Risk Management Tools Flashcards

1
Q

Quantitative Risk Assessment Equation

A

Quantitative Risk Assessment Equation

Annual Loss Expectancy (ALE) = Single Loss Expectancy (SLE) x Annual Rate of Occurrence (ARO)

2
Q

Ping Scan

A

Ping Scan

  • Network scanning method
  • Send ICMP pings to range of IP addresses
3
Q

ARP Ping Scan

A

ARP Ping Scan

  • Network scanning method
  • A host receiving an ARP packet with its IP address responds with MAC address
  • If host responds, scanner learns host is operational with that IP address
4
Q

SYN Stealth Scan

A

SYN Stealth Scan

  • Network scanning method
  • TCP three-way handshake
  • Send SYN to each IP address
  • If host responds, scanner learns host is operational with that IP address
  • Sends RST to close connection instead of ACK
5
Q

Port Scan

A

Port Scan

  • Network scanning method
  • Check open ports
  • Identifies protocols running
6
Q

Service Scan

A

Service Scan

  • Network scanning method
  • Like port scan, but verifies protocols/services
  • E.g., if port 80 is open, send an HTTP command and check the response
7
Q

OS Detection

A

OS Detection

  • Network scanning method
  • TCP/IP fingerprinting
  • Analyze packets from IP address to identify OS
8
Q

Network Mapping

A

Network Mapping

  • Network scanning method
  • Discover devices and how connected
  • Graphical representation
9
Q

Wireless Scanners

-Two types

A

Wireless Scanners

  • Network scanning method
  • Passive: Listen to traffic broadcast on known channels to detect SSID, MAC, signal strength, channels, security
  • Active: Scanner/cracker - sends queries to APs, crack passwords, WPS attack
10
Q

Rogue System Detection

A

Rogue System Detection

  • Network scanning method
  • Detect rogue APs, unknown SSIDs
11
Q

Banner Grabbing

-Tools

A

Banner Grabbing

  • Network scanning method
  • Get info on server OS and apps from HTTP, FTP, SMTP banners
  • Netcat
  • telnet
  • Nmap
12
Q

Vulnerability Scan

A

Vulnerability Scan

  • Identify systems susceptible to attack
  • Passively test security controls
  • Identify misconfigurations (DB of known vulns: open ports, weak passwords, default accounts and passwords, sensitive data)
  • Do not actively exploit -> no impact on system
  • Identify lack of security controls (old patches, no antivirus)
13
Q

Configuration Compliance Scanner

A

Configuration Compliance Scanner

  • File identifies proper config
  • Verifies system has same config
  • Credentialed scan
14
Q

Penetration Testing

A

Penetration Testing

  • Actively assess security controls
  • Determine extent of damage attacker could inflict
  • Test how org will respond
  • Can disrupt operations and cause system instability
  • Must define boundaries of test
15
Q

Penetration Testing Activities

A

Penetration Testing Activities

  1. Passive recon - info from open-source (social media, websites, whois, DNS queries, passive wifi recon (SSIDs). Not illegal. Does not send info to targets and analyze responses
  2. Active recon - Use tools to send info and analyze responses. Network scanners (Nmap, Nessus) and vulnerability scanners. Illegal. Can identify IP addresses, active ports/services, OS’s
  3. Escalation of privilege - gain access to low-level accounts; increase privileges. APTs use RATs
  4. Pivot - Use exploited system to target other systems. Use tools to gain additional info: user password databases, email, info on other computers
  5. Persistence - Backdoor: alternate accounts that can be accessed remotely; install/modify services to connect, like ssh
16
Q

tcpdump

A

tcpdump

  • Linux packet (protocol) analyzer
  • Often used to capture packets, which are then analyzed later in Wireshark
17
Q

Nmap

A

Nmap

  • Network scanner
  • Identify active hosts & IP addresses, protocols & services running on hosts, as well as host OS’s
18
Q

Security Log

A

Security Log

  • Windows auditable events
  • Log on
  • Access resources
  • Recorded as success/failure
19
Q

Application Log

A

Application Log

  • Windows events recorded by applications
20
Q

System Log

A

System Log

  • Windows records events related to OS
  • Start
  • Shutdown
  • Services starting/stopping
  • Drivers loading/failing
21
Q

messages

A

messages

  • /var/log/messages
  • System messages
  • Startup
  • Mail
  • Kernel
  • Authentication
22
Q

boot.log

A

boot.log

  • /var/log/boot.log
  • System boot logs
23
Q

auth.log

A

auth.log

  • /var/log/auth.log
  • Authorization log
  • Successful and unsuccessful logins
24
Q

faillog

A

faillog

  • /var/log/faillog
  • Failed login attempts
25
Q

kern.log

A

kern.log

  • /var/log/kern.log
  • Info logged by the system kernel
26
Q

httpd

A

httpd

  • /var/log/httpd
  • Apache web server error logs
27
Q

utmp

A

utmp

  • Current status of Linux system
  • Who is currently logged in
  • who command queries
28
Q

wtmp

A

wtmp

  • Archive of the utmp file
29
Q

btmp

A

btmp

  • Linux log
  • Failed login attempts
  • lastb shows failed login attempts
30
Q

SIEM

A

SIEM

  • Security Information and Event Management system
  • Real-time monitoring, analysis, and notification of security events
  • Long-term storage of data, methods to look for trends, create reports
  • Aggregation - collect data from multiple sources (firewalls, IDS, proxy servers)
  • Correlation engine - detect patterns of potential security events
  • Automated alerting - triggers
  • Event deduplication
  • Prevent modification of logs - WORM - Write Once Read Many
31
Q

Nmap

-Credentialed or uncredentialed

A

Nmap

  • Network Scanner Tool
  • Uncredentialed scan
  • Detect hosts, their OS’s, and running protocols/services
32
Q

Netcat

A

Netcat

  • Network Scanner Tool
  • Listen on a port
  • Transfer data
  • Scan ports and send data to a port
33
Q

Nessus

A

Nessus

  • Vulnerability Scanner Tool
  • Configuration compliance scans
34
Q

Credentialed vs Uncredentialed Scan

  • Two examples of what needs credentials
  • One example of what doesn’t
A

Credentialed vs Uncredentialed Scan

  • Viewing file permissions - credentialed
  • Info about OS files (unpatched files) - credentialed
  • Version of web server software - uncredentialed (e.g., Nmap)