Security Risk Analysis of Computer Networks: Techniques and Challenges

Security Risk Analysis of Computer Networks: Techniques and Challenges Anoop Singhal Computer Security Division National Institute of Standards and Technology Simon Ou Dept. of Computer and Information Science Kansas State University

Outline • Basics of Network Security Risk Analysis • Threats to Networks • Common Vulnerability Scoring System (CVSS) • Attack Graphs, Bayesian Networks and Tools for generating Attack Graphs • Quantifying Security Risk using attack graphs and CVSS • Conclusions

Enterprise Network Security Management • Networks are getting large and complex • Vulnerabilities in software are constantly discovered • Network Security Management is a challenging task • Even a small network can have numerous attack paths

Trends for Published Vulnerabilities

Enterprise Network Security Management • Currently, security management is more of an art and not a science • System administrators operate by instinct and learned experience • There is no objective way of measuring the security risk in a network • “If I change this network configuration setting will my network become more or less secure?”

Challenges in Security Metrics • Typical issues addressed in the literature • How can a database server be secured from intruders? • How do I stop an ongoing intrusion? • Notice that they all have a qualitative nature • Better questions to ask: • How secure is the database server in a given network configuration? • How much security does a new configuration provide? • How can I plan on security investments so it provides a certain amount of security? • For this we need a system security modeling and analysis tool

Challenges in Security Metrics • Metric for individual vulnerability exists • Impact, exploitability, temporal, environmental, etc. • E.g., the Common Vulnerability Scoring System (CVSS) v2 released on June 20, 20071 • However, how to compose individual measures for the overall security of a network? • Our work focuses on this issue 1. Common Vulnerability Scoring System (CVSS-SIG) v2, http://www.first.org/cvss/

Challenges in Security Metrics • Counting the number of vulnerabilities is not enough • Vulnerabilities have different importance • The scoring of a vulnerability is a challenge • Context of the Application • Configuration of the Application • How to compose vulnerabilities for the overall security of a network system

What is an Attack Graph • A model for • How an attacker can combine vulnerabilities to stage an attack such as a data breach • Dependencies among vulnerabilities

Attack Graph Example

Different Paths for the Attack • sshd_bof(0,1) → ftp_rhosts(1,2) → rsh(1,2) → local_bof(2) • ftp_rhosts(0,1) → rsh(0,1) → ftp_rhosts(1,2) → rsh(1,2) → local_bof(2) • ftp_rhosts(0,2) → rsh(0,2) → local_bof(2)

Attack Graph from machine 0 to DB Server

What is ? Stands for Common Vulnerability Scoring System An open framework for communicating characteristics and impacts of IT vulnerabilities Consists three metric groups: Base, Temporal, and Environmental

CVSS (Cont’d) Base metric : constant over time and with user environments Temporal metric : change over time but constant with user environment Environmental metric: unique to user environment

CVSS (Cont’d) • CVSS metric groups • Each metric group has sub-matricies • Each metric group has a score associated with it • Score is in the range 0 to 10

Access Vector This metric measures how the vulnerability is exploited. • Local • Adjacent Network • Network

Access Complexity This metric measures the complexity of the attack required to exploit the vulnerability • High: Specialized access conditions exist • Medium: The access conditions are somewhat specialized • Low: Specialized access conditions do not exist

Authentication This metric measures the number of times an attacker must authenticate to a target to exploit a vulnerability • Multiple: The attacker needs to authenticate two or more times • Single: One instance of authentication is required • None: No authentication is required

Confidentiality Impact This metric measures the impact on confidentiality due to the exploit. • None: No Impact • Partial: There is a considerable information disclosure • Complete: There is total information disclosure • Similar things for the Integrity Impact and Availability Impact

Base Score Base Score = Function(Impact, Exploitability) Impact = 10.41 * (1-(1-ConImp)*(1-IntImp)*(1-AvailImpact)) Exploitability = 20*AccessV*AccessComp*Authentication

Base Score Example CVE-2002-0392 • Apache Chunked Encoding Memory Corruption BASE METRIC EVALUATION SCORE Access Vector [Network] (1.00) Access Complex. [Low] (0.71) Authentication [None] (0.704) Availability Impact[Complete] (0.66) Impact = 6.9 Exploitability = 10.0 BaseScore = (7.8)

Numbers are estimated probabilities of occurrence for individual exploits, based on their relative difficulty. The ftp_rhosts and rsh exploits take advantage of normal services in a clever way and do not require much attacker skill A bit more skill is required for ftp_rhosts in crafting a .rhost file. sshd_bof and local_bof are buffer-overflow attacks, which require more expertise. Attack Graph with Probabilities

When one exploit must follow another in a path, this means both are needed to eventually reach the goal, so their probabilities are multiplied: p(A and B) = p(A)p(B) When a choice of paths is possible, either is sufficient for reaching the goal: p(A or B) = p(A) + p(B) –p(A)p(B). Probabilities Propagated Through Attack Graph

Network Hardening • When we harden the network, this changes the attack graph, along with the way its probabilities are propagated. • Our options to block traffic from the Attacker: • Make no change to the network (baseline) • Block ftp traffic to prevent ftp_rhosts(0,1) and ftp_rhosts(0,2) • Block rsh traffic to prevent rsh(0,1) and rsh(0,2) • Block ssh traffic to prevent sshd_bof(0,1)

Comparison of Options • We can make comparisons of relative security among the options • Make no change p=0.1 • Blocking rsh traffic from Attacker leaves a remaining 4-step attack path with total probability p = 0.1∙0.8∙0.9∙0.1 = 0.0072 • Blocking ftp traffic, p=0.0072 • But blocking ssh traffic leaves 2 attack paths, with total probability p ≈ 0.0865, i.e., compromise is 10 times more likely as compared to blocking rsh or ftp.

Need for a Modeling Tool • For a large enterprise network that has hundreds of host machines and several services we need a modeling tool that can • Generate the attack graph • Use the attack graph for quantitative analysis of the current configuration • Help the network administrators to decide what changes to make to improve security

Network Vulnerability Host Configuration DB Configuration Security Modeling Tool Attack Graphs System Architecture

Conclusions • Based on attack graphs, we have proposed a model for security risk analysis of information systems • Composing individual scores to more meaningful cumulative metric for overall system security • The metric meets intuitive requirements • The metric can be used for making recommendations to improve network security

Security Risk Analysis of Computer Networks: Techniques and Challenges

Security Risk Analysis of Computer Networks: Techniques and Challenges

Presentation Transcript

Security in Computer Networks

Chapter 5

Network+ Guide to Networks 5 th Edition

An Overview of E-Voting Security Challenges

Peer-Assisted Content Distribution Networks: Techniques and Challenges

Country Risk Analysis – Sovereign Risk Analysis

Computer Network Security

Chapter 8 Security Issues and Strategies

Wireless Sensor Networks Security

Advance in Intrusion Detection Techniques

Security Issues in Mobile Ad hoc Networks

Advanced Networks and Computer Security

ECE 454 / CS 594 Computer and Network Security

Computer Networks

Risk Assessment

Computer Security

Wireless Sensor Networks Security

Computer Security

Security Audit

Computer Networks An Open Source Approach

Computer Security

15-441 Computer Networks