Xem mẫu
- Risk Management
The Big Picture – Part VI
Risk Assessment and Auditing
Information Risk Management - SANS ©2001 1
Now that we know the tools and the primary concepts, this part of the course is designed to help you
pull everything together. This section is especially important if you need to present security
proposals to management. Your next slide, titled Risk Management – Where do I Start presents the
roadmap we showed you almost at the beginning of the course. We will bet you have a much clearer
idea of how to analyze risks and establish a security infrastructure at this point. Let’s go take a look
at the roadmap!
6-1
- Risk Management – Where do I
Start?
• Write the security policy (with business input)
• Analyze risks, or identify industry practice for due
care; analyze vulnerabilities
• Set up a security infrastructure
• Design controls, write standards for each technology
• Decide what resources are available, prioritize
countermeasures, and implement top priority
countermeasures you can afford
• Conduct periodic reviews and possibly tests
• Implement intrusion detection and incident response
Risk Management: The Big Picture SANS ©2001
Information Risk Management - - SANS ©2001 2
This slide is the result of a long international flight. Several top experts in information security were
on the plane and this is the roadmap they developed. So far in the entire course, we haven’t read a
slide to you so please relax and listen:
• Write the security policy (with business input)
• Analyze risks, or identify industry practice for due care; analyze vulnerabilities
• Set up a security infrastructure
• Design controls, write standards for each technology
• Decide what resources are available, prioritize countermeasures, and implement top priority
countermeasures you can afford
• Conduct periodic reviews and possibly tests
• Implement intrusion detection and incident response
Students that complete Security Essentials certification are well on their way to accomplishing each
of these tasks, you will learn how to do policy and about the tools you can use for controls and tests.
As we enter this last section, we are going to change our approach. So far in the courseware you
have seen a lot of tools, now let’s work to bring these tools into a framework for risk management.
6-2
- The Three Risk Choices
• Accept the risk as is
• Mitigate or reduce the risk
• Transfer the risk (insurance model)
Risk Management: The Big Picture SANS ©2001
Information Risk Management - - SANS ©2001 3
It is critical to have an understanding of risk management to properly choose and deploy intrusion
detection and response assets. To manage risk, one must be able to assess it. In this section of the
course we will cover the basic theory of risk assessment. We will also talk about three methods of
risk assessment: Qualitative, quantitative, and knowledge-based (also known as best practices).
Whether or not we explicitly choose, we have exactly three options and we do choose between:
Acceptance, mitigation, and transference.
When we accept the risk, this means we make no changes in policy or process. This decision means
that we judge the risk of a given threat to be inconsequential in the greater scheme of things.
If we feel the threat is significant and could cause harm to our business or enterprise, then we have
the option of taking action to protect operations by reducing the risk. A firewall or system patch are
obvious examples of risk mitigation.
Transferring the risk is sometimes a workable technique. The classic example is to buy insurance.
This means that you do not have to fully protect yourself against a catastrophic threat. Instead, for a
fee you pass this risk to a risk broker that insures you up to some limit against the threat. A real
world example of this is hacker insurance. The insurance company still expects you to have a
firewall and patches, but insures you should these fail.
6-3
- Risk Management Questions
• What could happen? (what is the threat)
• If it happened, how bad could it be? (impact
of threat)
• How often could it happen? (frequency of
threat - annualized)
• How reliable are the answers to the above
three questions? (recognition of
uncertainty)
Risk Management: The Big Picture SANS ©2001
Information Risk Management - - SANS ©2001 4
In order to decide between the choices (accept, mitigate, or transfer risk) we want to make, we
analyze the risk to better understand it.
What exactly are we afraid of? What is it - can we name it specifically or is it just a vague, uneasy
feeling?
If the threat is successful, how bad will it hurt? What is the probable extent of the damage?
How often is this likely to occur? Is this more like a hundred year flood, or a hot day in Biloxi,
Mississippi? We are more willing to accept the risk of a threat that is not likely to happen often.
But, if something can damage us on a daily basis, this is a significant problem.
