Chapter 8 - Using Risk Management Tools Flashcards

1
Q

What are inherent risks?

A

Inherent risks are risks that exist before controls are put in place.

2
Q

What are residual risks?

A

Residual risks are risks that exist after the controls are put in place.

3
Q

What are control risks?

A

Control risks are risks that require additional controls to be implemented because the current controls are not appropriately addressing the risk.

4
Q

What is a risk avoidance management strategy?

A

The risk avoidance strategy mitigates risk by avoiding the activity or action that causes the risk in the first place.

5
Q

What is a risk mitigation management strategy?

A

The risk mitigation strategy mitigates risk by implementing controls that reduce risk, either by reducing vulnerabilities or by reducing the impact of the threat.

6
Q

What is a risk transference management strategy?

A

The risk transference strategy mitigates risk by transferring the risk to another entity, such as an insurance company (e.g. cybersecurity insurance covering data loss or network damage).

7
Q

What are risk control assessments?

A

Risk control assessments aim to assess controls and their ability to adequately address a risk. This is normally done by a third party.

8
Q

What is a risk control self-assessment?

A

A risk control self-assessment is the same as a risk control assessment except that it is performed internally by employees. This can pose a conflict of interest if the same employee who installed the control is asked to assess it.

9
Q

What is SLE and how is it calculated?

A

Single loss expectancy is the cost of any single loss.

SLE = ALE / ARO
Single Loss Expectancy = Annual Loss Expectancy / Annual Rate of Occurrence

10
Q

What is ARO and how is it calculated?

A

Annual Rate of Occurrence is how often a loss occurs in a year. Important to note: if the ARO is less than 1, it is treated as a percentage (the ARO is 0.5 if the loss occurs once every 2 years).

ARO = ALE / SLE

11
Q

What is ALE and how is it calculated?

A

Annual Loss Expectancy is the amount that can be expected to be lost in a year.

ALE = SLE * ARO

12
Q

What is a risk register?

A

A risk register is a living document that lists all known risks for a system or an organization. It is presented as either a table or a log.

13
Q

What is a risk matrix?

A

A risk matrix is a graphical or chart representation of risk. The same goes for a risk heat map, except that it uses colors to represent risks.

14
Q

What are the two types of reports that threat feeds use?

A

Structured Threat Information eXpression (STIX)

Unstructured reports (white papers, Word documents, PDFs)

15
Q

What is TTP?

A

Tactics, Techniques, and Procedures refer to an attacker’s methods when exploiting a target.

Tactics: High-level descriptions of behavior.
Techniques: A more detailed description of behavior in the context of the tactics.
Procedures: An even more granular description of behavior in the context of the techniques.

16
Q

What is intelligence fusion?

A

Intelligence fusion is the combining of internal intelligence data (logs, historical data) and external data (threat feeds, OSINT) to create a picture of likely threats and the risk they pose.

17
Q

What is an ARP ping scan?

A

ARP ping is used in network scans: if a host responds to the ARP ping, it is then known that a host is available at that IP address.

18
Q

What is a SYN stealth scan?

A

A SYN stealth scan sends a SYN packet to a range of IP addresses in a network. Any host that responds to this initial SYN packet is then known to be available at that IP address. The scan closes out the TCP 3-way handshake with a RST packet.

19
Q

Why would you run a port scan?

A

Port scans are run to identify which ports are open, which hints at the protocols running on the machine.

For example, if port 21 is open you know that this may be a file server and that it is allowing unencrypted traffic.

20
Q

Why use a service scan?

A

A service scan is used to verify what protocol or service is actually running on the system.

After running a port scan, you would then run a service scan to verify the service running on each open port.

21
Q

What is TCP/IP fingerprinting?

A

TCP/IP fingerprinting, also known as OS detection, is used to verify the OS that is running on a machine. This is done by analyzing packets from an IP address.

22
Q

What are the actions that a vulnerability scan often includes?

A

Identifying vulnerabilities
Identifying misconfigurations
Passively testing security controls
Identifying a lack of security controls

23
Q

What is the range for CVSS and what do they indicate?

A

The range for the Common Vulnerability Scoring System (CVSS) is 0-10, with 10 indicating the most severe vulnerabilities.

24
Q

Is vulnerability scanning active or passive recon?

A

Passive. Vulnerability scans do not look to exploit vulnerabilities, only to identify them, which does not interfere with normal operations.

Pen testing, on the other hand, looks to identify and exploit vulnerabilities, which makes it active recon.

25
Q

What is the difference between a credentialed and a non-credentialed vulnerability scan?

A

Credentialed scans are done with admin-level privileges and usually go in-depth to provide deeper levels of insight. Non-credentialed scans do not use any account to perform the vulnerability scan. Most attackers will start out non-credentialed, gain access to an account, and then escalate their privileges.

26
Q

What is footprinting?

A

Footprinting is also known as reconnaissance. Pen testers and attackers use active and passive footprinting to learn as much as they can about their target.

27
Q

What is an IP Scanner?

A

An IP scanner aims to identify active hosts in a network by sending ICMP pings (traffic) to a range of IP addresses on the network. Whichever IP addresses respond are active.

Keep in mind that because of this, most firewalls block ICMP traffic.

28
Q

What is Nmap used for?

A

Nmap is a network scanning tool that is capable of identifying active hosts on a network, their IP addresses, open ports, the services and applications running, the operating systems, and even the firewalls and packet filtering in use.

