Auditing & Standards

Editor's note

Dear Readers,
TEAM
Managing Editor: Magdalena Król, magdalena.krol@software.com.pl
Associate Editor: Aby Rao, abyrao@gmail.com
2nd Associate Editor: Gareth Watters, garethwatters@gmail.com
Betatesters / Proofreaders: Jeff Weaver, William Whitney, Shrinath Nerlekar, Harish Chaudhary, Daniel Wood, Scott Christie, Dennis Distler, Johan Snyman, Eric Schultz, Ed Werzyn, David Kosorok, Stefanus Natahusada, Michael Munty
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic, ewa.dudzic@software.com.pl
Art Director: Ireneusz Pogroszewski, ireneusz.pogroszewski@software.com.pl
DTP: Ireneusz Pogroszewski
Production Director: Andrzej Kuca, andrzej.kuca@software.com.pl
Marketing Director: Ewa Dudzic, ewa.dudzic@software.com.pl
Publisher: Software Media Sp. z o.o., ul. Bokserska 1, 02-682 Warszawa
Phone: +48 22 427 36 56
www.pentestmag.com
August is usually a time for our holidays. When the sun is shining, the weather is great and we are spending a nice time with our family and friends… So it's hard to find even a moment to think about the security of the important data we left on our computer. However, taking some time to read PenTest Auditing & Standards can help you find new solutions to secure your information. This month we give you some hints about Information Security and we focus especially on Risk Assessment Measurement in order to simplify taking care of data security. I know that many people call that subject boring, but with this issue you will probably see that this topic can also be very interesting.

The issue opens with the Introduction section, which describes the subject matter of Information Security and the basics of carrying out an information security risk assessment. This section confirms the importance of performing regular and systematic risk assessments. We can also find an explanation of how to provide secure environments that effectively protect the organization's assets, networks, systems, vital business processes, and data.

In the Policies & Tactics section we have an opportunity to learn how to successfully approach risk management and find out why management can be seen as the dominant force in every corner of organizations. We can also see how Steganography can be useful in Information Security.

In the Metrics and Measurement section the 4M of Management criteria are shown: Management needs Monitoring, Measurement and Metrics as a way to "manage" risks, and the efficiency of controls. We can also find a technical and practical description of how to measure IS Risk.

For the end we have something Extra for you, a really interesting article about Biometrics, which explains the possibility of predicting a web based face mask only from fingerprints.

Enjoy reading!
Magdalena Król & PenTest Team
Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.
To create graphs and diagrams we used [program name missing] by [vendor name missing].
Mathematical formulas created by Design Science MathType™.
DISCLAIMER!
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
07/2012(7)
Page 4
http://pentestmag.com
CONTENTS

Introduction

06 The Information Security Risk Assessment – Security for the Enterprise
by Tarot "Taz" Wake
As the saying goes, nothing can ever be 100% secure and we all know that in practice security is always a trade-off between competing forces such as user requirements, cost, government regulations and the like. Risk management provides the overarching framework for this trade-off and one of the most fundamental parts of the risk management process is the risk assessment.

14 IT Risk Management and Risk Assessment
by Timothy Nolan and Serge Jorgensen
IT Risk Assessment is an important component of Enterprise Risk Management – detecting and dealing with new and emerging threats and vulnerabilities in a prudent, effective and responsible manner.

Policies & Tactics

26 Risky Business: IT security risk Management Demystified
by Michael D. Peters
As a career security practitioner and Chief Security Officer to several companies over the years, I was responsible for the reduction or elimination of threat exposures to its core business assets.

34 IS Risk Assessment & Measurement
by Dan Ross
With the ever changing world of Information Security and the rapid increase of users accessing the Internet over the past decade, IS Risk Assessment and Measurement has in more recent years become a much higher priority for businesses around the world to address.

38 Risk Management Approach
by Ozan Ozkara
Why does IT Security, or the general enterprise, need to understand risk management? Risk Management is an important fundamental element of security and can be seen as the dominant force in every corner of organizations.

44 Security By Obscurity: Do Not Spurn In An Era Of Automated Hacking
by Sang Lee
Camouflage... if so successfully used by nature, why is obfuscation scorned in information security? Take a look at Steganography, which can be called Data Camouflage.

50 The Right way of Risk Assessment
by Marcus J. Ranum
The concept of "vagueness" is important to philosophers, and (perhaps) is relevant to the real world of security. Briefly, the idea of vague concepts is that it's often difficult to determine a sharp dividing line between two states – at what point, for example, do we say that a person has "gone bald"?

Metrics & Measurement

54 Information Systems Metrics and Measurement
by Berker Tasoluk
In order to "manage" our risks, and the efficiency of our controls, we have to depend on some quantitative criteria. Here come the metrics.

58 Measuring the effectiveness of Information Security Risk Assessment
by Omoruyi Osagiede
The cure for the headache is not to cut off the head. This proverb encapsulates the basic principle surrounding information security risk assessment.

64 Measuring the imponderable: Auditing IT risks
by Stefano Maccaglia and Prof. Anna Scaringella
Many technologies, today, offer a "click one and catch all" solution. But in our experience such technologies are just a good start.

70 Security Risk Assessment: How to measure and to be aware of the Risk Assessment element as part of Risk Management in the field of cyber security
by Predrag Tasevski
Many organizations – both public and private – nowadays have implemented and developed their own security risk assessment template tool.

Extra

74 Biometrics: A web based face mask prediction system from only fingerprints
by Seref Sagiroglu, Uraz Yavanoglu and Necla Ozkaya
Most efforts in biometrics have recently been focused on how to improve the accuracy and processing time of the biometric systems, to design more intelligent systems, and to develop more effective and robust techniques and algorithms.
Introduction
The Information Security Risk Assessment – Security for the Enterprise

As the saying goes, nothing can ever be 100% secure and we all know that in practice security is always a trade-off between competing forces such as user requirements, cost, government regulations and the like. Risk management provides the overarching framework for this trade-off and one of the most fundamental parts of the risk management process is the risk assessment.

In this article I will cover how you can carry out a detailed Information Security Risk Assessment and deliver genuine value to the end business. This is a process that I, and others, have used with numerous businesses, across all market sectors, and it has proven to be resilient and straightforward to deliver.

What you will learn in this article
• Why you need an information security risk assessment.
• The basics of carrying out an information security risk assessment.
• What you need to do with your findings.

Risk management for dummies
Risks are everywhere – when we cross the road, when we take a flight, when we eat sushi, we are taking a risk. We do this automatically, because throughout our lives we have taken on board the lessons of our parents, teachers and own experiences as to what risks are likely to happen and if so how much they will hurt us. We then weigh this up against what our benefit will be and decide how we will act (Figure 1). For most people, this becomes so much "second nature" it happens without any conscious thought. This is risk management on a personal level and while it may not be perfect (accidents still happen), it generally serves people throughout their lives and enables them to reap the benefits of taking occasional controlled risks. The same principle applies to businesses [1] whereby taking risks allows them to open up new markets, deliver better services, or just enhance the quality of their offerings. Any business that re-

Figure 1. Risk Management
Introduction
IT Risk Management And Risk Assessment

IT Risk Assessment is an important component of Enterprise Risk Management – detecting and dealing with new and emerging threats and vulnerabilities in a prudent, effective and responsible manner. Performing regular and systematic risk assessments is a crucial best practice and helps provide a secure environment and protect an organization's assets, networks, systems, vital business processes, and data.

The assessment is often placed onto a relative plot using these four items as axes and rating various items against each other. Fundamentally, a risk assessment cannot be "done" by an outside agency. While the assessment can be "led" through outside input, the information developed is maintained by various business owners inside the company. Without continuous and intelligent input from the business units discussed below, the assessors will rate the wrong risks, assign the wrong impact and generally deliver a flawed end product.

The primary consideration for conducting a successful risk assessment is to involve the right teams. A risk assessment conducted only with input from IT is almost immediately severely limited in scope, knowledge and potential for success (Figure 1). Teams should include input from Legal, Human Resources, Audit and Finance, as well as the specific areas of IT: Operations, Security, Databases and Storage. Each distinct group brings a unique perspective to the assessment, with different priorities, understanding and knowledge. Specifically:
• Legal and Audit assist with regulatory compliance
• Legal assists with 3rd-party contracts and data exchange agreements
• Finance provides insight on valuation of risk
• HR assists with identifying data repositories as well as internal response and controls
• IT involvement is two-fold:
  • Present the various data repositories to the group for identification

Figure 1. Risk Assessment Team Sources
Policies & Tactics
Risky Business: IT security risk Management Demystified

As a career security practitioner and Chief Security Officer to several companies over the years, I was responsible for the reduction or elimination of threat exposures to its core business assets. Depending on the nature of that business and its size, this might be a daunting task at first blush; however, I have discovered that with an organized, systematic approach, you can approach risk management effectively.

As a career security practitioner and Chief Security Officer to several companies over the years, my significant responsibility to the organization I am responsible for is simply to reduce or eliminate threat exposures to its core business assets. Depending on the nature of that business and its size, this might be a daunting task at first blush; however, I have discovered that with an organized, systematic approach, you can approach risk management effectively.

Risk, simply put, is the negative impact to business assets by the exercise of vulnerabilities to those assets, considering both the probability of that event as the Single Loss Expectancy (SLE) and the resulting impact of the occurrence, otherwise known as the Annualized Loss Expectancy (ALE), both terms of which I will define more in depth shortly. This article is focused on helping you understand the core elements of a successful IT security risk management program for a commercial enterprise, the process of calculating the cost of a risk exposure, and what the appropriate costs of mitigating those risks should be. We must first understand what the essence of IT security risk management is, which can be defined as the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. The resulting impact of an event can be described in terms of loss or degradation of any, or a combination of any, of the following three security characteristics: integrity, availability, and confidentiality. The following list provides a brief description of each security goal and the impact of its not being met:

Figure 1.

IT security risk management plays an essential role in protecting an organization's intellectual property and information assets and subsequently the business mission from information technology related security risks. Each organization is unique, and the threshold for how much risk it is willing to accept, otherwise known as its risk appetite, will have a measurable impact on the IT security risk management program implemented. Regardless, every effective IT security risk management plan should contain three essential facets; something I refer to as The Security Trifecta in one of my books, Governance Documentation and Information Technology Security Policies Demystified, which is a combination of governance, technology and vigilance. If you are preparing to lead a company's security function or improve what you have implemented already, I'm going to lay out a sustainable IT security risk management plan for you that should be part of your first one hundred days on the job or, at the very least, implemented during your tenure as soon as possible.
Policies & Tactics
IS Risk Assessment & Measurement

With the ever changing world of Information Security and the rapid increase of users accessing the Internet over the past decade, IS Risk Assessment and Measurement has, in more recent years, become a much higher priority for businesses around the world to address.

Thus clearly defined standards that have good procedural practice and policies in place have been created over time to allow these businesses to operate with a greater sense of security in their IS Risk auditing process. This article will try to identify and outline some of the problems and issues these businesses have been required to overcome by addressing their IS Risk Assessment and Measurement needs.

The reason why a business is likely to adopt IS Risk Assessment and Measurement is to allow them to collect all the necessary data required to identify and audit their resources in a clear and accurate manner. This allows the highest residual risks to be identified and then rated into individual auditable units and discrete segments, in order for them to classify each individual risk into high-risk and low-risk areas or categories. This mainly exists in relationship to their critical control systems that will help the business address its inherent high-risk areas, so different techniques and methods are required to help build a volume of data which can then be broken into all of the different auditable units. This can then be understood and also more easily presented, to assist with and provide a reasonable assurance in relation to the relevant information collected. This includes all of the different areas of the Information Security landscape, to essentially assist management to effectively discharge their responsibilities while also providing a reasonable assurance that the IS Audit activities are directed to all the high business risk areas and thus adding true value to the management of their assets.

There are several methods that are currently being used to assist in IS Risk Assessments. A useful method that is widely used is a scoring system that identifies and prioritises its IS audits based upon the prior evaluation of risk factors, considering technical complexity, extent of system and process change, and materiality in a weighted score. The risk values are then juxtaposed upon one another in order to prepare an annual IS Audit plan to present to an audit committee or the CEO. Once the IS plan is approved, reviews can then be scheduled accordingly. Other forms of IS risk assessment can be judgmental, or require an independent action based upon past directives and/or previous decisions made under the same business climate.
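One way to implement the weighted scoring method described above, as an added example that is not code from the article or its author: each auditable unit is rated on technical complexity, extent of change and materiality, the ratings are combined into a weighted score, units are classed high-risk or low-risk, and the ranked list becomes the annual audit plan. The weights, the 1-5 rating scale, the high-risk threshold and the sample units are assumptions made for illustration.

```python
"""Weighted risk scoring to prioritise an annual IS audit plan.

Added example, not code from Dan Ross's article. Weights, rating scale,
threshold and sample units are assumptions chosen for illustration.
"""
from dataclasses import dataclass

# Assumed relative weights of the three factors; they must sum to 1.0.
WEIGHTS = {"complexity": 0.3, "change": 0.3, "materiality": 0.4}
SCALE_MIN, SCALE_MAX = 1, 5   # assumed rating scale: 1 = low, 5 = high
HIGH_RISK_THRESHOLD = 0.6     # assumed cut-off on the normalised 0-1 score


@dataclass(frozen=True)
class AuditUnit:
    """One auditable unit with its three factor ratings."""
    name: str
    complexity: int
    change: int
    materiality: int


def _checked_rating(value: int, field: str) -> int:
    """Reject ratings outside the scale so a typo cannot skew the plan."""
    if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{field} must be an int in "
                         f"[{SCALE_MIN}, {SCALE_MAX}], got {value!r}")
    return value


def risk_score(unit: AuditUnit) -> float:
    """Weighted score normalised to the range 0.0 (lowest) to 1.0 (highest)."""
    total = 0.0
    for factor, weight in WEIGHTS.items():
        rating = _checked_rating(getattr(unit, factor), factor)
        total += weight * (rating - SCALE_MIN) / (SCALE_MAX - SCALE_MIN)
    return round(total, 3)


def classify(score: float) -> str:
    """Map a score onto the two categories the article names."""
    return "high-risk" if score >= HIGH_RISK_THRESHOLD else "low-risk"


def build_audit_plan(units: list, capacity: int) -> list:
    """Rank units by descending score (name breaks ties) and mark the
    top `capacity` of them as scheduled for review this year."""
    ranked = sorted(units, key=lambda u: (-risk_score(u), u.name))
    plan = []
    for rank, unit in enumerate(ranked, start=1):
        score = risk_score(unit)
        plan.append({"rank": rank, "unit": unit.name, "score": score,
                     "category": classify(score),
                     "scheduled": rank <= capacity})
    return plan


# Constructed sample ratings; names and values are illustrative only.
SAMPLE_UNITS = [
    AuditUnit("Payroll system", complexity=3, change=4, materiality=5),
    AuditUnit("Customer web portal", complexity=5, change=5, materiality=4),
    AuditUnit("Intranet wiki", complexity=2, change=1, materiality=1),
    AuditUnit("Backup service", complexity=3, change=2, materiality=4),
    AuditUnit("Payment gateway", complexity=4, change=2, materiality=5),
]

if __name__ == "__main__":
    # Assume the audit team has capacity to review three units this year.
    for row in build_audit_plan(SAMPLE_UNITS, capacity=3):
        flag = "SCHEDULED" if row["scheduled"] else "deferred"
        print(f'{row["rank"]}. {row["unit"]:<20} {row["score"]:.3f} '
              f'{row["category"]:<9} {flag}')
```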
Policies & Tactics
Risk Management Approach

Why does IT Security, or the general enterprise, need to understand risk management? Risk Management is an important fundamental element of security and can be seen as the dominant force in every corner of organizations.

Before setting up, why does IT Security, or the general enterprise, need to understand risk management? Risk Management is an important fundamental element of security and can be seen as the dominant force in every corner of organizations. We already have a number of materials which look into methods related to managing information risks. However, given that risk management is part of the overall security program and must work with other things, it is an important role that we have to explore, and we have to find the relationships that must exist as well as the new role of risk management in the security program.

Ask a few security guys to define risk and you'll get different kinds of answers. If you read any risk management based security book, you are likely to find the author has used the terms risk, threat, vulnerability and assets interchangeably. The problem is that executives are always thinking risk means threat, and continuous business development issues are based on new risks. The good thing is that some within our profession have recognized the need to focus on risk. The difficult part is that this is done without an understanding of what risk is, what its elements are, and the metrics and measurement of the process.

"The general who wins the battle makes many calculations in his temple before the battle is fought. The general who loses makes but few calculations beforehand."
– Sun Tzu, Art of War

Risk is a very large topic, and the different approaches and methods are already in use in security processes. Almost fifty or more risk assessment and management models, tools and applications are available in the industry today. Although that is not enough, the problem may be somewhere else. My point is that risk management is understanding in your mind and well-defined actions in your processes. According to me, risk management is interconnected with enterprise management aspects. The Risk Model identifies that every risk management model is based on a few basic principles and is not interested in what methods have been used before. Characterizing risk as a supportive feature, as opposed to being "the" program, may be difficult for some. In an effort to summarize this new role of risk and what it may mean to existing programs, consider the following points:
• It is exceedingly likely that what is being performed in the management of risk will not have to change: how risk is evaluated, managed, and monitored.
• Assessing risk as part of a risk management program is usually detailed, which utilizes ar
OWASP Top 10 Quiz

Special quiz from MyAppSecurity. Solve it and send us the answers at malgorzata.skora@software.com.pl to get a gift from MyAppSecurity.

1. Which threat can be prevented by having unique usernames generated with a high degree of entropy?
A. Authorization Bypass
B. Crypt-Analysis of Hash Values
C. Spamming

2. An attack technique that forces a user's session credential or session ID to an explicit value.
A. Session Hijacking
B. Session Fixation
C. Brute Force Attack
D. Dictionary Attack

3. For every link or form which invokes state-changing functions with an unpredictable token for each user, what attack can be prevented?
A. OS Commanding
B. Cross Site Request Forgery
C. Cross Site Tracing
D. Cross Site Scripting

4. Which attack can execute scripts in the user's browser and is capable of hijacking user sessions, defacing websites or redirecting the user to malicious sites?
A. SQL Injection
B. Malware Uploading
C. Man in the Middle
D. Cross Site Scripting

5. What threat are you vulnerable to if you do not validate authorization of user for direct references to restricted resources?
A. Cross-Site Scripting
B. SQL Injection
C. Cross-Site Request Forgery
D. Insecure Direct Object References

6. What happens when an application takes user inputted data and sends it to a web browser without proper validation and escaping?
A. Security Misconfiguration
B. Cross Site Scripting
C. Insecure Direct Object References
D. Broken Authentication and Session Management

7. What is the attack technique used to exploit web sites by altering backend database queries through inputting manipulated queries?
A. SQL Injection
B. Cross Site Request Forgery
C. OS Commanding
D. XML Injection

8. For an indirect reference, what happens if there's no list of limited values authorized for a user in the direct reference?
A. XML Injection
B. SQL Injection
C. Access to Sensitive Data Possible
D. Brute Forcing of Stored Encrypted Credentials

9. Attack that exploits the trust that a site has in a user's browser.
A. Cross Site Tracing
B. SQL Injection
C. Cross Site Scripting
D. Cross Site Request Forgery

10. For a connection that changes from HTTP to HTTPS, what flaw arises if you do not change the session identifier?
A. Cross Site Scripting
B. Session Replay
C. Cross Site Request Forgery
D. Session Hijacking

11. What threat arises from not flagging HTTP cookies with tokens as secure?
A. Access Control Violation
B. Session Hijacking
C. Session Replay
D. Insecure Cryptographic Storage

12. Role-Based Access Control helps prevent this OWASP Top 10 weakness.
A. Failure to Restrict URL Access
B. Insufficient Transport Layer Protection
C. Unvalidated Redirect or Forward
D. Security Misconfiguration

13. What is the type of flaw that occurs when untrusted user entered data is sent to the interpreter as part of a query or command?
A. Insufficient Transport Layer Protection
B. Cross Site Request Forgery
C. Insecure Direct Object References
D. Injection

14. What flaw can lead to exposure of resources or functionality to unintended actors?
A. Session Fixation
B. Improper Authentication
C. Insecure Cryptographic Storage
D. Unvalidated Redirects and Forwards

15. What flaw arises from session tokens having poor randomness across a range of values?
A. Session Hijacking
B. Session Fixation
C. Session Replay
D. Insecure Direct Object References
Policies & Tactics
Security By Obscurity: Do Not Spurn In An Era Of Automated Hacking

Camouflage... if so successfully used by nature, why is obfuscation scorned in information security? Take a look at Steganography, which can be called Data Camouflage. It is one of the most extreme cases of obfuscation that I have heard of in the digital realm.

If you work in the information security space, you have heard it before. It is the first thing you learn, and it is almost axiomatic: security via obscurity does not work. If you have not encountered this saying before, Wikipedia has an excellent definition of security through obscurity: "a principle in security engineering, which attempts to use secrecy of design or implementation to provide security." The Wikipedia entry goes on to note that the principle of security through obscurity has never been accepted, and that the United States National Institute of Standards and Technology (NIST) disavows its use. Indeed, one would be hard pressed to find someone who works in the security space who disagrees with the above observation. Security through obscurity is not a viable security strategy, especially in the long run. But is it a viable security tactic? The latter is a valid and pertinent question.

All too often, I come across security professionals who will ignore the use of anything that even remotely hints at "obscurity" (or its brothers: hiding, disguising, etc.) because in the long run it does not work to secure or protect anything. Theoretically, a successful attack could be carried out for no other reason than that someone managed to stumble across the obfuscation attempt. Furthermore, the argument goes, it is a waste of time and it breeds indolence. That last statement is a hard one to defend for proponents of transparency, though: how many delay or forget to apply patches? With attackers of all types trying to gain access to networks accessible via the internet, it pays to aim for security that does not rely on someone uncovering something, accidentally or otherwise, that causes a full-blown data breach. But, whenever I hear of this long-run requirement, I am frequently reminded of an economist's observation: "In the long run we are all dead." I am using John Maynard Keynes's quote out of context, but it still stands to reason that if one's guiding principle is the long run – and that only its outcome dictates one's current behavior – then one would be crazy to eat right, exercise, get medical checkups, etc. After all, no matter how much one fights against it, all hearts cease beating one day. There is no argument that it pays to pay attention and to aim for security that will work for the long run, if not in the long run. But if obscurity works in the short run, why not employ it for short term benefits or as an extra layer of protection?

Before moving on, I would like to point out that "obfuscation" was chosen to refer to all instances
Policies & Tactics
The Right way of Risk Assessment

The concept of "vagueness" is important to philosophers, and (perhaps) is relevant to the real world of security. Briefly, the idea of vague concepts [1] is that it's often difficult to determine a sharp dividing line between two states – at what point, for example, do we say that a person has "gone bald"?

When they lose 50% of their hair? 60%? And is there one single critical hair that's the one that makes them flip from "hirsute" to "bald"? This may seem like a philosophical quibble, but it's something we deal with rapidly and easily all the time in our day-to-day lives. It's not simply the difference between the glass being half full or empty, it's the difference between being "secure" and "insecure" and, ultimately, it comes down to our ability to confidently make assertions of knowledge about the state of our systems. We are asked: "is the network secure?" and are expected by management to give a yes/no answer. In effect we're being asked to boil down a hugely complex set of knowledge, belief, and unknowns into a very simple answer – an answer we're really never qualified to give.

How secure are we – unanswerable question, isn't it?
Our (and our managers') desire to have a clear answer to the question of "are we secure" has pushed security practitioners into perhaps trying too hard to quantify what may be unquantifiable. The field of risk management deals with trying to answer "how secure are we?" by extrapolating from estimates; something that can be useful, we suppose, but only if used with extreme caution.

Anyone who has ever studied the stock market ought to be familiar with the observation "past results do not predict future performance!" That's a casual recap of David Hume's analysis of the problem of induction: [2] it's easy to assess observations about things that have happened in the past, but it's very difficult if not outright impossible to guarantee a cause/effect relationship. Again, this is not merely an academic objection based on obscure philosophical arguments; rather it is a manifestation of one of the most interesting problems in the philosophy of science, dealing as it were with the foundation of the scientific method itself. We have to remind ourselves of it every time we hear of a site that had passed a PCI audit getting compromised. The premise of standards such as PCI is that adhering to them will have some definite, positive, but indeterminate effect over not adhering to them. The skeptic should ask, "if it's an indeterminate effect, why do it at all?" To which the proponent must answer that it's most likely greater than zero. Where we wish to be, with risk assessment, is to be able to assert with confidence that, for example, use of a certain technology reduces our likelihood of compromise by 10%, whereas another does by 5%, etc. Why can't we do that? Because risk as-
Page 50
http://pentestmag.com
Aud & Stand
Metrics & Measurement
Information Systems Metrics and Measurement
In order to “manage” our risks and the efficiency of our controls, we have to depend on some quantitative criteria. This is where metrics come in. We have to monitor our processes and measure them using our metrics. There is a famous saying: you cannot manage what you cannot measure. Remember the 4M: Management needs Monitoring, Measurement and Metrics.
Information Systems Security Management is all about risk management. “Risk” is generally defined as the possibility of a loss. That loss occurs on our “assets”. What can cause harm is a “threat”. We have to be aware of our assets, the possible threats to them and their consequences. If we find the situation (our risks) acceptable, we do nothing, and that is a perfectly valid risk management strategy. It’s called risk acceptance. If we find the situation (our risks) unbearable, then we have to reduce the risks to an acceptable level. So we put some countermeasures in place; those are our “controls”. Controls reduce our risks to an acceptable level. That was the short risk management primer. In order to “manage” our risks, and the effectiveness / efficiency of our controls, we have to depend on some quantitative criteria. This is where metrics come in. We have to monitor our processes and measure them using our metrics. There is a famous saying: you cannot manage what you cannot measure. Remember the 4M: Management needs Monitoring, Measurement and Metrics. We can use several metrics from several information security activities / domains. Some examples are stated below:
Metrics from auditing / compliance activities
The most widespread auditing / IT control framework is ISACA’s COBIT. Although COBIT 5 was released recently, the most widely used version is still 4.1. COBIT has many processes, and the metric used for COBIT is a process maturity model. Taken from Carnegie Mellon University’s Capability Maturity Model and the associated CMMI (CMM Integration) approach, this model uses a scale from 0 to 5 for a process’ maturity level. The levels are described below:
0 Non-Existent: The process isn’t present.
1 Initial: The process is not consistent. It may happen one way or another from time to time.
2 Repeatable: The process seems to repeat itself.
3 Defined: The processes are documented and distributed across the organization.
4 Managed: The processes are monitored and measured, and thus managed.
5 Optimized: Best practices are implemented.
Some processes of the COBIT 4.1 framework are related to general IT management, but some are directly related to IT security.
Page 54
http://pentestmag.com
Measuring the effectiveness of Information Security Risk Assessment
The cure for the headache is not to cut off the head. This proverb encapsulates the basic principle surrounding information security risk assessment. The objective of IS risk assessment is to provide management with timely and meaningful information that will enhance their ability to make pragmatic decisions regarding the protection of information assets.
A traditional proverb from the South West region of Nigeria, when roughly translated, goes: “The cure for the headache is not to cut off the head.” In other words, never expend effort or resources that are disproportionate to the scale of the problem you are trying to solve. This simple proverb encapsulates the basic principle surrounding information security (IS) risk assessment. The objective of IS risk assessment is to provide management with timely and meaningful information that will enhance their ability to make pragmatic decisions regarding the protection of information assets. This article suggests five ways by which organisations can measure the effectiveness of their IS risk assessment processes. Adopting a risk-based approach is considered acceptable practice when selecting, designing and implementing security controls to mitigate known vulnerabilities. This approach puts management in a position where they are able to prioritise their available (and often scarce) resources to address the exposures that present the greatest risk to the organisation. This would imply that organisations that follow a risk-based approach have implemented an information security management system (ISMS), one which includes processes for conducting security risk assessments and processes for performing a cost-benefit analysis of security controls based on an understanding of the risk of not implementing them. In many cases, the difference between effective and ineffective security control implementations is the extent to which the controls have been designed to address specific risks. The IS function should be set up as a business-enabling function, and therefore IS processes (including risk assessments) should be geared towards achieving this goal. Much has been written about IS risk assessments, including frameworks, methodologies, tools and techniques. However, like any other business process, impact can only be appreciated if there are clear and measurable indices which provide management with a view of its effectiveness. When measuring the effectiveness of IS risk assessments, it is common to use quantitative indices such as the ‘number of vulnerabilities identified on a given platform’ or the ‘number of outstanding remediation actions on a given system’. In my opinion, the true measure of the effectiveness of IS risk assessments is how much benefit the business derives from them. This article takes a different approach by deliberately de-emphasising the commonly used quantitative measures and considering more qualitative measures of the effectiveness of IS risk assessments.
Measuring the Imponderable: Auditing IT Risks
Many technologies today offer a “click one and catch all” solution. However, in our experience such technologies are simply just a good start. Technologies rely on a wide set of cases already collected and analysed but there is no technology that can “understand” your environment because it is unique and different from others.
OK! We have been through exploits, persistence and crime packs, but now we should wear our suits, neckties and blue suede laptop suitcases to go high level. We are talking about IT auditing this time. No place for nerdy talk. Measuring the risk in an ICT environment is quite a complex task. Blackhats, spies and reckless Internet users all constitute a risk, which is something that could affect our environments and change them forever. At the same time, we could also consider our unpatched web application, our out-of-date intrusion detection system or even our browsers a risk. All of these are potential risks. The difference between them is related to their impact on the specific environment, the simplicity of the attack and the capability to limit the impact. Measuring risk is a very complex task. The measurement is strongly related to the ability of the auditor (the tester) to consider every possible risk and to evaluate every possible consequence. If we are aware of a risk we can try to mitigate it or choose to accept it, but we cannot deny it. If we are unaware of a risk, because we have not considered it, we are vulnerable. Denying or ignoring the risk is the quickest way to be hacked to the root! The first problem is identifying the risk.
Many technologies today offer a “click one and catch all” solution. However, in our experience such technologies are simply just a good start. Technologies rely on a wide set of cases already collected and analysed, but there is no technology that can “understand” your environment, because it is unique and different from others. Risk identification aims to generate a list of ICT security risks to be managed, and next evaluates the appropriate approach to their treatment. Risk Management identifies at least five aspects to be considered when identifying risks:
• Strategic risk
• Operational risk (including those related to service delivery, technology, people)
• Financial risk
• Reputation risk
• Legal/regulatory/compliance risk.
Risk identification considers what is at risk along with the associated threats and vulnerabilities. Sometimes, while participating in ICT auditing, we have been able to spot vulnerabilities and risks in what appears to be normal user activity, such as downloading .pdf manuals from a site disguised as an original retailer’s website. Although, in reality, no one was checking the manuals against poten-
Security Risk Assessment
How to measure and be aware of the Risk Assessment element as part of Risk Management in the field of cyber security
Many organizations – both public and private – have nowadays implemented and developed their own security risk assessment template tool. The main goal of the template is first to analyse workflow, then to identify the assets, threat sources and vulnerabilities.
Risk assessment is a vital step in Risk Management, as it aims to determine the quantitative or qualitative value of risks related to an array of threats (i.e. attacks) at any given point in time. Many individuals, organizations, and those they interconnect with will have to be able to identify, prioritize and estimate risks. Additionally, we have to keep in mind that a security incident happens when there is a threat and at the same time a vulnerability, and a likelihood that the event will occur. In general, risk is when the chosen action or activity will lead to organizational loss. In addition, risk is the likelihood that something wrong and/or bad will happen and cause harm to the organizational information asset, or lead to the entire loss of the asset. In risk, vulnerability is a weakness that could be used to jeopardize or cause harm. Threat is anything (artificial or act of nature) that has the potential to cause harm to organizational information assets [3]. Moreover, the probability that a threat will use a vulnerability to cause damage creates a risk to organizations. When a threat does use a vulnerability to inflict damage, it has an impact. In the context of information security, the impact is a loss of availability, integrity and confidentiality. Similarly to information security, in cyber security the additional impacts are: non-repudiation, authentication, information systems importance and criticality from the standpoint of state Critical Information Infrastructure / Critical Infrastructure. Other possible losses can occur too, such as loss of income and loss of life, etc. It is very important to point out that it is not possible to identify all risks, nor is it possible to eliminate all risks. Therefore, the main goal of this article is to provide readers with background information about information technology related risks and an illustrated template tool for security risk assessment. Furthermore, it shows how to identify and evaluate the risk elements by delivering a solution with an expanded definition of risks and risk measurement techniques by probability, or even better, by the frequency of security incident occurrence.
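The risk primer given earlier (a threat exploiting a vulnerability against an asset; accept the risk or reduce it with controls; cost-benefit analysis of controls against the risk of not implementing them) and the suggestion above to measure risk by incident frequency rather than abstract probability can be put into a small working risk register. The following Python is an added example and is not code from the magazine or any of its authors; the annualised-loss model (incidents per year times loss per incident), the register entries, the risk appetite and the control cost and reduction figures are all constructed assumptions for illustration.

```python
"""Frequency-based risk register with accept/treat decisions and control
cost-benefit checks.  Added example; all figures below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    frequency_per_year: float  # observed (or estimated) incidents per year
    loss_per_incident: float   # loss per incident, in currency units

    def ale(self) -> float:
        """Annualised loss expectancy = frequency x loss per incident."""
        return self.frequency_per_year * self.loss_per_incident


@dataclass
class Control:
    name: str
    annual_cost: float
    frequency_reduction: float = 0.0  # fraction (0..1) by which incidents become rarer
    loss_reduction: float = 0.0       # fraction (0..1) by which each incident hurts less

    def residual_ale(self, risk: Risk) -> float:
        """ALE that remains after this control is applied."""
        return (risk.frequency_per_year * (1.0 - self.frequency_reduction)
                * risk.loss_per_incident * (1.0 - self.loss_reduction))

    def net_benefit(self, risk: Risk) -> float:
        """Positive when the ALE saved exceeds what the control costs per year."""
        return risk.ale() - self.residual_ale(risk) - self.annual_cost


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Highest annualised loss first: the order management should see them in."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def best_control(risk: Risk, candidates: List[Control]) -> Optional[Control]:
    """Control with the largest positive net benefit, or None when no candidate
    pays for itself (spending more than the risk costs is not treatment)."""
    paying = [c for c in candidates if c.net_benefit(risk) > 0]
    return max(paying, key=lambda c: c.net_benefit(risk), default=None)


def assess(risks: List[Risk], controls: Dict[str, List[Control]],
           appetite: float) -> Dict[str, Tuple[str, Optional[str], float]]:
    """Per asset: (decision, chosen control or None, residual ALE).
    Risks at or below the appetite are accepted; the rest are treated with the
    best-paying control, or flagged when no economic control exists."""
    result: Dict[str, Tuple[str, Optional[str], float]] = {}
    for r in prioritise(risks):
        if r.ale() <= appetite:
            result[r.asset] = ("accept", None, r.ale())
            continue
        ctrl = best_control(r, controls.get(r.asset, []))
        if ctrl is None:
            result[r.asset] = ("treat: no economic control", None, r.ale())
        else:
            result[r.asset] = ("treat", ctrl.name, ctrl.residual_ale(r))
    return result


# Constructed sample register (not real data).  Frequencies are illustrative
# incident counts per year rather than abstract probabilities.
REGISTER = [
    Risk("customer-db", "SQL injection", "unpatched web application", 0.5, 200_000.0),
    Risk("laptops", "device theft", "unencrypted disks", 2.0, 10_000.0),
    Risk("staff-wiki", "defacement", "weak passwords", 1.0, 1_500.0),
]

# Constructed candidate controls per asset, with assumed costs and reductions.
CONTROLS = {
    "customer-db": [
        Control("patch cycle + WAF", annual_cost=30_000.0, frequency_reduction=0.9),
        Control("annual pentest only", annual_cost=15_000.0, frequency_reduction=0.5),
    ],
    "laptops": [
        Control("full-disk encryption", annual_cost=4_000.0, loss_reduction=0.95),
        Control("cable locks", annual_cost=500.0, frequency_reduction=0.3),
    ],
    "staff-wiki": [
        Control("SSO migration", annual_cost=20_000.0, frequency_reduction=0.99),
    ],
}

RISK_APPETITE = 5_000.0  # largest ALE management is willing to carry untreated (assumed)


if __name__ == "__main__":
    for asset, (decision, ctrl, residual) in assess(REGISTER, CONTROLS, RISK_APPETITE).items():
        print(f"{asset:12} {decision:28} {ctrl or '-':22} residual ALE {residual:,.0f}")
```

With these figures the customer database is treated with the patching-plus-WAF control (it saves more ALE per currency unit spent than a pentest alone), the laptops get full-disk encryption, and the wiki defacement risk is accepted because it already sits inside the appetite; even if it did not, the only candidate control costs more than a decade of the loss it prevents, which is the register's way of saying that the cure should not be more expensive than the headache.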
Background
The first book on computer security appeared in the 1970s, and it was tailored for professionals and the general public. It also served as a public recognition of security as a problem and the value of the risk assessment process. Moreover, the introduction of networked systems had relatively limited impact on the risk profiles of most organisations, since unauthorised access to the network was physically and technically very difficult, and the growth in the numbers of people who entered
Extra
A web based face mask prediction system from only fingerprints
Most efforts in biometrics have recently been focused on how to improve the accuracy and processing time of the biometric systems, to design more intelligent systems, and to develop more effective and robust techniques and algorithms [1]-[2].
Although the number of these new techniques and algorithms increases, new techniques or approaches have always been desired. Obtaining faces from only fingerprints is a challenging as well as pioneering study. To the best of our knowledge, the relationships among fingerprints and face masks, including the inner face parts and face borders, have not been studied in the literature so far except by the authors. The authors have most recently introduced to the literature, for the first time, that there are close relationships among faces and fingerprints [3]. Generating the face borders; the face contours including face border and ears; the face models including eyebrows, eyes and mouth; the inner face parts including eyes, nose and mouth; the face parts including eyes, nose, mouth and ears; and the face models including eyes, nose, mouth, ears and face border from only fingerprints, without any need for face information, have been the studies that introduced these relationships. It is clear from these studies that an unknown biometric feature can be successfully obtained from a known biometric feature. The aim of the proposed study is to develop a web-based, automatic and intelligent face prediction system capable of providing a more complex and distinguished solution. Web-based experimental results and feedback have shown that the proposed system yields good performance and is capable of efficiently generating whole face masks for web applications. A new approach to generating face masks from fingerprints without having any information about faces is successfully achieved and introduced in this study. In addition, the relationship among fingerprints and faces (Fs&Fs) is also shown experimentally. This relationship among the face masks and the fingerprints can be mathematically represented as:
y = H(x)   (1)
where y is a vector indicating the feature set of the face mask and its parameters obtained from a person, x is a vector representing the feature set of the fingerprint acquired from the same person, and H(.) is a highly nonlinear system mapping x to y. In this study, H(.) is approximated by a model that predicts the relationship among Fs&Fs via artificial neural networks (ANNs). ANNs have been successfully applied in fingerprint recognition and face recognition applications. In this study, an ANN predicts the relationships among the x and y vectors. An ANN model has been implemented with the help of a 4-layered MLP structure trained with the scaled conjugate gradient al-