OWASP includes a risk assessment for each of the Top 10 risks. Here is how they develop those assessments. This diagram introduces the basic security concepts; we use it in the first course of the specialization. OWASP assessments use pretty much the same terms, but a few of them are different. The attacker is called the threat agent in OWASP's terminology, and vulnerabilities are called weaknesses. The terms attack and attack vector retain their meaning. A successful attack damages or destroys an asset or a process. We install a defense to block attacks on one of our weaknesses; OWASP refers to these defenses as controls. To summarize: threat agents, weaknesses and controls.

OWASP structures risks, and how they manifest in a system, as a flow: a successful attack passes through all of these elements. In their model, threat agents exploit attack vectors. The OWASP Top 10 does not explicitly address either threat agents or attack vectors, because those depend a little too much on the specific technical environment you're operating in; they focus on the general, not the specific. The attack vector exploits a weakness, and the OWASP Top 10 focuses on assessing weaknesses. It assesses each risk for exploitability, prevalence and detectability. Effective controls block attacks, but not all controls block all attacks. OWASP provides a summary of recommended controls to address each risk. The Top 10 also estimates the effect of an attack on technical assets and functions, quantified as technical impact. The final piece is business impact, that is, the effect of the damage on the business; this varies with the enterprise and how it uses technology.

The OWASP assessment uses a three-point scale: exploitability, prevalence, detectability and impact are each rated on essentially the same 3, 2, 1 scale. Each risk rating is based on a technical analysis of the corresponding weakness.
Relevant CVE reports provide the details to assess technical impact, detectability and exploitability. OWASP collected and analyzed vulnerability statistics from several organizations to assess the prevalence of these various weaknesses. OWASP aggregates these four factors for each risk to assign an overall rating, and the Top 10 list appears in order from highest to lowest risk rating. This example calculates the overall rating for the sixth risk, security misconfiguration: it is essentially a matter of taking the average of exploitability, prevalence and detectability and then multiplying it by the technical impact.

Now let's look at these four factors individually. The first factor, exploitability, is also called work factor. It assesses how hard the threat agent must work to exploit the weakness. Easier weaknesses have lower work factors and thus pose higher risks. The second factor, prevalence, shows how likely the weakness is to appear in a system. If a weakness is well known and often patched, hopefully it's uncommon. Others might be widespread because there aren't easy fixes or because people just don't fix them. Detectability indicates how easily a threat agent can detect a weakness's presence in a potential target. For example, can threat agents perform simple network scans to detect the weakness in a site's software? If a weakness is tied to a particular software version and it's easy to identify the different versions of that software, then the weakness is easier to detect. In the first course of the specialization, we estimated technical impacts in terms of the CIA properties: confidentiality, integrity and availability. OWASP combines these properties when rating the technical impact factor.

Now we have numbers we can use to calculate and compare the different risks. But the OWASP model also incorporates the notion that threat agents and business impacts can affect how badly a particular risk hits your particular situation.
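As an added illustration of the arithmetic just described (this is example code written for this page, not from the course or from OWASP's own materials), the Python below rates each factor on the 3, 2, 1 scale, averages the three likelihood-side factors, multiplies by technical impact, and orders the risks the way the Top 10 list is ordered. The factor values are constructed samples; the published OWASP tables are the authority for real ratings.

```python
"""Added example: OWASP Top 10 risk-rating arithmetic.

Every factor is rated on OWASP's three-point scale (3 = worst for the
defender, 1 = least bad). The overall rating is the average of
exploitability, prevalence and detectability (the likelihood side),
multiplied by the technical impact.
"""
from dataclasses import dataclass
from typing import List

SCALE = (1, 2, 3)  # the 3, 2, 1 scale used for every factor


@dataclass(frozen=True)
class RiskFactors:
    name: str
    exploitability: int    # work factor: 3 = easy to exploit, 1 = difficult
    prevalence: int        # 3 = widespread, 1 = uncommon
    detectability: int     # 3 = easy to detect, 1 = difficult
    technical_impact: int  # combined CIA impact: 3 = severe, 1 = minor

    def __post_init__(self) -> None:
        # Reject ratings outside the 3/2/1 scale before they reach the arithmetic.
        for attr in ("exploitability", "prevalence", "detectability", "technical_impact"):
            value = getattr(self, attr)
            if value not in SCALE:
                raise ValueError(f"{self.name}: {attr}={value!r} is not on the 1..3 scale")


def likelihood(f: RiskFactors) -> float:
    """Average of the three likelihood-side factors."""
    return (f.exploitability + f.prevalence + f.detectability) / 3


def risk_rating(f: RiskFactors) -> float:
    """Overall rating: likelihood average times technical impact,
    rounded to one decimal the way the published tables present it."""
    return round(likelihood(f) * f.technical_impact, 1)


def rank_by_rating(risks: List[RiskFactors]) -> List[RiskFactors]:
    """Order risks from highest to lowest rating, as the Top 10 list is ordered."""
    return sorted(risks, key=risk_rating, reverse=True)


# Constructed sample factor values on the 3/2/1 scale (assumption: illustrative,
# not quoted from the OWASP document).
SAMPLE_RISKS = [
    RiskFactors("Injection", 3, 2, 3, 3),
    RiskFactors("Sensitive Data Exposure", 2, 3, 2, 3),
    RiskFactors("Security Misconfiguration", 3, 3, 3, 2),
    RiskFactors("Insecure Deserialization", 1, 2, 2, 3),
]

if __name__ == "__main__":
    for r in rank_by_rating(SAMPLE_RISKS):
        print(f"{r.name:28s} likelihood={likelihood(r):.2f} "
              f"impact={r.technical_impact} rating={risk_rating(r)}")
```

With the sample values, security misconfiguration averages 3.0 on the likelihood side and has a technical impact of 2, giving 6.0; the rounding step matters because the average of three integers is rarely exact in floating point.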
So we could also come up with our own way of numbering and calculating relative to threat agents and business impacts. But OWASP omitted them from their work. Maybe we can leave them off of ours too; let's think about that for a minute. We start by asking about wholesale versus focused attacks. A wholesale attack is the type that everybody on the Internet faces. These involve threat agents who systematically scan the Internet for sites with detectable vulnerabilities; sites containing the weakness they're looking for then get attacked. Focused attacks often identify an enterprise first, or particular individuals in the enterprise, and then look for weaknesses to attack that individual or those people in the enterprise.

Let's look at some famous examples. Here's a list of focused attacks mentioned earlier in the specialization. In 2011, the certificate authority DigiNotar was broken into through one of their resellers, and the result was the issuing of bogus certificates for over 500 websites, including Google. Earlier that same year, 2011, SecurID was hacked: the attacker managed to get in and steal a lot of the internal credentials that go inside those SecurID authentication tokens. If you know the credential value inside a given token, you can generate legitimate token values yourself, so this was bad for them. Then in 2015, the Office of Personnel Management was hacked and 22 million personnel records were compromised, mostly for people with security clearances. So it's not so much a matter of finance as a matter of national security. And then in 2017 we had the Equifax problem, where their software had an unpatched flaw, and that led to the compromise of the credit records of 147 million people.

Here's an overview of when and how you might integrate threat agents or business impacts into your assessment. I'll call the first option qualitative assessment.
It's probably best for organizations that seem less likely targets for focused attacks and that omit the threat agent assessment. First, you review the Top 10 risks and consider their technical relevance, given your system environment. For example, if you don't use serialized data resources, you can omit the risks associated with them. Then, for each relevant risk, look at the impact on your business activities if the system suffers from this attack. The impact indicates how seriously you should look at this risk. So it's more of a qualitative thing: you don't look at threat agents, because you assume that the threat agents are probably going to treat you about the same as they treat any other business.

The second type I call quantitative assessment. In this case, what you're doing is developing numerical estimates for the potential impact from the different threat agents and the different attacks on your business activities. This is best covered in more detail in a different course, but I just want to make sure you understand that a lot of people like to do quantitative assessments like that, and there are some really good strategies and capabilities out there for doing it.
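The qualitative assessment above is a two-step procedure: drop the Top 10 risks that are technically irrelevant to your environment, then order what remains by the business impact of a successful attack. The Python below is an added example of that procedure (not code from the course or from OWASP); the risk factor values, the sample environment, its not-applicable list and its business-impact ratings are all constructed for illustration.

```python
"""Added example: the qualitative assessment procedure.

Step 1 drops Top 10 risks that are technically irrelevant to the
environment, recording the reason; step 2 orders what remains by the
business impact of a successful attack, using the OWASP-style technical
rating only to break ties. Threat agents are deliberately not modelled,
on the assumption that they treat this organization like any other.
"""
from typing import Dict, List, Tuple

# exploitability, prevalence, detectability, technical impact, each on the 3/2/1 scale
Factors = Tuple[int, int, int, int]


def technical_rating(factors: Factors) -> float:
    """OWASP-style rating: average of the three likelihood factors times technical impact."""
    e, p, d, i = factors
    return round((e + p + d) / 3 * i, 1)


def qualitative_assessment(
    top10: Dict[str, Factors],
    not_applicable: Dict[str, str],
    business_impact: Dict[str, int],
) -> List[Tuple[str, int, float]]:
    """Return (risk, business impact, technical rating) rows, highest priority first.

    not_applicable maps a risk name to the reason it was omitted, so the
    omission is documented rather than silently dropped.
    business_impact rates every remaining risk 3 (severe) .. 1 (minor).
    """
    rows: List[Tuple[str, int, float]] = []
    for name, factors in top10.items():
        if name in not_applicable:
            continue
        if name not in business_impact:
            raise KeyError(f"no business-impact rating for applicable risk {name!r}")
        bi = business_impact[name]
        if bi not in (1, 2, 3):
            raise ValueError(f"{name}: business impact {bi!r} is not on the 1..3 scale")
        rows.append((name, bi, technical_rating(factors)))
    # Business impact decides priority; the technical rating breaks ties.
    rows.sort(key=lambda row: (row[1], row[2]), reverse=True)
    return rows


# Constructed sample factor values on the 3/2/1 scale (assumption: illustrative,
# not quoted from the OWASP document).
TOP10_SAMPLE: Dict[str, Factors] = {
    "Injection": (3, 2, 3, 3),
    "Sensitive Data Exposure": (2, 3, 2, 3),
    "XML External Entities": (2, 2, 3, 3),
    "Security Misconfiguration": (3, 3, 3, 2),
    "Insecure Deserialization": (1, 2, 2, 3),
    "Using Components with Known Vulnerabilities": (2, 3, 2, 2),
}

# Constructed environment: a web shop holding customer data that uses neither
# serialized objects nor XML input, so two risks are omitted with a reason.
NOT_APPLICABLE: Dict[str, str] = {
    "Insecure Deserialization": "no serialized data resources in use",
    "XML External Entities": "no XML parsing of external input",
}
BUSINESS_IMPACT: Dict[str, int] = {
    "Injection": 3,                 # customer database sits behind the forms
    "Sensitive Data Exposure": 3,   # payment and personal data
    "Security Misconfiguration": 2,
    "Using Components with Known Vulnerabilities": 2,
}

if __name__ == "__main__":
    for name, bi, tech in qualitative_assessment(TOP10_SAMPLE, NOT_APPLICABLE, BUSINESS_IMPACT):
        print(f"{name:44s} business={bi} technical={tech}")
    for name, reason in NOT_APPLICABLE.items():
        print(f"omitted: {name} ({reason})")
```

Keeping the omitted risks and their reasons alongside the ranked list is what makes the assessment reviewable later: when serialized data or XML input is introduced, the recorded reason no longer holds and the risk has to be reassessed.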