Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
3/2017
Sergiu SECHEL
Bucharest University of Economic Studies
sergiu.sechel@gmail.com
The aim of this research is to propose a quantitative risk modeling method that reduces the
guess work and uncertainty from the vulnerability and risk assessment activities of web based
applications while providing users the flexibility to assess risk according to their risk appetite
and tolerance with a high degree of assurance. The research method is based on the research
done by the OWASP Foundation on this subject but their risk rating methodology needed de-
bugging and updates in different in key areas that are presented in this paper. The modified
risk modeling method uses Monte Carlo simulations to model risk characteristics that can’t be
determined without guess work and it was tested in vulnerability assessment activities on real
production systems and in theory by assigning discrete uniform assumptions to all risk charac-
teristics (risk attributes) and evaluate the results after 1.5 million rounds of Monte Carlo sim-
ulations.
Keywords: Vulnerabilities, Quantitative Risk, Web Applications, Monte Carlo, Stochastic Sys-
tems, Cybersecurity
1 Introduction
Web based business applications are be-
coming the preferred way of conducting day
while providing users the flexibility to assess
risk according to their risk appetite and toler-
ance with a high degree of assurance. The re-
to day business activities as part of a digital search method is based on the research done
business model. As such, there is a growing by the OWASP Foundation on this subject but
concern related to data breaches that affected their risk rating methodology needed debug-
major digital businesses in the past years. An ging and updates in different in key areas that
updated list of the world biggest data breaches are presented in this paper. The modified risk
is available at World's Biggest Data Breaches modeling method uses Monte Carlo simula-
[1]. An cybersecurity report published by tions to model risk characteristics that can’t be
Ernst & Young in 2017 shows that poor risk determined without guess work and it was
assessment and management practices are a tested in vulnerability assessment activities on
big cause for data breaches and cyberattacks: real production systems and in theory by as-
“With the quality of reporting being so low, it signing discrete uniform assumptions to all
is no surprise that 52% of responders think risk characteristics (risk attributes) and evalu-
their boards are not fully knowledgeable about ate the results after 1.5 million rounds of
the risks the organization is taking and the Monte Carlo simulations.
measures that are in place. In other words, our
survey suggests that about half of all 2 Methodology
boards.”[2] Most organizations are using su- We utilized the OWASP Risk Rating Method-
perficial qualitative risk management method- ology [3] as a starting point for the risk mod-
ologies when they are assessing IT related eling activities because is widespread use
risks using formulas that require a lot of guess among web application cybersecurity special-
work and allow for high level of uncertainty ists. The OWASP [4] is a community driven
with low assurance. The aim of this research not for profit group that aims to improve the
is to propose a quantitative risk modeling security of web based applications, and they
method that reduces the guess work and un- periodically publish the classification report
certainty from the vulnerability and risk as- OWASP Top 10 Most Critical Web Applica-
sessment activities of web based applications tion Security Risks, summarized in Table 1.
DOI: 10.12948/issn14531305/21.3.2017.02
Informatica Economică vol. 21, no. 3/2017 17
Table 1. OWASP Top 10 Most Critical Web Application Security Risks Summary
OWASP ID Description
Injection flaws, such as SQL, OS, XXE, and LDAP injection occur when
A1 untrusted data is sent to an interpreter as part of a command or query. The
Injection attacker’s hostile data can trick the interpreter into executing unintended
commands or accessing data without proper authorization.
A2 Application functions related to authentication and session management are
Broken Au- often implemented incorrectly, allowing attackers to compromise passwords,
thentication keys, or session tokens, or to exploit other implementation flaws to assume
and Session other users’ identities (temporarily or permanently).
Management
XSS flaws occur whenever an application includes untrusted data in a new
A3
web page without proper validation or escaping, or updates an existing web
Cross-Site
page with user supplied data using a browser API that can create JavaScript.
Scripting
XSS allows attackers to execute scripts in the victim’s browser which can
(XSS)
hijack user sessions, deface web sites, or redirect the user to malicious sites.
