OSSIM-based Information System Security Risk Assessment Implementation Guide

Source: Internet
Author: User
Tags: openvas, ossim

Some people think that risk assessment is nothing more than scanning hosts, or scanning the whole network with some well-known foreign security tools. That kind of activity is a form of risk assessment, but its results are generally poor: most companies today already run automatic patch distribution and anti-virus systems on their intranets. The more important question is whether what you scan is actually what you care about. In practice, a risk assessment must begin with a survey of network assets, and the following basic concepts must be understood first.

1. Relationship between risk elements

Information is an asset, and asset owners should protect their information assets. By analyzing the vulnerabilities of information assets, one can determine which of them a threat may exploit to undermine security. A risk assessment should identify the relationships between the elements relevant to an asset in order to determine the risks that asset faces.

Figure 1 Relationship between risk elements

The boxes in Figure 1 are the basic elements of risk assessment, and the ellipses are the attributes related to those elements. Risk assessment focuses on the basic elements, but while evaluating them you must fully consider the attributes related to them, such as business strategy, asset value, security requirements, security events, and residual risk. The risk elements and attributes in Figure 1 are related as follows:

(1) Business strategy depends on assets.
(2) Assets have value; the more an organization's business strategy depends on an asset, the greater that asset's value.
(3) The greater the asset value, the greater the risk the asset faces.
(4) Risk is caused by threats; the more threats an asset faces, the greater the risk, and the risk may evolve into a security event.
(5) The more vulnerabilities there are, the higher the likelihood that a threat exploits a vulnerability and causes a security event.
(6) A vulnerability is an unfulfilled security requirement. A threat must exploit a vulnerability to harm an asset and thereby form a risk.
(7) The existence of risk, and awareness of that risk, give rise to security requirements.
(8) Security requirements can be met through security measures, whose implementation cost must be weighed against the asset value.
(9) Security measures can defend against threats, reduce the likelihood of security events, and reduce their impact.
(10) Risk cannot be reduced to zero; residual risk remains after security measures are implemented. Some residual risk comes from improper or ineffective security measures and needs further control in the future; some is risk left uncontrolled after weighing security cost against benefit, and is acceptable.

2. Asset classification

In risk assessment, most assets belong to different information systems, such as the OA system, the network management system, and the business production system. For organizations that provide a variety of services, the number of systems supporting continuous business operation may be even larger. The information systems and their related assets therefore need to be properly classified so that the subsequent risk assessment can be carried out on that basis. In actual work, the specific classification method can be chosen flexibly by the evaluators according to the evaluation objects and requirements. By their form, assets can be divided into data, software, hardware, documents, services, and personnel.

3. Asset value assignment

The assignment of asset values should consider not only the monetary value of an asset, but also how important the security status of the asset is to the organization, that is, the degree to which the asset fulfils the three security attributes. To ensure that asset value assignment is consistent and accurate, the organization should establish an asset value evaluation scale to guide it. The assignment process analyzes the asset's fulfilment of confidentiality, integrity, and availability and combines the three into one overall result. The degree of fulfilment can be expressed by the impact caused by the loss of a security attribute: such impact may damage some assets or even endanger the information system, and it may also lead to losses of economic benefit, market share, or organizational image.

The asset assignment in the OSSIM system is shown in.

After assigning values to assets, we can easily filter out important assets among the numerous assets.

4. Reasonably group assets

Asset groups are used to precisely manage assets.

5. Risk analysis

5.1 Risk calculation principles

After asset identification, threat identification, vulnerability identification, and confirmation of existing security measures are completed, appropriate methods and tools are used to determine the likelihood that a threat exploits a vulnerability to cause a security event, and the impact (loss) such an event would have on the organization; together these make up the security risk. The loss caused by a security event depends on the importance of the affected asset and the severity of the vulnerability.

5.2 Calculating the likelihood of a security event

Based on the frequency of the threat and the vulnerability, calculate the likelihood that the threat exploits the vulnerability and causes a security event:

probability of a security event = L(frequency of threat occurrence, vulnerability) = L(T, V)

In a concrete evaluation, the likelihood should be judged by combining the attacker's technical capability (professional skill level, attack equipment, etc.), the ease of exploiting the vulnerability (accessible time, exposure of design and operational knowledge), and the attractiveness of the asset.

5.3 Calculating the risk value

Based on the calculated likelihood of a security event and the loss it would cause, calculate the risk value:

risk value = R(probability of a security event, loss of the security event) = R(L(T, V), F(Ia, Va))

Evaluators can select an appropriate risk calculation method based on their own circumstances, for example the matrix method or the multiplication method. The matrix method uses an empirically constructed function, in the form of a two-dimensional table, to relate the likelihood of a security event to its loss; the multiplication method multiplies the likelihood and the loss to obtain the risk value.
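The following is an added worked example of the calculation chain in 5.1 to 5.3 (likelihood L(T, V), loss F(Ia, Va), then risk R by either the matrix method or the multiplication method). It is not code from the page or from OSSIM. Every lookup table, the 1..5 grading scale, the reading of Ia as asset importance and Va as vulnerability severity, and the five-level thresholds are constructed assumptions; a real assessment substitutes the evaluator's own empirically derived tables.

```python
"""Risk calculation chain: L(T, V) -> F(Ia, Va) -> R(L, F), matrix or multiplication.

Added example, not code from the page or from OSSIM. All tables and
thresholds below are constructed assumptions.
"""

# Every input is graded on a 1..5 scale (assumption).
GRADE_MIN, GRADE_MAX = 1, 5

# Likelihood matrix: row = threat frequency T, column = vulnerability severity V
# (constructed). The cell is the likelihood grade of a security event, 1..5.
LIKELIHOOD_MATRIX = [
    [1, 1, 2, 2, 3],
    [1, 2, 2, 3, 3],
    [2, 2, 3, 3, 4],
    [2, 3, 3, 4, 4],
    [3, 3, 4, 4, 5],
]

# Loss matrix: row = asset importance Ia, column = vulnerability severity Va
# (constructed). The cell is the loss grade of a security event, 1..5.
LOSS_MATRIX = [
    [1, 1, 2, 2, 3],
    [1, 2, 2, 3, 4],
    [2, 2, 3, 4, 4],
    [2, 3, 4, 4, 5],
    [3, 4, 4, 5, 5],
]

# Risk matrix: row = likelihood grade L, column = loss grade F (constructed).
# Cells span 1..25 so that both methods share the level thresholds below.
RISK_MATRIX = [
    [2, 4, 7, 11, 14],
    [3, 6, 10, 13, 16],
    [5, 9, 12, 16, 20],
    [7, 11, 14, 18, 22],
    [9, 13, 17, 21, 25],
]

# Upper bound of each of the five risk levels on the 1..25 scale (assumption).
LEVEL_UPPER_BOUNDS = [6, 12, 18, 23, 25]


def _grade(name, value):
    """Reject anything outside the 1..5 grading scale."""
    if not isinstance(value, int) or not GRADE_MIN <= value <= GRADE_MAX:
        raise ValueError(f"{name} must be an integer in [{GRADE_MIN}, {GRADE_MAX}], got {value!r}")
    return value


def likelihood(t, v):
    """L(T, V): likelihood grade from threat frequency and vulnerability severity."""
    return LIKELIHOOD_MATRIX[_grade("T", t) - 1][_grade("V", v) - 1]


def loss(ia, va):
    """F(Ia, Va): loss grade from asset importance and vulnerability severity."""
    return LOSS_MATRIX[_grade("Ia", ia) - 1][_grade("Va", va) - 1]


def risk_value(l, f, method="matrix"):
    """R(L, F): table lookup (matrix method) or L * F (multiplication method)."""
    l, f = _grade("L", l), _grade("F", f)
    if method == "matrix":
        return RISK_MATRIX[l - 1][f - 1]
    if method == "multiplication":
        return l * f
    raise ValueError(f"unknown method {method!r}")


def risk_level(value):
    """Map a risk value on the 1..25 scale to one of five levels (1 = lowest)."""
    for level, upper in enumerate(LEVEL_UPPER_BOUNDS, start=1):
        if value <= upper:
            return level
    raise ValueError(f"risk value {value} is outside the 1..25 scale")


def assess(asset, t, v, ia, va, method="matrix"):
    """Run the whole chain for one asset and return the intermediate results."""
    l = likelihood(t, v)
    f = loss(ia, va)
    r = risk_value(l, f, method)
    return {"asset": asset, "L": l, "F": f, "risk": r, "level": risk_level(r), "method": method}


if __name__ == "__main__":
    # Constructed inputs: a database server (Ia=5) facing a moderately frequent
    # threat (T=3) through a serious vulnerability (V=Va=4).
    for m in ("matrix", "multiplication"):
        print(assess("db-server", t=3, v=4, ia=5, va=4, method=m))
```

Note that the two methods give different values for the same inputs (here 20 versus 15), which is why the evaluator must fix one method and one set of level thresholds before comparing assets against each other.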

Calculation method in the OSSIM system:

The OSSIM system combines three parameters, asset value (Asset), priority (Priority), and reliability (Reliability), to calculate risk, using the following formula:

Risk = Asset * Priority * Reliability / 25 (risk model calculation formula 4-1)

Asset: value range 0 ~ 5

Priority: value range 0 ~ 5

Reliability: value range 0 ~ 10

Formula (4-1) calculates the Risk value of each alert event.

The value range of Asset is 0 ~ 5, and the default value is 2. In the OSSIM system, asset importance is divided into 5 levels with the values 1, 2, 3, 4, and 5. On the surface, this number simply scales the Risk value in the formula, but it also has a deeper meaning. For example, a common workstation has asset level 1; when it suffers a DoS attack, a simple action on its port-level network connection is enough. A database server has asset level 5, and the database service must stay online in real time, so a DoS attack against it cannot be handled the way it is for a workstation. Instead, the backup IP address should be enabled automatically and the attack directed to the network honeypot system.

The value range of Priority is 0 ~ 5, and the default value is 1. This parameter describes the degree of harm caused by a successful attack; a greater value indicates a higher level of harm.

The value range of Reliability is 0 ~ 10, and the default value is 1. This parameter describes the probability that the attack succeeds; the maximum value of 10 corresponds to 100%. The higher the value, the more reliable the alert is, which you can also read as the likelihood of actually being attacked.

5.4 Risk results

Risk levels are classified into five levels; the higher the level, the higher the risk. The evaluator sets the risk value range for each level according to the risk calculation method used, and groups all risk calculation results by level. The OSSIM system has its own set of formulas for judging system risk comprehensively.
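The following is an added worked example of formula (4-1) applied to alert events, scoring each event from its Asset, Priority and Reliability values with the ranges and defaults stated above and ranking the results so that the most important assets surface first. It is not OSSIM's own code: the alert records are constructed, and the filtering threshold is an operator's choice, not an OSSIM default.

```python
"""Per-alert risk scoring with the OSSIM formula Risk = Asset * Priority * Reliability / 25.

Added example, not OSSIM's own code. The alert records are constructed and the
filtering threshold is an assumption, not an OSSIM default.
"""
from dataclasses import dataclass

# (min, max, default) for each parameter, as stated for formula 4-1.
PARAMS = {
    "asset": (0, 5, 2),
    "priority": (0, 5, 1),
    "reliability": (0, 10, 1),
}
# Top of the resulting scale: 5 * 5 * 10 / 25.
RISK_MAX = 10.0


def _check(name, value):
    """Reject values outside the documented range of a parameter."""
    lo, hi, _ = PARAMS[name]
    if not isinstance(value, int) or not lo <= value <= hi:
        raise ValueError(f"{name} must be an integer in [{lo}, {hi}], got {value!r}")
    return value


def ossim_risk(asset=2, priority=1, reliability=1):
    """Formula 4-1; the argument defaults are the stated OSSIM defaults."""
    return (_check("asset", asset)
            * _check("priority", priority)
            * _check("reliability", reliability)) / 25


@dataclass(frozen=True)
class Alert:
    signature: str
    dst_host: str
    asset: int
    priority: int
    reliability: int

    @property
    def risk(self):
        return ossim_risk(self.asset, self.priority, self.reliability)


# Constructed sample events: the same DoS signature, with the same priority and
# reliability, hits a workstation (asset level 1) and a database server (level 5).
SAMPLE_ALERTS = [
    Alert("SYN flood (constructed)", "workstation-17", asset=1, priority=3, reliability=6),
    Alert("SYN flood (constructed)", "db-server-01", asset=5, priority=3, reliability=6),
    Alert("port scan (constructed)", "db-server-01", asset=5, priority=1, reliability=2),
    Alert("failed ssh login (constructed)", "workstation-17", asset=1, priority=1, reliability=1),
]


def rank_alerts(alerts):
    """Alerts ordered by descending risk, so the analyst works the top of the list first."""
    return sorted(alerts, key=lambda a: a.risk, reverse=True)


def alerts_at_or_above(alerts, threshold):
    """Keep only alerts whose risk reaches the operator-chosen threshold."""
    return [a for a in alerts if a.risk >= threshold]


if __name__ == "__main__":
    for a in rank_alerts(SAMPLE_ALERTS):
        print(f"{a.risk:5.2f}  {a.dst_host:15}  {a.signature}")
```

With these inputs the identical SYN flood scores 3.6 against the database server but only 0.72 against the workstation, which is the asset-level effect described above: the asset value, not just the signature, decides how much attention an event gets.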

6. Application of risk assessment auxiliary tools in the O&M phase

The purpose of risk assessment in the O&M phase is to understand and control the security risks of the information system while it is running, and to provide a comprehensive assessment of them. The evaluation covers the information systems, assets, threats, and vulnerabilities that are actually in operation.

(1) Asset assessment: a more detailed assessment of the real environment, including hardware and software assets purchased during implementation, information assets generated during system operation, and the related personnel and services. At this stage, asset identification supplements and extends the asset identification done earlier.
(2) Threat assessment: threat analysis in the real environment should comprehensively assess both the likelihood and the extent of a threat's impact. For security events caused by unintentional threats, accident rates can be used as a reference. The evaluators should make professional judgements about the various factors influencing each threat and take existing control measures into account.
(3) Vulnerability assessment: a comprehensive assessment of vulnerabilities in the operating environment, covering physical, network, system, application, security equipment, and management aspects. Technical vulnerabilities are evaluated through vulnerability verification, scanning, case verification, and penetration testing. For security assurance equipment, the assessment considers both the implementation of its security functions and the vulnerabilities of the security measures themselves. Management vulnerabilities are verified against documents and records.
(4) Risk calculation: perform qualitative or quantitative risk analysis on the risks of the major assets in accordance with the relevant methods of this standard, and describe the risks of the different assets.

The following describes how the OSSIM System Displays important information in an interface.

7. Using OpenVAS

Enterprise network security testing and risk assessment are expensive and not always effective. This article has introduced the free OSSIM system; why not try it? For the OpenVAS vulnerability scanning guide, refer to: http://chenguang.blog.51cto.com/350944/1692490

For more information, see OSSIM best practices.
