Sunday, November 2, 2014

Beginning Risk Assessment

Recently, I had the opportunity to conduct a formal risk assessment for Fictional Inc. This was my first formal risk assessment, and I must say it was quite an interesting activity. It let me see things from a perspective that, while I may have thought about it and done it informally before, I had never had to document formally. The documentation is the most important part. So without further ado, let's get cracking.



Fictional Inc.
Information Technology Risk Assessment
Prepared for
Fictional Inc.
Prepared By
Nik Alleyne
2014-09-02





EXECUTIVE SUMMARY
Fictional Inc. requested that Nik Alleyne perform a formal Risk Analysis to identify the threats posed to the company. This Risk Analysis also aims to identify technical vulnerabilities within Fictional Inc.'s infrastructure while identifying and/or proposing possible countermeasures.

Fictional Inc. is a small grocery retailer and currently does not have an IT staff. Its IT support issues are contracted out to a third party. 
This assessment identified 2 critical vulnerabilities which should be addressed immediately by Fictional Inc.'s management.




DETAILED ASSESSMENT
1. Introduction
1.1 Purpose
The purpose of this Risk Assessment is to identify the threats and vulnerabilities related to the operation of Fictional Inc. Through the identification of these threats and vulnerabilities, the relevant countermeasures will be recommended.

1.2 Scope of this Risk Assessment
Fictional Inc.'s systems comprise a pfSense-based firewall and a wireless access point which also performs switching functionality. In addition, the infrastructure contains a Windows 2003 Server and Windows 8.1 and Windows XP desktops. Mobile platforms such as Android 4.0 and BlackBerry 10.2 are also in use.
All of the systems mentioned above are within the scope of this formal Risk Assessment.

2. Risk Assessment Approach
2.1 Participants

Role                           Participant
Third Party Support Personnel  Joe Admin
Store Owner                    Jane Owner
Risk Assessment Team           Nik Alleyne


2.2 Techniques used

Technique: Risk Assessment Method and guidance
Description: This assessment follows NIST SP 800-30 (Guide for Conducting Risk Assessments), NIST SP 800-37 (Guide for Applying the Risk Management Framework to Federal Information Systems) and the Commonwealth of Virginia Information Technology Risk Management Guideline Template.

Technique: Assessment Tools
Description: The Nessus Vulnerability Scanner was used for identifying technical vulnerabilities.

Technique: Vulnerability Sources
Description: Vulnerabilities were primarily determined based on results received from the Nessus Vulnerability Scanner, supplemented by advisories from US-CERT and Cisco Systems.

Technique: Countermeasure sources
Description: SANS Critical Security Controls for Effective Cyber Defense.


2.3 Identifying Threats
Credible Threats
Malicious Use
Compromise user accounts
Power Loss
System Failure
System Compromise
Unauthorized Access

2.4 Risk Model Approach
The Risk Model used to conduct Fictional Inc.'s Risk Assessment is based on the Risk Assessment methodology used by OWASP.

Risk = Likelihood x Impact

Threat Likelihood

Threat Rating (Weight)  Threat Description
High (1.0)              The probability that a threat can exploit an identified vulnerability is very high, as the source may have the means, motive and opportunity to exploit the vulnerability. In addition, the current controls to mitigate this threat are ineffective.
Medium (0.5)            The probability that this threat will occur is medium. Current controls may be effective in mitigating this threat.
Low (0.1)               The probability that this threat can be exploited is very low. In addition, the controls in place are effective in mitigating the threat.




Impact Rating  Impact Description
High (100)     Occurrence of this risk may result in:
               i. Financial loss to the business
               ii. Damage to the infrastructure
               iii. Loss of Confidentiality
               iv. Loss of Integrity
               v. Loss of Availability
               vi. Loss of Fictional Inc. reputation
Medium (50)    Occurrence of this risk may result in:
               i. Damage to the infrastructure
               ii. Loss of Confidentiality
               iii. Loss of Integrity
               iv. Loss of Availability
Low (10)       Occurrence of this risk may result in:
               i. Loss of Availability


Risk Matrix (Risk Likelihood x Risk Impact)

Risk Likelihood     Impact Low (10)         Impact Medium (50)       Impact High (100)
High (1.0)          Low (10 x 1.0 = 10)     Medium (50 x 1.0 = 50)   High (100 x 1.0 = 100)
Medium (0.5)        Low (10 x 0.5 = 5)      Medium (50 x 0.5 = 25)   Medium (100 x 0.5 = 50)
Low (0.1)           Low (10 x 0.1 = 1)      Low (50 x 0.1 = 5)       Low (100 x 0.1 = 10)
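The following Python script is an added example, not part of the original report or the OWASP methodology it cites. It encodes the likelihood weights (1.0 / 0.5 / 0.1), impact scores (100 / 50 / 10) and the High/Medium/Low bands from the matrix above, regenerates the full matrix, and then rates the six vulnerabilities from section 5 with the likelihood and impact ratings the report assigns them, so the overall ratings in that section can be checked mechanically. The band cut-offs (above 50 is High, above 10 is Medium, otherwise Low) are read off the matrix cells; the register of six risks is a sample constructed from the report's own section 5.

```python
"""Risk = Likelihood x Impact, as defined in section 2.4 of the report.

Added example for this post; it is not code from the original report.
Weights, impact scores and band thresholds are taken from the page's
likelihood, impact and matrix tables. The sample register below is
constructed from the six risks listed in section 5.
"""

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


def risk_score(likelihood: str, impact: str) -> float:
    """Numeric risk: likelihood weight times impact score (rounded to kill float noise)."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 2)


def risk_band(score: float) -> str:
    """Map a score onto the High/Medium/Low cells of the page's matrix.

    The matrix labels 100 as High, 25 and 50 as Medium, and 1, 5 and 10 as
    Low, so the cut-offs are: above 50 -> High, above 10 -> Medium, else Low.
    """
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def rate(likelihood: str, impact: str) -> tuple:
    """Return (score, band) for one likelihood/impact pair."""
    score = risk_score(likelihood, impact)
    return score, risk_band(score)


def risk_matrix() -> dict:
    """Every (likelihood, impact) cell, i.e. the 3x3 matrix from section 2.4."""
    return {(lk, im): rate(lk, im) for lk in LIKELIHOOD for im in IMPACT}


# Constructed sample register: the six vulnerabilities from section 5 with
# the likelihood and impact ratings the report gives them.
REGISTER = [
    ("Use of magnetic stripe card reader", "High", "High"),
    ("Unsupported Operating System", "High", "Medium"),
    ("SSL Certificate Cannot Be Trusted", "Medium", "High"),
    ("DNS Server Cache Snooping Remote Information Disclosure", "Low", "High"),
    ("Web Server Generic XSS", "Medium", "Medium"),
    ("Lack of Centralized Authentication", "Medium", "Medium"),
]


def rate_register(register=REGISTER) -> list:
    """Rate every entry and sort highest score first, which gives a treatment order."""
    rows = []
    for name, likelihood, impact in register:
        score, band = rate(likelihood, impact)
        rows.append({"vulnerability": name, "likelihood": likelihood,
                     "impact": impact, "score": score, "overall": band})
    rows.sort(key=lambda r: r["score"], reverse=True)  # stable: ties keep report order
    return rows


if __name__ == "__main__":
    print("Risk matrix:")
    for (lk, im), (score, band) in risk_matrix().items():
        print(f"  likelihood={lk:<6} impact={im:<6} -> {score:>5} {band}")
    print("\nRated register (highest first):")
    for row in rate_register():
        print(f"  {row['score']:>5}  {row['overall']:<6}  {row['vulnerability']}")
```

Running the script reproduces the nine matrix cells and ranks the register as 100 (High), 50, 50, 25, 25 (Medium) and 10 (Low), which matches the Overall Risk Rating column in section 5; keeping the thresholds in one function means a future change to the weights only has to be checked in one place.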


3. IT Systems Characterization
3.1 IT Systems

IT Systems Inventory and Definition

System Name: FICTIONAL-FW
Description: Firewall. IP: 192.168.0.1. Services: SSH, HTTPS, NTP, DHCP, RADIUS, IPS, bandwidth analysis, traffic analysis.
Value: Mission Critical

System Name: FICTIONAL-AP
Description: Wireless Access Point. IP: 192.168.0.2. Firmware Version: 3.7.2 Build 071123 Rel.38995n. Hardware Version: WR340G v5 08118989. Services: HTTP.
Value: High

System Name: FICTIONAL-PC
Description: Desktop computer running Windows 8.1. IP: 192.168.0.11. Productivity software: Accounting, Excel, graphic design, browser.
Value: Medium

System Name: FICTIONAL-XP
Description: Desktop computer running Windows XP. IP: 192.168.0.14. Productivity software: Accounting, Excel, graphic design, browser.
Value: Low

System Name: FICTIONAL-SRV
Description: File server running Windows 2003. IP Address: 192.168.0.21.
Value: High

System Name: FICTIONAL-TABLET
Description: Tablet running Android OS 4.0. Productivity software: Excel, browser. IP Address: 192.168.0.14.
Value: Low

System Name: FICTIONAL-MOBILE1
Description: Mobile phone running BlackBerry OS 10.2. Productivity software: Excel, browser. IP Address: 192.168.0.15.
Value: Low

System Name: FICTIONAL-MOBILE2
Description: Mobile phone running BlackBerry OS 10.2. Productivity software: Excel, browser. IP Address: 192.168.0.16.
Value: Low





3.2 Flow Diagram
The diagram below identifies all the devices within the scope of this Risk Assessment.



4. Vulnerability Statement
4.1 The following vulnerabilities were identified.

1. Use of magnetic stripe card reader
   The use of a magnetic stripe card reader is a critical vulnerability at this time. This vector is constantly being exploited to gain access to credit card track data.

2. Unsupported Operating System
   The use of unsupported operating systems is a critical vulnerability, since vendor-issued patches and updates may no longer be available.

3. SSL Certificate Cannot Be Trusted
   Users would be unable to verify the authenticity and identity of the systems. This could make it easier to carry out man-in-the-middle attacks.

4. DNS Server Cache Snooping Remote Information Disclosure
   This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited.

5. Web Server Generic XSS
   The remote host is running a web server that fails to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site.

6. Lack of Centralized Authentication
   This makes it difficult to disable an account if it is compromised. In addition, it means that passwords and other user and computer controls cannot be managed centrally.



5. Risk Assessment Results

Risk No.: 1
Vulnerability: Use of magnetic stripe card reader
Threat: Unauthorized Access; Unauthorized Use; Malicious Use; System Compromise
Risk of Compromise: Confidentiality and Integrity of Fictional Inc. data may be lost
Risk Summary: The use of a magnetic stripe card reader is a critical vulnerability at this time. This vector is constantly being exploited to gain access to credit card track data.
Risk Likelihood rating: High
Risk Impact rating: High
Overall Risk Rating: High
Analysis of Relevant Controls: None
Recommendations: Fictional Inc. should consider working with a vendor who provides POS terminals that use hardware-based encryption, since Fictional Inc. does not control the production and/or distribution of credit cards. Consider implementing firewall rules which restrict access to the POS systems.

Risk No.: 2
Vulnerability: Unsupported Operating System
Threat: Unauthorized Access; System Compromise; Malicious Use
Risk of Compromise: Confidentiality, Integrity and Availability of data and systems
Risk Summary: The use of unsupported operating systems is a critical vulnerability, since vendor-issued patches and updates may no longer be available.
Risk Likelihood rating: High
Risk Impact rating: Medium
Overall Risk Rating: Medium
Analysis of Relevant Controls: Currently no controls are in place for mitigating this risk.
Recommendations: Fictional Inc. should consider implementing a software inventory and/or patch management system which allows it to track its currently installed software versions.

Risk No.: 3
Vulnerability: SSL Certificate Cannot Be Trusted
Threat: Unauthorized Access; System Compromise
Risk of Compromise: Integrity of Fictional Inc. data can be compromised
Risk Summary: Users would be unable to verify the authenticity and identity of the systems. This could make it easier to carry out man-in-the-middle attacks.
Risk Likelihood rating: Medium
Risk Impact rating: High
Overall Risk Rating: Medium
Analysis of Relevant Controls: None
Recommendations: Ensure all new services requiring certificates use a certificate signed by a trusted third party.

Risk No.: 4
Vulnerability: DNS Server Cache Snooping Remote Information Disclosure
Threat: Malicious Use; Unauthorized Access
Risk of Compromise: Availability of Fictional Inc. infrastructure can be compromised
Risk Summary: This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited.
Risk Likelihood rating: Low
Risk Impact rating: High
Overall Risk Rating: Low
Analysis of Relevant Controls: Currently none exist. However, a plan is in place for obtaining a software patch from the DNS software vendor.
Recommendations: Fictional Inc. should consider implementing a software inventory and/or patch management system which allows it to track its currently installed software versions.

Risk No.: 5
Vulnerability: Web Server Generic XSS
Threat: Unauthorized Use; Unauthorized Access; System Compromise
Risk of Compromise: Confidentiality and Integrity of Fictional Inc. data
Risk Summary: The remote host is running a web server that fails to adequately sanitize request strings of malicious JavaScript. By leveraging this issue, an attacker may be able to cause arbitrary HTML and script code to be executed in a user's browser within the security context of the affected site.
Risk Likelihood rating: Medium
Risk Impact rating: Medium
Overall Risk Rating: Medium
Analysis of Relevant Controls: The control in place for this vulnerability is the firewall. Access to this device is only granted to specific systems.
Recommendations: Conduct quarterly vulnerability scans to ensure these types of vulnerability can be detected. Conduct quarterly reviews of the firewall rules.

Risk No.: 6
Vulnerability: Lack of Centralized Authentication
Threat: Unauthorized Use; Unauthorized Access; System Compromise
Risk of Compromise: Confidentiality
Risk Summary: This makes it difficult to disable an account if it is compromised. In addition, it means that passwords and other user and computer controls cannot be managed centrally.
Risk Likelihood rating: Medium
Risk Impact rating: Medium
Overall Risk Rating: Medium
Analysis of Relevant Controls: No control is currently in place to address user authentication.
Recommendations: Fictional Inc. should implement a centralized directory server, which allows for control of both users and their computers.

6. Summary of Nessus Scan Results

References

Tenable. (n.d.). Nessus. Retrieved from http://www.tenable.com/products/nessus
SANS. (n.d.). Critical Security Controls. Retrieved from http://www.sans.org/critical-security-controls
OWASP. (n.d.). OWASP Risk Rating Methodology. Retrieved from https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
US-CERT. (2014, January 2). Alert TA14-002A. Retrieved from https://www.us-cert.gov/ncas/alerts/TA14-002A
Gundert, L. (2014, January 13). Retrieved from http://blogs.cisco.com/security/detecting-payment-card-data-breaches-today-to-avoid-becoming-tomorrows-headline/
NIST. (2012, September). SP 800-30 Rev. 1. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf
VITA. (2006, November 12). Risk Assessment Instructions. Retrieved from http://www.it.vt.edu/ctssr/risk_assessment/documents/VITA_Risk_Assessment_Instructions.pdf

2 comments:

  1. Well done Nik,

    Just saw this today, it's amazing. Liked your detailed approach.
    Thinking, if we have to perform many RAs with different contexts at once, how can we do it quickly, like with some Excel-based approach?

    Regards,

    Replies
    1. Umer,
      Thanks for the comment! It's much appreciated and I'm glad that you found it helpful.

      If you were performing many RAs, I would suggest you build a template and try to leverage that. The tool would be dependent on you, but if Excel works I would recommend that route.