Chapter 8: Using Risk Management Tools

Question 1

Types & catagories of threats

Answer 1

Human (Accidental/malicious), environmental. Internal/external/IP theft/

Question 2

Examples of vulnerabilities

In systems and organizational

Answer 2

default configs/weak configs, improper patch management, lack of antivirus/malware software & firewalls, poor policies (both software and organizational.

Question 3

What are the different types of risk definitions? A.I.R.C.A

Answer 3

Awareness - KNowing that risks exist and must be addressed

Inherent risk - the risks that exist before controls are placed.

Residual risk - risks remaining after controls are placed. Need to choose an acceptable amount of risk.

Control risk - if in-place controls don’t manage it, what additional controls need to be in place?

Risk appetite - the amount of risk an organization is willing to accept

Question 4

What are some risk management strategies companies might use? A.M.A.T.I

Answer 4

Avoidance - avoiding risk by not implementing a service that poses risk. I.e service requires additional ports to be open.

Mitigation - Implementing controls to reduce risks or reduce impact.

Acceptance - accepting a certain level of risk. Might occur if the cost of a control is more than it is worth.

Transference - Risk handled by third party or is shared with that third party.

Insurance -

Question 5

Give a description of how a risk assessment might look?

Answer 5

First identifying assets and their values (objective and/or subjective).

Then threats & vulnerabilities are determined. How likely are they to occur?

Lastly, recommendations on what controls would reduce these threats and vulnerabilities.

It is a snapshot based on current threats, vulnerabilities, controls.

The overall goal is to assess impact of potential incidents, their likelihood and then prioritize assets and controls.

Question 6

When does a risk control assessment come into play? how does it differ from a risk control self-assessment?

Answer 6

This occurs to examine the potential risks based on current controls. If a risk assessment is in play it will use that to check if they adequately mitigate known risks.

self-assessment is performed by employees. The control assessment by a third party.

Question 7

What is SLE, ALE and ARO? how do you work out ALE?

Answer 7

Single loss expectancy - cost of any single loss (one occurrence of that loss)

Annual loss expectancy - cost of single loss x how many times per year it has happened.

Annual rate of occurrence - Times per year something is expected to happen. Represented as a percentage (50% = 0.5).

ALE = AROxSLE

Question 8

In a subjective or qualitative risk assessment how can you perform a calculation?

Answer 8

Using a scale of 1-10, 1 being low 10 being high. This can be applied to both the probability, and impact. Probably = 7, impact = 10. Then, you could say 7x10 = an overall risk is 70.

Question 9

What is the final process and briefly those leading up to it of risk assessment ?

Answer 9

documenting the assessment. The report. Essentially just recommendations. Leading up to this, identifying assets, identifying threats/vulnerabilities, implementing controls. Assets need to be valued quantitatively or qualitatively, SLE, ALE and ARO come into play. Strategies should be considered. Avoidance, mitigation, acceptance, transference and insurance.

Question 10

Risk assessments use a variety of tools/frameworks give a brief description of each

Answer 10

Risk register - Usually a table of known risks, risk owner, mitigation measures, likelihood of occurrence, risk score.

Risk matrix - A graph or a chart likelihood vs rate of occurrence,

Heat map - Similar to a risk matrix but uses colours

Question 11

Give some examples of what a network scan for vulnerabilities might want to achieve and using what?

Answer 11

The use of NMAP -
May perform an ARP ping scan to see if a system is operational (and its IP address).

Syn Stealth scan - sends out a syn, but no ack, it resets connection. Same as arp ping reason.

Port scan - checkcing for any open ports. Giving hints about what protocols and services are running.

Service scan - Will send a command to a known open port to verify that that service is running.

OS detection - Analyze packets from an IP address to identify the OS. Different OS use different sizes of TCP windows as an example.

Question 12

What are a few things a vulnerability scanner aims to do?

Answer 12

Identify any vulnerabilities/misconfigurations/passively test security controls and identify a lack of security controls.

Question 13

How does a vulnerability scanner know what to look for?

