Ch.2 - Risk Management

Question 1

Threat Source

Answer 1

• Adversarial
• Accidental
• Structural
• Environmental

*These threats don’t exist in isolation – One can lead to another

Question 2

Adversarial

Answer 2

Attacks from malicious users, inside or outside the organization.

Question 3

Accidental

Answer 3

Errors made by users who did not intend to hurt organizational security.

Question 4

Structural

Answer 4

Failures of hardware, software, or other equipment such as environmental controls which are directly controlled by the organization.

Question 5

Environmental

Answer 5

Natural disasters, or structural failures to resources the organization depends on but does not control, such as power or network access.

Question 6

About Hackers

Answer 6

People bypassing security measures

Question 7

Unauthorized (Black Hat)

Answer 7

Criminal hackers
o Break computer security for personal gain or other malicious purposes
o Steal/destroy information, spread malware, or damage your computing assets

Question 8

Authorized (White Hat)

Answer 8

Security experts
o Practice hacking for legal purposes (finding countermeasures against hackers)
o Ethical hackers

Question 9

Semi-Authorized (Grey Hat)

Answer 9

Hackers who are not unauthorized/authorized
o Research security flaws as recreational exercise
o No intentional harm, but don’t care if they violate law

Question 10

Attacker Qualities

Answer 10

• Intent/Motivation: Motivated by any number of reasons (personal/financial/political)
• Sophistication/Capability Level: Some are inexperienced, relying on automated tools or simple vulnerabilities. Others are more subtle/personalized (threats).
• Resource/Funding: Attackers can be in groups working to a common cause or alone to launch a major and powerful attacks on security.
• Location: Some requires physical proximity to your computing resources, others can be anywhere in the world. Can be outside/inside your org.
• Target Information: Some can hack randomly until they find something vulnerable. Others know your assets/vulnerabilities. Others use open-source intelligence.

Question 11

Common Attacker Types

Answer 11

• Script Kiddies: Unskilled hackers relying on available attack tools (malicious scripts)
  o Deface websites, spread malware, or interrupt services,
  o Against poorly secured networks, they can do even more damage
• Hacktivists: Hackers who attack organizations to further a political or ideological message
• Criminal Syndicates: Criminal hackers seeking financial gain (work as part of a larger org)
  o Target resources they can sell to others
• Insiders: Employees (or former ones) who have retained network access/knowledge
  o Inside thieves/embezzlers target financial resources/valuable intellectual property
  o Disgruntled employees motivated by revenge want to sabotage systems/data
  o Employees misusing resources (hurt performance/security)
  o Employees wanting to keep their job creating problems to fix
• Nation-states: Nations employing intelligence agencies to attack rivals (orgs/business/political)
  o Have unparalleled attack resources
• APT (Advanced Persistent Threat): Ongoing series of sophisticated attacks against an org
  o Target orgs with high-value data
  o Used by nation-states or most capable criminal groups
• Shadow IT: Many orgs have IT resources that are not managed by the IT department
  o Not an attack, but can compromise org’s security

Question 12

Threat Vectors

Answer 12

Technical methods used to enter your org and target your resources.
- AKA “Tactics, Techniques, and Procedures” (TTPs)

▪ Direct Access: Comes from source that can directly contact your resources (insiders)
▪ Wired and wireless networks: No direct access, but still affect your local network
o Remote access, data breaches, network service outages
▪ Email/Personal Communications: Email, internet messaging, telephone, other comm tools
o Mainly emails – spread malware, credential theft, phishing
▪ Social Media: Become part of how businesses comms with their customers/public
o Scanning postings for sensitive info, spreading misinfo, perform social engineering
▪ Supply Chains: Org’s vendors, outside contractors, customers
o Malicious trusted partner gaining direct access, business partner leaking data
▪ Removable media and mobile devices: Any kind of electronic device which can be connected to your computing/network infrastructure
▪ Cloud Services: Service on someone else’s computer
o Can be attacked by cloud service provider, other tenants on same cloud

Question 13

Artificial Intelligence (AI) Risks

Answer 13

• Most AI use ML (Machine Learning) which uses algorithms to analyze data and learn to recognize existing patterns and map relationships*
  1. If training data for AI is tainted or non-representative, the trained algorithm will not respond appropriately to real-world data.
  2. If ML algorithms have unknown biases or oversights introduced during development, AI will not behave appropriately regardless of how well-designed training data set was (undetected harms).
  3. attacker who knows enough about the AI “thinking” can game the system by meddling with real-world data to obscure own activities or create false alarms that keep security analysts busy.

