20-CS-5156 Security Vulnerability Assessment, Spring 2017
Perform risk assessments for two adversaries
Lab 1 Aggregate Results
You are assessing the vulnerabilities in your network's current state versus upgrading its Microsoft Office or Adobe Acrobat Reader installations. You only have the staffing for one project at a time, so you will need to use the techniques described in the OWASP model, together with the data provided below, to rate the risk to your business under two threat scenarios for each upgrade option, and then make and explain your recommendation.
The two threat scenarios are as follows:
Assignment: You must calculate the risk rating (critical/high/medium/low/note) for each upgrade/no-upgrade option. You are only able to upgrade one software package with this project, so you do not need to evaluate every permutation. For each of the two threat adversary scenarios, you need to recommend which one of the packages should be upgraded and which version it should be upgraded to (as a tie-breaker, favor the newer version of the software). Use the OWASP Risk Rating Methodology as discussed in class, with one simplification to the published description: all impact factors contribute to a single impact metric, rather than the separate "technical" and "business" impacts discussed in the external link. Write up a report and submit it via Blackboard no later than 11:59PM, 2016-Jan-25 (Monday night; if you can't make it, let me know). See this link for submission instructions. If you write any supporting programs or spreadsheets, upload those as well. Any and all supporting code/notes/documentation will assist in grading if your conclusions/results differ from the grader's.
You've contracted a consulting firm to provide base impact & likelihood values for these two scenarios.
The present state is as follows:
Each version of software comes with its own vulnerabilities, which contribute as a likelihood factor. As a heuristic, your team will assess the vulnerability of each package based upon the set of Metasploit exploit modules available for it. It will be assumed that any vulnerability in a given version of the software also exists in all earlier versions.
From analyzing the module set, we identified that the following file format vulnerabilities are to be considered for the Microsoft Office software suite:
Metasploit assigns each exploit module a rank that reflects how reliably the exploit succeeds. Since exploits typically run in a variable-state environment, some will periodically crash the target program before establishing the desired access, while others succeed every time. This reliability also informs likelihood, and we will use the following rank values to convert Metasploit's ranking into our likelihood scale for each exploit:
You'll want to determine this likelihood measurement for each version of each software package. Where a vulnerability is not exploitable under a particular version of the software, use the Manual = 0 rank to measure its likelihood. Every exploit counts once when calculating its contribution to the overall "exploitability" / "ease of exploit" likelihood factor; only its rank value determines how much it contributes. In other words, average together the working exploits and the non-functional ones (counted as zeros) to establish this factor on a per-version, per-package basis.
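The following is an added worked example, not part of the course page or its handed-out data, showing one way to carry the procedure above through to a rating: it computes the "ease of exploit" factor per version from a constructed module set (a module that works against a version is assumed to work against all earlier versions, non-working ones count as Manual = 0), averages that factor with the other OWASP likelihood factors, collapses all impact factors into one metric as the assignment requires, and applies the OWASP likelihood x impact matrix. The module names, affected versions, consultant factor values and the numeric values for ranks other than Manual = 0 are all invented placeholders; substitute the class's rank table and the provided data.

```python
"""Added example: OWASP risk rating per software version driven by
Metasploit exploit ranks. Everything below except the OWASP bands/matrix
and Manual = 0 is a constructed assumption, not course data."""
from statistics import mean

# Assumed mapping from Metasploit rank names to the OWASP 0-9 scale.
# Only Manual = 0 comes from the assignment text; replace the rest with
# the rank table given in class.
RANK_VALUE = {
    "excellent": 9, "great": 8, "good": 7, "normal": 5,
    "average": 4, "low": 2, "manual": 0,
}


def band(score):
    """OWASP factor bands: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


# OWASP overall severity matrix, keyed by (likelihood band, impact band).
SEVERITY = {
    ("LOW", "LOW"): "Note",    ("MEDIUM", "LOW"): "Low",       ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low",  ("MEDIUM", "MEDIUM"): "Medium", ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium", ("MEDIUM", "HIGH"): "High",     ("HIGH", "HIGH"): "Critical",
}
SEVERITY_ORDER = {"Note": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed, hypothetical module set (names, ranks and versions invented).
# "max_affected" is the newest version a module works against; by the
# assignment's assumption every earlier version is affected as well.
OFFICE_MODULES = [
    {"name": "hypothetical_rtf_a",   "rank": "excellent", "max_affected": 2010},
    {"name": "hypothetical_ole_b",   "rank": "good",      "max_affected": 2013},
    {"name": "hypothetical_macro_c", "rank": "normal",    "max_affected": 2016},
    {"name": "hypothetical_ppt_d",   "rank": "low",       "max_affected": 2007},
]


def exploitability(modules, version):
    """Ease-of-exploit factor for one version: every module contributes,
    working ones with their rank value, non-working ones as Manual = 0."""
    scores = [RANK_VALUE[m["rank"]] if version <= m["max_affected"]
              else RANK_VALUE["manual"] for m in modules]
    return mean(scores)


def rate(modules, version, other_likelihood, impact_factors):
    """Overall OWASP rating for one version under one adversary scenario.
    other_likelihood: the seven remaining likelihood factors (skill, motive,
    opportunity, size, ease of discovery, awareness, intrusion detection).
    impact_factors: all impact factors, averaged into the single metric
    the assignment asks for."""
    likelihood = mean([exploitability(modules, version), *other_likelihood])
    impact = mean(impact_factors)
    return SEVERITY[(band(likelihood), band(impact))]


def recommend(modules, candidates, other_likelihood, impact_factors):
    """Pick the lowest-risk upgrade target; ties go to the newer version."""
    ratings = {v: rate(modules, v, other_likelihood, impact_factors)
               for v in candidates}
    best = min(candidates, key=lambda v: (SEVERITY_ORDER[ratings[v]], -v))
    return best, ratings


# Constructed consultant values for one adversary scenario (not course data).
ADVERSARY_LIKELIHOOD = [7, 6, 7, 6, 6, 7, 5]
ADVERSARY_IMPACT = [7, 5, 3, 2, 6, 4, 2, 3]

if __name__ == "__main__":
    for v in (2007, 2010, 2013, 2016):
        print(v, round(exploitability(OFFICE_MODULES, v), 2),
              rate(OFFICE_MODULES, v, ADVERSARY_LIKELIHOOD, ADVERSARY_IMPACT))
    print(recommend(OFFICE_MODULES, [2010, 2013, 2016],
                    ADVERSARY_LIKELIHOOD, ADVERSARY_IMPACT))
```

With the constructed inputs, the current state (2007) and the 2010 target both rate High, while 2013 and 2016 both drop to Medium; the tie-breaker then selects 2016. Run the same `recommend` call once per adversary scenario and per package (Office and Acrobat Reader each get their own module list) to produce the two recommendations the assignment asks for.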