Risk management during development Flashcards

1
Q

What is the idea behind risk management?

A

To identify, track, rank and understand security risks as they change over time

2
Q

What are the stages of the risk management framework?

A
  1. Understand the business context
  2. Identify and link the business and technical risks (artifact analysis, business context)
  3. Synthesize and rank the risks
  4. Define the risk mitigation strategy
  5. Carry out fixes and validate

Steps 2-5 are part of measurement and reporting

3
Q

What is the flow of the steps in risk management framework?

A

Risk management is a continuous and iterative process

1 -> 2 -> 3 -> 4 -> 5 -> 2

Step 5 goes back to step 2, and the flow above repeats from step 2.

4
Q

What happens during step 1. of the risk management framework?

A

Identify business goals: What are the circumstances we care about.

Define risk scales: What is a bad risk, what is an acceptable risk (impact, likelihood)

Identify business assets: Something of value, what are we trying to protect

Identify the stakeholders: Who cares about the system (users, regulators, attackers, etc.)

5
Q

What happens during step 2. of the risk management framework?

A

Identify business risks and technical risks, linking each business risk to a technical risk.

The business risks can be related to:
- Data: sensitive data stolen
- Time: Processing delay
- Money: Can’t make sales, can’t process transactions
- Reputation and brand: Loss of trust
- Legal: Compliance, contractual regulation

6
Q

What happens during step 3. of the risk management framework?

A

Create a matrix with likelihood on the x-axis and impact on the y-axis.

The combination of these says something about the severity of the risk.

Rank the technical and business risks.

Use the result from ranking to place business risks in the matrix.

7
Q

What happens during step 4. of the risk management framework?

A

The goal is to reduce the impact of the risk, its likelihood, or both.

One way of doing this is by deriving security requirements for the technical risks, e.g.:
Attacker locks out a user by typing the wrong password -> 2FA

8
Q

What happens during step 5. of the risk management framework?

A

Carry out fixes and validate the requirements

Implementation of mitigation strategies.

Validation in the form of risk-based testing

9
Q

How can a likelihood scale be defined?

A

Can use the expected frequency of events.

Can use an attacker-centric approach: A highly motivated attacker might mean a higher likelihood.

Low: Once per 10 years or less
Medium: Once per year or less
High: Once per month or less
Extreme: Every week

10
Q

How can consequences be defined using dimensions and scales?

A

Define dimensions that are relevant for your system, e.g.:
- Confidentiality
- Availability
- Financial
- Repudiation

Define what low, medium, high and extreme mean for each dimension.

11
Q

How are business risks related to goals?

A

Business risks directly threaten one or more of a customer’s goals

12
Q

What are technical risks?

A

Various threats and attacks that may have a negative impact on the business.

13
Q

How do you find technical risks?

A

Look through documents, system design, architecture, code.

Talk to users, look at feedback, interviews, discussions.

Test the system.

Use threat intelligence: look at common threat vectors, what the most common vulnerabilities are these days, etc.

14
Q

What are some useful tools when identifying technical risks?

A

Misuse cases, attack trees, data flow diagrams

15
Q

How is linking done in risk management?

A

Link business goal to one or more business risks

Link business risk to one or more technical risks

16
Q

Why is linking done in risk management?

A

To show traceability, to justify how business goals are threatened.

17
Q

What should you focus on when ranking technical risks?

A

Do not focus on impact, as it is very difficult to know the exact impact of these low-level risks.

Focus on likelihood. Use these likelihood values to say something about the likelihood of the business risk that is linked to them.

18
Q

How are business risks ranked?

A

Look at likelihood and impact

Combine the ranking of likelihood and impact to get a ranking of the business risk.

Then put the business risk in the likelihood-impact matrix, based on likelihood and impact.

19
Q

What is a security requirement?

A

A statement of needed security functionality that ensures one of many different security properties of software is being satisfied

20
Q

What are the criteria for good security requirements?

