Risk Management in Software Security
45 Questions

Questions and Answers

The three pillars of software security are Applied Risk Management, Software Security Touchpoints, and ______.

Knowledge

Which of the following is NOT a step in the "Visualize" stage of risk management?

  • Collect
  • Evaluate (correct)
  • Compose
  • Identify

Risk assessment involves determining both the likelihood and impact of a risk.

True (A)

Match the following risk management stages with their corresponding descriptions:

  Identification = Identifying potential threats and vulnerabilities
  Synthesis = Analyzing and prioritizing risks
  Mitigation = Implementing measures to reduce or eliminate risks
  Measuring and Reporting = Tracking the effectiveness of mitigation measures and reporting results

What are two standards that are commonly used in risk management?

Orange Book and Common Criteria

Patches themselves can sometimes introduce new vulnerabilities.

True (A)

Which of the following factors can influence the risk associated with a patch?

  The trustworthiness of the patch provider. (A)
  The amount of time the patch has been in circulation. (B)
  The severity of the vulnerability being patched. (C)

A security ______ provides a numerical representation of the security of a computer system or network.

score

Name three levels of security scores.

Individual vulnerability score, computer score with multiple vulnerabilities, network score with multiple computers.

What is the main purpose of a security score in the context of mission-awareness?

To assess the impact of security changes on various missions. (C)

Match the following security metrics with their descriptions:

  Criticality = A combination of factors that evaluate a computer's importance in a network.
  Time Series = Show the evolution of security over a period.
  NVD/CVSS = A database providing information on vulnerabilities and their severity scores.

What are the two main types of security metrics discussed in the content?

Vulnerability and network reachability.

Gathering security metrics about vulnerabilities and network reachability always relies on manual processes.

False (B)

Which of the following is NOT a consequence of a business risk?

Unexpected system calls (C)

Prioritizing risks based on business goals is a crucial step in risk management.

True (A)

What are the two primary types of risks discussed in the content?

Business risks and technical risks

Risk ____ involves identifying, analyzing, and responding to potential threats that could impact the organization's ability to achieve its objectives.

management

Match the following risk mitigation strategies with their corresponding descriptions:

  Risk Avoidance = Taking steps to eliminate or reduce the likelihood of a risk occurring.
  Risk Transfer = Shifting the financial burden of a risk to another party.
  Risk Mitigation = Implementing strategies to reduce the impact of a risk if it occurs.
  Risk Acceptance = Deciding to accept the potential consequences of a risk without taking any action.

Which of the following is NOT a factor considered when allocating resources to mitigate risks?

Customer satisfaction (B)

Risk mitigation strategies should always be validated to ensure their effectiveness in addressing identified risks.

True (A)

What key factors should be considered when selecting a risk mitigation strategy?

Available technology and resources, and the business context (budget, integration, and understanding).

Which Evaluation Assurance Level (EAL) indicates a system has been formally verified and tested?

EAL7 (A)

EAL1 provides the highest level of assurance for security systems.

False (B)

List two classes of assurance mentioned in the content.

configuration management, delivery and operation

The risk associated with applying patches to software is known as ________.

Patch Risk

Match the following Evaluation Assurance Levels (EAL) with their descriptions:

  EAL2 = Structurally tested
  EAL4 = Methodologically designed, tested and reviewed
  EAL5 = Semi-formally designed and tested
  EAL6 = Semi-formally verified and tested

Which of the following is NOT a class of assurance?

network management (A)

What is a challenge in defining meaningful security metrics?

Difficulty in defining, analyzing, composing, and using security metrics intelligently.

______ refers to the collection and analysis of metrics to assess system security.

Security Metrics

What is the severity score for the vulnerability identified as CVE-2009-0022?

6.3 (B)

The vulnerability CVE-2009-0022 affects Samba versions 3.2.0 to 3.2.6.

True (A)

Which analysis method is used to decide different weights for exploitability and impact in security scoring?

Analytic hierarchy process

The network reachability captures interactions among all attack possibilities in a ______.

network

Match the components of network reachability with their descriptions:

  Network topology = Design layout of the network
  Router Configuration = Settings for routing traffic
  Firewall Rules = Controls traffic access
  Exploitability = Risk factors for attacks

Which factor contributes the most to the impact score according to the security scoring system?

Confidentiality (D)

The limitations of security metrics assume that vulnerabilities are correlated to each other.

False (B)

What is the access vector score for the vulnerability CVE-2009-0022?

0.13333

What is the alternative name for the Trusted Computer System Evaluation Criteria?

Orange Book (C)

The Common Criteria were developed solely in the United States.

