Chapter 8 Using Risk Management Tools Flashcards

1
Q

___ is the likelihood that a threat will exploit a vulnerability

A

Risk

2
Q

A _____ is a weakness

A

Vulnerability

3
Q

A ____ is a potential danger

A

Threat

4
Q

____ refers to the magnitude of harm that can be caused if a threat exercises a vulnerability

A

Impact

5
Q

A system without up-to-date antivirus software is vulnerable to ______

A

Malware

6
Q

Malware written by malicious attackers is the ______

A

Threat

7
Q

The likelihood that the malware will reach a vulnerable system represents the ____

A

Risk

8
Q

Within the context of risk management, a ____ is any circumstance or event that can compromise the confidentiality, integrity, or availability of data or a system

A

Threat

9
Q

List different forms of threats

A

Malicious human threats - script kiddies, APTs, and network, system, and malware attacks
Accidental human threats - users who accidentally delete or corrupt data, or accidentally access data they shouldn’t, or who unintentionally cause outages
Environmental threats - power failure, Mother Nature

10
Q

A _____ ____ helps an organization identify and categorize threats.

A

Threat assessment

11
Q

Organizations have limited ____ so it’s not possible to protect against all threats.

A

Resources

12
Q

List some common types of threat assessments

A

Environmental - evaluates the likelihood of an environmental threat occurring.

Manmade - evaluates all threats from humans

Internal - evaluates threats from within an organization. Threats from malicious employees and accidents

External - evaluates threats from outside an organization. External attackers and natural threats

13
Q

A ___ is a flaw or a weakness in software or hardware, or a weakness in a process that a threat could exploit, resulting in a security breach.

A

Vulnerability

14
Q

List some examples of vulnerabilities

A

Lack of updates - not up to date on patches, hotfixes, and service packs
Default configurations - hardening includes changing systems from their default hardware and software configurations, including changing default usernames and passwords
Lack of malware protection or updated definitions
Lack of firewalls
Lack of organizational policies

15
Q

___ _____ is the practice of identifying, monitoring, and limiting risks to a manageable level.

A

Risk management

16
Q

True or False: Risk management eliminates risks

A

False. It identifies methods to limit or mitigate them.

17
Q

The amount of risk that remains after managing risk is ____ ___

A

Residual risk

18
Q

True or False: The primary goal of risk management is not to reduce risk to a level that the organization will accept.

A

False. It IS to reduce risk to a level that the organization will accept.

19
Q

_______ must choose a level of acceptable risk based on their organizational goals.

A

Management

20
Q

List some risk response techniques

A

Avoid - by not providing a service or not participating in a risky activity.
Transfer - to another entity, e.g. by purchasing insurance or outsourcing.
Mitigate - implement controls to reduce risk, e.g. up-to-date antivirus software.
Accept - when the cost of a control outweighs the risk, an organization will often accept the risk.

21
Q

A ____ ____/____ is an important task in risk management

A

Risk assessment/analysis

22
Q

True or False: Risk assessment quantifies/qualifies risks based on different values or judgments

A

True

23
Q

What does a risk assessment first identify?

A

Assets and asset values

24
Q

An ____ includes any product, system, resource, or process that an organization values.

