Chapter 8 Using Risk Management Tools

Question 1

___ is the likelihood that a threat will exploit a vulnerability

Answer 1

Risk

Question 2

A _____ is a weakness

Answer 2

Vulnerability

Question 3

A ____ is a potential danger

Answer 3

Threat

Question 4

____ refers to the magnitude of harm that can be caused if a threat exercises a vulnerability

Answer 4

Impact

Question 5

A system without up-to-date antivirus software is vulnerable to ______

Answer 5

Malware

Question 6

Malware written by malicious attackers is the ______

Answer 6

Threat

Question 7

The likelihood that the malware will reach a vulnerable system represents the ____

Answer 7

Risk

Question 8

Within the context of risk management, a ____ is any circumstance or event that can compromise the confidentiality, integrity, or availability of data or a system

Answer 8

Threat

Question 9

List different forms of threats

Answer 9

Malicious human threats - script kiddies, apts, network, system, malware attacks
Accidental human threats - accidentally delete or corrupt data, or accidentally access data they shouldn’t. Unintentionally cause outages.
Environmental threats - Power failure, mother nature

Question 10

A _____ ____ helps an organization identify and categorize threats.

Answer 10

Threat assessment

Question 11

Organizations have limited ____ so it’s not possible to protect against all threats.

Answer 11

Resources

Question 12

List some common types of threat assessments

Answer 12

Environmental - evaluates the likelihood of an environmental threat occurring.

Manmade - evaluates all threats from humans

Internal - evaluates threats from within an organization. Threats from malicious employees and accidents

External - evaluates threats from outside an organization. External attackers and natural threats

Question 13

A ___ is a flaw or a weakness in software or hardware, or a weakness in a process that a threat could exploit, resulting in a security breach.

Answer 13

Vulnerability

Question 14

List some examples of vulnerabilities

Answer 14

Lack of updates - not up to date on patches, hotfixes, and service packs
Default configurations - hardening includes changing systems from their default hw and sw configurations, including changing default usernames and passwords
Lack of malware protection or updated definitions
Lack of firewalls
Lack of organizational policies

Question 15

___ _____ is the practice of identifying, monitoring, and limiting risks to a manageable level.

Answer 15

Risk management

Question 16

True or False Risk management eliminates risks

Answer 16

False. It identifies methods to limit or mitigate them.

Question 17

The amount of risk that remains after managing risk is ____ ___

Answer 17

Residual risk

Question 18

True or False: The primary goal of risk management is not to reduce risk to a level that the organization will accept.

Answer 18

False it IS to reduce risk to a level that the organization will accept

Question 19

_______ must choose a level of acceptable risk based on their organizational goals.

Answer 19

Management

Question 20

List some risk response techniques

Answer 20

Avoid - by not providing a service or not participating in a risky activity.
Transfer - to another entity i.e. purchasing insurance or outsourcing
Mitigate - implement controls to reduce risk i.e. up to date antivirus software
Accept - when the cost of a control outweighs a risk, an organization will often accept the risk

Question 21

A ____ ____/____ is an important task in risk management

Answer 21

Risk assessment/analysis

Question 22

True or False: Risk assessment quantifies/qualifies risks based on different values or judgments

Answer 22

True

Question 23

What does a risk assessment first identify?

Answer 23

Assets and asset values

Question 24

An ____ includes any product, system, resource, or process that an organization values.

Answer 24

Asset

Question 25

The ____ ___ identifies the worth of the asset to the organization.

Answer 25

Asset value

Question 26

True or False: The asset value helps an organization focus on the high-value assets and avoid wasting time on low-value assets.

Answer 26

True

Question 27

True or False: A risk assessment attempts to identify the impact of potential threats and identify the potential harm, and prioritizes risks based on the likelihood of occurrence and impact.

Answer 27

True

Question 28

True or False: A risk assessment includes recommendations on what controls to implement to mitigate risks.

Answer 28

True

Question 29

True or False: A risk assessment is a point-in-time assessment or a snapshot.

