
Qualitative risk analysis with the DREAD model

May 21, 2014 by Dawid Czagan

This article introduces two types of risk analysis (quantitative, qualitative) and presents how to perform qualitative risk analysis with the DREAD model. Finally, the Common Vulnerability Scoring System is briefly described as another approach for qualitative risk analysis.

Quantitative vs. qualitative risk analysis

Quantitative risk analysis is about assigning monetary values to risk components. It's composed of:

I. Assessing the value of the asset (AV).

II. Calculating the single loss expectancy (SLE), where SLE = AV x EF and EF is the exposure factor (the percentage of the asset's value lost in a single incident).

III. Calculating the annualized loss expectancy (ALE), where ALE = SLE x ARO and ARO is the annual rate of occurrence (how many times per year the incident is expected to happen).

The annual cost of a countermeasure should not exceed the ALE; this is the basis of cost/benefit analysis. Here you can read more about quantitative risk analysis.

Qualitative risk analysis is opinion-based. It uses rating values to evaluate the risk level. The DREAD model can be used to perform qualitative risk analysis. Another approach is the Common Vulnerability Scoring System (briefly described in the CVSS section later in this article).

The DREAD model

The DREAD model takes into account the following items:

  • Damage potential (How much are the assets affected?)
  • Reproducibility (How easily can the attack be reproduced?)
  • Exploitability (How easily can the attack be launched?)
  • Affected users (How many users are affected?)
  • Discoverability (How easily can the vulnerability be found?)

The threat is rated by answering the aforementioned questions and assigning a rating value (high, medium, low) to each item. The rating values represent the severity and are expressed as numbers (3 - high, 2 - medium, 1 - low).

The risk rating is obtained by adding rating values for all items and comparing the results with the following table:

Risk rating   Result
High          12 - 15
Medium        8 - 11
Low           5 - 7

Case analysis with the DREAD model

An example web application vulnerability is used to better understand how DREAD works in practice. Please keep in mind that DREAD is not limited to web application vulnerabilities.

Cross-site request forgery in the admin panel allows us to add a new user and delete an existing user or all users.

Let's analyze the ratings for the items in the DREAD model.

Item               Rating
Damage potential   2
Reproducibility    2
Exploitability     3
Affected users     3
Discoverability    3

Let's add all ratings to get the risk rating. The sum is 13 (risk rating: high).

Explanation:

The admin has to visit the attacker's website for the vulnerability to be exploited. That's why the reproducibility is medium.

The attacker can delete all users, making the system unavailable for them. Thus the rating for affected users is high.

Deleting all users doesn't delete all data in the system. That's why the impact on integrity is partial. Finally, there is no impact on the confidentiality of the system, provided that the added user doesn't have read permissions by default. Thus the rating for damage potential is medium.

The vulnerability can be easily discovered (no CSRF token, no authorization password) and exploited. That's why the ratings for discoverability and exploitability are high.
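To make the scoring rule above mechanical and repeatable, here is an added example (not code from the article or its author) that implements the DREAD sum and the high/medium/low bands, validates that every threat is rated on exactly the five items with values 1-3, and orders a list of threats for remediation. The input reproduces the article's CSRF case (2, 2, 3, 3, 3) alongside two hypothetical threats and their ratings, which are constructed for illustration and not taken from the article.

```python
"""DREAD qualitative risk rating, as described in the article.

Each item is rated 1 (low), 2 (medium) or 3 (high); the five ratings are
summed and the sum is mapped to a risk rating: 12-15 high, 8-11 medium,
5-7 low.
"""
from dataclasses import dataclass

DREAD_ITEMS = ("damage_potential", "reproducibility", "exploitability",
               "affected_users", "discoverability")
RATING_VALUES = {"low": 1, "medium": 2, "high": 3}

# Risk rating thresholds from the article's table (inclusive ranges).
RISK_BANDS = (("high", 12, 15), ("medium", 8, 11), ("low", 5, 7))


@dataclass(frozen=True)
class DreadScore:
    threat: str
    total: int
    risk: str


def rating_value(value):
    """Accept either a numeric rating (1-3) or its label (low/medium/high)."""
    if isinstance(value, str):
        try:
            return RATING_VALUES[value.lower()]
        except KeyError:
            raise ValueError(f"unknown rating label: {value!r}") from None
    if value not in (1, 2, 3):
        raise ValueError(f"rating must be 1, 2 or 3, got {value!r}")
    return int(value)


def risk_rating(total):
    """Map the summed rating to the article's high/medium/low bands."""
    for name, low, high in RISK_BANDS:
        if low <= total <= high:
            return name
    raise ValueError(f"total {total} is outside the DREAD range 5-15")


def dread_score(threat, ratings):
    """Score one threat; `ratings` must contain exactly the five DREAD items."""
    missing = set(DREAD_ITEMS) - set(ratings)
    extra = set(ratings) - set(DREAD_ITEMS)
    if missing or extra:
        raise ValueError(f"missing items {sorted(missing)}, "
                         f"unexpected items {sorted(extra)}")
    total = sum(rating_value(ratings[item]) for item in DREAD_ITEMS)
    return DreadScore(threat, total, risk_rating(total))


def prioritize(threats):
    """Score {threat name: ratings} and order highest risk first; equal sums
    are broken by damage potential so the most harmful threat leads."""
    scored = [dread_score(name, r) for name, r in threats.items()]
    return sorted(scored, key=lambda s: (
        -s.total, -rating_value(threats[s.threat]["damage_potential"]), s.threat))


# Constructed input: the article's CSRF case plus two hypothetical threats
# (their names and ratings are illustrative, not from the article).
THREATS = {
    "CSRF in admin panel (article's case)": {
        "damage_potential": 2, "reproducibility": 2, "exploitability": 3,
        "affected_users": 3, "discoverability": 3},
    "Verbose error page leaks stack traces": {
        "damage_potential": "low", "reproducibility": "high",
        "exploitability": "high", "affected_users": "low",
        "discoverability": "high"},
    "Weak password reset token": {
        "damage_potential": "high", "reproducibility": "high",
        "exploitability": "medium", "affected_users": "high",
        "discoverability": "medium"},
}

if __name__ == "__main__":
    for s in prioritize(THREATS):
        print(f"{s.total:2d}  {s.risk:<6}  {s.threat}")
```

The tie-break is a deliberate design choice: two threats can both sum to 13, and treating the one with higher damage potential first is usually what a remediation queue wants, whereas the plain DREAD sum would leave the order to chance.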

Common Vulnerability Scoring System (CVSS) version 2.0

Let's briefly discuss another approach to qualitative risk analysis. CVSS version 2.0 is an open framework for scoring IT vulnerabilities. It's composed of three metric groups:

I. Base (describes the fundamental properties of the vulnerability: its exploitability and impact).

II. Temporal (takes time into account when the severity of the vulnerability is assessed; for example, the severity decreases once an official patch is available).

III. Environmental (takes the affected environment into account when the severity of the vulnerability is assessed; for example, the more systems affected by the vulnerability, the higher the severity).

Let's focus on base metrics, which are composed of:

  • Exploitability metrics: Access Vector (AV), Access Complexity (AC), Authentication (Au)
  • Impact metrics: Confidentiality (C), Integrity (I), Availability (A)

Each metric is assigned one of its defined values, and the base score is then calculated from the exploitability and impact subscores. It ranges from 0 to 10, where 10 means the highest severity. This is how CVSS version 2.0 basically works. Here you can read more about the Common Vulnerability Scoring System.
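As an added example (not code from the article or its author), the following implements the CVSS v2.0 base score from the six base metrics listed above, using the metric weights and formulas of the CVSS v2.0 specification: the impact and exploitability subscores are computed separately and combined, and a vulnerability with no impact at all scores 0. The parser rejects vectors with missing, duplicate or unknown metrics. The vector `AV:N/AC:M/Au:N/C:N/I:P/A:P` used in the demo is my own mapping of the article's CSRF case (network access, medium complexity because the admin must be lured to a page, no authentication, partial integrity and availability impact, no confidentiality impact); the article itself does not give a CVSS vector for that case. The Low/Medium/High bands in `severity` are the ones NVD applies to v2 scores, not part of the CVSS formula.

```python
"""CVSS v2.0 base score calculator (metric weights from the CVSS v2.0 spec)."""
import math

# Exploitability metric weights.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}     # Local, Adjacent network, Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}  # High, Medium, Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}    # Multiple, Single, None
# Impact metric weights, shared by Confidentiality, Integrity and Availability.
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}            # None, Partial, Complete

BASE_METRICS = {"AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
                "C": IMPACT, "I": IMPACT, "A": IMPACT}


def round_to_1_decimal(x):
    """Round half up to one decimal place, as the specification requires."""
    return math.floor(x * 10 + 0.5) / 10


def parse_vector(vector):
    """Parse 'AV:N/AC:M/Au:N/C:N/I:P/A:P' into {metric: value}, rejecting
    missing, duplicate or unknown metrics and values."""
    metrics = {}
    for part in vector.split("/"):
        name, sep, value = part.partition(":")
        if not sep or name not in BASE_METRICS:
            raise ValueError(f"unknown metric in vector: {part!r}")
        if name in metrics:
            raise ValueError(f"duplicate metric: {name}")
        if value not in BASE_METRICS[name]:
            raise ValueError(f"invalid value {value!r} for metric {name}")
        metrics[name] = value
    missing = set(BASE_METRICS) - set(metrics)
    if missing:
        raise ValueError(f"missing metrics: {sorted(missing)}")
    return metrics


def subscores(metrics):
    """Return (impact subscore, exploitability subscore) per the v2.0 formulas."""
    impact = 10.41 * (1 - (1 - IMPACT[metrics["C"]])
                        * (1 - IMPACT[metrics["I"]])
                        * (1 - IMPACT[metrics["A"]]))
    exploitability = (20 * ACCESS_VECTOR[metrics["AV"]]
                      * ACCESS_COMPLEXITY[metrics["AC"]]
                      * AUTHENTICATION[metrics["Au"]])
    return impact, exploitability


def base_score(vector):
    """Compute the base score (0.0-10.0) for a base vector string."""
    impact, exploitability = subscores(parse_vector(vector))
    f_impact = 0 if impact == 0 else 1.176   # no impact at all -> score 0
    return round_to_1_decimal(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def severity(score):
    """NVD's severity bands for v2 scores (assumption: not part of the formula)."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


if __name__ == "__main__":
    # Constructed vectors: the first is my own mapping of the article's CSRF case.
    for v in ("AV:N/AC:M/Au:N/C:N/I:P/A:P",
              "AV:N/AC:L/Au:N/C:P/I:P/A:P",
              "AV:N/AC:L/Au:N/C:C/I:C/A:C"):
        s = base_score(v)
        print(f"{v}  base score {s:4.1f}  ({severity(s)})")
```

Comparing the two models on the same CSRF case is instructive: DREAD's 13/15 lands in its "high" band, while the CVSS v2 vector above scores 5.8, which NVD would label Medium. Neither is wrong; DREAD's bands are coarse and opinion-driven, while CVSS separates the partial integrity and availability impact from the ease of exploitation. That difference is why an organisation should pick one scheme and apply it consistently rather than mixing ratings from both.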

Summary

Two types of risk analysis were introduced (quantitative and qualitative), and it was shown how to perform qualitative risk analysis with the DREAD model. Finally, the Common Vulnerability Scoring System was briefly described as another approach to qualitative risk analysis.

Dawid Czagan

Dawid Czagan (@dawidczagan) has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter, BlackBerry and other companies. Due to the severity of many bugs, he received numerous awards for his findings.

Dawid is founder and CEO at Silesia Security Lab, which delivers specialized security auditing services with a results-driven approach. He also works as Security Architect at Future Processing.

Dawid shares his bug hunting experience in his workshop entitled "Hacking web applications - case studies of award-winning bugs in Google, Yahoo, Mozilla and more". To find out about the latest in Dawid's work, you are invited to visit his blog (https://silesiasecuritylab.com/blog) and follow him on Twitter (@dawidczagan).