Risk and Controls (Ch. 8,9) Flashcards
risk
_ likelihood that a threat will exploit a vulnerability
Inherent risk
_ risk that exists prior to using risk management controls
Residual risk
_ risk that remains after mitigating risk to an acceptable level
Control risk
_ risks of in-place controls not being sufficient
Risk appetite vs risk tolerance
_ risk willing to accept vs ability to withstand risk
_ even accepting security risk can have rewards
AV
_ asset value
_ value of an asset to the organization
Risk control assessment
_ evaluates in-place controls against known risks
Quantitative risk assessment
_ assigns monetary values to risk
EF
_ risk exposure factor
_ portion of an asset that would be damaged should a risk materialize
SLE
_ single loss expectancy
_ loss expected for a particular asset on exposure
_ SLE = AV x EF
ARO
_ annualized rate of occurrence
_ number of times loss expected to occur in a year (%)
ALE
_ annualized loss expectancy
_ loss expected in a year (per asset?)
_ ALE = SLE x ARO
Qualitative risk assessment
_ uses judgment to assess risk probability
impact
_ magnitude of harm resulting from a risk
Numerical risk
_ probability x impact
KRI
_ key risk indicator
_ metrics for monitoring risk associated with an activity, process, or system
_ e.g. security incidents per month
_ e.g. % of overdue security patches
_ e.g. avg. time to detect and respond to a security incident
Risk register
_ identifies risks
_ indicates likelihood
_ indicates potential impact
_ reports current status
_ assigns risk owners
_ good for prioritizing risks
Risk matrix
_ chart showing likelihood (probability) vs impact of a risk
_ scores the risks
Vulnerability scanner
Creates a vulnerability report but does not address vulnerabilities (aka “passive”):
_ runs either credentialed (shows what an attacker would see) or non-credentialed (which can provide more detail)
_ lists hosts discovered
_ lists apps running on each host
_ lists open ports and services on each host
_ lists vulnerabilities discovered
_ lists recommendations
Penetration test
_ starts with a reconnaissance of vulnerabilities
_ attempts to exploit vulnerabilities
Vulnerability assessment
_ identifies assets and capabilities
_ prioritizes assets based on value
_ identifies vulnerabilities and prioritizes them
_ recommends controls to mitigate vulnerabilities
Network scanner
_ gathers info about hosts
_ nmap
_ typically one of: ARP ping scan, SYN stealth scan, port scan, service scan, OS detection
ARP ping scan
_ address resolution protocol ping scan
_ a host receiving an ARP packet with its IP address responds with its MAC address
_ response tells scanner that host is operational at an IP address
SYN stealth scan
_ scanner sends a TCP SYN to start a connection
_ looks for SYN/ACK response to know host is capable of connection
_ sends RST (reset) rather than ACK to end connection
Port scan
_ checks for open ports
Service scan
_ verifies protocol or service at a port
_ performs a test of the protocol
OS detection
_ uses TCP/IP fingerprinting to analyze packets and determine OS of host
_ different OSs typically use different TCP window sizes
_ other values also help determine the OS
CVE
_ common vulnerabilities and exposures
_ dictionary of publicly known security vulnerabilities
_ funded by U.S. government
CVSS
_ common vulnerability scoring system
_ assigns vulnerabilities scores of 0 through 10
_ 10 is most severe
Offensive penetration testing
_ simulates a real world attack
Defensive penetration testing
_ evaluates security controls for vulnerabilities
_ e.g. firewall rule analysis, configuration reviews, penetration testing of web apps
Integrated penetration testing
_ combines physical, offensive, and defensive penetration testing for a comprehensive evaluation
reconnaissance
_ aka footprinting
_ attacker learns as much as possible
_ passive or active
Passive reconnaissance
_ collects info using OSINT
_ does not include analyzing or interacting with the targets directly
Active reconnaissance
_ uses tools to engage with targets to collect information
Network reconnaissance and discovery
Almost always illegal, sans permission. Tools:
_ IP scanner
_ nmap
_ netcat (nc)
_ scanless
_ dnsenum
_ nessus
_ hping
_ sn1per
_ curl
IP scanner
_ aka ping scanner
nmap
_ identifies active hosts
_ reports IP addresses
_ reports protocols and services running
_ reports OS installed
netcat
_ nc
_ used for “banner grabbing” to gain info about remote systems
_ can return OS used and info about some apps
_ can transfer files
_ can check for open ports
scanless
_ does port scans
_ makes scan originate from a website (with or without owner’s permission), hiding the tester’s IP
dnsenum
_ DNS enumeration
_ lists DNS records for domains
nessus
_ vulnerability scanner