A4 Restrictions on what authenticated users are allowed to do are not properly
Broken Ac- enforced. Attackers can exploit these flaws to access unauthorized function-
cess ality and/or data, such as access other users' accounts, view sensitive files,
Control modify other users’ data, change access rights, etc.
Good security requires having a secure configuration defined and deployed
A5
for the application, frameworks, application server, web server, database
Security
server, platform, etc. Secure settings should be defined, implemented, and
Misconfigu-
maintained, as defaults are often insecure. Additionally, software should be
ration
kept up to date.
Many web applications and APIs do not properly protect sensitive data, such
A6
as financial, healthcare, and PII. Attackers may steal or modify such weakly
Sensitive
protected data to conduct credit card fraud, identity theft, or other crimes.
Data
Sensitive data deserves extra protection such as encryption at rest or in
Exposure
transit, as well as special precautions when exchanged with the browser.
The majority of applications and APIs lack the basic ability to detect, pre-
A7
vent, and respond to both manual and automated attacks. Attack protection
Insufficient
goes far beyond basic input validation and involves automatically detecting,
Attack Pro-
logging, responding, and even blocking exploit attempts. Application owners
tection
also need to be able to deploy patches quickly to protect against attacks.
A CSRF attack forces a logged-on victim’s browser to send a forged HTTP
A8
request, including the victim’s session cookie and any other automatically
Cross-Site
included authentication information, to a vulnerable web application. Such
Request For-
an attack allows the attacker to force a victim’s browser to generate requests
gery (CSRF)
the vulnerable application thinks are legitimate requests from the victim.
A9 Components, such as libraries, frameworks, and other software modules, run
Using Com- with the same privileges as the application. If a vulnerable component is ex-
ponents with ploited, such an attack can facilitate serious data loss or server takeover. Ap-
Known plications and APIs using components with known vulnerabilities may un-
Vulnerabili- dermine application defenses and enable various attacks and impacts.
ties
Modern applications often involve rich client applications and APIs, such as
A10
JavaScript in the browser and mobile applications that connect to an API of
Under pro-
some kind (SOAP/XML, REST/JSON, RPC, GWT, etc.). These APIs are
tected API’s
often unprotected and contain numerous vulnerabilities.
DOI: 10.12948/issn14531305/21.3.2017.02
18 Informatica Economică vol. 21, no. 3/2017
The OWASP Risk Rating Methodology as- the measures descriptions and although argu-
sumes that a discovered vulnerability will im- ments can be made for and against how each
pact a web application on 2 main areas: tech- measures description was chosen in the end
nical and business; and to determine the prob- the OWASP community reached a consensus.
ability that a vulnerability will be exploited it The risk modeling methodology used in this
measures the likelihood of an attack by deter- research is based on OWASP Risk Rating
mining the vulnerability profile (vulnerability Methodology (presented above) with the fol-
assessment) and the threat agent profile (what lowing modifications to eliminate inherited
type of agent will use that vulnerability in an errors and bias:
attack. By design the OWASP Risk Rating the scale score presented in Table 2 uses
Methodology ask the cybersecurity specialist only the 1-9 scored scale, while the origi-
do determine by itself or with help of peers nal OWASP Risk Rating Methodology
how a discovered vulnerability should score uses a 0-9 scored scale, which in my opin-
on each of the 4 risk subcomponents. Each of ion is not needed since the discovery of a
the 4 risk subcomponents has 4 attributes cat- vulnerability can’t have a 0 score from
egories that are presented in the Table 7 any risk methodology perspective;
through Table 22, and each attributes category the classification rational between the 4
has 1-9 scored scale that measures the severity risk subcomponents is changed from the
of that attribute. For each attributes category OWASP Risk Rating Methodology by as-
the global OWASP community collectively suming that the Threat Agent Profile and
determined how many positions to be meas- the Business Impact subcomponent are
ured. Each category attribute receives a score difficult to determine for a discovered
from 1(0.125) to 9 (1.125), and then the risk vulnerability without bias, Table 3;
subcomponents and risk components are all the attributes that are difficult to deter-
quantitatively determined using the formulas mine through human rational thinking
from Table 4 while the qualitative scale is pre- and experience are determined using
sented in Table 5 and the qualitative risk ma- Monte Carlo simulations using the Oracle
trix is presented in Table 7. For each attribute Crystal Ball software [5].