Answer 29

True

Question 30

True or False: Risk assessments use quantitative measurements or qualitative measurements

Answer 30

True

Question 31

______ ____ use numbers, such as monetary figure representing cost and asset values.

Answer 31

Quantitative measurements

Question 32

______ _____ use judgements

Answer 32

Qualitative measurements

Question 33

True or False: The asset value is an important element in a qualitative risk assessment

Answer 33

False it is an important element for quantitative risk assessment

Question 34

The cost of any single loss is _____

Answer 34

Single Loss Expectancy (SLE)

Question 35

How many times the loss will occur in a year is the _____

Answer 35

Annual Rate of Occurrence (ARO)

Question 36

The product of the Single loss expectancy and the annual rate of occurrence is _____

Answer 36

Annual loss expectancy (ALE) = SLE X ARO

Question 37

List two simple guidelines managers use for most risk assessment decisions

Answer 37

1. If the cost of the control is less than the savings, purchase it.
2. If the cost of the control is greater than the savings, accept the risk.

Question 38

A _____ ____ ____ uses judgement to categorize risks based on probability and impact

Answer 38

Qualitative Risk Assessment

Question 39

The probability that an event will occur is _______

Answer 39

Likelihood of occurrence

Question 40

Quality is often a matter of _______

Answer 40

Judgement

Question 41

One of the challenges with a qualitative risk assessment is gaining ______ on the probability and impact.

Answer 41

Consensus

Question 42

True or False: A final risk assessment report is highly protected

Answer 42

True. The information that is contained such as management decisions on what controls and measures are to be implemented are valuable esp to an attacker. Normally, only executive management and security professionals will have access to these reports.

Question 43

True or False: There are different definitions for a risk register depending on which standard you are following.

Answer 43

True.

ISO 73:2009 defines as a record of information about identified risks

Projects IN Controlled Environments defines as a repository for all risks identified and includes additional information about each risk

Question 44

List some fields that are defined in a risk register

Answer 44

Category
Specific Risk
Likelihood of occurrence
Impact
Risk score
Security controls or mitigation steps
Contingencies
Risk score with security controls
Action assigned to
Action deadline

Question 45

A _____ ____ _____ evaluates the raw materials supply sources and all the processes required to create, sell, and distribute a product

Answer 45

Supply chain assessment

Question 46

List two common tools used by security administrators to test networks

Answer 46

1. Vulnerability scanners

2. Penetration tests

Question 47

True or False: By reducing vulnerabilities you can reduce risks

Answer 47

True

Question 48

What is the overall goal of a vulnerability assessment?

Answer 48

To assess the security posture of systems and networks.

Question 49

List some sources that vulnerability assessments include information from

Answer 49

1. Security policies
2. Logs
3. Interviewing personnel
4. Testing systems

Question 50

List the high-level steps for a vulnerability assessment

Answer 50

1. Identify assets and capabilities
2. Prioritize assets based on value
3. Identify vulnerabilities and prioritize them
4. Recommend controls to mitigate serious vulnerabilities

Question 51

True or False: Many organizations do not perform vulnerability assessments internally

Answer 51

False

Question 52

True or False: Organizations hire external security professionals to complete external assessments

Answer 52

True

Question 53

A ____ ____ attempts to discover a password

Answer 53

Password cracker

Question 54

True or False: Password crackers are one of the tools security administrators use during a vulnerability assessment

Answer 54

True

Question 55

An _____ password cracker attempts to discover passwords by analyzing a database or file containing passwords.

Answer 55

Offline

Question 56

True or False: A key benefit of an offline password cracking attack is that attackers have unlimited time to analyze the passwords

Answer 56

True

Question 57

An _____ password cracker attempts to discover passwords by guessing them in a brute force attack.

Answer 57

Online

Question 58

A _____ _____ uses various techniques to gather information about hosts within a network.

