GCGA Ch. 8 Using Risk Management Tools Flashcards

1
Q

Risk

A

the likelihood that a threat will exploit a vulnerability. A threat is a potential danger that can compromise confidentiality, integrity, or availability. A vulnerability is a weakness in software or hardware or a weakness in a process that a threat could exploit, resulting in a security breach.

2
Q

Risk evaluation

A

Risks are evaluated using the criteria of impact and probability/likelihood. Impact refers to the magnitude of harm that can be caused if a threat exploits a vulnerability. Probability/likelihood tells us how often we expect the risk to occur.

3
Q

Risk management

A

attempts to reduce risk to a level that an organization can accept; the remaining risk is known as residual risk. Senior management is responsible for managing risk and for the losses associated with residual risk.

4
Q

Avoiding risk

A

You can avoid a risk by not providing a service or participating in a risky activity. Purchasing insurance, such as fire insurance, transfers the risk to another entity.

5
Q

Cybersecurity controls

A

mitigate or reduce risks. When the cost of a control outweighs a risk, it is common to accept the risk.

6
Q

Risk appetite

A

refers to the amount of risk an organization is willing to accept. This varies between organizations based on their goals and strategic objectives. An organization’s risk appetite may be expansionary, conservative, or neutral. Risk tolerance refers to the organization’s ability to withstand risk.

7
Q

Risk assessment

A

quantifies or qualifies risks based on different values or judgments. It starts by identifying asset values and prioritizing high-value items.

8
Q

Quantitative risk assessments

A

use numbers, such as costs and asset values. You begin a quantitative analysis by identifying the asset value (AV) of each asset. Next, you determine the percentage of an asset that would be damaged by the risk each time it occurs, which is known as the exposure factor (EF).

9
Q

SLE

A

The single loss expectancy (SLE) is the cost of any single loss and it is calculated by multiplying the AV by the EF. The annual rate of occurrence (ARO) indicates how many times the loss will occur annually. You can calculate the annual loss expectancy (ALE) as SLE × ARO.

10
Q

Qualitative risk assessments

A

use judgments to prioritize risks based on likelihood of occurrence and impact. These judgments provide a subjective ranking.

11
Q

Risk assessment access

A

risk assessment results are sensitive. Only executives and security professionals should be granted access to risk assessment reports.

12
Q

Risk register

A

a detailed document listing information about risks. It typically includes risk scores along with recommended security controls to reduce the risk scores. A risk matrix plots risks on a graph.

13
Q

Supply chain assessment

A

evaluates a supply chain needed to produce and sell a product. It includes raw materials and all the processes required to create and distribute a finished product. Supply chain risk analyses should look at hardware providers, software providers, and service providers.

14
Q

Port scanner

A

scans systems for open ports and attempts to discover what services and protocols are running on a system.

15
Q

Vulnerability scanners

A

test security controls to identify vulnerabilities, a lack of security controls, and common misconfigurations. They are effective at discovering systems susceptible to an attack without exploiting the systems.

16
Q

CVE

A

The Common Vulnerabilities and Exposures (CVE) is a dictionary of publicly known security vulnerabilities and exposures. The Common Vulnerability Scoring System (CVSS) assesses vulnerabilities and assigns severity scores in a range of 0 to 10, with 10 being the most severe.

17
Q

Vulnerability scan false positive

A

a false positive from a vulnerability scan indicates the scan detected a vulnerability, but the vulnerability doesn’t exist. A false negative indicates a vulnerability exists, but the scanner did not detect it.

18
Q

How should vulnerabilities be prioritized?

A

Vulnerabilities should be prioritized using a number of criteria, including vulnerability classification, environmental variables, industry/organizational impact, and risk tolerance/threshold.

19
Q

Credentialed scans

A

run under an account’s context and can get more detailed information on targets, such as the software versions of installed applications. They are also more accurate than non-credentialed scans, giving fewer false positives.