category the OWASP community determined
DOI: 10.12948/issn14531305/21.3.2017.02
Informatica Economică vol. 21, no. 3/2017 19
DOI: 10.12948/issn14531305/21.3.2017.02
20 Informatica Economică vol. 21, no. 3/2017
DOI: 10.12948/issn14531305/21.3.2017.02
Informatica Economică vol. 21, no. 3/2017 21
DOI: 10.12948/issn14531305/21.3.2017.02
22 Informatica Economică vol. 21, no. 3/2017
Table 23. Methodology validation results using 1.500.000 rounds of Monte Carlo simulations
Statistics Risk Score Percentiles Risk Score
Trials 1500000 0% 0.4922
Base Case 0.0000 5% 1.8594
Mean 3.2641 10% 2.1191
Median 3.1992 15% 2.3125
Mode 3.2813 20% 2.4609
Standard Deviation 0.9262 25% 2.6016
Variance 0.8578 30% 2.7344
Skewness 0.3991 35% 2.8477
Kurtosis 3.10 40% 2.9648
Coefficient of Variation 0.2837 45% 3.0938
Minimum 0.4922 50% 3.1992
Maximum 8.8984 55% 3.3203
Range Width 8.4063 60% 3.4434
Mean Std. Error 0.0008 65% 3.5801
70% 3.6953
75% 3.8594
80% 4.0332
85% 4.2227
DOI: 10.12948/issn14531305/21.3.2017.02
Informatica Economică vol. 21, no. 3/2017 23
90% 4.4922
95% 4.8809
100% 8.8984
100000
80000
60000
40000
20000
0
0,6595055
2,0047745
1,33214
2,677409
3,3500435
4,022678
4,6953125
5,367947
6,0405815
6,713216
7,3858505
8,058485
8,7311195
0,99582275
1,66845725
2,34109175
3,01372625
3,68636075
4,35899525
5,03162975
5,70426425
6,37689875
7,04953325
7,72216775
8,39480225
Fig. 1. Methodology validation distribution graph
DOI: 10.12948/issn14531305/21.3.2017.02
24 Informatica Economică vol. 21, no. 3/2017
penetration testing activities for each of the 3 available data and which needed Monte Carlo
entities in the past 6 months. The automated simulations to determine a correct risk score.
tool Acunetix Web Vulnerability Scanner [6] For all 3 vulnerabilities 12 attribute categories
was used to perform initial vulnerability dis- were accurately determine while 6 attribute
covery and Kali Linux [7] with Metasploit [8] categories needed Monte Carlo simulations to
was used to manually validate in what circum- determine the correct risk score. In Table 24
stances each vulnerability can be exploited. all attribute categories marked with M.C. were
The assumptions presented in Table 24 were calculated using Monte Carlo (M.C.) simula-
used to determine which of the attribute cate- tions.
gories can be determined accurately using
Table 24. The risk score template that was used for the risk modeling experiments
Risk
Risk Subcomponent Score Risk Subcomponent Score
Component
Threat Actor Skill Level M.C. Motive M.C.
Profile Opportunity 0 Relationship 0
Vulnerability Ease of discovery 0 Ease of exploit 0
Profile Awareness 0 Intrusion detection 0
Technical Loss of confidentiality 0 Loss of integrity 0
Impact Loss of availability 0 Loss of accountability 0
Business Financial damage M.C. Reputation damage M.C.
Impact Non-compliance M.C. Privacy violation M.C.
