Transcript
Cyber Security Risk Assessment Spring 2018
Lecture 11: Quantitative Risk Analysis – Scoring Vulnerabilities – CVSS Environment
23/04/18 Fabio Massacci - Cyber Risk Assessment

Recall Example Scenario

• Christine's company has recently become a Level 3 merchant…
  – Level 3 Merchant = more than 20,000 e-commerce transactions per year (~55 transactions per day)
  – They must be certified by an external assessor not to have high-risk vulnerabilities
• Lots of vulnerabilities around
  – It discovers that its internal assessors have underestimated the scope of PCI due to their flat corporate network.
  – There are legacy systems not involved in card processing on its corporate network, and many of those are no longer maintained and cannot meet PCI DSS requirements.
• What is she going to do as a countermeasure?
  – Different security measures cost a lot.


Recall: qualitative vs quantitative

• Is this always reasonable?
  – Should Christine patch ALL SQLi vulnerabilities on ALL software?
  – Cannot know without a technical/objective analysis of the vulnerability/threat

What we did last time?

• Not all vulnerabilities are the same
  – How severe are the security problems affecting my software and database configuration?
• First part of the question:
  – How severe are the security problems… → used CVSS Base to make a specific guideline
• Second part of the question
  – …affecting my software and database configuration? → will use CVSS Environment


CVSS v3 http://www.first.org/cvss/v3/development

• CVSS is based on three metric groups: Base, Temporal and Environmental
  (figure: the three metric groups and the metrics in each)

Qualitative ratings of Global CVSS

(figure: the qualitative severity rating scale; None 0.0, Low 0.1–3.9, Medium 4.0–6.9, High 7.0–8.9, Critical 9.0–10.0)


The Web Server

• CVE-2016-5425
  – The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.
  – Base score
    • AV: AC: UI: PR: S: C: I: A:

23/04/18 Fabio Massacci - Offensive Technologies

Web Server Scoring

(figure: the base score of CVE-2016-5425 worked out on the CVSS calculator)


Vulnerability severity – a stable metric?

• CVSS Base score
  – Describes technical properties of the vulnerability
  – Always the same, independently of
    • Time
    • Deployment of the software
• Do you think time matters?
  – Can the risk represented by a vulnerability change with time?
• Do specific deployments of the software matter?
  – Is the risk represented by a vulnerability the same for all installations of the software?

What can change?

• In time
  – Exploits (alleged, working or even automated)
  – Remediation fixes
  – Patches
• In space
  – Local mitigating measures (configurations)
  – Relative importance of the software to the organization
    • Link from primary to supporting asset


Scenario example

• You work for a flight company
• Each plane with a media center on board for passengers has a small server running RHEL 7
  – The server manages content delivered to each monitor in front of the passengers
  – No specific information about each client exists on the server
• Media network Operational Deployment
  – The in-flight server's only interface can be accessed from the physical terminal on board
  – The network shares the entertainment and the operational control network
  – No authentication required by default on these deployments
• Does this change how you evaluate other base metrics?

Vulnerability "risk factors"

• Vulnerability severity may change both in time and space
  – Several of these aspects are commonly recognized in the industry
    • Ad-hoc modifications often employed in organizations
• Time
  – How certain are you of the vulnerability's existence?
  – Does an exploit exist, and what level of automation did it reach?
  – Does a permanent fix exist?
• Space
  – Do specific deployment conditions alter some characteristics of the vulnerability?
  – Are some characteristics more important than others?


Temporal and Environmental

CVSS TEMPORAL

(Slides: Luca Allodi - Vulnerability assessment with CVSS v3)


Temporal metric

• The Temporal metrics measure characteristics of the vulnerability that may change with time
  – current state of exploit techniques / code availability
  – existence of any patches or workarounds
  – the confidence that one has in the description of a vulnerability.
• They modify the score assigned by the base metrics
  – The "Not defined" value leaves the score untouched

Temporal: Exploit code maturity

• Exploit Code Maturity measures the current state of exploit techniques
• Public availability of easy-to-use exploit code increases the number of potential attackers
• The exploit code available may progress from a proof-of-concept demonstration to exploit code that is successful in exploiting the vulnerability consistently.
• Possible values
  – Not defined → do not modify the base score
  – High → functional code exists or no exploit is required, details are publicly available. The exploit is highly reliable, possibly being used in the wild
  – Functional → code exists and works in most situations where the vulnerability exists, but not reliably everywhere
  – Proof-of-concept → the existing attack demonstration is not practical and requires substantial modification to work reliably
  – Unproven → exploit only theoretically possible, no public code available


Temporal: Remediation level

• The typical vulnerability is unpatched when initially published.
• Workarounds or hotfixes may offer interim remediation until an official patch or upgrade is issued.
• Possible values:
  – Not defined → no change to the base score
  – Unavailable → a solution does not exist or cannot be applied
  – Workaround → an unofficial solution is available
  – Temporary → temporary hotfixes or workarounds issued by the vendor
  – Official Fix → an official patch exists

Temporal: report confidence

• This metric measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details.
• Possible values:
  – Not defined → no change to the base metric
  – Confirmed → reproduction is possible, details are available and verified by the vendor / source code analysis
  – Reasonable → significant details are published, but the root cause is not fully confirmed (e.g. no source code access to trace how the vulnerability is reached)
  – Unknown → the vulnerability is not verified (e.g. a non-reproducible bug that leads to a crash)


Web Server – Exploits in the Wild?

• You do some investigation and find some info on a PoC

Web Server Scoring - II

• Suppose at some point you discover that a proof-of-concept exploit for the vulnerability exists
  – Somebody claims it does
• Should your risk change?
  – Evidence that it can be exploited, unclear whether this represents a real threat


http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html

The Web Server Scoring - III

• Now you know that the exploit works
  – And can be automated
• You also find that a workaround exists
  – "Adjust permissions on /usr/lib/tmpfiles.d/tomcat.conf file to remove write permission for the tomcat group."
• …And eventually that there is an official update
  – "Alternatively, update to the latest packages provided by your distribution. Confirm the file permissions after the update."
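The last sentence of the advisory, "confirm the file permissions after the update", is the check a practitioner would script rather than eyeball. The following is an added example (written for this transcript, not code from the lecture or from the advisory) that flags any tmpfiles.d configuration writable by its group or by others, which is the condition CVE-2016-5425 relied on. The list of directories and the demo fixture it builds are this example's assumptions.

```python
"""Verify the CVE-2016-5425 workaround: no tmpfiles.d config writable by group or others.

Added example, not code from the lecture or from the advisory. A tmpfiles.d entry that
the tomcat group can edit lets any member of that group decide which files
systemd-tmpfiles creates or re-owns as root the next time it processes the file.
"""
import os
import stat
import tempfile

# Directories systemd-tmpfiles reads (assumption: the three standard locations).
TMPFILES_DIRS = ("/etc/tmpfiles.d", "/run/tmpfiles.d", "/usr/lib/tmpfiles.d")


def writable_by_non_owner(path):
    """True when the mode grants write to group or others, the CVE-2016-5425 condition."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_unsafe_tmpfiles_configs(dirs=TMPFILES_DIRS):
    """Return the .conf files under dirs that a non-owner could modify."""
    unsafe = []
    for d in dirs:
        if not os.path.isdir(d):  # e.g. /etc/tmpfiles.d may not exist on a given host
            continue
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            if name.endswith(".conf") and os.path.isfile(path) and writable_by_non_owner(path):
                unsafe.append(path)
    return unsafe


def build_demo_dir():
    """Constructed fixture: a temporary tmpfiles.d holding one safe file (0644) and a
    group-writable tomcat.conf (0664, the weak permission the advisory describes).
    Returns (directory, path of the vulnerable file)."""
    d = tempfile.mkdtemp(prefix="tmpfiles.d-")
    safe = os.path.join(d, "cups.conf")
    vuln = os.path.join(d, "tomcat.conf")
    for path, mode in ((safe, 0o644), (vuln, 0o664)):
        with open(path, "w") as fh:
            fh.write("d /var/cache/tomcat 0775 tomcat tomcat -\n")  # constructed content
        os.chmod(path, mode)
    return d, vuln


if __name__ == "__main__":
    bad = find_unsafe_tmpfiles_configs()
    for p in bad:
        print("group/world-writable:", p)
    raise SystemExit(1 if bad else 0)
```

Run as root after the update (or after the chmod workaround); a non-zero exit means the workaround is not in place. The check is deliberately about the mode bits only, because that is what the advisory's fix changes; ownership by root is not enough when the group bit is set.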


Back to our scenario (on-flight media server)

1. Exploit code exists, you tested it and it works under all conditions:
   – Exploit code maturity →
2. You find several reports of this vulnerability from multiple sources
   – Report confidence →
3. An official patch exists
   – Remediation level →

Temporal score I – Exploit Exists

(figure: the temporal score on the CVSS calculator with Exploit Code Maturity set)


Temporal Score II – Knowledge Widespread

(figure: the temporal score with Report Confidence also set)

Temporal Score – Fix Exists

(figure: the temporal score with Remediation Level also set)


CVSS ENVIRONMENTAL

Environmental: Security requirements

• Account for the importance of the affected IT asset to a user's organization
  – e.g. if an IT asset supports a business function for which Availability is most important, the analyst can assign a greater value to Availability relative to Confidentiality and Integrity.
• The importance of the IT asset is defined by the business unit + technical
  – System supporting critical functionality
  – System critical to meet compliance
• Possible values for any of C, I, A
  – Not defined → no change to the temporal metric
  – High [C,I,A] → catastrophic effect on organization/individuals
  – Medium [C,I,A] → serious effects on organization/individuals
  – Low [C,I,A] → limited effect on organization/individuals


Environmental: modified base metrics

• It's possible to modify each of the base metrics relative to the specific setting
• Exploitability
  – Modified AV, Modified AC, Modified PR, …
• Scope
  – Modified S
• Impact
  – Modified C, Modified I, Modified A

Scenario example - Environmental

• Each plane with a media center on board for passengers has a small server running RHEL 7
  – The server manages content delivered to each monitor in front of the passengers
  – No specific information about each client exists on the server
• Media network Operational Deployment
  – The in-flight server's only interface can be accessed from the physical terminal on board
  – The network shares the entertainment and the operational control network
  – No authentication required by default on these deployments
• For the media server, does this change
  – how you evaluate base metrics?
  – how you evaluate security requirements?


Scenario example - Requirements

Scenario – Modified Base Metrics

Scenario – Modified Metrics + Requirements

• (These three slides repeat the scenario and the two questions above, worked one step at a time: first the security requirements, then the modified base metrics, then both together.)

Scenario – Three Alternatives

• Each plane with a media center on board for passengers has a small server running RHEL 7
  – The server manages content delivered to each monitor in front of the passengers
  – No specific information about each client exists on the server
• Media network Operational Deployment
  – The in-flight server's only interface can be accessed from the physical terminal on board in the pilot cabin (1)
  – The network shares the entertainment and the operational control network (2)
  – No strong (3) authentication required on these deployments
• For the media server, does this change
  – how you evaluate base metrics?
  – how you evaluate security requirements?


Scenario – Three Alternatives

• Media network Operational Deployment
  – The in-flight server's only interface can be accessed from the physical terminal on board in the pilot cabin (1)
  – The network shares the entertainment and the operational control network (2)
  – No strong (3) authentication required on these deployments
• Operational Questions
  – Who do you want to restart the media server if it crashes or if there is something that doesn't work? The flight attendant or the pilot?
  – How many flight attendants/pilots are on the same physical plane (as opposed to the same flight)?

Scenario – New Customer Feature!

• Same media server and operational deployment as above (RHEL 7 server per plane, physical terminal on board, network shared with operational control, no authentication by default)
• Business customers can now connect to the media server to stream their own content on the seat's video


CVSS ENVIRONMENTAL AND COMPLIANCE

The example of PCI-DSS

PCI-DSS

• Payment Card Industry Data Security Standard
• Information security standard for organizations that handle credit card data
  – Operations on VISA, Mastercard, AE circuits, etc.
  – POS systems, servers that handle payments..
• Cardholder Data Environment (CDE)
  – All processes and technology as well as the people that store, process or transmit customer cardholder data or authentication data, including connected system components and any virtualization components (i.e., servers, applications, etc.)


PCI-DSS and environments

• Standard compliance often requires "sensitive" systems to be segmented away from systems that do not manage sensitive data
• Isolation of sensitive components from the rest of the network
  – In PCI-DSS, called "Scope reduction"
    • e.g. segmentation of a network into several subnetworks
• Scope: Any network component, server, or application that is included in or connected to the cardholder data environment
  – "Network components include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances.."
  – Any system in the scope is considered to have high security requirements

Joe's Store

(network diagram) In the store: POS terminals, a DSL router, a kiosk, free Wi-Fi and the PCs used by the manager and assistant manager, all on one switch; the e-commerce website is at a hosting company on the Internet; customers reach both. Legend: A = systems managing customer data; B = registration to the shop's mailing list; C = customer computers.


Joe's Store Installed a Firewall

(network diagram) The same store, now with a firewall and a DMZ inside the router, a managed switch, and two sub-nets (01 and 02). Legend: A = systems managing customer data; B = registration to the shop's mailing list; C = customer computers; D = managed switch to the POS subnet.

PCI-DSS and CVSS

• PCI-DSS mandates that a vulnerability assessment be run periodically on the systems in scope
  – Remember that "PCI-DSS in scope" = somehow accesses sensitive data
• Rule
  – Anything with a CVSS (base) score >= 4 needs to be patched
• Can CVSS environmental help?
• For requirements
  – In-scope systems → higher score
  – Out-of-scope systems → lower score


Joe runs a VA tool on his systems

System ID | Aff_Sw (NVD) | CVE_ID        | Description
A, C      | WIN10        | CVE-2016-3236 | The Web Proxy Auto Discovery (WPAD) protocol implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 mishandles proxy discovery, which allows remote attackers to redirect network traffic via unspecified vectors, aka "Windows WPAD Proxy Discovery Elevation of Privilege Vulnerability."

• Looks it up on the NVD
• Base score: 9.8
• AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Original Configuration of Joe's Store

(network diagram, as in "Joe's Store" above)

• What happens to the requirements? Do we have requirements on customers' computers?


Original Configuration of Joe's Store - II

Original Configuration of Joe's Store - III

(the same "Joe's Store" diagram, repeated on both slides)


Joe's Original Store

(the "Joe's Store" diagram again)

After Joe Installed the Firewall

(the "Joe's Store Installed a Firewall" diagram again: firewall and DMZ inside the router, managed switch, sub-net 01 and sub-net 02; A = systems managing customer data, B = registration to the shop's mailing list, C = customer computers, D = managed switch to the POS subnet)


After Joe Installed the Firewall - II

After Joe Installed the Firewall - III

(the same firewall diagram, repeated on both slides)


Scoring example

• You work in the PSIRT of a firewall vendor.
• A security researcher sends details of a vulnerability they have found in one of your firewall products. Your company prioritizes work based on CVSS scores.
• Details: the vulnerability allows attackers to bypass authentication to the firewall's admin panel when the default "defrag packets before forward" flag is disabled, due to faulty handling of invalid fragmented IP datagrams.

1. Calculate a CVSS Base Score based on the researcher's report, to rate the severity of the vulnerability.
   AV, AC, UI, PR, S, C, I, A

Scoring example

• Before you can reproduce the vulnerability on your test systems using the proof-of-concept code the researcher provided, customers contact you saying their systems have been compromised and believe your firewall product is at fault. You release a public advisory to all customers warning them of the problem.

2. Calculate a CVSS Temporal Score so the public advisory indicates the current situation with respect to reproducing and fixing the vulnerability.
   E (exploit code maturity), RL (remediation level), RC (report confidence)


Scoring example

• Your company uses the affected firewall product for its main Internet site, which manages
  – Customer support
  – Online orders

3. Calculate a CVSS Environmental Score to determine the risk to the firewall instance used on the main Internet site.

Scoring example

• Due to the high priority you put on the vulnerability, the development team soon reproduce the problem and have a fix. Recalculate the Temporal score so that it is correct for an updated public advisory that you will send to customers, along with the fixes.

4. Recalculate the CVSS Temporal Score.
   E (exploit code maturity), RL (remediation level), RC (report confidence)


EXAMPLE 2

Further reading

• Chapters 10, 11 of the textbook
• Ross Anderson's book.
• CVSS FIRST Web Site (see the Wiki for links)

