20-CS-5156 Security Vulnerability Assessment Spring 2017
Lab 1

Authentication, Availability, Confidentiality, Integrity, Defense Principles, Intrusion Detection, Attack vectors, more

Perform risk assessments for two adversaries
(submit instructions)

Lab 1 Aggregate Results

You are assessing the vulnerabilities in the current state vs. upgrading your network's Microsoft Office or Adobe Acrobat Reader installations. You only have the staffing for one project at a time, so you will need to use the techniques described in the OWASP model, as well as the provided data below, to rate the risk to your business in two scenarios, for each upgrade option, and make and explain your recommendation.

The two threat scenarios are as follows:
1) An advanced adversary with limited staff surgically targets your business for the purpose of stealing sensitive intellectual property, which could be sold off to a competitor for a profit to the adversary and would eliminate your firm's competitive edge.
2) An opportunistic attacker steals, and might encrypt (for ransom), some PII belonging to your end-users, including social media access, personal banking, etc. The attacker stands to profit from this, but the value of the information to your business is negligible.

Assignment: You must calculate the risk ratings (critical/high/medium/low/note) for each upgrade/no-upgrade option. You are only able to upgrade one software package with the project, so you don't need to perform all permutations. For each of the two threat adversary scenarios, you need to make a recommendation as to which one of the packages should be upgraded and which version it should be upgraded to (for a tie-breaker, favor the newer version of the software). Use the OWASP Risk Rating Methodology as discussed in class, with one simplification to the published description: all impact factors contribute to a single impact metric, rather than the separate "technical" and "business" impacts discussed in the external link. Write up a report and submit it via Blackboard no later than 11:59PM, 2016-Jan-25 (Monday night - OK, if you can't make it, let me know). See this link for submission instructions. If you write any supporting programs or spreadsheets, upload those as well. Any and all supporting code/notes/documentation will assist in grading if your conclusions/results differ from the grader's.

You've contracted a consulting firm to provide base impact & likelihood values for these two scenarios.
Scenario 1 Likelihood
  • Skill: 9
  • Motive: 9
  • Opportunity: 4
  • Size: 3
  • Discovery: 9
  • Awareness: 6
Scenario 1 Impact
  • Confidentiality: 9
  • Integrity: 2
  • Availability: 3
  • Financial damage: 6
Scenario 2 Likelihood
  • Skill: 7
  • Motive: 9
  • Opportunity: 7
  • Size: 6
  • Discovery: 9
  • Awareness: 6
Scenario 2 Impact
  • Confidentiality: 6
  • Integrity: 3
  • Availability: 1
  • Financial damage: 3

The present state is as follows: all systems have the following software versions installed.

  • Microsoft Office XP
  • Adobe Acrobat Reader 8
In addition to the impact constants above, there is also an impact factor for upgrading, as that requires staff, and must include the risk to compatibility and user experience that results in efficiency loss as well. The costs to upgrade from the current state to newer versions are below; the cost to not upgrade is 0:
  • Microsoft Office 2003: 1
  • Microsoft Office 2007: 5
  • Microsoft Office 2010: 6
  • Adobe Reader 9.3: 5
  • Adobe Reader 9.4: 5
  • Adobe Reader 10: 8
  • Adobe Reader 11: 9

Each version of the software comes with its own vulnerabilities, which contribute as a likelihood factor. As a heuristic, your team will assess the vulnerability of each package based upon the set of Metasploit modules available for it. It will be assumed that any vulnerability in a version of the software also exists in all earlier versions.
From analyzing the module set, we identified that the following file format vulnerabilities are to be considered for the Adobe Acrobat package:
Exploit | Rank | Acrobat 8 | Acrobat 9.0-9.3 | Acrobat 9.4-9.9 | Acrobat 10 | Acrobat 11

From analyzing the module set, we identified that the following file format vulnerabilities are to be considered for the Microsoft Office software suite:
Exploit | Rank | Office XP | Office 2003 | Office 2007 | Office 2010

Metasploit uses a ranking system to identify the probability with which exploits will succeed. Since exploits are typically operating in a variable state environment, some exploits will periodically crash the program prior to establishing desired access, while others may always succeed. This also informs likelihood, and we will use the following rank values for the likelihood of each exploit, to convert from Metasploit's concept to ours:
Manual = 0 | Low = 1 | Average = 3 | Normal = 5 | Good = 6 | Great = 7 | Excellent = 9

You'll want to determine this likelihood measurement for each version of the software packages. Where the vulnerability is not exploitable under a particular version of the software, use the Manual = 0 rank to measure likelihood. All exploits are weighted equally when calculating their contribution to the overall "exploitability" / "ease" likelihood factor; it is each exploit's rank value that determines how much it contributes. In other words, you will want to average together the supported exploits as well as the non-functional ones (as zeros) to establish the measurement for this exploitability factor on a per-software basis.
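The following script is an added worked example of the whole procedure above, not part of the lab handout: it averages Metasploit rank values into the exploitability factor (non-functional modules counted as Manual = 0), folds that factor into the scenario likelihood, folds the upgrade cost into the single combined impact metric, maps both 0-9 scores onto the OWASP LOW/MEDIUM/HIGH bands and the OWASP severity matrix, and applies the "favor the newer version" tie-breaker. The scenario factors, upgrade costs and rank-to-value mapping are the ones given on this page. The exploit rows themselves are not reproduced here, so the EXPLOITS table is constructed placeholder data; the ratings it prints illustrate the method and are not the graded answer.

```python
from statistics import mean

# Metasploit rank -> likelihood value, as defined on the lab page.
RANK_VALUE = {"Manual": 0, "Low": 1, "Average": 3, "Normal": 5,
              "Good": 6, "Great": 7, "Excellent": 9}

# Consultant-provided factors for the two threat scenarios (from the page).
SCENARIOS = {
    1: {"likelihood": {"skill": 9, "motive": 9, "opportunity": 4, "size": 3,
                       "discovery": 9, "awareness": 6},
        "impact": {"confidentiality": 9, "integrity": 2, "availability": 3,
                   "financial": 6}},
    2: {"likelihood": {"skill": 7, "motive": 9, "opportunity": 7, "size": 6,
                       "discovery": 9, "awareness": 6},
        "impact": {"confidentiality": 6, "integrity": 3, "availability": 1,
                   "financial": 3}},
}

# Versions in release order; the first entry of each list is the current state.
# "Acrobat 9.3" / "Acrobat 9.4" stand for the 9.0-9.3 and 9.4-9.9 columns.
VERSIONS = {
    "Office": ["Office XP", "Office 2003", "Office 2007", "Office 2010"],
    "Acrobat": ["Acrobat 8", "Acrobat 9.3", "Acrobat 9.4", "Acrobat 10", "Acrobat 11"],
}

# Upgrade cost is an extra impact factor; staying on the current version costs 0.
UPGRADE_COST = {"Office XP": 0, "Office 2003": 1, "Office 2007": 5, "Office 2010": 6,
                "Acrobat 8": 0, "Acrobat 9.3": 5, "Acrobat 9.4": 5,
                "Acrobat 10": 8, "Acrobat 11": 9}

# CONSTRUCTED placeholder exploit rows (hypothetical module names):
# (module, Metasploit rank, newest affected version). By the lab's rule,
# every version older than the newest affected one is affected as well.
EXPLOITS = {
    "Office": [("office_exploit_A", "Great", "Office 2010"),
               ("office_exploit_B", "Good", "Office 2003"),
               ("office_exploit_C", "Normal", "Office XP"),
               ("office_exploit_D", "Excellent", "Office 2007")],
    "Acrobat": [("acrobat_exploit_A", "Excellent", "Acrobat 9.3"),
                ("acrobat_exploit_B", "Average", "Acrobat 11"),
                ("acrobat_exploit_C", "Good", "Acrobat 9.4"),
                ("acrobat_exploit_D", "Low", "Acrobat 8")],
}

# OWASP severity matrix, keyed by (impact level, likelihood level).
SEVERITY = {
    ("HIGH", "LOW"): "Medium", ("HIGH", "MEDIUM"): "High", ("HIGH", "HIGH"): "Critical",
    ("MEDIUM", "LOW"): "Low", ("MEDIUM", "MEDIUM"): "Medium", ("MEDIUM", "HIGH"): "High",
    ("LOW", "LOW"): "Note", ("LOW", "MEDIUM"): "Low", ("LOW", "HIGH"): "Medium",
}
RISK_ORDER = {"Note": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def exploitability(package, version):
    """Equal-weight average of rank values over every module for the package;
    a module that does not work against this version counts as Manual = 0."""
    order = VERSIONS[package]
    idx = order.index(version)
    values = []
    for _module, rank, newest_affected in EXPLOITS[package]:
        affected = idx <= order.index(newest_affected)
        values.append(RANK_VALUE[rank] if affected else RANK_VALUE["Manual"])
    return mean(values)


def level(score):
    """OWASP banding of a 0-9 score: LOW below 3, MEDIUM below 6, else HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


def rate(scenario, package, version):
    """Likelihood = mean of the six agent/vulnerability factors plus exploitability;
    impact = mean of the four impact factors plus the upgrade cost (the lab's
    single combined impact metric); severity from the OWASP matrix."""
    s = SCENARIOS[scenario]
    likelihood = mean(list(s["likelihood"].values()) + [exploitability(package, version)])
    impact = mean(list(s["impact"].values()) + [UPGRADE_COST[version]])
    return {"likelihood": likelihood, "impact": impact,
            "risk": SEVERITY[(level(impact), level(likelihood))]}


def recommend(scenario, package):
    """Version with the lowest risk rating; ties go to the newer version."""
    order = VERSIONS[package]
    return min(order, key=lambda v: (RISK_ORDER[rate(scenario, package, v)["risk"]],
                                     -order.index(v)))


if __name__ == "__main__":
    for scenario in SCENARIOS:
        for package, versions in VERSIONS.items():
            for v in versions:
                r = rate(scenario, package, v)
                print(f"Scenario {scenario} {v:12s} likelihood={r['likelihood']:.2f} "
                      f"impact={r['impact']:.2f} risk={r['risk']}")
            print(f"Scenario {scenario} {package}: recommend {recommend(scenario, package)}")
```

Two things the constructed numbers make visible that the prose alone does not: with a heavy upgrade cost folded into impact, a newer version can come out riskier than the current state (Scenario 2, Acrobat 11 rates High while Acrobat 8 rates Medium), and because the OWASP bands are coarse, several versions often land on the same rating, which is exactly when the newer-version tie-breaker decides the recommendation.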