Embed Size (px)
Citation preview
1
Security Risk Analysis of Computer Networks: Techniques and Challenges
Anoop SinghalComputer Security DivisionNational Institute of Standards and Technology
Simon OuDept. of Computer and Information ScienceKansas State University
Outline
Basics of Network Security Risk Analysis Threats to Networks Common Vulnerability Scoring System
(CVSS) Attack Graphs, Bayesian Networks and
Tools for generating Attack Graphs Quantifying Security Risk using attack
graphs and CVSS Conclusions
Enterprise Network Security Management
Networks are getting large and complex Vulnerabilities in software are constantly
discovered Network Security Management is a
challenging task Even a small network can have numerous
attack paths
Trends for Published Vulnerabilities
Enterprise Network Security Management
Currently, security management is more of an art and not a science
System administrators operate by instinct and learned experience
There is no objective way of measuring the security risk in a network
“If I change this network configuration setting will my network become more or less secure?”
Challenges in Security Metrics Typical issues addressed in the literature
How can a database server be secured from intruders? How do I stop an ongoing intrusion?
Notice that they all have a qualitative nature Better questions to ask:
How secure is the database server in a given network configuration?
How much security does a new configuration provide? How can I plan on security investments so it provides a
certain amount of security? For this we need a system security modeling and
analysis tool
Challenges in Security Metrics
Metric for individual vulnerability exists Impact, exploitability, temporal,
environmental, etc. E.g., the Common Vulnerability Scoring System
(CVSS) v2 released on June 20, 20071
However, how to compose individual measures for the overall security of a network? Our work focuses on this issue
1. Common Vulnerability Scoring System (CVSS-SIG) v2, http://www.first.org/cvss/
Challenges in Security Metrics
Counting the number of vulnerabilities is not enough Vulnerabilities have different importance The scoring of a vulnerability is a challenge
Context of the Application Configuration of the Application
How to compose vulnerabilities for the overall security of a network system
What is an Attack Graph
A model for
How an attacker can combine vulnerabilities to stage an attack such as a data breach
Dependencies among vulnerabilities
Attack Graph Example
`
AttackerMachine 0
Firewall Router
sshd
DatabaseServer
Machine 2
FTPServer
Machine 1
Different Paths for the Attack
sshd_bof(0,1) → ftp_rhosts(1,2) → rsh(1,2) → local_bof(2)
ftp_rhosts(0,1) → rsh(0,1) → ftp_rhosts(1,2) → rsh(1,2) → local_bof(2)
ftp_rhosts(0,2) → rsh(0,2) → local_bof(2)
Attack Graph from machine 0 to DB Server
What is ?
Stands for Common Vulnerability Scoring SystemAn open framework for communicating characteristics and impacts of IT vulnerabilitiesConsists three metric groups: Base, Temporal, and Environmental
CVSS (Cont’d)
Base metric : constant over time and with user environments
Temporal metric : change over time but constant with user environment
Environmental metric : unique to user environment
CVSS (Cont’d)
CVSS metric groups
Each metric group has sub-matriciesEach metric group has a score associated with itScore is in the range 0 to 10
Access Vector
This metric measures how the vulnerability is exploited.
Local Adjacent Network Network
Access Complexity
This metric measures the complexity of the attack required to exploit the vulnerability
High: Specialized access conditions exist Medium: The access conditions are
somewhat specialized Low: Specialized access conditions do not
exist
Authentication
This metric measures the number of times an attacker must authenticate to a target to exploit a vulnerability
Multiple: The attacker needs to authenticate two or more times
Single: One instance of authentication is required
None: No authentication is required
Confidentiality Impact
This metric measures the impact onconfidentiality due to the exploit. None: No Impact Partial: There is a considerable
information disclosure Complete: There is total information
disclosure
Similar things for the Integrity Impact and Availability Impact
Base Score
Base Score = Function(Impact, Exploitability)
Impact = 10.41 * (1-(1-ConImp)*(1-IntImp)*(1-AvailImpact))
Exploitability = 20*AccessV*AccessComp*Authentication
Base Score Example CVE-2002-0392
Apache Chunked Encoding Memory Corruption
BASE METRIC EVALUATION SCOREAccess Vector [Network] (1.00)Access Complex. [Low] (0.71)Authentication [None] (0.704)Availability Impact[Complete] (0.66)Impact = 6.9Exploitability = 10.0BaseScore = (7.8)
Attack Graph with Probabilities Numbers are estimated
probabilities of occurrence for individual exploits, based on their relative difficulty.
The ftp_rhosts and rsh exploits take advantage of normal services in a clever way and do not require much attacker skill
A bit more skill is required for ftp_rhosts in crafting a .rhost file.
sshd_bof and local_bof are buffer-overflow attacks, which require more expertise.
8.0
8.0
9.01.0
9.0 9.0
1.0
8.0
Probabilities Propagated Through Attack Graph
When one exploit must follow another in a path, this means both are needed to eventually reach the goal, so their probabilities are multiplied: p(A and B) = p(A)p(B)
When a choice of paths is possible, either is sufficient for reaching the goal: p(A or B) = p(A) + p(B) – p(A)p(B).
60.08.0
8.0
72.09.0
1.0
54.09.0
72.09.0
087.01.0
8.0
Network Hardening
When we harden the network, this changes the attack graph, along with the way its probabilities are propagated.
Our options to block traffic from the Attacker: Make no change to the network (baseline) Block ftp traffic to prevent ftp_rhosts(0,1) and
ftp_rhosts(0,2) Block rsh traffic to prevent rsh(0,1) and
rsh(0,2) Block ssh traffic to prevent sshd_bof(0,1)
Comparison of Options We can make comparisons of relative
security among the options Make no change p=0.1 Blocking rsh traffic from Attacker leaves
a remaining 4-step attack path with total probability p = 0.1∙0.8∙0.9∙0.1 = 0.0072
Blocking ftp traffic, p=0.0072 But blocking ssh traffic leaves 2 attack
paths, with total probability p ≈ 0.0865, i.e., compromise is 10 times more likely as compared to blocking rsh or ftp.
Need for a Modeling Tool
For a large enterprise network that has hundreds of host machines and several services we need a modeling tool that can Generate the attack graph Use the attack graph for quantitative analysis
of the current configuration Help the network administrators to decide
what changes to make to improve security
System Architecture
NetworkConfiguration
HostConfiguration
Security Modeling
Tool
AttackGraphs
VulnerabilityDB
Conclusions
Based on attack graphs, we have proposed a model for security risk analysis of information systems Composing individual scores to more
meaningful cumulative metric for overall system security
The metric meets intuitive requirements The metric can be used for making
recommendations to improve network security
