Chapter 8 - Using Risk Management Tools

Question 1

What are inherent risks?

Answer 1

Inherent risks are risks that exist before controls are put in place.

Question 2

What are residual risks?

Answer 2

Residual risks are risks that exist after the controls are put in place.

Question 3

What are control risks?

Answer 3

Control risks are risks that require additional control to be implemented because the current controls are not appropriately addressing the rest.

Question 4

What is a risk avoidance management strategy?

Answer 4

The risk avoidance strategy mitigates risk by avoiding the activity or action that causes the risk in the first place.

Question 5

What is a risk mitigation management strategy?

Answer 5

The risk mitigation strategy mitigates risk by implementing controls to either reduce risk, by reducing vulnerabilities, and or by reducing the impact of the threat.

Question 6

What is a risk transference management strategy?

Answer 6

The risk transference strategy mitigates risk by transferring risk to another entity, such as an insurance company, or cybersecurity insurance (data loss, network damage).

Question 7

What are risk control assessments?

Answer 7

Risk control assessments aim to assess controls and their ability to adequately address a risk. This is normally done by a third party.

Question 8

What is a risk control self-assessment?

Answer 8

A risk control self-assessment is the same as a risk control assessment except for it is performed by employees internally. This can pose a conflict of interest if the same employee that installed the control is asked to assess it.

Question 9

What is SLE and how is it calculated?

Answer 9

Single loss expectancy is the cost of any single loss.

SLE = ALE/ARO
Single Loss Expectancy = Annual Loss Expectancy / Annual Rate of Occurrence

Question 10

What is ARO and how is it calculated?

Answer 10

Annual Rate of Occurrence is how often a loss occurs in a year. Important to note, if the ARO is less than 1, it is treated as a percentage. (ARO is .5 if the ARO is once every 2 years).

ARO=ALE/SLE

Question 11

What is ALE and how is it calculated?

Answer 11

Annual Loss Expectancy is the amount that can be expected to be lost in a year.

ALE=SLE*ARO

Question 12

What is a risk register?

Answer 12

A risk register is a living document that lists all known risks for a system or an organization. It will either present as a table or a log.

Question 13

What is a risk matrix?

Answer 13

A risk matrix is a graphical or chart representation of risk. The same goes for a risk heat map, except they use colors to represent risks.

Question 14

What are the two types of reports that threat feeds use?

Answer 14

Structured Threat Information eXpression (STIX)

Unstructured Reports (White papers, word documents, pdf)

Question 15

What is TTP?

Answer 15

Tactics, Techniques, and Procedures refer to an attacker’s method when exploiting a target.

Tactics: High-level descriptions of behavior
Techniques: A more detailed description of behavior in the context of the tactics.
Procedures: Are even more granular description in the context of techniques

Question 16

What is intelligence fusion?

Answer 16

Intelligence fusion is the combining of internal intelligence data (logs, historical data), and external data (threat feed, OSINT) to create a picture of likely threats and the risk they pose.

Question 17

What is ARP ping scan?

Answer 17

ARP ping is used in network scans, if a host responds to the ARP ping it is then known that a host is available at the IP address.

Question 18

What is a Syn stealth scan?

Answer 18

A Syn stealth scan sends an SYN packet to a range of IP addresses in a network. Any host that responds to this initial SYN packet is then known that a host is available at the IP address. The scan closes out the TCP 3-way handshake with a rest packet.

Question 19

Why would you run a port scan?

Answer 19

Port scans are run to identify which ports are open and hints
at the protocol running on the machine.

For example, if port 21 is open you know that this maybe a file server and it’s allowing unencrypted traffic.

Question 20

Why use a service can?

Answer 20

A service scan is used to verify what protocol or service is actually running on the system.

After running a port scan, you would then run a service can to verify the service running on the port.

Question 21

What is TCP/IP fingerprinting?

Answer 21

TCP/IP fingerprinting also known as OS detection is used to verify the OS that is running on a machine. This is done by analyzing packets form a n IP address.

Question 22

What are the actions that a vulnerability scan often includes?

Answer 22

Identifying vulnerabilities
Identifying misconfigurations
Passively test security controls
Identify lack of security control

Question 23

What is the range for CVSS and what do they indicate?

Answer 23

The range for the common vulnerability scoring system (CVSS) is 0-10 with 10 being the most severe vulnerabilities.

Question 24

Is vulnerability scanning active or passive recon?

Answer 24

Passive. Vulnerability scans do not look to exploit the vulnerability, just identify them which does not interfere with normal operations.

However, Pen testing, on the other hand, looks to identify and exploit vulnerabilities which makes it active recon.

Question 25

What is the difference between a credentialed and a non-credentialed vulnerability scan?

Answer 25

Credentialed scans are done with admin-level privileges and usually go in-depth to provide deeper levels of insight. Non-credentialed does not use any account level to preform a vulnerability scan. Most attackers will start out non-credentialed and gain access to an account and escalate their privilege

Question 26

What is footprinting?

Answer 26

Footprinting is also known as reconnaissance, Pen-testers, and attackers use active and passive footprinting to learn as much as they can about their target.

Question 27

What is an IP Scanner?

Answer 27

An IP scanner aims to identify active hosts in a network by sending ICMP pings (traffic) to a range of IP addresses on the next work. Whichever IP address responds indicates activeness.

Keep in mind because of this most firewall block ICMP traffic.

Question 28

What is Nmap used for?

Answer 28

Nmap is a network scanning tool that is capable of idetnifying active hosts on a network, their IP address, Open ports, the services and applications running, the operating systems, and even down to the firewalls and packet filtering

Question 29

What is Netcat?