29
Q

What is Netcat?

A

Netcat is a command-line tool that is used to remotely access Linux systems. It can be used to banner grab, which helps identify the OS and applications, to scan for open ports, and to transfer files.

30
Q

What is scanless?

A

Scanless allows you to scan for open ports using a website, which essentially means the scan would be traced back to the website’s IP address, not the tester’s or attacker’s.

31
Q

What is Dnsenum?

A

Dnsenum is a command-line tool that lists the DNS servers holding the record. It can also attempt a file transfer (AXFR) request.

32
Q

What is Nessus?

A

Nessus is a vulnerability scanner that scans Windows and Unix systems. It is often used for configuration reviews.

33
Q

What is Hping?

A

Hping is used to send pings using TCP, UDP, or ICMP. It can also be used to scan ports on remote systems.

34
Q

What is Sn1per?

A

Sn1per is a comprehensive vulnerability tool used to gather information and perform vulnerability assessments. It performs a vulnerability scan, lists all vulnerabilities found (community version), and can list how to exploit those vulnerabilities (professional version).

35
Q

What is Curl?

A

The client URL (Curl) is used to transfer and retrieve data to and from servers, such as web servers.

36
Q

What is the difference between footprinting and fingerprinting?

A

Footprinting is the big picture; for example, network footprinting aims to identify active IP addresses within the network. Fingerprinting takes it a step further by actively sending traffic to specific machines on the network and analyzing their responses to identify the service they are running, the OS, etc.

37
Q

What is Pivoting?

A

Pivoting is used once an attacker has access to an account to gather additional information that is then used to further the attack.

38
Q

What are known environments sometimes called?

A

White box: The tester has full knowledge of the environment before the test.

39
Q

What are unknown environments sometimes called?

A

Black box: The tester has no knowledge of the environment before the test.

40
Q

What are partially known environments sometimes called?

A

Gray box: The tester has some knowledge of the environment before the test.

41
Q

What is Tcpreplay?

A

Tcpreplay is a suite of utilities used to modify captured packets and replay them over the network. It includes tcpreplay, tcpprep, tcprewrite, and more.

42
Q

What is tcpdump?

A

Tcpdump is a command-line tool used to capture packets, as Wireshark does. You can then use tcpreplay to modify the packets and replay them over the network.

43
Q

What is NetFlow?

A

NetFlow collects IP traffic statistics (a sort of metadata), then sends this data to a NetFlow collector, where analytics software is used to analyze the data.

NetFlow does not capture packet payloads, headers, or anything within the packets.

NetFlow will capture data like the source of the IP traffic, its destination, timestamps, the input interface (on a router or switch), and the protocol used (TCP, UDP, ICMP).

44
Q

What is sFlow?

A

sFlow is an alternative to NetFlow. sFlow is a sampling protocol that captures a sample of the packets. For example, the sample rate may be configured to 2 out of every 10 packets.

Packet info is sent to an sFlow collector to be analyzed.

45
Q

What is PCI DSS?

A

Payment Card Industry Data Security Standard (PCI DSS) includes requirements that organizations that handle credit card payments follow to protect credit card data and help reduce the risk associated with credit card fraud.

46
Q

What is ISO 27001?

A

ISO 27001 specifies the requirements for Information Security Management Systems. Orgs can go through a 3-stage certification process to become ISO 27001 compliant, meaning that they meet all the requirements.

47
Q

What is ISO 27002?

A

ISO 27002 - Information Technology Techniques. It complements 27001 by providing guidance and best practices.

48
Q

What is ISO 27701?

A

ISO 27701 - Privacy Information Management System (PIMS). This standard outlines a framework for protecting PII and provides guidance for complying with international privacy standards, like the EU GDPR.

49
Q

What is ISO 31000?

A

ISO 31000 is a family of standards related to risk management. It provides guidelines orgs can adopt to manage risk.

50
Q

What is SOC2 Type I?

A

A SOC 2 Type I report addresses how well an org’s security controls are designed and implemented to be able to effectively address risks on a specific date.

SOC 2 Type I basically asks: do you have the appropriate security structures in place to effectively address risks today?

51
Q

What is SOC2 Type II?

A

A SOC 2 Type II report addresses how effectively an org’s security controls actually address risks over a given period of time.

SOC 2 Type II basically asks: how effective were your security structures at addressing risks over a period of time (e.g. 3 to 12 months)?

52
Q

What are the 7 steps in the RMF?

A

The 7 steps in the Risk Management Framework (RMF) are

  • Prepare: Identify current controls and risk tolerance strategies, and conduct risk assessments.
  • Categorize Information System: Prioritize assets based on the impact of their loss on operations.
  • Select Controls: Select and tailor security controls to best meet the org’s needs.
  • Implement Security Controls:
  • Assess Controls: How effectively are the controls working?
  • Authorize Information System to Go Live: Based on the security assessments, are the info systems appropriate to go live?
  • Ongoing Monitoring of Security Controls:

53
Q

What are the 3 cores of the NIST CSF?

A

The 3 cores of the NIST Cybersecurity Framework (CSF) are
- Framework Core: The core includes 5 desired outcomes - Identify, Protect, Detect, Respond, and Recover.
- Framework Implementation Tiers: Tiers 1 to 4. Tier 4 is the most mature risk management program.
- Framework Profile: These profiles provide a list of outcomes based on the org’s needs. Current profiles and target profiles help orgs identify gaps.