IT Risk Management: Threat and Vulnerability Analysis - Web & E-Mail Application Exploits. Welcome. Presented by Marc D’Aloisio and Frank Ward, DOIT IT Security
Introduction
• To open today's presentation we will provide working definitions for what we mean when we talk about threats, risks and risk management.
• Threat and Vulnerability Analysis will then be placed within the context of the DOIT Risk Analysis Methodology.
• Next we will discuss the strategic options we have available for threat evaluation. We can either strive to establish and verify objective measurements or we can settle for subjective intelligence.
• We will conclude the presentation with detailed explanations of several significant web application and e-mail vulnerabilities.
Definitions • A Threat is any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. (NIST 800-53)
Definitions • A Vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. (NIST 800-53)
Definitions (cont’d)
• Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. (NIST 800-30)
• Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. (NIST 800-30)
DOIT Risk Analysis Methodology: Risk Analysis Methodology Process Flow
[Process flow diagram; each step is listed with its inputs and its output]
• STEP ONE - Scope of Analysis. Inputs: Interviews, Hardware Documentation, Software Documentation, SDM Documentation. Output: Risk Analysis Scope Workbook.
• STEP TWO - Threat and Vulnerability Identification. Inputs: System Event Logs, MITRE CVE Database, Prior Technical Evaluations, Prior Risk Analyses, Prior System Audits, Incident Response Logs, Regulatory Environments, Vulnerability Scans. Output: Threat and Vulnerability Matrix.
• STEP THREE - Control Analysis. Inputs: Public Domain Authoritative Checklists and Custom Checklists, both mapped to the NIST 800-53 Control Catalog; the NIST 800-53 Control Catalog. Output: Listing of Current and Planned Controls mapped to the NIST 800-53 Control Catalog.
• STEP FOUR - Likelihood Determination. Inputs: Threat Source Motivation, Threat Capacity, Nature of Vulnerability, Effectiveness of Current and Planned Controls. Output: Likelihood Ratings for each Threat and Vulnerability Pairing.
• STEP FIVE - Impact Analysis. Inputs: BIA from prior BCP / DR, Asset Criticality, Data Criticality, Data Sensitivity, Regulatory Requirements. Output: Impact Ratings for each Threat and Vulnerability Pairing.
• STEP SIX - Risk Determination. Inputs: Likelihood Ratings x Impact Analysis Ratings. Output: Risk Level Ratings for each Threat and Vulnerability Pairing.
• STEP SEVEN - Control Recommendations. Input: Output from Steps 2, 3, 4, 5 & 6 above. Output: Detailed Control Recommendations grouped by Risk Level.
• STEP EIGHT - Remediation Workplans. Output: Remediation Workplans providing Resource Requirements, Priorities, Roles & Responsibilities.
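Steps 4 to 7 of the flow above carried out in code, as an added example that is not part of the DOIT presentation or its workbook. It rates a constructed set of threat and vulnerability pairings, multiplies likelihood by impact, and groups the results by risk level. The numeric scales are the ones I recall from NIST SP 800-30 (2002), Tables 3-6 and 3-7 (likelihood 0.1 / 0.5 / 1.0, impact 10 / 50 / 100, risk High above 50, Medium above 10 to 50, Low 1 to 10); the likelihood rule is a simplified reading of that document's High / Medium / Low definitions. The `Pairing` class, the sample pairings and all function names are assumptions made for this example.

```python
"""Added example (not from the DOIT methodology): Steps 4-7, likelihood
determination through grouped recommendations, over constructed pairings."""
from dataclasses import dataclass

# Scale values assumed from NIST SP 800-30 (2002), Tables 3-6 and 3-7.
LIKELIHOOD_VALUE = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT_VALUE = {"Low": 10, "Medium": 50, "High": 100}


@dataclass
class Pairing:
    """One row of the Step 2 Threat and Vulnerability Matrix plus the Step 4/5 inputs."""
    threat: str
    vulnerability: str
    motivated: bool             # Step 4 input: threat source motivation
    capable: bool               # Step 4 input: threat capacity
    control_effectiveness: str  # Step 4 input: "none", "partial" or "full"
    impact: str                 # Step 5 output: "Low", "Medium" or "High"


def likelihood_rating(p: Pairing) -> str:
    """Step 4, simplified NIST 800-30 rule:
    High   - motivated, capable, and current controls are ineffective
    Medium - motivated and capable, but controls may impede exploitation
    Low    - the source lacks motivation or capability, or controls prevent it
    """
    if not (p.motivated and p.capable) or p.control_effectiveness == "full":
        return "Low"
    if p.control_effectiveness == "partial":
        return "Medium"
    return "High"


def risk_level(likelihood: str, impact: str) -> str:
    """Step 6: risk = likelihood x impact, mapped onto the 800-30 risk scale."""
    score = LIKELIHOOD_VALUE[likelihood] * IMPACT_VALUE[impact]
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def determine_risk(pairings):
    """Steps 6 and 7: rate every pairing and group the results by risk level,
    highest first, which is the order the remediation workplan is built in."""
    grouped = {"High": [], "Medium": [], "Low": []}
    for p in pairings:
        lik = likelihood_rating(p)
        grouped[risk_level(lik, p.impact)].append(
            (p.threat, p.vulnerability, lik, p.impact))
    return grouped


# Constructed sample matrix for a web / e-mail application (not real findings).
SAMPLE_PAIRINGS = [
    Pairing("External attacker", "SQL injection in search form", True, True, "none", "High"),
    Pairing("Phisher", "E-mail spoofing of help desk address", True, True, "partial", "Medium"),
    Pairing("External attacker", "Stored XSS in profile page", True, True, "partial", "High"),
    Pairing("Opportunistic insider", "Unpatched mail relay", False, True, "none", "High"),
]

if __name__ == "__main__":
    for level, rows in determine_risk(SAMPLE_PAIRINGS).items():
        print(level)
        for threat, vuln, lik, imp in rows:
            print(f"  {threat} / {vuln}: likelihood={lik}, impact={imp}")
```

Note that a Medium likelihood against a High impact scores exactly 50 and therefore lands in Medium, not High; that boundary is where most argument about a rating happens in practice, so the inputs behind the likelihood call (control effectiveness in particular) should be recorded with the rating.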
Subjective Threat and Vulnerability Analysis (It is easy and fun, but…)
Objective Threat and Vulnerability Analysis
• Systems need to be evaluated against objective threat and vulnerability standards.
• DISA Checklists, NSA Guides, National Checklist Program (National Institute of Standards and Technology, NIST).
• Regulatory requirements (HIPAA, IRS, SSA) can add specific threat protection requirements.
• Commercial and open source vulnerability and control assessment tools are absolute necessities for enterprise threat evaluations.
Matching Threats with Known Vulnerabilities
• Ethical hacking is defined as discovering and verifying system vulnerabilities to help secure enterprise data.
• The good guys and the bad guys utilize similar tools, techniques and knowledge.
• Today we are going to demonstrate four of the most popular and exploitable web application and e-mail vulnerabilities.
Today’s Vulnerability Menu (Featuring Web Application Weaknesses and Creative E-mail Hacks)
• SQL Injection
  • Show AppScan representation of SQL injection
  • Show log representation of SQL injection
• XSS
  • Show AppScan representation of XSS flaw in marcd.org/demo
  • Demonstrate XSS flaw in marcd.org/demo
    • create user (fname/lname)
    • show profile (fname/lname returned)
    • create user (script/lname)
    • show profile (script is executed - could do anything)
• Email Spoof
  • Email from marcd.org spoofing Rick Bailey with link to marcd.org/corect
• Man in the Middle
  • Click on email link
  • Show that site is at marcd.org
  • Option to capture credentials or proxy entire session
  • Easier to proxy entire session
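The XSS walk-through on the agenda (create user, show profile, create user with a script as the first name, show profile again) and the SQL injection item, written as a vulnerable function beside its corrected form. This is an added example and is not the demo code from marcd.org/demo; the in-memory SQLite table, the `users` schema and every function name are constructed for it. The point it makes that the slide does not: the defect in the XSS case is in the output step, not the storage step, and the fix for each item is a single call (`html.escape` at output, a bound parameter in the query).

```python
"""Added example (not the marcd.org/demo code): stored XSS and SQL injection,
each as a vulnerable function beside its corrected form, over a constructed
in-memory user table."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the demo site's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, fname TEXT, lname TEXT)")
    conn.executemany("INSERT INTO users (fname, lname) VALUES (?, ?)",
                     [("Alice", "Smith"), ("Bob", "Jones")])
    conn.commit()
    return conn


def create_user(conn, fname: str, lname: str) -> int:
    """'create user' step: stores the submitted names verbatim. Storing them is
    fine; the defect is in how they are shown later."""
    cur = conn.execute("INSERT INTO users (fname, lname) VALUES (?, ?)", (fname, lname))
    conn.commit()
    return cur.lastrowid


def render_profile_unsafe(conn, user_id: int) -> str:
    """'show profile', vulnerable: stored values are pasted into the HTML as-is,
    so a first name containing a <script> tag comes back as live markup and the
    browser executes it (stored XSS)."""
    fname, lname = conn.execute(
        "SELECT fname, lname FROM users WHERE id = ?", (user_id,)).fetchone()
    return f"<p>Name: {fname} {lname}</p>"


def render_profile_safe(conn, user_id: int) -> str:
    """Corrected: HTML-escape every untrusted value at the point of output, so
    the tag is displayed as text instead of being parsed."""
    fname, lname = conn.execute(
        "SELECT fname, lname FROM users WHERE id = ?", (user_id,)).fetchone()
    return f"<p>Name: {html.escape(fname)} {html.escape(lname)}</p>"


def find_by_lname_unsafe(conn, lname: str) -> list:
    """SQL injection item, vulnerable: the search term is concatenated into the
    statement, so quote characters in the input change the query's logic."""
    sql = "SELECT fname FROM users WHERE lname = '" + lname + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_lname_safe(conn, lname: str) -> list:
    """Corrected: a bound parameter is always treated as data, never as SQL."""
    return [row[0] for row in conn.execute(
        "SELECT fname FROM users WHERE lname = ?", (lname,))]


if __name__ == "__main__":
    conn = make_db()
    uid = create_user(conn, "<script>alert('xss')</script>", "Ward")
    print(render_profile_unsafe(conn, uid))   # script tag returned as markup
    print(render_profile_safe(conn, uid))     # &lt;script&gt;... shown as text
    probe = "x' OR '1'='1"                    # the textbook tautology
    print(find_by_lname_unsafe(conn, probe))  # every row: WHERE is always true
    print(find_by_lname_safe(conn, probe))    # []: no one has that literal last name
```

In the log representation of the SQL injection item, the tell is the same thing the unsafe function shows: a single request whose parameter contains quote characters returns far more rows than the page normally does.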
Today’s Vulnerability Menu (Featuring Web Application Weaknesses and Creative E-mail Hacks)
• DISCLAIMER
• The real world threat examples that follow have been documented as affecting information systems and users worldwide. The vulnerabilities they exploit must be continually guarded against but are not representative of any specific systems or system implementations.
• And now over to Marc on the split screen…
E-Mail Spoofing
• Email spoofing may occur in different forms, but all have a similar result: a user receives email that appears to have originated from one source when it actually was sent from another source. Email spoofing is often an attempt to trick the user into making a damaging statement or releasing sensitive information (such as passwords). Examples of spoofed email include:
• email claiming to be from a system administrator requesting users to change their passwords to a specified string and threatening to suspend their account if they do not do this
• email claiming to be from a person in authority requesting users to send them a copy of a password file or other sensitive information
(Source: www.cert.org)
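A triage check for the kind of spoofed e-mail described above, as an added example that is not from the presentation or from CERT. It parses a message and compares the domain in the visible From: header (what the user sees) with the envelope sender recorded in Return-Path: and with the host named in the earliest Received: hop (where the message actually came from). Both messages are constructed for the example using the reserved documentation domains example.org / example.net and a TEST-NET address; the function names are assumptions.

```python
"""Added example (not from the presentation or CERT): flag mail whose visible
From: domain does not match the envelope sender or the originating relay."""
import email
import re
from email.utils import parseaddr

# Constructed spoofed message: looks like the help desk, but the envelope sender
# and the first relay belong to an unrelated domain.
SPOOFED_SAMPLE = """Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.5])
    by mx.example.org with ESMTP id 12345
From: "IT Help Desk" <helpdesk@example.org>
To: jdoe@example.org
Subject: Action required: change your password

Please change your password to the string below today or your account will be suspended.
"""

# Constructed legitimate message from the same visible sender.
LEGIT_SAMPLE = """Return-Path: <helpdesk@example.org>
Received: from mail.example.org (mail.example.org [192.0.2.10])
    by mx.example.org with ESMTP id 12346
From: "IT Help Desk" <helpdesk@example.org>
To: jdoe@example.org
Subject: Scheduled maintenance on Saturday

Mail will be unavailable from 22:00 to 23:00.
"""


def domain_of(address: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return address.rpartition("@")[2].lower()


def host_in_domain(host: str, domain: str) -> bool:
    """True when host is domain itself or a subdomain of it."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def spoof_indicators(raw: str) -> dict:
    """Compare the visible From: domain against the envelope sender (Return-Path:)
    and the earliest Received: hop. Returns the extracted values and two flags."""
    msg = email.message_from_string(raw)
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    envelope_domain = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    # Received: headers are prepended by each relay, so the last one in the
    # header block is the earliest hop: the host that handed over the message.
    received = msg.get_all("Received") or []
    m = re.search(r"from\s+(\S+)", received[-1]) if received else None
    first_hop = m.group(1).lower() if m else ""
    return {
        "from_domain": from_domain,
        "envelope_domain": envelope_domain,
        "first_hop": first_hop,
        "envelope_mismatch": from_domain != envelope_domain,
        "hop_outside_from_domain": not host_in_domain(first_hop, from_domain),
    }


def is_suspicious(raw: str) -> bool:
    """Triage verdict: either indicator is enough to route the message for review."""
    r = spoof_indicators(raw)
    return r["envelope_mismatch"] or r["hop_outside_from_domain"]


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, spoof_indicators(sample), "suspicious:", is_suspicious(sample))
```

Treat the result as a triage signal rather than a verdict: mailing lists and bulk-mail providers legitimately send with an envelope domain different from the From: domain, and a forged Received: line can only be trusted from the hop your own server added. Sender authentication (SPF, DKIM, DMARC) is the control that makes the From: domain checkable; this script only surfaces the mismatch the CERT description is about.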