Finally, how do we know? In the cyberworld, how accurate are our risk calculations when new
program or operating system vulnerabilities are discovered weekly?
6-4
- Risk Requires Uncertainty
If you have reason to believe there is no uncertainty,
there is no risk. For example, jumping out of an airplane
two miles up without a parachute isn’t risky; it is suicide.
For such an action there is a 1.0 probability you will go
splat when you hit the ground and almost 0.0 probability
you will survive.
Probability ranges between 0.0 and 1.0 though people
often express it as a percent.
Risk Management: The Big Picture SANS ©2001
Information Risk Management - - SANS ©2001 5
Jumping out of an airplane with a parachute involves risk. If you were to try the James Bond stunt of
jumping out of an airplane without a chute, you are committing suicide, but you aren’t doing
anything risky. Risk involves uncertainty. Let’s tie this back to the information assurance world.
If you run a DNS server that has known vulnerabilities and is neither patched nor shielded by the
perimeter, it is certainly going to be compromised. It might not happen in a single day, but it will
happen over the course of a year. In the same way that gravity is the compelling reason jumping
from a plane without a chute is near-certain death, the continuous probing and poking of exposed
systems on the Internet is the compelling reason the box will be compromised. So what? How bad
can a compromise be? Well, once they compromise the box they have the ability to manipulate the
addresses associated with the names of the network entities (such as computers) at your site. These
names and addresses are often used to identify which computers are allowed to access other
computers - your organization’s trust model. If you have valuable assets, that may be what
happens. Or they may just create weird system domains and hit systems all over the Internet, giving
your organization a bad name.
6-5
- What is an Unacceptable Risk?
• You can define the threat.
• If it happened, it would be bad. (high
impact)
• If one shot didn’t kill you, and then it
hit you again and again. (frequent
threat)
• There is high certainty the threat exists,
it is high impact, and potentially could
occur multiple times.
Risk Management: The Big Picture SANS ©2001
Information Risk Management - - SANS ©2001 6
So, it would seem that running an unpatched, unshielded DNS server is not an acceptable risk. To
have an unacceptable risk, there has to be a defined threat. They will compromise the DNS server,
most likely via a buffer overflow. How bad would it be? If they chose to manipulate the trust model
and had several days to work without being detected - such as over the Christmas holidays - they
could make considerable headway at owning the entire organization’s information assets. You might
never get them dislodged. What if they chose simply to use your box to attack others?
People are usually forgiving if it only happens once, but there are domains that have been
compromised a number of times. These are not usually respected and may even be blocked. One of
the classics is the Brazilian Research Network. This loose group of addresses has been the source of
hundreds and hundreds of attacks against Internet hosts. The price? Besides being a standing joke,
legitimate users continue to find their access blocked.
6-6
- Single Loss Expectancy
(SLE - one shot)
• Asset value x exposure factor = SLE
• Exposure factor: 0 - 100% of loss
to asset
• Example Nuclear bomb/small town
($90M x 100% = $90M)
Risk Management: The Big Picture SANS ©2001
Information Risk Management - - SANS ©2001 7
How much financial loss am I willing to accept in a single event? It all comes down to money in the
end. When considering one shot, or Single Loss Expectancy (SLE), we consider the value of the
information resource asset. Example: A company’s top salesman accounts for 25% of their $40
million in revenue, or $10 million. His client contact list and fee schedule is stored on his laptop and
is not encrypted. If it fell into the wrong hands it would be worth at least 10% of its value to the
competition ($1 million) and possibly more if they can finesse the information. So we find we can
calculate a minimum approximate SLE, but there is uncertainty as to a maximum value.
Another example: An author takes a royalty of $100,000 to write a book. He receives partial
payments every 25% of the project. What is the SLE if his hard drive crashes at the 70% mark and
the data is not recoverable? $25,000 x 80% or $20,000, unless he has been sending chapters in as
they are done.