A

Asset

25
The ____ ___ identifies the worth of the asset to the organization.
Asset value
26
True or False: The asset value helps an organization focus on the high-value assets and avoid wasting time on low-value assets.
True
27
True or False: A risk assessment attempts to identify the impact of potential threats and identify the potential harm, and prioritizes risks based on the likelihood of occurrence and impact.
True
28
True or False: A risk assessment includes recommendations on what controls to implement to mitigate risks.
True
29
True or False: A risk assessment is a point-in-time assessment or a snapshot.
True
30
True or False: Risk assessments use quantitative measurements or qualitative measurements
True
31
______ ____ use numbers, such as a monetary figure representing costs and asset values.
Quantitative measurements
32
______ _____ use judgements
Qualitative measurements
33
True or False: The asset value is an important element in a qualitative risk assessment
False. It is an important element of a quantitative risk assessment.
34
The cost of any single loss is _____
Single Loss Expectancy (SLE)
35
How many times the loss will occur in a year is the _____
Annual Rate of Occurrence (ARO)
36
The product of the Single Loss Expectancy and the Annual Rate of Occurrence is _____
Annual Loss Expectancy (ALE) = SLE × ARO
37
List two simple guidelines managers use for most risk assessment decisions
1. If the cost of the control is less than the savings, purchase it. 2. If the cost of the control is greater than the savings, accept the risk.
38
A _____ ____ ____ uses judgement to categorize risks based on probability and impact
Qualitative Risk Assessment
39
The probability that an event will occur is _______
Likelihood of occurrence
40
Quality is often a matter of _______
Judgement
41
One of the challenges with a qualitative risk assessment is gaining ______ on the probability and impact.
Consensus
42
True or False: A final risk assessment report is highly protected
True. The information it contains, such as management decisions on which controls and measures are to be implemented, is valuable, especially to an attacker. Normally, only executive management and security professionals have access to these reports.
43
True or False: There are different definitions for a risk register depending on which standard you are following.
True. ISO 73:2009 defines it as a record of information about identified risks. Projects IN Controlled Environments defines it as a repository for all identified risks that includes additional information about each risk.
44
List some fields that are defined in a risk register
Category
Specific risk
Likelihood of occurrence
Impact
Risk score
Security controls or mitigation steps
Contingencies
Risk score with security controls
Action assigned to
Action deadline
45
A _____ ____ _____ evaluates the raw materials supply sources and all the processes required to create, sell, and distribute a product
Supply chain assessment
46
List two common tools used by security administrators to test networks
1. Vulnerability scanners | 2. Penetration tests
47
True or False: By reducing vulnerabilities you can reduce risks
True
48
What is the overall goal of a vulnerability assessment?
To assess the security posture of systems and networks.
49
List some sources that vulnerability assessments include information from
1. Security policies 2. Logs 3. Interviewing personnel 4. Testing systems
50
List the high-level steps for a vulnerability assessment
1. Identify assets and capabilities 2. Prioritize assets based on value 3. Identify vulnerabilities and prioritize them 4. Recommend controls to mitigate serious vulnerabilities
51
True or False: Many organizations do not perform vulnerability assessments internally
False
52
True or False: Organizations hire external security professionals to complete external assessments
True
53
A ____ ____ attempts to discover a password
Password cracker
54
True or False: Password crackers are one of the tools security administrators use during a vulnerability assessment
True
55
An _____ password cracker attempts to discover passwords by analyzing a database or file containing passwords.
Offline
56
True or False: A key benefit of an offline password cracking attack is that attackers have unlimited time to analyze the passwords
True
57
An _____ password cracker attempts to discover passwords by guessing them in a brute force attack.
Online
58
A _____ _____ uses various techniques to gather information about hosts within a network.
Network scanner
59
True or False: Nmap is an unpopular network scanning tool
False. It is popular
60
True or False: Other popular network scanners are netcat and nessus
True
61
A _____ ___ sends an ICMP ping to a range of IP addresses in a network
Ping scan
62
True or False: A problem with ping scans is that firewalls often block ICMP, so it can give inconsistent results.
True
63
___ ___ ___ sends an ARP packet with an IP address to a host and the corresponding host responds with its MAC address
ARP ping scan
64
