Chapters 7, 8, 9, 10, 11, 12

Chapter Seven

Risk Management Frameworks and Processes

Fundamental of Software Security (SE7431)

Compiled by Alemu w., ([email protected]), 15 May 2015


Risk Related Definitions
 Risk: Likelihood that a threat will exploit a vulnerability in an asset.
 Threat: Anything that has the potential to harm an asset
 An asset provides value to the organization and can be tangible, like
hardware, or intangible like an organization’s reputation.
 Vulnerability: A weakness; a lack of safeguard
 Exploit: Instance of compromise
 Controls: Protective mechanisms to secure vulnerabilities
 Safeguards: Proactive (Deters and/or Prevents)
 Countermeasures: Reactive mechanism (Detects and/or Corrects)

 Secondary Risk: A risk event that arises as a result of another risk response.
Risk Related Definitions
 Residual Risk: The amount of risk left over after a risk response.
 Fallback plan: "Plan B".
 Workaround: Unplanned response (for an unidentified risk, or when the other responses don't work).
 Total Risk: The risk that exists before any control is implemented.
 Risk Calculations
 Threats × Vulnerability × Asset Value = Total Risk
 Total Risk × Controls Gap = Residual Risk

Risk Assessment
 Risk Management consists of:
 Risk Assessment: identify assets, threats and vulnerabilities
 Risk Analysis: value (rank or quantify) the potential risks
 Risk Mitigation: responding to risk
 Risk Monitoring: risk is FOREVER, so monitoring never ends

Assessment:
 Identify and value assets
 Identify threats and vulnerabilities
 Methodologies: OCTAVE, NIST SP 800-30 and FRAP
The assessment process can be represented as follows:

Risk Assessment
 Assessment process (the NIST SP 800-30 steps):
 System characterization and threat identification
 Vulnerability identification and control analysis
 Likelihood determination and impact analysis
 Risk determination and control recommendations
 Results documentation

Risk Analysis:
 Qualitative Analysis:
 Subjective analysis that helps prioritize the probability and impact of risk events.
 May use the Delphi technique (anonymous, iterative expert consensus).
 Subjective approach that seeks an in-depth description in narrative form.
 Uses words like "high", "medium", "low" to describe the likelihood and severity (or probability and impact) of a threat exposing a vulnerability.
Risk Assessment
 Quantitative Analysis:
 Assigns a monetary value to a particular risk event.
 Much more sophisticated in nature; a quantitative analysis is much more difficult and requires a special skill set.
 Business decisions are made on a quantitative analysis.
 Can't exist on its own: it depends on qualitative information.
 Objective approach that seeks precise measurement in numerical form.

 Risk Mitigation and Review:
 Quantitative analysis leads to the proper risk mitigation.
 Cost/benefit analysis helps decide the correct mitigation strategy: a control is only worth deploying if it removes more expected loss than it costs.
 Rarely do we focus on eliminating risk, as it can be too costly and is very unlikely to be successful.
 We can eliminate individual risks, but not risk in general.
Risk Assessment
 Reduce: lessens the probability and/or impact of a risk. The ultimate risk reduction is risk avoidance.
 Accept: a logical choice when the cost of mitigation is greater than the potential for loss.
 Transfer: shares the risk with someone else. Insurance or SLAs are risk transference.
 Avoid: eliminates the risk by not carrying out the activity that creates it.
 Reject: ignores a known risk; this is not a legitimate response and leaves the total risk in place.
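The calculations and responses above, carried into working code. This is an added example, not from the slides: it implements the slides' Total Risk and Residual Risk products and the standard quantitative formulas the slides allude to but do not write out (SLE = AV × EF, ARO, ALE = SLE × ARO, and the cost/benefit of a safeguard as the ALE it removes minus its annual cost), then uses the result to choose between reduce, accept and transfer. The scenario numbers, the `RiskScenario` field names and the `risk_appetite` threshold are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One threat/vulnerability pair against one asset (constructed values below)."""
    asset_value: float        # AV: value of the asset in currency units
    threat_likelihood: float  # P(threat acts against the asset within a year), 0..1
    vulnerability: float      # P(the attempt succeeds), 0..1
    exposure_factor: float    # EF: fraction of the asset lost per successful incident


# --- the slides' conceptual products --------------------------------------

def total_risk(s: RiskScenario) -> float:
    """Threats * Vulnerability * Asset Value: risk before any control."""
    return s.threat_likelihood * s.vulnerability * s.asset_value


def residual_risk(s: RiskScenario, controls_gap: float) -> float:
    """Total Risk * Controls Gap: the share the controls in place do not address
    (controls_gap = 1.0 means no control, 0.0 means fully controlled)."""
    return total_risk(s) * controls_gap


# --- standard quantitative formulas (not written out on the slides) -------

def single_loss_expectancy(s: RiskScenario) -> float:
    """SLE = AV * EF: cost of one successful incident."""
    return s.asset_value * s.exposure_factor


def annualized_rate_of_occurrence(s: RiskScenario) -> float:
    """ARO: expected number of successful incidents per year."""
    return s.threat_likelihood * s.vulnerability


def annualized_loss_expectancy(s: RiskScenario) -> float:
    """ALE = SLE * ARO: expected loss per year from this scenario."""
    return single_loss_expectancy(s) * annualized_rate_of_occurrence(s)


def safeguard_value(before: RiskScenario, after: RiskScenario, annual_cost: float) -> float:
    """Cost/benefit of a control: the ALE it removes minus what it costs per year.
    Positive means the control pays for itself."""
    return annualized_loss_expectancy(before) - annualized_loss_expectancy(after) - annual_cost


def choose_response(before: RiskScenario, after: RiskScenario,
                    annual_cost: float, risk_appetite: float) -> str:
    """Map the numbers onto the slides' response categories.

    reduce   - the control removes more expected loss than it costs
    accept   - the control is not worth it and the exposure is within appetite
    transfer - the control is not worth it but the exposure exceeds appetite,
               so shift it (insurance, SLA) rather than ignore it
    """
    if safeguard_value(before, after, annual_cost) > 0:
        return "reduce"
    if annualized_loss_expectancy(before) <= risk_appetite:
        return "accept"
    return "transfer"


# Constructed scenario: a 200 000-unit asset; an attempt is expected every other
# year and succeeds 40% of the time, destroying a quarter of the asset's value.
BEFORE = RiskScenario(asset_value=200_000, threat_likelihood=0.5,
                      vulnerability=0.4, exposure_factor=0.25)
# The same asset after a control that cuts the success probability to 10%.
AFTER = RiskScenario(asset_value=200_000, threat_likelihood=0.5,
                     vulnerability=0.1, exposure_factor=0.25)

if __name__ == "__main__":
    print(f"total risk (before controls): {total_risk(BEFORE):,.0f}")
    print(f"residual risk, 25% gap left : {residual_risk(BEFORE, 0.25):,.0f}")
    print(f"ALE before / after control  : {annualized_loss_expectancy(BEFORE):,.0f}"
          f" / {annualized_loss_expectancy(AFTER):,.0f}")
    for cost in (5_000, 9_000):
        verdict = choose_response(BEFORE, AFTER, cost, risk_appetite=8_000)
        print(f"control costing {cost:,}/yr -> {verdict}")
```

The same control is "reduce" at 5 000 per year and "transfer" at 9 000: the decision is driven by the safeguard's net value against the ALE, which is the cost/benefit step the slides describe, and by whether the uncontrolled ALE sits inside the organization's appetite.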

Chapter Eight
Security System Assessment and Evaluation



Introduction
 The bigger the network, the bigger the security problems involving the system resources on it.
 Many companies, businesses, and institutions run systems that work in coordination and collaboration with other systems, sharing each other's resources and communicating with each other.
 The risk of someone intruding into these systems for sabotage, vandalism, and resource theft is high.
 For security assurance of networked systems, such risks must be assessed:
 To determine the adequacy of existing security measures and safeguards
 To determine if improvement in the existing measures is needed
Security Assessment
 An assessment process consists of a comprehensive and continuous analysis of the security threat risk to the system that involves:
 An audit of the system
 Assessing the vulnerabilities of the system
 Maintaining a credible security policy, and
 A vigorous regime for the installation of patches and security updates.
 In addition, there must also be a standard process to minimize the risks associated with nonstandard security implementations across shared infrastructures and end systems.
Security Assessment Process
 The process to achieve all these and more consists of several tasks, including:
 A system security policy
 Security requirements specification
 Identification of threats and threat analysis
 Vulnerability assessment
 Security certification, and
 The monitoring of vulnerabilities and auditing
 The completion of these tasks marks a security milestone on the road to a system's security assurance.
 Security assurance is a continuous state, not a one-time result: the tasks above are repeated as the system and its threats change.
Security Evaluation
 There are several approaches to establishing confidence in the security of a product:
 Standardization and security evaluation of products
 Standardization leads into security evaluation, meaning that product security evaluation is done against established standards.
 Security evaluation of computer products by independent and impartial bodies creates and provides security assurance to the customers of the product.
 The job of the security evaluators is to provide an accurate assessment of the strength of the security mechanisms in the product and systems, based upon a criterion.
 Based on these evaluations, an acceptable level of confidence in the product or system is established for the customer.
Security Evaluation
 The process of product security evaluation for certification consists of
two components:
 The criteria against which the evaluations are performed and
 The schemes or methodologies which govern how and who can perform such
security evaluations

 There are several criteria and methods used internationally.
 The process of security evaluation, based on criteria, consists of a series of tests based on a set of levels, where each level may test for a specific set of standards.
 The process starts by establishing:
 Purpose, criteria, structure/elements and outcome/benefit
Security Evaluation
 Purpose of Security Evaluation:
 Certification – to certify that a given product meets the stated security criteria
and therefore is suitable for a stated application.
 Accreditation – to decide whether a given computer product, usually certified,
meets stated criteria for and is suitable to be used in a given application.
 Evaluation – to assess whether the product meets the security requirements and
criteria for the stated security properties as claimed.
 Potential market benefit, if any for the product – if the product passes the
certification, it may have a big market potential.

 Security Evaluation Criteria:
 A collection of security standards that define several degrees of rigor acceptable at each testing level of security in the certification of a computer product.
Security Evaluation
 Basic Elements of an Evaluation:
 The structure of an effective evaluation process, whether product oriented or
process oriented, must consider the following basic elements:
 Functionality: The acceptance of a computer security product depends on what
and how much it can do.
 Effectiveness: After assuring that the product has enough functionalities to meet
the needs of the buyer, the next key question is always whether the product
meets the effectiveness threshold set by the buyer in all functionality areas.
 Assurance: To give the buyer enough confidence in the product, the buyer must be given an assurance, a guarantee, that the product will meet, if not exceed, the stated minimum security requirements.
Security Evaluation
 Outcome/Benefits:
 The goal of any product producer and security evaluator is to have a
product that gives the buyer the best outcome and benefits within a
chosen standard or criteria.
 Evaluation Process:
 Product oriented: an investigative process to thoroughly examine and test every stated security criterion and determine to what extent the product meets these stated criteria in a variety of situations.
 Process oriented: an audit process that assesses the developmental process of the product and the documentation produced along the way, looking for security loopholes and other security vulnerabilities.
Security Evaluation
 Product Security Evaluation Processes:
 Proposal review
 Technical assessment
 Advice
 Intensive preliminary technical review
 Evaluation
 Rating maintenance phase
 Major Security Evaluation Criteria:
 ICC, FIPS, TCSEC
Chapter Nine
Code Review Using Static Analysis Tools



Secure Software Coding
 Why is software insecure?
 Lack of training and lack of funding
 No prioritization of security
 Security as an afterthought
 IPv4 has no inherent security. It was designed for a trusted network of cooperating hosts, so designing security into the protocol seemed unnecessary.
 IPv6 was specified together with IPsec, a security framework for IP traffic that provides authentication, integrity and encryption. IPsec support was originally mandatory for IPv6 implementations (relaxed to recommended by RFC 6434), but it is not switched on by default, so IPv6 traffic is not inherently secured: IPsec has to be configured, and authorization remains the application's job.
Secure Software Coding
 Defensive Coding:
 A form of proactive, secure coding intended to ensure the continuing function of the software under unforeseen circumstances.
 Defensive programming techniques are used especially when a piece of software is likely to be misused.
 The benefits of defensive coding generally include:
 General quality: reducing the number of bugs and flaws associated with the software
 Comprehensible source code: the code should be readable and understandable, so that it can be properly examined and approved in a code review.
 Predictable behaviour of the software despite unexpected inputs or user actions.
Secure Software Coding
 Defensive programming design:
 Thorough and complete design
 Design for testability
 Design for security by identifying, preventing and testing for insecure conditions
 Design test methods into the system
 Test during the development process
 Keep a log describing the testing process
 Maintain the testing tools in addition to the product
 Code Analysis: inspect code for quality and weaknesses
 Static code analysis inspects the code without executing it (the source, or a compiled binary, is analysed as data).
 Dynamic code analysis inspects the code while it is being executed (run as a program, typically with instrumentation or crafted test inputs).
Secure Software Coding
 Code Review:
 A systematic evaluation of the source code with the goal of finding defects and weaknesses in the code that can impact the performance and security of the software.
 Inspect for: insecure code and inefficient code
 What to look for in code reviews:
 Injection flaws
 Non-repudiation mechanisms
 Spoofing attacks
 Error and exception handling
 Cryptographic strength
 Unsafe and unused functions
 Reversible code
 Privileged code
 Maintenance hooks and logic bombs
 Timing and synchronization (race conditions)
 Implementation issues
 Cyclomatic complexity
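Three of the review items above (unsafe functions, unused functions and cyclomatic complexity) are mechanical enough for a static analysis tool to find. The following is an added example, not from the slides or from any real tool: a small checker that parses a Python module into its abstract syntax tree and, without running it, flags calls to a banned-function list, computes the McCabe cyclomatic complexity of every function, and reports functions that are defined but never referenced. `UNSAFE_CALLS` is a constructed starting list, the `max_complexity` threshold is a policy choice, and `SAMPLE_SOURCE` is a constructed module written to trigger each finding.

```python
import ast
from dataclasses import dataclass

# Calls a reviewer should always stop at (constructed list; extend it with the
# project's own banned APIs). Matched on the spelled-out name, e.g. "os.system".
UNSAFE_CALLS = {"eval", "exec", "os.system", "pickle.loads", "yaml.load", "input"}

# Node types that add one path each to a function's control-flow graph.
BRANCH_NODES = (ast.If, ast.For, ast.While, ast.AsyncFor, ast.ExceptHandler, ast.IfExp)


@dataclass(frozen=True)
class Finding:
    line: int
    message: str


def call_name(call: ast.Call) -> str:
    """'eval' for eval(...), 'os.system' for os.system(...), '' for anything else."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return ""


def cyclomatic_complexity(func: ast.FunctionDef) -> int:
    """McCabe complexity: 1 plus one per decision point (if/elif/for/while/except/
    ternary), one per extra operand of an and/or, and one per comprehension loop
    plus one per filter clause in it."""
    score = 1
    for node in ast.walk(func):
        if isinstance(node, BRANCH_NODES):
            score += 1
        elif isinstance(node, ast.BoolOp):
            score += len(node.values) - 1
        elif isinstance(node, ast.comprehension):
            score += 1 + len(node.ifs)
    return score


def function_complexities(source: str) -> dict:
    """Name -> complexity for every function defined in the module."""
    tree = ast.parse(source)
    return {n.name: cyclomatic_complexity(n)
            for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)}


def review(source: str, max_complexity: int = 10) -> list:
    """Static review of one module: unsafe calls, over-complex functions, and
    functions that are defined but never referenced (dead code to remove)."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and call_name(node) in UNSAFE_CALLS:
            findings.append(Finding(node.lineno, f"unsafe call {call_name(node)}()"))
    defined = [n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)]
    referenced = {n.id for n in ast.walk(tree) if isinstance(n, ast.Name)}
    for fn in defined:
        cc = cyclomatic_complexity(fn)
        if cc > max_complexity:
            findings.append(Finding(fn.lineno,
                                    f"{fn.name}(): cyclomatic complexity {cc} > {max_complexity}"))
        if fn.name not in referenced:
            findings.append(Finding(fn.lineno, f"{fn.name}(): defined but never called"))
    return sorted(findings, key=lambda f: f.line)


# Constructed module under review (not real project code).
SAMPLE_SOURCE = '''\
import os

def run(cmd, debug):
    if debug:
        print(cmd)
    elif not cmd:
        return None
    for part in cmd.split():
        if part == "--unsafe":
            return eval(part)
    return os.system(cmd)

def helper():
    return 1

def main():
    return run("ls", False)
'''

if __name__ == "__main__":
    for f in review(SAMPLE_SOURCE, max_complexity=3):
        print(f"line {f.line:>3}: {f.message}")
```

Resolving a call only by its spelled name is the classic weakness of a lightweight checker: `getattr(os, "system")(cmd)` or an aliased import slips through, which is why a real tool tracks imports and bindings and why a code review still reads the code rather than trusting the tool's output.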
Network Security Testing
 Primary methods for testing a network’s security:
 Audits,Vulnerability Scans and PenetrationTesting

 Audits:
 An audit is usually a check of documentation.
 In fact, this is the key to an audit: an audit is a check for compliance.
 Reviewing incident response plans, disaster recovery plans, and security policies.
 Checking past incident response reports to ensure compliance with the
established plans and policies.
 Involve a review of system logs: firewall logs, intrusion detection system logs, or
any other system logs
 The primary focus of an audit is to evaluate whether the target network complies with the appropriate policies, regulations, and, in some cases, laws that are applicable to that organization.
Network Security Testing
 Vulnerability Scans:
 Vulnerability scanning services provide a broad review of known weaknesses in the system, covering both the perimeter and the system internals.
 Spot critical vulnerabilities and gaps in the system's security practices.
 Scanning is used to:
 Map the environment
 Identify server versions, open ports and running services
 Inventory and validate asset management databases
 Identify patch levels
 Prove due care and due diligence for compliance purposes
Network Security Testing
 Vulnerability Scans - Types of Scanning:
 Vulnerability Scanning: performed with the goal of providing detection &
identification of security flaws and weaknesses in the software/system
 Content Scanning: analyzes the actual contents of the document (web pages, files,
etc.) for malicious content in macros, embedded scripts, etc.
 Privacy Scanning: Performed to detect violations of privacy policies

 Penetration Testing:
 A penetration test is an ongoing cycle of research and attack against a target or boundary.
 The attack should be structured, calculated, and, when possible, verified in a lab before being implemented on a live target.
 Whereas scanning only identifies and reports weaknesses (it probes the target but does not exploit anything), pen-testing looks to actively exploit a weakness and demonstrate its impact.
Network Security Testing
 Penetration Testing:
 Reconnaissance (Enumeration and Discovery) which allows learning and listing
information about the network, often from publicly available sources like the
internet.
 Resiliency Attack: Attempt to exploit the potential vulnerabilities from the
reconnaissance
 Removal of Evidence: Clean up any evidence of the compromise
 Reporting and Recommendations: Should include technical vulnerabilities as well
as non-compliance with organizational processes and policies.
 A successful penetration attack results in unauthorized access to a protected system resource or automated system, or in bypassing the security mechanisms of a computing system.
Network Security Testing
 A penetration cyber attack can also be defined as any attack that violates the
integrity and confidentiality of a computing system’s host.
 Penetration attacks involve breaking into systems using known security
vulnerabilities to gain access to any cyberspace resource.
 Full penetration Attack:
 Provides an intruder full access to all of a system’s cyberspace resources
 Allows an intruder to alter data files, change data, plant viruses, or install Trojan
horse programs into the system.
 Allows intruders to use the victim computer on a network, to use a penetration
attack as a launching pad to attack other network resources.

Network Security Testing
 There are three broad categories of penetration testing.
 Black Box,White Box, and Gray Box
 These designations are a description of how much information the penetration
tester is given prior to the test.

 A black box test involves the penetration tester having as little information about the target network as possible, perhaps only the organization's name and the URL or IP address of its gateway router.
 The goal of such tests is to simulate an external attacker attempting to breach the network.
Network Security Testing
 A white box penetration testing involves the tester having extensive
knowledge of the target system.
 IP addresses of workstations and servers, switches and routers
 Operating system information for computers
 Information regarding security devices such as firewalls and
intrusion detection systems
 Gray Box penetration testing:
This is a rather generic term without specific boundaries
The tester is given some network information but not all
As a practical matter, this is often the easiest to initiate
Chapter Eleven and Twelve

Buffer Overflow Attack and Abuse Case


Developments in Software Security



Abuse Cases in Software Security
 Abuse case studies in computer network and information security are
detailed analyses of specific instances or patterns of abuse that occurred
in a computer network or system, or involved the use of information
technology.
 They usually describe the context, causes, consequences, and responses to the
abuse, as well as the lessons learned and recommendations for prevention or
intervention.
 Examples:
 The case of phishing and malware attacks that exploit the weaknesses of controls in
software features to attack an application.
 The case of computer crime and abuse that involves illegal or unethical acts in which
computers are the primary tool.
 The case of data breaches caused by insider threats that involve authorized users who
misuse their access to harm an organization or its data.
Buffer Overflow Attack
 A buffer overflow attack is a type of abuse that occurs when an attacker
sends more data to a buffer than it can store, causing the excess data to
overwrite adjacent memory locations.
 This can corrupt or modify the data in those locations, or allow the
attacker to execute arbitrary code or commands on the affected system.
 Buffer overflow attacks can exploit the weaknesses of controls in
software features, such as input validation, error handling, or memory
management. They can also target common or vulnerable packages,
libraries, or frameworks that are used by applications
 Buffer overflow attacks can occur in various ways and affect different parts of the system memory, such as the stack or the heap; the classic stack overflow overwrites the saved return address and so takes control of the instruction pointer. They can also involve different techniques, such as injecting shellcode, manipulating pointers, or using return-oriented programming.
Abuse Cases in Software Security
 Buffer overflow attacks can have serious consequences, such as stealing
data, compromising systems, damaging files, or performing denial-of-
service attacks. They can also enable attackers to bypass security
mechanisms, escalate privileges, or gain remote access
 You can read further about the abuse cases:
 https://cheatsheetseries.owasp.org/cheatsheets/Abuse_Case_Cheat_Sheet.html
 7 Real-Life Data Breaches Caused by Insider Threats | Ekran System
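The mechanism described above, as an added example that is not from the slides. The examples on this page are in Python, so the overwrite is modelled with ctypes on a real, contiguous block of memory: a `Frame` structure holds an 8-byte buffer followed by a word standing in for the saved return address (the field names and the constructed value 0x08048000 are illustrative). `unsafe_copy` behaves like a strcpy/memcpy whose length is chosen by the sender, and `safe_copy` is the bounds-checked version; in C the same bug is a strcpy into a char[8]. The payload is kept within the structure's own allocation so that the demonstration itself stays memory-safe.

```python
import ctypes

BUF_SIZE = 8  # what the programmer allocated for the input


class Frame(ctypes.Structure):
    """Toy stack frame: the buffer sits directly below the word a real frame
    would use as the saved return address, exactly as on an x86 stack."""
    _fields_ = [
        ("buf", ctypes.c_char * BUF_SIZE),
        ("saved_ret", ctypes.c_uint32),  # adjacent memory the overflow reaches
    ]


ORIGINAL_RET = 0x08048000  # constructed, plausible-looking return address


def new_frame() -> Frame:
    frame = Frame()
    frame.saved_ret = ORIGINAL_RET
    return frame


def unsafe_copy(frame: Frame, data: bytes) -> None:
    """strcpy/memcpy with the attacker's length: copies into buf with no check,
    so bytes 9.. land in saved_ret."""
    if len(data) > ctypes.sizeof(frame):
        raise RuntimeError("demo stays inside the Frame allocation")
    ctypes.memmove(ctypes.addressof(frame), data, len(data))


def safe_copy(frame: Frame, data: bytes) -> None:
    """The hardened version: reject (do not silently truncate) oversized input
    before a single byte is written."""
    if len(data) > BUF_SIZE:
        raise ValueError(f"input of {len(data)} bytes exceeds {BUF_SIZE}-byte buffer")
    ctypes.memmove(ctypes.addressof(frame), data, len(data))


def overflow_demo(payload: bytes) -> int:
    """Return the saved return address after an unchecked copy of payload."""
    frame = new_frame()
    unsafe_copy(frame, payload)
    return frame.saved_ret


def hardened_demo(payload: bytes):
    """Return (saved return address, rejected?) after the bounds-checked copy."""
    frame = new_frame()
    try:
        safe_copy(frame, payload)
        return frame.saved_ret, False
    except ValueError:
        return frame.saved_ret, True


if __name__ == "__main__":
    # 8 filler bytes to fill buf, then 4 bytes that land on saved_ret.
    payload = b"A" * BUF_SIZE + b"B" * 4
    print(f"after unsafe copy : saved_ret = {overflow_demo(payload):#010x}")
    ret, rejected = hardened_demo(payload)
    print(f"after safe copy   : saved_ret = {ret:#010x}, rejected={rejected}")
```

Replacing the four `B` bytes with an address of the attacker's choosing (shellcode, or the first gadget of a ROP chain) is what turns this corruption into code execution; the fix is the length check, and in C the same intent is expressed with `strncpy`/`snprintf` with the destination size, or better, with a length-aware API.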
Lab Practices

Basics of Networking Commands



Basic Networking Commands
 Ping Networking Command
 Used to test the network connectivity between a source computer and a
destination computer or device.
 It works by sending packets of data to the destination and measuring the time it
takes for them to return.
 It can also show if there is any packet loss or delay in the network.
 Common options for the Windows ping command (Linux and macOS use different switches) are:
 -t: Ping the destination until stopped with Ctrl+C
 -a: Resolve the destination IP address to a hostname
 -n count: Specify the number of echo requests to send
 -l size: Specify the size of the packet payload in bytes
 -f: Set the Don't Fragment flag in the packet, so routers drop it instead of fragmenting it (used to find the path MTU)
Basic Networking Commands
 Ipconfig Networking Command
 Displays and modifies the basic TCP/IP configuration for all adapters on a Windows
device.
 It can also refresh Dynamic Host Configuration Protocol (DHCP) and Domain
Name System (DNS) settings.
 Some of the most common ipconfig commands are:
 ipconfig: Displays the IPv4 and IPv6 addresses, subnet mask, and default gateway for all
adapters.
 ipconfig /all: Displays the full TCP/IP configuration for all adapters, including physical
and logical interfaces.
 ipconfig /release: Releases the current DHCP configuration and discards the IP address
for either all adapters or a specific adapter.
 ipconfig /renew: Renews the DHCP configuration for either all adapters or a specific adapter.
Basic Networking Commands
 Ipconfig Networking Command
 ipconfig /flushdns: Flushes and resets the contents of the DNS client resolver
cache.
 ipconfig /displaydns: Displays the contents of the DNS client resolver cache.
 ipconfig /registerdns: Initiates manual dynamic registration for the DNS names
and IP addresses configured at a computer.
 ipconfig /showclassid: Displays all valid DHCP class identifiers for an adapter.
 ipconfig /setclassid: Modifies the DHCP class ID for an adapter.
 ipconfig /release6: Releases the current DHCPv6 configuration and discards the
IPv6 address for either all adapters or a specific adapter.
 ipconfig /renew6: Renews the DHCPv6 configuration for either all adapters or a
specific adapter.
Basic Networking Commands
 Tracert Networking Commands
 Determines the path taken by a network packet from the source to destination
 Send ICMP echo Request messages with incrementally increasing Time to Live
(TTL) values and examine the ICMP time Exceeded and echo Reply messages
returned by intermediate routers and the destination.
 Some of the common tracert commands are (Windows tracert options take a leading hyphen):
 tracert <targetname>: Displays the path and transit times of packets to the specified destination (either an IP address or hostname).
 tracert -d <targetname>: Prevents tracert from resolving IP addresses to hostnames, resulting in faster results.
 tracert -h <maximumhops> <targetname>: Specifies the maximum number of hops in the path to search for the destination. The default is 30 hops.
Basic Networking Commands
 Tracert Networking Command
 tracert -w <timeout> <targetname>: Specifies the amount of time in milliseconds to wait for a response for each hop. The default is 4000 milliseconds (4 seconds).
 tracert -4 <targetname>: Forces tracert to use IPv4 only.
 tracert -6 <targetname>: Forces tracert to use IPv6 only.

 Nslookup Networking Command
 Displays information that you can use to diagnose Domain Name System (DNS) infrastructure.
 It can query a DNS server for domain name or IP address mapping, or any other specific DNS record.
 It can also be used to troubleshoot DNS-related problems.
Basic Networking Commands
 Common nslookup commands (any of nslookup's interactive "set" options can be given on the command line with a leading hyphen):
 nslookup <targetname>: Displays the default DNS server and its IP address, and the address records of the specified target (or the name for a specified IP address).
 nslookup <targetname> <dnsserver>: Sends the query to the specified DNS server instead of the default one, which lets you compare the answers of different resolvers.
 nslookup -type=<recordtype> <targetname>: Changes the resource record type for the query, such as A, MX, NS, PTR, SOA, etc., and displays the corresponding records for the target (interactive: set type=<recordtype>).
 nslookup -debug <targetname>: Turns on debugging mode, which shows detailed information about the query and the response (interactive: set debug).
 nslookup -recurse <targetname>: Tells the DNS server to query other servers if it does not have the information; this is the default, and -norecurse turns it off (interactive: set recurse / set norecurse).
Lab Practices

Packet Tracer



Basic Switch Configuration
 SSH:
 Secure Shell is a protocol that provides a secure and encrypted management
connection to a remote device. It should replace Telnet for management
connections. SSH is assigned to TCP port 22.

 Port security:
 Port security lets you restrict ingress traffic on a switch port by limiting the MAC addresses that are allowed to send traffic into the port. You can also configure the action to be taken when a violation occurs, such as shutting down the port or sending a notification.

 DHCP snooping:
 DHCP snooping is a feature that filters DHCP messages between untrusted hosts and trusted DHCP servers. It prevents rogue DHCP servers on untrusted ports from offering IP addresses or other network parameters to hosts.
Basic Switch Configuration
 Rapid PVST, PortFast and BPDU Guard:
 Rapid Per-VLAN Spanning Tree (Rapid PVST) is a version of Spanning Tree Protocol (STP) that provides faster convergence and loop prevention per VLAN. PortFast is a feature that allows a switch port to transition directly to the forwarding state when connected to an end device, bypassing the STP listening and learning states. BPDU Guard is a feature that error-disables a PortFast-enabled port if it receives a Bridge Protocol Data Unit (BPDU), which means that a switch rather than an end device has been attached and a loop could form.

 Activate port security on all the active access ports on switch SW-1:
 SW-1(config)#interface range FastEthernet0/1, FastEthernet0/2, FastEthernet0/10, FastEthernet0/24
 SW-1(config-if-range)#switchport mode access
 SW-1(config-if-range)#switchport port-security
Basic Switch Configuration

Steps for enabling SSH on the switch (the slide's command listing is not reproduced):
1. Enter global configuration mode.
2. Configure a hostname for your switch.
3. Configure the IP domain name for your switch (needed to generate the key pair).
4. Generate an RSA key pair; generating the key pair automatically enables the SSH server for local and remote authentication on the switch.
5. Return to privileged EXEC mode.
Basic Switch Configuration
 Configure the active ports to allow a maximum of 4 MAC addresses:
 SW-1(config)#interface range FastEthernet0/1, FastEthernet0/2, FastEthernet0/10, FastEthernet0/24
 SW-1(config-if-range)#switchport port-security maximum 4

 Other tasks
 Statically configure the MAC address of the PC using port security
 Configure the port security violation mode to drop packets from MAC addresses that exceed the maximum (protect mode drops silently, restrict mode drops and logs the violation; the default, shutdown, error-disables the whole port)
 Move all unused switch ports to the BlackHole VLAN
 Shut down all unused switch ports
Basic Router Configuration
 Security features that can be configured on routers:
 SSH: Secure Shell is a protocol that provides a secure and encrypted management
connection to a remote device. SSH is assigned to TCP port 22.
 AAA: Authentication, Authorization, and Accounting (AAA) network security services provide the primary framework through which you set up access control on your router. Authentication identifies users, authorization determines what an authenticated user is allowed to do, and accounting collects usage records and sends them to the security server.
 AutoSecure: AutoSecure is a feature that secures a router by using a single CLI command to disable common IP services that can be exploited for network attacks, enable IP services and features that can aid in the defense of a network when under attack, and simplify and harden the security configuration of the router.
Basic Router Configuration
 Security features that can be configured on routers:
 Access Lists: Access lists are used to filter traffic based on a variety of criteria,
such as source and destination IP addresses, protocols, ports, and packet
contents. Access lists can be applied to interfaces or routing protocols to control
the flow of traffic.
 Cisco IOS Firewall: Cisco IOS Firewall is a feature set that provides stateful
packet inspection (SPI) firewall capabilities on a router. It can inspect traffic at
the application layer, block malicious traffic, and prevent unauthorized access to
network resources.
 Cisco IOS IPS: Cisco IOS Intrusion Prevention System (IPS) is a feature that enables a router to detect and prevent network attacks by analyzing traffic patterns and signatures. It can block malicious traffic, generate alerts, and log events.
Basic Router Configuration
 Security features that can be configured on routers:
 VPN: Virtual Private Network (VPN) is a technology that creates a secure tunnel
between two or more devices over a public network, such as the Internet. VPNs
can provide confidentiality, integrity, and authentication for data transmission.
There are different types of VPNs, such as site-to-site VPNs, remote access VPNs,
Dynamic Multipoint VPNs (DMVPN), and Group Encrypted Transport VPNs
(GETVPN).

Lab Practices

Wireshark



Wireshark GUI and Packet Analysis
 Packet sniffing
 Packet analysis
Lab Practices

NMAP



Scanning
 Scan IP addresses (targets):
 nmap 10.0.0.1  Scan a single host IP
 nmap 192.168.10.0/24  Scan a /24 (class C sized) subnet, all 256 addresses
 nmap 10.1.1.5-100  Scan the range of IPs from 10.1.1.5 up to 10.1.1.100
 nmap -iL hosts.txt  Scan the IP addresses listed in the text file "hosts.txt"
 nmap 10.1.1.3 10.1.1.6 10.1.1.8  Scan the 3 specified IPs only
 nmap www.somedomain.com  Resolve the hostname and then scan its IP address
 Port related commands:
 nmap -p80 10.1.1.1  Scan only port 80 on the specified host
 nmap -p20-23 10.1.1.1  Scan ports 20 up to 23 on the specified host
 nmap -p80,88,8000 10.1.1.1  Scan ports 80, 88 and 8000 only
 nmap -p- 10.1.1.1  Scan ALL ports (1-65535) on the specified host
 nmap -sS -sU -p U:53,T:22 10.1.1.1  Scan UDP port 53 and TCP port 22 (a SYN scan plus a UDP scan)
 nmap -p http,ssh 10.1.1.1  Scan the http and ssh ports on the specified host (names resolved from the nmap-services file)
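The target and port notations in the table above, as an added example that is not part of the slides or of nmap itself: a small Python parser that expands nmap's target specifications (single IP, CIDR block, per-octet ranges, whitespace-separated lists and the contents of an -iL file) and -p port specifications (single ports, ranges, lists, `-` for all ports, the T:/U:/S: protocol prefixes and service names) into the concrete addresses and (protocol, port) pairs nmap will probe. It goes beyond the slide in one respect: nmap allows a range in any octet, not only the last, so the parser handles that too. `SERVICE_PORTS` is a constructed stand-in for the nmap-services file, and hostnames are passed through unresolved because resolution is nmap's job, not the parser's.

```python
import ipaddress
import re
from itertools import product

_OCTET = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")

# Constructed subset of nmap-services; nmap resolves names from that file.
SERVICE_PORTS = {"ssh": 22, "dns": 53, "http": 80, "kerberos": 88, "https": 443}
PROTO_PREFIX = {"T": "tcp", "U": "udp", "S": "sctp"}


def _octet_range(part: str) -> range:
    """'5' -> range(5, 6); '5-100' -> range(5, 101); rejects anything outside 0..255."""
    m = _OCTET.match(part)
    if not m:
        raise ValueError(f"bad octet {part!r}")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"octet range out of order or out of bounds: {part!r}")
    return range(lo, hi + 1)


def expand_target(spec: str) -> list:
    """Expand one nmap target: plain IPv4, CIDR, or per-octet ranges.
    Hostnames are returned unchanged."""
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        # nmap probes every address in the block, network and broadcast included
        return [str(addr) for addr in net]
    parts = spec.split(".")
    if len(parts) == 4 and all(_OCTET.match(p) for p in parts):
        ranges = [_octet_range(p) for p in parts]
        return [".".join(map(str, octets)) for octets in product(*ranges)]
    return [spec]


def expand_targets(args: str) -> list:
    """Whitespace-separated targets as typed on the nmap command line."""
    out = []
    for spec in args.split():
        out.extend(expand_target(spec))
    return out


def targets_from_list(text: str) -> list:
    """Contents of an -iL file: targets separated by whitespace or newlines,
    with '#' comments, as nmap accepts."""
    out = []
    for line in text.splitlines():
        out.extend(expand_targets(line.split("#", 1)[0]))
    return out


def expand_ports(spec: str, default_proto: str = "tcp") -> set:
    """Expand an nmap -p argument into (protocol, port) pairs.
    Handles '80', '20-23', '80,88,8000', '-' (1-65535), 'U:53,T:22' (a T:/U:/S:
    prefix stays in force until the next prefix) and names from SERVICE_PORTS."""
    proto = default_proto
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if ":" in item:
            prefix, item = item.split(":", 1)
            proto = PROTO_PREFIX[prefix.upper()]
        if item == "-":
            lo, hi = 1, 65535          # nmap's '-p-' excludes port 0
        elif item in SERVICE_PORTS:
            lo = hi = SERVICE_PORTS[item]
        elif "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range {item!r}")
        ports.update((proto, p) for p in range(lo, hi + 1))
    return ports


if __name__ == "__main__":
    print(len(expand_target("192.168.10.0/24")), "addresses in 192.168.10.0/24")
    print(expand_target("10.1.1.5-100")[:3], "...", expand_target("10.1.1.5-100")[-1])
    print(sorted(expand_ports("U:53,T:22")))
    print(len(expand_ports("-")), "ports for -p-")
```

Knowing exactly what a spec expands to matters before a scan, not after: a stray `-` or a /16 where a /24 was intended is the difference between probing one segment and sweeping 65 536 addresses you may not be authorized to touch.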
