21.2 FORMAL RISK ANALYSIS

In the past, several frameworks, models, methods, and methodologies to formally perform risk analyses have been developed and proposed [2, 3]. For example, the British Central Computer and Telecommunications Agency (CCTA) came up with a methodology called CCTA Risk Analysis and Management Methodology (CRAMM) and a tool of the same name. The tool is being marketed by Logica [2]. Similarly, a methodology called MARION (an acronym derived from the French term méthodologie d'analyse des risques informatiques et d'optimisation par niveau) was developed by the French Club de la Sécurité Informatique Français (CLUSIF) [3].

Unfortunately, the performance of a formal risk analysis has turned out to be difficult in practice. There are mainly two reasons:

  1. A formal risk analysis process requires the establishment of an inventory of all assets (e.g., to decide whether they are valuable). Unfortunately, this is a very difficult and labor-intensive task. To make things worse, the inventory is a moving target that changes constantly and must be updated periodically.

  2. A formal risk analysis always requires the quantification of loss exposures based on estimated frequencies and costs of occurrence. Both values, the estimated frequency and the cost of occurrence, are hard to quantify. How do you, for example, quantify the estimated frequency of a system being hacked? Does this value depend on the operating system in use? Does it depend on the actual configuration? Does it depend on whether software patches are installed or not? Similarly, how do you quantify the costs of occurrence? Note that no system or network resource need be damaged during a system hack; nevertheless, the loss of reputation and customer confidence may still be large and worrisome. It turns out that probability theory is an inappropriate approach to quantifying loss exposures in the IT world. Unfortunately, we do not have an alternative approach so far.

Because of these difficulties, it is common today to perform only qualitative risk analyses. A qualitative risk analysis, in turn, differs from a (quantitative or formal) risk analysis in the quantification step. In fact, a qualitative risk analysis only addresses risks that exist (independent of potential loss exposures). For example, if a Web site is connected to the Internet, a qualitative risk analysis would only identify the risk of being hacked (possibly rating the risk as low, medium, or high), whereas a (quantitative or formal) risk analysis would additionally try to quantify the estimated frequency and the costs of occurrence to eventually compute a quantitative value for the risk under consideration. In either case, a risk analysis must start with an analysis of vulnerabilities and threats.
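The following added example (not from the book) puts the two approaches side by side on one constructed threat list: the quantitative step multiplies estimated frequency by estimated cost, and the qualitative step only bins likelihood and impact into low/medium/high. The threats, estimate intervals and rating bands are all assumptions chosen for illustration.

```python
"""Quantitative vs. qualitative risk analysis of one constructed threat list.

Added example, not from the book. Frequencies and costs are invented
illustrative estimates, given as (low, high) intervals because, as the text
notes, defensible point values are hard to come by."""
import math

# Constructed register: (threat, events per year (lo, hi), cost per event (lo, hi))
THREATS = [
    ("web server hacked", (0.2, 2.0), (20_000, 500_000)),
    ("disk failure without backup", (0.05, 0.5), (5_000, 50_000)),
    ("phishing of one user", (1.0, 10.0), (500, 20_000)),
]


def loss_exposure(freq, cost):
    """Quantitative step: annual loss exposure = frequency x cost, as an interval."""
    return (freq[0] * cost[0], freq[1] * cost[1])


def quantitative_analysis(threats=THREATS):
    """Return {threat: (optimistic, pessimistic) annual loss in currency units}."""
    return {name: loss_exposure(f, c) for name, f, c in threats}


def uncertainty_ratio(threats=THREATS):
    """Spread between pessimistic and optimistic estimate; large values mean the
    'quantitative' figure rests on guesswork."""
    return {name: hi / lo for name, (lo, hi) in quantitative_analysis(threats).items()}


def qualitative_rating(freq, cost):
    """Qualitative step: bin rough likelihood and impact and combine them into
    low/medium/high without computing a monetary value (bands are assumptions)."""
    f_mid = math.sqrt(freq[0] * freq[1])      # geometric midpoint of the interval
    c_mid = math.sqrt(cost[0] * cost[1])
    likelihood = 1 if f_mid < 0.1 else 2 if f_mid < 1 else 3
    impact = 1 if c_mid < 10_000 else 2 if c_mid < 100_000 else 3
    score = likelihood * impact               # 1..9
    return "low" if score <= 2 else "medium" if score <= 4 else "high"


def qualitative_analysis(threats=THREATS):
    return {name: qualitative_rating(f, c) for name, f, c in threats}


if __name__ == "__main__":
    for name, (lo, hi) in quantitative_analysis().items():
        print(f"{name:30s} {lo:>10,.0f} .. {hi:>10,.0f}  ({qualitative_analysis()[name]})")
```

The pessimistic quantitative figures exceed the optimistic ones by factors of 100 to 400 here, which is why the qualitative rating is often the only result that can be defended.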

In many companies and organizations it is not even possible to perform a qualitative risk analysis, and some simpler risk management approaches and technologies must be used instead. Some alternative approaches and technologies are addressed next.

[2] http://www.logica.com

[3] http://www.clusif.asso.fr/



21.3 ALTERNATIVE APPROACHES AND TECHNOLOGIES

Given the difficulties of performing formal risk analyses, IT security professionals are looking into alternative approaches and technologies to manage the relevant risks. The two most promising approaches and technologies are security scanning to perform vulnerability analyses, and intrusion detection to identify and respond to potentially malicious activities. One major difference between security scanning and intrusion detection lies in their temporal use: a security scanner runs only at the time it is started (i.e., it is rarely run all of the time), whereas intrusion detection tools and products are designed to run in real time and to constantly monitor systems and networks for possible attacks [4]. Security scanning and intrusion detection are surveyed and briefly discussed next.

21.3.1 Security Scanning

The term security scanning refers to the process of performing vulnerability analyses, whereas the term security scanner refers to a tool that can be used to automatically perform such analyses. In essence, a security scanner holds a database that includes known vulnerabilities of operating systems and corresponding configurations. Each system can be compared against this database to detect and identify the vulnerabilities that are relevant.

Security scanning tools and security scanners can be partitioned into host-based scanners and network-based scanners:

  • A host-based scanner runs on a system and looks into the configuration of the system from the inside. For example, a host-based scanner can check whether files that contain user authentication information (e.g., user passwords) can be read by nonprivileged processes.

  • Contrary to that, a network-based scanner runs on one system and looks into the configurations of other systems from the outside. For example, a network-based scanner can check which systems are reachable and which services are running on the ports of these systems.

Ideally, a scanner is both host-based and network-based, meaning that it can investigate and take into account information that is available on either side. As of this writing, many security scanners are commercially or freely available on the Internet. The most widely used and deployed security scanners on the Internet are developed and marketed by Internet Security Systems, Inc. [4]. In addition, many security scanners are publicly and freely available on the Internet; for example, the Nessus security scanner was developed in an open source project of the same name [5].
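The host-based check mentioned above, as an added example (not from the book or any scanner product): it inspects the permissions and ownership of files that hold authentication information from inside the system. The file list and the policy (owner root, no read or write access for "other", no group write) are assumptions.

```python
"""Host-based scanner check from the text: can files that hold user authentication
information be read by nonprivileged processes?
Added example, not from the book or any scanner; file list and policy are assumptions."""
import os
import stat

# Assumed policy: these files must be owned by root and carry no read/write bit for "other".
AUTH_FILES = ["/etc/shadow", "/etc/gshadow", "/etc/security/opasswd"]


def check_auth_file(path, mode, uid, expected_uid=0):
    """Pure check on stat() results (st_mode, st_uid); returns findings, empty = OK."""
    perm = stat.S_IMODE(mode)
    findings = []
    if uid != expected_uid:
        findings.append(f"{path}: owned by uid {uid}, expected {expected_uid}")
    if perm & stat.S_IROTH:
        findings.append(f"{path}: world-readable (mode {perm:04o})")
    if perm & stat.S_IWOTH:
        findings.append(f"{path}: world-writable (mode {perm:04o})")
    if perm & stat.S_IWGRP:
        findings.append(f"{path}: group-writable (mode {perm:04o})")
    return findings


def scan_host(paths=AUTH_FILES):
    """Host-based scan: stat each file from the inside and collect findings per path."""
    report = {}
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            report[path] = ["not present (skipped)"]
            continue
        except PermissionError:
            report[path] = ["stat() denied; run the scan as root for a complete result"]
            continue
        report[path] = check_auth_file(path, st.st_mode, st.st_uid)
    return report


if __name__ == "__main__":
    for path, findings in scan_host().items():
        print(path, "OK" if not findings else "; ".join(findings))
```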

21.3.2 Intrusion Detection

According to [5], an intrusion refers to "a sequence of related actions by a malicious adversary that results in the occurrence of unauthorized security threats to a target computing or networking domain," and the term intrusion detection refers to the process of identifying and responding to intrusions.

There are many tools that can be used to automate intrusion detection. These tools are commonly referred to as intrusion detection systems (IDSs). Although the research community has been actively designing, developing, and testing IDSs for more than a decade, corresponding products have only recently received wider market interest. Furthermore, the IETF has chartered an Intrusion Detection Exchange Format Working Group (IDWG) "to define data formats and exchange procedures for sharing information of interest to intrusion detection and response systems, and to management systems which may need to interact with them." Refer to the IDWG's home page [6] for more information about the relevant Internet-Drafts and RFC documents.

There are basically two technologies that can be used to implement an IDS: attack signature recognition and anomaly detection.

  • Using attack signature recognition, an IDS uses a database with known attack patterns (or attack signatures) and an engine that uses this database to detect and recognize attacks. The database can either be local or remote. In either case, the quality of the IDS is only as good as the database and its attack patterns, together with the engine that makes use of this database. The situation is comparable to that of antivirus software (i.e., the database must be updated on a regular basis).

  • Using anomaly detection, an IDS uses a database with a formal representation of "normal" (or "normal-looking") user activities and an engine that makes use of this database to detect and recognize attacks. For example, if a user almost always starts up his or her e-mail user agent after having successfully logged onto a system, the IDS's engine may get suspicious if he or she starts a Telnet session to a trusted host first. The reason for this activity may be an attacker misusing the account to gain illegitimate access to a remote system. Again, the database can either be local or remote, and the quality of the IDS is only as good as the database and its statistical material.

As with security scanners, it is possible to combine both technologies in an IDS. More information about intrusion detection technologies and the commercially available IDSs that employ them can be found in [5-9].
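To make the two technologies and their combination concrete, here is an added example (not from the book or any product) of a toy IDS engine run over a constructed audit log: the signature engine matches a known attack pattern and a repeated-failure threshold, and the anomaly engine implements the text's "e-mail after login" profile, flagging the user who starts a Telnet session first. The log format, the signature list and the profile are all assumptions.

```python
"""Toy IDS combining attack signature recognition and anomaly detection.
Added example (not from the book or any product); log, signatures and profile are constructed."""
import re
from collections import defaultdict
# Constructed audit log, one event per line: "<time> <user> <action> <detail>"
LOG = """\
09:00 alice login console
09:01 alice mail start
09:30 bob login console
09:31 bob telnet trusted-host
09:40 anon http GET /cgi-bin/../../etc/passwd
09:41 anon login-fail admin
09:42 anon login-fail admin
09:43 anon login-fail admin
"""
# Signature database: known attack patterns; like antivirus, it must be kept updated.
SIGNATURES = [("path traversal in URL", re.compile(r"\.\./"))]
FAILED_LOGIN_THRESHOLD = 3    # repeated failures against one account
NORMAL_FIRST_ACTION = {"alice": "mail", "bob": "mail"}   # profile: usual action right after login

def parse(log):
    return [line.split(" ", 3) for line in log.splitlines() if line.strip()]

def signature_alerts(events, signatures=SIGNATURES):
    """Match each event against the signature database plus a threshold rule."""
    alerts, failures = [], defaultdict(int)
    for t, user, action, detail in events:
        for name, pattern in signatures:
            if pattern.search(detail):
                alerts.append((t, user, f"signature: {name}"))
        if action == "login-fail":
            failures[detail] += 1
            if failures[detail] == FAILED_LOGIN_THRESHOLD:
                alerts.append((t, user, f"signature: {FAILED_LOGIN_THRESHOLD} failed logins for {detail}"))
    return alerts

def anomaly_alerts(events, profile=NORMAL_FIRST_ACTION):
    """Flag a user whose first action after login deviates from the learned profile."""
    alerts, awaiting = [], {}       # awaiting: users who just logged in
    for t, user, action, detail in events:
        if action == "login":
            awaiting[user] = True
        elif awaiting.pop(user, False) and profile.get(user) not in (None, action):
            alerts.append((t, user, f"anomaly: first action {action!r}, expected {profile[user]!r}"))
    return alerts

def detect(log):   # combined IDS: both engines over the same events
    events = parse(log)
    return sorted(signature_alerts(events) + anomaly_alerts(events))
```

Running `detect(LOG)` yields one anomaly alert for bob and two signature alerts for the anonymous client; alice, who reads mail after logging in, matches her profile and produces nothing.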

[4] http://www.iss.net/

[5] http://www.nessus.org/

[6] http://www.ietf.org/html.charters/idwg-charter.html
