About this page.

This blog was originally just going to be my Security assignment for electronic logs, but it has now evolved just a bit. In this blog you will find my notes and anything else we do in these classes.

Tuesday, February 21, 2012

Even more Chapter 4 notes


Vulnerability Assessment cont.

  • Vulnerability appraisal
    • Determine current weakness
      • Snapshot of current organization security
    • Every asset should be viewed in light of each threat
    • Catalog each vulnerability
  • Risk assessment
    • Determine damage resulting from attack
    • Assess likelihood that vulnerability is a risk to organization


  • Vulnerability impact scale
    • No impact
      • This vulnerability would not affect the organization
    • Small impact
      • Small impact vulnerabilities would produce limited periods of inconvenience and possibly result in changes to a procedure
    • Significant
      • A vulnerability that results in a loss of employee productivity due to downtime or causes a capital outlay to alleviate it could be considered significant
    • Major
      • Major vulnerabilities are those that have a considerable negative impact on revenue
    • Catastrophic
      • Vulnerabilities that are ranked as catastrophic are events that would cause the organization to cease functioning or be seriously crippled in its capacity to perform.
  • Single loss expectancy (SLE)
    • Expected monetary loss each time a risk occurs
    • Calculated by multiplying the asset value by exposure factor
    • Exposure factor: percentage of asset value likely to be destroyed by a particular risk
  • Annualized loss expectancy (ALE)
    • Expected monetary loss over a one year period
    • Multiply SLE by annualized rate of occurrence
    • Annualized rate of occurrence: probability that a risk will occur in a particular year
  • Estimate probability that vulnerability will actually occur
  • Risk mitigation
    • Determine what to do about risks
    • Determine how much risk can be tolerated
  • Options for dealing with risk
    • Diminish
    • Transfer
    • Accept
  • Risk Identification Steps
    • Asset identification
      • Inventory the assets
      • Determine the asset's relative value
    • Threat identification
      • Classify threats by category
      • Design attack tree
    • Vulnerability appraisal
      • Determine current weakness in assets
      • Use vulnerability assessment tools
    • Risk assessment
      • Estimate impact of vulnerability on organization
      • Calculate loss expectancy
      • Estimate probability the vulnerability will occur
    • Risk mitigation
      • Decide what to do with the risk, diminish, transfer or accept
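To make the SLE and ALE formulas above concrete, here is a small Python example I added (it is not from the textbook or the lecture). It works through a constructed risk register: the asset values, exposure factors, ARO values, safeguard costs and the risk tolerance are made-up numbers, and the rule that picks diminish / transfer / accept (compare the ALE reduction with the annual cost of the safeguard) is my own simplification, not a formula from the notes.

```python
# Added example: quantitative risk assessment with SLE and ALE, then a
# simple mitigation decision. All figures below are constructed sample data.


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value * exposure factor.

    The exposure factor is the fraction (0..1) of the asset value likely to be
    destroyed by one occurrence of the risk.
    """
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * annualized rate of occurrence (expected events per year)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def risk_register(risks):
    """Compute SLE and ALE for every risk and rank them, highest ALE first."""
    rows = []
    for r in risks:
        sle = single_loss_expectancy(r["asset_value"], r["exposure_factor"])
        ale = annualized_loss_expectancy(sle, r["aro"])
        rows.append({**r, "sle": sle, "ale": ale})
    return sorted(rows, key=lambda row: row["ale"], reverse=True)


def mitigation_option(ale_before: float, ale_after: float,
                      safeguard_annual_cost: float, tolerance: float) -> str:
    """Decide between the three options from the notes.

    Decision rule (my assumption, not from the notes): diminish when the ALE
    reduction exceeds the safeguard's annual cost; otherwise accept when the
    ALE is within what the organization tolerates, and transfer (e.g. insure)
    when it is above tolerance but the safeguard is not worth its cost.
    """
    net_benefit = (ale_before - ale_after) - safeguard_annual_cost
    if net_benefit > 0:
        return "diminish"
    if ale_before <= tolerance:
        return "accept"
    return "transfer"


# Constructed sample register (values are invented for illustration).
SAMPLE_RISKS = [
    {"name": "web server defacement", "asset_value": 50_000,
     "exposure_factor": 0.2, "aro": 2.0},    # SLE 10,000 -> ALE 20,000
    {"name": "database server theft", "asset_value": 200_000,
     "exposure_factor": 0.75, "aro": 0.1},   # SLE 150,000 -> ALE 15,000
    {"name": "laptop loss", "asset_value": 3_000,
     "exposure_factor": 1.0, "aro": 4.0},    # SLE 3,000 -> ALE 12,000
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_RISKS):
        print(f"{row['name']:24} SLE={row['sle']:>10,.0f} ALE={row['ale']:>10,.0f}")
    # A constructed safeguard that cuts the web-server ALE from 20,000 to 2,000
    # for 5,000 a year, against a tolerance of 10,000 a year.
    print(mitigation_option(20_000, 2_000, 5_000, 10_000))
```

Ranking by ALE rather than by SLE is the point of the exercise: the database theft has by far the largest single loss, but the frequent, cheap laptop loss and the web defacement end up comparable or larger on a yearly basis, which is what drives the mitigation spend.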

Assessment Techniques

  • Baseline reporting
    • Standard for solid security
    • Compare present state to baseline
    • Note, evaluate, and possibly address differences
  • Application development techniques
    • Minimize vulnerabilities during software development
  • Challenges to approach
    • Software application size and complexity
    • Lack of security specifications
    • Future attack techniques unknown
  • Software development assessment techniques
    • Review architectural design in requirements phase
    • Conduct design reviews
      • Consider including a security consultant
    • Conduct code review during implementation phase
      • Examine attack surface (code executed by users)
    • Correct bugs during verification phase
    • Create and distribute security updates as necessary

Assessment Tools

  • IP addresses uniquely identify each network device
  • TCP/IP communication
    • Involves information exchange between one system's program and another system's corresponding program
  • Port number
    • Unique identifier for applications and services
    • 16 bits in length
  • Well known port numbers
    • Reserved for most universal applications
  • Registered port numbers
    • Other applications not as widely used
  • Dynamic and private port numbers
    • Available for any application to use
  • Commonly used default network ports
    • FTP- 20 (data) and 21 (control)
    • SSH, SFTP, SCP - 22
    • Telnet- 23
    • TFTP - 69
    • HTTP- 80
    • NetBIOS- 139
    • HTTPS- 443
    • FTPS- 989 (data), 990 (control)
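The baseline reporting idea from the Assessment Techniques section (compare the present state to a baseline, note the differences) and the port numbers from this section fit together nicely, so here is a Python example I added that does both; it is my code, not anything from the textbook. The baseline of expected listening ports and the "present state" netstat-style lines are constructed sample data. The port table is the one from the notes; the well-known / registered / dynamic numeric ranges (0-1023, 1024-49151, 49152-65535) are the standard IANA ranges, which the notes name but do not number, and the encrypted-alternative suggestions are my addition.

```python
# Added example: baseline reporting applied to listening network ports.
# Expected ports (the baseline) are compared with the present state, every
# difference is noted, and each differing port is classified by range.
# The baseline and the scan lines below are constructed sample data.

# Default ports from the notes.
DEFAULT_PORTS = {
    20: "FTP data", 21: "FTP control", 22: "SSH/SFTP/SCP", 23: "Telnet",
    69: "TFTP", 80: "HTTP", 139: "NetBIOS", 443: "HTTPS",
    989: "FTPS data", 990: "FTPS control",
}

# Encrypted alternatives for the cleartext services (my addition, not from the notes).
CLEARTEXT_ALTERNATIVE = {
    20: "FTPS (989/990) or SFTP (22)",
    21: "FTPS (989/990) or SFTP (22)",
    23: "SSH (22)",
    80: "HTTPS (443)",
}


def port_category(port: int) -> str:
    """Classify a port by the standard IANA ranges; rejects anything outside 16 bits."""
    if not 0 <= port <= 65535:
        raise ValueError(f"{port} is not a 16-bit port number")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def parse_listening(lines):
    """Extract listening ports from 'proto local_address' lines (netstat-like).

    Header or unrelated lines are skipped; the port is taken after the last
    ':' so IPv6 addresses such as '[::]:22' also work.
    """
    ports = set()
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("tcp", "udp"):
            continue
        _host, _, port = parts[1].rpartition(":")
        ports.add(int(port))
    return ports


def baseline_report(baseline_ports, present_ports):
    """Compare the present state with the baseline and note the differences."""
    findings = []
    for p in sorted(present_ports - baseline_ports):
        finding = {"port": p, "status": "unexpected",
                   "category": port_category(p),
                   "service": DEFAULT_PORTS.get(p, "unknown")}
        if p in CLEARTEXT_ALTERNATIVE:
            finding["recommendation"] = "prefer " + CLEARTEXT_ALTERNATIVE[p]
        findings.append(finding)
    for p in sorted(baseline_ports - present_ports):
        findings.append({"port": p, "status": "missing",
                         "category": port_category(p),
                         "service": DEFAULT_PORTS.get(p, "unknown")})
    return findings


# Constructed baseline: only SSH and HTTPS are supposed to be listening.
BASELINE = {22, 443}

# Constructed "present state" in a netstat-like layout.
PRESENT_SCAN = [
    "Proto Local Address",
    "tcp 0.0.0.0:22",
    "tcp 0.0.0.0:23",
    "tcp 0.0.0.0:80",
    "tcp 127.0.0.1:8080",
    "udp 0.0.0.0:69",
    "tcp 0.0.0.0:49200",
]

if __name__ == "__main__":
    for f in baseline_report(BASELINE, parse_listening(PRESENT_SCAN)):
        print(f)
```

Running it flags Telnet, TFTP, HTTP, an unknown registered port and an unknown dynamic port as unexpected, and HTTPS as missing from the present state; the "evaluate, and possibly address" step from the notes is then a human decision on each finding.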
