Chapter 4 divides vulnerabilities into five different categories

Description

Chapter 4 divides vulnerabilities into five different categories: physical, technical, operational, procedural, and personnel vulnerabilities. Find an article and provide a reference that talks about a vulnerability, and write about what category the vulnerability would fall under, what happened (or could happen) as a result, and what you would do to help mitigate the risk. Need at least 2 pages.

NOTE: NO PLAGIARISM

NEED 2 REFERENCES WITH APA FORMAT

Unformatted Attachment Preview

• Threats
  ◦ Insider – Recently demoted, fired, or laid-off contractor. Intimate knowledge of operations and of how to use PLCs and a MODBUS connection.
  ◦ Outsider – Someone with a rifle shooting at a substation.
  ◦ Accidents – Homer sleeping at the nuclear power plant.
  ◦ Malware – Lives on networks.
  ◦ Governments.
  ◦ Terrorists.
  ◦ Competitors – Espionage, deny business.
  ◦ Activists.

Chapter 2 – Cont.
• Isolate networks using protocols, firewalls, encryption, and physical air gaps, but a "network" is inherently vulnerable by definition.
• IPv6 – Enough addressable space to network everything (IoT).
• Most ICS can't talk IPv6, requiring modified sockets.

Chapter 3 – Threat Vectors
• FERC & NERC – CIP
  ◦ http://www.nerc.com/pa/CI/Comp/Pages/default.aspx
• NIST – SP 800-82, Guide to ICS Security
  ◦ http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf
• Stuxnet – Designed to cause centrifuge failures.
• Flame – Designed to collect intelligence.

Chapter 3 – Cont.
• Point-to-point communication among SCADA master stations, DCSs, PLCs, and RTUs must not be left to default off-the-shelf implementations of Bluetooth, 802.x, infrared, and other network-layer protocols.
• Talent – 65% human skills, 35% technical solutions.

Chapter 3 – Cont.
• Defense is about successfully sustaining critical operations while running in a degraded status.
• Vendors need to provide APIs that share information and alerts in real time so defenders can close the time gap from detection to reaction.

Chapter 3 – Cont.
• Exploit Operations
  ◦ National legislation takes years.
  ◦ International cooperation takes decades.
  ◦ Exhaustive digital analysis of malware, code structure reviews, behavioral analysis, and digital forensics of an exploited ICS provide details about the exploiter.
  ◦ Engaging in offensive operations could subject the defender to legal action. How? A proxy server, etc. Example: the Aussie furniture store.
  ◦ True defense – Learn about your attacker.
  ◦ Collecting digital intelligence on code assembly reveals patterns used to identify and correlate families of malware attributable to certain hacker groups, governments, or activists.
  ◦ To become proficient, an analyst has to learn Unicode, many coding languages, file compression techniques, encryption schemes, hexadecimal encoding, byte offsets, file signatures, bit shifting, file formats, encapsulation protocols, encryption algorithms, etc.

Chapter 3 – Cont.
• Sources of Digital Intelligence
  ◦ Is it memory-resident malware that lives in a process? Use a memory-imaging tool to preserve the entire memory space, including the kernel-protected area.
• Methods
  ◦ Malware authors will encrypt their code and pack it to obfuscate it.
  ◦ Analyze the system while it's infected.

Chapter 3 – Cont.
• Collecting more intelligence – TOR, VPS, Tails, and proxies all leave a trail of IPs.
• The Honeynet Project – https://www.honeynet.org/
• Some malware recognizes virtualization and will self-eradicate, or has routines to invoke a harmless signature. Cloud virtualization is changing this.
• Malware droppers such as PDFs often reveal the IP the payload is coming from, but it's usually a proxy.
• Other delivery methods are USB sticks and social engineering – the most successful method.

Chapter 3 – Cont.
• ICS incident responders will deploy to isolated environments and need to create VLANs and use firewalls to ensure the safety and operability of the rest of the ICS, while allowing the malware to call home (check Twitter C&C). This is tough because down-range devices (sensors) may need a heartbeat.
• They need kits, rapid response procedures, and equipment staging locations.
• Forensically sterile software exists that will reach endpoints and preserve and analyze data until incident responders arrive.

Chapter 3 – Cont.
• Incident responders should be able to pass malware back to specialized labs that will reverse engineer it.
• Remote access to a repository of evidence.
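The following is an added worked example; it is not part of the uploaded slides and not the code of any tool they cite. It ties the insider threat above (a contractor who knows the PLCs and has a Modbus connection) to the detection side of the incident-response notes: parse Modbus/TCP frames the way an IDS would, and alert on any state-changing function code (write coil/register, diagnostics) that comes from a host outside the engineering-workstation allowlist, on malformed frames, and on unknown function codes. The IP addresses, the allowlist and the sample frames are constructed for the example; the MBAP header layout and the function-code numbers are from the Modbus/TCP specification.

```python
"""Modbus/TCP write-allowlist check over constructed frames (added example, not from the slides)."""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

MBAP = struct.Struct(">HHHB")  # transaction id, protocol id (0 = Modbus), length, unit id

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    8: "Diagnostics", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}
# Function codes that change controller state (8 includes sub-functions such as
# Force Listen Only Mode); only engineering workstations should ever send them.
WRITE_FUNCTIONS = {5, 6, 8, 15, 16, 23}


class MalformedFrame(ValueError):
    """Bytes that do not parse as Modbus/TCP: a broken client or someone fuzzing the PLC."""


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes

    def target(self) -> str:
        """What a write function touches, for the alert text."""
        d = self.data
        if self.function in (5, 6) and len(d) >= 2:        # single coil / register address
            return f"address {struct.unpack('>H', d[:2])[0]}"
        if self.function in (15, 16) and len(d) >= 4:      # start address, quantity
            start, qty = struct.unpack(">HH", d[:4])
            return f"addresses {start}..{start + qty - 1}"
        if self.function == 23 and len(d) >= 8:            # write range follows the read range
            start, qty = struct.unpack(">HH", d[4:8])
            return f"addresses {start}..{start + qty - 1}"
        if self.function == 8 and len(d) >= 2:
            return f"sub-function {struct.unpack('>H', d[:2])[0]}"
        return "unknown target"


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse MBAP header + PDU, refusing frames whose header disagrees with the bytes present."""
    if len(frame) < MBAP.size + 1:
        raise MalformedFrame("shorter than MBAP header plus function code")
    tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        raise MalformedFrame(f"protocol id {proto} is not Modbus (0)")
    # The length field counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise MalformedFrame(f"length field {length} but {len(frame) - 6} bytes present")
    return ModbusRequest(tid, unit, frame[7], bytes(frame[8:]))


def check_request(src_ip: str, frame: bytes, allowed_writers: Set[str]) -> Optional[str]:
    """Return an alert string, or None when the request is acceptable."""
    try:
        req = parse_modbus_tcp(frame)
    except MalformedFrame as exc:
        return f"ALERT malformed Modbus/TCP from {src_ip}: {exc}"
    name = FUNCTION_NAMES.get(req.function)
    if name is None:
        return f"ALERT unknown function code {req.function} from {src_ip} to unit {req.unit_id}"
    if req.function in WRITE_FUNCTIONS and src_ip not in allowed_writers:
        return (f"ALERT {name} ({req.target()}) from non-engineering host {src_ip} "
                f"to unit {req.unit_id}, tid {req.transaction_id}")
    return None


def scan(events: Iterable[Tuple[str, bytes]], allowed_writers: Set[str]) -> List[str]:
    """Run the check over (source ip, frame) pairs and collect the alerts in order."""
    alerts = []
    for src, frame in events:
        alert = check_request(src, frame, allowed_writers)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample traffic (not a real capture). 10.0.1.20 is the assumed engineering workstation.
ALLOWED_WRITERS = {"10.0.1.20"}
SAMPLE_EVENTS = [
    ("10.0.1.10", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),  # HMI polls 10 holding registers
    ("10.0.1.20", bytes.fromhex("0002 0000 0006 01 06 0010 00ff")),  # EWS writes register 16: allowed
    ("10.0.1.77", bytes.fromhex("0003 0000 0006 01 05 0005 ff00")),  # unlisted host forces coil 5 ON
    ("10.0.1.77", bytes.fromhex("0004 0000 000b 01 10 0000 0002 04 0001 0002")),  # writes regs 0..1
    ("10.0.1.77", bytes.fromhex("0005 0000 0006 01 03 0000")),  # header says 6 bytes, only 4 present
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS, ALLOWED_WRITERS):
        print(line)
```

Running it prints three alerts for the constructed traffic: the coil write and the multi-register write from 10.0.1.77, and the truncated frame. The length check is deliberate: on a control network a frame whose MBAP length disagrees with what is on the wire is either a broken client or someone fuzzing the PLC, and either way it deserves an alert rather than a silent parse. A Snort rule keyed on function code and source address expresses the same policy; keeping it as code makes the allowlist and the reason for each alert explicit for the responder.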
• Emerging threats – Same as IT: lack of patching leads to vulnerabilities that are exploited, SQL injection, buffer overflows, default usernames/passwords, logic flaws, bypassing authentication and authorization, escalating privileges, exploit traffic sent as DNS queries during peak traffic.

Chapter 3 – Cont.
• Know your ICS
  ◦ Authority to operate.
  ◦ Document all devices: firmware/OS/software version, make, model, patch level, open ports and protocols used; gather documentation from the manufacturer; run Wireshark and Snort IDS; pen test the device.
  ◦ Change management.

Chapter 3 – Cont.
• Risk Assessments:
  ◦ What do you do? (Business mission)
  ◦ What assets make that happen?
  ◦ What threatens those assets?
  ◦ Analysts compare threats to vulnerabilities.
  ◦ Vulnerability gaps are addressed by risk management techniques.
  ◦ Residual risk is treated.

Chapter 4 – Risk Management
• Uncertainties/risks that impact ICS systems must be identified, analyzed, assessed, and treated to reduce them to a level acceptable to both senior management and ICS control engineers.
• The ICS policy should be aligned with the business rules.

Chapter 4 – Cont.
• Elements of risk management:
  ◦ Mission analysis – What is the business trying to do?
  ◦ Scope – How much are you trying to do?
  ◦ Asset valuation – What are you using to do what you do?
  ◦ Threat assessment – Who are the "bad guys", and what are their tools, motivations, and objectives?
  ◦ Vulnerability assessment – What are the holes in security?
  ◦ Risk analysis – How bad is it if the vulnerabilities are exploited?
  ◦ *Final – Risk assessment – How bad is it for the business?

Chapter 4 – Cont.
• AP&S – Addresses risk in all industries. Of note: SCADA prioritizes AIC (availability, integrity, confidentiality) versus traditional IT's CIA ordering.
• AP&S formula – Calculates the exposure of an organization to losses that result from a threat agent exploiting a vulnerability to cause injury to an asset.
  ◦ R = f(M, AV, T, V)
  ◦ R – risk, M – mission importance, AV – asset values, T – threats, V – vulnerabilities.
• Any increase in one of these factors leads to an increase in risk.
• It is a qualitative process.

Chapter 4 – Cont.
• Risk – Defined as the likelihood of a threat exploiting a vulnerability that affects the AIC of assets supporting business activities.
• Probability – Defined as the number of times a specific outcome occurs given a total number of events.
• AP&S risk management is based on an accurate assessment of the probabilities of negative events occurring, and on taking mitigative action.

Chapter 4 – Cont.
• Risk assessment information gathering methodology:
  1. What does mission success mean? What good or service do we provide? To whom? Where? How important is it? How reliable are we?
  2. How do we provide this good or service?
  3. Is this all reflected in the mission statement?
  4. Business lines should emerge: manufacturing, distributing, marketing, sales, customer support, etc.

Chapter 4 – Cont.
  5. ICS assets needing AIC should emerge. They support the business lines. For example:
     ◦ Manufacturing – Supply chain ICS, materials handling, etc.
     ◦ Build product – Assembly line ICS.
     ◦ Deliver the product – Packaging, loading ICS.
  * There are many more IT-related risk needs, such as protecting the customer database.

Chapter 4 – Cont.
• Risk ethics – Don't overlay the reason an organization exists with morals, ethics, and principles. Organizations exist to be profitable. Safeguards must map to residual risk levels approved by senior management and be consistent with industry best practices, training, and education. Ethical considerations become irreconcilable when protections become too ineffective for the risk manager to tolerate (example: fracking). ICS risk management ultimately falls under ERM (enterprise risk management) – senior management.

Chapter 4 – Cont.
• Risk factor – The public relies on ICSs to provide water, power, heat, traffic lights, filtered air, etc., but most critical infrastructure is privately owned and not accountable to the populace for high-quality uninterrupted service.
• The government has compliance programs for accountability.

Chapter 4 – Cont.
• 4-step risk communication process:
  1. Express risk at the equipment level (loss of functions). This gets buy-in from control engineers in order to convince managers.
  2. Extrapolate how loss of function affects operations and reporting to headquarters/main office.
  3. Move risk to the strategic level by communicating how negatively impacted operations affect corporate business.
  4. Identify how corporate loss affects the community, regional, or national level.

Chapter 4 – Cont.
• Asset valuation – The process of determining how important (qualitatively or quantitatively) an asset is to mission success in terms of AIC, and also how important an asset is to an adversary.
• Quantitative asset valuation – Total cost of ownership through the lifecycle.
• Qualitative asset valuation – Focuses on what the asset does and how critical it is to completing a process.

Chapter 4 – Cont.
• Critical Infrastructure Protection (CIP) organizes assets into these categories:
  ◦ Personnel
  ◦ Materiel
  ◦ Infrastructure and Facilities
  ◦ Activities

Chapter 4 – Cont.
• The value of assets must be directly linked to business processes.
  ◦ How does the loss of an asset affect the availability of a service?
  ◦ What are the confidentiality concerns associated with unauthorized disclosure of information?
  ◦ How would these losses affect the larger system, community, or corporation?
  ◦ *For example, the monetary cost may be negligible but still have an impact: GM's ignition switch.

Chapter 4 – Cont.
• Threat – Defined as any condition or action, typically negative, which causes injury to the AIC of an asset by exploiting some vulnerability.
• Threats within the AP&S domain are usually grouped into: deliberate, accidental, natural, or deterioration.
• The determining factors are: capability, opportunity, and intent.

Chapter 4 – Cont.
• Insider threat:
  ◦ 70% of SCADA attacks are internal.
  ◦ Conduct background checks.
  ◦ Separation of duties.
  ◦ Classify data and have safeguards.
  ◦ Limit physical access to buildings.

Chapter 4 – Cont.
• Threat analysis – How bad is it?
• 3 important threat analysis elements:
  ◦ The threat itself, in terms of the nature of the injury – the What?
  ◦ The threat agent – the Who?
  ◦ The threat vector – the How?

Chapter 4 – Cont.
• Threat community
  ◦ ICS security information sharing is necessary.
  ◦ FBI InfraGard
  ◦ Conferences
  * Improves analysis.
  ◦ Information may be stripped of names, agency notes, locations, etc. – anonymized.

Chapter 4 – Cont.
• Once a threat analyst understands the threats, they may compare them to vulnerabilities to determine the likelihood of a threat event exploiting a vulnerability.

Chapter 4 – Cont.
• Vulnerabilities – Described as a gap or weakness.
• Many times the vulnerability is not seeing ICS systems as insecure.
• Not all risk may be mitigated. Senior management has to accept some risk as part of doing business.

Chapter 4 – Cont.
• Taxonomy of vulnerabilities:
  ◦ Physical – Improper physical control, no defense in depth, no physical locking of systems to maintain positive control.
  ◦ Technical – Systems not hardened, no integrated management of systems, no configuration management, wrong clipping levels (false alarms), infrequent maintenance.
  ◦ Operational – Conflicting processes, lack of training, inadequate safety, silos between business lines, no OPSEC.
  ◦ Procedural – Lack of or no security policy or procedures.
  ◦ Personnel – Lack of clearance, training, egos, poor supervision, no security awareness program.

Chapter 4 – Cont.
• Mitigative threat factors:
  ◦ Span of control – AP&S analysts have approval to make changes.
  ◦ Span of influence – AP&S analysts create an MOU and SLA.
  ◦ Span of awareness – Bulletins, technical advisories.
  ◦ No influence – Enterprise relies on assets belonging to someone else.

Chapter 4 – Cont.
• Risk Management – The application of safeguards by security professionals and the assumption of residual risk by senior management.
• Once risks have been assessed they must be treated. Ask these questions:
  1. What options are available?
  2. What are the trade-offs in terms of costs, benefits, and risks?
  3. What are the impacts of current management decisions on future options?
• Remember – All risks map to some loss of the AIC of valued assets.

Chapter 4 – Cont.
• Risk taxonomy, with the fix for each:
  ◦ Personnel – Injuries, absenteeism, etc. Fix: HR department, OSHA standards.
  ◦ Technical – Incorrect sequencing of processes, disclosure of information, modification of systems, etc. Fix: Certification and Accreditation program, IT security best practices.
  ◦ Procedural – Processing line stoppages. Fix: Process mapping, formally documented procedures.
  ◦ Physical – Unauthorized access leading to threats to assets and personnel; ICS systems needing repair from use. Fix: Access control program (badges), facilities management for maintenance.
  ◦ Operational – Disclosure of trade secrets, intellectual property. Fix: Data leakage protection tools; employee indoctrination and awareness.
  * There should be an overall risk management program that includes security intelligence and incident investigations.

Chapter 4 – Cont.
• Selling Risk Management
  ◦ "If it hasn't happened yet, why worry?"
  ◦ Once an incident takes place, the organization goes on a marketing campaign to regain trust.
  ◦ Competitors try to take your customers, employees, and vendor contracts, and finally buy you out.
  ◦ Provide reasonable risk forecasts based on strong situational awareness and use of threat and intelligence information.

Chapter 4 – Cont.
• Effective Risk Management:
  ◦ Mapping mission, asset, threat, and vulnerability to the operations of the organization.
  ◦ Using the mapping consistently.
  ◦ Getting management's buy-in for the metrics.
  ◦ Finding out management's risk tolerance early on.
  ◦ Communicating regulatory compliance.

Chapter 4 – Cont.
• Risk Treatment Options
  ◦ Mitigating risk.
  ◦ Sharing risk.
  ◦ Transferring risk.
  ◦ Accepting risk.
  ◦ Avoiding risk.
  ◦ Ignoring risk.

Chapter 4 – Cont.
• Risk-Based Penetration Testing / Thinking Like an Adversary (Reconnaissance, Information Gathering, Vulnerability Identification, Exploitation)
  ◦ Where is the system, and can I access it?
  ◦ What is the level of protection, and does it change over time? Are there cameras, fences, guards?
  ◦ I must get past controlled doors, secretaries, and staff members, and gain access to a restricted area.
  ◦ I must remain undetected for 15 minutes.
  ◦ I must turn on a system and use tools to crack into it.
  ◦ I must create a persistent presence on the system, or grab files, or modify files.
  ◦ I must be able to leave with my tools and files.
  ◦ I must download the files to my system.
  ◦ I must decrypt those files.
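An added worked example (written for this page, not taken from the slides) that turns the Chapter 4 material above into a small risk register: each asset is rated on the four AP&S factors M, AV, T and V on an ordinal Low/Medium/High scale, combined into R = f(M, AV, T, V) with likelihood drawn from the T/V pair and impact from the M/AV pair, compared against the risk tolerance senior management has stated, and mapped onto the treatment options listed above. The banding rules, the assets and the tolerance level are assumptions for illustration; the slides only say the process is qualitative and that raising any factor raises risk, so the block also includes a check that the chosen f actually has that property.

```python
"""Qualitative AP&S risk register, R = f(M, AV, T, V) (added example, not from the slides)."""
from dataclasses import dataclass
from itertools import product
from typing import List, Tuple

LOW, MEDIUM, HIGH = 1, 2, 3                        # ordinal rating for each factor
RISK_NAMES = {1: "Low", 2: "Medium", 3: "High", 4: "Critical"}


def _band(pair_sum: int) -> int:
    """Collapse the sum of two ordinal ratings (2..6) back onto the 1..3 scale (assumed rule)."""
    return 1 if pair_sum <= 3 else 2 if pair_sum == 4 else 3


def rate_risk(m: int, av: int, t: int, v: int) -> int:
    """R = f(M, AV, T, V) on a 1..4 scale.

    Likelihood comes from the threat/vulnerability pair (a hole nobody is trying to use
    is not likely to be exploited), impact from the mission/asset-value pair.  Each step
    is non-decreasing in its inputs, which is what makes the slide's rule hold (is_monotone).
    """
    likelihood = _band(t + v)
    impact = _band(m + av)
    score = likelihood * impact                    # one of 1, 2, 3, 4, 6, 9
    if score >= 9:
        return 4
    if score >= 6:
        return 3
    if score >= 3:
        return 2
    return 1


def is_monotone() -> bool:
    """Check the slide's claim for this f: raising any one factor never lowers the rating."""
    for factors in product((LOW, MEDIUM, HIGH), repeat=4):
        base = rate_risk(*factors)
        for i, value in enumerate(factors):
            if value < HIGH:
                raised = list(factors)
                raised[i] += 1
                if rate_risk(*raised) < base:
                    return False
    return True


@dataclass
class Asset:
    name: str
    mission: int        # M: how much the business mission depends on it
    value: int          # AV: asset value (TCO, or criticality to the process)
    threat: int         # T: capability, opportunity and intent of the agents facing it
    vulnerability: int  # V: physical/technical/operational/procedural/personnel gaps

    def risk(self) -> int:
        return rate_risk(self.mission, self.value, self.threat, self.vulnerability)


def treatment(risk_level: int, tolerance: int) -> str:
    """Map a rating and management's stated tolerance onto the treatment options."""
    if risk_level <= tolerance:
        return "Accept: within senior-management tolerance, record as residual risk"
    if risk_level == 4:
        return "Avoid or mitigate now: exceeds tolerance on a mission-critical asset"
    return "Mitigate; share or transfer what cannot be mitigated (insurance, vendor SLA)"


def build_register(assets: List[Asset], tolerance: int) -> List[Tuple[str, str, str]]:
    """Rows of (asset, rating, treatment), worst first, for the risk communication step."""
    ranked = sorted(assets, key=lambda a: a.risk(), reverse=True)
    return [(a.name, RISK_NAMES[a.risk()], treatment(a.risk(), tolerance)) for a in ranked]


# Constructed assets for a manufacturing line (illustrative ratings, not from the slides).
SAMPLE_ASSETS = [
    Asset("Assembly-line PLC (Modbus/TCP, default credentials)", HIGH, HIGH, HIGH, HIGH),
    Asset("Historian server (patched, segmented VLAN)", MEDIUM, MEDIUM, MEDIUM, LOW),
    Asset("Packaging-line HMI (unpatched, read-only VLAN)", MEDIUM, LOW, MEDIUM, HIGH),
    Asset("Customer database (IT side)", HIGH, MEDIUM, HIGH, LOW),
]
MANAGEMENT_TOLERANCE = MEDIUM  # assumed: management accepts anything rated Medium or lower

if __name__ == "__main__":
    print("f is monotone in every factor:", is_monotone())
    for name, rating, action in build_register(SAMPLE_ASSETS, MANAGEMENT_TOLERANCE):
        print(f"{rating:8} {name}: {action}")
```

The monotonicity check is the part worth keeping when you replace the assumed banding with your own organization's matrix: a scoring rule that lets a higher threat rating produce a lower risk is a common spreadsheet mistake, and it is cheap to test exhaustively over the 81 combinations before the register is shown to management.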

Explanation & Answer

Let me know whether you need any correction

Surname 1
Name:
Institution:
Instructor:
Date:
Computing vulnerability
Classification
The article analyzes a cloud computing vulnerability. It can be classified as an
operational vulnerability. It is classified under this category because it affects the operations of
the system. The mode of action is interfering with the way things like computer software are
working by affecting the documents and also the programs which the computers use on a daily basis.
Cloud computing, through its delta model, affects the way systems are working in case it is
affected by any vulnerability (Chou, n.p.). In this case, the cloud computing vulnerability works
by introducing a security-specific reference which is built into the system to alter the operations of
the sys...

