Chapter 8 - Using Risk Management Tools Flashcards
SLE
Single Loss Expectancy
The cost of any single loss
ARO
Annual Rate of Occurrence
Indicates how many times the loss will occur in a year. If ARO is less than 1, the ARO is represented as a percentage (ie .5 = once every 2 years)
ALE
Annual Loss Expectancy
SLE x ARO
Risk register
Lists all known risks for a system or an organization, often in table format and also known as a risk log. Is a living document.
Risk matrix
Plots risks onto a graph or chart. Can plot things like the likelihood of occurrence data against the impact of a risk. Includes marking acceptable risk vs unacceptable risk
Heat map
Similar to a risk matrix, except uses colors such as green and red.
Supply chain risk
Supply chain = all the elements required to produce and sell a product. Supply chain can become an attack vector if an attacker can disrupt the supply chain.
Threat hunting
The process of actively looking for threats within a network before an automated tool detects and reports on the threat.
-Gathering data on the threat through threat intelligence, ie info on the threat’s capabilities, motives, goals and resources coming from both internal and external sources.
OSINT
Open Source Intelligence.
Includes anything available on the internet such as blogs from researchers and vendors, media reports and more.
Threat feeds
Provide subscribers with up-to-date information on current threats. Many security organizations publish feeds and anyone with an email address can subscribe to them.
TTP
Tactics, techniques and procedures used by adversaries.
Refers to attacker methods when exploiting a target. Commonly included in threat feeds.
intelligence fusion
Combines all this intelligence data to create a picture of likely threats and risks for an organization.
Password cracker
Attempts to discover a password. PWs are normally hashed, and some hashing algorithms are stronger than others, ie MD5, which is now vulnerable.
Done online or offline.
Network scanner
Use various techniques to gather info about hosts within a network, ie nmap which is a popular scanning tool that gives you a lot of info about hosts within a network. Network scanners usually use the following methods:
-ARP ping scan
Any host that receives an ARP packet with its IP address responds with its MAC address. If the host responds, the network scanner knows that a host is operational with that IP address.
-SYN stealth scan
Sends a single SYN packet to each IP address in the scan range. If a host responds, the scanner knows that a host is operational with that IP address. The scanner normally responds with a RST reply to close the connection instead of an ACK.
-Port scan
Checks for open ports on a system, each indicating the underlying protocol is running on the system, ie if port 443 is open we know the host is running HTTPS, meaning it’s probably a web server. A port scan normally uses the ports identified as well-known ports by the IANA.
-Service scan
Like a port scan, but goes a step further and verifies the protocol or service, ie if a port scan shows 443 is open, a service scan will send an HTTPS command such as “GET /”. If HTTPS is running on port 443, it will respond to the GET command, verifying that it is a web server.
-OS detection
OS detection techniques analyze packets from an IP address to identify the OS. This is often referred to as TCP/IP fingerprinting.
EX: TCP window size (the size of the receive window in the first packet of the TCP session) is not fixed. Different OSs use different sizes, ie Linux uses 5,840 bytes, Cisco routers 4,128 bytes, Windows 8,192 and 65,535. OS detection techniques don’t rely on a single value but typically evaluate multiple values included in system responses.
Identifying Vulnerabilities and Misconfigurations
-open ports and services
-unsecure root accounts
-default accounts and passwords
-default settings
-unpatched systems
-errors
-open permissions
-unsecure protocols
-weak encryption
-weak passwords
-sensitive data
Credentialed vs Non-credentialed
Vulnerability scanners can run as a credentialed scan using an account’s credentials or as a non-credentialed scan without any user credentials. Attackers typically do not have an internal account’s credentials, so when they run scans against systems, they run non-credentialed scans.
Admins can run credentialed scans with admin privileges to check security issues at a much deeper level, ie listing the software versions of installed programs, and also have fewer false positives.
Penetration testing
Actively assesses deployed security controls within a system or network. Includes:
-Rules of engagement (authorization outlining the boundaries of the test)
-Reconnaissance/footprinting (tester/attacker attempts to learn as much as possible about a network)
Passive recon = collecting info about a targeted system using OSINT
Active recon = uses tools to engage targets
Network reconnaissance and discovery methods
Using tools to send data to systems and analyze the responses. This phase typically starts by using various scanning tools such as network scanners and vulnerability scanners. Is technically illegal without authorization, so you need explicit authorization ahead of time.
Some tools include:
-IP Scanner (or a ping scanner)
Searches a network for active IP addresses, sending ICMP pings to a range of IP addresses in a network. Pings are often blocked by firewalls, so results can be inconsistent.
-Nmap
Network scanner that you can run from command prompt that can identify all active hosts on a network, their IP addresses, the protocols and services running on each of the hosts, and the host’s OS. Can include scan type, options, and target specifications when running the command.
-Scanless
Python-based CLI utility to perform port scans. Uses an online website, so the scan doesn’t come from the tester’s IP address, instead appearing to originate from the website’s IP address.
-dnsenum
Command that enumerates (or lists) DNS records for domains, including the servers holding the records, and identifies the mail servers (if they exist) by listing the MX records. Also attempts an AXFR zone transfer to download all DNS records from DNS servers, but those normally fail.
-Nessus
Vulnerability scanner developed by Tenable that uses plugins to perform various scans on Windows and Linux alike, and is often used for configuration reviews. AutoNessus is a free tool that can be used to automate Nessus scans.
-hping
Used to send pings using TCP, UDP or ICMP, and also to scan remote systems for open ports.
