CALCULATE THE WINDOW OF VULNERABILITY

A security breach has been identified within a small Microsoft workgroup LAN. The LAN consists of three primary workgroups whose group membership lists of users are maintained in the Active Directory infrastructure that currently exists on the SMB server located within the LAN.
A security breach is defined as any event that results in a violation of any of the CIA (confidentiality, integrity, availability) security principles. This breach was caused by the SMB server being accessed by an unauthorized user through a security hole that the server software manufacturer detected the previous day. The security patch may take as long as three days to become available, hopefully sooner. In addition, once the patch is released the LAN administrator needs at least one week (minimum) to download, test, and install it.
To calculate the Window of Vulnerability (WoV) for this security breach, the timeline below will be used as the basis for the calculation. First, however, it is important to understand the variables considered in this timeline. The WoV is the period within which defensive measures are reduced, compromised, or lacking. It begins at the moment a vulnerability is discovered and identified by the vendor.
It also includes the time taken to create, publish, and finally apply a fix for the vulnerability. It is also important to examine the device(s) targeted by the attack, in this instance the SMB server within the LAN. SMB is an application-layer network protocol, which can run atop the session layer. It provides shared access to files, printers, and serial ports, as well as communication between network nodes (workstations, laptops, desktops, etc.), in a client/server relationship throughout the network.
This means that every domain of the IT infrastructure can potentially be affected at some level by this security breach, which must be considered in the timeframe analysis of the WoV as well. In addition, it is important to consider exactly how this security breach occurred when determining countermeasures to contain it and to reduce the likelihood of a recurrence. These factors are not part of the timeline used to calculate the WoV, but they should be addressed when interpreting it.
The security hole that was detected by the server software manufacturer the previous day gave the unauthorized user a window of opportunity: by discovering the backdoor (security hole), the attacker could access resources and bypass the existing security controls, password encryption, and access controls that were put in place to protect the IT infrastructure. It is possible that a utility such as netcat, a rootkit, or some type of Trojan horse backdoor software or device was used.

Calculation of the Window of Vulnerability. Factors to consider in the timeline:

* 1 day ago: security hole detected by the manufacturer
* Up to 3 days: a patch will be available
* 1 week: minimum time for the LAN administrator to download, test, and install the patch
* 2 extra days: margin for any potential problems

Because the WoV starts at the moment the vendor identifies the vulnerability, Day 0 is the detection date and the breach was identified on Day 1. Therefore, with Day 0 = 09/28/12:

* Day 1 = 09/29/12: breach identified (today)
* Day 4 = 10/02/12: patch available (worst case, today + 3 days)
* Day 11 = 10/09/12: patch downloaded, tested, and installed (minimum, + 7 days)
* Day 13 = 10/11/12: Day n, including the 2 extra days of margin for potential problems

[Timeline graphic: Day 0 through Day n, a total of 13 days elapsed from Day 0.]

In conclusion, the WoV would be 13 days based on this timeframe (1 + 3 + 7 + 2). The WoV could conceivably be calculated as 11 days without the additional 2 days figured in as a margin of error for potential problems. However, it is best always to calculate the Window of Vulnerability on a worst-case basis.
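As an added worked example (not part of the original assignment), the following Python script derives the milestone dates from the durations in the scenario and reports the WoV both as a total and broken into phases: the days during which no fix exists at all, the "patch lag" after the vendor ships the fix, and the safety margin. The class and function names are my own, and the script assumes, as the timeline above does, that the three-day patch countdown starts on the day the breach is identified (one day after the vendor's detection on 09/28/12).

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class WovTimeline:
    """Milestones of one Window of Vulnerability, all as calendar dates."""
    discovered: date         # Day 0: vendor detects the security hole
    breach_identified: date  # unauthorized access to the SMB server is found
    patch_available: date    # vendor publishes the fix (worst case)
    patch_deployed: date     # LAN admin has downloaded, tested and installed it
    margin_days: int = 0     # extra days budgeted for problems during rollout

    def __post_init__(self) -> None:
        # Milestones must be in order; a patch cannot be deployed before it exists.
        order = (self.discovered, self.breach_identified,
                 self.patch_available, self.patch_deployed)
        if any(later < earlier for earlier, later in zip(order, order[1:])):
            raise ValueError("timeline milestones are out of order")
        if self.margin_days < 0:
            raise ValueError("margin must not be negative")

    def window_end(self) -> date:
        """Day n: the date on which defensive measures are back in place."""
        return self.patch_deployed + timedelta(days=self.margin_days)

    def wov_days(self) -> int:
        """Total window, from vendor discovery (Day 0) to Day n."""
        return (self.window_end() - self.discovered).days

    def phases(self) -> dict[str, int]:
        """Split the window into the parts a defender can and cannot influence."""
        return {
            "no fix exists": (self.patch_available - self.discovered).days,
            "patch lag": (self.patch_deployed - self.patch_available).days,
            "margin": self.margin_days,
        }


def build_timeline(detected: date, days_to_patch: int, days_to_deploy: int,
                   margin_days: int = 0, breach_offset_days: int = 1) -> WovTimeline:
    """Derive milestone dates from the durations given in a scenario.

    Assumption (hypothetical, matching the page's timeline): the patch countdown
    starts on the day the breach is identified, which is breach_offset_days
    after the vendor detected the hole.
    """
    breach = detected + timedelta(days=breach_offset_days)
    patch = breach + timedelta(days=days_to_patch)
    deployed = patch + timedelta(days=days_to_deploy)
    return WovTimeline(detected, breach, patch, deployed, margin_days)


def scenario(margin_days: int = 2) -> WovTimeline:
    """The page's scenario: detected 09/28/12, patch in 3 days, 1 week to deploy."""
    return build_timeline(date(2012, 9, 28), days_to_patch=3,
                          days_to_deploy=7, margin_days=margin_days)


if __name__ == "__main__":
    t = scenario()
    print(f"Day 0 (vendor detection): {t.discovered}")
    print(f"Day n (window closes):    {t.window_end()}")
    print(f"WoV = {t.wov_days()} days, phases: {t.phases()}")
```

Running it reproduces the 13-day worst-case window (11 days with `scenario(margin_days=0)`) and shows that 7 of those 13 days are patch lag, the only phase the LAN administrator controls; shortening the test-and-install cycle is therefore where the window can actually be reduced.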