Ch8: Using Risk Management Tools Flashcards
Threat
a potential danger
Threat assessment
evaluates potential threats
Environmental threats
include natural threats such as weather events
Manmade threats
any potential dangers from people and can be either malicious or accidental
Internal threats
typically refers to insiders such as employees or contractors; like any manmade threat, an internal threat can be malicious (a disgruntled employee) or accidental (a user who misconfigures a system)
External threats
any source outside an organization
Handling risk…
It is not possible to eliminate risk, but you can take steps to manage it
An organization can avoid risk by
not providing a service or not participating in a risky activity
Insurance
transfers the risk to another entity
You can mitigate risk by
implementing controls. Controls rarely remove a risk entirely; what is left after they are applied is residual risk. When the cost of a control would exceed the expected loss it prevents, the organization does not implement it and instead accepts that risk
Quantitative risk assessment
uses specific monetary amounts to identify cost and asset values
SLE
Single loss expectancy identifies the cost of a single loss event (for example, the cost to replace one server and recover its data)
ARO
Annual rate of occurrence identifies how many times a loss is expected to occur in a year. It can be fractional: a loss expected once every two years has an ARO of 0.5
ALE
Annual loss expectancy identifies the expected annual loss
ALE equation
ALE = SLE x ARO
Qualitative risk assessment
uses judgment to categorize risks based on likelihood of occurrence and impact
Risk register
a comprehensive document listing known information about risks. Typically includes risk scores along with recommended security controls to reduce the risk scores
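The cards above give the formula and the decision rule but no numbers. The following is an added worked example, not part of the flashcards: it computes ALE = SLE x ARO for two risks, scores them qualitatively (likelihood x impact), compares each proposed control's annual cost against the ALE it removes to decide mitigate vs accept, and lists the result as a small risk register. All asset values, rates, control costs and names are made up for illustration.

```python
"""Worked risk-assessment example added for these flashcards; the asset
values, rates and control costs are made up for illustration."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    sle: float        # single loss expectancy: cost of one loss event
    aro: float        # annual rate of occurrence; 0.5 means once every two years
    likelihood: int   # qualitative rating 1 (rare) .. 5 (almost certain)
    impact: int       # qualitative rating 1 (negligible) .. 5 (severe)

    def ale(self) -> float:
        """Quantitative: ALE = SLE x ARO."""
        return self.sle * self.aro

    def score(self) -> int:
        """Qualitative: risk score = likelihood x impact (1..25)."""
        return self.likelihood * self.impact


def evaluate_control(risk: Risk, annual_cost: float, aro_after: float) -> dict:
    """Compare the ALE before and after a control with the control's annual cost.

    A control pays for itself when the ALE it removes exceeds its cost;
    otherwise the organization accepts the risk rather than over-spending.
    """
    ale_before = risk.ale()
    ale_after = risk.sle * aro_after
    net_benefit = ale_before - ale_after - annual_cost
    return {
        "risk": risk.name,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "net_benefit": net_benefit,
        "decision": "mitigate" if net_benefit > 0 else "accept",
    }


def build_register(risks, proposed_controls) -> list:
    """Produce a risk register: one row per risk, highest score first,
    with the ALE, the qualitative score and the recommended decision.
    proposed_controls maps risk name -> (description, annual_cost, aro_after)."""
    rows = []
    for r in risks:
        desc, cost, aro_after = proposed_controls[r.name]
        ev = evaluate_control(r, cost, aro_after)
        rows.append({
            "risk": r.name,
            "score": r.score(),
            "ale": r.ale(),
            "control": desc,
            "decision": ev["decision"],
            # residual ALE: what remains after the control, or the full ALE if accepted
            "residual_ale": ev["ale_after"] if ev["decision"] == "mitigate" else r.ale(),
        })
    return sorted(rows, key=lambda row: row["score"], reverse=True)


# Constructed sample data (hypothetical risks and controls).
RISKS = [
    Risk("web server defacement", sle=10_000, aro=2.0, likelihood=4, impact=3),
    Risk("laptop theft", sle=2_000, aro=1.0, likelihood=3, impact=2),
]
CONTROLS = {
    "web server defacement": ("web application firewall", 5_000, 0.5),
    "laptop theft": ("asset tracking service", 3_000, 0.2),
}

if __name__ == "__main__":
    for row in build_register(RISKS, CONTROLS):
        print(row)
```

In the sample data the firewall removes $15,000 of annual loss for $5,000, so it is worth implementing; the tracking service costs $3,000 against a $2,000 ALE, so the organization accepts the laptop-theft risk instead.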
Supply chain assessment
evaluates everything needed to produce and sell a product. It includes all the raw materials and processes required to create and distribute a finished product
Password crackers
attempt to discover passwords and can identify weak passwords or poorly protected passwords
Network scanners
can detect all the hosts on a network, including the OS and services or protocols running on each host
Wireless scanners
can detect rogue access points on a network and sometimes crack passwords used by access points
Netcat
can be used for banner grabbing on remote systems or to remotely administer systems
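Both the network scanner card and the Netcat card describe finding open services and reading what they announce. The following is an added example, not from the flashcards: a TCP connect scan that grabs the banner of each open port, run against a throwaway listener on 127.0.0.1 so it works offline. The listener, its SSH-style banner and the closed-port helper are constructed stand-ins for a real host; `grab_banner()` returns the same bytes `nc host port` would print.

```python
"""Added example: a TCP connect scan with banner grabbing against a
throwaway local listener, so it runs offline. The listener and its
banner are constructed stand-ins for a real host and service."""
import socket
import threading


def start_fake_service(banner: bytes):
    """Start a localhost TCP listener that sends `banner` to every client.

    Returns (port, stop) where stop() shuts the listener down.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(5)
    srv.settimeout(0.2)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop.set


def closed_port() -> int:
    """Find a localhost port that is (almost certainly) closed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def grab_banner(host: str, port: int, timeout: float = 1.0) -> str:
    """Connect and return whatever the service sends first, which is
    exactly what `nc host port` prints. Raises OSError if the port is closed."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            return s.recv(1024).decode("utf-8", errors="replace").strip()
        except socket.timeout:
            return ""   # open, but the service waits for the client to talk first


def scan(host: str, ports, timeout: float = 0.5) -> dict:
    """Return {open_port: banner} for the ports that accept a connection."""
    found = {}
    for port in ports:
        try:
            found[port] = grab_banner(host, port, timeout)
        except OSError:
            continue    # connection refused or timed out: closed or filtered
    return found


if __name__ == "__main__":
    port, stop = start_fake_service(b"SSH-2.0-OpenSSH_9.6 (constructed banner)\r\n")
    print(scan("127.0.0.1", [port, closed_port()]))
    stop()
```

A port that accepts the connection but sends nothing is reported with an empty banner rather than dropped: HTTP, for instance, says nothing until the client sends a request, so "open with no banner" is itself useful scan output.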
Vulnerability scanner
can identify vulnerabilities, misconfigured systems, and the lack of security controls such as up-to-date patches.
Vulnerability scans vs penetration tests
Vulnerability scans are non-intrusive (often described as passive) and have little impact on a system during a test; they report suspected weaknesses without exploiting them. Penetration tests are intrusive and can potentially compromise or crash a system
False positive from a vulnerability scan
indicates the scan detected a vulnerability, but the vulnerability doesn’t exist
Credentialed scans
run under the context of a valid account and are typically more accurate than non-credentialed scans
Penetration test
is an active test that assesses deployed security controls and determines the impact of a threat. It typically starts with a vulnerability scan and then tries to exploit the vulnerabilities found by actually attacking the system or simulating an attack, so it is only performed with written authorization and an agreed scope
Pen tests usually include
both passive and active reconnaissance
Passive reconnaissance
uses open-source intelligence (OSINT) such as social media and an organization's web site, without sending traffic to the target
Active reconnaissance
uses tools such as network scanners to gain information on the target
After exploiting a system, pen testers…
use privilege escalation techniques to gain more access to target systems
Pivoting
the process of using an exploited system to target other systems
Black box testers
have zero prior knowledge of the system prior to a penetration test. Often use fuzzing
White box testers
have full knowledge of a system
Gray box testers
have some knowledge of a system
Admins use a protocol analyzer to
capture, display, and analyze packets sent over a network
Protocol analyzers are useful to
troubleshoot communications problems between systems and detect attacks that manipulate or fragment packets
A network capture shows information including
type of traffic (protocol), flags, source and destination IP addresses, source and destination MACs
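The cards list the fields a capture shows but not where they come from in the bytes. The following is an added example, not from the flashcards or any analyzer's code: it decodes an Ethernet II / IPv4 / TCP frame into MACs, IPs, protocol, TCP flags and fragmentation fields, then flags packets that are fragmented or carry TCP flag combinations no normal stack sends (the NULL, Xmas and SYN+FIN probes from the previous card's "manipulate or fragment packets"). The frames are built by `build_frame()` with zeroed checksums as constructed test input; nothing here is captured from a real network.

```python
"""Added example: decode the fields a capture shows (MACs, IPs,
protocol, TCP flags, fragmentation) from raw Ethernet/IPv4/TCP bytes,
then flag manipulated or fragmented packets. The frames are constructed
in build_frame(); nothing here is captured from a real network."""
import socket
import struct

TCP_FLAGS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08),
             ("ACK", 0x10), ("URG", 0x20), ("ECE", 0x40), ("CWR", 0x80)]
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet II -> IPv4 -> TCP headers into a summary dict."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": fmt_mac(dst_mac), "src_mac": fmt_mac(src_mac)}
    if ethertype != 0x0800:                       # not IPv4: stop at layer 2
        info["protocol"] = f"ethertype 0x{ethertype:04x}"
        return info

    ip = frame[14:]
    (ver_ihl, _tos, _total_len, _ident, flags_frag, ttl, proto,
     _csum, src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4                    # header length in bytes
    info.update({
        "protocol": IP_PROTOCOLS.get(proto, str(proto)),
        "src_ip": socket.inet_ntoa(src_ip),
        "dst_ip": socket.inet_ntoa(dst_ip),
        "ttl": ttl,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # offset is in 8-byte units
    })
    # Only the first fragment carries the TCP header.
    if proto == 6 and info["frag_offset"] == 0:
        (sport, dport, _seq, _ack, off_flags, _win,
         _tcsum, _urg) = struct.unpack("!HHIIHHHH", ip[ihl:ihl + 20])
        info.update({
            "src_port": sport,
            "dst_port": dport,
            "tcp_flags": [name for name, bit in TCP_FLAGS if off_flags & bit],
        })
    return info


def suspicious(info: dict) -> list:
    """Reasons a packet looks manipulated: fragment games or TCP flag
    combinations no normal stack sends (classic NULL/Xmas/SYN+FIN probes)."""
    reasons = []
    if info.get("more_fragments") or info.get("frag_offset", 0):
        reasons.append("fragmented datagram")
    if "tcp_flags" in info:
        flags = set(info["tcp_flags"])
        if not flags:
            reasons.append("NULL scan: no TCP flags set")
        if {"FIN", "PSH", "URG"} <= flags and not flags & {"SYN", "ACK"}:
            reasons.append("Xmas scan: FIN+PSH+URG")
        if {"SYN", "FIN"} <= flags:
            reasons.append("SYN and FIN set together")
    return reasons


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport,
                tcp_flags, more_fragments=False, frag_offset=0) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame as test input.
    Checksums are left at zero: this is data for the parser, not for the wire."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                      (5 << 12) | tcp_flags, 65535, 0, 0)
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, flags_frag,
                     64, 6, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = struct.pack("!6s6sH", bytes.fromhex(dst_mac.replace(":", "")),
                      bytes.fromhex(src_mac.replace(":", "")), 0x0800)
    return eth + ip + tcp


if __name__ == "__main__":
    syn = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                      "10.0.0.5", "10.0.0.1", 40000, 22, 0x02)
    print(parse_frame(syn), suspicious(parse_frame(syn)))
```

The same decoding applies to frames read from a pcap file (each record's payload starts at the Ethernet header), which is how a custom detection script would consume a tcpdump capture instead of opening it in Wireshark.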
To capture all traffic, configure…
the NIC to use promiscuous mode, so it passes up frames not addressed to it. On a switched network the switch only forwards traffic for the host's own MAC to that port, so you also need a mirror (SPAN) port or a network tap to see other hosts' traffic
Tcpdump
a command-line protocol analyzer. It can write packet captures to pcap files that can then be opened and analyzed in Wireshark
Nmap
a sophisticated network scanner that runs from the command line
Logs record…
what happened, when it happened, where it happened, and who did it
By monitoring logs, admins can detect…
event anomalies
By reviewing logs, security personnel can create…
an audit trail
SIEM system
A security information and event management system provides a centralized solution for collecting, analyzing, and managing data from multiple sources. Typically includes aggregation (collecting log data from multiple sources into one place in a common format) and correlation (linking related events across those sources). Provides continuous monitoring with automated alerts and triggers
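The log and SIEM cards describe aggregation, correlation and alerting in the abstract. The following is an added example, not from the flashcards or any SIEM product: it normalizes constructed log lines from two sources (an sshd syslog and a VPN gateway log) into one event list, then correlates them to raise an alert when a successful login from an IP follows three or more failures from the same IP within five minutes. The hosts, users, addresses and log lines are made up, and the syslog year is assumed to be 2024 because syslog timestamps omit it.

```python
"""Added example: what a SIEM's aggregation and correlation stages do,
run over constructed sample log lines from two sources (an sshd syslog
and a VPN gateway). The lines, hosts and addresses are made up; the
syslog year is assumed to be 2024 because syslog timestamps omit it."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample logs (not real systems).
SSHD_LOG = """\
Mar 12 09:14:01 web01 sshd[2231]: Failed password for admin from 203.0.113.9 port 51234 ssh2
Mar 12 09:14:03 web01 sshd[2231]: Failed password for admin from 203.0.113.9 port 51235 ssh2
Mar 12 09:14:05 web01 sshd[2231]: Failed password for admin from 203.0.113.9 port 51236 ssh2
Mar 12 09:14:09 web01 sshd[2240]: Accepted password for admin from 203.0.113.9 port 51240 ssh2
Mar 12 09:30:00 web01 sshd[2300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
"""
VPN_LOG = """\
2024-03-12T09:14:07Z vpn01 auth user=bob src=198.51.100.4 result=success
2024-03-12T09:20:00Z vpn01 auth user=carol src=192.0.2.77 result=failure
"""
SYSLOG_YEAR = 2024   # assumption: syslog lines carry no year

SSHD_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
                     r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port")
VPN_RE = re.compile(r"^(\S+) (\S+) auth user=(\S+) src=(\S+) result=(\S+)")


@dataclass
class Event:
    """Normalized record: every source is mapped onto the same fields."""
    time: datetime
    host: str
    user: str
    src_ip: str
    success: bool


def aggregate(sshd_text: str, vpn_text: str) -> list:
    """Aggregation: parse each source's own format into a single sorted event list."""
    events = []
    for line in sshd_text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR)
            events.append(Event(ts, m.group(2), m.group(4), m.group(5), m.group(3) == "Accepted"))
    for line in vpn_text.splitlines():
        m = VPN_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append(Event(ts, m.group(2), m.group(3), m.group(4), m.group(5) == "success"))
    return sorted(events, key=lambda e: e.time)


def correlate(events, threshold=3, window=timedelta(minutes=5)) -> list:
    """Correlation: a success preceded by >= threshold failures from the
    same source IP inside the window is a likely brute-force success."""
    alerts = []
    for ev in events:
        if not ev.success:
            continue
        failures = [f for f in events
                    if not f.success and f.src_ip == ev.src_ip
                    and ev.time - window <= f.time < ev.time]
        if len(failures) >= threshold:
            alerts.append({"time": ev.time, "host": ev.host, "user": ev.user,
                           "src_ip": ev.src_ip, "failures_before_success": len(failures)})
    return alerts


def events_per_host(events) -> dict:
    """A simple aggregation view: how many events each source contributed."""
    return dict(Counter(e.host for e in events))


if __name__ == "__main__":
    evs = aggregate(SSHD_LOG, VPN_LOG)
    print(events_per_host(evs))
    for a in correlate(evs):
        print("ALERT", a)
```

Keying the correlation on source IP rather than on host lets a rule fire even when the failures and the success land on different systems, which is the point of collecting logs centrally instead of reading each host's log on its own.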
Usage auditing
records user activity in logs
Usage auditing review
looks at the logs to see what users are doing and can be used to re-create an audit trail
Permission auditing reviews
help ensure that users have only the access they need and no more, and can detect privilege creep issues
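As an added example of the permission-auditing review the last card describes (not from the flashcards or any identity product), the following script compares the permissions each account actually holds against the baseline its current roles justify, reports every excess permission, and traces it back to a former role where that explains it, which is what privilege creep looks like in data. The roles, users and permission names are constructed.

```python
"""Added example: a permission-audit review that compares what each
account actually holds against what its current roles justify, and
traces the excess back to former roles (privilege creep). The roles,
users and permissions are constructed."""

# Constructed role baselines: the permissions each role is supposed to grant.
ROLE_PERMISSIONS = {
    "developer": {"repo:write", "ci:run", "staging:deploy"},
    "dba": {"prod-db:admin", "prod-db:read"},
    "support": {"ticketing:write", "prod-db:read"},
}

# Constructed accounts: current roles, roles held in the past, and the
# permissions currently assigned to the account.
USERS = [
    {"name": "alice", "roles": ["developer"], "former_roles": ["dba"],
     "permissions": {"repo:write", "ci:run", "staging:deploy", "prod-db:admin"}},
    {"name": "bob", "roles": ["support"], "former_roles": [],
     "permissions": {"ticketing:write", "prod-db:read"}},
    {"name": "carol", "roles": ["support"], "former_roles": [],
     "permissions": {"ticketing:write", "prod-db:read", "billing:export"}},
]


def allowed_for(roles, role_permissions=ROLE_PERMISSIONS) -> set:
    """Least-privilege baseline: the union of the user's current roles."""
    allowed = set()
    for role in roles:
        allowed |= role_permissions.get(role, set())
    return allowed


def audit_permissions(users, role_permissions=ROLE_PERMISSIONS) -> list:
    """Return one finding per permission a user holds beyond their roles.

    Each finding says whether the excess came from a former role (creep)
    or has no role that ever justified it (a direct grant to investigate).
    """
    findings = []
    for user in users:
        baseline = allowed_for(user["roles"], role_permissions)
        for perm in sorted(user["permissions"] - baseline):
            origin = [r for r in user["former_roles"]
                      if perm in role_permissions.get(r, set())]
            findings.append({
                "user": user["name"],
                "permission": perm,
                "reason": (f"retained from former role {origin[0]}" if origin
                           else "not granted by any current or former role"),
                "action": "revoke",
            })
    return findings


if __name__ == "__main__":
    for f in audit_permissions(USERS):
        print(f)
```

Run on the sample data, alice's `prod-db:admin` is flagged as creep from her old dba role, carol's `billing:export` is flagged as a grant no role explains, and bob, whose permissions match his role exactly, produces no finding.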