Security Risk Analysis of Computer Networks: Techniques and Challenges
Transcript of a PowerPoint presentation by Anoop Singhal (Computer Security Division, National Institute of Standards and Technology) and Simon Ou (Dept. of Computer and Information Science, Kansas State University).
![Page 1: Security Risk Analysis of Computer Networks: Techniques and Challenges](https://reader036.vdocuments.us/reader036/viewer/2022062500/5681585a550346895dc5b621/html5/thumbnails/1.jpg)
Security Risk Analysis of Computer Networks: Techniques and Challenges
Anoop Singhal, Computer Security Division, National Institute of Standards and Technology
Simon Ou, Dept. of Computer and Information Science, Kansas State University
Outline
Basics of Network Security Risk Analysis
Threats to Networks
Common Vulnerability Scoring System (CVSS)
Attack Graphs, Bayesian Networks and Tools for generating Attack Graphs
Quantifying Security Risk using attack graphs and CVSS
Conclusions
Enterprise Network Security Management
Networks are getting large and complex
Vulnerabilities in software are constantly discovered
Network Security Management is a challenging task
Even a small network can have numerous attack paths
Trends for Published Vulnerabilities
Enterprise Network Security Management
Currently, security management is more of an art and not a science
System administrators operate by instinct and learned experience
There is no objective way of measuring the security risk in a network
“If I change this network configuration setting will my network become more or less secure?”
Challenges in Security Metrics
Typical issues addressed in the literature:
How can a database server be secured from intruders?
How do I stop an ongoing intrusion?
Notice that they all have a qualitative nature. Better questions to ask:
How secure is the database server in a given network configuration?
How much security does a new configuration provide?
How can I plan security investments so that they provide a certain amount of security?
For this we need a system security modeling and analysis tool.
Challenges in Security Metrics
Metrics for individual vulnerabilities exist: impact, exploitability, temporal, environmental, etc.
E.g., the Common Vulnerability Scoring System (CVSS) v2, released on June 20, 2007 [1]
However, how to compose individual measures into the overall security of a network? Our work focuses on this issue.
[1] Common Vulnerability Scoring System (CVSS-SIG) v2, http://www.first.org/cvss/
Challenges in Security Metrics
Counting the number of vulnerabilities is not enough
Vulnerabilities have different importance
The scoring of a vulnerability is a challenge: it depends on the context of the application and the configuration of the application
How to compose vulnerabilities for the overall security of a network system?
What is an Attack Graph?
A model for:
How an attacker can combine vulnerabilities to stage an attack such as a data breach
Dependencies among vulnerabilities
Attack Graph Example
Figure: the Attacker on Machine 0 reaches, through a Firewall/Router, the FTP Server on Machine 1 (which also runs sshd) and the Database Server on Machine 2.
Different Paths for the Attack
sshd_bof(0,1) → ftp_rhosts(1,2) → rsh(1,2) → local_bof(2)
ftp_rhosts(0,1) → rsh(0,1) → ftp_rhosts(1,2) → rsh(1,2) → local_bof(2)
ftp_rhosts(0,2) → rsh(0,2) → local_bof(2)
Attack Graph from machine 0 to DB Server
What is CVSS?
Stands for Common Vulnerability Scoring System
An open framework for communicating characteristics and impacts of IT vulnerabilities
Consists of three metric groups: Base, Temporal, and Environmental
CVSS (Cont’d)
Base metrics: constant over time and across user environments
Temporal metrics: change over time but are constant across user environments
Environmental metrics: unique to a user environment
CVSS (Cont’d)
CVSS metric groups
Each metric group has sub-metrics
Each metric group has a score associated with it
The score is in the range 0 to 10
Access Vector
This metric measures how the vulnerability is exploited.
Values: Local, Adjacent Network, Network
Access Complexity
This metric measures the complexity of the attack required to exploit the vulnerability.
High: Specialized access conditions exist
Medium: The access conditions are somewhat specialized
Low: Specialized access conditions do not exist
Authentication
This metric measures the number of times an attacker must authenticate to a target to exploit a vulnerability
Multiple: The attacker needs to authenticate two or more times
Single: One instance of authentication is required
None: No authentication is required
Confidentiality Impact
This metric measures the impact on confidentiality due to the exploit.
None: No impact
Partial: There is considerable information disclosure
Complete: There is total information disclosure
Similar things for the Integrity Impact and Availability Impact
Base Score
Base Score = Function(Impact, Exploitability)
Impact = 10.41 * (1-(1-ConImp)*(1-IntImp)*(1-AvailImpact))
Exploitability = 20*AccessV*AccessComp*Authentication
Base Score Example CVE-2002-0392
Apache Chunked Encoding Memory Corruption
| BASE METRIC | EVALUATION | SCORE |
|---|---|---|
| Access Vector | Network | 1.00 |
| Access Complexity | Low | 0.71 |
| Authentication | None | 0.704 |
| Availability Impact | Complete | 0.66 |

Impact = 6.9
Exploitability = 10.0
Base Score = 7.8
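As an added worked example (not code from the presentation), the Impact and Exploitability formulas above implemented in Python with the CVSS v2 metric weights, reproducing the 7.8 for the evaluation shown; the final combination, its f(Impact) factor and the rounding follow the CVSS v2 guide rather than the slide, which only names the function.

```python
# CVSS v2 base score (added example). Metric weights are those of the CVSS v2 guide.
ACCESS_VECTOR = {"Local": 0.395, "Adjacent Network": 0.646, "Network": 1.0}
ACCESS_COMPLEXITY = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AUTHENTICATION = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
IMPACT_WEIGHT = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}


def cvss2_base_score(access_vector, access_complexity, authentication,
                     confidentiality, integrity, availability):
    """Return (impact, exploitability, base score), each rounded to one decimal.

    Impact and Exploitability are the slide's formulas. The base score is
    0.6*Impact + 0.4*Exploitability - 1.5, scaled by f(Impact), which is 0 when
    the vulnerability has no impact at all and 1.176 otherwise (CVSS v2 guide).
    """
    c = IMPACT_WEIGHT[confidentiality]
    i = IMPACT_WEIGHT[integrity]
    a = IMPACT_WEIGHT[availability]
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = (20 * ACCESS_VECTOR[access_vector]
                      * ACCESS_COMPLEXITY[access_complexity]
                      * AUTHENTICATION[authentication])
    f_impact = 0.0 if impact == 0 else 1.176  # no impact -> base score 0
    base = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return round(impact, 1), round(exploitability, 1), round(base, 1)


if __name__ == "__main__":
    # The slide's evaluation of CVE-2002-0392: network access, low complexity,
    # no authentication, complete availability impact only.
    print(cvss2_base_score("Network", "Low", "None", "None", "None", "Complete"))
```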
Attack Graph with Probabilities
Numbers are estimated probabilities of occurrence for individual exploits, based on their relative difficulty.
The ftp_rhosts and rsh exploits take advantage of normal services in a clever way and do not require much attacker skill.
A bit more skill is required for ftp_rhosts in crafting a .rhost file.
sshd_bof and local_bof are buffer-overflow attacks, which require more expertise.
Figure: the attack graph annotated with the per-exploit estimates rsh 0.9, ftp_rhosts 0.8, sshd_bof 0.1 and local_bof 0.1.
Probabilities Propagated Through Attack Graph
When one exploit must follow another in a path, this means both are needed to eventually reach the goal, so their probabilities are multiplied: p(A and B) = p(A)p(B)
When a choice of paths is possible, either is sufficient for reaching the goal: p(A or B) = p(A) + p(B) – p(A)p(B).
Figure: the same attack graph with propagated (cumulative) probabilities: 0.8 after ftp_rhosts(0,1) and ftp_rhosts(0,2), 0.72 after rsh(0,1) and rsh(0,2), 0.60 after ftp_rhosts(1,2), 0.54 after rsh(1,2), and 0.087 at the goal after local_bof(2).
Network Hardening
When we harden the network, this changes the attack graph, along with the way its probabilities are propagated.
Our options to block traffic from the Attacker:
Make no change to the network (baseline)
Block ftp traffic to prevent ftp_rhosts(0,1) and ftp_rhosts(0,2)
Block rsh traffic to prevent rsh(0,1) and rsh(0,2)
Block ssh traffic to prevent sshd_bof(0,1)
Comparison of Options
We can make comparisons of relative security among the options:
Make no change: p = 0.1
Blocking rsh traffic from the Attacker leaves a remaining 4-step attack path with total probability p = 0.1∙0.8∙0.9∙0.1 = 0.0072
Blocking ftp traffic: p = 0.0072
But blocking ssh traffic leaves 2 attack paths, with total probability p ≈ 0.0865, i.e., compromise is 10 times more likely as compared to blocking rsh or ftp.
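As an added example (not the presenters' code), the AND/OR propagation rules from the "Probabilities Propagated Through Attack Graph" slide applied to the three-machine graph, then re-run for each option on the "Network Hardening" slide; the intermediate condition names such as trust(1,0) and user(2) are assumed labels for the graph's nodes.

```python
from math import prod

# Constructed attack graph for the three-machine example on the slides:
# exploit -> (estimated success probability, preconditions, condition it grants).
# Probabilities are the slide's estimates: ftp_rhosts 0.8, rsh 0.9, sshd_bof 0.1, local_bof 0.1.
EXPLOITS = {
    "ftp_rhosts(0,1)": (0.8, ["access(0)"], "trust(1,0)"),
    "rsh(0,1)":        (0.9, ["trust(1,0)"], "user(1)"),
    "sshd_bof(0,1)":   (0.1, ["access(0)"], "user(1)"),
    "ftp_rhosts(1,2)": (0.8, ["user(1)"], "trust(2,1)"),
    "rsh(1,2)":        (0.9, ["trust(2,1)"], "user(2)"),
    "ftp_rhosts(0,2)": (0.8, ["access(0)"], "trust(2,0)"),
    "rsh(0,2)":        (0.9, ["trust(2,0)"], "user(2)"),
    "local_bof(2)":    (0.1, ["user(2)"], "root(2)"),
}
INITIAL = {"access(0)": 1.0}  # the attacker starts with access to machine 0


def goal_probability(goal, blocked=()):
    """Propagate probabilities through the graph to the condition `goal`.

    AND: an exploit succeeds with its own probability times that of every
    precondition, p(A and B) = p(A)p(B).
    OR: a condition granted by several exploits uses p(A or B) = p(A)+p(B)-p(A)p(B),
    written in its n-way form 1 - prod(1 - p_i).
    Exploits listed in `blocked` are removed, which is how a hardening option
    changes the graph.
    """
    active = {n: s for n, s in EXPLOITS.items() if n not in blocked}
    memo = {}

    def cond_prob(cond):
        if cond in INITIAL:
            return INITIAL[cond]
        if cond not in memo:
            ways = [p * prod(cond_prob(c) for c in pre)
                    for p, pre, grants in active.values() if grants == cond]
            memo[cond] = 1 - prod(1 - w for w in ways)  # no way to reach it -> 0
        return memo[cond]

    return cond_prob(goal)


def compare_hardening_options():
    """Probability of reaching root(2) for each option on the hardening slide."""
    return {
        "no change": goal_probability("root(2)"),
        "block ftp": goal_probability("root(2)", ("ftp_rhosts(0,1)", "ftp_rhosts(0,2)")),
        "block rsh": goal_probability("root(2)", ("rsh(0,1)", "rsh(0,2)")),
        "block ssh": goal_probability("root(2)", ("sshd_bof(0,1)",)),
    }


if __name__ == "__main__":
    for option, p in compare_hardening_options().items():
        print(f"{option:10s} p(root(2)) = {p:.4f}")
```

The baseline comes out at 0.087 (the slide rounds it to 0.1), the ftp and rsh options at 0.0072, and the ssh option at about 0.0865.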
Need for a Modeling Tool
For a large enterprise network that has hundreds of host machines and several services, we need a modeling tool that can:
Generate the attack graph
Use the attack graph for quantitative analysis of the current configuration
Help the network administrators decide what changes to make to improve security
System Architecture
Figure: the Security Modeling Tool takes the Network Configuration, the Host Configuration and a Vulnerability DB as inputs and produces Attack Graphs.
Conclusions
Based on attack graphs, we have proposed a model for security risk analysis of information systems
Composing individual scores into a more meaningful cumulative metric for overall system security
The metric meets intuitive requirements
The metric can be used for making recommendations to improve network security