Answer 58

Network scanner

Question 59

True or False: Nmap is an unpopular network scanning tool

Answer 59

False. It is popular

Question 60

True or False: Other popular network scanners are netcat and nessus

Answer 60

True

Question 61

A _____ ___ sends an ICMP ping to a range of IP addresses in a network

Answer 61

Ping scan

Question 62

True or False: A problem with ping scans is that firewalls often block ICMP, so it can give inconsistent results.

Answer 62

True

Question 63

___ ___ ___ sends an ARP packet with an IP address to a host and the corresponding host responds with its MAC address

Answer 63

ARP ping scan

Question 64

____ ___ _____ sends a single SYN packet to each IP address in the scan range. If a host responds, the scanner knows that a host is operational with that IP address.

Answer 64

Syn stealth scan

Question 65

True or False: In a syn stealth scan once a host IP address is confirmed a RST (reset) response is sent to close the connection

Answer 65

True

Question 66

___ ___ checks for open ports on a system

Answer 66

Port scan

Question 67

True or False: A port scan typically uses the ports identified as well-known ports by the Internet Assigned Numbers Association (IANA)

Answer 67

True

Question 68

____ ___ is like a port scan but verifies the protocol or service.

Answer 68

Service scan

Question 69

___ ___ _____ techniques analyze packets from an IP address to identify the OS.

Answer 69

Operating System (OS) Detection

Question 70

OS Detection is often referred to as ____ _______

Answer 70

TCP/IP fingerprinting

Question 71

True or False: OS Detection techniques don’t rely on a single value but typically evaluate multiple values included in responses from systems

Answer 71

True

Question 72

____ ____ discovers devices on the network and how they are connected with each other.

Answer 72

Network mapping

Question 73

True or False: Network mapping is often done with a network scan but only focuses on connectivity

Answer 73

True

Question 74

A ____ ____ ___ also includes additional scans to identify open ports, running services, and OS details.

Answer 74

Full network scan

Question 75

_______ _____ can typically use both passive and active scans.

Answer 75

Wireless scanners

Question 76

When using a _____ ____, a scanner just listens to all the traffic being broadcast on known channels within the 2.4 GHz and 5 GHz frequency ranges

Answer 76

Passive scan

Question 77

When using an _____ ____ a wireless scanner acts like a scanner/cracker and can gain more information about an AP by sending queries to it.

Answer 77

Active scan

Question 78

True or False: As long as an administrator knows what APs are authorized, it’s easy to discover rogue APs with a wireless scan.

Answer 78

True

Question 79

The _____ ____ ___ ______ (RSSI) shows the strength of the signal

Answer 79

Received Signal Strength Indicator

Question 80

True or False: A lower negative number is stronger than a higher negative number for signal strength

Answer 80

True

Question 81

True or False: As you move closer to a rogue AP, the signal becomes stronger and vice versa as you move further away.

Answer 81

True

Question 82

______ _____ is a technique used to gain information about remote systems and many network scanners use it.

Answer 82

Banner grabbing

Question 83

True or False: Banner grabbing is often used to identify the operating system along with information about some applications.

Answer 83

True

Question 84

True or False: If a banner grab is successful the server returns an HTML banner providing information on the server.

Answer 84

True

Question 85

_______ ____ identify a wide range of weaknesses and known security issues that attackers can exploit

Answer 85

Vulnerability scanners

Question 86

A vulnerability scan often includes what actions?

Answer 86

1. Identify vulnerabilities
2. Identify misconfigurations
3. Passively test security controls
4. Identify lack of security controls

Question 87

True or False: Vulnerability scanners utilize a database/dictionary of known vulnerabilities and test systems against this database.

Answer 87

True

Question 88

The _____ _____ ___ ______ list is a dictionary of publicly known security vulnerabilities and exposures.

Answer 88

Common Vulnerabilities and Exposures

Question 89

True or False: The CVE list is publicly funded by the U.S. government

Answer 89

True

Question 90

____ ____ ____ ____ utilizes the National Vulnerability Database (NVD) which includes lists of common misconfigurations, security-related software flaws, and impact ratings or risk scores.