Question 14

Third-Party Risks

Answer 14

Any business relationship with a third party introduces risks apart from anyone attacking you.

Question 15

Incident Impact

Answer 15

Impact if a threat acted on a given vulnerability

• Availability Loss: Disabled/compromised resource can prevent your org from achieving goals like producing goods/providing services
• Recovery Costs: Equipment/labor cost required to repair/replace asset harmed by a threat

o System is down, reduced operating capacity
• Data Loss: Damage done to data itself

• Information Disclosure: Damage done when sensitive data is exposed to untrusted parties
o Data exposure: Human error causes sensitive data to be placed in untrusted environment
o Data breach: Situation where unauthorized party accesses sensitive data
o Data exfiltration: Breach where data is copied without affecting the source data

• Identity Theft: Use of private data (personal info) at victim’s expense (can impersonate)
• Other Financial Costs: Theft of financial resources, physical assets, valuable intellectual property
• Public/Professional Reputation: Loss of customers/business partners with loss of reputation
• Legal Consequences: Failure to comply with laws/regulations leads to fines/charges

Question 16

Threat Awareness

Answer 16

Know who will attack, asset vulnerabilities and how to mitigate threats

• Known Threats: Long-established threats (variant) can breach weak security
  o Rely on heavy internal monitoring
• Current Vulnerabilities: Documented vulnerabilities in hardware, software, or procedures are continually changing (stay aware)
  o Use cybersecurity resources, penetration tests, vulnerability scans
• Trending Attacks: New strategies (defenses and vulnerabilities change) – Spearphishing
  o Recognize and prioritize those threats
• Emerging Threat Sources: Ongoing changes in technologies/business practices
  o Adapt to them – Training, update security controls, complete rethinking
• Zero-Day Vulnerabilities: Newly discovered vulnerabilities (before we know they exist)
  o Need software patch or alternative mitigation strategy

Question 17

Intelligence Gathering

Answer 17

Intelligence cycle practiced by military and gov intelligence agencies

1) Define intelligence requirements – Goals/priorities
2) Collect and process info likely to meet your requirements (process raw data)
3) Analyze processed info to turn into actionable intelligence
4) Disseminate intelligence to decision makers who can act on it
5) Generate feedback to improve next cycle

Question 18

Intelligence Source Types

Answer 18

• Open-Source Intelligence (OSINT): Free to use and available to anyone
  o Ex: public threat feeds released by security orgs, news media, websites, forums
• Closed-Source/Proprietary Intelligence: Only available to paying/exclusive customers
  o Ex: Commercial treat feeds from security vendors, advice from consultants, private orgs

Question 19

Threat Intelligence Types

Answer 19

• Strategic Intelligence: Non-technical, high-level info – focuses on big picture – slow
• Operational Intelligence: Adversaries and their actions – changes rapidly
• Tactical Intelligence: Immediate, specific threats – Short-term, highly technical
• Counterintelligence: Active security strategy – offensively, expensive (illegal)

Question 20

Cybersecurity Information Sources

Answer 20

• Social Media: Twitter – excellent source for instant alerts, FB/LinkedIn – in-dept discussions
• Vendor Websites: Strong interest to keep customers updated on threats and mitigating them
• Academic Journals: Detailed knowledge of some field (technical and theoretical)
• Conferences: Excellent place to meet security professionals, expert advice, demonstrations
• Threat Actor Activities: Studying (un)successful attacks or reviewing incidents on your own
• Request for Comments (RFC): Set of IETF publications – standards, practices, protocols

Question 21

Threat Intelligence Organizations

Answer 21

A. Computer Emergency Response Teams (CERT)
a. Expert groups that respond to security incidents or coordinate responses to widespread threats (Computer Emergency Readiness Teams)
b. Publish general-purpose security docs, alerts, tips about current threats
B. Information Sharing and Analysis Center (ISAC)
a. Organizations/communities related to CERTs, aka Information Sharing and Analysis Organizations (ISAO)
b. Each is gov or private non-profit to gather/share info – cybersecurity and threats
C. MITRE
a. US-based non-profit corporation that manages federally funded research and development centers to support government agencies such as NIST and DHS