False (B)

What year was the National Computer Security Center (NCSC) established?

1981

The Orange Book focuses on three main categories, including security policy, ______, and assurance.

accountability

Match the security levels of the Orange Book with their corresponding descriptions.

  A1 = Verified protection, the highest security level
  B3 = Security Domains
  B2 = Structured Protection
  B1 = Labeled Security Protections
  C2 = Controlled Access Protection
  C1 = Discretionary Security Protection
  D = Minimal Protection
  No Security = No security features

Which of the following is NOT an objective of the Orange Book?

Promoting the use of encryption for data security (A)

The Common Criteria separate functionality from assurance.

True (A)

What does TCB stand for in the context of the Orange Book?

Trusted Computing Base

Flashcards

Risk Management

The process of identifying, assessing, and mitigating risks within software security.

Risk Identification

The first step in risk management where potential risks are recognized.

Mitigation

Actions taken to reduce the severity or impact of identified risks.

Software Security Touchpoints

Key areas in the software development process where security measures can be implemented.

Metrics in Risk Management

Data points used to assess the effectiveness of risk management strategies.

Vulnerability in Patches

Patches may contain vulnerabilities needing further patching.

Security Score

A numerical representation to assess the security of a system or network.

CVSS Score

A security score specifically assessing individual vulnerabilities.

Combined Metric of Criticality

Measures the importance of a computer based on factors like location and role.

Time Series in Security

A method to show changes in security over time, indicating improvements or declines.

Factors Affecting Security Changes

Multiple triggers can impact security metrics such as vulnerabilities and training.

Collecting Security Metrics

The process of gathering data on vulnerabilities and network configuration automatically.

NVD/CVSS Database

A source providing XML data on CVSS scores and vulnerabilities.

CVE-2009-0022

A vulnerability in Samba 3.2.0 to 3.2.6 allowing remote access via blank share name.

Score of CVE-2009-0022

The vulnerability has a score of 6.3, indicating medium severity.

Network Reachability

Describes interactions in a network affecting security scores.

Components of Network Reachability

Includes network topology, router configuration, and firewall rules.

AHP

Analytic Hierarchy Process used to determine weights for security score components.

Exploitability Factors

Components are access vector, access complexity, and authentication in scoring.

Impact Factors

Concerns confidentiality, integrity, and availability in vulnerability scoring.

Limitations in Assessing Vulnerabilities

Assumes vulnerabilities are independent, which may not reflect reality.

Assurance Classes

Seven classes ensuring software security: configuration management, delivery and operation, development, guidance documents, life cycle support, tests, and vulnerability assessment.

EAL1

Evaluation Assurance Level 1: functionally tested with minimal assurance of security.

EAL4

Evaluation Assurance Level 4: methodologically designed, tested, and reviewed, providing moderate assurance.

Three Pillars of Software Security

Key components for software security: risk management, standards evaluation, and security analysis with metrics.

Security Metrics

Quantitative measures to analyze security status and effectiveness of systems.

Patch Risk

Risk associated with applying patches to software that may affect its future functionality.

Meaningful Security Metrics

Critical metrics that provide insight into the actual security posture of a system.

Security Metrics Visualization

Tools for displaying security metrics in an understandable manner, highlighting important insights.

Trusted Computer System Evaluation Criteria (TCSEC)

A set of standards for evaluating computer security, also known as the 'Orange Book'.

National Computer Security Center (NCSC)

An organization established by the NSA in 1981 to enhance computer security across agencies.

Objectives of the Orange Book

Provides guidelines for building security into products and a way to measure their security features.

Trusted Computing Base (TCB)

The combination of hardware, software, and firmware that enforces security policies and is critical to system security.

Orange Book Security Levels

A hierarchy of security levels ranging from A1 (highest) to D (minimal) based on protection offered.

Common Criteria (ISO 15408)

An international framework for computer security certification that separates functionality from assurance.

Common Criteria Classes of Functionality

Nine areas of focus including audit, communications, and user data protection within security evaluations.

Business Goals

Objectives that a business aims to achieve, such as increasing revenue.

Technical Risks

Risks related to technology that may hinder project implementation.

Risk Prioritization

The process of ranking identified risks based on business goals and impact.

Risk Metrics

Quantitative measures such as likelihood, impact, and severity of risks.

Risk Mitigation Strategy

A plan to reduce identified risks using available resources and technology.

Validation Techniques

Methods used to ensure that risk mitigation efforts are effective.

Measuring Risks

Continuously evaluating risks over time through established metrics.

Reporting Risk Information

Documenting and communicating details about risks and mitigation efforts.