Answer 13

Through the use of a database / known vulnerabilities it tests systems against these. There is a common vulnerability scoring system (0-10) that assesses and assigns priorities

Question 14

Give a list of some basic misconfigurations and vulnerability scanner might pick up on

Answer 14

1. Unused/open ports
2. Unsecured root accounts
3. Default accounts & passwords
4. Default settings
5. Unpatched systems
6. Open permissions (Files available to everybody)
7. Unsecure protocols
8. Weak encryption and passwords

Question 15

Vulnerability vs penetration test?

Answer 15

it does not exploit any vulnerabilities. Only passively searches for them. Whereas a penetration test will try to exploit all vulnerabilities.

Question 16

Credentialed vs non credentialed scans

Answer 16

Credentialed uses an account, has some access to the system with privilege’s of an administrator. Provides deeper insight.

Non credentialed, like an attacker typically, unless they use priviledge escalation to gain more access to the system.

Question 17

A configuration scanner uses what to perform its function?

Answer 17

A configuration baseline file searching systems to match this. Often run automatically via tools.

Question 18

An important thing to do for penetration tests?

Answer 18

Define boundaries, as penetration tests are invasive. Also develop a replica system on a test system.

Question 19

Passive vs active foot printing (reconnaissance )

Answer 19

Passive - OSINT, no engagement with target, not illegal.
Active - Use of tools, more invasive

Question 20

What are some tools used in active reconnaissance

Answer 20

may use IPscanners (ping), Nmap, Netcat (identify OS, open ports, transfer files, info about apps), scanless (portscan), Dnsenum (DNS record list), Nessus (vulnerability scanner), hping (send pings icmp, tcp, udp), Sn1per vulnerability testing & exploiter, Curl (transfer and recieve data from servers and webservers),

Question 21

How does a penetration tester create persistance?

Answer 21

After exploiting a vulnerability, creating a backdoor to maintain entry into the system

Question 22

What is lateral movement?

Answer 22

The process of moving through the network, typically looking for other systems vulnerabilities and exploiting them as well. By doing this, it increases persistence.

Question 23

What is it called when a penetration tester uses one exploited system to target another?

Answer 23

Pivoting.

Question 24

What occurs in the last step of a penetration test?

Answer 24

Clean up, removing all traces. User accounts, scripts, logs, settings reverted. Etc.

Question 25

Team colours, give a decription

Answer 25

red - attackers, hackers, internal or third parties.
blue - defenders usually employees
purple - can do either red or blue activities.
white - oversee testing and establish rules of engagement.

Question 26

If you had to capture traffic how would you go about it? Also list 2 packet analyzers.

Answer 26

You could install an unauthorized switch, send the traffic to a protocol analyzer such as wireshark, modify and send back the edited packet. TCPdump can also be used to capture packets from the command line.

Question 27

You need to use Netflow, what might you look for?

Answer 27

It is statistics based, rather that viewing details within packets, it gives an overview of traffic, packet number, protocol used, identifer (router/switch), IP, port number etc. You would use it for monitoring network traffic flow and volume.

Question 28

27001 vs 27002

Answer 28

Information security management 27001 - requirements to become certifed. (The first step)
27002 provides best practice (think, second step, after being certified now best practice).

Question 29

27701

Answer 29

Framework dealing with sensitive data , managing and protecting PII.

Question 30

31000

Answer 30

standard framework for risk management

Question 31

Briefly describe the 7 steps of the RMF

Answer 31

risk management framework
1. Prepare (identify key roles for implementation, identify risk tolerance strategies, update/create risk assessment, and identify in-place controls
2. Categorize information systems (impact of event, on loss of confidentiality, integrity and availability) allowing for prioritization
3. Select security controls
4. Implement security controls
5. Assess security controls (are they producing desired outcome? are they implemented correctly)
6. Authorize - are they authorized to operate
7. Monitor , assess changes, periodic assessments of all of the above.

Question 32

List a few of the exploitation frameworks

Answer 32

used by pen testers,

Metasploit - open source, runs on linux, methods to develop, test and use exploit code.
BeEF - Browser exploitation framework, open source, focused on web exploits,
w3af - web application attack and audit framework - open source for exploits on web applications