____ ___ _____ sends a single SYN packet to each IP address in the scan range. If a host responds, the scanner knows that a host is operational with that IP address.
SYN stealth scan
65
True or False: In a SYN stealth scan, once a host IP address is confirmed, an RST (reset) response is sent to close the connection
True
66
___ ___ checks for open ports on a system
Port scan
67
True or False: A port scan typically uses the ports identified as well-known ports by the Internet Assigned Numbers Association (IANA)
True
68
____ ___ is like a port scan but verifies the protocol or service.
Service scan
69
___ ___ _____ techniques analyze packets from an IP address to identify the OS.
Operating System (OS) Detection
70
OS Detection is often referred to as ____ _______
TCP/IP fingerprinting
71
True or False: OS Detection techniques don't rely on a single value but typically evaluate multiple values included in responses from systems
True
72
____ ____ discovers devices on the network and how they are connected with each other.
Network mapping
73
True or False: Network mapping is often done with a network scan but only focuses on connectivity
True
74
A ____ ____ ___ also includes additional scans to identify open ports, running services, and OS details.
Full network scan
75
_______ _____ can typically use both passive and active scans.
Wireless scanners
76
When using a _____ ____, a scanner just listens to all the traffic being broadcast on known channels within the 2.4 GHz and 5 GHz frequency ranges
Passive scan
77
When using an _____ ____ a wireless scanner acts like a scanner/cracker and can gain more information about an AP by sending queries to it.
Active scan
78
True or False: As long as an administrator knows what APs are authorized, it's easy to discover rogue APs with a wireless scan.
True
79
The _____ ____ ___ ______ (RSSI) shows the strength of the signal
Received Signal Strength Indicator
80
True or False: A lower negative number is stronger than a higher negative number for signal strength
True
81
True or False: As you move closer to a rogue AP, the signal becomes stronger and vice versa as you move further away.
True
82
______ _____ is a technique used to gain information about remote systems and many network scanners use it.
Banner grabbing
83
True or False: Banner grabbing is often used to identify the operating system along with information about some applications.
True
84
True or False: If a banner grab is successful the server returns an HTML banner providing information on the server.
True
85
_______ ____ identify a wide range of weaknesses and known security issues that attackers can exploit
Vulnerability scanners
86
A vulnerability scan often includes what actions?
1. Identify vulnerabilities 2. Identify misconfigurations 3. Passively test security controls 4. Identify lack of security controls
87
True or False: Vulnerability scanners utilize a database/dictionary of known vulnerabilities and test systems against this database.
True
88
The _____ _____ ___ ______ list is a dictionary of publicly known security vulnerabilities and exposures.
Common Vulnerabilities and Exposures
89
True or False: The CVE list is publicly funded by the U.S. government
True
90
____ ____ ____ ____ utilizes the National Vulnerability Database (NVD) which includes lists of common misconfigurations, security-related software flaws, and impact ratings or risk scores.
Security Content Automation Protocol (SCAP)
91
True or False: Attackers often look for systems that are misconfigured and vulnerability scanners can detect some common misconfiguration settings
True
92
_____ ___ can signal a vulnerability, especially if administrators aren't actively managing the services associated with these ports
Open ports
93
___ ______ can be discovered with the use of vulnerability scanners and/or password crackers
Weak passwords
94
True or False: Scanners are able to detect default accounts and passwords for applications such as SQL database systems
True
95
True or False: Some scanners include data loss prevention (DLP) techniques to detect sensitive data sent over the network.
True
96
True or False: Vulnerability scans can also check the system against a configuration or security baseline to identify unauthorized changes.
True
97
Is a vulnerability scan an active or passive scan?
Passive scan since it does not attempt to exploit any vulnerabilities
98
Is a penetration test an active or passive attempt?
Active attempt that attempts to exploit vulnerabilities
99
True or False: Vulnerability scanners can also identify missing security controls, such as the lack of up-to-date patches or the lack of antivirus software
True
100
True or False: Vulnerability scanners can report false positives
True
101
True or False: False positives can result in higher administrative overhead because administrators have to investigate them
True
102
True or False: Security administrators often run credentialed scans with the privileges of an administrator account
True
103
True or False: Attackers typically start with a non-credentialed vulnerability scan but use privilege escalation techniques to gain administrative access.
True
104
A _______ __________ _______ verifies that systems are configured correctly
