What are the three pillars of software security?
Applied Risk Management
Software Security Touchpoints
Knowledge
What is the fundamental equation for risk in software security?
Risk = Probability × Impact
What does Applied Risk Management address in software security?
• How much effort to invest in security
• Consequences of security breaches
• Acceptable level of security
• Tracking and mitigating risk throughout the full SDLC
What are software security touchpoints?
System-wide activities from design to testing and feedback that include:
• Code review
• Architectural risk analysis
• Penetration testing
• Risk-based security testing
• Abuse cases
• Security requirements
• Security operations
What are the three categories of security knowledge?
• Prescriptive knowledge: principles, guidelines, and rules
• Diagnostic knowledge: vulnerabilities, exploits, attack patterns
• Historical knowledge: historical risks
What is the key question for the "Understand Business Context" stage?
"Who cares?"
What business goals should be identified in understanding business context?
• Increasing revenue
• Meeting service-level agreements
• Reducing development cost
• Generating a high return on investment
What is the key question for the "Identify Business and Technical Risks" stage?
"Why should business care?"
What are the consequences of business risks?
• Financial loss
• Loss of reputation
• Violation of customer or regulatory constraints
• Liability
What are the consequences of technical risks?
• Unexpected system calls
• Avoidance of control (audit)
• Unauthorized data access
• Needless rework of artifacts
What is the key question for the "Synthesize and Rank Risks" stage?
"What should be done first?"
What risk metrics are used to rank risks?
• Likelihood
• Impact
• Severity
• Number of emerging risks
What is the key question for the "Define Risk Mitigation Strategy" stage?
"How to mitigate risks?"
What constrains risk mitigation strategies?
What the organization can afford, integrate, and understand
What does the "Carry Out Fixes and Validate" stage measure?
• Progress against risk
• Remaining risks
• Assurance of mechanisms
• Effectiveness of risk mitigation activities
What does cascading damage mean in cyber attacks?
Services may rely on the attacked service, causing damage to escalate and spread beyond the initial target
What was the average ransom payment in Q4 2019?
$84
What percentage of companies that paid ransom received working decryption tools?
98 percent
What was the average ransomware downtime in Q4 2019?
16.2 days
What are the three main ransomware defense strategies?
• Back up data regularly
• Be wary of suspicious emails and links
• Apply security patches promptly
What does TCSEC stand for?
Trusted Computer System Evaluation Criteria (also known as Orange Book)
When was TCSEC established and by whom?
1985 by the National Computer Security Center (NCSC) within NSA
What are the three main categories of Orange Book criteria?
• Security policy – protection level offered by the system
• Accountability – of users and user operations
• Assurance – of the reliability of the system
What is a Trusted Computing Base (TCB)?
The security components of the system, including hardware, software, and firmware, plus the reference monitor
List the Orange Book security levels from lowest to highest security.
• D: Minimal Protection
• C1: Discretionary Security Protection
• C2: Controlled Access Protection
• B1: Labeled Security Protections
• B2: Structured Protection
• B3: Security Domains
• A1: Verified Protection
When was Common Criteria established?
January 1996
What is a key improvement of Common Criteria over Orange Book?
Separates functionality from assurance
How many classes of functionality does Common Criteria have?
Nine classes including audit, communications, user data protection, identification and authentication, privacy, protection of trusted functions, resource utilization, establishing user sessions, and trusted path
How many classes of assurance does Common Criteria have?
Seven classes including configuration management, delivery and operation, development, guidance documents, life cycle support, tests, and vulnerability assessment
List Common Criteria EAL levels from lowest to highest.
• EAL1: functionally tested
• EAL2: structurally tested
• EAL3: methodologically tested and checked
• EAL4: methodologically designed, tested, and reviewed
• EAL5: semi-formally designed and tested
• EAL6: semi-formally verified and tested
• EAL7: formally verified design and tested
What are the main challenges in quantitative security measurement?
• What security metrics are meaningful and useful
• How to collect security metrics
• How to compose enterprise-level security metrics
• How to present security metrics clearly
What is patch risk?
The risk associated with applying patches to fix vulnerabilities, including potential system malfunction, patches containing vulnerabilities, and provider trustworthiness
What factors determine patch risk?
• Trustworthiness of patch provider
• How long the patch has been released and verified
What are the three types of security scores?
• Security score for individual vulnerability (CVSS score)
• Security score for one computer with multiple vulnerabilities
• Security score for a network with multiple computers
What factors determine criticality of a computer?
• Location (intranet, DMZ, internet)
• Service (HTTP, FTP, SSH)
• Role (Firewall, Desktop, Router)
• Asset (database, financial files)
What is the purpose of time series in security metrics?
To show changes of security over a period and determine if security is improving or falling below thresholds
What factors can trigger security changes over time?
• Vulnerability changes (CVSS Temporal Metrics)
• Network configuration changes
• Security training effectiveness
• Financial problems
What does NVD stand for?
National Vulnerability Database
What does CVSS stand for?
Common Vulnerability Scoring System
What are the three CVSS metric groups?
• Base Metric Group
• Temporal Metric Group
• Environmental Metric Group
What components make up network reachability analysis?
• Network topology
• Router configuration
• Firewall rules
In the AHP security score composition example, what is the weight distribution?
• Exploitability: 0.4 (40%)
• Impact: 0.6 (60%)
How is exploitability weight divided in the AHP example?
• Access Vector: 0.13333
• Access Complexity: 0.13333
• Authentication: 0.13333
How is impact weight divided in the AHP example?
• Confidentiality: 0.2
• Integrity: 0.2
• Availability: 0.2
What is a major limitation of current security metric systems?
The assumption that vulnerabilities are independent of each other, which may not hold in the real world
What problem exists with simple statistical aggregation of security scores?
Summary/Average/Max/Min of scores on computers are not good enough to represent network security
What information should be combined for better network security measurement?
Vulnerability dependent information and network reachability information
What challenge exists with correlated vulnerabilities?
How to obtain correlation information and how to incorporate it into security score calculations
What is the relationship between vulnerability Va and Vb in complex scenarios?
If vulnerability Va on computer A is a prerequisite for vulnerability Vb on computer B, the scoring method needs to account for this dependency