the default password, such as ‘MANAGER’, has not been changed;
  • programs with unnecessary privileges;
  • programs with known flaws;
  • weak access control settings on resources, e.g. having kernel memory world-writable;
  • weak firewall configurations that allow access to vulnerable services.
19
Q

What is a vulnerability scanner?

A

Vulnerability scanners provide a systematic and automated way of identifying vulnerabilities. Their knowledge base of known vulnerabilities has to be kept up to date. Organizations such as SANS or computer emergency response teams (CERTs) provide this information, as do security advisories of software companies.
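An added example, not code from the book: a minimal host-configuration check that looks for the vulnerability classes listed in the previous card and reports the kind of objective measurements the 'security metric' card mentions (open ports, patch state, privilege level). The host record, its field names and the list of services that need root are constructed for this example; a real scanner has its own data model and knowledge base.

```python
"""Added example (not from the book): host-configuration check for the
vulnerability classes listed above, plus objective security measurements.
The host record and its field names are constructed for illustration."""

# Constructed inventory record for one host, as an agent might report it.
HOST = {
    "name": "db01",
    "accounts": [
        # 'default_password_unchanged': the vendor's initial password still works
        {"user": "SYSTEM", "privileged": True, "default_password_unchanged": True},
        {"user": "alice", "privileged": False, "default_password_unchanged": False},
    ],
    "services": [
        # 'runs_as': account the service runs under; 'patched': latest fix installed
        {"name": "httpd", "port": 80, "runs_as": "root", "patched": True},
        {"name": "ftpd", "port": 21, "runs_as": "root", "patched": False},
        {"name": "sshd", "port": 22, "runs_as": "root", "patched": True},
    ],
    "resources": [
        # POSIX mode bits; 0o002 set means world-writable
        {"path": "/dev/kmem", "mode": 0o666},
        {"path": "/etc/passwd", "mode": 0o644},
    ],
    # ports the firewall lets outside hosts reach
    "firewall_open_ports": [21, 22, 80],
}

# Assumption for the example: only these services legitimately need root.
SERVICES_THAT_NEED_ROOT = {"sshd"}


def find_vulnerabilities(host):
    """Return (category, detail) findings matching the vulnerability classes above."""
    findings = []
    for acct in host["accounts"]:
        if acct["privileged"] and acct["default_password_unchanged"]:
            findings.append(("default-password-on-privileged-account", acct["user"]))
    for svc in host["services"]:
        if svc["runs_as"] == "root" and svc["name"] not in SERVICES_THAT_NEED_ROOT:
            findings.append(("unnecessary-privilege", svc["name"]))
        if not svc["patched"]:
            findings.append(("known-flaw", svc["name"]))
            # a known flaw matters more when the firewall exposes the service
            if svc["port"] in host["firewall_open_ports"]:
                findings.append(("firewall-exposes-vulnerable-service",
                                 f"{svc['name']}:{svc['port']}"))
    for res in host["resources"]:
        if res["mode"] & 0o002:
            findings.append(("world-writable", res["path"]))
    return findings


def measurements(host):
    """Objective security measurements in the SANS sense (raw values, not yet a metric)."""
    return {
        "open_ports": len(host["firewall_open_ports"]),
        "unpatched_services": sum(1 for s in host["services"] if not s["patched"]),
        "root_services": sum(1 for s in host["services"] if s["runs_as"] == "root"),
    }


if __name__ == "__main__":
    for category, detail in find_vulnerabilities(HOST):
        print(f"{category:40s} {detail}")
    print(measurements(HOST))
```

The point of the combined firewall-plus-patch check is that the same known flaw is rated differently depending on exposure, which is exactly the exposure/exploitability distinction the risk card makes.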

20
Q

What is an attack and attack tree?

A

A threat materializes when an attack succeeds. An attack is a sequence of steps. It may start innocuously, gathering information needed to move on to gain privileges on one machine, from there jump to another machine, until the final target is reached.

To get a fuller picture of its potential impact, a forest of attack trees can be constructed. The root of an attack tree is a threat. The nodes in the tree are subgoals that must be achieved for the attack to succeed. Subgoals can be broken into further subgoals. There are AND nodes and OR nodes. To reach an AND node, all subgoals have to be achieved. To reach an OR node, it is enough if one subgoal is achieved.

21
Q

What is an example of an attack tree?

A

The book's figure (not reproduced here) gives a basic attack tree for the attack ‘get password’. A password can be obtained by guessing, or by tricking an operator into revealing it, or by spying on the user. Guessing could be on-line or off-line. For off-line guessing, the attacker needs the encrypted password and has to perform a dictionary attack (an AND node). The attacker could spy on the victim in person (so-called shoulder surfing), direct a camera at the keyboard, or direct a microphone at the keyboard and distinguish the keys being pressed by their sound.

In outline (nodes are OR nodes unless marked AND):

  • get password
      • guess password
          • on-line guessing
          • off-line guessing (AND: obtain encrypted password, run dictionary attack)
      • trick operator into revealing it
      • spy on user
          • shoulder surfing
          • camera directed at keyboard
          • microphone directed at keyboard
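An added example, not code from the book: the ‘get password’ tree above encoded as AND/OR nodes, with the cheapest attack computed bottom-up (OR takes the minimum over its children, AND sums them) and every attack scenario enumerated. The per-leaf costs are constructed, and the cost unit (rough attacker effort, in the spirit of the ‘cost of mounting an attack’ card) is an assumption; raising a leaf's cost is how a countermeasure is modelled here.

```python
"""Added example (not from the book): attack tree evaluation for the
'get password' tree described above. Leaf costs are constructed."""

from dataclasses import dataclass, field
from itertools import product
from typing import List, Tuple


@dataclass
class Node:
    name: str
    kind: str = "LEAF"             # "AND", "OR" or "LEAF"
    cost: float = 0.0              # attacker cost; meaningful for leaves only
    children: List["Node"] = field(default_factory=list)


def AND(name, *children):
    return Node(name, "AND", children=list(children))


def OR(name, *children):
    return Node(name, "OR", children=list(children))


def LEAF(name, cost):
    return Node(name, "LEAF", cost)


def cheapest(node: Node) -> Tuple[float, List[str]]:
    """(cost, leaves) of the cheapest way to reach `node`.
    OR: one child suffices, take the cheapest. AND: every child is needed, costs add."""
    if node.kind == "LEAF":
        return node.cost, [node.name]
    results = [cheapest(c) for c in node.children]
    if node.kind == "OR":
        return min(results, key=lambda r: r[0])
    if node.kind == "AND":
        return sum(r[0] for r in results), [leaf for r in results for leaf in r[1]]
    raise ValueError(f"unknown node kind {node.kind!r}")


def scenarios(node: Node) -> List[List[str]]:
    """Every distinct attack scenario (set of leaves) that reaches `node`."""
    if node.kind == "LEAF":
        return [[node.name]]
    if node.kind == "OR":
        return [s for c in node.children for s in scenarios(c)]
    if node.kind == "AND":
        # one scenario per combination of one scenario from each child
        return [sum(combo, []) for combo in product(*(scenarios(c) for c in node.children))]
    raise ValueError(f"unknown node kind {node.kind!r}")


def raise_leaf_cost(node: Node, leaf_name: str, new_cost: float) -> bool:
    """Model a countermeasure by raising one leaf's cost. Returns True if the leaf exists."""
    if node.kind == "LEAF":
        if node.name == leaf_name:
            node.cost = new_cost
            return True
        return False
    return any(raise_leaf_cost(c, leaf_name, new_cost) for c in node.children)


# The tree from the text; costs (assumed) are rough attacker-effort units.
GET_PASSWORD = OR("get password",
    OR("guess password",
        LEAF("on-line guessing", 8),
        AND("off-line guessing",
            LEAF("obtain encrypted password", 6),
            LEAF("run dictionary attack", 2))),
    LEAF("trick operator into revealing it", 5),
    OR("spy on user",
        LEAF("shoulder surfing", 3),
        LEAF("camera at keyboard", 7),
        LEAF("microphone at keyboard", 9)))


if __name__ == "__main__":
    print("scenarios:", len(scenarios(GET_PASSWORD)))
    print("cheapest:", cheapest(GET_PASSWORD))
    # e.g. privacy screens and a clean-desk rule make shoulder surfing expensive
    raise_leaf_cost(GET_PASSWORD, "shoulder surfing", 10)
    print("after countermeasure:", cheapest(GET_PASSWORD))
```

Note how the countermeasure does not lower the threat's likelihood to zero: it only shifts the cheapest path to the next alternative under the OR node, which is why the whole forest, not one branch, has to be evaluated.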

22
Q

What does the severity of an attack and likelihood depend on?

A

The severity of an attack depends on the likelihood that it will be launched, the likelihood that it will succeed, and the damage that it might do.

Likelihood depends on the difficulty of the attack, on the motivation of the attacker, on the number of potential attackers, and on existing countermeasures. For example, attack scripts automate attacks, making it easy to launch the attack.

23
Q

What is DREAD?

A

The DREAD methodology, which complements STRIDE, demonstrates how the severity of an attack can be rated in a systematic manner:

  • Damage potential – relates to the values of the assets being affected.
  • Reproducibility – attacks that are easy to reproduce are more likely to be launched from the environment than attacks that only work in specific circumstances.
  • Exploitability – captures the effort, expertise, and resources required to launch an attack.
  • Affected users – the number of assets affected contributes to the damage potential.
  • Discoverability – will the attack be detected? In the most damaging case, you will never know that your system has been compromised. (In World War II, German intelligence refused to believe that many of their encryption schemes had been broken.)
24
Q

What is the CVSS?

A

The Common Vulnerability Scoring System (CVSS) starts from the vulnerabilities when organizing impact assessment. The base metric group collects generic aspects of a vulnerability. The rating considers from where the vulnerability can be exploited (local or remote attacker?), how complex an exploit would have to be (related to exploitability in DREAD), and how many times an attacker would have to be authenticated during an attack (related to exposure, and also to lacking social inhibitions due to a feeling of impunity). The rating also considers the standard impact categories of confidentiality, integrity, and availability.

25
Q

What are the CVSS temporal metrics?

A

The temporal metrics group captures the current state of exploits and countermeasures. Exploitability is related to reproducibility in DREAD and captures the state of exploits available. The remediation level notes to what extent fixes addressing the vulnerability are available. Report confidence rates the quality of the source announcing the vulnerability.

26
Q

What are the CVSS environmental metrics?

A

The environmental metrics group rates the impact on the assets of a given organization. Collateral damage potential covers damage outside the IT system, such as loss of life, loss of productivity, or loss of physical assets. Target distribution measures the number of potential targets within the organization. Environmental metrics rate IT assets according to the standard security requirements of confidentiality, integrity, and availability.

27
Q

How can you calculate risk?

A

Risk = Assets × Threats × Vulnerabilities

This expression overloads the term threat. It stands for the potential negative impact on assets, but also for the likelihood that damage will occur.

28
Q

What is quantitative risk analysis?

A

Quantitative risk analysis takes ratings from a mathematical domain such as a probability space. For example, you can assign monetary values to assets and probabilities to the likelihood of attacks, and then calculate the expected loss. This method has the pleasing feature of having a well-established mathematical theory as its basis, but the considerable drawback that your inputs are often just educated guesses. In short, the quality of the results you obtain cannot be better than the quality of the inputs provided. You could consider other mathematical frameworks, such as fuzzy theory, to make some provisions for the imprecise nature of your ratings. There are areas of risk analysis where quantitative methods work, but more often the lack of precision in the inputs does not justify a mathematical treatment.

29
Q

What is qualitative risk analysis?

A

Qualitative risk analysis takes values from domains that do not have an underlying mathematical structure:

  • Assets could be rated on a scale of critical – very important – important – not important.
  • Criticality of vulnerabilities could be rated on a scale of has to be fixed immediately – has to be fixed soon – should be fixed – fix if convenient.
  • Threats could be rated on a scale of very likely – likely – unlikely – very unlikely.

CVSS follows this approach. The individual ratings are then mapped to weights that serve as input to the combination algorithm. DREAD uses a finer granularity for its ratings, i.e. numerical values from 1 to 10. The average of the five DREAD ratings is the final risk value. Whatever scheme you are using, guidance on how to assign ratings consistently is essential.
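An added example, not code from the book: DREAD ratings for a handful of STRIDE-categorised threats, averaged as the text describes, and turned into the prioritized threat list a risk analysis produces. The threats and their ratings are constructed; the cut-offs that map an average onto the criticality scale of the previous card (fix immediately / soon / should be fixed / if convenient) are an assumption, since the page gives none, and the input validation stands in for the "assign ratings consistently" guidance.

```python
"""Added example (not from the book): DREAD scoring and threat prioritization.
Threats, ratings and the criticality cut-offs are constructed/assumed."""

DREAD_FIELDS = ("damage", "reproducibility", "exploitability",
                "affected_users", "discoverability")


def validate_dread(ratings: dict) -> list:
    """Return a list of problems; empty means the five ratings are integers 1..10."""
    problems = []
    for f in DREAD_FIELDS:
        if f not in ratings:
            problems.append(f"missing rating: {f}")
            continue
        v = ratings[f]
        if isinstance(v, bool) or not isinstance(v, int) or not 1 <= v <= 10:
            problems.append(f"{f} must be an integer from 1 to 10, got {v!r}")
    return problems


def dread_score(ratings: dict) -> float:
    """Average of the five DREAD ratings (numerical values from 1 to 10)."""
    problems = validate_dread(ratings)
    if problems:
        raise ValueError("; ".join(problems))
    return sum(ratings[f] for f in DREAD_FIELDS) / len(DREAD_FIELDS)


def criticality(score: float) -> str:
    """Map the average onto the qualitative scale; cut-offs are an assumption."""
    if score >= 8.0:
        return "has to be fixed immediately"
    if score >= 6.0:
        return "has to be fixed soon"
    if score >= 4.0:
        return "should be fixed"
    return "fix if convenient"


# Constructed threats for a web shop, one per STRIDE category that applies.
THREATS = [
    {"stride": "Spoofing", "name": "forged session cookie on customer portal",
     "ratings": {"damage": 8, "reproducibility": 9, "exploitability": 7,
                 "affected_users": 8, "discoverability": 6}},
    {"stride": "Information disclosure", "name": "stack trace leaks database hostname",
     "ratings": {"damage": 3, "reproducibility": 10, "exploitability": 9,
                 "affected_users": 2, "discoverability": 9}},
    {"stride": "Denial of service", "name": "unauthenticated report export exhausts CPU",
     "ratings": {"damage": 6, "reproducibility": 8, "exploitability": 8,
                 "affected_users": 9, "discoverability": 7}},
    {"stride": "Elevation of privilege", "name": "admin API reachable from user role",
     "ratings": {"damage": 10, "reproducibility": 8, "exploitability": 6,
                 "affected_users": 10, "discoverability": 6}},
    {"stride": "Repudiation", "name": "no audit log for refund approvals",
     "ratings": {"damage": 5, "reproducibility": 10, "exploitability": 6,
                 "affected_users": 3, "discoverability": 3}},
]


def prioritize(threats: list) -> list:
    """Prioritized list: highest average first; ties broken by damage potential."""
    ranked = []
    for t in threats:
        score = dread_score(t["ratings"])
        ranked.append({"stride": t["stride"], "name": t["name"], "score": score,
                       "damage": t["ratings"]["damage"],
                       "criticality": criticality(score)})
    ranked.sort(key=lambda r: (-r["score"], -r["damage"], r["name"]))
    return ranked


if __name__ == "__main__":
    for r in prioritize(THREATS):
        print(f"{r['score']:4.1f}  {r['stride']:24s} {r['name']}  [{r['criticality']}]")
```

Two threats with the same average (spoofing and denial of service above) illustrate why a plain average loses information: the tie-break on damage potential is one way to keep the asset value visible in the ranking.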

30
Q

What is the result of a risk analysis?

A

The result of a risk analysis is a prioritized list of threats, together with recommended countermeasures to mitigate risk. Risk analysis tools usually come with a knowledge base of countermeasures for the threats they can identify. Risk analysis is also used for calculating the return on security investment (ROSI). ROSI compares for given security measures the expected reduction in risk with the costs of fielding the security measures.
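An added example, not code from the book, serving the quantitative risk analysis card and the ROSI sentence above: monetary asset values and attack likelihoods combined into an expected loss, and two candidate countermeasures compared by return on security investment. All figures are constructed. The annualized form used here (loss per incident = asset value × fraction lost; expected annual loss = that × incidents per year) and the ROSI ratio (risk reduction minus cost, divided by cost) are common conventions and an assumption, since the page states the idea but no formula.

```python
"""Added example (not from the book): expected loss and ROSI for constructed
scenarios. Formulas are one common convention, not the book's."""

from dataclasses import dataclass, replace
from typing import List


@dataclass(frozen=True)
class Scenario:
    threat: str
    asset_value: float      # monetary value of the asset at risk
    exposure_factor: float  # fraction of the asset value lost per incident (0..1)
    annual_rate: float      # expected incidents per year (the 'likelihood')


def single_loss_expectancy(s: Scenario) -> float:
    return s.asset_value * s.exposure_factor


def annual_loss_expectancy(s: Scenario) -> float:
    return single_loss_expectancy(s) * s.annual_rate


def total_ale(scenarios: List[Scenario]) -> float:
    return sum(annual_loss_expectancy(s) for s in scenarios)


def with_countermeasure(scenarios, threat, rate_factor=1.0, new_exposure_factor=None):
    """Copy of `scenarios` in which `threat` is less likely (rate scaled) and/or
    less damaging (exposure factor replaced). Other scenarios are untouched."""
    out = []
    for s in scenarios:
        if s.threat == threat:
            s = replace(s, annual_rate=s.annual_rate * rate_factor,
                        exposure_factor=(s.exposure_factor if new_exposure_factor is None
                                         else new_exposure_factor))
        out.append(s)
    return out


def rosi(before, after, annual_cost: float) -> float:
    """(risk reduction - cost) / cost; positive means the measure pays for itself."""
    if annual_cost <= 0:
        raise ValueError("annual_cost must be positive")
    risk_reduction = total_ale(before) - total_ale(after)
    return (risk_reduction - annual_cost) / annual_cost


# Constructed baseline: value, fraction lost per incident, incidents per year.
BASELINE = [
    Scenario("customer database leaked", 2_000_000, 0.25, 0.2),
    Scenario("web shop denial of service", 600_000, 0.05, 4.0),
    Scenario("laptop stolen", 3_000, 1.0, 5.0),
]


def compare_measures() -> dict:
    """ROSI of two candidate measures (constructed costs and effects)."""
    ddos = with_countermeasure(BASELINE, "web shop denial of service", rate_factor=0.25)
    dbenc = with_countermeasure(BASELINE, "customer database leaked", rate_factor=0.5)
    return {
        "DDoS scrubbing service, 40k/yr": rosi(BASELINE, ddos, 40_000),
        "database encryption and monitoring, 60k/yr": rosi(BASELINE, dbenc, 60_000),
    }


if __name__ == "__main__":
    print("baseline expected annual loss:", total_ale(BASELINE))
    for measure, value in compare_measures().items():
        print(f"{measure:45s} ROSI = {value:+.2f}")
```

The inputs (0.2 database leaks per year, a 25 % reduction in denial-of-service incidents) are exactly the educated guesses the card warns about: change them by a factor of two and the ranking of the two measures can flip, which is why the output should be reported with the assumptions that produced it.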