Ch2 Risk Analysis


Risk Analysis

CHAPTER 2
Risk Analysis
 The objective of a security program is to mitigate risks
 Mitigating risks does not mean eliminating them; it means reducing them
to an acceptable level
 To ensure security controls are effectively controlling the right things, you need to
anticipate what kinds of incidents may occur
 Identify what you are protecting, and from whom
 This is done through risk analysis, threat definition, and vulnerability analysis


Threat Definition
 Evaluating threats is an important part of risk analysis
 By identifying threats, you can give your security strategy focus and reduce the
chance of overlooking important areas of risk
 Security strategy must be comprehensive enough to manage the most significant
threats
How do you know you’re defending against the right threats? For example, if an
organization were to simply purchase and install a firewall (and do nothing else)
without identifying and ranking the various threats to their most important assets,
would they be secure? Probably not. Consider the statistics shown in the figure below.
These statistics are from Verizon’s 2010 Data Breach Investigations Report
(DBIR), the result of a collaboration between Verizon and the U.S. Secret Service.
This is a breakdown of “threat agents,” which are defined in the report as “entities
that cause or contribute to an incident.”
Cont…

Sources of actual losses, based on Verizon’s 2010 Data Breach Investigations Report
Cont…

 Security professionals know that many real-world threats come from
inside the organization
 You need to make sure your security controls focus on the right threats
 To avoid overlooking important threat sources, you need to consider all
types of threats
Various aspects of threats
 Threat vectors
 Threat sources and targets
 Types of attacks
 Malicious mobile code
 Advanced Persistent Threats (APTs)
 Manual attacks
Threat Vectors
 A threat vector is a term used to describe where a threat originates and
the path it takes to reach a target
 Ex: An e-mail message sent from outside the organization to an inside
employee, containing an irresistible subject line along with an executable
attachment that happens to be a Trojan program, which will compromise the
recipient’s computer if opened
 A good way to identify potential threat vectors is to create a table
containing a list of threats you are concerned about, along with sources
and targets
Sample Threat Vector Elements
Cont..
 Every environment may dictate a different list
 Choosing different combinations of sources, threats, and targets
produces interesting varieties of threat vectors
 This helps with the process of brainstorming and enumeration
 You can put many different combinations together, for example:
 “employee theft of intellectual property”
 “malware causing outages on networks”
 “competitor espionage of e-mail”
 “cleaning staff theft of trade secrets”
 “software bugs leading to corruption of financial data”
 There are things you can do to defend against these threats, detect
them, or even deter them
Cont..
 Many different analyses of threat vectors are routinely published
 One reputable source for conducting and publishing the results of this type of
survey is the Computer Security Institute (CSI), which identifies particular
threat vectors and their frequency
 It is important to understand and consider threat vectors while designing
security controls, so that each possible route of attack is appropriately scrutinized
 Insider threat vectors take many forms, such as Trojans and viruses
 Trojan programs are covertly installed pieces of software that perform
functions with the privileges of authorized users, but unknown to those users
 Common functions of Trojans include stealing data and passwords, providing
remote access or monitoring to someone outside the trusted network, and
spamming
Computer Security Institute (CSI) attack-type statistics from 2010
survey
Cont…
 Viruses typically arrive in documents, executable files, and e-mail
 They may include Trojan components
 They may also capture and send password keystrokes
 Example: the girlfriend exploit. This term, coined by early attackers in the
late 1980s, refers to a Trojan program planted by an unsuspecting employee who
runs a program provided by a trusted friend from a storage device such as a
disk or USB stick; the program plants a back door (also known as a trap door)
inside the network. Since this attack takes advantage of personal trust in the
attacker, it can be very effective
Threat Sources and Targets
Security controls can be logically grouped into several categories:
 Preventative Block security threats before they can exploit a vulnerability
 Detective Discover and provide notification of attacks or misuse when they
happen
 Deterrent Discourage outsider attacks and insider policy violations
 Corrective Restore the integrity of data or another asset
 Recovery Restore the availability of a service
 Compensative In a layered security strategy, provide protection even when
another control fails
Cont..
Each category of security control may have a variety of implementations to
protect against different threat vectors:
 Physical Controls that are physically present in the “real world”
 Administrative Controls defined and enforced by management
 Logical/technical Technology controls performed by machines
 Operational Controls that are performed in person by people
 Virtual Controls that are triggered dynamically when certain circumstances arise
Security Controls for Different Threat Vectors
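The threat-vector table described earlier (sources, threats and targets combined to enumerate vectors) and the control categories listed above can be worked as a small script. The Python below is an added illustration for this chapter, not code from the book: the element names echo the examples in the text, while the plausibility exclusions, the 1-5 likelihood/impact ratings and the threat-to-control mapping are assumptions made for the example, not survey data.

```python
"""Build a threat-vector table from (source, threat, target) elements, rank the
combinations by risk and attach the control categories that address each.

Added illustration for this chapter, not code from the book. The element
names echo the examples in the text; the plausibility exclusions, the 1-5
likelihood/impact ratings and the threat-to-control mapping are assumptions
made for the example, not survey data.
"""
from itertools import product

SOURCES = ["employee", "cleaning staff", "competitor", "malware"]
THREATS = ["theft", "espionage", "outage", "corruption"]
TARGETS = ["intellectual property", "e-mail", "networks", "financial data"]

# Combinations judged not meaningful for this environment (assumed).
IMPLAUSIBLE = {
    ("malware", "espionage", "networks"),
    ("cleaning staff", "outage", "financial data"),
}

# Likelihood per source and impact per target, 1 (low) to 5 (high); assumed ratings.
LIKELIHOOD = {"employee": 4, "cleaning staff": 2, "competitor": 3, "malware": 5}
IMPACT = {"intellectual property": 5, "e-mail": 3, "networks": 4, "financial data": 5}

# Control categories from the text that address each threat type (assumed mapping).
CONTROLS = {
    "theft": ["preventative", "deterrent", "detective"],
    "espionage": ["preventative", "detective"],
    "outage": ["preventative", "recovery", "compensative"],
    "corruption": ["detective", "corrective"],
}


def enumerate_vectors(sources=SOURCES, threats=THREATS, targets=TARGETS,
                      implausible=IMPLAUSIBLE):
    """Every (source, threat, target) triple not ruled out as implausible."""
    return [v for v in product(sources, threats, targets) if v not in implausible]


def risk_score(vector, likelihood=LIKELIHOOD, impact=IMPACT):
    """Likelihood of the source acting times impact of losing the target."""
    source, _threat, target = vector
    return likelihood[source] * impact[target]


def describe(vector):
    """Render a triple the way the text phrases vectors, e.g. 'employee theft of e-mail'."""
    source, threat, target = vector
    return f"{source} {threat} of {target}"


def ranked_vectors(top=None):
    """Threat vectors, highest risk first, each with the control categories to apply."""
    rows = [{"vector": describe(v), "score": risk_score(v), "controls": CONTROLS[v[1]]}
            for v in enumerate_vectors()]
    rows.sort(key=lambda r: (-r["score"], r["vector"]))
    return rows[:top] if top else rows


if __name__ == "__main__":
    for row in ranked_vectors(top=8):
        print(f'{row["score"]:>3}  {row["vector"]:<42}  {", ".join(row["controls"])}')
```

The exclusion set is the part worth arguing over in a workshop: the cartesian product generates every combination, and the team's job is to strike the ones that make no sense for its environment and rate the rest.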
Types of Attacks

 Malicious mobile code

 Advanced Persistent Threats (APTs)

 Manual attacks
Malicious Mobile Code
 There are three generally recognized variants of malicious mobile
code: viruses, worms, and Trojans. In addition, many malware
programs have components that act like two or more of these types,
which are called hybrid threats or mixed threats.
The lifecycle of malicious mobile code looks like this:
1. Find
2. Exploit
3. Infect
4. Repeat
Cont…
 Unlike a human counterpart, malware doesn’t need to rest or eat. It just goes
on every second of every day churning out replication cycles. Automated
attacks are often very good at their one exploit and only die down over time as
patches close holes and technology passes them by. But if given the chance
to spread, they will.
 The Code Red worm, which attacks unpatched Microsoft Internet Information
Services (IIS) servers, was released in July 2001. Does that seem like a long
time ago? Code Red–compromised systems could still be found on the Internet
years later. There are even periodic reports of floppy disk boot sector viruses
from the late 1980s and early 1990s still spreading, even though you won’t find
a floppy drive on most computers anymore. Boot sector viruses originally
released in 1993 and 1994 can still be found in the wild.
Computer Viruses
 A virus is a self-replicating program that uses other host files or code to
replicate.

 Most viruses infect files so that every time the host file is executed, the
virus is executed too.

 A virus infection is simply another way of saying the virus made a copy of
itself (replicated) and placed its code in the host in such a way that it will
always be executed when the host is executed.

 Viruses can infect program files, boot sectors, hard drive partition tables,
data files, memory, macro routines, and scripting files.
Anatomy of a Virus
 The damage routine of a virus (or really of any malware program) is called the payload.
 The vast majority of malicious program files do not carry a destructive payload beyond
the requisite replication. This means they aren’t intentionally designed by their creators
to cause damage. However, their very nature requires that they modify other files and
processes without appropriate authorization, and most end up causing program crashes
of one type or another.
 Error-checking routines aren’t high on the priority list for most attackers.
 At the very least, a “harmless” virus takes up CPU cycles and storage space. The
payload routine may be mischievous in nature, generating strange sounds, unusual
graphics, or pop-up text messages. One virus plays Yankee-Doodle Dandy on PC
speakers at 5 p.m. and admonishes workers to go home. Another randomly inserts
keystrokes, making the keyboard user think they’ve recently become more inaccurate at
typing.
Cont…
 Payloads can be intentionally destructive, deleting files, corrupting data, copying
confidential information, formatting hard drives, and removing security settings.
 Some viruses are devious. Many send out random files from the user’s hard drive to
everyone in the user’s e-mail address list. Confidential financial statements and business
plans have been sent out to competitors by malware.
 People’s illicit affairs have been revealed by a private interoffice love letter to a coworker
being sent to the spouse and all their relatives.
 There are even viruses that infect spreadsheets, changing numeric zeros into letter O’s,
making the cell’s numeric contents become text and, consequently, have a value of zero.
The spreadsheet owner may think the spreadsheet is adding up the figures correctly, but the
hidden O will make column and row sums add up incorrectly. Some viruses randomly
change two bytes in a file every time the file is copied or opened. This slowly corrupts all
files on the hard drive, and many times has meant that all the tape backups contained only
infected, corrupted files, too. Viruses have been known to encrypt hard drive contents in
such a way that if you remove the virus, the files become unrecoverable.
Cont…
 Nonresident virus: a virus that executes, does its damage, and terminates until
the next time it is executed
 Memory-resident virus: a virus that stays in memory after it is executed
 Memory-resident viruses insert themselves as part of the operating system or application and
can manipulate any file that is executed, copied, moved, or listed. Memory-resident viruses
are also able to manipulate the operating system in order to hide from administrators and
inspection tools. These are called stealth viruses. Stealth can be accomplished in many ways.
The original IBM PC boot sector virus, Brain, was a stealth virus. It redirected requests for the
compromised boot sector to the original boot sector, which was stored elsewhere on the disk.
Other stealth viruses hide the increase in file size and memory incurred because of the
infection, make the infected file invisible to disk tools and virus scanners, and hide file
modification attributes. Memory-resident viruses have also been known to disinfect files on
the fly, while they are being inspected by antivirus scanners, and then reinfect the files after
the scanner has given them a clean bill of health. Many viruses today use the System Restore
feature of Microsoft Windows to keep themselves alive.
Cont…
 Overwriting virus: if the virus overwrites the host code with its own code, effectively
destroying much of the original contents, it is called an overwriting virus

Example of an overwriting virus

 Parasitic virus: if the virus inserts itself into the host code, moving the original code
around so the host programming still remains and is executed after the virus code, the
virus is called a parasitic virus
Cont…
 Prepending virus: viruses that copy themselves to the beginning of the file are called
prepending viruses

Example of a prepending parasitic virus

 Appending virus: viruses placing themselves at the end of a file are called
appending viruses
 Mid-infecting virus: viruses appearing in the middle of a host file are called
mid-infecting viruses
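The placement categories above (overwriting, prepending, appending, mid-infecting) can be recovered after the fact by comparing a known-good copy of the host with the modified file, which is the comparison an integrity checker or an incident responder makes. The Python below is an added illustration, not code from the book; HOST and VIRUS are constructed placeholder byte strings, not real program or virus code.

```python
"""Recover where a virus placed its code in a host file by comparing a
known-good copy with the modified one.

Added illustration for this chapter, not code from the book. HOST and VIRUS
are constructed placeholder byte strings, not real program or virus code.
"""

HOST = b"MZ<host program code>"   # stands in for a clean executable
VIRUS = b"<virus code>"           # stands in for the inserted foreign code


def _common_prefix(a, b):
    i = 0
    while i < len(a) and i < len(b) and a[i] == b[i]:
        i += 1
    return i


def _common_suffix(a, b):
    i = 0
    while i < len(a) and i < len(b) and a[-1 - i] == b[-1 - i]:
        i += 1
    return i


def classify_infection(original, modified):
    """Return 'unchanged', 'prepending', 'appending', 'mid-infecting' or
    'overwriting' (host not recoverable in full, whatever the new length)."""
    if modified == original:
        return "unchanged"
    n = len(original)
    if len(modified) > n:
        if modified.endswith(original):
            return "prepending"      # host intact, virus code runs first
        if modified.startswith(original):
            return "appending"       # host intact, virus code tacked on the end
        p = _common_prefix(original, modified)
        s = _common_suffix(original[p:], modified[p:])
        if p + s == n:
            return "mid-infecting"   # host split, virus inserted between the halves
    return "overwriting"


def foreign_code(original, modified):
    """Extract the inserted bytes for the parasitic forms; None if the host was overwritten."""
    kind = classify_infection(original, modified)
    n = len(original)
    if kind == "prepending":
        return modified[:len(modified) - n]
    if kind == "appending":
        return modified[n:]
    if kind == "mid-infecting":
        p = _common_prefix(original, modified)
        return modified[p:len(modified) - (n - p)]
    return None


if __name__ == "__main__":
    samples = {
        "prepending": VIRUS + HOST,
        "appending": HOST + VIRUS,
        "mid-infecting": HOST[:5] + VIRUS + HOST[5:],
        "overwriting": VIRUS + HOST[len(VIRUS):],
    }
    for expected, modified in samples.items():
        print(expected, classify_infection(HOST, modified), foreign_code(HOST, modified))
```

The parasitic forms are the ones a scanner can clean by cutting out the foreign bytes; an overwriting infection leaves nothing to restore except from backup, which is why the two cases are separated here.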
Cont…

 The modified host code doesn’t always have to be a file; it can be a
disk boot sector or partition table, in which case the virus is called a
boot sector or partition table virus, respectively.
 In order for a pure boot sector virus to infect a computer, the computer
must have booted, or attempted to boot, off an infected disk.
 If you see the “Non-system disk or disk error” message, the PC attempted to
boot from that disk, and if the disk was infected, that attempt is enough activity
to pass a boot sector virus.
 If you don’t boot with an infected floppy disk, then the boot sector virus
is not activated and cannot infect the computer.
Computer Worms
 A computer worm uses its own coding to replicate, although it may rely on the existence of
other related code to do so.
 The key to a worm is that it does not directly modify other host code to replicate.
 A worm may travel the Internet trying one or more exploits to compromise a computer,
and if successful, it then writes itself to the computer and begins replicating again.
 An example of an Internet worm is Bugbear. Bugbear was released in June 2003, arriving as a file
attachment in a bogus e-mail. In unpatched Outlook Express systems, it can execute while the user
is simply previewing the message. In most cases, it requires that the end user execute the file
attachment. Once launched, it infects the PC, harvests e-mail addresses from the user’s e-mail
system, and sends itself out to new recipients. It adds itself into the Windows startup group so it
gets executed each time Windows starts. Bugbear looks for and attempts to gain access to weakly
password-protected network shares and terminates antivirus programs. It also drops off and
activates a keylogging program, which records users’ keystrokes in an attempt to capture
passwords. The captured keystrokes, and any cached dial-up passwords that are found, are then e-
mailed to one of ten predefined e-mail addresses. Lastly, Bugbear opens up a back door service on
port 1080 to allow attackers to manipulate and delete files. Bugbear was one of the most successful
worms of 2003.
E-Mail Worms
 E-mail worms are a curious intersection of social engineering and automation.
 They appear in people’s inboxes as messages and file attachments from friends,
strangers, and companies.
 They pose as pornography, cute games, official patches from Microsoft, or
unofficial applications found in the digital marketplace.
 There cannot be a computer user in the world who has not been warned multiple
times against opening unexpected e-mail attachments, but often the attachments are
simply irresistible.
 The worm first modifies the PC in such a way that it makes sure it is always loaded
into memory when the machine starts.
 Then it looks for additional e-mail addresses to send itself to. It might use
Microsoft’s Messaging Application Programming Interface (MAPI) or use the
registry to find the physical location of the address book file.
Cont…
 The following is abbreviated example code taken from a Visual Basic e-mail worm that uses
Outlook’s MAPI interface to grab addresses and send itself (object references and variable
declarations are omitted; the comments explain each step):

CreateObject("Outlook.Application")       ' start Outlook through COM automation
GetNameSpace("MAPI")                      ' open the MAPI session and its address books
For Each X In AddressLists                ' walk every address list
    For Y = 1 To AddressEntries.Count     ' ...and every entry in it
        AddressEntries(Y)                 ' take this entry's address
        If Z = 1 Then Address             ' add it as a recipient when it is usable
        Else End If
    Next
Next
Subject = "Re: You g0tta see th1s!"       ' social-engineering lure
Body = "I can't believe I have these pictures."
Attachments.Add WScript.ScriptFullName    ' attach the running script itself
Send                                      ' and mail it out
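The worm above succeeds only if the recipient opens an attachment that is really a script, dressed up with a lure subject and, often, a double extension such as pictures.jpg.vbs. The mail filter below is an added defender-side example, not code from the book or from any real product: its executable-extension list, lure-subject patterns and the sample message are assumptions constructed for the illustration.

```python
"""Flag inbound messages that look like e-mail worm carriers: executable or
script attachments, double extensions disguising them as pictures, PE content
under a harmless file name, and lure subject lines.

Added illustration for this chapter, not the book's code. The extension list,
subject patterns and sample message are constructed assumptions.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# File types Windows runs when double-clicked (assumed list for the example).
EXECUTABLE_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "vbe",
                  "js", "jse", "wsf", "wsh", "hta", "lnk"}

# Subject phrasings of the kind the text describes (assumed patterns).
LURE_SUBJECTS = re.compile(r"see th[i1]s|pictures|official patch|update", re.I)


def build_sample_message(filename="pictures.jpg.vbs",
                         subject="Re: You g0tta see th1s!",
                         body=b'MsgBox "placeholder attachment"\r\n'):
    """Constructed sample mail resembling the worm's output; the attachment
    body is a placeholder, not worm code."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content("I can't believe I have these pictures.")
    msg.add_attachment(body, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


def attachment_risks(raw_message):
    """Return a list of findings for one raw RFC 822 message; empty means clean."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    subject = msg.get("Subject", "") or ""
    if LURE_SUBJECTS.search(subject):
        findings.append("lure subject: " + subject)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        pieces = name.split(".")
        ext = pieces[-1] if len(pieces) > 1 else ""
        if ext in EXECUTABLE_EXT:
            findings.append("executable attachment: " + name)
            if len(pieces) > 2:
                # e.g. pictures.jpg.vbs: Explorer hides the real extension
                findings.append("double extension disguises script/executable: " + name)
        # Content check: a PE image is a PE image whatever the name says.
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"MZ") and ext not in EXECUTABLE_EXT:
            findings.append("PE executable content under non-executable name: " + name)
    return findings


if __name__ == "__main__":
    for finding in attachment_risks(build_sample_message()):
        print(finding)
```

The name check and the content check deliberately overlap: the first catches the social-engineering trick (a script named like a picture), the second catches an executable renamed to something the extension list does not cover.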
Trojans
 Trojan horse programs, or Trojans, work by posing as legitimate programs that
are activated by an unsuspecting user.
 After execution, the Trojan may attempt to continue to pose as the other
legitimate program (such as a screensaver) while doing its malicious actions in
the background.
 Many people are infected by Trojans for months and years without realizing it. If
the Trojan simply starts its malicious actions and doesn’t pretend to be a
legitimate program, it’s called a direct-action Trojan.
 Direct-action Trojans don’t spread well because the victims notice the
compromise and are unlikely, or unable, to spread the program to other
unsuspecting users.
Cont…

 An example of a direct-action Trojan is JS.ExitW. It can be downloaded and
activated when unsuspecting users browse malicious web sites. In one case,
this Trojan posed as a collection of Justin Timberlake pictures and turned up
in a search using Google. The link, instead of leading to the pictures,
downloaded and installed the JS.ExitW Trojan. When activated, JS.ExitW
installs itself in the Windows startup folder as an HTML application (.hta) that
shuts down Windows. Because it is in the startup folder, this has the
consequence of putting infected PCs in a never-ending loop of starts and
shutdowns.
Cont…
 Remote access Trojans: a powerful type of Trojan program called a remote
access Trojan (RAT) is very popular in today’s attacker circles.
 Once installed, a RAT becomes a back door into the compromised system and allows
the remote attackers to do virtually anything they want to the compromised PC. RATs
are often compared to Symantec’s pcAnywhere program in functionality. RATs can
delete and damage files, download data, manipulate the PC’s input and output
devices, record keystrokes, and take screenshots.
 Zombie Trojans and DDoS attacks: zombie Trojans infect a host and wait for
their originating attacker’s commands telling them to attack other hosts. The attacker
installs a series of zombie Trojans, sometimes numbering in the thousands. With one
predefined command, the attacker can cause all the zombies to begin to attack
another remote system with a distributed denial of service (DDoS) attack.
 DDoS attacks flood the intended victim computer with so much traffic, legitimate or
malformed, that it becomes overutilized or locks up, denying legitimate connections
Example DDoS attack scenario
Malicious HTML
 The Internet allows for many different types of attacks, many of which are HTML-based.
 Pure HTML coding can be malicious when it breaks browser security zones or when it
can access local system files.
 For example, the user may believe they are visiting a legitimate web site, when in fact an
attacker has hijacked their browser session and the user is inputting confidential
information into an attacker site. Malicious HTML has often been used to access files on
local PCs, too. Specially crafted HTML links can download files from the user’s
workstation, retrieve passwords, and delete data.
 HTML coding often includes script languages with more functionality and complex
active content.
 Script languages like JavaScript and VBScript can access local resources easily when
they run outside the browser’s sandbox, for example through Windows Script Host, which
is why so many e-mail worms of this era were coded in VBScript. Active content includes
ActiveX controls, Java applets, and media files. ActiveX controls and Java applets can be
almost any type of hostile program, including Trojans and viruses.
Advanced Persistent Threats (APTs)
 The use of sophisticated malware for targeted cybercrime is known as advanced persistent
threats (APTs)
 Usually targeted at businesses (especially high-tech businesses with juicy intellectual property
and trade secrets desired by competitors) and governments that have political adversaries
 APTs are created and directed by hostile governments and organized criminals for financial or
political gain
 APTs are intentionally stealthy and difficult to find and remove—they may hide for months
on an organization’s network doing nothing, until they are called upon by their controllers