Study Notes

Risk Management Overview

• Risk management is a core element of software security
• Three pillars underpin this approach: Risk, Touchpoints, and Knowledge. This framework guides the whole software development lifecycle (SDLC)
• Risk management involves assessing and evaluating the effort needed for security measures, factoring in the consequences of security breaches, and establishing acceptable security levels. This analysis drives the tracking and mitigation of risk throughout the SDLC.
• Risk assessment is calculated as: Risk = probability x impact
• Standards are used as guidelines for evaluation, such as the Orange Book and Common Criteria (ISO 15408)
• Metrics form an essential part of risk management, for data collection and analysis. This involves identifying, collecting, composing, and visualizing meaningful data for analysis

Three Pillars of Software Security

• Applied Risk Management
  • Assessing the effort for security investments
  • Evaluating the consequences of security breaches
  • Determining acceptable security levels
  • Tracking and mitigating risk throughout the Software Development Life Cycle (SDLC)
• Software Security Touchpoints
  • System-wide action from design through feedback to testing
  • Touchpoints like code review, architectural risk analysis, penetration testing, risk-based security testing, abuse cases, security requirements, and security operations
• Knowledge
  • Collecting, encapsulating, and sharing security knowledge
  • Knowledge catalogs, including established principles, guidelines, rules, vulnerabilities, exploits, attack patterns, and historical risk
  • Knowledge categories include prescriptive knowledge, diagnostic knowledge and historical knowledge
  • Knowledge is applicable throughout the SDLC

Standards on Evaluating Secure Systems

• Trusted Computer System Evaluation Criteria (TCSEC, or Orange Book)
  • Establishes criteria for evaluating computer security
  • Focuses on building security features into new products and evaluating system security
• Common Criteria (ISO 15408)
  • A standard for evaluating security, replacing TCSEC, which separates functionality from assurance.
  • Includes nine classes of functionality: audit, communications, user data protection, identification and authentication, privacy, protection of trusted functions, resource utilization, establishing user sessions, and trusted path.
  • Includes seven classes of assurance: configuration management, delivery and operation, development, guidance documents, life-cycle support, testing, and vulnerability assessment

National Computer Security Center (NCSC)

• Established in 1981 within the NSA, offering technical and reference assistance for government agencies.
• Aims to define security evaluation criteria, encourage research, develop and provide security analysis tools, and increase awareness within both private and governmental sectors.
• TCSEC was later superseded by Common Criteria.

Objectives of the Orange Book

• Guiding the design of new products with established security features
• Providing a framework for security system evaluation
• Serving as a basis for outlining security requirements within systems and networks

Orange Book Levels

• The Orange Book divides security systems into graded levels
• The levels range from A1, which offers the highest level of protection, down to D, which offers the lowest
  • A1, B3, B2, B1, C2, C1, D represent various levels of security protection

Common Criteria (ISO 15408)

• Launched in 1996 as a joint project with global collaboration, improving on the existing standards for measuring system security.
• Establishes a standardized approach to security, separating functionality from assurance.
• Nine classes outline different functional aspects for security evaluation.
• Seven classes cover assurance, encompassing many aspects of lifecycle support, management and testing.

Evaluation Assurance Levels (EAL)

• The EAL levels within the Common Criteria specify detailed assurance and testing methodologies for different security implementations.
  • EAL1 to EAL7 represent increasing levels of security system evaluation.

Security Analysis Using Security Metrics

• Introduction: Quantifying and displaying software security can be challenging for networked systems
• Challenges: Establishing meaningful security metrics, gathering data, structuring enterprise metrics, and choosing the form of presentation
• System Architecture: developing a toolkit for security metric gathering, analysis, and visualization
• Step 1: Identifying Metrics, summarizing current security metrics and creating new ones for security scoring, vulnerability and risk measures
• Step 2: Collecting Metrics, automatic vulnerability scanning, NVD/CVSS score extraction, and Network Reachability data collection.
• Step 3: Composing Metrics, combining the exploitability elements (access vector, access complexity, and authentication) with the impact metrics (confidentiality, integrity, and availability), using AHP (Analytic Hierarchy Process) to weight them.
• Step 4: Visualizing Metrics, providing dashboard visualization
• Limitations: vulnerabilities are often not entirely independent of each other; there is a need to explore correlated vulnerabilities and how they affect the final security scores, as well as the method of summarizing security scores across numerous systems.

Description

This quiz covers the fundamentals of risk management as it relates to software security. It delves into the three pillars that support effective risk management, along with techniques for assessing and evaluating security measures across the software development lifecycle. Additionally, key standards and metrics employed in this process are examined.
