1. Introduction

This article introduces two types of risk analysis (quantitative, qualitative) and presents how to perform qualitative risk analysis with the DREAD model [1]. Finally, the Common Vulnerability Scoring System is briefly described as another approach for qualitative risk analysis [2].

2. Quantitative vs. Qualitative Risk Analysis

Quantitative risk analysis is about assigning monetary values to risk components. It’s composed of:

I. Assessing value of the asset (AV)

II. Calculating single loss expectancy (SLE), where SLE = AV x EF. EF is the exposure factor (the fraction of the asset's value lost in one incident, expressed as a percentage)

III. Calculating annualized loss expectancy (ALE), where ALE = SLE x ARO. ARO is the annual rate of occurrence (the expected number of incidents per year).

A countermeasure should not cost more per year than the ALE it reduces. This is basically how cost/benefit analysis works. Here you can read more about quantitative risk analysis [3].
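The SLE/ALE calculation and the cost/benefit check above, as an added example that is not part of the original article. The asset value, exposure factor, occurrence rate and control cost are constructed figures; the class and function names are my own.

```python
"""Quantitative risk analysis: SLE, ALE and a cost/benefit check for a countermeasure.

Added example; the figures used below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class QuantitativeRisk:
    asset_value: float        # AV, in currency units
    exposure_factor: float    # EF, fraction of AV lost per incident (0.0 - 1.0)
    annual_rate: float        # ARO, expected number of incidents per year

    def __post_init__(self) -> None:
        # Reject inputs that make the formulas meaningless.
        if self.asset_value < 0:
            raise ValueError("asset value must be non-negative")
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.annual_rate < 0:
            raise ValueError("annual rate of occurrence must be non-negative")

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE x ARO."""
        return self.sle() * self.annual_rate


def countermeasure_value(risk_before: QuantitativeRisk,
                         risk_after: QuantitativeRisk,
                         annual_cost: float) -> float:
    """Net annual benefit of a control: ALE reduction minus its yearly cost.

    Positive means the control pays for itself; negative means it costs more
    per year than the loss it prevents, which is the article's decision rule.
    """
    return risk_before.ale() - risk_after.ale() - annual_cost


if __name__ == "__main__":
    # Constructed scenario: a customer database worth 500,000; a breach loses
    # 40 % of that value; one breach is expected every five years (ARO = 0.2).
    before = QuantitativeRisk(asset_value=500_000, exposure_factor=0.40, annual_rate=0.2)
    # Constructed control: halves the breach likelihood and costs 15,000 a year.
    after = QuantitativeRisk(asset_value=500_000, exposure_factor=0.40, annual_rate=0.1)
    print(f"SLE before control: {before.sle():,.0f}")
    print(f"ALE before control: {before.ale():,.0f}")
    print(f"ALE after control:  {after.ale():,.0f}")
    print(f"Net annual value of the control: {countermeasure_value(before, after, 15_000):,.0f}")
```

With these constructed figures the control reduces ALE from 40,000 to 20,000 and costs 15,000, so it is worth 5,000 a year; the same control at 25,000 a year would fail the check.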

Qualitative risk analysis is opinion based. It uses rating values to evaluate the risk level. The DREAD model can be used to perform qualitative risk analysis. Another approach is the Common Vulnerability Scoring System (briefly described in section 5 of this article).

3. The DREAD Model

It takes into account the following items:

  • Damage potential (How much are the assets affected?)
  • Reproducibility (How easily can the attack be reproduced?)
  • Exploitability (How easily can the attack be launched?)
  • Affected users (How many users are affected?)
  • Discoverability (How easily can the vulnerability be found?)

The threat is rated by answering the aforementioned questions and assigning rating values for every item (high, medium, low). The rating values represent the severity and are expressed as numbers (3-high, 2-medium, 1-low).

The risk rating is obtained by adding rating values for all items and comparing the results with the following table:

Risk rating | Result
High        | 12 – 15
Medium      | 8 – 11
Low         | 5 – 7

4. Case Analysis with the DREAD Model

An example vulnerability in a web application is provided to better understand how DREAD works in practice. Please keep in mind that DREAD is not limited to web application vulnerabilities.

A cross-site request forgery in the admin panel allows an attacker to add a new user and to delete an existing user or all users.

Let’s analyze the ratings for the items in the DREAD model.

Item             | Rating
Damage potential | 2
Reproducibility  | 2
Exploitability   | 3
Affected users   | 3
Discoverability  | 3

Let’s add all ratings to get the risk rating. The sum is 13 (risk rating: high).

Explanation:

The admin has to visit the attacker’s website for the vulnerability to be exploited. That’s why the reproducibility is medium.

The attacker can delete all users, making the system unavailable for them. Thus the rating for affected users is high.

Deleting all users doesn’t delete all data in the system. That’s why the impact on integrity is partial. Finally, there is no impact on the confidentiality of the system, provided that the added user doesn’t have read permissions by default. Thus the rating for damage potential is medium.

The vulnerability can be easily discovered (no CSRF token, no authorization password) and exploited. That’s why the ratings for discoverability and exploitability are high.
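The DREAD scoring from section 3 applied to the CSRF case above, as an added example that is not code from the original article. The rating bands (high 12–15, medium 8–11, low 5–7) and the five ratings for the CSRF case are taken from the article; the class and function names, and the `prioritize` helper that ranks several threats by their score, are my own.

```python
"""DREAD qualitative risk rating.

Added example implementing the scoring the article describes. The rating
bands and the CSRF case ratings are the article's; the names are mine.
"""
from dataclasses import dataclass, fields
from typing import Dict, List, Tuple

HIGH, MEDIUM, LOW = 3, 2, 1


@dataclass(frozen=True)
class DreadRating:
    damage_potential: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        # Each item must be rated 3 (high), 2 (medium) or 1 (low).
        for f in fields(self):
            value = getattr(self, f.name)
            if value not in (LOW, MEDIUM, HIGH):
                raise ValueError(f"{f.name} must be 1 (low), 2 (medium) or 3 (high), got {value!r}")

    def score(self) -> int:
        """Sum of the five item ratings (5 to 15)."""
        return sum(getattr(self, f.name) for f in fields(self))

    def risk_level(self) -> str:
        """Map the sum onto the article's bands: 12-15 high, 8-11 medium, 5-7 low."""
        total = self.score()
        if total >= 12:
            return "High"
        if total >= 8:
            return "Medium"
        return "Low"


def prioritize(threats: Dict[str, DreadRating]) -> List[Tuple[str, int, str]]:
    """Order several rated threats by score, highest first, for triage."""
    ranked = [(name, r.score(), r.risk_level()) for name, r in threats.items()]
    return sorted(ranked, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    # The article's case: CSRF in the admin panel.
    csrf_admin = DreadRating(damage_potential=MEDIUM, reproducibility=MEDIUM,
                             exploitability=HIGH, affected_users=HIGH, discoverability=HIGH)
    # Constructed second threat for comparison (ratings are illustrative, not from the article).
    verbose_errors = DreadRating(damage_potential=LOW, reproducibility=HIGH,
                                 exploitability=LOW, affected_users=LOW, discoverability=MEDIUM)
    for name, total, level in prioritize({"CSRF in admin panel": csrf_admin,
                                          "Verbose error pages": verbose_errors}):
        print(f"{name}: {total} ({level})")
```

The CSRF case sums to 13 and lands in the high band, matching the article; the constructed second threat sums to 8 and is medium, so it sorts below the CSRF finding.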

5. Common Vulnerability Scoring System (CVSS) Version 2.0

Let’s briefly discuss another approach for qualitative risk analysis. CVSS Version 2.0 is an open framework for scoring IT vulnerabilities. It’s composed of three metric groups:

I. Base (describes the fundamental characteristics of the vulnerability: its exploitability and its impact).

II. Temporal (time is taken into account when the severity of the vulnerability is assessed; for example, the severity decreases once an official patch is available).

III. Environmental (the deployment environment is taken into account when the severity of the vulnerability is assessed; for example, the more systems affected by the vulnerability, the higher the severity).

Let’s focus on base metrics, which are composed of:

  • Exploitability metrics: Access Vector (AV), Access Complexity (AC), Authentication (Au)
  • Impact metrics: Confidentiality (C), Integrity (I), Availability (A)

A value is assigned to each of these metrics. Then the base score is calculated from the exploitability and impact subscores. It ranges from 0 to 10, where 10 means the highest severity. This is how CVSS Version 2.0 basically works. Here you can read more about the Common Vulnerability Scoring System [4].

6. Summary

Two types of risk analysis were introduced (quantitative, qualitative). It was presented how to perform qualitative risk analysis with the DREAD model. Finally, the Common Vulnerability Scoring System was briefly described as another approach for qualitative risk analysis.

References:

[1] DREAD model

http://msdn.microsoft.com/en-us/library/aa302419.aspx#c03618429_011 (access date: 16 May 2014)

[2] A Complete Guide to the Common Vulnerability Scoring System Version 2.0

http://www.first.org/cvss/cvss-guide.html (access date: 16 May 2014)

[3] Quantitative risk analysis

http://resources.infosecinstitute.com/quantitative-risk-analysis/ (access date: 16 May 2014)

[4] Common Vulnerability Scoring System

http://resources.infosecinstitute.com/common-vulnerability-scoring-system/ (access date: 16 May 2014)