Download - Cyber Security Risk Assessment Spring 2018...23/04/18 1 Cyber Security Risk Assessment Spring 2018 Lecture 11 Quan,ta,ve Risk Analysis Scoring Vulnerabili,es – CVSS Environment 23/04/18

23/04/18

1

CyberSecurityRiskAssessmentSpring2018

Lecture11Quan,ta,veRiskAnalysis

ScoringVulnerabili,es–CVSSEnvironment

23/04/18 FabioMassacci-CyberRiskAssessment 1

RecallExampleScenario

•  Chris,ne’scompanyhasrecentlybecomeaLevel3merchant…–  Level3Merchant=Morethan20000ecommercetransacAonsperyear(~55transac?onsxday)

–  TheymustbecerAfiedbyanexternalassessornottohavehighriskvulnerabiliAes

•  LotsofVulnerabili,esAround–  itdiscoversthatitsinternalassessorshaveunderesAmatedthescopeofPCIduetotheirflatcorporatenetwork.

–  Therearelegacysystemnotinvolvedincardprocessingonitscorporatenetwork,andmanyofthosearenolongermaintainedandcannotmeetPCIDSSrequirements.

•  Whatisshegoingtodoasacountermeasure?–  Differentsecuritymeasurescostsalot.


23/04/18

2

Recall:qualita?vevsquan?ta?ve•  Isthisalwaysreasonable?–  ShouldChrisAnePatchALLSQLivulnerabiliAesonALLsoWware?

–  Cannotknowwithoutatechnical/objecAveanalysisofthevulnerability/threat


Whatwedidlast?me?

•  Notallvulnerabili,esarethesame– HowseverearethesecurityproblemsaffecAngmysoWwareanddatabaseconfiguraAon?

•  FirstPartoftheQues,on:– Howseverearethesecurityproblems…àusedCVSSBasetomakeaspecificguideline

•  Secondpartoftheques,on– …affecAngmysoWwareanddatabaseconfiguraAon?àwilluseCVSSEnvironment


23/04/18

3

CVSSv3hKp://www.first.org/cvss/v3/development

•  CVSSisbasedonthreemetricgroups

FabioMassacci-CyberRiskAssessment 523/04/18

Qualita?vera?ngsofGlobalCVSS

FabioMassacci-CyberRiskAssessment 623/04/18

23/04/18

4

TheWebServer

•  CVE-2016-5425– TheTomcatpackageonRedHatEnterpriseLinux(RHEL)7,Fedora,CentOS,OracleLinux,andpossiblyotherLinuxdistribuAonsusesweakpermissionsfor/usr/lib/tmpfiles.d/tomcat.conf,whichallowslocaluserstogainrootprivilegesbyleveragingmembershipinthetomcatgroup.

– Basescore•  AV: AC: UI: PR: S: C: I: A:

23/04/18 FabioMassacci-OffensiveTechnologies 7

WebServerScoring


23/04/18

5

Vulnerabilityseverity–astablemetric?

•  CVSSBasescore– DescribestechnicalproperAesofthevulnerability– Alwaysthesameindependentlyof

•  Time•  DeploymentofthesoWware

•  Doyouthink,memaTers?–  CantheriskberepresentedbyavulnerabilitychangewithAme?

•  DospecificdeploymentsofthesoVwaremaTer?–  IstheriskrepresentedbyavulnerabilitythesameforallinstallaAonsofthesoWware?


Whatcanchange?

•  In,me– Exploits(alleged,workingorevenautomated)– RemediaAonfixes– Patches

•  Inspace– LocalmiAgaAngmeasures(configuraAons)– RelaAveimportanceofthesoWwaretotheorganizaAon•  LinkfromprimarytosupporAngasset


23/04/18

6

Scenarioexample

•  Youworkforaflightcompany•  Eachplanewithamediacenteronboardforpassengers

hasasmallserverrunningRHEL7–  Theservermanagescontentdeliveredtoeachmonitorinfrontofthepassengers

–  NospecificinformaAonabouteachclientexistsontheserver•  MedianetworkOpera,onalDeployment

–  Thein-flightserveronlyinterfacecanbeaccessedfromthephysicalterminalonboard

–  ThenetworksharestheentertainmentandtheoperaAonalcontrolnetwork

–  NoauthenAcaAonrequiredbydefaultonthesedeployments•  Doesthischangehowyouevaluateotherbasemetrics?


