MyCERT 3rd Quarter 2011 Summary Report - CyberSAFE Malaysia

More documents

Recommendations

Info

32Vulnerability Analysis Using CommonCriteria Attack Potential (Part 3-Final)By | Ahmad Dahari Bin JarnoContinuity of Part 1 and Part 2Looking back at Part 1 and Part 2 of thisarticle, each of them provided detailsof explanation and elaboration on howvulnerability assessment or penetrationtesting analysis are conducted in differentways that are commonly referred to bysecurity analysts or penetration testers.Thus, in reference, in general terms, thesearticles are not meant to show weaknessesor flaws of other methodologies that areout there and those already being used andimplemented.Yet, this piece is more about providingsuggestions on improving current practisesthat has been implemented and movingthem forward towards better use of testfindings and producing the best analysisof those findings in ways that are morepractical and considerable under variousforms of measurements. This is to providea significant answer to the question, “Howdefinitive and applicable each vulnerabilityand/or risks are by looking at the findingsof vulnerability assessments or penetrationtests deliberately from vulnerability analysistechniques?”Therefore, part three (3) of this articlewill show how Common Criteria AttackPotential produced results in the formof vulnerability analysis by referring tovulnerability assessments and penetrationtesting activities according to its phases ofexecutions, plans and deliverables.Key Points of Common CriteriaAttack Potential Merits andCalculationsCommon Criteria Attack Potential is definedunder the AVA scope of work (CommonCriteria Vulnerability Assessment WorkUnits), which is specifically conducted underthe evaluation assurance of vulnerabilityassessments. Looking at the point of viewof Common Criteria evaluation processes,Attack Potential are used as a main referencein calculating values of each vulnerabilityassessment or penetration testing scenariosin determining if each of those proposedapproaches are applicable based on the levelof evaluation assurance (EAL), where theproduct will then proceed to be evaluatedand certified. Yet, by looking from theother perspectives of general concept forvulnerability assessment and penetrationtesting, attack potential defined by CommonCriteria in CEM can be used further inseveral areas of vulnerability assessmentsor penetration tests, by implementing it ineach phase of those activities.In a recap of Part Two (2), Common CriteriaAttack Potential is forms of ratings andcomponents categorised according tocalculations (Refer to Table 2 and Table 3 inPart 2). In comparison with other approachesof vulnerability assessment and penetrationtesting in performing vulnerability analysis;commonly security analysts/penetrationtesters use details of that specificvulnerability patent and its behaviour indetermining the level of damage that it cancause. However, there are certain methodsand approaches of the vulnerability tests orpenetration tests that need to be executed inthe first place. An experience security analystand/or penetration tester will considerbetter coverage of vulnerability analysis, byputting considerations of justifications andmethods from planning phases towards theactual analysis that are being conducted. Thereasons behind these actions are basicallyto ensure decisions are properly taken,ensuring confidence in results and mostimportant of all, the vulnerability actuallyexisted, catered, proven and able to be fixedaccordingly based on recommendations offurther improvements. Therefore, Commone-Security | Cyber Security Malaysia | Vol: 28-(Q3/2011)© CyberSecurity Malaysia 2011 - All Rights Reserved
Criteria is in a better spot to provide securityanalysts/penetration testers guidance thatthey need in achieving better testing coverageand providing justifications in the preliminarystages.Leveraging CC Attack PotentialCoverage in Vulnerability Test& AnalysisQuestions; How far can a security analyst/pen-tester leverage on the situation bycovering up most of the vulnerability testingresults and analysis? Most of us will saythat it depends on the analyst/pen-testerexperience, knowledge and hands-on skills.Yet, a better answer can be given by allowingCC Attack Potential to provide an interestingoutlook into the test planning, executionsand analysis processes.To simulate this justification, the followingis an example that illustrates how CCAttack Potential has been used as part ofvulnerability assessment or penetrationtesting; from the starting point to the mainevents of vulnerability analysis. A shortbrief about the example given here, whichis basically an execution of penetrationtest activities, project based, conductedupon a prototype of smartcard contactlessapplets that has the ability to store crucialinformation by segregating and enforcingaccess controls through defined randomkeys exchange procedures upon informationrequested from proprietary software desktopapplications through a smartcard reader.33Justifications of Preliminary Test Scenarios.Test TitleConfidentialityAvailability & Integrity(CIA) HypothesisTest ObjectiveObjectives DetailsTest ApproachesAttack PotentialCalculationIdentify information transacted between the card reader and sample card viacontactless channels.Examine the key transacted between the card reader and sample card cannot bebypassed in aspects of its processes.Examine the key transacted between the card reader and sample card to beconfidential, whilst maintaining the secrecy of keys that are exchanged betweenboth origins.Performing identification of keys transacted between the smartcard reader andsample card embedded inside a contactless chip.To meet CIA hypothesis, analysts shall perform tests on the key transactionprocesses by monitoring and simulating processes of key exchanges between thesmartcard reader and sample card via contactless channels.These tests are to validate the processes, in a way that it could not be bypassedand could not be compromised in the middle through a man-in-the-middle attack.Test 0 (Control): By using smartcard reader and sample card, perform basicchallenge and response to scenarios with basic commands.Test 1: Generating random keys in short intervals.Test 2: Generating random keys in long intervals.Test 3 and 4: Using USB sniffer to monitor all key exchange transactions betweenSAM and reader. This identifies the location from which key exchanges areinitiated; either from the software or the reader.Test 5: Using USB sniffer to monitor the transition communications betweenSoftware Application Desktop and reader.Elapsed Time: Less than one week (1)Expertise: Proficient (3)Knowledge of TOE: Sensitive (7)Windows of Opportunity: Unlimited Access (0)Equipment: Standard (0)Calculation and Attack Potential Level: Total: 11 (Basic)Table 1: Preliminary Justification using CC Attack Potentiale-Security | Cyber Security Malaysia | Vol: 28-(Q3/2011)© CyberSecurity Malaysia 2011 - All Rights Reserved
Page 3: MyCERT 3 rd Quarter 2011 Summary Re
Page 6 and 7: 4compared to the previous quarter.
Page 8 and 9: 6Based on the statistics, there was
Page 10 and 11: 8Legal Restriction on CryptographyB
Page 12 and 13: 10Wassenaar Agreement “will not i
Page 14 and 15: 12transactions, electronically thro
Page 16 and 17: 14deciding if software is considere
Page 18 and 19: 16SPAM, the Annoying Culprit on the
Page 20 and 21: 18Figure 4: The distribution of spa
Page 23 and 24: “wire-once” settings pool bare-
Page 25 and 26: San Francisco, CA. McKesson has dou
Page 27 and 28: 3. Consistency:It means that the be
Page 29 and 30: Mathematics Operations in BinaryNum
Page 31 and 32: compare the difference between a bi
Page 33: divided, it will remain as remainde
Page 37 and 38: ASPECTS PLAN EXECUTE ANALYSISObject

MyCERT 3rd Quarter 2011 Summary Report - CyberSAFE Malaysia

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?