Question 22

Threat Intelligence Sources

Answer 22

• Data Repositories: Databases of known vulnerabilities, threat, security controls
• Vulnerability Feeds: Regularly updated/distributed sources of info about new vulnerabilities
• Threat Intelligence Feeds: Similar to vulnerability feeds, but with info about known threats
• Threat Maps: Visual maps showing real-time/recently reported cyberattacks on world map
• Predictive Analytics: App of ML that analyzes existing data to predict future trends

Question 23

Threat Indicators

Answer 23

Info used to describe security vulnerability, attack, its impact, or some other aspect

Question 24

Reputational Indicator

Answer 24

Indicator of attack (IoA) associated with known/likely threat source
o IP address/email associated with attackers, URLs to phishing, or files to malware

Question 25

Behavioural Indicator

Answer 25

IoA associated with a known or suspected action performed by attackers
o Unauthorized network scans, failed login attempts, phishing attempts, human behaviors

Question 26

Indicator of Compromise (IoC)

Answer 26

Forensic data associated with malicious activity on sys or net
o Unusual login behaviors, unexpected outbound net traffic, unauthorized config change

An IoA or IoC can indicate more than the presence of an attack; it can explicitly suggest a specific threat actor or threat actor category.

Question 27

Vulnerability

Answer 27

Weakness in system/network which can be exploited by threat actor
o Its target, how to exploit it, and potential impact of exploitation

Question 28

Attack Framework

Answer 28

Systematic threat modeling processes to map how threats, vulnerabilities, and security controls in a system are likely to interact

• Defensive modeling: Begins with threats and uses them to identify potential vulnerabilities
• Attack modeling: Begins with vulnerability and finds attack path that can compromise it

Question 29

Cyber Kill Chain

Answer 29

Model real-world network intrusions conducted by APTs

• Consists of several phases linked in sequence to represent necessary steps of successful attack
• By blocking any of those steps, you can defend against the threat as a whole
• Interrupting any one of these steps will interrupt the entire attack.
• Useful to model many attacks and teach defenders how to think about them proactively

Question 30

Cyber Kill Chain Phases

Answer 30

1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and Control
7. Actions of objectives

Question 31

Risk Assessment

Answer 31

To determine security needs

1) Identify assets potentially at risk.
2) Conduct a threat assessment for each asset.
3) Analyze the business impact of each threat.
4) Determine the likelihood of a given threat doing damage.
5) Prioritize risks by weighing the likelihood vs. potential impact of each threat.
6) Create a risk mitigation strategy to shape future security policies.

Question 32

Risk Registers

Answer 32

Formal document of risks you’ve discovered, correlated, calculated

• For each risk you identify, the risk register should have a variety of fields, with details corresponding to the process you’re using
• Ex: Unique ID and description, category, Likelihood, Business impact, Priority, Mitigation

Question 33

Identifying Assets

Answer 33

First need to identify assets with their value

- Ex: Information/data, Hardware/Software, Business inventory, buildings, cash

Question 34

Threat Assessments

Answer 34

Consider all bad things that could happen to assets

• Accidents and disasters: Anything in physical environment that can damage assets
o Fire, earthquakes, war, terrorism, utility failure

• Equipment failure: Threat of equipment along with what happens if failures happen
o Computing hardware, network devices, storage media

• Supply chain failure: Failure of goods, services, people, info (resources to do business with)
o Defective/sabotaged goods and info, malicious contractors/employee in a project

• Human error and negligence: Accidental human behaviors
o Accidentally access/distribute data, create new issues without knowing while fixing

• Malicious outsiders: Outside attacks harming assets and used to gain access within org
o Physical intrusion, unauthorized network access, distribution of malware

• Malicious insiders: Attackers who already have trust/access within org
o Motivated by greed, revenge, ideology, boredom

Question 35

Impact Analysis

Answer 35

Potential costs/other impacts ((in)direct) associated to damage (qualitative metrics)