Answer 90

Security Content Automation Protocol (SCAP)

Question 91

True or False: Attackers often look for systems that are misconfigured and vulnerability scanners can detect some common misconfiguration settings

Answer 91

True

Question 92

_____ ___ can signal a vulnerability, especially if administrators aren’t actively managing the services associated with these ports

Answer 92

Open ports

Question 93

___ ______ can be discovered with the use of vulnerability scanners and/or password crackers

Answer 93

Weak passwords

Question 94

True or False: Scanners are able to detect default accounts and passwords for applications such as SQL database systems

Answer 94

True

Question 95

True or False: Some scanners include data loss prevention (DLP) techniques to detect sensitive data sent over the network.

Answer 95

True

Question 96

True or False: Vulnerability scans can also check the system against a configuration or security baseline to identify unauthorized changes.

Answer 96

True

Question 97

Is a vulnerability scan an active or passive scan?

Answer 97

Passive scan since it does not attempt to exploit any vulnerabilities

Question 98

Is a penetration test an active or passive attempt?

Answer 98

Active attempt that attempts to exploit vulnerabilities

Question 99

True or False: Vulnerability scanners can also identify missing security controls, such as the lack of up-to-date patches or the lack of antivirus software

Answer 99

True

Question 100

True or False: Vulnerability scanners can report false positives

Answer 100

True

Question 101

True or False: False positives can result in higher administrative overhead because administrators have to investigate them

Answer 101

True

Question 102

True or False: Security administrators often run credentialed scans with the privileges of an administrator account

Answer 102

True

Question 103

True or False: Attackers typically start with a non-credentialed vulnerability scan but use privilege escalation techniques to gain administrative access.

Answer 103

True

Question 104

A _______ __________ _______ verifies that systems are configured correctly

Answer 104

Configuration compliance scanner

Question 105

True or False: Configuration compliance scans typically need to be run as credentialed scans.

Answer 105

True

This helps ensure they can accurately read the configuration of systems during the scan.

Question 106

A penetration test without consent is an _______

Answer 106

Attack

Question 107

______ _____ actively assesses deployed security controls within a system or network

Answer 107

Penetration testing

Question 108

True or False: Security testers typically perform a penetration test to demonstrate the actual security vulnerabilities within a system

Answer 108

True

Question 109

A penetration test starts with a _____ _____

Answer 109

Vulnerability scan

Question 110

______ ______ collects information about a targeted system, network, or organization using open-source intelligence.

Answer 110

Passive reconnaissance

Question 111

True or False: if an organization has wireless networks, passive reconnaissance can include collecting information from the network such as network SSIDs

Answer 111

True

Question 112

True or False: Passive reconnaissance is not illegal

Answer 112

True

Because it does not engage a target

Question 113

True or False: You can use whois lookup site and domain name system servers to gain information about a domain name holder

Answer 113

True

Question 114

_____ ______ includes using tools to send data to systems and analyzing the responses

Answer 114

Active reconnaissance

Question 115

True or False: Active reconnaissance typically starts by using various scanning tools such as network scanners and vulnerability scanners

Answer 115

True

Question 116

True or False: Active reconnaissance is almost always illegal

Answer 116

True

Because it engages a target

Question 117

Active reconnaissance should never be started without first getting _____ ______ to do so

Answer 117

Explicit authorization

Question 118

True or False: After scanning, tester discover vulnerabilities and look for ways to exploit them.

Answer 118

True

Question 119

______ is the process of using various tools to gain additional information.

Answer 119

Pivoting

Question 120

True or False: A common technique used to maintain persistence is to create a backdoor back into the network.