Answer 29

Netcat is a command line tool that is used to remotely access Linux systems. It can be used to banner, which helps identify the OS and applications, scan for open ports, and transfer files.

Question 30

What is scanless?

Answer 30

Scanless allows you to scan for open ports using a website, which essentially means the scan would be traced back to the website’s Ip address, not the tester or attacker.

Question 31

What is Dnsenum?

Answer 31

It is a command-line tool that lists the DNS servers holding the record. It can also attempt a file transfer (AXFR) request.

Question 32

What is Nessus?

Answer 32

Nessus is a vulnerability scanner that scans against windows and Unix systems. It is often used for configuration reviews.

Question 33

What is Hping?

Answer 33

Hping is used to send ping using TCP, UDP, or ICMP. It can also be used to scan ports for remote systems.

Question 34

What is Sn1per?

Answer 34

Sn1per is a comprehensive vulnerability tool used to gather information and perform vulnerability assessments. It performs a vulnerability scan, list out all vulnerability found (community version), and can list how to exploit those vulnerabilities (professional version).

Question 35

What is Curl?

Answer 35

The client URL (Curl) is used to transfer and retrieve data to and from servers, such as web servers.

Question 36

What is the difference between footprinting and fingerprinting?

Answer 36

Footprinting is big picture, for example, network footprinting aims to identify active IP addresses within the net work. Fingerprinting takes it a step further by actively sending traffic to specific machines on the network and analyzing its response to identify the service it’s running or OS, etc.

Question 37

What is Pivoting?

Answer 37

Pivoting is used once an attacker has access to an account to gather additional information that is then used to further the attack.

Question 38

What are known environments sometimes called?

Answer 38

White Box: The tester has full knowledge of the environment before the test.

Question 39

What are unknown environments sometimes called?

Answer 39

Black Box: The tester has no knowledge of the environment before the test.

Question 40

What are partially known environments sometimes called?

Answer 40

Gray Box: The tester has some knowledge of the environment before the test.

Question 41

What is Tcpreplay?

Answer 41

Tcpreplay is a suite of utilities used to modify captured packets and replay them over the network. It includes tcpreplay, tcpprep, tcprewite, and more.

Question 42

What is tcpdump?

Answer 42

Tcpdump is a command line tool used to capture packets as Wireshark does. You can then use tcpreplay to modify the packet and replay them over the network.

Question 43

What is NetFlow?

Answer 43

Netflow collects IP traffic statistics (sort of metadata), then sends this data to a NetFlow collector where analytics software is used to analyze the data.

NetFlow does not capture packet payload, headers, or anything within the packets

NetFlow will capture data like the source of the IP traffic, its destination, time stamps, input interface (on a router or switch), protocol uses (TCP, UDP, ICMP)

Question 44

What is sFlow?

Answer 44

sFlow is an alternative to NetFlow. sFlow is a sampling protocol that captures packets a sample of the packets. For example, a sample me be configured to 2 out of every 10 packets.

Packet info is sent to a sFlow collector to be analyzed.

Question 45

What is PCI DSS?

Answer 45

Payment Card Industry Data Security Standard (PCI DSS) includes requirements that organizations that handle credit card payments follow to protect credit card data and help reduce the risk associated with credit card fraud.

Question 46

What is ISO 27001?

Answer 46

ISO 27001 provides information on Information Security Management Systems requirements. Orgs can go through a 3-stage certification process to be ISO 27001 compliant, meaning that they meet all the requirements.

Question 47

What is ISO 27002?

Answer 47

ISO 27002 - Information Technology Techniques, compliments 27001 by providing guidance and best practices.

Question 48

What is ISO 27701?

Answer 48

ISO 27701 - Privacy Information Management System (PIMS). This standard outlines a framework for protecting PII and providing guidance for complying with international privacy standards, like the EU GDPR. with

Question 49

What is ISO 31000?

Answer 49

ISO 31000 is a family of standards related to risk management. It provides guidelines orgs can adopt to manage risk.

Question 50

What is SOC2 Type I?

Answer 50

A SOC 2 Type I report addresses how well an org’s security controls are designed/implemented to be able to effectively address risks on a specific date.

SOC 2 Type I basically asks, do you have the appropriate security structures in place to effectively address risks today?

Question 51

What is SOC2 Type II?

Answer 51

A SOC 2 Type II report addresses how effectively an org’s security controls actually address risks over a given period of time.

SOC 2 Type II basically asks, how effective were your security structures at addressing risks over a period of time (3 - 12 months ex).

Question 52

What are the 7 steps in the RMF?

Answer 52

The 7 steps in the Risk Management Framework (RMF) are

• Prepare: Identify current controls, risk tolerance strategies, conduct risk assessments
• Categorize Information System: Prioritize assets based on the impact of loss or to operations.
  Select controls: Select and tailor security controls to best meet the org’s needs.
• Implement Security Controls:
• Assess controls: How effectively are the controls working?
• Authorize Information System to Go Live: Based on security assessments are info systems appropriate to G0-Live?
  Ongoing Monitoring of Sec Controls:

Question 53

What are the 3 cores of the NIST CSF?

Answer 53

The 3 cores of the NIST Cybersecurity Framework (CSF) are
- Framework Core: The core includes 5 desired outcomes - Identify, protect, detect, respond, and recover.
- Framework Implimentatention: Tier 1 - 4. Tier 4 is the most mature risk management program.
- Framework profile: These profiles provide a list of outcomes based on the org’s needs. Current profiles and target profiles help orgs identify gaps.