6-7
- Annualized Loss Expectancy
(ALE - multi-hits)
• SLE x Annualized rate occurrence = Annual
Loss Expectancy (ALE)
• Annual loss is the frequency the threat is
expected to occur
• Example, web surfing on the job
– SLE: 1000 employees, 25% waste an hour per
week surfing, $50/hr x 250 = $12,500
– ALE: They do it every week except when on
vacation: $12,500 x 50 = $625,000
Risk Management: The Big Picture SANS ©2001
Information Risk Management - - SANS ©2001 8
If you are screaming, “But what if??”, relax - we understand. Again, a main point of the chapter is
uncertainty, this is what drives the “what ifs”. The key question, however, is how much continuing
risk am I willing to accept?
Even if you can survive a given event (possibly sadder but wiser) can you survive it six times? This
is the notion of annualized risk. It applies well to shoplifting. We expect to lose 9% of revenue over
N occurrences.
The information about expected losses due to cyber attacks is much harder to come up with, as
organizations do not tend to share this type of information so it is only available in the micro-view of
a given organization.
6-8
- Qualitative - Another Risk
Assessment Approach
• Banded values: High, medium, low
• Asset value and safeguard cost can
be tied to monetary value, but not
the rest of the model
• Very commonly used
Risk Management: The Big Picture SANS ©2001
Information Risk Management - - SANS ©2001 9
For most applications the best approach is the financial one, with the exceptions of critical systems
(such as nuclear plant control) and weapon systems. However, it does take a lot more effort to
quantify what the value of things are, and so the qualitative approach is far more popular.
The single biggest problem with the qualitative approach is in the implementation - people tend to
mark “low risk” even if it is other than that. Or they mark “medium” or “high” for their pet peeves
as opposed to actually calculating the risk.
6-9
- Quantitative vs. Qualitative
• Qualitative is easier to calculate, but its
results are more subjective
• Qualitative is much easier to accomplish
• Qualitative succeeds at identifying high
risk areas
• Quantitative is far more valuable as a
business decision tool since it works in
metrics, usually dollars
Risk Management: The Big Picture SANS ©2001
Information Risk Management - - SANS ©2001 10
The main point between the two approaches is that qualitative is much easier and when done well,
can certainly identify the areas that need attention. This is because as soon as an area is marked high
risk, you know you need to look into it.
There is still another approach to risk assessment. This is the knowledge-based or best practices
approach. There is much more up-front work required to implement this, but the results are more
accurate and consistent.
6 - 10
- Best Practice Risk Assessment
• System administration is a high-
turnover job for large organizations,
which affects continuity
• System administrators tend to be
focused on having the “trains run on
time”
• Security configuration may not be
understood or implemented
Risk Management: The Big Picture SANS ©2001
Information Risk Management - - SANS ©2001 11
In many organizations, there is a large amount of staff rotation and employee turnover, particularly
in the fields of system administration and network security. This fact, combined with the need to
simply keep the systems up and running with a minimum support staff, leads to dangerous situations
where security and safety are often neglected.
A best practice risk assessment can help an organization that does not have the in-house ability to
perform a more formal risk assessment. This type of risk assessment is based on checklists built by
the consensus of many security professionals. New automated tools make these risk assessments
simple and easy to perform by most system administrators.
6 - 11
- Best Practice
• No single organization or person is
likely to produce best practice
• Consensus of many organizations
and stringent review will
• Examples:
– SANS Research Consensus Projects
– Center for Internet Security
Risk Management: The Big Picture SANS ©2001
Information Risk Management - - SANS ©2001 12
One of the powerful ideas that is developing is the use of consensus tools to test and score the
security of a system. In this case we will look at a level 1 test. A level 1 test is one that everyone
ought to be able to pass if they are running their system at an acceptable risk.
6 - 12
- Risk Management: The Big Picture SANS ©2001
Information Risk Management - - SANS ©2001 13
We have downloaded the Windows 2000 tool from the Center for Internet Security,
www.cisecurity.org and run the test. As you can see, we have a bit of work that we need to do.
Your next slide is from Microsoft Update. Let’s download the critical fixes, reboot a few times, and
see how we are doing.