4.1 Case 1 – Electronic Banking System – vulnerability. The mean impact score is 5.21
Time Based SQL Injection Vulnerability (MEDIUM), the mean likelihood score is 6.91
In the web based portal for an electronic bank- (HIGH) and the mean risk score is 4.50 (ME-
ing system a time based SQL Injection vulner- DIUM), as presented in the Table 26. Alt-
ability was discovered and validated using the hough the quantitative analysis calculated a
tool SQLMAP [9]. SQL injection is a vulner- mean risk score of 4.50, using the percentiles
ability that allows an attacker to alter back- assurance values from Table 27 the organiza-
end SQL statements by manipulating the user tion can eliminate or keep a level of uncer-
input. An SQL injection occurs when web ap- tainty depending on their risk appetite. In this
plications accept user input that is directly case the organization had a very low risk ap-
placed into a SQL statement and doesn't petite given the importance of their electronic
properly filter out dangerous characters [10]. banking system to their business model and
The vulnerability was successfully exploited business reputation and they wanted 100% as-
and the client’s database was extracted from surance, meaning that the vulnerability risk
the electronic banking system portal. In the score was officially 6.25 (HIGH) with an im-
Table 25 all the known assumptions for the at- pact score of 6.25 (HIGH) and a likelihood
tributes categories were determined and then score of 8.00 (HIGH). The organization im-
using Oracle Crystal Ball we calculated the mediately allocated the resources, time and
risk profile for the time based SQL injection budget to repair the vulnerability.
DOI: 10.12948/issn14531305/21.3.2017.02
Informatica Economică vol. 21, no. 3/2017 25
DOI: 10.12948/issn14531305/21.3.2017.02
26 Informatica Economică vol. 21, no. 3/2017
4.2 Case 2 – Supply Chain Ordering System score is 6.31 (HIGH), the mean likelihood
– Joomla! Core Remote Code Execution score is 7.03 (HIGH) and the mean risk score
In the web based application for a supply is 5.57 (MEDIUM), as presented in the Table
chain ordering system a Joomla! Core Remote 29. Although the quantitative analysis calcu-
Code Execution (1.5.0 - 3.4.5) vulnerability lated a mean risk score of 5.57, using the per-
was discovered and validated using various centiles assurance values from Table 30 the
Metasploit modules. Joomla! is prone to a re- organization can eliminate or keep a level of
mote code execution vulnerability because it uncertainty depending on their risk appetite.
fails to sufficiently sanitize user-supplied in- In this case the organization had a low risk ap-
put. Successful exploitation may allow attack- petite given the importance of their supply
ers to execute arbitrary commands with the chain ordering system to their business model
privileges of the user running the application, and business reputation and they wanted 80%
to compromise the application or the underly- assurance, meaning that the vulnerability risk
ing database, to access or modify data or to score was officially 6.10 (HIGH) with an im-
compromise a vulnerable system. [11] In the pact score of 6.75 (HIGH) and a likelihood
Table 28 all the known assumptions for the at- score of 7.50 (HIGH). The results were pre-
tributes categories were determined and then sented to the organization’s management who
using Oracle Crystal Ball we calculated the allocated the resources, time and budget to re-
risk profile for the Joomla core remote code pair the vulnerability.
execution vulnerability. The mean impact
DOI: 10.12948/issn14531305/21.3.2017.02
Informatica Economică vol. 21, no. 3/2017 27
4.3 Case 3 – Online E-Commerce Website – or substitute a link to a file, to cause the af-
Drupal Core 8.0.x Multiple Vulnerabilities fected website to consume memory and CPU
In the web based e-commerce application por- resources by blocking file uploads, thus deny-
tal chained Drupal vulnerabilities were dis- ing service to legitimate users, to redirect us-
covered and validated with Kali Linux using a ers to arbitrary web sites and conduct phishing
combination of manual and automated tools. attacks or to obtain sensitive information that
Drupal is prone to multiple vulnerabilities, in- may help in launching further attacks. Drupal
cluding security bypass, denial of service, Core versions 8.0.x ranging from 8.0.0 and up
open redirect and information disclosure vul- to and including 8.0.3 are vulnerable. [12] In
nerabilities. Exploiting these issues could al- the Table 31 all the known assumptions for the
low an attacker to perform otherwise re- attributes categories were determined and
stricted actions and subsequently view, delete then using Oracle Crystal Ball we calculated
DOI: 10.12948/issn14531305/21.3.2017.02
28 Informatica Economică vol. 21, no. 3/2017
the risk profile for the chained Drupal vulner- given the importance of their e-commerce ap-
abilities. The mean impact score is 5.96 (ME- plication portal to their business model and
DIUM), the mean likelihood score is 7.03 business reputation and they wanted 100% as-
(HIGH) and the mean risk score is 5.24 (ME- surance, meaning that the vulnerability risk
DIUM), as presented in the Table 32. Alt- score was officially 7.10 (HIGH) with an im-
hough the quantitative analysis calculated a pact score of 7.00 (HIGH) and a likelihood
mean risk score of 5.96, using the percentiles score of 7.10 (HIGH). The results were pre-
assurance values from Table 33 the organiza- sented to the organization’s management who
tion can eliminate or keep a level of uncer- allocated the resources, time and budget to re-
tainty depending on their risk appetite. In this pair the vulnerability.
