Chapter 8: Using Risk Management Tools Flashcards

1
Q

Types & categories of threats

A

Human (accidental or malicious) and environmental. Human threats can be internal or external; IP theft is one example.

2
Q

Examples of vulnerabilities

In systems and in the organization

A

Default or weak configurations, improper patch management, missing antivirus/anti-malware software and firewalls, and poor policies (both technical and organizational).

3
Q

What are the different types of risk definitions? A.I.R.C.A

A

Awareness - knowing that risks exist and must be addressed.

Inherent risk - the risk that exists before any controls are applied.

Residual risk - the risk that remains after controls are applied. The organization must decide how much residual risk is acceptable.

Control risk - the risk that the in-place controls do not adequately manage the threat; if so, what additional controls are needed?

Risk appetite - the amount of risk an organization is willing to accept.

4
Q

What are some risk management strategies companies might use? A.M.A.T.I

A

Avoidance - not implementing the service or activity that poses the risk, e.g. declining to deploy a service that requires additional inbound ports to be opened.

Mitigation - implementing controls to reduce the likelihood of a risk, or the impact if it occurs.

Acceptance - accepting a certain level of risk, typically when the cost of a control exceeds the loss it would prevent.

Transference - shifting the risk to a third party, or sharing it with that party.

Insurance - paying an insurer to cover the financial loss if the risk materializes; a specific form of transference.

5
Q

Give a description of how a risk assessment might look?

A

First, identify assets and their values (objective and/or subjective).

Then determine the threats and vulnerabilities affecting those assets, and how likely each is to occur.

Lastly, recommend controls that would reduce those threats and vulnerabilities.

An assessment is a snapshot based on the current threats, vulnerabilities and controls.

The overall goal is to assess the impact and likelihood of potential incidents, and then prioritize assets and controls accordingly.

6
Q

When does a risk control assessment come into play? how does it differ from a risk control self-assessment?

A

It examines the risks that remain given the controls currently in place. If a risk assessment already exists, the control assessment uses it to check whether the in-place controls adequately mitigate the known risks.

A self-assessment is performed by the organization's own employees; a control assessment is performed by a third party.

7
Q

What are SLE, ALE and ARO? How do you work out ALE?

A

Single loss expectancy (SLE) - the cost of a single occurrence of the loss.

Annual rate of occurrence (ARO) - how many times per year the event is expected to happen. It can be fractional: an event expected once every two years has an ARO of 0.5.

Annual loss expectancy (ALE) - the expected cost per year: the cost of one loss multiplied by the number of times per year it is expected.

ALE = SLE x ARO
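
An added example, not from these flashcards, showing how SLE, ARO and ALE feed the acceptance-versus-mitigation decision from card 4: the ALE before and after a control, minus what the control costs per year, tells you whether the control pays for itself. All dollar figures, rates and control names are constructed for illustration.

```python
# Added example (not from the flashcards): quantitative risk figures and a
# cost-benefit check on proposed controls. All dollar amounts and rates are
# constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float  # yearly cost of running the control
    aro_after: float    # expected occurrences per year with the control in place
    sle_after: float    # cost of one occurrence with the control in place


def ale(sle, aro):
    """Annual loss expectancy = single loss expectancy x annual rate of occurrence.
    ARO may be fractional: an event expected once every two years has ARO 0.5."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO cannot be negative")
    return sle * aro


def net_benefit(sle, aro, control):
    """Yearly saving the control delivers after paying for itself:
    (ALE before - ALE after) - annual cost of the control.
    Negative means the control costs more than the loss it prevents."""
    return (ale(sle, aro) - ale(control.sle_after, control.aro_after)) - control.annual_cost


def recommend(sle, aro, controls):
    """Choose the control with the highest net benefit. If none pays for itself,
    the rational strategy is acceptance (or a cheaper control, or transference).
    Returns (strategy, control_name)."""
    ranked = sorted(controls, key=lambda c: net_benefit(sle, aro, c), reverse=True)
    if not ranked or net_benefit(sle, aro, ranked[0]) <= 0:
        return ("accept", "")
    return ("mitigate", ranked[0].name)


# Constructed scenario: a ransomware incident on a file server costs $50,000
# each time and is expected once every two years (ARO = 0.5), so ALE = $25,000.
RANSOMWARE_SLE = 50_000
RANSOMWARE_ARO = 0.5

# Two candidate controls (figures invented). Both cut the ARO from 0.5 to
# 0.125; the second limits the damage more but costs far more to run.
EDR_AND_BACKUPS = Control("EDR + offline backups", annual_cost=12_000,
                          aro_after=0.125, sle_after=20_000)
REPLICA_SITE = Control("Air-gapped replica site", annual_cost=40_000,
                       aro_after=0.125, sle_after=4_000)

if __name__ == "__main__":
    print("ALE before controls:", ale(RANSOMWARE_SLE, RANSOMWARE_ARO))
    for c in (EDR_AND_BACKUPS, REPLICA_SITE):
        print(f"{c.name}: net benefit {net_benefit(RANSOMWARE_SLE, RANSOMWARE_ARO, c):,.0f}")
    print(recommend(RANSOMWARE_SLE, RANSOMWARE_ARO, [EDR_AND_BACKUPS, REPLICA_SITE]))
```

With these numbers the cheaper control saves $10,500 a year net and is recommended; the replica site prevents slightly more loss but costs $15,500 a year more than it saves, so on its own the right call would be to accept the risk.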

8
Q

In a subjective (qualitative) risk assessment, how can you still perform a calculation?

A

Use a scale of 1-10 (1 = low, 10 = high) for both probability and impact, then multiply. For example, probability = 7 and impact = 10 gives an overall risk score of 7 x 10 = 70.

9
Q

What is the final step of a risk assessment, and briefly, the steps leading up to it?

A

Documenting the assessment in a report, which is essentially the set of recommendations. Leading up to this: identify assets, identify threats and vulnerabilities, and propose controls. Assets are valued quantitatively or qualitatively; SLE, ARO and ALE come into play for the quantitative case. The risk management strategies (avoidance, mitigation, acceptance, transference and insurance) should be considered for each risk.

10
Q

Risk assessments use a variety of tools/frameworks; give a brief description of each.

A

Risk register - usually a table of known risks with, for each, the risk owner, mitigation measures, likelihood of occurrence, impact and a risk score.

Risk matrix - a grid or chart plotting likelihood against impact, so each risk falls in a cell that indicates its severity.

Heat map - similar to a risk matrix but colour-coded (e.g. green for low through red for high) so the most severe risks stand out at a glance.
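
An added example, not from these flashcards, that ties cards 8 and 10 together: the 1-10 probability x impact score from card 8 is computed for each entry, the entries are laid out as a risk register, and the same scores are placed on a text risk matrix whose cells a heat map would colour. The risks, owners, mitigations and the band thresholds are constructed assumptions.

```python
# Added example (not from the flashcards): a qualitative risk register built
# on the 1-10 probability x impact scale, with matrix bands and heat-map
# colours. The risks, scores and band thresholds are constructed assumptions.
from dataclasses import dataclass

# Assumed bands on the 1..100 product scale; a real organization sets these
# thresholds from its risk appetite.
BANDS = ((80, "critical"), (50, "high"), (20, "medium"), (0, "low"))
COLOURS = {"critical": "red", "high": "orange", "medium": "yellow", "low": "green"}


@dataclass(frozen=True)
class Risk:
    name: str
    owner: str
    likelihood: int      # 1 (rare) .. 10 (almost certain)
    impact: int          # 1 (negligible) .. 10 (catastrophic)
    mitigation: str = "none yet"


def score(likelihood, impact):
    """Qualitative risk score: probability x impact, each rated 1-10."""
    for v in (likelihood, impact):
        if not 1 <= v <= 10:
            raise ValueError("likelihood and impact must be in 1..10")
    return likelihood * impact


def band(s):
    """Name of the matrix band a score falls in."""
    for threshold, name in BANDS:
        if s >= threshold:
            return name
    return "low"


def register(risks):
    """Risk register rows (dicts), highest score first, ready to tabulate."""
    rows = []
    for r in risks:
        s = score(r.likelihood, r.impact)
        rows.append({"risk": r.name, "owner": r.owner, "mitigation": r.mitigation,
                     "likelihood": r.likelihood, "impact": r.impact,
                     "score": s, "band": band(s), "colour": COLOURS[band(s)]})
    return sorted(rows, key=lambda row: row["score"], reverse=True)


def matrix(risks):
    """Risk matrix as text: rows are impact 10..1, columns likelihood 1..10.
    Each cell shows the first letter of its band; a '*' marks a cell holding
    at least one risk (a heat map would colour the cell instead)."""
    placed = {(r.likelihood, r.impact) for r in risks}
    lines = []
    for impact in range(10, 0, -1):
        cells = ["*" if (lik, impact) in placed else band(score(lik, impact))[0]
                 for lik in range(1, 11)]
        lines.append(f"impact {impact:>2} | " + " ".join(cells))
    lines.append("            likelihood 1 .. 10")
    return lines


# Constructed sample register entries.
SAMPLE_RISKS = [
    Risk("Unpatched VPN appliance", "Network lead", likelihood=7, impact=10,
         mitigation="patch within 7 days; restrict admin interface"),
    Risk("Laptop theft", "IT ops", likelihood=5, impact=4, mitigation="full-disk encryption"),
    Risk("Datacentre flood", "Facilities", likelihood=1, impact=10, mitigation="insurance"),
    Risk("Phishing leading to credential theft", "Security", likelihood=9, impact=9,
         mitigation="phishing-resistant MFA; awareness training"),
]

if __name__ == "__main__":
    for row in register(SAMPLE_RISKS):
        print(f"{row['score']:>3} {row['band']:<8} {row['risk']}  (owner: {row['owner']})")
    print("\n".join(matrix(SAMPLE_RISKS)))
```

Note the flood entry: likelihood 1 with impact 10 scores only 10, so a plain product puts it in the lowest band. That is exactly why the register keeps likelihood and impact as separate columns and why some organizations weight impact more heavily than the simple product does.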

11
Q

What might a network scan for vulnerabilities want to achieve, and using what tool?

A

Using Nmap:

ARP ping scan - sends ARP requests to see whether a system is operational and to learn its IP and MAC address; only works on the local subnet, since ARP does not cross routers.

SYN stealth scan - sends a SYN to each port; a SYN/ACK reply means the port is open, a RST means it is closed. Nmap then sends a RST instead of completing the handshake, so the application never sees a full connection. Like the ARP ping, any reply also confirms the host is up.

Port scan - checks for open ports, giving hints about which protocols and services are running.

Service scan - sends probes to an open port and examines the response to verify which service (and often which version) is really running there.

OS detection - analyzes the packets returned by an IP address to identify the OS; different operating systems use different TCP window sizes, TTLs and option orderings, for example.

12
Q

What are a few things a vulnerability scanner aims to do?

A

Identify vulnerabilities and misconfigurations, passively test security controls, and identify where security controls are missing.

13
Q

How does a vulnerability scanner know what to look for?

A

It tests systems against a database of known vulnerabilities (e.g. CVE entries). Each finding is rated with the Common Vulnerability Scoring System (CVSS), a 0-10 scale, which is used to assign priorities.

14
Q

Give a list of some basic misconfigurations a vulnerability scanner might pick up on

A
  1. Unused/open ports
  2. Unsecured root accounts
  3. Default accounts & passwords
  4. Default settings
  5. Unpatched systems
  6. Open permissions (Files available to everybody)
  7. Unsecure protocols
  8. Weak encryption and passwords
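
An added example, not from these flashcards, covering cards 11 and 14 together: it reads the XML that an Nmap SYN/service/OS scan writes with -oX and reports two of the misconfigurations listed above (open ports that are not in the host's baseline, and services that use cleartext or legacy protocols). The XML is a constructed sample in Nmap's real output format; the host, ports, versions, the baseline of expected ports and the list of cleartext services are all assumptions.

```python
# Added example (not from the flashcards): reading the XML output of an Nmap
# SYN + service + OS scan (nmap -sS -sV -O -oX) and turning it into the kind
# of findings a vulnerability scanner reports. The XML below is a constructed
# sample in Nmap's output format; the host, ports and versions are invented.
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX scan.xml 192.0.2.10" version="7.94">
<host>
<status state="up" reason="arp-response"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<address addr="00:00:5E:00:53:01" addrtype="mac"/>
<ports>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/><service name="ftp" product="vsftpd" version="3.0.3"/></port>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/><service name="telnet"/></port>
<port protocol="tcp" portid="80"><state state="closed" reason="reset"/><service name="http"/></port>
<port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/><service name="ms-wbt-server"/></port>
</ports>
<os><osmatch name="Linux 5.4 - 5.15" accuracy="95"/></os>
</host>
</nmaprun>
"""

# Assumed list of services that carry credentials or sessions in cleartext
# (card 14: "unsecure protocols").
CLEARTEXT_SERVICES = {"ftp", "telnet", "pop3", "imap", "rlogin", "rsh", "rexec", "snmp"}


def parse_scan(xml_text):
    """Return {ip: {"os": name or None, "open": [(port, proto, service, version)]}}
    for every host Nmap reports as up."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = next((a.get("addr") for a in host.iter("address") if a.get("addrtype") == "ipv4"), None)
        if ip is None:
            continue
        open_ports = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not findings here
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            version = " ".join(filter(None, (svc.get("product"), svc.get("version")))) if svc is not None else ""
            open_ports.append((int(port.get("portid")), port.get("protocol"), name, version))
        osmatch = host.find("os/osmatch")  # best OS guess, if -O produced one
        hosts[ip] = {"os": osmatch.get("name") if osmatch is not None else None,
                     "open": open_ports}
    return hosts


def findings(hosts, expected_ports):
    """Compare open ports against an assumed per-host baseline of expected
    ports and flag cleartext services. Returns (ip, port, description) tuples."""
    out = []
    for ip, info in sorted(hosts.items()):
        allowed = expected_ports.get(ip, set())
        for port, proto, name, version in info["open"]:
            label = f"{name} {version}".strip()
            if name in CLEARTEXT_SERVICES:
                out.append((ip, port, f"cleartext/legacy protocol exposed: {label}"))
            if port not in allowed:
                out.append((ip, port, f"open {proto} port not in baseline: {label}"))
    return out


# Assumed baseline: only SSH should be listening on this host.
EXPECTED_PORTS = {"192.0.2.10": {22}}

if __name__ == "__main__":
    scan = parse_scan(SAMPLE_NMAP_XML)
    for ip, info in scan.items():
        print(ip, "OS:", info["os"], "open:", [p[0] for p in info["open"]])
    for ip, port, text in findings(scan, EXPECTED_PORTS):
        print(f"{ip}:{port}  {text}")
```

The closed port 80 produces nothing, port 22 is expected, and the remaining three open ports yield five findings: FTP and Telnet are each both cleartext and outside the baseline, and RDP on 3389 is outside the baseline. The service names come from Nmap's version probes (the -sV service scan in card 11), which is what lets the check go by protocol rather than by port number alone.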
15
Q

Vulnerability scan vs penetration test?

A

A vulnerability scan does not exploit any vulnerabilities; it only (passively) searches for and reports them. A penetration test actively tries to exploit the vulnerabilities it finds, within the agreed scope.

16
Q

Credentialed vs non credentialed scans

A

Credentialed - the scanner logs in with an account, usually one with administrator privileges, so it can inspect the system from the inside (installed software, patch levels, local configuration). Provides deeper and more accurate insight.

Non-credentialed - the scanner has no account, so it sees the system as an external attacker typically would, unless that attacker uses privilege escalation to gain more access.

17
Q

A configuration scanner uses what to perform its function?

A

A configuration baseline file (the approved settings); it checks systems against the baseline and reports any deviations. Often run automatically via tools.
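
An added example, not from these flashcards, of a configuration scanner in miniature: it parses an OpenSSH sshd_config and compares each directive with a baseline, reporting weak, missing and default settings (the "unsecured root accounts" and "default settings" items from card 14). The baseline values and the sample config are assumptions for illustration, not a published benchmark.

```python
# Added example (not from the flashcards): a configuration scanner in
# miniature. It reads an OpenSSH sshd_config and compares each directive with
# a baseline. The baseline values and the sample config are assumptions for
# illustration, not a published benchmark.
import re

# Assumed baseline: directive (lower-cased) -> required value.
BASELINE = {
    "permitrootlogin": "no",           # card 14: unsecured root accounts
    "passwordauthentication": "no",    # keys only; removes password guessing
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "4",
}

# Constructed sshd_config showing default/weak settings. The commented line
# documents the compiled-in default; it is not an active setting.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 6
MaxAuthTries 3
"""

# "Directive value" or "Directive=value"; sshd accepts both forms.
_DIRECTIVE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\s*[=\s]\s*(.*?)\s*$")


def parse_sshd_config(text):
    """Return {directive_lowercase: value} for active (uncommented) lines.
    sshd honours the first occurrence of a directive, so later duplicates
    are ignored here too (the second MaxAuthTries above has no effect)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # sshd_config comments start the line
            continue
        m = _DIRECTIVE.match(line)
        if m:
            settings.setdefault(m.group(1).lower(), m.group(2))
    return settings


def check(settings, baseline=BASELINE):
    """Return deviations as (directive, expected, actual). A directive that is
    absent is reported with actual=None: sshd then uses its compiled-in
    default, which the baseline may not accept."""
    deviations = []
    for key, expected in baseline.items():
        actual = settings.get(key)
        if actual is None or actual.lower() != expected.lower():
            deviations.append((key, expected, actual))
    return deviations


if __name__ == "__main__":
    for key, expected, actual in check(parse_sshd_config(SAMPLE_SSHD_CONFIG)):
        print(f"{key}: expected {expected!r}, found {actual!r}")
```

Two details matter for real scanners and are modelled here: the commented PermitRootLogin line must not be read as the active value, and a directive that is simply missing is still a deviation because the daemon's default applies, not the baseline's.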

18
Q

What is an important thing to do before a penetration test?

A

Define the boundaries (scope and rules of engagement) in writing, because penetration tests are invasive and can disrupt systems. Where possible, test against a replica of the production system rather than production itself.

19
Q

Passive vs active footprinting (reconnaissance)

A

Passive - OSINT: gathering information from public sources with no traffic sent to the target. Because nothing touches the target's systems, it is generally lawful without authorization.
Active - uses tools that send traffic to the target (scanning, probing); more invasive, detectable by the target, and requires authorization.

20
Q

What are some tools used in active reconnaissance

A

IP scanners (ping sweeps), Nmap, Netcat (banner grabbing for OS/application information, port checks, file transfer), scanless (port scans run through third-party websites), dnsenum (enumerates DNS records), Nessus (vulnerability scanner), hping (crafts and sends ICMP, TCP and UDP packets), Sn1per (automated reconnaissance, vulnerability scanning and exploitation), curl (sends requests to and transfers data from servers, especially web servers).

21
Q

How does a penetration tester create persistence?

A

After exploiting a vulnerability, the tester installs a backdoor (for example a new user account or a scheduled script) so they can re-enter the system later without repeating the exploit.

22
Q

What is lateral movement?

A

Moving through the network from the initially compromised system, typically looking for vulnerabilities on other systems and exploiting them as well. Each additional system compromised widens the tester's foothold and makes their persistence harder to remove.

23
Q

What is it called when a penetration tester uses one exploited system to target another?

A

Pivoting.

24
Q

What occurs in the last step of a penetration test?

A

Clean up, removing all traces. User accounts, scripts, logs, settings reverted. Etc.

25
Q

Team colours, give a description

A

Red - attackers (ethical hackers), either internal staff or third parties.
Blue - defenders, usually employees.
Purple - combines red and blue: the two sides share findings as they go so both attack and defence improve.
White - oversees the exercise and establishes the rules of engagement.

26
Q

If you had to capture traffic, how would you go about it? Also list 2 packet analyzers.

A

Mirror the traffic to a capture point (a switch SPAN/mirror port or a network tap; an attacker might instead insert an unauthorized switch) and feed it to a protocol analyzer such as Wireshark, which decodes and filters the packets; separate packet-crafting tools can modify a captured packet and re-send it. tcpdump can also be used to capture packets from the command line.

27
Q

You need to use NetFlow; what might you look for?

A

NetFlow is statistics based: rather than showing the details inside packets, it gives an overview of traffic as flow records with packet and byte counts, protocol, exporter identifier (router/switch), source and destination IP addresses and port numbers, etc. You would use it to monitor traffic flow and volume, e.g. to spot top talkers or unusual connection patterns.
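
An added example, not from these flashcards, joining cards 26 and 27: it parses tcpdump's text output into NetFlow-style flow records keyed by the 5-tuple, then answers the two questions the card says NetFlow is for (who sends the most, and which source is behaving like a SYN scanner). The capture lines are constructed in tcpdump's "-n" format with invented hosts, ports and timing; because tcpdump prints payload length, the byte counts are payload bytes, whereas real NetFlow counts whole IP packets.

```python
# Added example (not from the flashcards): turning tcpdump output into
# NetFlow-style flow records and querying them for volume and behaviour.
# The capture lines are constructed in tcpdump's "-n" text format; hosts,
# ports and timing are invented. tcpdump prints payload length, so "bytes"
# here counts payload, whereas real NetFlow counts whole IP packets.
import re
from collections import defaultdict

SAMPLE_TCPDUMP = """\
12:00:01.000100 IP 10.0.0.7.40000 > 10.0.0.9.22: Flags [S], seq 100, win 64240, length 0
12:00:01.000300 IP 10.0.0.9.22 > 10.0.0.7.40000: Flags [S.], seq 200, ack 101, win 65160, length 0
12:00:01.000400 IP 10.0.0.7.40000 > 10.0.0.9.22: Flags [.], ack 201, win 502, length 0
12:00:01.200000 IP 10.0.0.7.40000 > 10.0.0.9.22: Flags [P.], seq 101:143, ack 201, win 502, length 42
12:00:02.000000 IP 10.0.0.7.40001 > 10.0.0.53.53: UDP, length 33
12:00:03.000000 IP 10.0.0.5.51234 > 10.0.0.9.21: Flags [S], seq 1, win 1024, length 0
12:00:03.000100 IP 10.0.0.5.51234 > 10.0.0.9.22: Flags [S], seq 1, win 1024, length 0
12:00:03.000200 IP 10.0.0.5.51234 > 10.0.0.9.23: Flags [S], seq 1, win 1024, length 0
12:00:03.000300 IP 10.0.0.5.51234 > 10.0.0.9.25: Flags [S], seq 1, win 1024, length 0
12:00:03.000400 IP 10.0.0.5.51234 > 10.0.0.9.80: Flags [S], seq 1, win 1024, length 0
12:00:03.000500 IP 10.0.0.5.51234 > 10.0.0.9.443: Flags [S], seq 1, win 1024, length 0
12:00:03.000600 IP 10.0.0.9.22 > 10.0.0.5.51234: Flags [S.], seq 9, ack 2, win 65160, length 0
12:00:03.000700 IP 10.0.0.9.80 > 10.0.0.5.51234: Flags [R.], seq 0, ack 2, win 0, length 0
"""

_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$")
_FLAGS = re.compile(r"Flags \[([^\]]*)\]")
_LENGTH = re.compile(r"length (\d+)")


def parse_packets(text):
    """Yield one dict per parseable tcpdump line; lines that do not match
    (ARP, IPv6, truncated output) are skipped."""
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        proto = "tcp" if rest.startswith("Flags") else "udp" if rest.startswith("UDP") else "other"
        flags = _FLAGS.search(rest)
        length = _LENGTH.search(rest)
        yield {"ts": m.group("ts"), "src": m.group("src"), "sport": int(m.group("sport")),
               "dst": m.group("dst"), "dport": int(m.group("dport")), "proto": proto,
               "flags": flags.group(1) if flags else "", "bytes": int(length.group(1)) if length else 0}


def aggregate(packets):
    """Collapse packets into flows keyed by the NetFlow 5-tuple
    (src, dst, proto, sport, dport) with packet/byte counts, times and flags seen."""
    flows = {}
    for p in packets:
        key = (p["src"], p["dst"], p["proto"], p["sport"], p["dport"])
        f = flows.setdefault(key, {"packets": 0, "bytes": 0, "first": p["ts"],
                                   "last": p["ts"], "flags": set()})
        f["packets"] += 1
        f["bytes"] += p["bytes"]
        f["last"] = p["ts"]
        if p["flags"]:
            f["flags"].add(p["flags"])
    return flows


def top_talkers(flows, n=3):
    """Sources ranked by packets sent: the first thing to look at for volume."""
    totals = defaultdict(int)
    for (src, _, _, _, _), f in flows.items():
        totals[src] += f["packets"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def port_scan_sources(flows, threshold=5):
    """Sources that opened SYN-only TCP flows to at least `threshold` distinct
    ports on one destination: the flow-level signature of a SYN scan."""
    ports = defaultdict(set)
    for (src, dst, proto, _, dport), f in flows.items():
        if proto == "tcp" and f["flags"] == {"S"}:
            ports[(src, dst)].add(dport)
    return sorted({src for (src, _), ps in ports.items() if len(ps) >= threshold})


if __name__ == "__main__":
    flows = aggregate(parse_packets(SAMPLE_TCPDUMP))
    print("flows:", len(flows))
    print("top talkers:", top_talkers(flows))
    print("likely SYN scanners:", port_scan_sources(flows))
```

The normal SSH session from 10.0.0.7 becomes one flow with three packets and 42 payload bytes, while 10.0.0.5 produces six single-SYN flows to six ports on the same host, which is what the scan check keys on; the detail inside each packet is gone, exactly as the card says, but the pattern survives.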

28
Q

ISO/IEC 27001 vs 27002

A

27001 - specifies the requirements for an information security management system (ISMS); it is the standard an organization is audited and certified against.
27002 - a code of practice giving implementation guidance and best practice for the security controls referenced by 27001; it supports 27001 rather than being certified to separately.

29
Q

ISO/IEC 27701

A

Extension to 27001/27002 for a privacy information management system: managing and protecting personally identifiable information (PII).

30
Q

ISO 31000

A

Standard providing guidelines and a framework for risk management in general (not specific to information security).

31
Q

Briefly describe the 7 steps of the RMF

A

Risk Management Framework (NIST SP 800-37):
1. Prepare - identify key roles for implementation, identify the risk tolerance and strategy, create or update the risk assessment, and identify in-place controls.
2. Categorize information systems - by the impact of a loss of confidentiality, integrity or availability, allowing for prioritization.
3. Select security controls.
4. Implement security controls.
5. Assess security controls - are they implemented correctly and producing the desired outcome?
6. Authorize - a senior official decides whether the system is authorized to operate given the residual risk.
7. Monitor - assess changes and perform periodic reassessment of all of the above.

32
Q

List a few of the exploitation frameworks

A

Used by penetration testers to develop, test and run exploit code:

Metasploit - open source; runs on Linux and other platforms; modules for developing, testing and using exploit code against targets.
BeEF - Browser Exploitation Framework; open source, focused on exploiting web browsers through client-side attacks.
w3af - Web Application Attack and Audit Framework; open source scanner and exploitation tool for web application vulnerabilities.