6 - 13
- Risk Management: The Big Picture SANS ©2001
Information Risk Management - - SANS ©2001 14
This shot is Microsoft’s web site. We expect that everyone knows about update, but as you will see,
getting a perfect score just isn’t that simple.
6 - 14
- Risk Management: The Big Picture SANS ©2001
Information Risk Management - - SANS ©2001 15
Even after downloading all the Security patches that Microsoft has on the update site, the scoring
tool tells us we need to pick up two more. If we select the 'Hotfixes Needed' button we can get the
names of the missing patches. Also, you will notice that we have a zero score for restrict
anonymous. This is a big problem for Windows computers, so we will fix this next.
6 - 15
- Risk Management: The Big Picture SANS ©2001
Information Risk Management - - SANS ©2001 16
To get to this screen, we have gone to Start Programs Administrative Tools Local Security
Policy Security Options. The current setting on the system is to allow anyone to enumerate all the
information about our system. This would allow even more detailed reconnaissance than the
example that we looked at with the Mitnick attack. Therefore we will disable this. On the next slide
you see the Local Security Policy after rebooting.
6 - 16
- Risk Management: The Big Picture SANS ©2001
Information Risk Management - - SANS ©2001 17
Now as you can see, we have disabled trivial enumeration of our system.
6 - 17
- Risk Management: The Big Picture SANS ©2001
Information Risk Management - - SANS ©2001 18
After we went in and changed the restrict anonymous setting to 2, which increased the security, our
score increased to a 3.3. There’s more to be fixed, like the two additional hotfixes, but we’ll move
along to our next best practice, the SANS Securing Windows NT Step-by-step booklet.
6 - 18
- SANS’ Securing NT SBS
* Action 3.1.1 Disable the display of the last logged on username by setting the
following registry value. If the value does not already exist, it must be created. With REGEDT32 this
is done with the Edit menu, Add Value. Enter the Name "DontDisplayLastUsername” exactly as
shown and then use the String Editor to enter a "1". Also, you can use the C2 Configuration
Manager from the NT Resource kit instead of using REGEDT32.
Hive: HKEY_LOCAL_MACHINE
Key: Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: DontDisplayLastUsername
Type: REG_SZ
Value: 1
Note: In some situations it might be preferable to allow the display of the last logged
on user. Certain users may not be able to remember their user name, and this would keep the
administrator from having to tell them each time they logged on. Another reason to display the last
logged on username is because it will quickly let you know if someone else logged onto the
machine. Not displaying the last logged on user name will only keep novice hackers from finding
out which users exist on the machine. It is trivial for a determined hacker to get that information.
Therefore, many administrators do not bother hiding the last logged on user name.
Risk Management: The Big Picture SANS ©2001
Information Risk Management - - SANS ©2001 19
A similar project - also a community development effort - is the SANS Securing Windows NT Step-
by-step booklet. This is on its third revision and the current editors are Jason Fossen and Stephen
Northcutt.
6 - 19
- Windows 2000 Checklist
• Checklist approach designed for two
persons (check and double check) to
configure an Windows 2000 system to
at least minimal acceptable security
• Draws on SANS’ Securing Windows
2000 Step-by-step
• 80/20 rule applies
Risk Management: The Big Picture SANS ©2001
Information Risk Management - - SANS ©2001 20
Every pilot understands the effectiveness of checklists. A checklist is used to make sure the
helicopter or plane is ready to take off and also used before landing. One crew member reads the
item, the other verifies it, and states that it is correct. This is a powerful technique and prevents you
from doing something stupid like trying to take off without your wings attached to your airplane, and
yes, it really has happened!
This check and double check technique is crucial for knowledge-based risk assessment. One person
who knows security and risk in general and another that knows the specific technology make the
ideal team to work with the system owner to evaluate the system.
Let’s look at a specific example of a checklist from the Naval Surface Warfare Center. These have
been developed for a number of operating systems, but we will examine part of one developed for
Windows 2000. This and the previous project are related to one another. The main difference is that
in the SBS booklet the detailed information is shown up front, and is in the help files on the NSWC
checklist.
6 - 20
nguon tai.lieu . vn
