1
00:00:02,420 --> 00:00:07,460
Exploitability is the third vector to assess exploitability.

2
00:00:07,790 --> 00:00:12,470
You have to answer the question: how easy is it to conduct the attack?

3
00:00:14,400 --> 00:00:20,940
As was the case with reproducibility, if the attack requires expert knowledge or lots of money, we

4
00:00:20,940 --> 00:00:22,680
estimate the risk is zero.

5
00:00:24,470 --> 00:00:31,790
If it can be conducted by an average trained attacker, the risk value would be five.

6
00:00:31,850 --> 00:00:39,420
If the attack was fully automatic, we would estimate its risk at 10.

7
00:00:39,420 --> 00:00:44,920
The fourth factor concerns affected users. This issue is very often ignored.

8
00:00:46,610 --> 00:00:51,690
IT specialists usually work in small teams where everyone is well acquainted with new technologies.

9
00:00:53,800 --> 00:00:59,800
Working in such an environment makes it hard to imagine the consequences of a situation in which a small

10
00:00:59,800 --> 00:01:03,920
malfunction affects 500 or 1000 users at the same time.

11
00:01:05,680 --> 00:01:11,050
Let's imagine that the attacker tried to defeat passwords of a thousand users through an algorithm that

12
00:01:11,050 --> 00:01:19,010
automatically tries out well-known phrases. Multiple unsuccessful attempts will block the users' accounts.

13
00:01:20,740 --> 00:01:26,140
Such a simple large-scale attack creates a huge problem for the whole department or for the whole company.

14
00:01:29,930 --> 00:01:34,680
As before, we should assign the fourth factor a certain value: zero

15
00:01:34,690 --> 00:01:43,580
if the attack affected a small group of users, 5 if it affected one department, 10 if a considerable group

16
00:01:43,580 --> 00:01:45,640
of users of the system were affected.

17
00:01:54,640 --> 00:02:00,260
The discoverability factor allows us to assess how hard it is to say with certainty that the system has

18
00:02:00,260 --> 00:02:01,540
been compromised.

19
00:02:03,850 --> 00:02:07,890
Some viruses and noisy port scanning methods are easily discovered.

20
00:02:08,850 --> 00:02:14,130
Every administrator could detect them while reviewing event logs or when users point out a specific

21
00:02:14,130 --> 00:02:16,770
problem such as a system slowdown.

22
00:02:21,250 --> 00:02:26,220
Discoverability of such an attack would be assigned a value of zero.

23
00:02:26,280 --> 00:02:30,770
It should be given a 5 if the attacker requires additional operations to be discovered.

24
00:02:32,400 --> 00:02:40,550
Such operations may include reviewing the cycle of operations of a user or the attacker.

25
00:02:40,760 --> 00:02:46,520
If the attack doesn't get discovered at all, or it requires specialist tools to do so, the risk would

26
00:02:46,520 --> 00:02:57,290
be assigned the value of 10.

27
00:02:57,330 --> 00:03:02,280
In practice, assessing a threat using the DREAD model allows us to create a table similar to the one

28
00:03:02,280 --> 00:03:03,790
you can see in the slide.

29
00:03:06,620 --> 00:03:11,570
We add the values we assign to the individual risk factors for every kind of threat from the list we

30
00:03:11,570 --> 00:03:13,820
prepared in previous modules.

31
00:03:16,160 --> 00:03:23,270
The list was created on the basis of analysis of system resources, system access points and the possibility

32
00:03:23,270 --> 00:03:25,760
of resource loss.

33
00:03:25,790 --> 00:03:27,170
We divide the sums by 5.

34
00:03:27,170 --> 00:03:35,560
And in our case the results we get are 8, 5 and 7. On the basis of these numbers we assign each threat

35
00:03:35,620 --> 00:03:37,180
a different priority level.

36
00:03:38,740 --> 00:03:43,930
One of the threats to our computer system comes from SQL injection, which could give the attacker

37
00:03:43,930 --> 00:03:48,520
access to confidential information in the database.

38
00:03:48,570 --> 00:03:51,880
It's a frequent attack and many applications are susceptible to it.

39
00:03:53,190 --> 00:03:59,490
In our simulation using the DREAD model, I assigned this threat the highest level of risk and priority.

40
00:04:01,170 --> 00:04:04,300
Such an attack would be characterized by high exploitability.

41
00:04:06,140 --> 00:04:12,050
Reproducibility is also considerable, because in order to prevent the attack in the future you would

42
00:04:12,050 --> 00:04:15,920
have to modify the application, which administrators can't do.

43
00:04:17,960 --> 00:04:21,910
A firewall doesn't provide much protection against the attack.

44
00:04:22,020 --> 00:04:24,780
The number of the affected users is considerable.

45
00:04:25,170 --> 00:04:31,000
Because this is an application-layer attack, far above the level our security solutions pertain to,

46
00:04:31,040 --> 00:04:38,590
its discoverability is low. We assign to the threat the highest level of risk and give it a corresponding

47
00:04:38,590 --> 00:04:39,470
priority.

48
00:04:40,420 --> 00:04:46,060
The threat from an attack that consists of hijacking the HTTP session between the browser and the web

49
00:04:46,060 --> 00:04:49,720
server was assessed as low.

50
00:04:49,740 --> 00:04:52,910
This is a hypothetical situation that should be easily discovered.

51
00:04:55,570 --> 00:05:00,320
You can detect it by checking the validity of the certificate of the web server.

52
00:05:00,410 --> 00:05:04,720
The only high risk factor for this threat is reproducibility.

53
00:05:04,850 --> 00:05:10,040
If somebody has found a vulnerability that makes the attack possible, it won't be difficult to repeat

54
00:05:10,040 --> 00:05:10,420
it.

55
00:05:11,540 --> 00:05:17,740
The DREAD model helps us to assess threat risk. It entails susceptibility to attacks.

56
00:05:17,750 --> 00:05:20,990
The point is not to avoid risk but to manage it.