Question 36

Supply Chain Assessments

Answer 36

Maps outs supply chains and how they cause risk to business operations
- Areas of interest should be ways that a supply chain disruption can cause failures in critical business operations and ways that supply chain relationships can cause data breaches

Question 37

Privacy Impact Assessments

Answer 37

Analyzes privacy risks, evaluates security controls which can minimize them, and ensures compliance with privacy policies and regulations

Question 38

Threat Probability

Answer 38

Calculate how likely threats are to happen

• Mean Time To Failure (MTTF): Average time for newly installed device to fail (to be replaced)
• Mean Time To Repair (MTTR): Average time to repair serviceable device (bring it back online)
• Mean Time Between Failures (MTBF): Average uptime between failures on serviceable device (excluding time needed for repairs)
• Mean Time Between Service Incidents (MTBSI): Average time between failures (including time needed for repairs) – MTBF + MTTR

Question 39

Vulnerability Assessment

Answer 39

How resistant your org is against likely threats

Question 40

Risk Measurement

Answer 40

Determine if you need to apply security controls first

Question 41

Quantitative risk assessment

Answer 41

An objective value (monetary figure) to each risk based on the probability and impact cost of the associated threat (objective numbers)

Question 42

Qualitative risk assessment

Answer 42

Begins with probability and impact cost of each threat and uses human judgment to calculate and assign a priority to the associated risk (quick and easy)

Question 43

Risk Control Assessments

Answer 43

Evaluating presence and effectiveness of existing security controls so you can identify and correct shortcomings

1) Identify business objectives - whether they represent organizational milestones/process metrics
2) Identify risks which get in the way of achieving those objectives
3) Identify security controls already in place to control risks and intended effect of each
4) Perform gap analysis combining current effectiveness of each control (their own effectiveness)

Question 44

Risk Management Strategies

Answer 44

Risk avoidance
Risk transference
Risk mitigation
Risk deterrence
Risk acceptance

Question 45

Risk avoidance

Answer 45

o Choosing not to engage in activities that could expose your org to risk

Question 46

Risk transference

Answer 46

o Transferring risk to another party that will assume responsibility (include costs)
o Most common risk transference is purchasing insurance for expensive assets

Question 47

Risk mitigation

Answer 47

o Applying security controls to reduce risk
o Aims to limit risk of an activity without preventing the activity outright
o Several Mitigation Strategies:
▪ Technology controls
• Intended to protect physical assets, personnel, valuable data
▪ Policies and procedures
• Administrative and operational controls
▪ Routine audits
• Periodically reviews to look for unnoticed changes/problems
▪ Incident management
• Determine what harm was done, minimize or repair damage, and restore system to a secure state (preserve evidence)
▪ Change management
• Assesses security impact and makes necessary adjustments (if changes)

Question 48

Risk deterrence

Answer 48

o Applying visible controls to discourage attacks/human error from occurring

Question 49

Risk acceptance

Answer 49

o Hoping for the best without changing anything
o Good strategy when no other solution seems cost-effective
▪ Particularly when the risk is very unlikely or very low impact

Question 50

Residual Risk

Answer 50

Risks that remain (cannot eliminate everything)

Question 51

Cost Calculations

Answer 51

Risk determination relies heavily on costs

Question 52

Total Cost of Ownership

Answer 52

o Full life cycle cost of anything org owns/operates - initial investment, administration, maintenance, insurance premiums, or anything else associated (Low TCO is better)

Question 53

Return on Investment (ROI)

Answer 53

o Basic measure of profitability, describing expected reward associated with investment (high ROI is better)

Question 54

Choosing a Strategy by Risk Type

Answer 54

▪ Risks internal to org - Workplace accidents, equipment failures, and regulatory liability, come from factors under your control
▪ Often well-suited to effective risk avoidance, deterrence, and mitigation strategies

▪ External risks - Natural disasters and supply chain failures are much less under your control
▪ More challenging to forecast
▪ Rely on transferring or accepting risks you cannot reduce

▪ Multi-party risks that you share with other organizations are always complicated
▪ Multi-party cybersecurity incidents tend to be large and damaging
▪ Can control how to calculate the risk or define responsibilities

