Risk management during development Flashcards
What is the idea behind risk management?
To identify, track, rank and understand security risks as it changes over time
What are the stages of the risk management framework?
- Understand business context
- Identify and link the business and technical risks (artifact analysis, business context)
- Synthesize and rank the risks
- Define the Risk mitigation strategy
- Carry out fixes and validate
2-5: Part of measurement and reporting
What is the flow of the steps in risk management framework?
Risk management is a continuous and iterative process
1 -> 2 -> 3 -> 4 -> 5 ->2
5 goes back to 2, and repeate flow above from step 2.
What happens during step 1. of the risk management framework?
Identify business goals: What are the circumstances we care about.
Define risk scales: What is a bad risk, what is an acceptable risk (impact, likelyhood)
Identify business assets: Something of value, what are we trying to protect
Identify the stakeholders: Who cares about the system (users, regulators, attackers, etc.)
What happens during step 2. of the risk management framework?
Identify business risks and technical risks. Linking each business to a technical risk.
The business risks can be related to:
- Data: sensitive data stolen
- Time: Processing delay
- Money: Can’t make sales, can’t process transactions
- Repudiation and brand: Loss of trust
- Legal: Compliance, contractual regulation
What happens during step 3. of the risk management framework?
Create a matrix with Likelyhood on the x-axis and impact on the y-axis.
The combination of these says something about the severity of the risk.
Rank the technical and business risks.
Use the result from ranking to place business risks in the matrix.
What happens during step 4. of the risk management framework?
Goal is to either reduce impact or likelihood of risk, or reduce both.
One way of doing this is by deriving security requirements for the technical risks:
e.g.:
Attacker locks out user by typing wrong password -> 2FA
What happens during step 5. of the risk management framework?
Carry out fixes and validate the requirements
Implementation of mitigation strategies.
Validation in the form of risk-based testing
How can a likelyhood-scale be defined?
Can use expected frequency of events.
Can use an attacker-centric approach: A highely motivate attacker might cause higher likelyhood.
Low: Once per 10 year or less
Medium: Once per year or less
High: Once per month or less
Extreme: Every week
How can consequences be defined using dimensions and scales?
Define dimensions that are relevant for you system: e.g.:
- Confidentiality
- Availablility
- Financial
- Repudiation
Define what low, medium, high and extreme mean for each dimension.
How is business risks related to goals?
Business risks directly threaten one or more of a customer’s goals
What are technical risks?
Various threats and attacks that may bring negative impacts on business.
How do you find technical risks?
Look through documents, system design, architecture, code.
Talk to users, look at feedback, interviews, discussions.
Test system
Use threat intelligence, look at common threat vectors, what are the most common vulnerabilities these days, etc.
What are some useful tools when identifying technical risks?
Misuse cases, attack trees, data flow diagrams
How is linking done in risk management?
Link business goal to one or more business risks
Link business risk to one or more technical risks
Why is linking done in risk management?
To show traceability, to justify how business goals are threatend.
What should you focus on when ranking technical risks?
Do not focus on impact, as it is very difficult to know the exact impact of these low level risks.
Focus on likelyhood. Use these likelyhood values to say something about the likelyhood of the business risk that is linked to it.
How are business risks ranked
Look at likelihood and impact
Combine the ranking of likelihood and impact to get a ranking of the business risk.
Then put the business risk in the likelihood-impact matrix, based on likelihood and impact.
What is a security requirement?
A statement of needed security functionality that ensures one of many different security properties of software is being satisfied
What are the criteria for good security requirements?
Define what you require, not how to achieve it
- the requirement is not a design, should be open to many implementations
- avoid premature design or implementation decisions
The requirement should be understandable and clear (not ambiguous)
Cohesion: Only define one thing per requirement
Testability: Have clear acceptance criteria, which often requires some quantification
Shouldn’t define criteria as something that shouldn’t be done (e.g. have no vulnerabilities in the code): this is very difficult to test.
What is OWASP ASVS?
The OWASP Application Security Verification Standard
Helps with creating security requirements.
A catalog of available security requirements and verification criteria
What is risk-based testing?
Focus on the security requirements
Make a test plan to test security requirements
Link the test cases with the technical risks/requirements
Prioritize tests (costs can have an effect here)
What affects safety of software systems?
Safety deals with the effect of random failures. The random failures often follow a distribution function.
What is a hostile opponent?
Someone who can cause some of the components of a system to fail at the least convenient time and in the most damaging way possible.
What data can be used about cyber attacks?
Attack frequency
Attack type distribution
Number of successful attacks
Number of prevented attacks
Loss per attack
This type of information, however, is not always available
What is security economics?
Can be used to improve risk estimates.
What are some costs that should be considered when considering risks?
Look at defender’s side, and attacker’s
Defender:
- Investment: How much would the defender have to invest
- Reactive cost
- Loss
- Reimbursement: Received if attack happens
Attacker:
- Investment
- Penalty (if fail/caught)
- Profit
- Supplier profit: Attacker’s can buy equipment from others
- Opportunity cost: Cost of doing something instead of other things (Attacker’s could profit more if they used their skill to do something legit, waste their skill)
What sources could be used to figure out defender and attacker cost?
Expert/specialist opinions
Cyber loss events
Coverage estimations
Incident claims
Retail price lists
Dark net markets
Coin crypto market cap
Profit simulations
Why do we have so much ransomware?
It works, it pays
Cheap to buy - direct profit to attackers
What is the defender’s dilemma?
Breaches are inevitable because defenders have to be right 100% of the time, whereas attackers only have to be right once. The attacker also know about the defenders and their tactics.
What is CVSS?
The common vulnerability scoring system
A standardized way of measuring the technical severity of a vulnerability. This can say something about the likelihood or complexity of an attack.
How does CVSS work?
Gives a score between 0 and 10
Consist of:
- Base: Constant over time and across user environments, independent of what environment the software is running on
- Threat: Characteristics of a vulnerability that changes over time (threat can be known, proven, etc.)
- Environmental: Gives a local score
- Supplemental: Do not modify score, but gives additional insight about the vulnerability
How should CVSS be used in risk analysis?
CVSS != risk, so don’t use it directly as risk value
A high CVSS does not necessary mean a high risk likelihood. or impact.
Name some exploitability metrics used in the Base group of CVSS
Attack vector (network, adjacent, local, physical)
Attack complexity (low, high)
Attack requirements (any circumstances required, can the attack be done at any time)
Privileges required (none, low, high)
user interaction (do we need the victim to do anything)
Name some impact metrics used in the Base group of CVSS
Vulnerable system confidentiality, integrity, availability: How are these dimensions affected by the attack?
Subsequent system confidentiality, integrity, availability: Do we impact other systems, other than the one we are attacking?
Name metrics in the Threat matric group
Exploit maturity
Whether this vulnerability has been proven, or used/doable, POC (proof of concept, theoretical)
Name some metrics in the supplemental metric group
Automatable (are we able to automate the attack)
recovery
safety
value density (is it a focused attack or not)
Vulnerability response effort
Provider urgency (how urgent is it to fix the issue)
Give an example of a scenario that could get a CVSS score
After login to inspera, you find out that you can manipulate the URL to change the user ID and get read access to exercises of other students
What type of attackers are hard to defend against?
Irrational attackers
These are not motivated by economic profits, have other motivations