case the organization had a low risk appetite
DOI: 10.12948/issn14531305/21.3.2017.02
Informatica Economică vol. 21, no. 3/2017 29
5 Conclusions http://www.informationisbeauti-
The experimental results show that the pro- ful.net/visualizations/worlds-biggest-
posed web application risk modeling method data-breaches-hacks/
can deliver reliable results related to quantita- [2] EY Global Information Security Survey
tive risk assessment that enable users to take 2016. Available:
better decisions on how to manage their web http://www.ey.com/gl/en/services/advi-
applications risks. The available literature on sory/ey-global-information-security-sur-
this particular subject is very limited, most of vey-2016
the research revolving around comparative [3] OWASP Risk Rating Methodology. Avail-
studies between risk management frameworks able: https://www.owasp.org/in-
like the Core Unified Risk Framework [13] or dex.php/OWASP_Risk_Rating_Method-
on improving the IT risk assessment model ology
proposed by NIST [14]. Since the most wide- [4] OWASP Foundation. Available:
spread risk assessment model relies on the an- https://www.owasp.org/in-
nual loss expectancy (ALE) and single loss dex.php/Main_Page
expectancy (SLE) [15] formulas that in prac- [5] Oracle Crystal Ball. Available:
tice involve accepting a high level of uncer- http://www.oracle.com/us/products/appli-
tainty most organizations are relying solely on cations/crystalball/overview/index.html
the qualitative risk assessment models and are [6] Acunetix Web Vulnerability Scanner.
classifying risk in ranges from low to high or Available: https://www.acunetix.com/
critical. The quantitative risk modeling [7] Kali Linux. Available:
method described in this research is consider- https://www.kali.org/
ably reducing the guess work and uncertainty [8] Rapid 7 Metasploit. Available:
from the risk assessment activities while https://www.metasploit.com/
providing sufficient flexibility to users to [9] SQLMAP. Available: http://sqlmap.org/
model risks according to their risk posture [10] SQL Injection Vulnerability. Available:
(appetite and tolerance) by using high rounds https://www.acunetix.com/vulnerabili-
of Monte Carlo simulations on 1 and up to 16 ties/web/sql-injection
risk attributes. [11] Joomla remote code execution. Availa-
ble: https://www.acunetix.com/vulnera-
7 References bilities/web/joomla-core-remote-code-ex-
[1] World Biggest Data Breaches. Available: ecution-1-5-0-3-4-5
DOI: 10.12948/issn14531305/21.3.2017.02
30 Informatica Economică vol. 21, no. 3/2017
Sergiu SECHEL has graduated the Faculty of Automation and Applied Com-
puter Sciences in 2009. He is a PhD Candidate in Economy Informatics at the
Bucharest University of Economic Sciences and an Advisory Manager at EY
(Ernst & Young). His areas of research are cybersecurity, audit, risk manage-
ment and malware research.
DOI: 10.12948/issn14531305/21.3.2017.02
Reproduced with permission of copyright owner.
Further reproduction prohibited without permission.