Configuration compliance scanner
105
True or False: Configuration compliance scans typically need to be run as credentialed scans.
True | This helps ensure they can accurately read the configuration of systems during the scan.
106
A penetration test without consent is an _______
Attack
107
______ _____ actively assesses deployed security controls within a system or network
Penetration testing
108
True or False: Security testers typically perform a penetration test to demonstrate the actual security vulnerabilities within a system
True
109
A penetration test starts with a _____ _____
Vulnerability scan
110
______ ______ collects information about a targeted system, network, or organization using open-source intelligence.
Passive reconnaissance
111
True or False: If an organization has wireless networks, passive reconnaissance can include collecting information from the network, such as network SSIDs
True
112
True or False: Passive reconnaissance is not illegal
True | Because it does not engage a target
113
True or False: You can use whois lookup site and domain name system servers to gain information about a domain name holder
True
114
_____ ______ includes using tools to send data to systems and analyzing the responses
Active reconnaissance
115
True or False: Active reconnaissance typically starts by using various scanning tools such as network scanners and vulnerability scanners
True
116
True or False: Active reconnaissance is almost always illegal
True | Because it engages a target
117
Active reconnaissance should never be started without first getting _____ ______ to do so
Explicit authorization
118
True or False: After scanning, testers discover vulnerabilities and look for ways to exploit them.
True
119
______ is the process of using various tools to gain additional information.
Pivoting
120
True or False: A common technique used to maintain persistence is to create a backdoor back into the network.
True
121
List the three types of testing for penetration testing
1. Black box testing 2. White box testing 3. Gray box testing
122
____ ____ ____ is where testers have zero knowledge of the environment prior to starting
Black box testing
123
____ ___ _____ is where testers have full knowledge of the environment prior to starting
White box testing
124
_____ ___ ______ is where testers have some knowledge of the environment prior to starting
Gray box testing
125
A ____ ___ attacker is a malicious attacker performing criminal activities
Black hat
126
_____ ___ attackers are security professionals working with the law
White hat
127
___ ___ attackers are those who have good intentions, but their activities may cross ethical lines.
Gray hat
128
_____ can be either intrusive/invasive or non-intrusive/non-invasive
Scans
129
True or False: Vulnerability scanning is intrusive and more invasive than penetration testing
False | It is the reverse
130
A ____ ___ tests systems in a non-intrusive manner and has little possibility of compromising a system.
Passive tool
131
An _____ ____ uses intrusive and invasive methods and can potentially affect the operations of a system.
Active tool
132
An _____ _______ is a tool used to store information about security vulnerabilities
Exploitation framework
133
True or False: Exploitation frameworks are often used by penetration testers (and attackers) to detect and exploit software.
True
134
A _____ _____ can capture and analyze packets on a network.
Protocol analyzer
135
The process of using a protocol analyzer is sometimes referred to as _______
Sniffing
136
True or False: Both administrators and attackers can use a protocol analyzer to view IP headers and examine packets.
True
137
True or False: When using a protocol analyzer, you need to configure the network interface card (NIC) on the system to use promiscuous mode.
True
138
True or False: Normally, a NIC uses non-promiscuous mode and only processes packets addressed directly to its IP address
True
139
True or False: A protocol analyzer is useful when troubleshooting communications problems between systems.
True
140
A _____ shows information such as the type of traffic (protocol), flags, source and destination IP address, and source and destination MAC addresses.
Capture
141
_____ is a command-line packet analyzer (or protocol analyzer) that allows you to capture packets.
Tcpdump
142
____ is a network scanner that includes many capabilities, including identifying all the active hosts and their IP addresses in a network, the protocols and services running on each of these hosts, and the operating system of the host.
Nmap (Zenmap is the graphical front end)
143
_____ can easily be used for banner grabbing
Netcat
144
Other uses of netcat include
1. Transferring files | 2. Port scanning
145
True or False: For Windows event logs, application logs record events by applications or programs running on the system
True
146
True or False: The OS uses the System log to record events related to the functioning of the OS. This can include when it starts, shuts down, info on services starting and stopping, drivers loading or failing, or any other system component event deemed important by the system developers.