▪ Intellectual property risks can be complicated - Best strategy depends on the nature of the IP and how rigorously relevant laws are enforced where thieves are
▪ Better case for strong technical controls or outright avoidance

▪ Respect IP of other orgs - Software licensing compliance is a systematic risk in the enterprise
▪ Use strict software inventory and license management controls

▪ Some risks are a tradeoff between short term and long-term strategies
▪ Cost of replacing legacy systems/software in short term can be very high, so acceptance or limited mitigation might be necessary temporarily

Question 55

Automated Security

Answer 55

Scripts used automate procedures and tools to enact technical controls, audit compliance, document security-related events, and anything else that can be done programmatically

• Script: Special programs designed to emulate what user could do with sequential manual actions

Question 56

Securing the Security Assessment

Answer 56

Any kind of security assessment needs to be treated as sensitive information and distributed on a need-to-know basis
- Different security documents need to be distributed or secured in different ways

Question 57

About Vulnerability Assessments

Answer 57

Search for vulnerabilities that might otherwise go unnoticed

▪ Determining the attack surface: All software and services installed that are subject to attack (use config review, vulnerability scanning and penetration tests to help)
▪ Code review: Security of software should be validated before installation, reviewed after updates, when there’s a reason to suspect a problem, or during periodic review process
▪ Architecture review: Ensure that network hosts and devices have an architecture that meets their required security level
▪ Configuration review: Ensure new systems, apps and other solution doesn’t introduce unacceptable risks (includes security policies and procedures)
▪ Log review: Once system is up/operating, review activity logs to determine security problems
▪ Baseline review: Comparing actual performance (events/usage) to baseline settings and logs

Question 58

Vulnerability Scans

Answer 58

Broad and fundamentally passive scan that examines entire system, network, or organization, checking for specific list of known vulnerabilities

• Scan can be passive/invisible to security systems

Question 59

Penetration Test

Answer 59

Simulated attack designed to determine whether an adversary could compromise an asset (if test fails, then system has passed)
- Test is active and intrusive, but more focused

Question 60

Reconnaissance Tools

Answer 60

TCP/IP tools, shells/scripting env, network scanners, accounts, other elements

• Want to know as much of you can about the network’s structure, services, and exposed OSINT before trying to discover vulnerabilities
• Know Command line tools and scripts that you might execute on a security workstation, a system you want to secure, or a system you’re trying to exploit
  o Linux – “bash” and “csh” for command-line management and scripting
  o PowerShell – Most powerful tool for command-line management and scripting
  o Programming languages – Python, Ruby, Perl

Question 61

Goals of Vulnerability Assessments

Answer 61

✓ Missing security controls
o Scan can detect standard security measures that aren’t installed/have been disabled
✓ Open ports and services
o If service is appropriately secured and serves important function – No problem
o If insecure, unauthorized, unnecessary, it’s a potential vulnerability
✓ Unsecure network protocols
o Network protocols with no/weak security measures are vulnerable (need replacement)
✓ Weak encryption
o Can be cracked and give false sense of security
✓ Unsecure accounts
o If automated scan can find user credentials for a resource, an attacker can
o Have weak controls
✓ Open permissions
o Acc/App with broad permissions has higher security impact when compromised and can be the target of privilege escalation attacks
✓ Misconfigured security controls
o Look for particular common mistakes on hosts, devices, apps
o Compare settings against a standard baseline and look for deviations
✓ Unsecured data
o Data stored in wrong place on network or without adequate security controls (Use DLP software to solve problem)
✓ Compromised systems
o Rogue servers, malware infection, unauthorized user accounts, or deliberately sabotaged security controls
✓ Exploitable vulnerabilities
o Many scanners are designed to check target systems against known common exploits so that you can patch/secure them
✓ Unpatched firmware and software
o Security updates can contain patches for vulnerabilities in device firmware, OS, App software
✓ Errors
o Can be a compromised system, misconfigured control, other underlying problem that will impact security or availability
o Errors detected during assessment should be passed along to troubleshooting process

Question 62

Vulnerability Scan Types

Answer 62

Intrusive: Use larger traffic volumes, unusual messages, or attempts to gain system permissions - more likely to trigger security alarms, disrupt or crash vulnerable/unstable systems as side effect

