Risk Management Flashcards
What are the 4 risk response techniques available to an organization?
Avoid, transfer, mitigate, accept
Quantitative risk assessment
Measures risk using a specific monetary amount
SLE
Single loss expectancy
The cost of any single loss
ARO
Annual Rate of Occurrence
Indicates how many times the loss may occur in one year (if less than 1, it’s represented as a %)
ALE
Annual Loss Expectancy
The value of SLE multiplied by ARO (SLE × ARO)
Qualitative Risk Assessment
Uses judgement to categorize risks based on likelihood of occurrence (probability) and impact. Often represented as numbers (e.g., a scale of 1 to 5).
Impact
The magnitude of loss/harm resulting from a risk
Supply Chain Assessment
An assessment that evaluates the elements used in an organization to create, sell, and distribute products.
Risk Register
A comprehensive document that lists known information about identified risks. Usually includes risk scores and recommended security controls to reduce those scores.
What is Risk?
The likelihood that a threat will exploit an organizational vulnerability.
What is a Threat, in context of Risk Management?
Any circumstance/event that can compromise the confidentiality, integrity, or availability of a system or data.
Threat Assessment
Helps an organization to identify and categorize threats by predicting what threats exist against an organization’s assets along with the likelihood that the threat will occur.
What is Risk Management?
The practice of identifying, monitoring, and limiting risks to a manageable level.
What is the primary goal of a Vulnerability Assessment?
To assess the security posture of systems and networks.
What methods do network scanners use to gather information about hosts on a network?
Ping scan/ping sweep, ARP ping scan, SYN stealth scan (TCP 3-way handshake), port scan (to determine open ports), service scan, OS detection (TCP/IP fingerprinting)
What is the goal of a password cracker in relation to Risk Management?
Helps to discover weak or poorly protected passwords on a network.
Banner Grabbing
A technique used to gain information about remote systems. Used by many scanners to identify the OS and information about some applications on it.
What are some of the common misconfigurations that a vulnerability scanner will look for?
Open ports that are not being used, weak passwords, default accounts and passwords that are not hardened, security and configuration errors, sensitive data.
Configuration Compliance Scanner
A tool that is used to verify that systems are configured correctly
Difference between Passive and Active Reconnaissance?
Passive recon collects information about a system via open-source intelligence.
Active recon uses tools to send data to a system and then analyze the responses.
What is pivoting, in the context of IT security?
Uses various tools to gain additional information about an organization. Example: If you gain access to a workstation within a company’s network, you can then use that computer to gather information about other systems.
What is the difference between Black box, white box, and gray box testing?
Black box = tester has no knowledge of the environment prior to starting a test
White box = tester has full knowledge of environment
Gray box = tester has some knowledge of environment, but not full.
What is an exploitation framework?
A tool used to store information about security vulnerabilities. Often used by testers (and attackers) to detect and compromise a system.
What are some commonly used exploitation frameworks?
Metasploit, BeEF (Browser Exploitation Framework), w3af (Web Application Attack and Audit Framework)
What is Nmap, and what is it used for?
A network scanner that can identify all of the active hosts and their IP addresses in a network, the protocols and services they’re running, and the OS of each system.
How does Tcpdump differ from Wireshark?
Wireshark is a GUI network scanner on Windows systems, and tcpdump is executed from the command line on Linux systems.
What are the uses of Netcat?
- Remotely accessing a Linux system (with SSH to encrypt the session)
- Transferring files between systems
- Port scan against a single IP address (evade detection via randomizing ports scanned)
Security Information and Event Management (SIEM)
A centralized solution for collecting, analyzing, and managing data from multiple sources. Supports continuous monitoring and real-time reporting, making it useful in a large enterprise environment.
What are some capabilities shared by most SIEMs?
Aggregation and correlation capabilities to collect and organize log data from different sources (e.g., firewalls, routers), automated alerting, automated triggers, time synchronization, event deduplication (removing duplicate entries), WORM (write once, read many) log storage
What is a permission auditing review?
Looks at the rights and permissions assigned to users and helps ensure that an organization is enforcing the principle of least privilege. Helps detect “privilege creep”.
What is usage auditing?
Refers to logging information on what users are doing. Provides non-repudiation. Helps create an audit trail in the event of an incident.