Vulnerability“riskfactors”

•  Vulnerabilityseveritymaychangebothin,meandspace–  Severaloftheseaspectsarecommonlyrecognizedintheindustry•  Ad-hocmodificaAonsoWenemployedinorganizaAons

•  Time–  Howcertainareyouofthevulnerabilityexistence?–  Doesanexploitexist,andwhatlevelofautomaAondiditreach?–  Doesapermanentfixexist?

•  Space–  DospecificdeploymentcondiAonsaltersomecharacterisAcsofthevulnerability?

–  AresomecharacterisAcsmoreimportantthanothers?


23/04/18

7

TemporalandEnvironmental


CVSSTEMPORAL

LucaAllodi-VulnerabilityassessmentwithCVSSv3 14

23/04/18

8

Temporalmetric

•  TheTemporalmetricsmeasurecharacteris,csofthevulnerabilitythatmaychangewith,me–  currentstateofexploittechniques/codeavailability–  existenceofanypatchesorworkarounds–  theconfidencethatonehasinthedescripAonofavulnerability.

•  Theymodifythescoreassignedbythebasemetric–  ”Notdefined”valueleavesscoreuntouched


Temporal:Exploitcodematurity

•  ExploitCodeMaturitymeasuresthecurrentstateofexploittechniques

•  Publicavailabilityofeasy-to-useexploitcodeincreasesthenumberofpoten,alaTackers

•  Theexploitcodeavailablemayprogressfromaproof-of-conceptdemonstra,ontoexploitcodethatissuccessfulinexploi,ngthevulnerabilityconsistently.

•  Possiblevalues–  Notdefinedàdonotmodifybasescore–  HighàfuncAonalcodeexistsornoexploitrequired,detailsarepublic

available.Exploitishighlyreliable,possiblybeingusedinthewild–  FuncAonalàcodeexistsandworks,butnotreliably–  Proof-of-conceptàexisAngafackdemonstraAonisnotpracAcaland

requiressubstanAalmodificaAontoworkreliably–  UnprovenàexploitonlytheoreAcallypossible,nopubliccode

availableLucaAllodi-Vulnerabilityassessmentwith

CVSSv3 16

23/04/18

9

Temporal:Remedia?onlevel

•  Thetypicalvulnerabilityisunpatchedwhenini,allypublished.

•  Workaroundsorho`ixesmayofferinterimremedia,onun,lanofficialpatchorupgradeisissued.

•  Possiblevalues:–  Notdefinedànochangetobasescore–  UnavailableàsoluAondoesnotexistorcannotbeapplied–  WorkaroundàunofficialsoluAonavailable–  Temporaryàtemporaryhojixesorworkaroundsissuedbyvendor

–  OfficialFixàofficialpatchexists


Temporal:reportconfidence

•  Thismetricmeasuresthedegreeofconfidenceintheexistenceofthevulnerabilityandthecredibilityoftheknowntechnicaldetails.

•  Possiblevalues:– Notdefinedànochangetobasemetric–  ConfirmedàreproducAonispossible,detailsareavailableandverifiedbyvendor/sourcecodeanalysis

–  ReasonableàRootcauseofvulnerabilityisunknown,vulnmayexistbutnotreacheable/traceable

– Unknownàvulnerabilityisnotverified(e.g.not-reproduciblebugthatleadstocrash)


23/04/18

10

WebServer–ExploitsintheWild?

•  Youdosomeinves,ga,onsandfindsomeinfoonaPoC


WebServerScoring-II

•  Supposeatsomepointyoudiscoverthataproofofconceptexploitforthevulnerabilityexists– Somebodyclaimsitdoes

•  Shouldyourriskchange?– Evidencethatitcanbeexploited,unclearwhetherthisrepresentsrealthreat


23/04/18

11

23/04/18 FabioMassacci-OffensiveTechnologies 21hfp://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html

TheWebServerScoring-III

•  Nowyouknowthattheexploitworks– Andcanbeautomated

•  Youalsofindthataworkaroundexists–  “Adjustpermissionson/usr/lib/tmpfiles.d/tomcat.conffiletoremovewritepermissionforthetomcatgroup.”

