7. Managing Risk

  • Threats and Threat Vectors
    • Natural Threats – “I AM A HURRICANE”
    • Malicious Human Threats – “Muahahahaa”
    • Accidental Human Threats – “Whoops!”
    • Environmental Threats – Long term power failure leading to chemical spills, etc
    • Malicious Insider Threat
      • Someone with legitimate access to internal resources who seeks to exploit them
      • Hence, least privilege.
    • Threat Assessments
      • How likely are specific things, and what will cause the most harm?
      • Vulnerabilities
        • Lack of Updates
        • Default Configurations
        • Lack of Malware Protection
        • Lack of Firewalls
        • Lack of Organizational Policies
        • Just because it hasn’t been attacked, doesn’t mean it’s not vulnerable. Audit regularly and look for new things each time.
      • Risk Management
        • Risk Avoidance – Don’t participate in risky activity or opt not to provide a risky service
          • If something requires you to open several insecure ports, ask yourself if it’s worth it
        • Risk Transference – Can you share the risk with another entity, or put it on their lap?
          • Insurance, outsourcing, etc
        • Risk Acceptance
          • Would it be more expensive to protect the device than the device is worth?
          • What’s the real cost of a loss, vs the cost of the protection
        • Risk Mitigation
          • Reduce the likelihood or impact of the risk by putting controls in place (keeping technology patched and up to date, for example)
        • Risk Deterrence
          • Security controls make it harder to attack you, and make you a less appealing target
        • Risk Assessment
          • Identify assets and their values
          • Identify threats and vulnerabilities to the highest value assets
          • Set recommendation for what controls will mitigate those risks
          • These assessments should change as conditions do
          • Quantitative Risk Assessment
            • Lists the specific monetary value of assets vs specific cost of mitigating controls
            • Single Loss Expectancy (SLE)
              • Cost of a single loss
            • Annual Rate of Occurrence (ARO)
              • How often will that loss occur in a year?
            • Annual Loss Expectancy (ALE)
              • SLE × ARO = ALE
            • Compare the ALE to the annual cost of the mitigating control. How much do you spend to avoid how much loss?
            • Qualitative factors might still say that even though the protection costs a little more, it’s worth it (for privacy, the company’s reputation, etc.)
          • Qualitative Risk Assessment
            • Judge based on probability and impact
            • Probability: how likely the threat is to actually occur
            • Impact includes loss of confidentiality, integrity, or availability of system data
            • You might use a host of experts in a focus group to determine the risk and impact
            • You can assign numbers on a 1-10 scale to make it easier to assess risk
          • Documenting the Assessment
            • File a report including the numerical risk values and recommended solutions
            • Management can review these reports to make final decisions
            • A final report can document what risks were accepted vs. mitigated
            • DO NOT let an attacker get these reports
          • Metrics to Assess Risk
            • Mean Time Between Failure (MTBF) – System’s reliability in hours. Lists average hours between failures.
            • Mean Time To Failure (MTTF) – Length of time a device can be in service before it fails. Primarily indicates a device that cannot be repaired.
            • Mean Time To Recover (MTTR) – Average length of time to restore a system
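The quantitative assessment above, carried through in code. This is an added example, not part of the original notes: the asset values, control costs and the fraction by which each control reduces SLE or ARO are all constructed for illustration, and the low/medium/high bands on the 1-10 qualitative scale are an assumed convention.

```python
"""Quantitative risk assessment with the terms from the notes (SLE, ARO, ALE) and
the cost/benefit comparison behind a mitigate-vs-accept decision.
Added example: every figure below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # Single Loss Expectancy: cost of one loss event
    aro: float  # Annual Rate of Occurrence: expected loss events per year

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_reduction: float = 0.0  # fraction of occurrences the control prevents (assumed)
    sle_reduction: float = 0.0  # fraction of per-loss cost the control removes (assumed)

    def residual(self, risk: Risk) -> Risk:
        """The risk that remains with this control in place (the reductions are
        assumed to act multiplicatively on SLE and ARO)."""
        return Risk(risk.name,
                    risk.sle * (1 - self.sle_reduction),
                    risk.aro * (1 - self.aro_reduction))


def net_benefit(risk: Risk, control: Control) -> float:
    """ALE before minus ALE after minus the control's annual cost.
    Positive means the control saves more than it costs."""
    return risk.ale - control.residual(risk).ale - control.annual_cost


def recommend(risk: Risk, controls: list) -> tuple:
    """('mitigate', control name, net benefit) for the control with the largest
    positive net benefit, or ('accept', None, 0.0) when none pays for itself."""
    scored = sorted(((net_benefit(risk, c), c.name) for c in controls), reverse=True)
    if not scored or scored[0][0] <= 0:
        return ("accept", None, 0.0)
    benefit, name = scored[0]
    return ("mitigate", name, benefit)


def qualitative_rating(probability: int, impact: int) -> tuple:
    """Qualitative scoring on the 1-10 scales from the notes: probability x impact,
    banded as low/medium/high (the band thresholds are an assumed convention)."""
    score = probability * impact
    band = "high" if score >= 50 else "medium" if score >= 20 else "low"
    return score, band


def example_assessment() -> dict:
    """Two constructed risks: one worth mitigating, one cheaper to accept."""
    laptop_theft = Risk("Laptop theft", sle=5_000, aro=4)      # ALE = 20,000
    old_printer = Risk("Old printer fails", sle=300, aro=0.5)  # ALE = 150
    laptop_controls = [
        Control("Cable locks", annual_cost=500, aro_reduction=0.5),
        Control("Full-disk encryption", annual_cost=3_000, sle_reduction=0.8),
        Control("24x7 guard", annual_cost=60_000, aro_reduction=0.95),
    ]
    printer_controls = [Control("Service contract", annual_cost=400, aro_reduction=0.9)]
    return {
        "laptop_ale": laptop_theft.ale,
        "laptop_decision": recommend(laptop_theft, laptop_controls),
        "printer_decision": recommend(old_printer, printer_controls),
        "qualitative": qualitative_rating(probability=7, impact=9),
    }


if __name__ == "__main__":
    for key, value in example_assessment().items():
        print(f"{key}: {value}")
```

Note what the numbers say: the guard prevents the most thefts but costs more than the whole ALE, so it loses to full-disk encryption, which leaves thefts happening but makes each one cheap; and the printer is a textbook risk acceptance, because the service contract costs more per year than the expected loss.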

Checking for Vulnerabilities

Anatomy of an Attack

  • Reconnaissance on the larger target, then homing in on details (fingerprinting) of individual targets.
  • Identifying IP Address of Targets
    • Starts with Geographic Location
    • Use an ICMP sweep (ping scanner) to identify operational systems in an address range
    • It’s possible to block ICMP at a firewall to defeat ping scanners, though scanners can fall back to TCP probes against common ports to find live hosts
  • Identifying Open Ports with a Port Scanner
    • By noting open ports, you know what protocols and applications are likely in use
    • Advanced Scanners send further queries to some known ports to make sure a protocol is running and find out more info about the system
    • For instance, an HTTP response can tell you whether the server is Apache or IIS
    • Nmap, Netcat, and Nessus all include port scanning abilities, and sec professionals use them to perform self-analysis
  • Fingerprint System
    • Sends specific protocol queries to identify what OS is running based on details of query responses
    • Banner Grabbing
      • Gain info about a service running on an open port
      • For example, telnet to a web server on port 80 and type an HTTP request; the response headers come back with things like the server type and version (sometimes the OS too), content type and time
    • Identifying Vulnerabilities
      • Once you have the fingerprint details, focus expertise and research on that specific infrastructure (the software, versions and platform you identified)
      • You can test input validation, try default accounts, and use vulnerability scanners to identify missing patches
    • Attack
      • Once everything is planned, attackers try to move quickly so nothing can be patched or updated, and so that it’s harder to detect them. They’ll smash and grab, trying to get as much as possible before they’re blocked out
    • APT – Advanced Persistent Threats are very real, and can be government funded, well-organized, and resourceful. They have the skills and patience to break through most defenses given enough time.
      • This is why it’s important to segment traffic and data, limit user permissions, and train people to avoid malware. Attacks are very reasonably possible, so you must limit the damage that can be caused by a single attack.
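The port-scan and banner-grab steps above, as an added example that is not from the notes. It starts a throwaway HTTP server on loopback so the scan has a target and runs offline; against a real target you would reach for Nmap or Netcat, but this shows what those tools do underneath: a TCP connect per port, then a raw HTTP request whose response headers hand over the server banner.

```python
"""Connect scan plus HTTP banner grab against a local throwaway target.
Added example; the target server is constructed here, not a real host."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def tcp_connect_scan(host: str, ports, timeout: float = 0.5) -> list:
    """Return the subset of `ports` that accept a TCP connection (a basic connect scan)."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_http_banner(host: str, port: int, timeout: float = 2.0) -> dict:
    """Send a minimal HEAD request and return the status line plus headers
    (lower-cased names). This is the 'telnet to port 80' trick done in code."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    raw = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        while b"\r\n\r\n" not in raw:
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {"status": lines[0]}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


class _TargetHandler(BaseHTTPRequestHandler):
    """Constructed target. send_response() adds 'Server:' and 'Date:' headers on its
    own, which is exactly what a banner grab harvests from a real server."""

    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()

    do_GET = do_HEAD

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_target():
    """Start the loopback HTTP server on an ephemeral port; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _TargetHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo() -> tuple:
    """Scan the target's port and grab its banner; returns (port, open_ports, headers)."""
    server, port = start_target()
    try:
        found = tcp_connect_scan("127.0.0.1", [port])
        banner = grab_http_banner("127.0.0.1", port)
    finally:
        server.shutdown()
        server.server_close()
    return port, found, banner


if __name__ == "__main__":
    port, found, banner = demo()
    print("open ports:", found)
    print("status:", banner["status"])
    print("Server header:", banner.get("server"))
```

The `Server:` value that comes back names the software and its version (Python's own `BaseHTTP/0.6 Python/3.x` here), which is the detail an attacker uses to go looking for version-specific weaknesses and the reason many hardening guides tell you to suppress or genericise that header.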

Vulnerability Assessment

  • Use vulnerability scanners, port scanners, etc
  • Identify assets and risks
  • Prioritize what mitigating factors you’ll use
  • Vulnerability Scanning
    • Identifies Vulnerabilities
    • Identifies Misconfigurations
      • Open Ports
      • Weak Passwords
      • Default accounts and pws
      • Sensitive Data – DLP
      • Security and Configuration Errors
    • Passively Tests Security Controls
      • Identifies only, does not exploit
      • Does not interfere with normal operations until an admin can assess
    • Identifies Lack of Security Controls
      • Lack of patches or antivirus
    • Other Assessments
      • Checking for tailgating spots, social engineering risks, etc
      • See whether employees will give out passwords when someone simply asks for them
      • Baseline Reporting
      • Code Review
      • Attack Surface Review
      • Architecture Review
        • Is a database accidentally in a DMZ? Add a firewall
      • Design Review
        • How do apps interact? What’s the building layout?
      • Credentialed v Noncredentialed
        • Scanners can run with a variety of credentials to see the risk at different levels of user access
      • Penetration Testing
        • Tries to exploit vulnerabilities to detect impact of an attack
        • You can also use this to see how a company will respond in case of an emergency
        • Verify a Threat
        • Bypass Security Controls
        • Actively Test Security Controls
        • Exploit Vulnerabilities
        • A tester playing the attacker could try SQL injection to get credentials, then use those credentials to break in further and see how far they get
        • This can disrupt daily ops, but is very informative
      • White, Gray, Black Box testing
        • Black Box – Testers have 0 knowledge of environment just like an attacker
        • White Box – Full knowledge of environment and documentation
        • Gray Box – Testers have partial knowledge of the environment
      • Obtaining Consent
        • Don’t pentest without consent in writing.
        • Use a “rules of engagement” doc
      • Passive v Active Tools
        • Vuln scanning is PASSIVE
        • Pentesting is ACTIVE
      • Continuous Monitoring
        • CONSTANT VIGILANCE
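The credential-theft SQL injection mentioned under penetration testing, shown as an added example (not code from the notes) in a vulnerable form next to its parameterised fix. It uses an in-memory SQLite database; the `users` table, the two accounts and the injection payload are constructed for the demo.

```python
"""Login query built by string formatting (injectable) versus bound parameters.
Added example with a constructed in-memory SQLite database."""
import hashlib
import sqlite3


def _hash(password: str) -> str:
    # Unsalted SHA-256 only keeps the demo short; real code should use a slow,
    # salted password hash such as bcrypt, scrypt or Argon2.
    return hashlib.sha256(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    """Constructed target database with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    for user, pw in (("alice", "correct horse battery"), ("admin", "hunter2")):
        conn.execute("INSERT INTO users VALUES (?, ?)", (user, _hash(pw)))
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Builds the query by string formatting, so the username is parsed as SQL."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND pw_hash = '{_hash(password)}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, username: str, password: str):
    """Binds both values as parameters; the driver never treats them as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, _hash(password)),
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    conn = build_db()
    # Closing the quote and opening a SQL comment (--) drops the password check:
    #   ... WHERE username = 'admin' --' AND pw_hash = '...'
    payload = "admin' --"
    return {
        "vulnerable_with_payload": login_vulnerable(conn, payload, "anything"),
        "hardened_with_payload": login_hardened(conn, payload, "anything"),
        "hardened_real_creds": login_hardened(conn, "alice", "correct horse battery"),
        "hardened_wrong_password": login_hardened(conn, "alice", "nope"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The vulnerable function logs the tester in as `admin` without knowing the password; the hardened one treats the same payload as a literal username that does not exist. That is the finding a pentest report would carry, along with the fix: parameterise every query, and never build SQL from user input.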

Identifying Security Tools

  • Sniffing with a Protocol Analyzer
    • Captures and analyzes packets sent over a network
    • Can be used by admins or attackers
    • Any exposed cabling or unused switch port gives an attacker a place to plug in and capture traffic
    • Wireshark is a free protocol analyzer you can use
    • Analyzing packets is tedious, but full of info
    • A NIC must be in promiscuous mode to capture all traffic: it then accepts frames that aren’t addressed to its own MAC. On a switched network you also need a mirror/SPAN port or a tap, since the switch only delivers each host’s own traffic to it
  • Routine Audits
    • Double checks to ensure everything is at baseline and rules are being followed
  • User Reviews
    • Ensure least privilege is being followed and users aren’t accessing what they shouldn’t
    • Privilege Creep and Inactive Accounts are both threats
    • If someone keeps transferring departments and getting new access, does anyone ever clear the old access?
    • Role-based privileges make this easier to manage
  • Monitoring Events with Logs
    • Don’t waste disk space, log what’s important.
    • Operating System Event Logs
      • Security Log
        • Includes logons/logoffs and resource access
        • You can configure auditing to denote what should be logged
      • Application
        • Records events logged by apps or errors
      • System
        • Starts, shutdowns, services starting or stopping, drivers loading or failing
    • Firewall and Router Access Logs
      • Packet sources and destinations including IPs, ports, MAC addresses
    • Antivirus Logs
    • Application Logs
    • Performance Logs
    • Reviewing Logs
      • NetIQ has a suite of apps that will review logs on multiple servers and computers
      • Notes ‘of interest’ events and sends up an alert
      • Likely centralizes logs beyond individual hosts