20
Q

Penetration test

A

an active test that attempts to exploit discovered vulnerabilities. It starts with a vulnerability scan and then bypasses or actively tests security controls to exploit vulnerabilities. Penetration tests may be focused on physical, offensive, or defensive objectives or they may use integrated approaches that combine these techniques. Penetration testers should gain consent prior to starting a penetration test. A rules of engagement document identifies the boundaries of the test.

21
Q

Passive reconnaissance

A

gathers information from open-source intelligence. Active network reconnaissance and discovery uses scanning techniques to gather information. After initial exploitation, a penetration tester uses privilege escalation techniques to gain more access. Pivoting during a penetration test is the process of using an exploited system to access other systems.

22
Q

Unknown, known, and partially known environment testing

A

Unknown environment testing indicates that the testers perform a penetration test with zero prior knowledge of the environment. Known environment testing indicates that the testers have full knowledge of the environment, including documentation and source code for tested applications. Partially known environment testing indicates that the testers have some knowledge of the environment.

23
Q

Penetration testing vs vulnerability testing

A

Scans can be either intrusive or non-intrusive. Penetration testing is intrusive (also called invasive) and can potentially disrupt operations. Vulnerability testing is non-intrusive (also called non-invasive).

24
Q

Responsible disclosure programs for vulnerabilities

A

enable individuals and organizations to report security vulnerabilities or weaknesses they have discovered to the appropriate parties. Bug bounty programs are a type of responsible disclosure program that incentivizes individuals or organizations to report vulnerabilities by offering monetary or other rewards for valid submissions. The most common way to remediate a vulnerability is to apply a patch. In cases where patches are not possible, you may use a compensating control, segmentation, or grant an exception. After correcting a vulnerability, you should rescan the affected system to validate that the remediation was effective and that the vulnerability no longer exists.

25
Q

Protocol analyzers (sniffers)

A

can capture and analyze data sent over a network. Testers (and attackers) use protocol analyzers to capture cleartext data sent across a network. Administrators use protocol analyzers for troubleshooting communication issues by inspecting protocol headers to detect manipulated or fragmented packets.

26
Q

Captured packets

A

show the type of traffic (protocol), source and destination IP addresses, source and destination MAC addresses, and flags.

27
Q

Tcpreplay

A

a suite of utilities used to edit packet captures and then send the edited packets over the network.

28
Q

Tcpdump

A

a command-line protocol analyzer. Captured packet files can be analyzed in a graphical protocol analyzer such as Wireshark.

29
Q

NetFlow

A

captures IP traffic statistics on routers and switches and sends them to a NetFlow collector.

30
Q

Frameworks

A

references that provide a foundation.

31
Q

Cybersecurity frameworks

A

typically use a structure of basic concepts and provide guidance on how to implement security.

32
Q

The International Organization for Standardization (ISO)

A

maintains a set of common cybersecurity standards. ISO 27001 covers information security management. ISO 27002 covers information security techniques. ISO 27701 covers privacy information management. ISO 31000 covers risk management.

33
Q

PCI DSS compliance

A

Organizations that handle credit cards typically comply with the Payment Card Industry Data Security Standard (PCI DSS).

34
Q

NIST

A

The National Institute of Standards and Technology (NIST) publishes very popular frameworks, including their Risk Management Framework (RMF) and Cybersecurity Framework (CSF). Vendor-specific guides should be used when configuring specific systems.

35
Q

Audits

A

a formal evaluation of an organization’s policies, procedures, and operations. In the world of cybersecurity, audits confirm that the organization has put security controls in place that are adequate and are effectively protecting critical assets.

36
Q

Assessments

A

less formal reviews of an organization’s cybersecurity defenses. Assessments may include vulnerability scans, penetration tests, and reviews of cybersecurity controls. Many of the techniques used in an assessment may also play a role in an audit.

37
Q

External audits

A

formal examinations performed by an independent auditing firm. Internal audits are performed by an auditing team within the organization itself.

38
Q

Outcome of an audit

A

an attestation made by the auditor. This is a formal statement that specific security controls and processes are in place and operating effectively within an organization.