•  …Andeventuallythatthereisanofficialupdate–  “AlternaAvely,updatetothelatestpackagesprovidedbyyourdistribuAon.ConfirmthefilepermissionsaWertheupdate.”


23/04/18

12

Backtoourscenario(on-flightmediaserver)

1.  Exploitcodeexists,youtesteditanditworksunderallcondi,ons:–  Exploitcodematurityà

2.  Youfindseveralreportsofthisvulnerabilityformul,plesources–  Reportconfidenceà

3.  Anofficialpatchexists–  RemediaAonlevelà


TemporalscoreI–ExploitExists


23/04/18

13

TemporalScoreII–KnowledgeWidespread


TemporalScore–FixExists


23/04/18

14

CVSSENVIRONMENTAL


Environmental:Securityrequirements

•  AccountfortheimportanceoftheaffectedITassettoauser'sorganiza,on–  e.g.ifanITassetsupportsabusinessfuncAonforwhichAvailabilityis

mostimportant,theanalystcanassignagreatervaluetoAvailabilityrelaAvetoConfidenAalityandIntegrity.

•  ImportanceofITassetisdefinedbythebusinessunit+technical–  SystemsupporAngcriAcalfuncAonality–  SystemcriAcaltomeetcompliance

•  PossiblevaluesforanyofC,I,A–  Notdefinedànochangetotemporalmetric–  High[C,I,A]àcatastrophiceffectonorganizaAon/individuals–  Medium[C,I,A]àseriouseffectsonorganizaAon/individuals–  Low[C,I,A]àlimitedeffectonorganizaAon/individuals


23/04/18

15

Environmental:modifiedbasemetrics

•  It’spossibletomodifyeachofthebasemetricsrela,vetothespecificsehng

•  Exploitability– ModifiedAV,ModifiedAC,ModifiedPR,…

•  Scope– ModifiedS

•  Impact– ModifiedC,ModifiedI,ModifiedA


Scenarioexample-Environmental

•  EachplanewithamediacenteronboardforpassengershasasmallserverrunningRHEL7–  Theservermanagescontentdeliveredtoeachmonitorinfrontofthe

passengers–  NospecificinformaAonabouteachclientexistsontheserver

•  MedianetworkOpera,onalDeployment–  Thein-flightserveronlyinterfacecanbeaccessedfromthephysical

terminalonboard–  ThenetworksharestheentertainmentandtheoperaAonalcontrol

network–  NoauthenAcaAonrequiredbydefaultonthesedeployments

•  Forthemediaserverdoesthischange–  howyouevaluatebasemetrics?–  howyouevaluatesecurityrequirements


23/04/18

16

Scenarioexample-Requirments








Scenario–ModifiedBaseMetrics








23/04/18

17

Scenario–ModifiedMetrics+Requirements








Scenario–ThreeAlterna?ves•  Eachplanewithamediacenteronboardforpassengershasa

smallserverrunningRHEL7–  Theservermanagescontentdeliveredtoeachmonitorinfrontofthe



terminalonboardinthepilotcabin(1)–  ThenetworksharestheentertainmentandtheoperaAonalcontrol

network(2)–  Nostrong(3)authenAcaAonrequiredonthesedeployments

•  Forthemediaserverdoesthischange–  howyouevaluatebasemetrics?–  howyouevaluatesecurityrequirements?


23/04/18

18

Scenario–ThreeAlterna?ves•  MedianetworkOpera,onalDeployment–  Thein-flightserveronlyinterfacecanbeaccessedfromthephysicalterminalonboardinthepilotcabin(1)

–  ThenetworksharestheentertainmentandtheoperaAonalcontrolnetwork(2)

–  Nostrong(3)authenAcaAonrequiredonthesedeployments

•  Opera,onalQues,ons– Whodoyouwanttorestartthemediaserverifitcrashesorifthereissomethingthatdoesn’twork?Theflightafendantorthepilot?

–  Howmanyflightafendants/pilotsareonthesamephysicalplane(asopposedtothesameflight)?


Scenario–NewCustomerFeature!

