Chapter 8 - Using Risk Management Tools Flashcards

1
Q

SLE

A

Single Loss Expectancy

The cost of any single loss

2
Q

ARO

A

Annual Rate of Occurrence

Indicates how many times the loss will occur in a year. If ARO is less than 1, the ARO is represented as a percentage (ie .5 = once every 2 years)

3
Q

ALE

A

Annual Loss Expectancy

SLE x ARO

4
Q

Risk register

A

Lists all known risks for a system or an organization, often in table format, and is also known as a risk log. It is a living document.

5
Q

Risk matrix

A

Plots risks onto a graph or chart. Can plot things like the likelihood of occurrence against the impact of a risk. Includes marking acceptable risk vs unacceptable risk.

6
Q

Heat map

A

Similar to a risk matrix, except uses colors such as green and red.

7
Q

Supply chain risk

A

Supply chain = all the elements required to produce and sell a product. The supply chain can become an attack vector if an attacker can disrupt it.

8
Q

Threat hunting

A

The process of actively looking for threats within a network before an automated tool detects and reports on the threat.

-Gathering data on the threat through threat intelligence, ie info on the threat’s capabilities, motives, goals and resources, coming from both internal and external sources.

9
Q

OSINT

A

Open Source Intelligence.

Includes anything available on the internet such as blogs from researchers and vendors, media reports and more.

10
Q

Threat feeds

A

Provide subscribers with up-to-date information on current threats. Many security organizations publish feeds and anyone with an email address can subscribe to them.

11
Q

TTP

A

Tactics, techniques and procedures used by adversaries.

Refers to attacker methods when exploiting a target. Commonly included in threat feeds.

12
Q

Intelligence fusion

A

Combines all of this intelligence data to create a picture of likely threats and risks for an organization.

13
Q

Password cracker

A

Attempts to discover a password. PWs are normally hashed; some hashing algos are stronger than others, such as MD5, which is now vulnerable.

Done online or offline.

14
Q

Network scanner

A

Uses various techniques to gather info about hosts within a network, ie nmap, which is a popular scanning tool that gives you a lot of info about hosts within a network. Network scanners usually use the following methods:

-ARP ping scan
Any host that receives an ARP packet with its IP address responds with its MAC address. If the host responds, the network scanner knows that a host is operational with that IP address.

-SYN stealth scan
Sends a single SYN packet to each IP address in the scan range. If a host responds, the scanner knows that a host is operational with that IP address. The scanner normally responds with a RST reply to close the connection instead of an ACK.

-Port scan
Checks for open ports on a system, each indicating the underlying protocol is running on the system, ie if port 443 is open we know the host is running HTTPS, meaning it’s probably a web server. A port scan normally uses the ports identified as well-known ports by the IANA.

-Service scan
Like a port scan, but goes a step further and verifies the protocol or service, ie if a port scan shows 443 is open, a service scan will send an HTTPS command such as “GET /”. If HTTPS is running on port 443, it will respond to the GET command, verifying that it is a web server.

-OS detection
OS detection techniques analyze packets from an IP address to identify the OS. This is often referred to as TCP/IP fingerprinting.
EX: TCP window size (the size of the receive window in the first packet of the TCP session) is not fixed. Different OSs use different sizes, ie Linux uses 5,840 bytes, Cisco routers 4,128 bytes, Windows 8,192 and 65,535. OS detection techniques don’t rely on a single value but typically evaluate multiple values included in a system’s responses.

15
Q

Identifying Vulnerabilities and Misconfigurations

A

-open ports and services
-unsecure root accounts
-default accounts and passwords
-default settings
-unpatched systems
-errors
-open permissions
-unsecure protocols
-weak encryption
-weak passwords
-sensitive data

16
Q

Credentialed vs Non-credentialed

A

Vulnerability scanners can run as a credentialed scan using an account’s credentials or as a non-credentialed scan without any user credentials. Attackers typically do not have an internal account’s credentials, so when they run scans against systems, they run non-credentialed scans.