True
147
Linux log files and commands
Authentication log - cat /var/log/auth.log
General system messages - /var/log/messages
System boot - /var/log/boot.log
Failed logon - /var/log/fail.log
System kernel - /var/log/kern.log
Apache web server - /var/log/httpd
148
Authentication logs and files
1. utmp - maintains information on the current status of the system, including who is currently logged in. The who command queries this file to display a list of users currently logged in.
2. wtmp - archive of the utmp file
3. btmp - records failed login attempts. The lastb command shows the last failed login attempts.
149
Other Linux logs
1. Antivirus logs 2. Application logs 3. Performance logs
150
A ____ ____ ___ ____ ______ system provides a centralized solution for collecting, analyzing, and managing data from multiple sources.
Security information and event management (SIEM)
151
A ____ ____ _____ provides real-time monitoring, analysis, and notification of security events, such as suspected security incidents.
Security event management (SEM)
152
A ___ ____ ____ provides long-term storage of data, along with methods of analyzing the data to look for trends or to create reports needed to verify compliance with laws or regulations
Security information management (SIM)
153
True or False: SIEMs are very useful in large enterprises that have massive amounts of data and activity to monitor.
True
154
True or False: The SIEM provides continuous monitoring and provides real-time reporting.
True
155
True or False: The SIEM collects log data from devices throughout the network and stores these logs in the database.
True
156
_______ refers to combining several dissimilar items into a single item.
Aggregation
157
True or False: A SIEM can collect data from multiple sources, such as firewalls, intrusion detection systems, proxy servers, and more.
True
158
True or False: An SIEM can aggregate device logs in different formats and store them in such a way that they are easy to analyze and search.
True
159
A ____ _____ is a software component used to collect and analyze event log data from various systems within the network
Correlation engine
160
True or False: A correlation engine typically aggregates the data looking for common attributes and then uses advanced analytic tools to detect patterns of potential security events and raises alerts.
True
161
True or False: An SIEM typically comes with predefined alerts, which provide notifications of suspicious events.
True
162
____ cause an action in response to a predefined number of repeated events.
Triggers
163
True or False: An SIEM includes the ability to modify predefined triggers and create new ones.
True
164
True or False: All servers sending data to the SIEM should be synchronized with the same time.
True
165
True or False: One method to ensure time is synchronized is to convert all log times to Greenwich Mean Time (GMT), which is the time at the Royal Observatory in Greenwich, London
True
166
______ is the process of removing duplicate entries.
Deduplication
167
True or False: An SIEM will store only a single copy of any duplicate log entries, but will also ensure that the entries are associated with the different devices.
True
168
True or False: An SIEM typically includes methods to prevent anyone from modifying log entries.
True
169
What does WORM stand for?
Write once, read many
170
True or False: Security professionals must continuously monitor their environment for emerging threats and new vulnerabilities.
True
171
_____ ____ ____ includes monitoring all relevant security controls, with the goal of ensuring that they help an organization maintain a strong security posture.
Continuous security monitoring
172
____ ____ refers to logging information on what users do.
Usage auditing
173
True or False: Configuring logging of logon attempts is an important security step for system monitoring.
True
174
True or False: When users access a resource over a network such as a file server, it is also recorded as a logon action.
True
175
A _____ ____ ____ looks at the logs to see what users are doing
Usage auditing review
176
True or False: Logs create an audit trail of what happened.
True
177
True or False: Usage auditing reviews are often done to re-create the audit trail, or reconstruct what happened in the past.
True
178
A ______ _____ _____ looks at the rights and permissions assigned to users and helps ensure the principle of least privilege is enforced.
Permission auditing review
179
True or False: Permission auditing reviews identify the privileges (rights and permissions) granted to users, and compares them against what the users need.
True
180
______ ____ occurs when a user is granted more and more privileges due to changing job requirements, but unneeded privileges are never removed.
Privilege creep (permission bloat)
181
True or False: Organizations commonly use a role-based access control model with group-based privileges.
True
182
True or False: An organization should also have account management controls in place to ensure that administrators remove user accounts when there is a change in employment.
True