•  EachplanewithamediacenteronboardforpassengershasasmallserverrunningRHEL7–  Theservermanagescontentdeliveredtoeachmonitorinfrontofthepassengers

–  NospecificinformaAonabouteachclientexistsontheserver•  MedianetworkOpera,onalDeployment

–  Thein-flightserveronlyinterfacecanbeaccessedfromthephysicalterminalonboard

–  ThenetworksharestheentertainmentandtheoperaAonalcontrolnetwork

–  NoauthenAcaAonrequiredbydefaultonthesedeployments•  Businesscustomerscannowconnecttothemediaserver

tostreamtheirowncontentontheseat’svideo


23/04/18

19

CVSSENVIRONMENTALANDCOMPLIANCE

TheexampleofPCI-DSS


PCI-DSS

•  PaymentCardIndustryDataSecurityStandard•  Informa,onsecuritystandardfororganiza,onsthathandlecreditcarddata– OperaAonsonVISA,Mastercard,AEcircuits,etc.–  POSsystems,serversthathandlepayments..

•  CardholderDataEnvironment(CDE)– Allprocessesandtechnologyaswellasthepeoplethatstore,processortransmitcustomercardholderdataorauthenAcaAondata,includingconnectedsystemcomponentsandanyvirtualizaAoncomponents(i.e.,servers,applicaAons,etc.)


23/04/18

20

PCI-DSSandenvironments

•  StandardcomplianceoVenrequires”sensi,ve”systemstobesegmentedawayfromsystemsthatdonotmanagesensi,vedata

•  Isola,onofsensi,vecomponentsfromtherestofthenetwork–  InPCI-DSS,called“ScopereducAon”

•  e.g.segmentaAonofanetworkinseveralsubnetworks•  Scope:Anynetworkcomponent,server,orapplica,on

thatisincludedorconnectedtothecardholderdataenvironment–  “Anetworkcomponentsincludebutarenotlimitedtofirewalls,switches,routers,wirelessaccesspoints,netappliances..”

–  Anysysteminthescopeisconsideredtohavehighsecurityrequirements


Joe’sStore.

POSterminals

RouterDSL

Kiosk

Wi-fiFree

PCsusedbymanagerandassistantmanager

e-commerceWebsite

HosAngCompany

InternetSwitch

Customers

Store

A

A SystemsmanagingcustomerdataRegistertoshop’smailinglistCustomercomputers

B

C

B

C

23/04/18

21

Joe’sStoreInstalledaFirewall

POSterminals

RouterDSL

Kiosk

Wi-fiFree


e-commerceWebsite

HosAngCompany

Internet

Customers

Store

ManagedSwitch

DMZ

Firewall

DMZandFirewallInternalsoftheRouterSub-net01

Sub-net02

A

A SystemsmanagingcustomerdataRegistertoshop’smailinglistCustomercomputersManagedSwitchtoPOSsubnet

B

C

D

B

C

D

PCI-DSSandCVSS

•  PCI-DSSmandatesthatavulnerabilityassessmentshouldbeperiodicallyrunonthesystemsinscope–  Rememberthat“PCI-DSSnscope”=somehowaccesssensiAvedata

•  Rule– AnythingwithaCVSS(base)>=4needbepatched

•  CanCVSSenvironmentalhelp?•  ForRequirements–  In-scopesystemsàhigherscore– Out-of-scopesystemsàlowerscore


23/04/18

22

JoerunsaVAtoolonhissystems

SystemID

Aff_Sw(NVD) CVE_ID

Descrip?on

A,C WIN10 CVE-2016-3236

TheWebProxyAutoDiscovery(WPAD)protocolimplementaAoninMicrosoWWindowsVistaSP2,WindowsServer2008SP2andR2SP1,Windows7SP1,Windows8.1,WindowsServer2012GoldandR2,WindowsRT8.1,andWindows10Goldand1511mishandlesproxydiscovery,whichallowsremoteafackerstoredirectnetworktrafficviaunspecifiedvectors,aka"WindowsWPADProxyDiscoveryElevaAonofPrivilegeVulnerability."


