Chapter 8 Using Risk Management Tools Flashcards
___ is the likelihood that a threat will exploit a vulnerability
Risk
A _____ is a weakness
Vulnerability
A ____ is a potential danger
Threat
____ refers to the magnitude of harm that can be caused if a threat exercises a vulnerability
Impact
A system without up-to-date antivirus software is vulnerable to ______
Malware
Malware written by malicious attackers is the ______
Threat
The likelihood that the malware will reach a vulnerable system represents the ____
Risk
Within the context of risk management, a ____ is any circumstance or event that can compromise the confidentiality, integrity, or availability of data or a system
Threat
List different forms of threats
Malicious human threats - script kiddies, APTs (advanced persistent threats), and network, system, and malware attacks
Accidental human threats - users who accidentally delete or corrupt data, accidentally access data they shouldn't, or unintentionally cause outages
Environmental threats - power failure and natural events such as hurricanes, floods, and earthquakes
A _____ ____ helps an organization identify and categorize threats.
Threat assessment
Organizations have limited ____ so it’s not possible to protect against all threats.
Resources
List some common types of threat assessments
Environmental - evaluates the likelihood of an environmental threat occurring.
Manmade - evaluates all threats from humans
Internal - evaluates threats from within an organization. Threats from malicious employees and accidents
External - evaluates threats from outside an organization. External attackers and natural threats
A ___ is a flaw or a weakness in software or hardware, or a weakness in a process that a threat could exploit, resulting in a security breach.
Vulnerability
List some examples of vulnerabilities
Lack of updates - not up to date on patches, hotfixes, and service packs
Default configurations - hardening includes changing systems from their default hardware and software configurations, including changing default usernames and passwords
Lack of malware protection or updated definitions
Lack of firewalls
Lack of organizational policies
___ _____ is the practice of identifying, monitoring, and limiting risks to a manageable level.
Risk management
True or False: Risk management eliminates risks
False. It identifies methods to limit or mitigate them.
The amount of risk that remains after managing risk is ____ ___
Residual risk
True or False: The primary goal of risk management is not to reduce risk to a level that the organization will accept.
False. The primary goal IS to reduce risk to a level the organization will accept.
_______ must choose a level of acceptable risk based on their organizational goals.
Management
List some risk response techniques
Avoid - by not providing a service or not participating in a risky activity.
Transfer - to another entity, e.g. purchasing insurance or outsourcing
Mitigate - implement controls to reduce risk, e.g. up-to-date antivirus software
Accept - when the cost of a control outweighs the risk, an organization will often accept the risk
A ____ ____/____ is an important task in risk management
Risk assessment/analysis
True or False: Risk assessment quantifies/qualifies risks based on different values or judgments
True
What does a risk assessment first identify?
Assets and asset values
An ____ includes any product, system, resource, or process that an organization values.
Asset
The ____ ___ identifies the worth of the asset to the organization.
Asset value
True or False: The asset value helps an organization focus on the high-value assets and avoid wasting time on low-value assets.
True
True or False: A risk assessment attempts to identify the impact of potential threats and identify the potential harm, and prioritizes risks based on the likelihood of occurrence and impact.
True
True or False: A risk assessment includes recommendations on what controls to implement to mitigate risks.
True
True or False: A risk assessment is a point-in-time assessment or a snapshot.
True
True or False: Risk assessments use quantitative measurements or qualitative measurements
True
______ ____ use numbers, such as monetary figures representing costs and asset values.
Quantitative measurements
______ _____ use judgments.
Qualitative measurements
True or False: The asset value is an important element in a qualitative risk assessment
False. It is an important element of a quantitative risk assessment.
The cost of any single loss is _____
Single Loss Expectancy (SLE)
How many times the loss will occur in a year is the _____
Annual Rate of Occurrence (ARO)
The product of the Single loss expectancy and the annual rate of occurrence is _____
Annual loss expectancy (ALE) = SLE X ARO
List two simple guidelines managers use for most risk assessment decisions
- If the annual cost of the control is less than the savings (the ALE it removes), purchase it.
- If the annual cost of the control is greater than the savings, accept the risk.
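The SLE, ARO and ALE cards and the two manager guidelines above, worked through in code. This is an added example and not part of the original flashcards; the asset names, loss figures and control costs in it are constructed for illustration, and the `Risk`/`Control` classes and `decide()` function are this example's own, not a standard API.

```python
"""Quantitative risk assessment: SLE, ARO, ALE and the buy-or-accept decision.

Added example; not from the original flashcards. All asset names, loss
figures and control costs below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # Single Loss Expectancy: cost of one occurrence
    aro: float  # Annual Rate of Occurrence: expected occurrences per year

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual: Risk  # the risk that remains after the control is in place


def annual_savings(before: Risk, control: Control) -> float:
    """ALE the control removes each year (ALE before minus residual ALE)."""
    return before.ale - control.residual.ale


def decide(before: Risk, control: Control) -> str:
    """The two manager guidelines: buy the control if its annual cost is less
    than the savings it produces, otherwise accept the risk."""
    return "mitigate" if control.annual_cost < annual_savings(before, control) else "accept"


# Constructed scenario 1: outages of a public web server.
WEB_OUTAGE = Risk("web server outage", sle=5_000.0, aro=6)
FAILOVER = Control(
    "failover cluster",
    annual_cost=12_000.0,
    residual=Risk("web server outage (with failover)", sle=5_000.0, aro=1),
)

# Constructed scenario 2: stolen laptops (disks already encrypted).
LAPTOP_THEFT = Risk("laptop theft", sle=2_000.0, aro=2)
TRACKING = Control(
    "asset-tracking service",
    annual_cost=6_000.0,
    residual=Risk("laptop theft (with tracking)", sle=2_000.0, aro=0.5),
)


def report(before: Risk, control: Control) -> dict:
    """One row of a quantitative risk assessment for a single control."""
    return {
        "risk": before.name,
        "ale_before": before.ale,
        "ale_after": control.residual.ale,
        "savings": annual_savings(before, control),
        "control_cost": control.annual_cost,
        "decision": decide(before, control),
    }


if __name__ == "__main__":
    for risk, control in ((WEB_OUTAGE, FAILOVER), (LAPTOP_THEFT, TRACKING)):
        row = report(risk, control)
        print(f"{row['risk']:<20} ALE ${row['ale_before']:>9,.0f} -> ${row['ale_after']:>8,.0f}"
              f"  saves ${row['savings']:>8,.0f} vs control ${row['control_cost']:>8,.0f}: "
              f"{row['decision']}")
```

The failover cluster costs $12,000 a year but removes $25,000 of ALE, so the guideline says mitigate; the tracking service costs $6,000 to remove $3,000 of ALE, so the guideline says accept. Residual risk is the `ale_after` figure in each row.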
A _____ ____ ____ uses judgment to categorize risks based on probability and impact
Qualitative risk assessment
The probability that an event will occur is _______
Likelihood of occurrence
Quality is often a matter of _______
Judgment
One of the challenges with a qualitative risk assessment is gaining ______ on the probability and impact.
Consensus
True or False: A final risk assessment report is highly protected
True. The information it contains, such as management decisions on which controls and measures will be implemented, is valuable, especially to an attacker. Normally, only executive management and security professionals have access to these reports.
True or False: There are different definitions for a risk register depending on which standard you are following.
True.
ISO Guide 73:2009 defines it as a record of information about identified risks
PRINCE2 (PRojects IN Controlled Environments) defines it as a repository for all risks identified, including additional information about each risk
List some fields that are defined in a risk register
- Category
- Specific risk
- Likelihood of occurrence
- Impact
- Risk score
- Security controls or mitigation steps
- Contingencies
- Risk score with security controls
- Action assigned to
- Action deadline
A _____ ____ _____ evaluates the raw materials supply sources and all the processes required to create, sell, and distribute a product
Supply chain assessment
List two common tools used by security administrators to test networks
- Vulnerability scanners
- Penetration tests
True or False: By reducing vulnerabilities you can reduce risks
True
What is the overall goal of a vulnerability assessment?
To assess the security posture of systems and networks.
List some sources that vulnerability assessments include information from
- Security policies
- Logs
- Interviewing personnel
- Testing systems
List the high-level steps for a vulnerability assessment
- Identify assets and capabilities
- Prioritize assets based on value
- Identify vulnerabilities and prioritize them
- Recommend controls to mitigate serious vulnerabilities
True or False: Many organizations do not perform vulnerability assessments internally
False
True or False: Organizations hire external security professionals to complete external assessments
True
A ____ ____ attempts to discover a password
Password cracker
True or False: Password crackers are one of the tools security administrators use during a vulnerability assessment
True
An _____ password cracker attempts to discover passwords by analyzing a database or file containing passwords.
Offline
True or False: A key benefit of an offline password cracking attack is that attackers have unlimited time to analyze the passwords
True
An _____ password cracker attempts to discover passwords by guessing them against the live system in a brute force attack.
Online (much slower than offline cracking because every guess goes to the live system, and account lockout or rate limiting can stop it)
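The offline cracking cards above describe an attacker analyzing a copied password file with unlimited time. The script below is an added example, not part of the original flashcards: it runs a dictionary attack against a constructed hash dump (the usernames, passwords, salts and wordlist are all made up here so it runs offline) and shows why unsalted fast hashes are the worst case for the defender, since one table of candidate hashes cracks every user at once and identical hashes expose shared passwords.

```python
"""Offline dictionary attack against a constructed dump of password hashes.

Added example; not from the original flashcards. The usernames, passwords,
salts and wordlist are constructed here so the script runs offline. It shows
what the offline-cracking card implies: with a copied hash file the attacker
has unlimited attempts, and unsalted fast hashes let one table of candidate
hashes be checked against every user at once.
"""
import hashlib

# Constructed wordlist; a real cracker loads millions of entries.
WORDLIST = ["password", "123456", "letmein", "Summer2019", "P@ssw0rd", "qwerty"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed unsalted dump: username -> SHA-256(password). bob and dave chose
# the same password, so their stored hashes are identical.
UNSALTED_DUMP = {
    "alice": sha256_hex(b"Summer2019"),
    "bob": sha256_hex(b"P@ssw0rd"),
    "carol": sha256_hex(b"correct-horse-battery"),  # not in the wordlist
    "dave": sha256_hex(b"P@ssw0rd"),
}


def _salted_entry(salt_hex: str, password: bytes) -> tuple:
    return salt_hex, sha256_hex(bytes.fromhex(salt_hex) + password)


# Constructed salted dump: username -> (salt, SHA-256(salt || password)).
SALTED_DUMP = {
    "alice": _salted_entry("0a1b2c3d", b"Summer2019"),
    "bob": _salted_entry("4e5f6071", b"P@ssw0rd"),
    "carol": _salted_entry("8293a4b5", b"correct-horse-battery"),
    "dave": _salted_entry("c6d7e8f9", b"P@ssw0rd"),
}


def crack_unsalted(dump: dict, wordlist: list) -> tuple:
    """Hash each candidate once, then look every user's hash up in that table.
    Returns ({user: password}, number_of_hashes_computed)."""
    table = {sha256_hex(w.encode()): w for w in wordlist}
    found = {user: table[digest] for user, digest in dump.items() if digest in table}
    return found, len(wordlist)


def crack_salted(dump: dict, wordlist: list) -> tuple:
    """With per-user salts the shared table fails: every (user, candidate)
    pair needs its own hash. Returns ({user: password}, hashes_computed)."""
    found, computed = {}, 0
    for user, (salt_hex, digest) in dump.items():
        salt = bytes.fromhex(salt_hex)
        for candidate in wordlist:
            computed += 1
            if sha256_hex(salt + candidate.encode()) == digest:
                found[user] = candidate
                break
    return found, computed


if __name__ == "__main__":
    for label, fn, dump in (("unsalted", crack_unsalted, UNSALTED_DUMP),
                            ("salted", crack_salted, SALTED_DUMP)):
        found, n = fn(dump, WORDLIST)
        print(f"{label}: cracked {sorted(found)} with {n} hash computations")
```

Both dumps give up the same three weak passwords, but the salted dump costs 20 hash computations instead of 6, and the cost grows with the number of users. Against real attackers the salt must be paired with a deliberately slow hash (bcrypt, scrypt, Argon2, PBKDF2), since SHA-256 alone is still fast enough for billions of guesses per second on a GPU.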
A _____ _____ uses various techniques to gather information about hosts within a network.
Network scanner
True or False: Nmap is an unpopular network scanning tool
False. It is popular
True or False: Other popular network scanners are Netcat and Nessus
True. Netcat is a general-purpose connection tool that can also scan ports; Nessus is primarily a vulnerability scanner that includes host discovery.
A _____ ___ sends an ICMP ping to a range of IP addresses in a network
Ping scan
True or False: A problem with ping scans is that firewalls often block ICMP, so it can give inconsistent results.
True
___ ___ ___ sends an ARP request for an IP address, and the host that owns that address responds with its MAC address
ARP ping scan (works only on the scanner's local subnet because ARP does not cross routers, but unlike ICMP it is rarely blocked)
____ ___ _____ sends a single SYN packet to each IP address in the scan range. If a host responds with SYN/ACK, the scanner knows a host is operational at that IP address.
SYN stealth scan
True or False: In a SYN stealth scan, once a host responds, the scanner sends a RST (reset) instead of completing the three-way handshake, so the target application never sees a full connection
True
___ ___ checks for open ports on a system
Port scan
True or False: A port scan typically uses the ports identified as well-known ports by the Internet Assigned Numbers Authority (IANA)
True
____ ___ is like a port scan but verifies the protocol or service.
Service scan
___ ___ _____ techniques analyze packets from an IP address to identify the OS.
Operating System (OS) Detection
OS Detection is often referred to as ____ _______
TCP/IP fingerprinting
True or False: OS Detection techniques don’t rely on a single value but typically evaluate multiple values included in responses from systems
True
____ ____ discovers devices on the network and how they are connected with each other.
Network mapping
True or False: Network mapping is often done with a network scan but only focuses on connectivity
True
A ____ ____ ___ also includes additional scans to identify open ports, running services, and OS details.
Full network scan
_______ _____ can typically use both passive and active scans.
Wireless scanners
When using a _____ ____, a scanner just listens to all the traffic being broadcast on known channels within the 2.4 GHz and 5 GHz frequency ranges
Passive scan
When using an _____ ____ a wireless scanner acts like a scanner/cracker and can gain more information about an AP by sending queries to it.
Active scan
True or False: As long as an administrator knows what APs are authorized, it’s easy to discover rogue APs with a wireless scan.
True
The _____ ____ ___ ______ (RSSI) shows the strength of the signal
Received Signal Strength Indicator
True or False: RSSI is reported in negative dBm, and a value closer to zero (such as -40 dBm) is a stronger signal than a value further from zero (such as -80 dBm)
True
True or False: As you move closer to a rogue AP, the signal becomes stronger and vice versa as you move further away.
True
______ _____ is a technique used to gain information about remote systems and many network scanners use it.
Banner grabbing
True or False: Banner grabbing is often used to identify the operating system along with information about some applications.
True
True or False: If a banner grab is successful, the server returns a banner providing information about itself
True. The banner is plain text, such as the Server: header in an HTTP response or the greeting line of an SMTP or FTP service, and often reveals the product name and version.
_______ ____ identify a wide range of weaknesses and known security issues that attackers can exploit
Vulnerability scanners
A vulnerability scan often includes what actions?
- Identify vulnerabilities
- Identify misconfigurations
- Passively test security controls
- Identify lack of security controls
True or False: Vulnerability scanners utilize a database/dictionary of known vulnerabilities and test systems against this database.
True
The _____ _____ ___ ______ list is a dictionary of publicly known security vulnerabilities and exposures.
Common Vulnerabilities and Exposures
True or False: The CVE list is publicly funded by the U.S. government
True. MITRE maintains the CVE list with sponsorship from the U.S. Department of Homeland Security.
____ ____ ____ ____ utilizes the National Vulnerability Database (NVD), which includes lists of common misconfigurations, security-related software flaws, and impact ratings or risk scores.
Security Content Automation Protocol (SCAP). The NVD is the U.S. government's repository of SCAP content and is built on the CVE list.
True or False: Attackers often look for systems that are misconfigured and vulnerability scanners can detect some common misconfiguration settings
True
_____ ___ can signal a vulnerability, especially if administrators aren’t actively managing the services associated with these ports
Open ports
___ ______ can be discovered with the use of vulnerability scanners and/or password crackers
Weak passwords
True or False: Scanners are able to detect default accounts and passwords for applications such as SQL database systems
True
True or False: Some scanners include data loss prevention (DLP) techniques to detect sensitive data sent over the network.
True
True or False: Vulnerability scans can also check the system against a configuration or security baseline to identify unauthorized changes.
True
Is a vulnerability scan an active or passive scan?
Passive, in the sense used here: it does not attempt to exploit any vulnerabilities. It still sends packets to the targets, so it is a form of active reconnaissance, and some checks can disturb fragile systems.
Is a penetration test an active or passive attempt?
Active attempt that attempts to exploit vulnerabilities
True or False: Vulnerability scanners can also identify missing security controls, such as the lack of up-to-date patches or the lack of antivirus software
True
True or False: Vulnerability scanners can report false positives
True
True or False: False positives can result in higher administrative overhead because administrators have to investigate them
True
True or False: Security administrators often run credentialed scans with the privileges of an administrator account
True
True or False: Attackers typically start with a non-credentialed vulnerability scan but use privilege escalation techniques to gain administrative access.
True
A _______ __________ _______ verifies that systems are configured correctly
Configuration compliance scanner
True or False: Configuration compliance scans typically need to be run as credentialed scans.
True. Credentials let the scanner read the actual configuration of each system during the scan instead of inferring it from the outside.
A penetration test without consent is an _______
Attack
______ _____ actively assesses deployed security controls within a system or network
Penetration testing
True or False: Security testers typically perform a penetration test to demonstrate the actual security vulnerabilities within a system
True
A penetration test starts with a _____ _____
Vulnerability scan
______ ______ collects information about a targeted system, network, or organization using open-source intelligence.
Passive reconnaissance
True or False: if an organization has wireless networks, passive reconnaissance can include collecting information from the network such as network SSIDs
True
True or False: Passive reconnaissance is not illegal
True. It does not engage the target; it only collects information that is already publicly available.
True or False: You can use whois lookup site and domain name system servers to gain information about a domain name holder
True
_____ ______ includes using tools to send data to systems and analyzing the responses
Active reconnaissance
True or False: Active reconnaissance typically starts by using various scanning tools such as network scanners and vulnerability scanners
True
True or False: Active reconnaissance is almost always illegal
True, unless it is explicitly authorized. It engages the target directly, so it is indistinguishable from an attack.
Active reconnaissance should never be started without first getting _____ ______ to do so
Explicit authorization
True or False: After scanning, testers discover vulnerabilities and look for ways to exploit them.
True
______ is the process of using an exploited system as a foothold to gain additional information about, and access to, other systems on the network.
Pivoting
True or False: A common technique used to maintain persistence is to create a backdoor back into the network.
True
List the three types of testing for penetration testing
- Black box testing
- White box testing
- Gray box testing
____ ____ ____ is where testers have zero knowledge of the environment prior to starting
Black box testing
____ ___ _____ is where testers have full knowledge of the environment prior to starting
White box testing
_____ ___ ______ is where testers have some knowledge of the environment prior to starting
Gray box testing
____ ___ attacker is a malicious attacker performing criminal activities
Black hat
_____ ___ attackers are security professionals working with the law
White hat
___ ___ attackers are those who have good intentions, but their activities may cross ethical lines.
Gray hat
_____ can be either intrusive/invasive or non-intrusive/non-invasive
Scans
True or False: Vulnerability scanning is intrusive and more invasive than penetration testing
False. It is the reverse: penetration testing is intrusive and more invasive than vulnerability scanning.
A ____ ___ tests systems in a non-intrusive manner and has little possibility of compromising a system.
Passive tool
An _____ ____ uses intrusive and invasive methods and can potentially affect the operations of a system.
Active tool
An _____ _______ is a tool used to store information about security vulnerabilities and the exploits for them
Exploitation framework (Metasploit is the best-known example)
True or False: Exploitation frameworks are often used by penetration testers (and attackers) to detect and exploit software.
True
A _____ _____ can capture and analyze packets on a network.
Protocol analyzer
The process of using a protocol analyzer is sometimes referred to as _______
Sniffing
True or False: Both administrators and attackers can use a protocol analyzer to view IP headers and examine packets.
True
True or False: When using a protocol analyzer, you need to configure the network interface card (NIC) on the system to use promiscuous mode.
True. Promiscuous mode makes the NIC hand every frame it receives to the analyzer, not only frames addressed to it.
True or False: Normally a NIC uses non-promiscuous mode and processes only frames addressed to its own MAC address (plus broadcast and subscribed multicast frames)
True. On a switched network you also need a mirror (SPAN) port or a tap, because the switch forwards unicast frames only to the port that owns the destination MAC address.
True or False: A protocol analyzer is useful when troubleshooting communications problems between systems.
True
A _____ shows information such as the type of traffic (protocol), flags, source and destination IP address, and source and destination MAC addresses.
Capture
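The capture card above lists the fields a protocol analyzer displays for each packet. The decoder below is an added example and not part of the original flashcards: it parses one Ethernet/IPv4/TCP frame exactly as a capture display would, reporting MAC addresses, IP addresses, protocol, ports and TCP flags, and it checks the IPv4 header checksum. The frame itself is constructed inside `build_syn_frame()` (the addresses and ports are made up) so the script needs no capture file or promiscuous-mode NIC; the TCP checksum is left at zero because computing it needs the pseudo-header and is not what the card is about.

```python
"""Decode one captured Ethernet/IPv4/TCP frame the way a protocol analyzer does.

Added example; not from the original flashcards. The frame is constructed in
build_syn_frame() (addresses and ports are made up), so no capture file or
promiscuous-mode NIC is needed.
"""
import struct
from dataclasses import dataclass, field

ETHERTYPE_IPV4 = 0x0800
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
             (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))


@dataclass
class FrameSummary:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    protocol: str
    ttl: int
    ip_checksum_ok: bool
    src_port: int = 0
    dst_port: int = 0
    flags: list = field(default_factory=list)


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words. Over a header whose
    checksum field is already filled in, a valid header yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> FrameSummary:
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"unsupported ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    ver_ihl, _tos, _total_len, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes; > 20 means IP options
    summary = FrameSummary(
        src_mac=_mac(src_mac), dst_mac=_mac(dst_mac),
        src_ip=".".join(str(b) for b in src), dst_ip=".".join(str(b) for b in dst),
        protocol=IP_PROTOCOLS.get(proto, str(proto)), ttl=ttl,
        ip_checksum_ok=ipv4_checksum(ip[:ihl]) == 0,
    )
    if proto == 6:  # TCP: ports and flags come from the transport header
        sport, dport, _seq, _ack, off_flags, _win, _tcsum, _urg = struct.unpack(
            "!HHIIHHHH", ip[ihl:ihl + 20])
        summary.src_port, summary.dst_port = sport, dport
        summary.flags = [name for bit, name in TCP_FLAGS if off_flags & bit]
    return summary


def build_syn_frame() -> bytes:
    """Constructed TCP SYN from 192.168.1.10:51000 to 10.0.0.5:443.
    The TCP checksum is left at 0; only the IPv4 header checksum is filled in."""
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"),
                      bytes.fromhex("66778899aabb"), ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIHHHH", 51000, 443, 1, 0, (5 << 12) | 0x02, 65535, 0, 0)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000,
                               64, 6, 0, bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5])))
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))  # fill in header checksum
    return eth + bytes(ip) + tcp


if __name__ == "__main__":
    print(parse_frame(build_syn_frame()))
```

The same `parse_frame()` can be fed frames read from a pcap file or a raw socket; the checksum check matters in practice because a corrupted or hand-crafted header is one of the things a capture lets you spot.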
_____ is a command-line packet analyzer (or protocol analyzer) that allows you to capture packets.
Tcpdump
____ is a network scanner that includes many capabilities, including identifying all the active hosts and their IP addresses in a network, the protocols and services running on each of these hosts, and the operating system of the host.
Nmap (Zenmap is its graphical front end)
_____ can easily be used for banner grabbing
Netcat
Other uses of netcat include
- Transferring files
- Port scanning
True or False: For windows event logs, application logs record events by applications or programs running on the system
True
True or False: The OS uses the System log to record events related to the functioning of the OS. This can include when it starts, shuts down, info on services starting and stopping, drivers loading or failing, or any other system component event deemed important by the system developers.
True
Linux log file locations
Authentication log - /var/log/auth.log (Debian/Ubuntu; /var/log/secure on Red Hat-based systems), e.g. cat /var/log/auth.log
General system messages - /var/log/messages (/var/log/syslog on Debian/Ubuntu)
System boot - /var/log/boot.log
Failed logons - /var/log/faillog (a binary file, read with the faillog command)
System kernel - /var/log/kern.log
Apache web server - the /var/log/httpd/ directory (/var/log/apache2/ on Debian/Ubuntu)
Authentication logs and files
- utmp - maintains information on the current status of the system, including who is currently logged in. The who command queries this file to display a list of users currently logged in.
- wtmp - archive of the utmp file
- btmp - records failed login attempts. The lastb command shows the last failed login attempts
Other Linux logs
- Antivirus logs
- Application logs
- Performance logs
A ____ ____ ___ ____ ______ system provides a centralized solution for collecting, analyzing, and managing data from multiple sources.
Security information and event management (SIEM)
A ____ ____ _____ provides real-time monitoring, analysis, and notification of security events, such as suspected security incidents.
Security event management (SEM)
A ___ ____ ____ provides long term storage of data, along with methods of analyzing the data looking for trends, or creating reports needed to verify compliance of laws or regulations
Security information management (SIM)
True or False: SIEMs are very useful in large enterprises that have massive amounts of data and activity to monitor.
True
True or False: The SIEM provides continuous monitoring and provides real-time reporting.
True
True or False: The SIEM collects log data from devices throughout the network and stores these logs in the database.
True
_______ refers to combining several dissimilar items into a single item.
Aggregation
True or False: A SIEM can collect data from multiple sources, such as firewalls, intrusion detection systems, proxy servers, and more.
True
True or False: An SIEM can aggregate device logs in different formats and store it in such a way that it is easy to analyze and search.
True
A ____ _____ is a software component used to collect and analyze event log data from various systems within the network
Correlation engine
True or False: A correlation engine typically aggregates the data looking for common attributes and then uses advanced analytic tools to detect patterns of potential security events and raises alerts.
True
True or False: An SIEM typically comes with predefined alerts, which provide notifications of suspicious events.
True
____ cause an action in response to a predefined number of repeated events.
Triggers
True or False: An SIEM includes the ability to modify predefined triggers and create new ones.
True
True or False: All servers sending data to the SIEM should be synchronized with the same time.
True
True or False: One method to ensure times agree across sources is to convert all log times to Greenwich Mean Time (GMT), the time at the Royal Observatory in Greenwich, London (in practice, UTC)
True. Converting to one zone removes time-zone differences between sources; the clocks themselves should also be synchronized, typically with NTP, or correlation across devices will be off.
______ is the process of removing duplicate entries.
Deduplication
True or False: An SIEM will only store a single copy of any duplicate log entries but also ensure that the entries are associated with the different devices.
True
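The Linux authentication log entries above and the SIEM cards on aggregation, correlation, time normalization, triggers and deduplication describe a pipeline; the script below is an added example that walks it end to end, and it is not code from the original flashcards or from any SIEM product. The log lines are constructed (hosts, users and IP addresses are made up) in the shape of sshd entries from auth.log, prefixed with an ISO 8601 timestamp carrying each server's UTC offset; the regexes, the 5-failures-in-60-seconds trigger and the function names are this example's own choices.

```python
"""Normalize, deduplicate and correlate SSH authentication log lines.

Added example; not from the original flashcards. Log lines are constructed.
Steps: convert every timestamp to UTC (the cards call it GMT), drop duplicate
entries while keeping per-host attribution, aggregate failed logons by source
IP across hosts, and fire a trigger when a threshold of repeated failures is
met inside a time window.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")

# Constructed sample: web01 logs in US Eastern (-05:00), web02 in UTC. Read
# naively, web01's 09:00 and web02's 14:00 look five hours apart; normalized,
# all six failures from 203.0.113.7 fall inside one minute. Line 7 duplicates
# line 6 (the same entry forwarded twice); neither host alone reaches 5.
SAMPLE_LOGS = [
    "2024-03-05T09:00:03-05:00 web01 sshd[1201]: Failed password for admin from 203.0.113.7 port 51022 ssh2",
    "2024-03-05T09:00:09-05:00 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    "2024-03-05T09:00:17-05:00 web01 sshd[1203]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2",
    "2024-03-05T09:00:25-05:00 web01 sshd[1204]: Failed password for admin from 203.0.113.7 port 51041 ssh2",
    "2024-03-05T09:00:31-05:00 web01 sshd[1205]: Accepted password for bob from 198.51.100.4 port 40210 ssh2",
    "2024-03-05T14:00:40+00:00 web02 sshd[877]: Failed password for admin from 203.0.113.7 port 51050 ssh2",
    "2024-03-05T14:00:40+00:00 web02 sshd[877]: Failed password for admin from 203.0.113.7 port 51050 ssh2",
    "2024-03-05T14:00:52+00:00 web02 sshd[879]: Failed password for root from 203.0.113.7 port 51061 ssh2",
    "2024-03-05T14:10:00+00:00 web02 sshd[901]: Failed password for dave from 192.0.2.33 port 6020 ssh2",
]


def parse_event(line: str):
    """Split a line into fields and convert its timestamp to UTC."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable line; a real SIEM would count and retain it
    ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
    return {"ts": ts, "host": m["host"], "proc": m["proc"],
            "pid": int(m["pid"]), "msg": m["msg"]}


def deduplicate(events):
    """Keep one copy of identical entries. The host is part of the key, so
    the same message from two devices is two events, not a duplicate."""
    seen, unique, dropped = set(), [], 0
    for ev in events:
        key = (ev["ts"], ev["host"], ev["proc"], ev["pid"], ev["msg"])
        if key in seen:
            dropped += 1
            continue
        seen.add(key)
        unique.append(ev)
    return unique, dropped


def correlate_failed_logons(events, threshold=5, window_s=60):
    """Aggregate failed logons by source IP across all hosts and raise one
    alert per IP whose failures reach `threshold` within `window_s` seconds."""
    by_ip = defaultdict(list)
    for ev in events:
        m = FAILED_RE.search(ev["msg"])
        if m:
            by_ip[m["ip"]].append(ev)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:]
                     if (e["ts"] - first["ts"]).total_seconds() <= window_s]
            if len(burst) >= threshold:
                alerts.append({"ip": ip, "count": len(burst),
                               "hosts": sorted({e["host"] for e in burst}),
                               "first": first["ts"], "last": burst[-1]["ts"]})
                break
    return alerts


def run(lines):
    """Parse, deduplicate and correlate; returns (duplicates_dropped, alerts)."""
    events = [ev for ev in map(parse_event, lines) if ev is not None]
    unique, dropped = deduplicate(events)
    return dropped, correlate_failed_logons(unique)


if __name__ == "__main__":
    dropped, alerts = run(SAMPLE_LOGS)
    print(f"duplicates dropped: {dropped}")
    for a in alerts:
        print(f"ALERT {a['ip']}: {a['count']} failed logons on {a['hosts']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S} UTC")
```

Run on the sample, one duplicate is dropped and a single alert fires for 203.0.113.7 with six failures spread over web01 and web02. Feeding only web01's lines produces no alert, which is the point of the aggregation cards: the pattern is only visible once the logs from both hosts sit in one normalized store.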
True or False: An SIEM typically includes methods to prevent anyone from modifying log entries.
True
What does WORM stand for?
Write once read many: storage that lets log entries be written and read but not modified or deleted afterward
True or False: Security professionals must continuously monitor their environment for emerging threats and new vulnerabilities.
True
_____ ____ ____ includes monitoring all relevant security controls, with the goal of ensuring that they help an organization maintain a strong security posture.
Continuous security monitoring
____ ____ refers to logging information on what users do.
Usage auditing
True or False: Configuring logging of logon attempts is an important security step for system monitoring.
True
True or False: When users access a resource over a network such as a file server, it is also recorded as a logon action.
True
A _____ ____ ____ looks at the logs to see what users are doing
Usage auditing review
True or False: Logs create an audit trail of what happened.
True
True or False: Usage auditing reviews are often done to re-create the audit trail, or reconstruct what happened in the past.
True
A ______ _____ _____ looks at the rights and permissions assigned to users and helps ensure the principle of least privilege is enforced.
Permission auditing review
True or False: Permission auditing reviews identify the privileges (rights and permissions) granted to users, and compares them against what the users need.
True
______ ____ occurs when a user is granted more and more privileges due to changing job requirements, but unneeded privileges are never removed.
Privilege creep (permission bloat)
True or False: Organizations commonly use a role based access control model with group based privileges.
True
True or False: An organization should also have account management controls in place to ensure that administrators remove user accounts when there is a change in employment.
True
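The permission auditing review, privilege creep and account management cards above describe comparing what accounts have against what their roles need. The script below is an added example, not part of the original flashcards: the roles, users, permission names and HR roster in it are constructed, and `audit()` is this example's own function, not a product feature. It flags privilege creep (granted privileges no current role requires), privileges a role needs but the account lacks, and accounts whose owner is no longer on the active-employee roster.

```python
"""Permission auditing review against a role-based access control model.

Added example; not from the original flashcards. Roles, users, permission
names and the HR roster are constructed.
"""
# Role definitions: what each role actually needs (least privilege baseline).
ROLE_PERMISSIONS = {
    "helpdesk": {"read_tickets", "reset_user_password", "unlock_account"},
    "dba": {"read_tickets", "db_read", "db_write", "db_backup"},
}

# Current role assignments from the identity system.
USER_ROLES = {
    "alice": {"helpdesk"},
    "bob": {"dba"},
    "carol": {"helpdesk"},   # carol moved from dba to helpdesk last quarter
    "dave": {"helpdesk"},
}

# Privileges actually granted to each account (what a permission export shows).
GRANTED = {
    "alice": {"read_tickets", "reset_user_password", "unlock_account"},
    "bob": {"read_tickets", "db_read", "db_write", "db_backup", "domain_admin"},
    "carol": {"read_tickets", "reset_user_password", "unlock_account", "db_write"},
    "dave": {"read_tickets", "reset_user_password"},
}

# Active employees per the HR roster; dave has left the organization.
ACTIVE_EMPLOYEES = {"alice", "bob", "carol"}


def required_permissions(user, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS):
    """Union of the permissions of every role the user currently holds."""
    return set().union(*(role_perms.get(role, set()) for role in user_roles.get(user, set())))


def audit(granted=GRANTED, user_roles=USER_ROLES, role_perms=ROLE_PERMISSIONS,
          active=ACTIVE_EMPLOYEES):
    """One finding per account: excess privileges (creep), missing privileges,
    and whether the account belongs to someone no longer employed."""
    findings = {}
    for user, perms in granted.items():
        needed = required_permissions(user, user_roles, role_perms)
        findings[user] = {
            "excess": sorted(perms - needed),
            "missing": sorted(needed - perms),
            "remove_account": user not in active,
        }
    return findings


if __name__ == "__main__":
    for user, f in audit().items():
        flags = []
        if f["excess"]:
            flags.append(f"privilege creep: remove {f['excess']}")
        if f["missing"]:
            flags.append(f"missing for role: {f['missing']}")
        if f["remove_account"]:
            flags.append("not an active employee: disable/remove account")
        print(f"{user:<6} {'; '.join(flags) or 'OK'}")
```

bob's `domain_admin` and carol's leftover `db_write` are the classic creep cases; dave's account shows why the review has to be joined with the HR roster, since an account that looks correctly provisioned is still a problem if nobody should be using it.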