Answer 120

True

Question 121

List the three types of testing for penetration testing

Answer 121

1. Black box testing
2. White box testing
3. Gray box testing

Question 122

____ ____ ____ is where testers have zero knowledge of the environment prior to starting

Answer 122

Black box testing

Question 123

____ ___ _____ is where testers have full knowledge of the environment prior to starting

Answer 123

White box testing

Question 124

_____ ___ ______ is where testers have some knowledge of the environment prior to starting

Answer 124

Gray box testing

Question 125

____ ___ attacker is a malicious attacker performing criminal activities

Answer 125

Black hat

Question 126

_____ ___ attackers are security professionals working with the law

Answer 126

White hat

Question 127

___ ___ attackers are those who have good intentions, but their activities may cross ethical lines.

Answer 127

Gray hat

Question 128

_____ can be either intrusive/invasive or non-intrusive./non-invasive

Answer 128

Scans

Question 129

True or False: Vulnerability scanning is intrusive and more invasive than penetration testing

Answer 129

False

It is the reverse

Question 130

A ____ ___ tests systems in a non-intrusive manner and has little possibility of compromising a system.

Answer 130

Passive tool

Question 131

An _____ ____ uses intrusive and invasive methods and can potentially affect the operations of a system.

Answer 131

Active tool

Question 132

An _____ _______ is a tool used to store information about security vulnerabilties

Answer 132

Exploitation framework

Question 133

True or False: Exploitation frameworks are often used by penetration testers (and attackers) to detect and exploit software.

Answer 133

True

Question 134

A _____ _____ can capture and analyze packets on a network.

Answer 134

Protocol analyzer

Question 135

The process of using a protocol analyzer is sometimes referred to as _______

Answer 135

Sniffing

Question 136

True or False: Both administrators and attackers can use a protocol analyzer to view IP headers and examine packets.

Answer 136

True

Question 137

True or False: When using a protocol analyzer, you need to configure the network interface card (NIC) on the system to use promiscuous mode.

Answer 137

True

Question 138

True or False: normally a NIC uses non-promiscuous mode and only processes packets addressed directly to its IP address

Answer 138

True

Question 139

True or False: A protocol analyzer is useful when troubleshooting communications problems between systems.

Answer 139

True

Question 140

A _____ shows information such as the type of traffic (protocol), flags, source and destination IP address, and source and destination MAC addresses.

Answer 140

Capture

Question 141

_____ is a command-line packet analyzer (or protocol analyzer) that allows you to capture packets.

Answer 141

Tcpdump

Question 142

____ is a network scanner that includes many capabilities, including identifying all the active hosts and their IP addresses in a network, the protocols and services running on each of these hosts, and the operating system of the host.

Answer 142

Nmap (Zenmap is the graphical side)

Question 143

_____ can easily be used for banner grabbing

Answer 143

Netcat

Question 144

Other uses of netcat include

Answer 144

1. Transferring files

2. Port scanner

Question 145

True or False: For windows event logs, application logs record events by applications or programs running on the system

Answer 145

True

Question 146

True or False: The OS uses the System log to record events related to the functioning of the OS. This can include when it starts, shuts down, info on services starting and stopping, drivers loading or failing, or any other system component event deemed important by the system developers.

Answer 146

True

Question 147

Linux logs commands

Answer 147

Authentication log - cat /var/log/auth.log
General system messages /var/log/messages
System boot - /var/log/boot.log
Failed logon - /var/log/fail.log
System kernel - /var/log/kern.log
Apache web server - /var/log/httpd

Question 148

Authentication logs and files

Answer 148

1. utmp - maintains information on the current status of the system, including who is currently logged in. The who command queries this file to display a list of users currently logged in.
2. wtmp - archive of the utmp file
3. btmp - records failed login attempts. The lastb command shows the last failed login attempts

Question 149

Other Linux logs

Answer 149

1. Antivirus logs
2. Application logs
3. Performance logs

Question 150

A ____ ____ ___ ____ ______ system provides a centralized solution for collecting, analyzing, and managing data from multiple sources.

Answer 150

Security information and event management (SIEM)

Question 151

A ____ ____ _____ provides real-time monitoring, analysis, and notification of security events, such as suspected security incidents.

