Chapter 8: Using Risk Management Tools Flashcards
Types & categories of threats
Human (accidental/malicious), environmental. Internal/external, IP theft.
Examples of vulnerabilities
In systems and organizational
Default configs/weak configs, improper patch management, lack of antivirus/anti-malware software & firewalls, poor policies (both software and organizational).
What are the different types of risk definitions? A.I.R.C.A
Awareness - Knowing that risks exist and must be addressed.
Inherent risk - the risks that exist before controls are placed.
Residual risk - risks remaining after controls are placed. Need to choose an acceptable amount of risk.
Control risk - if in-place controls don’t manage it, what additional controls need to be in place?
Risk appetite - the amount of risk an organization is willing to accept
What are some risk management strategies companies might use? A.M.A.T.I
Avoidance - avoiding risk by not implementing a service that poses risk, e.g. a service that requires additional ports to be open.
Mitigation - Implementing controls to reduce risks or reduce impact.
Acceptance - accepting a certain level of risk. Might occur if the cost of a control is more than it is worth.
Transference - Risk handled by third party or is shared with that third party.
Insurance -
Give a description of how a risk assessment might look.
First identifying assets and their values (objective and/or subjective).
Then threats & vulnerabilities are determined. How likely are they to occur?
Lastly, recommendations on what controls would reduce these threats and vulnerabilities.
It is a snapshot based on current threats, vulnerabilities, controls.
The overall goal is to assess impact of potential incidents, their likelihood and then prioritize assets and controls.
When does a risk control assessment come into play? How does it differ from a risk control self-assessment?
It examines the potential risks based on the controls currently in place. If a risk assessment exists, it uses that to check whether the controls adequately mitigate known risks.
A self-assessment is performed by employees; the control assessment by a third party.
What are SLE, ALE and ARO? How do you work out ALE?
Single loss expectancy - cost of any single loss (one occurrence of that loss).
Annual loss expectancy - cost of a single loss x how many times per year it is expected to happen.
Annual rate of occurrence - times per year something is expected to happen. Can be less than once a year, expressed as a decimal (50% = 0.5).
ALE = ARO x SLE
In a subjective or qualitative risk assessment how can you perform a calculation?
Using a scale of 1-10, 1 being low and 10 being high. This can be applied to both probability and impact. Probability = 7, impact = 10. Then 7 x 10 = 70, the overall risk score.
What is the final step of a risk assessment and, briefly, the steps leading up to it?
Documenting the assessment: the report, which is essentially the recommendations. Leading up to this: identifying assets, identifying threats/vulnerabilities, implementing controls. Assets need to be valued quantitatively or qualitatively, which is where SLE, ALE and ARO come into play. Strategies should be considered: avoidance, mitigation, acceptance, transference and insurance.
Risk assessments use a variety of tools/frameworks. Give a brief description of each.
Risk register - Usually a table of known risks, risk owner, mitigation measures, likelihood of occurrence, risk score.
Risk matrix - A graph or chart of likelihood vs rate of occurrence.
Heat map - Similar to a risk matrix but uses colours
Give some examples of what a network scan for vulnerabilities might aim to achieve, and with what tool.
Using Nmap:
ARP ping scan - checks whether a system is operational (and its IP address).
SYN stealth scan - sends a SYN but, instead of completing the handshake with an ACK, resets the connection. Same purpose as the ARP ping.
Port scan - checks for any open ports, giving hints about what protocols and services are running.
Service scan - sends a command to a known open port to verify that the service is running.
OS detection - analyzes packets from an IP address to identify the OS. For example, different OSes use different TCP window sizes.
What are a few things a vulnerability scanner aims to do?
Identify vulnerabilities and misconfigurations, passively test security controls, and identify a lack of security controls.
How does a vulnerability scanner know what to look for?
Through a database of known vulnerabilities that it tests systems against. The Common Vulnerability Scoring System (CVSS, 0-10) assesses severity and assigns priorities.
Give a list of some basic misconfigurations a vulnerability scanner might pick up on.
- Unused/open ports
- Unsecured root accounts
- Default accounts & passwords
- Default settings
- Unpatched systems
- Open permissions (Files available to everybody)
- Insecure protocols
- Weak encryption and passwords
Vulnerability scan vs penetration test?
A vulnerability scan does not exploit any vulnerabilities; it only passively searches for them. A penetration test will try to exploit all vulnerabilities.