Introduction
Concepts
Risks and Threats
Methods and standards
ISO2700x, OCTAVE, EBIOS, MEHARI, ...
Tools
Nessus, nmap, wireshark, ntop, ...
Hands-on Labs
Threats Clusif
Threats Clusif (2)
Source: CLUSIF - Panorama Cybercriminalité 2004
Data Theft
Malware (spyware, bots, keyloggers)
Extortion / Ransomware (ex: encrypted files)
Attacks from Competitors
GSM
VoIP
WiFi, RFID
Threats Clusif (3)
Source: Panorama Cybercriminalité CLUSIF 2006
eMules
Identity Theft
Source: Panorama Cybercriminalité CLUSIF 2007
SCADA and critical infrastructures
Auction Scam, illicit purchases
Estonia 'cyber-war'
Chinese 'cyber-attacks'
Virtual Goods
New Threats?
Historical Motivations
Extortion
Unfair Competition
Spying, Economic Intelligence
Money
Theft of data
Identity theft
New Threats?
New Targets
Intellectual Property
Market Share
MindShare / Fame
I.S. Availability / Operation
Executive's Liability
Finance
Profiles or Virtual Goods (Paypal, Online game),
...
New Vectors
Malware (spyware, bots, keyloggers)
Active or Executable Contents
Bluetooth,
Wifi,
USB keys,
GSM,
VoIP,
RFID
...
What a wonderful world
Vulnerability
A failure or operational weakness of the IS
Possibly known and documented;
May be exploited.
Main reasons:
Design/inception;
Implementation;
Operation.
Vulnerability - trends
Top 20 Vulnerabilities - sans.org
Client-side Vulnerabilities
C1. Web Browsers
C2. Office Software
C3. Email Clients
C4. Media Players
Top 20 Vulnerabilities (2)
Server-side Vulnerabilities
S1. Web Applications
S2. Windows Services
S3. Unix and Mac OS Services
S4. Backup Software
S5. Anti-virus Software
S6. Management Servers
S7. Database Software
Top 20 Vulnerabilities (3)
Security Policy and Personnel:
H1. Excessive User Rights and Unauthorized Devices
H2. Phishing/Spear Phishing
H3. Unencrypted Laptops and Removable Media
Application Abuse:
A1. Instant Messaging
A2. Peer-to-Peer Programs
Top 20 Vulnerabilities (4)
Network Devices:
N1. VoIP Servers and Phones
Special Section
Z1. Zero Day Attacks
Top 10 owasp.org (1)
A1 - Cross Site Scripting (XSS)
XSS flaws occur whenever an application takes user-supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser, which can hijack user sessions, deface web sites, possibly introduce worms, etc.
A2 - Injection Flaws
Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.
A3 - Malicious File Execution
Top 10 owasp.org (2)
A4 - Insecure Direct Object Reference
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.
A5 - Cross Site Request Forgery (CSRF)
A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.
A6 - Information Leakage and Improper Error Handling
Top 10 owasp.org (3)
A7 - Broken Authentication and Session Management
A8 - Insecure Cryptographic Storage
A9 - Insecure Communications
A10 - Failure to Restrict URL Access
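The mechanism behind A1 and A2 above, as an added example that is not part of the original slides: the same user-supplied string is handed to SQLite once by string concatenation (the interpreter parses it as part of the query) and once as a bound parameter (it stays data), and the same string is written into HTML raw and HTML-encoded. Only the Python standard library is used; the table contents are constructed.

```python
"""Added example: OWASP A2 (injection) and A1 (XSS) beside their fixes."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for an application database.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s1"), ("bob", "s2")])
    return con


def lookup_unsafe(con: sqlite3.Connection, name: str) -> list:
    # Vulnerable (A2): user data is spliced into the command text, so the
    # interpreter (SQLite) parses quotes and keywords inside it as SQL.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con: sqlite3.Connection, name: str) -> list:
    # Hardened: a placeholder sends the value separately from the query text;
    # whatever the string contains, it is compared as a value, never parsed.
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in con.execute(query, (name,))]


def render_unsafe(name: str) -> str:
    # Vulnerable (A1): user data reaches the browser without encoding, so
    # markup inside it is executed as part of the page.
    return f"<p>Hello {name}</p>"


def render_safe(name: str) -> str:
    # Hardened: HTML-encode so <, >, &, " and ' reach the browser as text.
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"          # constructed hostile input
    print("unsafe:", lookup_unsafe(db, tautology))   # every row
    print("safe:  ", lookup_safe(db, tautology))     # no row
    print(render_safe("<script>alert(1)</script>"))
```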
References / More readings
'Secrets and Lies', Bruce Schneier
RISKS DIGEST
Forum on Risks to the Public in Computers and Related Systems
http://catless.ncl.ac.uk/Risks
Tutoring
Exercise 2
Investigate and present an existing attack or incident, from the vulnerability to its exploitation, amongst the following categories:
Virus/Worm (ex: Stuxnet)
Privilege escalation
Use of weak cryptography
Social Engineering
...
Outline
Introduction
Concepts
Risks and Threats
Methods and standards
ISO2700x, OCTAVE, EBIOS, MEHARI, ...
Tools
Nessus, nmap, wireshark, ntop, ...
Hands-on Labs
Cartography of InfoSec
A set of documentation, questionnaires and knowledge bases.
Allows measuring existing practices and comparing them with a reference guide of good practices.
Identifies important processes within the organization and proposes metrics in order to calculate the impact of potential losses (Risk Analysis).
Purpose of InfoSec Standards
Protection of informational assets
Sign (if not Proof) of Trust
Potential Differentiator (from Competition)
Profitability
Respect of Legislation and Rules
Public Image
Legislation
Sarbanes-Oxley (USA)
HIPAA Health Information Protection Assurance Act (USA)
FOIA Freedom Of Information Act (USA)
Access to Information and Privacy Acts (Canada)
Basel II (EU)
LCEN (FR)
Standards: Guide of Good Practices
Define a set of good practices for Information Security, used as a reference and able to assure third parties of an acceptable and recognized level of security.
Specify requirements for
Implementation
Operation
Improvement of a documented ISMS (Information Security Management System)
Specify requirements to implement security measures that are:
Adapted to the needs of the enterprise or organisation
Appropriate
Well Suited / Commensurate
Do you speak Esperanto?
Standard      Type                    Organisation
PSSI          Methodological guide    ANSSI
TDBSSI        Methodological guide    ANSSI
RMF           Methodological guide    NIST
SP800-60      Methodological guide    NIST
ITIL          Good-practice guide     OGC BSI
COBIT         Good-practice guide     ISACA
ITSEC         Requirements standard   EU, ANSSI
ISO 15408     Requirements standard   ISO
NF Z 42-013   Requirements standard   AFNOR

Web sites:
www.cert.org
NIST: csrc.nist.gov
CNRS: www.sg.cnrs.fr/fsd
ISACA: www.isaca.org
ITIL: www.itil.co.uk
ISO 27000 family (diagram):
BS7799-3:2005
ISO 27001:2005 - ISMS Requirements
ISO 17799:2005
ISO 27005 - Risk Management for Information Security: processes of ISRM; annex: method for risk management
ISO 27000 - Glossary
ISO 27007 - Guidance for ISMS audit
ISO 27008 - Guidance for auditing metrics of ISMS; annexes for ISMS auditing
Years shown on the diagram: 2008, 2009
Antoine Rojat / Florent Autrau
ISO 27000 Standards
Covers :
Risk Assessment
Security policy - management direction
Organization / Governance of InfoSec
Asset management
Human resources security
Physical and environmental security
ISO 27000 Standards (cont.)
Communications and operations management - management of technical security controls in systems and networks
Access control
Information systems acquisition, development and maintenance - building security into applications
InfoSec incident management
ISO 27000 Standards (cont.)
Business continuity management
Compliance/conformance with policies, standards, laws and regulations
ISO 27000 Series
ISO 27000
Glossary
ISO 27001 (2005)
Code of practice
Security Measures
1st part of BS7799.
ISO 27003
Implementation Guide
ISO 27004 (2007 or 2008)
Figure: mapping of existing measures across business assets, infrastructure (PC, DB server, servers, data center) and informational assets, with a probability axis placing risk scenarios RSK-07, RSK-08, RSK-09 and RSK-10 (value 4 shown).
Ensure coherence of metrics and scales over the whole perimeter.
ISO 27005
Step 2: Identify Assets
Identification of assets, to ensure:
That no asset has been ignored or forgotten;
That the perimeter of the risk analysis is clearly defined.
Based on interviews of stakeholders, quantify the needs/requirements for the security of assets.
Asset: Workstation
       A  I  C  P
User   4  4  1  ?
Risk Scenario: exploitation, by a threat, of an existing vulnerability on a given asset.
Example:
Threat: Phishing;
Vulnerability: uneducated user;
Asset: information owned or manipulated by the user.
From the list of scenarios and the scales in use:
Quantify impact;
Quantify likelihood.
What is likelihood?
Scenario 10: User clicks on a link that leads to malicious code.
Impact: 4 (compromise of confidential data);
Likelihood: 2 (moderated by the mail filtering solution).
ISO 27005
Step 7: Classify Risk Scenarios
Evaluate the criticality of scenarios:
Criticality = Likelihood x Impact
Classify scenarios to identify the remaining risks.
Example - Scenario 10: User clicks on a link that leads to malicious code.
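The ISO 27005 scoring from Step 7 applied to a small scenario register, as an added example that is not from the slides: Scenario 10 (phishing, uneducated user, impact 4, likelihood 2) is scored with Criticality = Likelihood x Impact, ranked against constructed companion scenarios, and checked against the scales. The 1..4 scale and the acceptance threshold of 6 are assumptions, not values the slides state.

```python
"""Added example: ISO 27005 Step 7, Criticality = Likelihood x Impact."""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 4   # assumed common scale for likelihood and impact
ACCEPT_THRESHOLD = 6          # assumed: criticality above this must be treated


@dataclass(frozen=True)
class Scenario:
    ident: str
    threat: str
    vulnerability: str
    asset: str
    impact: int
    likelihood: int

    def criticality(self) -> int:
        # Step 7 requires both values on the scale agreed for the perimeter;
        # an off-scale value means the scenario was scored inconsistently.
        for value in (self.impact, self.likelihood):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.ident}: {value} is off the scale")
        return self.likelihood * self.impact


def classify(scenarios):
    """Rank scenarios by criticality (highest first) and flag remaining risks."""
    ranked = sorted(scenarios, key=lambda s: s.criticality(), reverse=True)
    return [
        (s.ident, s.criticality(),
         "treat" if s.criticality() > ACCEPT_THRESHOLD else "accept")
        for s in ranked
    ]


# Scenario 10 as given on the slides, plus two constructed companions.
REGISTER = [
    Scenario("S10", "phishing", "uneducated user",
             "information handled by the user", impact=4, likelihood=2),
    Scenario("S11", "lost laptop", "unencrypted disk",
             "confidential files", impact=4, likelihood=3),
    Scenario("S12", "web defacement", "XSS in public portal",
             "public image", impact=2, likelihood=2),
]

if __name__ == "__main__":
    for ident, crit, verdict in classify(REGISTER):
        print(f"{ident}: criticality {crit} -> {verdict}")
```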
Methods and ad-hoc standards
Methods for risk analysis are complex.
Hence ad-hoc methods and standards for specific environments.
As an example, the Comité Français d'Organisation et de Normalisation Bancaire defined a profile with a minimum set of protections to cover the precise needs of the banking sector.
Methods
MEHARI