Answer 151

Security event management (SEM)

Question 152

A ___ ____ ____ provides long term storage of data, along with methods of analyzing the data looking for trends, or creating reports needed to verify compliance of laws or regulations

Answer 152

Security information management (SIM)

Question 153

True or False: SIEMs are very useful in large enterprises that have massive amounts of data and activity to monitor.

Answer 153

True

Question 154

True or False: The SIEM provides continuous monitoring and provides real-time reporting.

Answer 154

True

Question 155

True or False: The SIEM collects log data from devices throughout the network and stores these logs in the database.

Answer 155

True

Question 156

_______ refers to combining several dissimilar items into a single item.

Answer 156

Aggregation

Question 157

True or False: A SIEM can collect data from multiple sources, such as firewalls, intrusion detection systems, proxy servers, and more.

Answer 157

True

Question 158

True or False: An SIEM can aggregate device logs in different formats and store it in such a way that it is easy to analyze and search.

Answer 158

True

Question 159

A ____ _____ is a software component used to collect and analyze event log data from various systems within the network

Answer 159

Correlation engine

Question 160

True or False: A correlation engine typically aggregates the data looking for common attributes and then uses advanced analytic tools to detect patterns of potential security events and raises alerts.

Answer 160

True

Question 161

True or False: An SIEM typically comes with predefined alerts, which provide notifications of suspicious events.

Answer 161

True

Question 162

____ cause an action in response to a predefined number of repeated events.

Answer 162

Triggers

Question 163

True or False: An SIEM includes the ability to modify predefined triggers and create new ones.

Answer 163

True

Question 164

True or False: All servers sending data to the SIEM should be synchronized with the same time.

Answer 164

True

Question 165

True or False: One method to ensure time is synchronized is to convert all log times to Greenwich Mean Team (GMT), which is the time at the Royal Observatory in Greenwich, London

Answer 165

True

Question 166

______ is the process of removing duplicate entries.

Answer 166

Deduplication

Question 167

True or False: An SIEM will only store a single copy of any duplicate log entries but also ensure that the entries are associated with the different devices.

Answer 167

True

Question 168

True or False: An SIEM typically includes methods to prevent anyone from modifying log entries.

Answer 168

True

Question 169

What does WORM stand for?

Answer 169

Write once read many

Question 170

True or False: Security professionals must continuously monitor their environment for emerging threats and new vulnerabilities.

Answer 170

True

Question 171

_____ ____ ____ includes monitoring all relevant security controls, with the goal of ensuring that they help an organization maintain a strong security posture.

Answer 171

Continuous security monitoring

Question 172

____ ____ refers to logging information on what users do.

Answer 172

Usage auditing

Question 173

True or False: Configuring logging of logon attempts is an important security step for system monitoring.

Answer 173

True

Question 174

True or False: When users access a resource over a network such as a file server, it is also recorded as a logon action.

Answer 174

True

Question 175

A _____ ____ ____ looks at the logs to see what users are doing

Answer 175

Usage auditing review

Question 176

True or False: Logs create an audit trail of what happened.

Answer 176

True

Question 177

True or False: Usage auditing reviews are often done to re-create the audit trail, or reconstruct what happened in the past.

Answer 177

True

Question 178

A ______ _____ _____ looks at the rights and permissions assigned to users and helps ensure the principle of least privilege is enforced.

Answer 178

Permission auditing review

Question 179

True or False: Permission auditing reviews identify the privileges (rights and permissions) granted to users, and compares them against what the users need.

Answer 179

True

Question 180

______ ____ occurs when a user is granted more and more privileges due to changing job requirements, but unneeded privileges are never removed.

Answer 180

Privilege creep (permission bloat)

Question 181

True or False: Organizations commonly use a role based access control model with group based privileges.

Answer 181

True

Question 182

True or False: An organization should also have account management controls in place to ensure that administrators remove user accounts when there is a change in employement.

Answer 182

True