A

Define what you require, not how to achieve it
- the requirement is not a design, should be open to many implementations
- avoid premature design or implementation decisions

The requirement should be understandable and clear (not ambiguous)

Cohesion: Only define one thing per requirement

Testability: Have clear acceptance criteria, which often requires some quantification

Don’t define a requirement as something that shouldn’t be done (e.g. "have no vulnerabilities in the code"): this is very difficult to test.

21
Q

What is OWASP ASVS?

A

The OWASP Application Security Verification Standard

Helps with creating security requirements.

A catalog of available security requirements and verification criteria

22
Q

What is risk-based testing?

A

Focus on the security requirements

Make a test plan to test security requirements

Link the test cases with the technical risks/requirements

Prioritize tests (costs can have an effect here)

23
Q

What affects safety of software systems?

A

Safety deals with the effect of random failures. The random failures often follow a distribution function.

24
Q

What is a hostile opponent?

A

Someone who can cause some of the components of a system to fail at the least convenient time and in the most damaging way possible.

25
Q

What data can be used about cyber attacks?

A

Attack frequency

Attack type distribution

Number of successful attacks

Number of prevented attacks

Loss per attack

This type of information, however, is not always available

26
Q

What is security economics?

A

Can be used to improve risk estimates.

27
Q

What are some costs that should be considered when considering risks?

A

Look at both the defender’s side and the attacker’s side.

Defender:
- Investment: How much would the defender have to invest
- Reactive cost
- Loss
- Reimbursement: Received if attack happens

Attacker:
- Investment
- Penalty (if fail/caught)
- Profit
- Supplier profit: Attackers can buy equipment from others
- Opportunity cost: Cost of doing something instead of other things (attackers could profit more if they used their skills to do something legitimate; they waste their skills)

28
Q

What sources could be used to figure out defender and attacker cost?

A

Expert/specialist opinions

Cyber loss events

Coverage estimations

Incident claims

Retail price lists

Dark net markets

Crypto coin market cap

Profit simulations

29
Q

Why do we have so much ransomware?

A

It works, it pays

Cheap to buy - direct profit to attackers

30
Q

What is the defender’s dilemma?

A

Breaches are inevitable because defenders have to be right 100% of the time, whereas attackers only have to be right once. The attackers also know about the defenders and their tactics.

31
Q

What is CVSS?

A

The Common Vulnerability Scoring System

A standardized way of measuring the technical severity of a vulnerability. This can say something about the likelihood or complexity of an attack.

32
Q

How does CVSS work?

A

Gives a score between 0 and 10

Consists of:
- Base: Constant over time and across user environments, independent of what environment the software is running on
- Threat: Characteristics of a vulnerability that change over time (threat can be known, proven, etc.)
- Environmental: Gives a local score
- Supplemental: Does not modify the score, but gives additional insight about the vulnerability

33
Q

How should CVSS be used in risk analysis?

A

CVSS != risk, so don’t use it directly as a risk value

A high CVSS score does not necessarily mean a high risk likelihood or impact.

34
Q

Name some exploitability metrics used in the Base group of CVSS

A

Attack vector (network, adjacent, local, physical)

Attack complexity (low, high)

Attack requirements (are specific circumstances required, or can the attack be carried out at any time?)

Privileges required (none, low, high)

User interaction (do we need the victim to do anything?)

35
Q

Name some impact metrics used in the Base group of CVSS

A

Vulnerable system confidentiality, integrity, availability: How are these dimensions affected by the attack?

Subsequent system confidentiality, integrity, availability: Do we impact other systems, other than the one we are attacking?

36
Q

Name metrics in the Threat metric group

A

Exploit maturity

Whether this vulnerability has been proven or used in practice, or only exists as a PoC (proof of concept, theoretical)

37
Q

Name some metrics in the supplemental metric group

A

Automatable (are we able to automate the attack?)

Recovery

Safety

Value density (is it a focused attack or not?)

Vulnerability response effort

Provider urgency (how urgent is it to fix the issue?)

38
Q

Give an example of a scenario that could get a CVSS score

A

After logging in to Inspera, you find out that you can manipulate the URL to change the user ID and get read access to the exercises of other students

39
Q

What type of attackers are hard to defend against?

A

Irrational attackers

These are not motivated by economic profits, have other motivations