-Sn1per
A robust automated scanner used for vulnerability assessments and to gather info on targets during pen testing, combining features of many common tools into a single app. Comes in 2 editions: Community (performs vulnerability assessments, listing all discovered vulnerabilities and detailed info on the targets), and Professional, which also includes the ability to exploit the vulnerabilities.
-Curl
Client URL command (curl) is used to transfer and retrieve data to and from servers, such as web servers. The URL is the address of a webpage. Pen testers can use scripts to identify all of the URLs of a website and then use curl to retrieve all of the pages.
Most websites prevent unauthorized personnel from posting data to them, but blocking curl requests isn’t easy.
Footprinting vs. fingerprinting
Network footprinting provides a big-picture view of a network, including the IP addresses active on a target network.
Fingerprinting then hones in on individual systems to provide details of each.
Persistence
An attacker’s ability to maintain a presence in a network for a week, month or even years without being detected.
Once they discover a vulnerability they can research and find known exploits to remotely access a system or install malware.
Lateral movement
Refers to the way attackers maneuver throughout a network.
EX: Windows Management Instrumentation (WMI) and PowerShell are frequently used to scan a Windows network. After discovering other systems, the attacker looks for vulnerabilities and exploits them if possible. By exploiting multiple systems, the attacker has a better chance of maintaining persistence in a network.
Privilege escalation
Gaining access to a low-level system/account then using techniques to gain more and more privileges on a user’s computer and network, attempting to gain administrator access.
Pivoting
The process of using various tools to gain additional information, ie getting into one user’s computer then using that user’s computer to gather information on other computers.
Known / Unknown / Partially Known testing environment
- Unknown: testers have zero knowledge of environment prior to starting (black box test), instead they use the same knowledge as an attacker
- Known: testers have full knowledge of the environment before starting, ie access to product documentation, source code, possibly even logon details (white box test).
- Partially known: testers have some knowledge (gray box), like having access to some network documentation but not the full network layout.
Cleanup
One of the last steps of a pen test, includes removing all traces of the pen test activities, such as:
-removing user accounts created on a system in a network
-removing any scripts or apps added or installed on systems
-removing any files, such as logs or temporary files, created on systems
-reconfiguring all settings modified by testers during the pen test
Intrusive vs. non-intrusive testing
Intrusive = invasive, tools used can potentially disrupt the operations of a system.
Non-intrusive = will not compromise a system (like basic vuln scanning)
Protocol analyzer
Used to capture packets, meaning capturing network packets transmitted over a network. Also called sniffing or using a sniffer.
Provide admins and attackers with the ability to analyze and modify packet headers and their payloads, typically before sending them back out as a packet replay. Can also be used to troubleshoot communication issues between network systems or identify potential attacks using manipulated or fragmented packets.
Packet replay refers to sending packets back out over the network.
Wireshark - protocol analyzer. A capture shows info such as the type of traffic (protocol), flags, source and destination IP addresses, and source and destination MAC addresses.
The NIC must be configured to use promiscuous mode to capture all traffic.
Tcpreplay and tcpdump
Tcpreplay - a suite of utilities used to edit packet captures and send the edited packets over the network. Includes tcpreplay, tcpprep, tcprewrite and more, often used for testing network devices.
tcpdump command is a command-line protocol analyzer that allows you to capture packets like you can in Wireshark, used by many admins to capture the packets and later use Wireshark to analyze the packet capture.
-c = count (number of packets to capture)
-C = file size (millions of bytes)
NetFlow, sFlow, IPFIX
-NetFlow
Feature available on many routers and switches that can collect IP traffic statistics and send them to a NetFlow collector, which receives the data and stores it, and analysis software on the NetFlow collector allows admins to view and analyze network activity.
-sFlow
a sampling protocol and alternative to NetFlow that provides traffic information based on a preconfigured sample rate, ie capturing 1 of every 10 packets it receives, and thus it is less likely to impact the device’s performance, allowing it to work on devices with a high volume of data.
-IPFIX
IP Flow Information Export is similar to NetFlow v9. Analysis software installed on collectors typically supports both protocols, and IPFIX is a proposed standard as a replacement for NetFlow.
ISO
International Organization for Standardization (ISO), an independent organization that establishes standards.
-ISO 27001: Information Security Management
-ISO 27002: Information Technology Security Techniques
-ISO 27701: Privacy Information Management Systems (PIMS)
-ISO 31000: a family of standards related to risk management
SOC 2 Report
System and Organizational Control (SOC) 2 report covers organizational cybersecurity controls.
-SOC 2 Type I: describes an organization’s systems and covers the design effectiveness of security controls on a specific date, ie how well the security controls address the risks.
-SOC 2 Type II: describe an organization’s systems and security controls operational effectiveness over a wide range of dates such as 12 months.
Other orgs: NIST, CIS
PCI DSS
Payment Card Industry Data Security Standard (PCI DSS)
Specifies compliance requirements for companies handling credit card data.
RMF and CMF
Risk Management Framework (RMF) and Cybersecurity Framework (CMF), published by NIST, are used by orgs to identify and mitigate risks.
Reference architecture
A document or set of documents that provides a set of standards, such as a software reference architecture.
Exploitation frameworks
A tool used to store information about security vulnerabilities, often used by pen testers to detect and exploit software. Examples include:
-Metasploit
Open source project that runs on Linux, has data on over 1,600 exploits and includes methods to develop, test and exploit code. Acquired by Rapid7.
-BeEF (Browser Exploitation Framework)
Open source web browser exploitation framework focused on identifying web browser vulnerabilities.
-w3af (Web Application Attack and Audit Framework)
Open source framework focused on web application vulnerabilities.