Risk Management Tools Flashcards
Quantitative Risk Assessment Equation
Quantitative Risk Assessment Equation
Annual Loss Expectancy (ALE) = Single Loss Expectancy (SLE) x Annual Rate of Occurrence (ARO)
Ping Scan
Ping Scan
- Network scanning method
- Send ICMP pings to range of IP addresses
ARP Ping Scan
ARP Ping Scan
- Network scanning method
- A host receiving an ARP packet with its IP address responds with MAC address
- If host responds, scanner learns host is operational with that IP address
SYN Stealth Scan
SYN Stealth Scan
- Network scanning method
- TCP three-way handshake
- Send SYN to each IP address
- If host responds, scanner learns host is operational with that IP address
- Sends RST to close connection instead of ACK
Port Scan
Port Scan
- Network scanning method
- Check open ports
- Identifies protocols running
Service Scan
Service Scan
- Network scanning method
- Like port scan, but verifies protocols/services
- E.g., if port 80 is open, send an HTTP command
OS Detection
OS Detection
- Network scanning method
- TCP/IP fingerprinting
- Analyze packets from IP address to identify OS
Network Mapping
Network Mapping
- Network scanning method
- Discover devices and how connected
- Graphical representation
Wireless Scanners
- Two types
Wireless Scanners
- Network scanning method
- Passive: Listen to traffic broadcast on known channels to detect SSID, MAC, signal strength, channels, security
- Active: Scanner/cracker - sends queries to APs, crack passwords, WPS attack
Rogue System Detection
Rogue System Detection
- Network scanning method
- Detect rogue APs, unknown SSIDs
Banner Grabbing
- Tools
Banner Grabbing
- Network scanning method
- Get info on server OS and apps from HTTP, FTP, SMTP banners
- Netcat
- telnet
- Nmap
Vulnerability Scan
Vulnerability Scan
- Identify systems susceptible to attack
- Passively test security controls
- Identify misconfigurations (DB of known vulns: open ports, weak passwords, default accounts and passwords, sensitive data)
- Do not actively exploit -> no impact on system
- Identify lack of security controls (old patches, no antivirus)
Configuration Compliance Scanner
Configuration Compliance Scanner
- File identifies proper config
- Verifies system has same config
- Credentialed scan
Penetration Testing
Penetration Testing
- Actively assess security controls
- Determine extent of damage attacker could inflict
- Test how org will respond
- Can disrupt operations and cause system instability
- Must define boundaries of test
Penetration Testing Activities
Penetration Testing Activities
- Passive recon - info from open sources (social media, websites, whois, DNS queries, passive Wi-Fi recon (SSIDs)). Not illegal. Does not send data to targets or analyze responses
- Active recon - Use tools to send info and analyze responses. Network scanners (Nmap, Nessus) and vulnerability scanners. Illegal. Can identify IP addresses, active ports/services, OS’s
- Escalation of privilege - gain access to low-level accounts; increase privileges. APTs use RATs
- Pivot - Use exploited system to target other systems. Use tools to gain additional info: user password databases, email, info on other computers
- Persistence - Backdoor: alternate accounts that can be accessed remotely; install/modify services to connect, like ssh
tcpdump
tcpdump
- Linux packet (protocol) analyzer
- Often used to capture packets that are later analyzed in Wireshark
Nmap
Nmap
- Network scanner
- Identify active hosts & IP addresses, protocols & services running on hosts, as well as host OS’s
Security Log
Security Log
- Windows auditable events
- Log on
- Access resources
- Recorded as success/failure
Application Log
Application Log
- Windows events recorded by applications
System Log
System Log
- Windows records events related to OS
- Start
- Shutdown
- Services starting/stopping
- Drivers loading/failing
messages
messages
- /var/log/messages
- System messages
- Startup
- Kernel
- Authentication
boot.log
boot.log
- /var/log/boot.log
- System boot logs
auth.log
auth.log
- /var/log/auth.log
- authorization log
- successful and unsuccessful logins
faillog
faillog
- /var/log/faillog
- Failed login attempts
kern.log
kern.log
- /var/log/kern.log
- Info logged by the system kernel
httpd
httpd
- /var/log/httpd
- Apache web server error logs
utmp
utmp
- Current status of Linux system
- Who is currently logged in
- who command queries
wtmp
wtmp
- Archive of the utmp file
btmp
btmp
- Linux log
- Failed login attempts
- lastb shows failed login attempts
SIEM
SIEM
Security Info and Event Management System
- Real-time monitoring, analysis, and notification of security events
- Long-term storage of data, methods to look for trends, create reports
- Aggregation - collect data from multiple sources (firewalls, IDS, proxy servers)
- Correlation engine - detect patterns of potential security events
- Automated alerting - triggers
- Event deduplication
- Prevent modification of logs - WORM - Write Once Read Many
Nmap
- Credentialed or uncredentialed
Nmap
- Network Scanner Tool
- Uncredentialed scan
- Detect hosts, their OS’s, and running protocols/services
Netcat
Netcat
- Network Scanner Tool
- Listen on a port
- Transfer data
- Scan ports and send data to a port
Nessus
Nessus
- Vulnerability Scanner Tool
- Configuration compliance scans
Credentialed vs Uncredentialed Scan
- Two examples of what needs credentials
- One example of what doesn’t
Credentialed vs Uncredentialed Scan
- Viewing file permissions - credentialed
- Info about OS files (unpatched files) - credentialed
- Version of web server software - uncredentialed - Nmap