Admins can run credentialed scans with admin privileges to check security issues at a much deeper level, ie listing the software versions of installed programs; credentialed scans also have fewer false positives.

17
Q

Penetration testing

A

Actively assesses deployed security controls within a system or network. Includes:

-Rules of engagement (authorization outlining the boundaries of the test)
-Reconnaissance/footprinting (tester/attacker attempts to learn as much as possible about a network)

Passive recon = collecting info about a targeted system using OSINT
Active recon = uses tools to engage targets

18
Q

Network reconnaissance and discovery methods

A

Using tools to send data to systems and analyze the responses. This phase typically starts by using various scanning tools such as network scanners and vulnerability scanners. Is technically illegal, so you need explicit authorization ahead of time.

Some tools include:

-IP Scanner (or a ping scanner)
Searches a network for active IP addresses, sending ICMP pings to a range of IP addresses in a network. Pings are often blocked by firewalls, so results can be inconsistent.

-Nmap
Network scanner that you can run from the command prompt that can identify all active hosts on a network, their IP addresses, the protocols and services running on each of the hosts, and each host’s OS. Can include scan type, options, and target specifications when running the command.

-Scanless
Python-based CLI utility to perform port scans. Uses an online website, so the scan doesn’t come from the tester’s IP address, instead appearing to originate from the website’s IP address.

-dnsenum
Command that enumerates (or lists) DNS records for domains, including the servers holding the records, and identifies the mail servers (if they exist) by listing the MX records. Also attempts an AXFR transfer to download all DNS records from DNS servers, but those normally fail.

-Nessus
Vulnerability scanner developed by Tenable that uses plugins to perform various scans on Windows and Linux alike, and is often used for configuration reviews. AutoNessus is a free tool that can be used to automate Nessus scans.

-hping
Used to send pings using TCP, UDP or ICMP, and also to scan remote systems for open ports.

-Sn1per
A robust automated scanner used for vulnerability assessments and to gather info on targets during pen testing, combining features of many common tools into a single app. Comes in 2 editions: Community (performs vulnerability assessments, listing all discovered vulnerabilities and detailed info on the targets), and Professional, which also includes the ability to exploit the vulnerabilities.

-Curl
Client URL command (curl) is used to transfer and retrieve data to and from servers, such as web servers. The URL is the address of a webpage. Pen testers can use scripts to identify all of the URLs of a website and then use curl to retrieve all of the pages.
Most websites prevent unauthorized personnel from posting data to them, but blocking curl requests isn’t easy.

19
Q

Footprinting vs. fingerprinting

A

Network footprinting provides a big-picture view of a network, including the IP addresses active on a target network.

Fingerprinting then homes in on individual systems to provide details of each.

20
Q

Persistence

A

An attacker’s ability to maintain a presence in a network for weeks, months or even years without being detected.

Once they discover a vulnerability they can research and find known exploits to remotely access a system or install malware.

21
Q

Lateral movement

A

Refers to the way attackers maneuver throughout a network.
EX: Windows Management Instrumentation (WMI) and PowerShell are frequently used to scan a Windows network. After discovering other systems, the attacker looks for vulnerabilities and exploits them if possible. By exploiting multiple systems, the attacker has a better chance of maintaining persistence in a network.

22
Q

Privilege escalation

A

Gaining access to a low-level system/account then using techniques to gain more and more privileges on a user’s computer and network, attempting to gain administrator access.

23
Q

Pivoting

A

The process of using various tools to gain additional information, ie getting into one user’s computer, then using that user’s computer to gather information on other computers.

24
Q

Known / Unknown / Partially Known testing environment

A
  • Unknown: testers have zero knowledge of the environment prior to starting (black box test); instead they use the same knowledge as an attacker.
  • Known: testers have full knowledge of the environment before starting, ie access to product documentation, source code, possibly even logon details (white box test).
  • Partially known: testers have some knowledge (gray box), like having access to some network documentation but not the full network layout.

