E-book, English, 752 pages
Syngress Managing Cisco Network Security
2nd edition, 2002
ISBN: 978-0-08-047905-7
Publisher: Elsevier Science & Techn.
Format: EPUB
Copy protection: 6 - ePub Watermark
An in-depth knowledge of how to configure Cisco IP network security is a MUST for anyone working in today's internetworked world.
"There's no question that attacks on enterprise networks are increasing in frequency and sophistication..." - Mike Fuhrman, Cisco Systems Manager, Security Consulting
Managing Cisco Network Security, Second Edition offers updated and revised information covering many of Cisco's security products that provide protection from threats, detection of network security incidents, measurement of vulnerability and policy compliance, and management of security policy across an extended organization. These are the tools that network administrators have to mount defenses against threats. Chapters also cover the improved functionality and ease of use of the Cisco Secure Policy Manager software used by thousands of small-to-midsized businesses, and a special section covers the Cisco Aironet Wireless Security Solutions.
Security from a real-world perspective
Key coverage of the new technologies offered by Cisco, including the 500 series of Cisco PIX Firewalls, the Cisco Intrusion Detection System, and the Cisco Secure Scanner
Revised edition of a text popular with CCIP (Cisco Certified Internetwork Professional) students
Expanded to include separate chapters on each of the security products offered by Cisco Systems
Contents:
Cover, p. 1
Table of Contents, p. 12
Foreword, p. 32
Introduction to IP Network Security, p. 34
What Are We Trying to Prevent?, p. 94
Cisco PIX Firewall, p. 130
Traffic Filtering in the Cisco Internetwork Operating System, p. 196
Network Address Translation/Port Address Translation, p. 266
Cryptography, p. 306
Cisco LocalDirector and DistributedDirector, p. 346
Virtual Private Networks and Remote Access, p. 368
Cisco Authentication, Authorization, and Accounting Mechanisms, p. 412
Cisco Content Services Switch, p. 488
Cisco Secure Scanner, p. 512
Cisco Secure Policy Manager, p. 546
Intrusion Detection, p. 574
Network Security Management, p. 626
Looking Ahead: Cisco Wireless Security, p. 682
Index, p. 754
Related Titles, p. 785
Chapter 2: What Are We Trying to Prevent?

Solutions in this chapter:
- What Threats Face Your Network?
- Malicious Mobile Code
- Denial of Service
- Detecting Breaches
- Preventing Attacks
- Summary
- Solutions Fast Track
- Frequently Asked Questions

Introduction
An attentive network administrator is always looking for the right strategy for information services security. You need to understand the risks you are facing, and assign resources to reduce and manage those risks. To do this correctly, one needs a quantitative security risk assessment. You write down all the potential adverse events, estimate the loss from each such event, and calculate the probability of each event occurring. Multiplying each event's loss by its probability and then adding up the results gives a value known as the “Annual Loss Expectation” or “Expected Annual Costs.”

For information security, this is a difficult problem on several levels. Writing down every potential adverse event is a complex and time-consuming task. Estimating the loss from such events is no trivial feat either. For risks like fire or earthquake, we at least have data collected over a long period of time. Risks due to information security events, on the other hand, are highly variable, and change over time as new tools emerge and new malicious code is distributed. Insurance companies are busy developing data for new information security insurance, but that data remains regrettably limited.

On the upside, undertakings of this sort produce hard numbers, the kind a CEO can appreciate. It’s a type of exercise that can be helpful when considering strategies or identifying where security resources should be deployed. Even a simple first-pass approach (identify the crucial assets, think about what can go wrong for those assets, figure out some likely scenarios and assign likelihoods) can help with the decision-making process. Quantitative risk analysis is a path that many enterprises do follow, particularly in high-risk environments such as financial institutions, or highly regulated environments such as health care. Given the drawbacks, an alternative qualitative security business risk assessment is often more cost effective.
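As an added illustration (this is not code from the book), the following Python computes the Annual Loss Expectation for a small constructed risk register exactly as described above, and also ranks the same events with the four-level severity and probability scales the chapter defines in Tables 2.1 and 2.2 so that high-probability, high-impact items surface first. The RiskEvent fields, the additive scoring in risk_mitigation_factor, and every figure in SAMPLE_REGISTER are assumptions made for this example.

```python
"""Risk register helpers: quantitative ALE plus a qualitative severity/probability rank.

Added illustration, not from the book. All event names, loss figures and
probabilities below are constructed sample values.
"""
from dataclasses import dataclass

# Four-level scales from the chapter's Tables 2.1 and 2.2, ordered from most
# to least serious, so index 0 is the highest rank.
SEVERITY = ("Critical", "Severe", "Moderate", "Low")
PROBABILITY = ("Frequent", "Probable", "Occasional", "Possible")


@dataclass(frozen=True)
class RiskEvent:
    name: str
    annual_probability: float   # estimated chance the event occurs within a year
    loss_per_event: float       # estimated cost of one occurrence, in dollars
    severity: str               # one of SEVERITY (assumed field)
    probability: str            # one of PROBABILITY (assumed field)

    def __post_init__(self):
        # Reject register entries that cannot be scored.
        if not 0.0 <= self.annual_probability <= 1.0:
            raise ValueError(f"{self.name}: probability must lie within [0, 1]")
        if self.severity not in SEVERITY or self.probability not in PROBABILITY:
            raise ValueError(f"{self.name}: unknown severity or probability class")


def expected_annual_cost(event):
    """Loss multiplied by probability for a single event."""
    return event.loss_per_event * event.annual_probability


def annual_loss_expectation(events):
    """ALE: multiply each event's loss by its probability and add up the results."""
    return sum(expected_annual_cost(e) for e in events)


def risk_mitigation_factor(event):
    """Qualitative rank (assumed additive scheme): lower means more urgent.
    Critical/Frequent scores 0, Low/Possible scores 6."""
    return SEVERITY.index(event.severity) + PROBABILITY.index(event.probability)


def prioritize(events):
    """Order events so that high-probability, high-impact ones come first,
    breaking ties by the quantitative expected annual cost (largest first)."""
    return sorted(events, key=lambda e: (risk_mitigation_factor(e),
                                         -expected_annual_cost(e)))


# Constructed sample register; the qualitative classes follow the examples the
# chapter gives for each severity level.
SAMPLE_REGISTER = [
    RiskEvent("Remote control tool installed on server", 0.10, 500_000, "Critical", "Probable"),
    RiskEvent("Web page defacement via server misconfiguration", 0.50, 40_000, "Severe", "Frequent"),
    RiskEvent("Denial of service against public web server", 0.80, 20_000, "Moderate", "Frequent"),
    RiskEvent("User-controlled desktop reimaging", 0.90, 2_000, "Low", "Frequent"),
]

if __name__ == "__main__":
    print(f"Annual Loss Expectation: ${annual_loss_expectation(SAMPLE_REGISTER):,.0f}")
    for e in prioritize(SAMPLE_REGISTER):
        print(f"rank {risk_mitigation_factor(e)}  ${expected_annual_cost(e):>9,.0f}  {e.name}")
```

The two views complement each other as the chapter describes: the ALE gives a single dollar figure to put in front of management, while the qualitative rank lets you order controls without waiting for probability data you may never have.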
The idea here is that probability data and cost impacts are not required; instead, a rough estimate is employed, for instance by evaluating threats, vulnerabilities, and controls. This allows you to look at what risks you are facing (threats), the potential impacts of those threats (vulnerabilities), and potential ways to minimize both the threats and the vulnerabilities (controls). Controls that correspond to events of high probability and high impact are generally worth exploring first, while controls that correspond to events of low probability and low impact are worth examining later. A vulnerability approach is generally followed (rather than an asset protection approach) because the vulnerabilities are usually a smaller set of things to consider, and relate more directly to the controls that will be proposed.

When conducting security environmental vulnerability assessments in a qualitative environment, one associates a Risk Mitigation Factor with each device. This factor is based on two elements: the potential impact of the security violation on functional operations (severity of the hazard) and the probability that the violation will occur. The severity of the risk is classified in one of four categories: Critical, Severe, Moderate, and Low. The probability ranking is also categorized in one of four classifications: Frequent, Probable, Occasional, and Possible. Table 2.1 lists the different levels of risk severity, while Table 2.2 shows the different levels of risk probability.

Table 2.1 Risk Severity (Level of Severity: Description)

Critical: Business impact is considered Critical when exploitation of the vulnerability would result in a total system compromise, which may include complete loss of management control and/or use of the compromised system to launch attacks or intrusions against other companies. In addition to direct costs, there may be significant indirect financial loss, due in part to litigation or damaged reputation. An example of a vulnerability of this nature would be installation of remote control software that would permit a remote intruder full access to the machine.

Severe: The business impact is considered Severe when exploitation of the vulnerability would result in a partial system compromise, potentially losing control over a delivered service or prompting unauthorized distribution of sensitive information. The primary impact of this sort of vulnerability is the direct cost associated with loss of service or information. An example of a vulnerability of this nature would be a weakness in Web server configuration that allowed for Web page defacement.

Moderate: Impact is considered Moderate when exploitation of the vulnerability would result in degraded performance and loss of system integrity. The primary impact of this sort of vulnerability is the indirect cost associated with event normalization. An example of a vulnerability of this nature would be a server subject to a Denial of Service attack.

Low: Business impact is considered Low when exploitation of the vulnerability results in degraded performance without loss of integrity, or prompts an inability to control integrity in a functioning host. The primary impact of this sort of vulnerability is the indirect cost associated with higher maintenance. An example of a vulnerability of this nature would be user-controlled desktops.

Table 2.2 Risk Probability (Level of Probability: Description)

Frequent: The probability is considered Frequent when the event is likely to happen often. This might occur if the vulnerability has been widely publicized, automated tools are available, and/or a worm using the exploit is available.

Probable: The probability is considered Probable when the event is likely to happen several times during the life cycle of the host system. This might occur because the vulnerability is well known, but "user friendly" exploit tools are not available, so a higher level of skill is required to compromise the system.

Occasional: The probability is considered Occasional when the event is likely to occur sometime during the host system's life cycle. This would occur when the vulnerability is not well known, or when specific circumstances would be required for a breach (such as a maintenance window when certain protections are not in place).

Possible: The probability is considered Possible when the event is unlikely but possible during the system's life cycle. This classification applies when the vulnerability is of a theoretical nature and no exploit code or other way to exploit it is currently known, or when specific circumstances of low probability are required.

More information about identifying vulnerabilities is given in Chapter 11, where the Cisco Secure Scanner is discussed.

What Threats Face Your Network?
A threat to your network might come from actual intent to do harm to it, or from a malicious source a user may inadvertently activate. Both arise as a result of violations to a security policy. Policy is driven by goals. Back in the summer of 1986, Hal Tipton, Richard W. Owen, Jr., and Ross Leo coined the term CIA—Confidentiality, Integrity, and Assurance—as a compact and succinct description of the things that matter in a secure information delivery/processing system. (The fact that it provides a nice chuckle at the expense of the U.S. Central Intelligence Agency only helps to make it more memorable.) Looking at harm from the perspective of a breakdown in CIA is a good way to approach potential problems.

Loss of Confidentiality
Loss of confidentiality is often the most serious form of harm. For example, when a merchant has customer credit card numbers compromised, he can expect a serious loss of customer confidence. The owner of the credit card loses, due to potential charges on their account and the hassle of getting them cleared. The credit card company loses, due to absorbing the risk of fraud. In December of 2000, Egghead lost control of its 3.7 million customer database. Some clients lost access to their cards during the Christmas season, while the cards’ issuing companies were forced to cancel and reissue cards. Other credit card companies absorbed the risk of the fraud – and the estimate was that millions of dollars were lost. The biggest loser was Egghead itself: It saw its stock drop twenty-five percent overnight, and shortly thereafter ceased to be a...