•  LooksitupontheNVD•  Basescore:9.8•  AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

OriginalConfigura?onofJoe’sStore

POSterminals

RouterDSL

Kiosk

Wi-fiFree


e-commerceWebsite

HosAngCompany

InternetSwitch

Customers

Store

A


B

C

B

C

WhatHappenstotheRequirements?DowehaverequirementsonCustomers’Computers

23/04/18

23

OriginalConfigura?onofJoe’sStore-II

POSterminals

RouterDSL

Kiosk

Wi-fiFree


e-commerceWebsite

HosAngCompany

InternetSwitch

Customers

Store

A


B

C

B

C

OriginalConfigura?onofJoe’sStore-III

POSterminals

RouterDSL

Kiosk

Wi-fiFree


e-commerceWebsite

HosAngCompany

InternetSwitch

Customers

Store

A


B

C

B

C

23/04/18

24

Joe’sOriginalStore

POSterminals

RouterDSL

Kiosk

Wi-fiFree


e-commerceWebsite

HosAngCompany

InternetSwitch

Customers

Store

A


B

C

B

C

AoerJoe’sInstalledtheFirewall

POSterminals

RouterDSL

Kiosk

Wi-fiFree


e-commerceWebsite

HosAngCompany

Internet

Customers

Store

ManagedSwitch

DMZ

Firewall


Sub-net02

A


B

C

D

B

C

D

23/04/18

25

AoerJoe’sInstalledtheFirewall-II

POSterminals

RouterDSL

Kiosk

Wi-fiFree


e-commerceWebsite

HosAngCompany

Internet

Customers

Store

ManagedSwitch

DMZ

Firewall


Sub-net02

A


B

C

D

B

C

D

AoerJoe’sInstalledtheFirewall-III

POSterminals

RouterDSL

Kiosk

Wi-fiFree


e-commerceWebsite

HosAngCompany

Internet

Customers

Store

ManagedSwitch

DMZ

Firewall


Sub-net02

A


B

C

D

B

C

D

23/04/18

26

Scoringexample

•  YouworkinthePSIRTofafirewallvendor.•  Asecurityresearchersendsdetailsofavulnerabilitythey

havefoundinoneofyourfirewallproducts.Yourcompanypriori,zesworkbasedonCVSSscores.

•  Details:thevulnerabilityallowsaTackerstobypassauthen,ca,ontothefirewall’sadminpanelwhenthedefault“defragpacketsbeforeforward”flagisdisabled,duetoafaultymanagementofinvalidfragmentedIPdatagrams.

1.   calculateaCVSSBaseScorebasedontheresearcher'sreport,toratetheseverityofthevulnerability.

AV,AC,UI,PR,S,C,I,A


Scoringexample

•  Beforeyoucanreproducethevulnerabilityonyourtestsystemsusingtheproof-of-conceptcodetheresearcherprovided,customerscontactyousayingtheirsystemshavebeencompromisedandbelieveyourfirewallproductisatfault.Youreleaseapublicadvisorytoallcustomerswarningthemoftheproblem.

2.   calculateaCVSSTemporalScoresothepublicadvisoryindicatesthecurrentsitua,onwithrespecttoreproducingandfixingthevulnerability.

E(exploitcodematurity),R(emedia,onlevel),R(eport

confidence)


23/04/18

27

Scoringexample

•  YourcompanyusestheaffectedfirewallproductforitsmainInternetsite,whichmanages– Customersupport– Onlineorders

3.  CalculateaCVSSEnvironmentalScoretodeterminetherisktothefirewallinstanceusedonthemainInternetsite.


Scoringexample

•  Duetothehighpriorityyouputonthevulnerability.thedevelopmentteamsoonreproducetheproblemandhaveafix.RecalculatetheTemporalscoresothatitiscreateforanupdatedpublicadvisorythatyouwillsendtocustomers,alongwiththefixes.

4.   RecalculatetheCVSSTemporalScore.

E(exploitcodematurity),R(emedia,onlevel),R(eportconfidence)


23/04/18

28

EXAMPLE2


Furtherreading

•  Chapters10,11onTextbook•  RossAnderson’sbook.•  CVSSFirstWebSite(SeeWikiforlinks)


Download - Cyber Security Risk Assessment Spring 2018...23/04/18 1 Cyber Security Risk Assessment Spring 2018 Lecture 11 Quan,ta,ve Risk Analysis Scoring Vulnerabili,es – CVSS Environment 23/04/18

Top Related