25
Q

Cleanup

A

One of the last steps of a pen test, includes removing all traces of the pen test activities, such as:

-removing user accounts created on systems in a network

-removing any scripts or apps added or installed on systems

-removing any files, such as logs or temporary files, created on systems

-reconfiguring all settings modified by testers during the pen test

26
Q

Intrusive vs. non-intrusive testing

A

Intrusive = invasive, tools used can potentially disrupt the operations of a system.

Non-intrusive = will not compromise a system (like basic vuln scanning)

27
Q

Protocol analyzer

A

Used to capture packets, meaning capturing network packets transmitted over a network. Also called sniffing or using a sniffer.

Provides admins and attackers with the ability to analyze and modify packet headers and their payloads, typically before sending them back out as a packet replay. Can also be used to troubleshoot communication issues between network systems or identify potential attacks using manipulated or fragmented packets.

Packet replay refers to sending packets back out over the network.

Wireshark - protocol analyzer. A capture shows info such as the type of traffic (protocol), flags, source and destination IP addresses, and source and destination MAC addresses.

The NIC must be configured to use promiscuous mode to capture all traffic.

28
Q

Tcpreplay and tcpdump

A

Tcpreplay - a suite of utilities used to edit packet captures and send the edited packets over the network. Includes tcpreplay, tcpprep, tcprewrite and more; often used for testing network devices.

tcpdump is a command-line protocol analyzer that allows you to capture packets like you can in Wireshark. Many admins use it to capture the packets and later use Wireshark to analyze the packet capture.
-c = count (number of packets to capture)
-C = file size (millions of bytes)

29
Q

NetFlow, sFlow, IPFIX

A

-NetFlow
Feature available on many routers and switches that can collect IP traffic statistics and send them to a NetFlow collector, which receives and stores the data. Analysis software on the NetFlow collector allows admins to view and analyze network activity.

-sFlow
A sampling protocol and alternative to NetFlow that provides traffic information based on a preconfigured sample rate, ie capturing 1 of every 10 packets it receives. It is thus less likely to impact the device’s performance, allowing it to work on devices with a high volume of data.

-IPFIX
IP Flow Information Export is similar to NetFlow v9; analysis software installed on collectors typically supports both protocols. IPFIX is a proposed standard as a replacement for NetFlow.

30
Q

ISO

A

International Organization for Standardization (ISO), an independent organization that establishes standards.

-ISO 27001: Information Security Management

-ISO 27002: Information Technology Security Techniques

-ISO 27701: Privacy Information Management Systems (PIMS)

-ISO 31000: a family of standards related to risk management

31
Q

SOC 2 Report

A

System and Organizational Control (SOC) 2 report covers organizational cybersecurity controls.

-SOC 2 Type I: describes an organization’s systems and covers the design effectiveness of security controls on a specific date, ie how well the security controls address the risks.

-SOC 2 Type II: describes an organization’s systems and the operational effectiveness of its security controls over a wide range of dates, such as 12 months.

Other orgs: NIST, CIS

32
Q

PCI DSS

A

Payment Card Industry Data Security Standard (PCI DSS)

Specifies compliance requirements for companies handling credit card data.

33
Q

RMF and CMF

A

Risk Management Framework (RMF) and Cybersecurity Framework (CMF), published by NIST, are used by orgs to identify and mitigate risks.

34
Q

Reference architecture

A

A document or set of documents that provides a set of standards, such as a software reference architecture.

35
Q

Exploitation frameworks

A

A tool used to store information about security vulnerabilities, often used by pen testers to detect and exploit software. Examples include:

-Metasploit
Open source project that runs on Linux, has data on over 1,600 exploits and includes methods to develop, test and run exploit code. Acquired by Rapid7.

-BeEF (Browser Exploitation Framework)
Open source web browser exploitation framework focused on identifying web browser vulnerabilities.

-w3af (Web Application Attack and Audit Framework)
Open source framework focused on web application vulnerabilities.
