Building and running a security program
Teklebrhan W/Aregay
15/11/2012

Building and running risk management program

• Understand threat and vulnerability management

• Security risk reviews

• A blue print for security

• Building a program from scratch


Threat and vulnerability management

• Building blocks

• Threat identification

• Advisories and testing

• An efficient workflow

• The FAIR approach


๏ Building blocks
✓ Build a threat and vulnerability management (TVM) program, or TVA, that deals with:
➡ processing new vulnerability notifications,
➡ keeping up to date on the news and reports of the latest emerging threats,
➡ scanning the environment for vulnerabilities and unauthorized services,
➡ reviewing the results of penetration tests, and working with the operational teams to ensure that security patches are being rolled out.
✓ Sources of information to build a TVM program:
➡ Vendor announcement of a new critical vulnerability
➡ SANS Internet Storm Center diary
➡ Your SW inventory
➡ Failed attempts from web server logs
✓ Program essentials:
➡ Take a strategic approach by starting small
➡ Establish a program to cover a very small scope
‣ For example, start with a handful of Internet-facing servers or even just one workstation and iron out any hiccups in the process before you expand the program to tackle the entire organization.
‣ Most risk models will grow and can be revised over time
➡ Start with the following TVM development steps:
‣ Establish an asset inventory
‣ Profile your environments (sensitivity)
‣ Define your risk scales
‣ Define a workflow for assessing vulnerabilities
‣ Establish an asset inventory
- Assign business owners and custodians
‣ Profile your environments (sensitivity)
- Before any risk analysis can be performed, a risk sensitivity score for each resource/environment needs to be assigned (profiling).
- That helps the business owner rate the resource's importance to the organization from an information security perspective and relative to the enterprise environment.
- Start with the question: which resources are critical to the functioning of the business?
- Decide your focus: either your most prevalent asset type (for example, a Windows desktop), the asset type that is most exposed to threats (for example, laptops and other mobile devices), or the most sensitive asset.
- When an activity is so operational and vulnerability focused, the magnitude of the applicability will often outweigh the importance of any one asset. That is, the percentage of systems that are vulnerable can sometimes increase the likelihood so much that it makes the sensitivity of the asset irrelevant.
‣ Define your risk scales
- Define the qualitative risk scales for assessing the severity and likelihood of a given threat/vulnerability pair.
- These scales will vary based on your organization and the maturity of your program.
‣ Define a workflow for assessing vulnerabilities
- You need to define the workflow for processing any newly identified risks.
- How you implement this workflow is probably the single biggest factor for the success of your program.
- If you overwhelm the Subject Matter Experts (SMEs) or don't provide them with actionable data, then the TVM program will fall flat on its face.
✓ Asset and Data Inventory
➡ A critical step in building a security program
➡ At a minimum, you will want to capture this basic data in your inventory:
- System Type and Version
- Software (including Version)
- Physical and Logical Location
- Logical Network Addressing
- Owner
- Resource Administrator
- Data Sensitivity
➡ Asset and data inventory
- What do you do if you don't have a central database of digital assets? How are you going to build your data and asset inventory?
‣ Vulnerability scanning
‣ Use infrastructure devices: DHCP, DNS, NAC
‣ Vendors (licensing)
‣ Records of technology purchases
‣ Scans of your environment, passively monitor communications, interview business owners, and so on.
➡ Resource Profiling
‣ You must first assign sensitivity ratings for the resources in question.
- Focus on the resources on which the organization depends in order to function,
- the resources with the most sensitive data, or even those that are the most visible to the public
‣ Critical attributes to rate risk sensitivity of assets:
- General description
- Function and Features
- Information Classification
- Criticality to Organization
- Applicable Regulations
- User Community
‣ Two common ways to approach sensitivity ratings for a TVM program:
- Look at each category of asset (for example, printer, PC, server, network device, and so on) and assign each an overall sensitivity value,
- Assign sensitivity ratings environment by environment (for example, research lab, Web server farm, sales laptops/mobile devices, backup servers/network)
‣ When you start assessing your assets, try the simple Low-Moderate-High scale
‣ To keep things in perspective, remind yourself that if a hacker compromised your central network switch or router, that would be much worse for the organization than a compromise of any one desktop or laptop.
‣ As you rate the assets in your organization, it can be helpful to keep reminding yourself that you aren't evaluating their risk exposure, but just their sensitivity to risk.
๏ Threat identification
✓ Threat?
‣ Describes a source of an exploitation
‣ Has the potential to harm the resource
‣ Is anything capable of acting against an asset in a manner that can result in harm.
‣ A threat source can take many forms, from a targeted attack to an infrastructure failure
✓ Ways to evaluate threat exposure
‣ You might focus on the aspects of threat that would affect the likelihood of an exposure (such as the sophistication of the attacker or the size of the threat universe)
‣ You might be more interested in the aspects of threat that affect the severity of a vulnerability (such as whether a threat is external or internal)
‣ Look at threat intelligence reports that can help you to profile the vectors, motivations, and common frequencies for reported or observed threat activity
‣ Use the data most pertinent to your organization by gathering statistics about the security incidents that have been observed within your own environment
✓ Threat Data Sources
‣ CSI Computer Crime and Security Survey
‣ Symantec Internet Security Threat Report
‣ Sophos Security Threat Report
‣ Trend Micro Future Threat Report
‣ Verizon Business Data Breach Investigations Report
‣ Connect with the anti-malware vendors
‣ Use companies that provide managed security monitoring and response services
‣ You might also use resources like the CERT
‣ Build your own research center
๏ Advisories and testing
‣ You need to have a comprehensive risk model and solid criteria in place for each risk qualification level.
✓ Rating vulnerabilities
‣ You need to know how to analyze a vulnerability report for details that affect both the likelihood and the severity of the potential exposure.
‣ Consider some of the following questions:
- Is the vulnerability applicable in our environment?
- Is there a virus or IDS signature for it?
- Does it require tricking a user to be effective?
- Is authentication required prior to exploit?
- Does it affect servers, as well as desktops?
- How widely deployed is the vulnerable software or system?
- Does it allow a limited scope of control or arbitrary code execution?
‣ Analysts must choose the most appropriate severity and likelihood ratings for each vulnerability or combination of vulnerabilities.
‣ Qualitative Vulnerability Severity Scale
- The severity scale can have 4 or 5 levels
- The scale must be built on criteria that are pertinent to the specific need
- Founding points to set criteria are:
➡ Threat source? internal/external, size
➡ Level of security controls?
➡ The motivation and capability of the threat?
➡ Exposure level/attack vector?
✓ Analyzing a vulnerability notification
‣ You will need to determine in advance how many risk levels you will have, what variables your risk formula will include, and which criteria you will use to categorize vulnerabilities at each level.
‣ Analysis of a new vulnerability advisory is a fundamental function in information security and a major focus of a TVM program.
‣ The need for risk analysis stems from the need to prioritize vulnerabilities
‣ For this, you need clear and repeatable criteria for both severity and likelihood
‣ The trick is to use a common set of guidelines to help analysts consistently rate the risk of new vulnerabilities to your particular environment
‣ Management needs to be comfortable that the vulnerabilities are being rated consistently regardless of the experience level or background of the particular analyst.
‣ The risk model distinguishes between sensitivity, severity, and likelihood.
- The sensitivity is going to differ based on the resource in question (for example, servers have high sensitivity, whereas desktops have moderate sensitivity).
- Likewise, the likelihood will depend on the details of your environment (for example, strong malware detection and proven user awareness could make the likelihood Low, but the lack of these controls could make it Moderate).
- Example: Adobe Acrobat and Reader Multiple Remote Code Execution Vulnerabilities. Initial Risk Rating: High
Multiple vulnerabilities in Adobe Reader 9 and Acrobat 9 could allow remote attackers to crash the application or potentially control affected systems. According to the vendor, one of these issues (JBIG2 input validation) is currently being exploited and could potentially lead to remote code execution.
- Assuming a 4-level (Low-Moderate-High-Critical) scale for risk exposure, how would you rate this vulnerability in your environment?
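As an added example (not from the slides or the textbook), the following Python turns the advisory questions listed earlier and the sensitivity/severity/likelihood model into one repeatable rating function, and runs it on the Adobe Reader advisory above. The scoring thresholds, field names and the desktop environment are hypothetical illustrations of the "clear and repeatable criteria" the slides call for, not a published scheme.

```python
from dataclasses import dataclass

@dataclass
class Advisory:
    """Answers to the advisory-analysis questions on the slides (hypothetical fields)."""
    applicable: bool           # is the vulnerable software present in our environment?
    arbitrary_code_exec: bool  # arbitrary code execution vs. a limited scope (e.g. crash only)
    affects_servers: bool      # servers as well as desktops?
    requires_auth: bool        # authentication needed before exploit?
    needs_user_trick: bool     # must a user be tricked (open a file, click a link)?
    exploited_in_wild: bool    # vendor reports active exploitation
    deployed_fraction: float   # share of assets running the vulnerable software, 0..1
    signature_available: bool  # virus/IDS signature exists

@dataclass
class Environment:
    asset_sensitivity: str     # "Low"/"Moderate"/"High", from resource profiling
    strong_malware_detection: bool
    proven_user_awareness: bool

RANK = {"Low": 0, "Moderate": 1, "High": 2}

def severity(adv: Advisory) -> str:
    # Severity looks only at what a successful exploit yields and where.
    if adv.arbitrary_code_exec and not adv.requires_auth:
        return "High"
    if adv.arbitrary_code_exec or adv.affects_servers:
        return "Moderate"
    return "Low"

def likelihood(adv: Advisory, env: Environment) -> str:
    # Likelihood depends on the advisory *and* on our controls and deployment.
    if not adv.applicable:
        return "Low"
    score = (2 if adv.exploited_in_wild else 0) + (0 if adv.requires_auth else 1)
    # Wide deployment raises likelihood regardless of any single asset's sensitivity.
    score += 1 if adv.deployed_fraction >= 0.5 else 0
    # Compensating controls pull the score back down.
    if adv.needs_user_trick and env.proven_user_awareness:
        score -= 1
    if adv.signature_available and env.strong_malware_detection:
        score -= 1
    return "High" if score >= 3 else "Moderate" if score >= 1 else "Low"

def risk_rating(adv: Advisory, env: Environment) -> str:
    """Combine sensitivity, severity and likelihood on the 4-level scale."""
    total = RANK[severity(adv)] + RANK[likelihood(adv, env)] + RANK[env.asset_sensitivity]
    return ["Low", "Low", "Moderate", "Moderate", "High", "High", "Critical"][total]

# Constructed input mirroring the Adobe Reader 9 / Acrobat 9 advisory on the slide,
# rated against a desktop estate with no proven awareness or strong detection.
ADOBE_READER = Advisory(True, True, False, False, True, True, 0.9, False)
DESKTOPS = Environment("Moderate", False, False)
```

Running the same advisory against a High-sensitivity server environment moves the rating up to Critical, while an advisory that is not applicable at all drops to Moderate on severity alone.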
✓ Defining a Workflow

๏ The FAIR approach
‣ FAIR begins with two basic factors to measure risk:
➡ Loss Event Frequency (LEF)
➡ Probable Loss Magnitude (PLM)
➡ LEF breaks the likelihood rating down into four fundamental factors:
- The frequency with which threat agents come into contact with the assets (Contact) – this speaks to the threat surface for the asset in question.
- The probability that threat agents will act against the assets (Action) – this addresses the motivation factor that is seen in other risk frameworks.
- The probable nature (type and severity) of impact to the assets (Threat Capability) – this accounts for the specific type of threat and how severe it will be (that is, the capability of the threat agent).
- The probability of threat agent actions being successful in overcoming protective controls (Control Strength) – this takes into account any compensating controls that may reduce the likelihood of exploit.
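An added worked example (not from the slides or from the FAIR documentation) that carries the four LEF factors through to an annualised loss figure. It uses a simplified assumption of ours: Threat Capability is a uniform percentile range and Control Strength a single percentile, so "vulnerability" is the share of that range the controls fail to resist; the scenario numbers and field names are constructed.

```python
from dataclasses import dataclass

@dataclass
class ThreatScenario:
    """One threat agent acting against one asset (hypothetical field names)."""
    contact_per_year: float   # Contact: how often the agent touches the asset
    p_action: float           # Action: probability a contact becomes an attempt
    tcap_low: float           # Threat Capability: the agent's capability, as a
    tcap_high: float          #   percentile range of the overall threat population
    control_strength: float   # Control Strength: percentile of the threat
                              #   population the controls are expected to resist
    probable_loss: float      # PLM: probable loss per loss event, in currency units

def threat_event_frequency(s: ThreatScenario) -> float:
    """Contact x Action: how often the agent actually acts against the asset."""
    return s.contact_per_year * s.p_action

def vulnerability(s: ThreatScenario) -> float:
    """Probability that Threat Capability exceeds Control Strength.

    Simplifying assumption (ours, not FAIR's full method): capability is
    uniformly distributed over [tcap_low, tcap_high].
    """
    lo, hi = s.tcap_low, s.tcap_high
    if hi <= s.control_strength:
        return 0.0          # controls resist even the most capable case
    if lo >= s.control_strength:
        return 1.0          # controls are outmatched in every case
    return (hi - s.control_strength) / (hi - lo)

def loss_event_frequency(s: ThreatScenario) -> float:
    """LEF = Threat Event Frequency x Vulnerability (loss events per year)."""
    return threat_event_frequency(s) * vulnerability(s)

def annualised_loss(s: ThreatScenario) -> float:
    """LEF x PLM: expected loss per year, the figure used to compare risks."""
    return loss_event_frequency(s) * s.probable_loss

def stronger_control(s: ThreatScenario, new_strength: float) -> ThreatScenario:
    """Same scenario with improved controls, to see what a control buys you."""
    return ThreatScenario(s.contact_per_year, s.p_action, s.tcap_low,
                          s.tcap_high, new_strength, s.probable_loss)

# Constructed scenario: commodity malware reaching a desktop estate about 200 times
# a year and acting on a quarter of those contacts; estimated loss 5,000 per event.
MALWARE_ON_DESKTOPS = ThreatScenario(contact_per_year=200, p_action=0.25,
                                     tcap_low=0.4, tcap_high=0.9,
                                     control_strength=0.7, probable_loss=5000)
```

For the constructed scenario this gives 50 threat events, a vulnerability of 0.4 and so 20 loss events per year; raising Control Strength above the agent's whole capability range drives LEF, and therefore the annualised loss, to zero.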
✓ Measuring risks
‣ How do we properly calculate the rate of occurrence when there is not enough information available? Can FAIR help us in this case?
- See the textbook, pages 232 to 236