Non-Intrusive: Focuses on monitoring communications or making routine requests for info that will give info about system and its potential vulnerabilities (no harm)

Credentialed: Requires user credentials for hosts or resources being scanned - give you much more information since you can directly view security configuration data with less traffic

Non-Credentialed: Doesn’t use any special permissions or user credentials - approaches system or network in much the way that an outside visitor would see it

Question 63

Vulnerability Scanners

Answer 63

Passive test of security controls

• Infrastructure Vulnerability Scanner: Checks for vulnerabilities in host OS, services, and third-party applications
• Web Application Scanner: Checks for vulnerabilities common in generic web servers and apps or for problems related to specific products
• Cloud Infrastructure Scanner: Scan cloud-based hosts, services, and apps just like their on-premises counterparts

Question 64

Legacy Platforms

Answer 64

Hardware/software that is old/outdated but not easy to replace
▪ Include outdated computers, operating systems, and applications that are no longer in production or receiving manufacturer updates
▪ Include custom applications developed in-house or by a third party, which predate your current testing process or development environments

Question 65

Assessment Results

Answer 65

Should be compiled in report listing detected vulnerabilities and other findings

Question 66

Validating Scan Results

Answer 66

Scans detect false positive, but not false negative (missed problem)

• Updated feeds help improve scan accuracy – reduces false neg/pos
• Stricter scanning criteria – reduces false neg, but more false pos
• Credentialed scans show vulnerabilities not accessible to outsides– can reduce false pos/neg
• Document false pos for future scans

Question 67

Penetration Testing

Answer 67

Picking one or more expected weak points and trying to hammer them open

• Fundamentally active and intrusive
• Goals: Verify that theoretical threat exists - “Can this attack damage my newly secured system?”
• One thing penetration test don’t do is comprehensively scan for vulnerabilities

Question 68

Penetration Testing Process

Answer 68

1. Planning
2. Discovery
3. Attack
4. Reporting

• If attack doesn’t work, tester can return to discovery phase for new leads instead of giving up
• Better to have a test environment to not disrupt services, crash servers, harm operations

Question 69

Penetration Test Approaches (depending on goals of test)

Answer 69

1. Unknown Environment: Tester is given no knowledge of the system before the test (black-box)
   a. Like a real hacker – need to research public sources, examine network, etc. (research)
2. Known Environment: Tester is given full knowledge of existing security controls, system configurations, policies about the system and its potential vulnerabilities (white box)
   a. Give complete understanding to hit where it’s weakest
3. Partially Known Environment: Tester is given some knowledge of the existing security configuration, but not a complete picture

Question 70

Testing Teams

Answer 70

People separated into team for security exercise

• Red Team: Attackers – perform reconnaissance on network then exploit vulnerabilities
• Blue Team: Defenders – secure assets and monitor network against intrusion
• White Team: Moderators/referees – coordinate exercise and monitor results
• Purple Team: Neutral team – ensure blue and red team collaborate to find vulnerabilities

Question 71

Performing Reconnaissance

Answer 71

• Goal: put together an idea of what assets the target has, how they are arranged, and what ways you can achieve at least an initial foothold on their network (paint a more detailed picture)
• Passive Reconnaissance (footprinting): Gathering wtv info you can about your target without directly sending them any info about your presence
• Active Reconnaissance: Techniques that might tip target off that they’re being targeted, and how – network probes and direct contact via social engineering (can include semi-passive)
• Vulnerability Analysis: Find avenues of attack

Question 72

Penetrating Network (Next Step)

Answer 72

• Perform privilege escalation to get more control over infiltrated system
• Establish persistence, or ways that you can regain access if you lose it
• Pivot to view/access other network systems that you could not reach from starting point
• Perform lateral movement through network to get closer to other goals

Question 73

Bug Bounties

Answer 73

Ongoing formal offer of name recognition or financial rewards to any individual who finds a software bug or security exploit in a specific website, application, or other product

Question 74

Proactive Threat Hunting

Answer 74

Proactively searching network for signs of intrusion which automated systems have missed – proactive practice and mindset

• Begins with assumption attackers are in network and focuses on determining where they are
• Active defense trying to stop the attack