hping
_ sends pings using TCP, UDP, or ICMP
_ can scan for open ports on remote systems
sn1per
_ community edition performs vulnerability assessments
_ professional edition attempts to exploit vulnerabilities
Footprinting vs fingerprinting
_ network footprinting provides big-picture view of network
_ fingerprinting provides details of systems on network
Attacker persistence
_ ability to maintain presence in a network for a long time
_ often involves creating a backdoor
Lateral movement
_ how attackers move in a network
_ once in a network, the attacker uses newly gained abilities to attempt to move to other systems on the network (called “pivoting”)
pivoting
_ using an exploited system to target other systems
Vulnerability tester classification
_ unknown environment testing - testers have no prior knowledge of the environment
_ known environment testing - testers have full prior knowledge of the environment
_ partially known environment testing
RD
_ responsible disclosure program
_ policies for reporting vulnerabilities
_ e.g. bug bounty
tcpreplay
_ suite of tools for editing packet captures and sending modified replays
tcpdump
_ command line tool for capturing packets
NetFlow
_ common router and switch feature
_ stores and analyzes network header data
Gap analysis
_ reviewers compare requirements of a standard to an organization’s normal operations
attestation
_ outcome of an audit
_ formal statement of controls that are in place for security
Pressure sensor
_ detects changes in pressure on a surface or in an area
_ detects walking or forcing doors and windows
Microwave sensor
_ detects movement by observing reflections of microwaves
Ultrasonic sensors
_ echo location, measuring distance
bollard
_ short vertical post of reinforced concrete and steel
_ barricade inhibiting cars
Vendor diversity
_ implementing security controls from multiple vendors to reduce the chance of a single vulnerability allowing access
RAID
_ redundant array of inexpensive disks
RAID-0
_ striping
_ no redundancy across disks
_ improves performance by spreading a file across multiple disks
RAID-1
_ mirroring
_ only redundancy
_ twice as many disks
RAID-5
_ 3+ disks striped together with parity
_ If one disk goes down, data can be recovered
RAID-6
_ like RAID-5 but uses an additional disk for additional parity
_ two disks can go down and data can still be recovered
RAID-10
_ aka RAID 1+0
_ mirroring and striping
_ 4+ drives
_ requires twice the drive capacity of data stored
Source IP address affinity
_ ensures load balanced connection goes to same server for duration of a session
Load balancing with persistence
_ uses source IP address affinity to keep sessions hitting the same backend node
active/active vs active/passive load balancers
_ active/active distributes load across multiple nodes
_ active/passive changes the receiving node only when the prior receiving node goes down
NIC teaming
_ combining multiple NICs into one virtual NIC
_ load balances across NICs
_ improves performance and reliability
NAS
_ network-attached storage
_ dedicated computer for file storage
SAN
_ storage area network
_ block-level data storage
_ high-speed
Differential vs incremental backup
_ differential backs up all data that changed since last full backup
_ incremental backs up all data that changed since last full or incremental backup
journaling
_ backup technique
_ records changes to data or files in a log (aka journal)
_ can apply changes given in log for recovery
_ useful in databases and filesystems
BCP
_ business continuity plan
BIA
_ business impact analysis
_ part of the BCP
_ identifies mission-essential functions
RTO
_ recovery time objective
_ max time allowed for restoring system after outage
RPO
_ recovery point objective
_ period of time over which data loss is acceptable (e.g. just the most recent week)
MTBF
_ mean time between failures
MTTR
_ mean time to repair (or recover)
COOP
_ continuity of operations planning
_ plan for restoring essential functions after outage
Recovery site
_ sites established for resiliency
_ hot sites, warm sites, and cold sites
Hot site
_ recovery site that is always operational, ready to go
_ usually takes at least a little time to switch over
Cold site
_ recovery site that isn’t ready to go but has power and connectivity
Warm site
_ recovery site that remains partially operational
DRP
_ disaster recovery plan
_ how to recover critical systems and data
_ a BCP may have multiple DRPs for different disasters
Disaster recovery steps
_ activate the DRP
_ implement contingencies (e.g. change to a recovery site)
_ recover critical systems
_ test recovered systems
_ after-action report (lessons learned, updated plan)
Tabletop exercises
_ discussion of hypothetical scenarios to plan for disasters