Washington State Patrol
NCIC 2000 ACCESS Encryption Project
Task Order 2 – Design
Task 2a – Risk Assessment Report
August 16, 2005
Background
The National Crime Information Center (NCIC), originally established in 1967, is the
most extensive criminal justice information system in the US and is maintained by the
FBI.
Its successor, NCIC 2000, now includes requirements for all CJIS data to be encrypted
between regional sites and the WSP ACCESS messaging system.
In accordance with the FBI’s Criminal Justice Information Service (CJIS)
Division Security Policy v4.1, all CJIS data transmitted through any public
network segment or Internet connections shall be encrypted by a pair of secret
keys, each with a minimum of 128 bits. Each cryptographic module, used for this
purpose, must be certified by the National Institute of Standards and
Technology’s (NIST) Computer Systems Laboratory to ensure that it meets the
standards set forth in Federal Information Processing Standards (FIPS)
Publication 140-2, “Security Requirements for Cryptographic Modules”.
I. Scope Statement
This report deals entirely with risks relating to the deployment and maintenance of an
encryption structure, designed to secure communication from regional sites to the WSP
ACCESS messaging system. The implementation of the encryption-decryption
architecture will introduce new potential threats and vulnerabilities, both physical and
procedural. These issues will be addressed in this document.
II. Vulnerability and Threat Identification
This section is concerned with the process used to identify threats, issues, concerns, risks
etc. Risk is defined as the possibility of a threat exploiting a vulnerability and thereby
causing harm to an asset. The threat will exploit the vulnerability to compromise one or
more of the principles previously mentioned:
• Confidentiality means that information is protected from being read or copied by
anyone who does not have permission of the owner of that information.
• Integrity means that information is not deleted or altered in a way that will cause
damage or disruption.
• Availability means that information should be protected so that it is readily
available to those with proper authorization.
• Non-repudiation means that an individual should not be able to deny having
received or sent information.
The following formula is one way of measuring risk:
• Risk = threat × vulnerability × impact
The key terms are risk, threat, vulnerability and impact. Without a threat agent, a
vulnerability, or an impact, there is no risk. There must be a threat agent to exploit a
vulnerability, and this exploitation must cause an impact for there to be a risk to the
organization. Relevant definitions include:
• Threat - The capabilities and intentions of adversaries to exploit an information
system; or any natural or unintentional event with the potential to cause harm to
an information system, resulting in a degradation of an organization’s ability to
fully perform its mission.
• Vulnerability - A characteristic of an information system or its components that
could be exploited by an adversary, or harmed by a natural act or an act
unintentionally caused by human activity.
• Impact – The result of a particular threat exploiting a particular vulnerability.
• Risk – The probability that a particular threat will exploit a particular
vulnerability.
• Safeguard – Any protective action, device, procedure, technique, or other
measure that reduces exposures. Safeguard, in this context, is synonymous with
countermeasure.
There are three types of device interfaces referred to in this section:
• Public Interface points to any untrusted network.
• Private Interface points to any trusted network.
• Management Interface can either be the console or a private Ethernet interface.
This section is devoted to identifying vulnerabilities that might be present in the NCIC
2000 Encryption Project and the potential of a given threat agent exploiting one of these
vulnerabilities, thereby constituting a risk. These include:
• Network Latency and Jitter – Latency indicates that the network is prone to
delay. Jitter refers to an unpredictable variation in the time between packets
arriving. Network congestion is, in this instance, the threat agent, which, when it
exploits latency or jitter, could lead to the dropping of packets, jeopardizing
availability.
• Single Point of Failure – The absence of redundant modules and/or devices
could be threatened by equipment failure whose impact could be unanticipated
downtime, again posing a risk to the availability of the infrastructure.
• Lax Physical Security – Poor physical security could make it possible for an
intruder, or even a disgruntled employee, to remove or damage an encryption
device. This could be the concentrator located at the WSP head end or a hardware
client located at a regional site. This would enable the thief to, at the least,
sabotage the encryption process and, at the worst, use the secret keys obtained to
access or tamper with sensitive information.
• Insecure Password Changing Mechanism – Cisco has pointed out that it is
relatively easy for any person possessing the administrative password and
physical access to the console to change any password on a Cisco concentrator or
hardware client.
Combine this vulnerability with the lax physical security mentioned earlier, and
the threat agent, in this case, a malicious person could effectively sabotage the
encryption system.
• Password Non-recoverable – Cisco warns that, for the VPN 3000 Series
Concentrator and the 3002 hardware client, there is no way to recover your
system if you forget the administrator password. In such a situation, the crypto-
officer who forgets the password is the threat agent. The impact is that the
concentrator or client has to be returned to Cisco so that the password can be
recovered. This could render the encryption system inoperable for an unspecified
period of time.
• Network Complexity – An increase in complexity between regional sites and the
WSP Data Center will make it more difficult to troubleshoot outages. The
troubleshooting problem can be seen as the threat agent causing an increase in the
Mean Time to Repair (MTTR). This could negatively impact the availability of
the ACCESS messaging system.
• Lax Access Control Mechanism – Access to the private interface could
compromise the data integrity of the messaging system. This vulnerability could
allow an unauthorized person, whether an intruder or an employee, to access,
block or tamper with sensitive data.
• Inadequate Crypto Officer Backup Mechanism - The role of Crypto Officer is
responsible for the configuration and maintenance of the concentrator. When the
person who usually assumes the Crypto Officer role is unavailable, it is essential
that the person designated as the replacement be fully trained and familiar with
the role. The threat agent, in this instance, is the unprepared person suddenly cast
into the role. The resulting risk is that this person could inadvertently
compromise the encryption system.
• Failure to Enforce the Policy of Least Privilege – Least privilege is a policy
that limits both the system’s users and processes to access only those resources
necessary to perform assigned functions. Ensuring least privilege requires
identifying what each user’s job is, outlining the minimum set of privileges
required to perform that job, and restricting the user to only those privileges on a
system/network.
Changing the role of a process or user, without changing the rights associated
with the role, is one manner of failing to enforce the policy of least privilege that
a threat agent can exploit. The more users or processes sharing these same rights,
the greater the chance that access by an uninformed or unscrupulous user or an
inappropriate process can result in denial of service, loss of confidentiality or
compromise of data.
Another failure to enforce the policy of least privilege can result from a
breakdown in communications between IT and HR. In such an instance, the
privileges of a former employee may not be removed in a timely fashion. In this
case, the threat agent is the former employee whose continued privileges could
result in deliberate sabotage of the encryption structure and the messaging system
(or in an unauthorized sharing of access information).
• Lack of Adequate Training – This is a vulnerability where the threat agent is a
new employee or an employee assigned an unfamiliar role. This could result in
mistakes that could put the ACCESS messaging system at risk. This also opens
the possibility of social engineering where a nefarious intruder is able to obtain a
password or other information from the inexperienced user.
• Elevation of Privileges – This vulnerability is similar to the previous two. The
abrupt increase in privileges without proper preparation, even when essential to
the functioning of a process or a user, can result in both mistakes and in
deliberate misuse of authority, either of which can put the system at risk.
• Unsecured Access to Management Interface – This vulnerability is the result
of weak control over the access to management interfaces. The threat agent is an
attack that could be mounted, resulting in unauthorized configuration changes.
• Misconfiguring the Assignment of Users to Groups – This presents a vulnerability
that can serve as an invitation to access the messaging system for a nefarious
purpose (a Denial of Service (DoS) attack or compromise of sensitive data).
• Inadequate or No Log Auditing – This is a vulnerability that can be exploited by
a threat agent, in this case unauthorized access attempts. Such attempts may remain
undetected due to the failure to maintain adequate logs and could serve to
precede a brute force attack.
• Power Failure – The vulnerability of a facility power failure can be exploited by
the threat agent, the lack of an Uninterruptible Power Supply (UPS). This results in
the unavailability of the messaging and encryption systems on the 3030
concentrator and the 3002 client.
• Limited scalability – The internal database in the 3030 concentrator can support
a maximum of 100 groups and users. The threat agent, in this instance, is the
need to grow beyond the 100 group and user limit. Unless an external
authentication server is used, it will not be possible to add any more groups or
users.
• FIPS Standards Limiting WSP and Regional Sites to Firmware Known to be
Vulnerable – In order to adhere to FIPS 140-2 standards, firmware for either the
3030 or the 3002 cannot be updated beyond the 3.6.7.F release. The threat agent
here is the exploits known to exist in the 3.6.7.F release. The result is a device
running firmware known to be vulnerable.
• Lack of Bandwidth – The threat agent that can exploit this vulnerability is an
increase in traffic. This will result in the loss of data.
• No Backup Configuration File in the 3030 Concentrator – The threat agent that
can exploit this vulnerability is data corruption caused by a device failure or other
difficulties. This results in excessive downtime brought about by the
concentrator’s inability to restore damaged files.
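The least-privilege failures (role changed without changing rights, a former employee whose privileges were never revoked), the misassignment of users to groups and the 100 group-and-user limit of the 3030 internal database described above can be checked against an account inventory. The following script is an added example and is not part of the WSP report or of any Cisco tooling; the role names, privilege names, group names and the HR roster flag are constructed assumptions, and only the 100-entry limit comes from the report.

```python
"""Audit concentrator accounts and groups for least-privilege and capacity problems.

Added example, not from the WSP report. Role names, privilege names, group
names and the HR roster flag are constructed assumptions.
"""
from dataclasses import dataclass

# The report states the 3030 internal database holds at most 100 groups and users.
INTERNAL_DB_LIMIT = 100

# Minimum privilege set per role (assumed for illustration).
ROLE_MIN_PRIVS = {
    "crypto_officer": frozenset({"configure", "manage_keys", "view_logs"}),
    "operator": frozenset({"view_status", "view_logs"}),
    "site_user": frozenset({"tunnel"}),
}


@dataclass(frozen=True)
class Account:
    name: str
    group: str
    privs: frozenset
    employed: bool          # taken from the HR roster, not from the device


@dataclass(frozen=True)
class Finding:
    subject: str
    kind: str
    detail: str


def audit_accounts(accounts, group_roles, limit=INTERNAL_DB_LIMIT, warn_fraction=0.8):
    """Return Findings for orphaned accounts, undefined groups, excess privileges
    and the internal database approaching or exceeding its limit."""
    findings = []
    for acct in accounts:
        if not acct.employed:
            # HR/IT gap: a former employee's privileges were never revoked.
            findings.append(Finding(acct.name, "orphaned",
                                    "former employee still holds privileges"))
            continue
        role = group_roles.get(acct.group)
        min_privs = ROLE_MIN_PRIVS.get(role)
        if min_privs is None:
            findings.append(Finding(acct.name, "undefined_group",
                                    f"group {acct.group!r} maps to no defined role"))
            continue
        excess = acct.privs - min_privs
        if excess:
            # Role changed (or was set up) without trimming the rights that came with it.
            findings.append(Finding(acct.name, "excess_privilege",
                                    ", ".join(sorted(excess))))
    # Groups and users share the same internal database, so count both.
    entries = len(accounts) + len(group_roles)
    if entries >= limit:
        findings.append(Finding("internal_db", "capacity_exceeded", f"{entries}/{limit}"))
    elif entries >= warn_fraction * limit:
        findings.append(Finding("internal_db", "capacity_warning", f"{entries}/{limit}"))
    return findings


# Constructed inventory.
SAMPLE_GROUPS = {"hq-crypto": "crypto_officer", "hq-ops": "operator",
                 "site-spokane": "site_user"}
SAMPLE_ACCOUNTS = [
    Account("jsmith", "hq-crypto", frozenset({"configure", "manage_keys", "view_logs"}), True),
    Account("rjones", "hq-ops", frozenset({"view_status", "view_logs", "configure"}), True),
    Account("mlee", "site-spokane", frozenset({"tunnel"}), False),
    Account("tkim", "hq-legacy", frozenset({"tunnel"}), True),
]


if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_ACCOUNTS, SAMPLE_GROUPS):
        print(f"{f.kind:18} {f.subject:12} {f.detail}")
```

Run against the sample inventory it reports one excess privilege, one orphaned account and one undefined group; the capacity findings only appear once the combined count of accounts and groups approaches the limit.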
III. Risk Factor Determination
This section is concerned with the process used to determine the probability that a
specific threat might occur as well as its impact on the deployment and maintenance of
the encryption structure designed to secure the ACCESS messaging system.
Each of the risks described in the section “Vulnerability and Threat Identification” falls
into one or more of these categories:
• Policies and Procedures
Risk, in this context, is dependent upon the degree to which policies and
procedures, relating to the encryption-decryption process between regional sites
and ACCESS, are clearly defined and effectively implemented. To some degree,
every one of the risks characterized in the previous section is impacted by policies
and procedures.
• Physical Access
This involves the determination and enforcement of just who is able to gain
physical entry to the place where an encryption device is located. Related risks
include:
◦ Theft of an encryption device by an intruder or an employee
◦ Sabotaging the encryption system by changing the admin password. This
is fairly easy to accomplish if one has physical access to the encryption
device console or management interface.
• Configuration Issues
This relates to risks created by poorly planned or implemented encryption
equipment or infrastructure configuration. These include:
◦ The dropping of packets due to network congestion. This can be a result of
not taking latency and jitter issues into account in configuration planning
and implementation.
◦ Unavailability of the encryption infrastructure caused by unanticipated
downtime. This can be avoided by designing a structure with redundant
and failover capabilities, minimizing single points of failure.
◦ Unavailability of the ACCESS messaging system due to troubleshooting
problems brought about by an increase in complexity between the regional
site clients and the WSP head end.
◦ The unauthorized accessing, blocking or tampering with sensitive data due
to a poorly configured access control mechanism.
◦ Unauthorized configuration changes can be made by an attacker exploiting
unsecured access to management interfaces.
◦ The uninvited accessing of the ACCESS messaging system could be the
result of a configuration error in the assignment of users to groups. Such
an error could be exploited by a would-be intruder.
IV. Safeguard Recommendations
All of the risks discussed previously are, to one degree or another, issues of policy and
procedure. When it comes to establishing sound policies and enforcing appropriate
procedures, those relating directly to the operation of the head end concentrator are the
responsibility of the WSP. However, while WSP can suggest procedures to be
implemented by the regional sites, it is up to those sites to implement those procedures in
keeping with their own security policies. Regional sites are responsible for setting and
maintaining their own policies and procedures. Anything other than broad
recommendations by WSP would be out of scope for this document.
This section is concerned with specifying possible safeguards, or countermeasures, and
how they relate to WSP’s decision to either mitigate the perceived risk or accept it.
Security safeguards are measured in terms of their cost, functionality and effectiveness.
Areas that need to be addressed include:
• Network Latency and Jitter – Communication between a regional site and the
head end that passes over network segments affected by traffic congestion will
result in unacceptable packet loss. This can adversely affect IPSec tunnels. The
WSP will need to monitor the Cisco 3030 logs to identify problem sites. When
problems exist, the WSP will need to work with the DIS and the regional site to
determine what options are available to mitigate network congestion.
• Single Point of Failure – The risk of unanticipated downtime can be mitigated
by identifying potential single points of failure and applying redundant solutions.
This might mean, for example, adding a second encryption module to the
concentrator. Another option would be installation of a redundant 3030
concentrator. If the active concentrator were to fail, Cisco’s Virtual Router
Redundancy Protocol (VRRP) could enable a seamless failover to the standby
device. To make a decision as to which (if either) of the above two options makes
the most sense, WSP management would need to weigh the cost of each solution
against the likelihood and consequences of module or device failure and come to
a decision. High availability service contracts should also be considered.
It must be kept in mind that another weak link in the WSP network (a non-
redundant firewall for example) could mean that a redundant concentrator or
module solution would not adequately mitigate the risk.
• Lax Physical Security – The risk of someone stealing or damaging the head end
concentrator can be mitigated by establishing a secured area within the data
center that only the crypto-officer and perhaps a second trusted person would
have physical access to. Ideally, similar measures should be put in place at each
of the regional sites, but this is clearly the responsibility of each regional site and
is out of scope for WSP’s NCIC 2000 Encryption Project risk mitigation strategy.
The most serious consequence of the theft of such an encryption device is not the
cost of replacement, but the possibility that the intruder will gain access to the
private and secret keys held by the device.
• Insecure Password Changing Mechanism – As pointed out earlier, it’s
relatively easy for anyone possessing the administrative password and physical
access to the concentrator or hardware client console to change any other
password. This could invite the possibility of encryption system sabotage. As
with the previous recommendation, risk mitigation here takes the form of
creating a secured area within the presumably secured area of the data center.
Again, no more than two trusted persons would have access to the secured area
within a secured area.
• Password Non-recoverable – In this situation, the Crypto Officer who forgets the
password serves as the threat agent. The only way the password can be recovered
is by returning the concentrator or the hardware client to Cisco. The encryption
system is inoperable until Cisco is able to solve the problem.
There is a series of steps that must be followed to mitigate this risk.
1. The Crypto Officer creates the password and only that person should ever
know it. It should be a word or phrase (FIPS requires a minimum
password length of 6 characters) that has some meaning to the Crypto
Officer but is obscure enough that it can withstand a brute force or
dictionary attack.
2. The Crypto Officer writes down the password only once and immediately
places the paper the password is written on in a secure off-site facility
such as a safety deposit box.
3. The administration of the off-site facility is instructed that only the Crypto
Officer is to have access to the stored document. The only exception is
that if the Crypto Officer is incapacitated, the person designated as back-
up Crypto Officer will have access to the paper the password is written on.
• Network Complexity – The threat of difficulty troubleshooting and the
consequent risk of an unavailable messaging system can be mitigated through the
development of new troubleshooting techniques which expand upon existing
troubleshooting techniques as well as additional training of personnel.
• Lax Access Control Mechanism – The threat of an unauthorized person
accessing the private interface of either the 3030 concentrator at the head end or
the 3002 client at a regional site could result in the compromise of sensitive data.
Risk mitigation, in such an instance, would call for securing traffic between the
private interface and its termination interface (i.e. firewall). In the case of the
3030 concentrator, this is the responsibility of WSP. In the case of the 3002
client, this is the responsibility of the regional site.
• Inadequate Crypto Officer Backup Mechanism – The threat agent is an
unqualified person cast in the role of Crypto Officer. This can result in a
compromise of the encryption system. This risk can be mitigated by the creation
of thoroughly documented procedures defining the role and responsibilities of the
Crypto Officer.
• Failure to Enforce the Policy of Least Privilege – The threat agent in this
scenario is any person with privileges not required for the job. This could be
someone with elevated privileges left over from a previous position. It could be
someone no longer employed by the organization but still holding the privileges
of a previous position. Again the result could be the compromise of sensitive data
or the deliberate or accidental disruption of the messaging or encryption system.
These risks can be mitigated by rigorous enforcement of the principle of least
privilege. No one should be assigned privileges not required for the position.
Anyone ceasing to work for WSP or any regional organization should have all
privileges revoked immediately. Anyone granted new privileges should be
thoroughly familiar with the procedures related to those privileges.
• Assignment or Elevation of Privileges Without Adequate Training – Here the
threat agent is anyone unfamiliar with the procedures necessary to accomplish an
assigned set of tasks. This can result in unintentional errors that could put the
messaging or encryption system at risk. It can also leave the inexperienced
employee susceptible to manipulation by someone with questionable intentions.
This risk can be mitigated by an appropriate amount of training, not so much as
to overwhelm the employee but enough so that the employee can assume a new
role with a thorough understanding of the procedures necessary to do the job.
• Unsecured Access to Management Interface – The threat agent here is an
attack resulting in undesirable configuration changes. This risk can be addressed
by a meticulously designed and carefully implemented secure management
interface access scheme. When carefully executed, these procedures can
significantly reduce the chances of an intruder mounting a successful brute force
or other attack against the management interface of either the head end
concentrator or the regional site 3002 hardware client.
• Misconfiguring the Assignment of Users to Groups – Poor planning and
implementation can result in the assignment of users to inappropriate groups.
Again, the threat agent is the person (whether employee or intruder) who can
exploit this vulnerability by either mounting an attack or making an innocent
mistake that could place the encryption and messaging systems in jeopardy. In
this situation, risk mitigation calls for carefully constructed procedures designed
to minimize human error when assigning users to groups.
• Inadequate or No Log Auditing – In this environment, the threat agent is an
intruder who can mount a passive attack undetected. Passive attacks are done by
monitoring a system performing its tasks and collecting information. In general,
it is very hard to detect passive attacks since they do not interact or disturb
normal system functions. Examples of passive attacks are monitoring network
traffic, CPU and disk usage. Passive attacks often serve to precede a brute force
attack.
This risk can be mitigated through the maintenance of adequate logs and a system
of real time monitoring. This action will not be successful however unless the logs
are carefully audited and the monitoring is performed rigorously and at regular
intervals.
• Power Failure – The threat agent is the absence of a UPS. During a power
failure, the messaging and encryption systems could be rendered inoperable. This
risk can be mitigated by means of the installation and careful maintenance of a
UPS designed to provide uninterrupted power until a longer term solution can be
employed.
• Limited Scalability – The threat agent is the need to grow beyond the 100 group
and user limit. The risk can be mitigated through the use of an external
authentication server.
• FIPS Standards Limiting WSP and Regional Sites to Firmware Known to be
Vulnerable – The known vulnerabilities constitute the threat agent and the risk is
a device running firmware known to be vulnerable. Due to Criminal Justice
Information Service (CJIS) Security Policy requirements to adhere to FIPS
standards, it is necessary to accept this risk until a newer firmware release is
validated and then to proceed with a firmware upgrade after careful testing.
• Lack of Bandwidth – The risk, loss of data, brought about by an increase in
traffic, can be mitigated by the addition of more bandwidth capacity.
• No Backup Configuration File in the 3030 Concentrator – The risk, in this
case, excessive downtime caused by the concentrator’s inability to restore
damaged files, can be mitigated through the implementation of proper backup
and restore procedures.
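The log auditing and real-time monitoring recommended above for the management interface (and the undetected access attempts that precede a brute force attack, as identified in the vulnerability section) can be automated over the concentrator's login records. The following script is an added example and is not part of the WSP report or of any Cisco tooling; the log line format, host name, addresses and the allowed management subnets are constructed assumptions and not the real VPN 3000 syslog format.

```python
"""Audit concentrator login logs for brute-force attempts and unexpected management access.

Added example, not part of the WSP report. The log line format is a
constructed assumption, not the real Cisco VPN 3000 syslog format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed sample log lines (the format itself is an assumption).
SAMPLE_LOG = """\
2005-08-16 09:00:01 headend-3030 AUTH: admin login FAILED user=admin src=10.5.5.20 iface=mgmt
2005-08-16 09:00:04 headend-3030 AUTH: admin login FAILED user=admin src=10.5.5.20 iface=mgmt
2005-08-16 09:00:07 headend-3030 AUTH: admin login FAILED user=admin src=10.5.5.20 iface=mgmt
2005-08-16 09:00:09 headend-3030 AUTH: admin login FAILED user=admin src=10.5.5.20 iface=mgmt
2005-08-16 09:00:12 headend-3030 AUTH: admin login FAILED user=admin src=10.5.5.20 iface=mgmt
2005-08-16 09:00:15 headend-3030 AUTH: admin login OK user=admin src=10.5.5.20 iface=mgmt
2005-08-16 09:30:00 headend-3030 AUTH: admin login OK user=crypto src=10.1.1.7 iface=mgmt
2005-08-16 10:15:00 headend-3030 AUTH: admin login FAILED user=config src=10.1.1.9 iface=mgmt
2005-08-16 11:00:00 headend-3030 AUTH: admin login OK user=admin src=192.0.2.44 iface=public
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ AUTH: admin login "
    r"(?P<result>OK|FAILED) user=(?P<user>\S+) src=(?P<src>\S+) iface=(?P<iface>\S+)$"
)

# Assumed management subnets (constructed); any other source is an alert.
ALLOWED_MGMT_NETS = ("10.1.1.0/24", "10.5.5.0/24")


def parse_line(line):
    """Parse one login record; return None for lines that are not login events."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def audit(log_text, failure_threshold=5, window=timedelta(minutes=1),
          allowed_nets=ALLOWED_MGMT_NETS):
    """Return a list of (kind, src, user, timestamp) alerts.

    kind is one of:
      brute_force            - failure_threshold failures from one source inside window
      success_after_failures - a successful login from a source already flagged
      unexpected_source      - login not on the management interface or not from an allowed net
    """
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    recent_failures = defaultdict(deque)   # src -> timestamps of failures inside window
    flagged = set()
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        from_allowed = any(ipaddress.ip_address(src) in n for n in nets)
        if ev["iface"] != "mgmt" or not from_allowed:
            alerts.append(("unexpected_source", src, ev["user"], ts))
        if ev["result"] == "FAILED":
            q = recent_failures[src]
            q.append(ts)
            while q and ts - q[0] > window:     # drop failures older than the window
                q.popleft()
            if len(q) >= failure_threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, ev["user"], ts))
        else:
            if src in flagged:
                # A success right after a burst of failures is the case worth paging on.
                alerts.append(("success_after_failures", src, ev["user"], ts))
            recent_failures[src].clear()
    return alerts


if __name__ == "__main__":
    for kind, src, user, ts in audit(SAMPLE_LOG):
        print(f"{ts} {kind:24} src={src} user={user}")
```

On the sample lines it raises a brute-force alert at the fifth failure from 10.5.5.20, flags the login that succeeds immediately afterwards, and flags the admin login arriving on the public interface; the single failed login from 10.1.1.9 stays below the threshold.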
 
CelluonMarketingProspectus041414
CelluonMarketingProspectus041414CelluonMarketingProspectus041414
CelluonMarketingProspectus041414
 
Statistical Methods to Handle Missing Data
Statistical Methods to Handle Missing DataStatistical Methods to Handle Missing Data
Statistical Methods to Handle Missing Data
 
Fotografia ambiental (1)
Fotografia ambiental (1)Fotografia ambiental (1)
Fotografia ambiental (1)
 
Design engineering report
Design engineering reportDesign engineering report
Design engineering report
 
Design report
Design report Design report
Design report
 
4 guia limpieza_unidades_rehidratacion
4 guia limpieza_unidades_rehidratacion4 guia limpieza_unidades_rehidratacion
4 guia limpieza_unidades_rehidratacion
 
Report on design engineering
Report on design engineeringReport on design engineering
Report on design engineering
 
The Human Side of the Web PPT
The Human Side of the Web PPTThe Human Side of the Web PPT
The Human Side of the Web PPT
 

Ähnlich wie Risk Analysis Report review

attack vectors by chimwemwe.pptx
attack vectors  by chimwemwe.pptxattack vectors  by chimwemwe.pptx
attack vectors by chimwemwe.pptxJenetSilence
 
SegurançA Da InformaçãO Faat V1 4
SegurançA Da InformaçãO Faat V1 4SegurançA Da InformaçãO Faat V1 4
SegurançA Da InformaçãO Faat V1 4Rodrigo Piovesana
 
Data information and security unit 1.pdf
Data information and security unit 1.pdfData information and security unit 1.pdf
Data information and security unit 1.pdfdeepakbharathi16
 
Client server network threat
Client server network threatClient server network threat
Client server network threatRaj vardhan
 
information security (network security methods)
information security (network security methods)information security (network security methods)
information security (network security methods)Zara Nawaz
 
Information security ist lecture
Information security ist lectureInformation security ist lecture
Information security ist lectureZara Nawaz
 
What is penetration testing and why is it important for a business to invest ...
What is penetration testing and why is it important for a business to invest ...What is penetration testing and why is it important for a business to invest ...
What is penetration testing and why is it important for a business to invest ...Alisha Henderson
 
Secure Architecture and Incident Management for E-Business
Secure Architecture and Incident Management for E-BusinessSecure Architecture and Incident Management for E-Business
Secure Architecture and Incident Management for E-BusinessMarc S. Sokol
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochQA or the Highway
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochQA or the Highway
 
Running head NETWORK INFRASTRUTCTURE AND SECURITYNETWORK INFR.docx
Running head NETWORK INFRASTRUTCTURE AND SECURITYNETWORK INFR.docxRunning head NETWORK INFRASTRUTCTURE AND SECURITYNETWORK INFR.docx
Running head NETWORK INFRASTRUTCTURE AND SECURITYNETWORK INFR.docxtoltonkendal
 
Medical facility network design
Medical facility network designMedical facility network design
Medical facility network designnephtalie
 
Security in Computing and IT
Security in Computing and ITSecurity in Computing and IT
Security in Computing and ITKomalah Nair
 
OPERATING SYSTEM SECURITY
OPERATING SYSTEM SECURITYOPERATING SYSTEM SECURITY
OPERATING SYSTEM SECURITYRohitK71
 

Ähnlich wie Risk Analysis Report review (20)

attack vectors by chimwemwe.pptx
attack vectors  by chimwemwe.pptxattack vectors  by chimwemwe.pptx
attack vectors by chimwemwe.pptx
 
SegurançA Da InformaçãO Faat V1 4
SegurançA Da InformaçãO Faat V1 4SegurançA Da InformaçãO Faat V1 4
SegurançA Da InformaçãO Faat V1 4
 
Data information and security unit 1.pdf
Data information and security unit 1.pdfData information and security unit 1.pdf
Data information and security unit 1.pdf
 
Client server network threat
Client server network threatClient server network threat
Client server network threat
 
Chapter- I introduction
Chapter- I introductionChapter- I introduction
Chapter- I introduction
 
Chapter-I introduction
Chapter-I introductionChapter-I introduction
Chapter-I introduction
 
CNS - Chapter1
CNS - Chapter1CNS - Chapter1
CNS - Chapter1
 
3-UnitV_security.pptx
3-UnitV_security.pptx3-UnitV_security.pptx
3-UnitV_security.pptx
 
Ethical hacking
Ethical hacking Ethical hacking
Ethical hacking
 
information security (network security methods)
information security (network security methods)information security (network security methods)
information security (network security methods)
 
Information security ist lecture
Information security ist lectureInformation security ist lecture
Information security ist lecture
 
What is penetration testing and why is it important for a business to invest ...
What is penetration testing and why is it important for a business to invest ...What is penetration testing and why is it important for a business to invest ...
What is penetration testing and why is it important for a business to invest ...
 
Secure Architecture and Incident Management for E-Business
Secure Architecture and Incident Management for E-BusinessSecure Architecture and Incident Management for E-Business
Secure Architecture and Incident Management for E-Business
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan Koch
 
The 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan KochThe 5 Layers of Security Testing by Alan Koch
The 5 Layers of Security Testing by Alan Koch
 
Running head NETWORK INFRASTRUTCTURE AND SECURITYNETWORK INFR.docx
Running head NETWORK INFRASTRUTCTURE AND SECURITYNETWORK INFR.docxRunning head NETWORK INFRASTRUTCTURE AND SECURITYNETWORK INFR.docx
Running head NETWORK INFRASTRUTCTURE AND SECURITYNETWORK INFR.docx
 
Medical facility network design
Medical facility network designMedical facility network design
Medical facility network design
 
Security in Computing and IT
Security in Computing and ITSecurity in Computing and IT
Security in Computing and IT
 
OPERATING SYSTEM SECURITY
OPERATING SYSTEM SECURITYOPERATING SYSTEM SECURITY
OPERATING SYSTEM SECURITY
 
Aspects of Network Security
Aspects of Network SecurityAspects of Network Security
Aspects of Network Security
 

Risk Analysis Report review

Washington State Patrol
NCIC 2000 ACCESS Encryption Project
Task Order 2 – Design
Task 2a – Risk Assessment Report
August 16, 2005

Background
The National Crime Information Center (NCIC), originally established in 1967, is the most extensive criminal justice information system in the US and is maintained by the FBI. Its successor, NCIC 2000, now includes requirements for all CJIS data to be encrypted between regional sites and the WSP ACCESS messaging system.

In accordance with the FBI’s Criminal Justice Information Service (CJIS) Division Security Policy v4.1, all CJIS data transmitted through any public network segment or Internet connections shall be encrypted by a pair of secret keys, each with a minimum of 128 bits. Each cryptographic module used for this purpose must be certified by the National Institute of Standards and Technology’s (NIST) Computer Systems Laboratory to ensure that it meets the standards set forth in Federal Information Processing Standards (FIPS) Publication 140-2, “Security Requirements for Cryptographic Modules”.

I. Scope Statement
This report deals entirely with risks relating to the deployment and maintenance of an encryption structure designed to secure communication from regional sites to the WSP ACCESS messaging system. The implementation of the encryption-decryption architecture will introduce new potential threats and vulnerabilities, both physical and procedural. These issues will be addressed in this document.

II. Vulnerability and Threat Identification
This section is concerned with the process used to identify threats, issues, concerns, risks, etc. Risk is defined as the possibility of a threat exploiting a vulnerability and thereby causing harm to an asset. The threat will exploit the vulnerability to compromise one or more of the principles previously mentioned:
• Confidentiality means that information is protected from being read or copied by anyone who does not have permission of the owner of that information.
• Integrity means that information is not deleted or altered in a way that will cause damage or disruption.
• Availability means that information should be protected so that it is readily available to those with proper authorization.
• Non-repudiation means that an individual should not be able to deny having received or sent information.

The following formula is one way of measuring risk:
• Risk = threat × vulnerability × impact

The key terms are risk, threat, vulnerability and impact. Without a threat agent, a vulnerability, or an impact, there is no risk. There must be a threat agent to exploit a vulnerability, and this exploitation must cause an impact for there to be a risk to the organization. Relevant definitions include:
• Threat – The capabilities and intentions of adversaries to exploit an information system; or any natural or unintentional event with the potential to cause harm to an information system, resulting in a degradation of an organization’s ability to fully perform its mission.
• Vulnerability – A characteristic of an information system or its components that could be exploited by an adversary, or harmed by a natural act or an act unintentionally caused by human activity.
• Impact – The result of a particular threat exploiting a particular vulnerability.
• Risk – The probability that a particular threat will exploit a particular vulnerability.
• Safeguard – Any protective action, device, procedure, technique, or other measure that reduces exposures. Safeguard, in this context, is synonymous with countermeasure.

There are three types of device interfaces referred to in this section:
• Public Interface points to any untrusted network.
• Private Interface points to any trusted network.
• Management Interface can either be the console or a private Ethernet interface.

This section is devoted to identifying vulnerabilities that might be present in the NCIC 2000 Encryption Project and the potential of a given threat agent exploiting one of these vulnerabilities, thereby constituting a risk. These include:
• Network Latency and Jitter – Latency indicates that the network is prone to delay. Jitter refers to an unpredictable variation in the time between packets arriving. Network congestion is, in this instance, the threat agent, which, when it exploits latency or jitter, could lead to the dropping of packets, jeopardizing availability.
• Single Point of Failure – The absence of redundant modules and/or devices could be threatened by equipment failure, whose impact could be unanticipated downtime, again posing a risk to the availability of the infrastructure.
• Lax Physical Security – Poor physical security could make it possible for an intruder, or even a disgruntled employee, to remove or damage an encryption device. This could be the concentrator located at the WSP head end or a hardware client located at a regional site. This would enable the thief to, at the least, sabotage the encryption process and, at the worst, use the secret keys obtained to access or tamper with sensitive information.
• Insecure Password Changing Mechanism – Cisco has pointed out that it is relatively easy for any person possessing the administrative password and physical access to the console to change any password on a Cisco concentrator or hardware client. Combine this vulnerability with the lax physical security mentioned earlier, and the threat agent, in this case a malicious person, could effectively sabotage the encryption system.
• Password Non-recoverable – Cisco warns that, for the VPN 3000 Series Concentrator and the 3002 hardware client, there is no way to recover your system if you forget the administrator password. In such a situation, the crypto-officer who forgets the password is the threat agent. The impact is that the concentrator or client has to be returned to Cisco so that the password can be recovered. This could render the encryption system inoperable for an unspecified period of time.
• Network Complexity – An increase in complexity between regional sites and the WSP Data Center will make it more difficult to troubleshoot outages. The troubleshooting problem can be seen as the threat agent causing an increase in the Mean Time to Repair (MTTR). This could negatively impact the availability of the ACCESS messaging system.
• Lax Access Control Mechanism – Access to the private interface could compromise the data integrity of the messaging system. This vulnerability could allow an unauthorized person, whether an intruder or an employee, to access, block or tamper with sensitive data.
• Inadequate Crypto Officer Backup Mechanism – The role of Crypto Officer is responsible for the configuration and maintenance of the concentrator. When the person who usually assumes the Crypto Officer role is unavailable, it is essential that the person designated as the replacement be fully trained and familiar with the role. The threat agent, in this instance, is the unprepared person suddenly cast into the role. The resulting risk is that this person could inadvertently compromise the encryption system.
• Failure to Enforce the Policy of Least Privilege – Least privilege is a policy that limits both the system’s users and processes to access only those resources necessary to perform assigned functions. Ensuring least privilege requires identifying what each user’s job is, outlining the minimum set of privileges required to perform that job, and restricting the user to only those privileges on a system/network. Changing the role of a process or user without changing the rights associated with the role is one manner of failing to enforce the policy of least privilege that a threat agent can exploit. The more users or processes sharing these same rights, the greater the chance that access by an uninformed or unscrupulous user or an inappropriate process can result in denial of service, loss of confidentiality or compromise of data. Another failure to enforce the policy of least privilege can result from a breakdown in communications between IT and HR. In such an instance, the privileges of a former employee may not be removed in a timely fashion. In this case, the threat agent is the former employee whose continued privileges could result in deliberate sabotage of the encryption structure and the messaging system (or in an unauthorized sharing of access information).
• Lack of Adequate Training – This is a vulnerability where the threat agent is a new employee or an employee assigned an unfamiliar role. This could result in mistakes that could put the ACCESS messaging system at risk. This also opens the possibility of social engineering, where a nefarious intruder is able to obtain a password or other information from the inexperienced user.
• Elevation of Privileges – This vulnerability is similar to the previous two. The abrupt increase in privileges without proper preparation, even when essential to the functioning of a process or a user, can result in both mistakes and in deliberate misuse of authority, either of which can put the system at risk.
• Unsecured Access to Management Interface – This vulnerability is the result of weak control over the access to management interfaces. The threat agent is an attack that could be mounted, resulting in unauthorized configuration changes.
• Misconfiguring the Assignment of Users to Groups – This presents a vulnerability that can serve as an invitation to access the messaging system for a nefarious purpose (Denial of Service (DoS) attack and compromise of sensitive data).
• Inadequate or No Log Auditing – This is a vulnerability that can be exploited by a threat agent, unauthorized access attempts. Such attempts may remain undetected due to the failure to maintain adequate logs and could serve to precede a brute force attack.
• Power Failure – The vulnerability of a facility power failure can be exploited by the threat agent, the lack of an Uninterruptible Power Supply (UPS). This results in the unavailability of the messaging and encryption systems on the 3030 concentrator and the 3002 client.
• Limited Scalability – The internal database in the 3030 concentrator can support a maximum of 100 groups and users. The threat agent, in this instance, is the need to grow beyond the 100 group and user limit. Unless an external authentication server is used, it will not be possible to add any more groups or users.
• FIPS Standards Limiting WSP and Regional Sites to Firmware Known to be Vulnerable – In order to adhere to FIPS 140-2 standards, firmware for either the 3030 or the 3002 cannot be updated beyond the 3.6.7.F release. The threat agent here is the exploits known to exist in the 3.6.7.F release. The result is a device running firmware known to be vulnerable.
• Lack of Bandwidth – The threat agent that can exploit this vulnerability is an increase in traffic. This will result in the loss of data.
• No Backup Configuration File in the 3030 Concentrator – The threat agent that can exploit this vulnerability is data corruption caused by a device failure or other difficulties. This results in excessive downtime brought about by the concentrator’s inability to restore damaged files.
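The least-privilege failures described above (rights left over from a previous role, and a former employee whose access was never revoked because HR and IT were out of step) can be caught by reconciling the HR roster against the accounts and privileges actually provisioned. The script below is an added example, not tooling from the report, WSP or Cisco; the role-to-privilege table, the roster and the account list are all constructed.

```python
"""Reconcile an HR roster against provisioned accounts to surface the
least-privilege failures the report describes. Hypothetical data model and
policy table; constructed sample data, not WSP's real roster."""
from dataclasses import dataclass, field

# Minimum privilege set per role (constructed example policy, not WSP's).
ROLE_PRIVILEGES = {
    "crypto_officer": {"concentrator_admin", "key_management", "log_read"},
    "backup_crypto_officer": {"concentrator_admin", "key_management", "log_read"},
    "network_operator": {"log_read", "tunnel_status"},
    "regional_operator": {"tunnel_status"},
}


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    role: str
    active: bool  # False once HR has recorded a separation


@dataclass(frozen=True)
class Account:
    employee_id: str
    username: str
    privileges: frozenset


@dataclass
class Finding:
    username: str
    kind: str  # "stale_account", "excess_privilege" or "orphan_account"
    detail: frozenset = field(default_factory=frozenset)


def reconcile(hr_records, accounts):
    """Return one Finding per account that violates least privilege."""
    hr = {r.employee_id: r for r in hr_records}
    findings = []
    for acct in accounts:
        rec = hr.get(acct.employee_id)
        if rec is None:
            # No HR record at all: nobody owns this account.
            findings.append(Finding(acct.username, "orphan_account"))
            continue
        if not rec.active:
            # Former employee still holding privileges: revoke immediately.
            findings.append(Finding(acct.username, "stale_account", acct.privileges))
            continue
        allowed = ROLE_PRIVILEGES.get(rec.role, set())
        excess = frozenset(acct.privileges - allowed)
        if excess:
            # Rights beyond the current role, e.g. left over from a promotion.
            findings.append(Finding(acct.username, "excess_privilege", excess))
    return findings


# Constructed sample data.
HR_ROSTER = [
    HrRecord("E100", "crypto_officer", True),
    HrRecord("E101", "network_operator", True),    # moved out of the crypto officer role
    HrRecord("E102", "regional_operator", False),  # separated; HR updated, IT did not
]
ACCOUNTS = [
    Account("E100", "co_smith", frozenset({"concentrator_admin", "key_management", "log_read"})),
    Account("E101", "netop_jones", frozenset({"log_read", "tunnel_status", "key_management"})),
    Account("E102", "reg_lee", frozenset({"tunnel_status"})),
    Account("E999", "svc_legacy", frozenset({"log_read"})),
]


def audit_sample():
    """Run the reconciliation over the constructed data."""
    return reconcile(HR_ROSTER, ACCOUNTS)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.kind:17} {f.username:12} {sorted(f.detail)}")
```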
III. Risk Factor Determination
This section is concerned with the process used to determine the probability that a specific threat might occur, as well as its impact on the deployment and maintenance of the encryption structure designed to secure the ACCESS messaging system. Each of the risks described in the section “Vulnerability and Threat Identification” falls into one or more of these categories:
• Policies and Procedures – Risk, in this context, is dependent upon the degree to which policies and procedures relating to the encryption-decryption process between regional sites and ACCESS are clearly defined and effectively implemented. To some degree, every one of the risks characterized in the previous section is impacted by policies and procedures.
• Physical Access – This involves the determination and enforcement of just who is able to gain physical entry to the place where an encryption device is located. Related risks include:
  - Theft of an encryption device by an intruder or an employee.
  - Sabotaging the encryption system by changing the admin password. This is fairly easy to accomplish if one has physical access to the encryption device console or management interface.
• Configuration Issues – This relates to risks created by poorly planned or implemented encryption equipment or infrastructure configuration. These include:
  - The dropping of packets due to network congestion. This can be a result of not taking latency and jitter issues into account in configuration planning and implementation.
  - Unavailability of the encryption infrastructure caused by unanticipated downtime. This can be avoided by designing a structure with redundant and failover capabilities, minimizing single points of failure.
  - Unavailability of the ACCESS messaging system due to troubleshooting problems brought about by an increase in complexity between the regional site clients and the WSP head end.
  - The unauthorized accessing, blocking or tampering with sensitive data due to a poorly configured access control mechanism.
  - Unauthorized configuration changes made by an attacker exploiting unsecured access to management interfaces.
  - The uninvited accessing of the ACCESS messaging system as the result of a configuration error in the assignment of users to groups. Such an error could be exploited by a would-be intruder.

IV. Safeguard Recommendations
All of the risks discussed previously are, to one degree or another, issues of policy and procedure. When it comes to establishing sound policies and enforcing appropriate procedures, those relating directly to the operation of the head end concentrator are the responsibility of the WSP. However, while WSP can suggest procedures to be implemented by the regional sites, it is up to those sites to implement those procedures in keeping with their own security policies. Regional sites are responsible for setting and maintaining their own policies and procedures. Anything other than broad recommendations by WSP would be out of scope for this document.

This section is concerned with specifying possible safeguards, or countermeasures, and how they relate to WSP’s decision to either mitigate the perceived risk or accept it. Security safeguards are measured in terms of their cost, functionality and effectiveness. Areas that need to be addressed include:
• Network Latency and Jitter – Communication between a regional site and the head end that passes over network segments affected by traffic congestion will result in unacceptable packet loss. This can adversely affect IPSec tunnels. The WSP will need to monitor the Cisco 3030 logs to identify problem sites. When problems exist, the WSP will need to work with the DIS and the regional site to determine what options are available to mitigate network congestion.
• Single Point of Failure – The risk of unanticipated downtime can be mitigated by identifying potential single points of failure and applying redundant solutions. This might mean, for example, adding a second encryption module to the concentrator. Another option would be installation of a redundant 3030 concentrator. If the active concentrator were to fail, Cisco’s Virtual Router Redundancy Protocol (VRRP) could enable a seamless failover to the standby device. To decide which (if either) of the above two options makes the most sense, WSP management would need to weigh the cost of each solution against the likelihood and consequences of module or device failure. High availability service contracts should also be considered. It must be kept in mind that another weak link in the WSP network (a non-redundant firewall, for example) could mean that a redundant concentrator or module solution would not adequately mitigate the risk.
• Lax Physical Security – The risk of someone stealing or damaging the head end concentrator can be mitigated by establishing a secured area within the data center to which only the crypto-officer and perhaps a second trusted person would have physical access. Ideally, similar measures should be put in place at each of the regional sites, but this is clearly the responsibility of each regional site and is out of scope for WSP’s NCIC 2000 Encryption Project risk mitigation strategy. The most serious consequence of the theft of such an encryption device is not the cost of replacement, but the possibility that the intruder will gain access to the private and secret keys held by the device.
• Insecure Password Changing Mechanism – As pointed out earlier, it is relatively easy for anyone possessing the administrative password and physical access to the concentrator or hardware client console to change any other password. This could invite the possibility of encryption system sabotage. As with the previous recommendation, risk mitigation here takes the form of creating a secured area within the presumably secured area of the data center. Again, no more than two trusted persons would have access to the secured area within a secured area.
• Password Non-recoverable – In this situation, the Crypto Officer who forgets the password serves as the threat agent. The only way the password can be recovered is by returning the concentrator or the hardware client to Cisco. The encryption system is inoperable until Cisco is able to solve the problem. There is a series of steps that must be followed to mitigate this risk.
  1. The Crypto Officer creates the password and only that person should ever know it. It should be a word or phrase (FIPS requires a minimum password length of 6 characters) that has some meaning to the Crypto Officer but is obscure enough that it can withstand a brute force or dictionary attack.
  2. The Crypto Officer writes down the password only once and immediately places the paper the password is written on in a secure off-site facility such as a safety deposit box.
  3. The administration of the off-site facility is instructed that only the Crypto Officer is to have access to the stored document. The only exception is that if the Crypto Officer is incapacitated, the person designated as back-up Crypto Officer will have access to the paper the password is written on.
• Network Complexity – The threat of difficulty troubleshooting and the consequent risk of an unavailable messaging system can be mitigated through the development of new troubleshooting techniques, which expand upon existing troubleshooting techniques, as well as additional training of personnel.
• Lax Access Control Mechanism – The threat of an unauthorized person accessing the private interface of either the 3030 concentrator at the head end or the 3002 client at a regional site could result in the compromise of sensitive data. Risk mitigation, in such an instance, would call for securing traffic between the private interface and its termination interface (i.e. firewall). In the case of the 3030 concentrator, this is the responsibility of WSP. In the case of the 3002 client, this is the responsibility of the regional site.
• Inadequate Crypto Officer Backup Mechanism – The threat agent is an unqualified person cast in the role of Crypto Officer. This can result in a compromise of the encryption system. This risk can be mitigated by the creation of thoroughly documented procedures defining the role and responsibilities of the Crypto Officer.
• Failure to Enforce the Policy of Least Privilege – The threat agent in this scenario is any person with privileges not required for the job. This could be someone with elevated privileges left over from a previous position. It could be someone no longer employed by the organization but still holding the privileges of a previous position. Again, the result could be the compromise of sensitive data or the deliberate or accidental disruption of the messaging or encryption system. These risks can be mitigated by rigorous enforcement of the principle of least privilege. No one should be assigned privileges not required for the position. Anyone ceasing to work for WSP or any regional organization should have all privileges revoked immediately. Anyone granted new privileges should be thoroughly familiar with the procedures related to those privileges.
• Assignment or Elevation of Privileges Without Adequate Training – Here the threat agent is anyone unfamiliar with the procedures necessary to accomplish an assigned set of tasks. This can result in unintentional errors that could put the messaging or encryption system at risk. It can also leave the inexperienced employee susceptible to manipulation by someone with questionable intentions. This risk can be mitigated by an appropriate amount of training, not so much as to overwhelm the employee but enough so that the employee can assume a new role with a thorough understanding of the procedures necessary to do the job.
• Unsecured Access to Management Interface – The threat agent here is an attack resulting in undesirable configuration changes. This risk can be addressed by a meticulously designed and carefully implemented secure management interface access scheme. When carefully executed, these procedures can significantly reduce the chances of an intruder mounting a successful brute force or other attack against the management interface of either the head end concentrator or the regional site 3002 hardware client.
• Misconfiguring the Assignment of Users to Groups – Poor planning and implementation can result in the assignment of users to inappropriate groups. Again, the threat agent is the person (whether employee or intruder) who can exploit this vulnerability by either mounting an attack or making an innocent mistake that could place the encryption and messaging systems in jeopardy. In this situation, risk mitigation calls for carefully constructed procedures designed to minimize human error when assigning users to groups.
• Inadequate or No Log Auditing – In this environment, the threat agent is an intruder who can mount a passive attack undetected. Passive attacks are done by monitoring a system performing its tasks and collecting information. In general, it is very hard to detect passive attacks since they do not interact with or disturb normal system functions. Examples of passive attacks are monitoring network traffic, CPU and disk usage. Passive attacks often serve to precede a brute force attack. This risk can be mitigated through the maintenance of adequate logs and a system of real time monitoring. This action will not be successful, however, unless the logs are carefully audited and the monitoring is performed rigorously and at regular intervals.
• Power Failure – The threat agent is the absence of a UPS. During a power failure, the messaging and encryption systems could be rendered inoperable. This risk can be mitigated by means of the installation and careful maintenance of a UPS designed to provide uninterrupted power until a longer term solution can be employed.
• Limited Scalability – The threat agent is the need to grow beyond the 100 group and user limit. The risk can be mitigated through the use of an external authentication server.
• FIPS Standards Limiting WSP and Regional Sites to Firmware Known to be Vulnerable – The known vulnerabilities constitute the threat agent and the risk is a device running firmware known to be vulnerable. Due to Criminal Justice Information Service (CJIS) Security Policy requirements to adhere to FIPS standards, it is necessary to accept this risk until a newer firmware release is validated and then to proceed with a firmware upgrade after careful testing.
• Lack of Bandwidth – The risk, loss of data, brought about by an increase in traffic, can be mitigated by the addition of more bandwidth capacity.
• No Backup Configuration File in the 3030 Concentrator – The risk, in this case excessive downtime caused by the concentrator’s inability to restore damaged files, can be mitigated through the implementation of proper backup and restore procedures.
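The log auditing and management-interface safeguards above only pay off if someone actually reads the logs for the patterns the report names: repeated failed logins that precede a brute force attack, and management access from outside the trusted network. The script below is an added example, not code from the report, WSP or Cisco; the syslog-style line layout, the 10.10.0.0/24 management network, the 5-failures-in-10-minutes threshold and the log lines themselves are all constructed (the real VPN 3000 log format differs).

```python
"""Audit pass over concentrator authentication logs. Constructed, generic
line format and policy values; not the Cisco VPN 3000 log format."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line layout: "<timestamp> <iface> <event> src=<ip> user=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<iface>public|private|mgmt) "
    r"(?P<event>AUTH_OK|AUTH_FAIL) "
    r"src=(?P<src>[\d.]+) user=(?P<user>\S+)$"
)

# Hypothetical policy: management logins only from this range; 5 failures in 10 minutes alerts.
MGMT_ALLOWED = ipaddress.ip_network("10.10.0.0/24")
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev


def audit(lines):
    """Scan chronologically ordered lines; return (alerts, unparsed_count).

    Each alert is (kind, source_ip, user, timestamp). Unparsed lines are
    counted rather than dropped, so a gap in logging is itself visible."""
    alerts = []
    unparsed = 0
    recent_failures = defaultdict(deque)  # src -> failure timestamps inside WINDOW
    alerted_sources = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        src = ev["src"]
        if ev["iface"] == "mgmt" and ipaddress.ip_address(src) not in MGMT_ALLOWED:
            alerts.append(("mgmt_from_untrusted_source", src, ev["user"], ev["ts"]))
        if ev["event"] == "AUTH_FAIL":
            q = recent_failures[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW:
                q.popleft()  # drop failures older than the window
            if len(q) >= FAIL_THRESHOLD and src not in alerted_sources:
                alerted_sources.add(src)  # one alert per source per burst
                alerts.append(("repeated_auth_failures", src, ev["user"], ev["ts"]))
        elif ev["event"] == "AUTH_OK" and src in alerted_sources:
            # A success following a burst of failures is what an auditor most needs to see.
            alerts.append(("success_after_failures", src, ev["user"], ev["ts"]))
    return alerts, unparsed


# Constructed sample log (documentation address ranges, fictitious users).
SAMPLE_LOG = [
    "2005-08-16 08:30:00 public AUTH_FAIL src=192.0.2.20 user=regional1",
    "2005-08-16 09:00:01 public AUTH_FAIL src=203.0.113.7 user=admin",
    "2005-08-16 09:00:15 public AUTH_FAIL src=203.0.113.7 user=admin",
    "2005-08-16 09:00:40 public AUTH_FAIL src=203.0.113.7 user=admin",
    "2005-08-16 09:01:02 public AUTH_FAIL src=203.0.113.7 user=admin",
    "2005-08-16 09:01:30 public AUTH_FAIL src=203.0.113.7 user=admin",
    "2005-08-16 09:02:00 public AUTH_FAIL src=203.0.113.7 user=admin",
    "2005-08-16 09:02:30 public AUTH_OK src=203.0.113.7 user=regional3",
    "2005-08-16 09:05:00 mgmt AUTH_OK src=10.10.0.5 user=crypto_officer",
    "2005-08-16 09:06:00 mgmt AUTH_FAIL src=198.51.100.9 user=admin",
    "2005-08-16 09:07:00 public AUTH_OK src=192.0.2.20 user=regional1",
    "%% corrupted line from a log rotation",
]


def audit_sample():
    """Run the audit over the constructed log."""
    return audit(SAMPLE_LOG)


if __name__ == "__main__":
    found, bad = audit_sample()
    for kind, src, user, ts in found:
        print(f"{ts:%H:%M:%S} {kind:28} {src:15} {user}")
    print(f"unparsed lines: {bad}")
```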