Chapter 8: Using Risk Management Tools Flashcards
Types & categories of threats
Human (accidental/malicious), environmental. Internal/external, IP theft.
Examples of vulnerabilities
In systems and organizational
Default configs/weak configs, improper patch management, lack of antivirus/anti-malware software & firewalls, poor policies (both software and organizational).
What are the different types of risk definitions? A.I.R.C.A
Awareness - Knowing that risks exist and must be addressed.
Inherent risk - the risks that exist before controls are placed.
Residual risk - risks remaining after controls are placed. Need to choose an acceptable amount of risk.
Control risk - if in-place controls don’t manage it, what additional controls need to be in place?
Risk appetite - the amount of risk an organization is willing to accept
What are some risk management strategies companies might use? A.M.A.T.I
Avoidance - Avoiding risk by not implementing a service that poses risk, e.g. a service that requires additional ports to be open.
Mitigation - Implementing controls to reduce risks or reduce impact.
Acceptance - accepting a certain level of risk. Might occur if the cost of a control is more than it is worth.
Transference - Risk is handled by a third party or shared with that third party.
Insurance -
Give a description of how a risk assessment might look.
First identifying assets and their values (objective and/or subjective).
Then threats & vulnerabilities are determined. How likely are they to occur?
Lastly, recommendations on what controls would reduce these threats and vulnerabilities.
It is a snapshot based on current threats, vulnerabilities, controls.
The overall goal is to assess impact of potential incidents, their likelihood and then prioritize assets and controls.
When does a risk control assessment come into play? How does it differ from a risk control self-assessment?
It examines the potential risks based on the current controls. If a risk assessment exists, it uses that to check whether the controls adequately mitigate known risks.
A self-assessment is performed by employees; the control assessment is performed by a third party.
What are SLE, ALE and ARO? How do you work out ALE?
Single loss expectancy - cost of any single loss (one occurrence of that loss).
Annual loss expectancy - cost of a single loss x how many times per year it is expected to happen.
Annual rate of occurrence - times per year something is expected to happen. Represented as a percentage (50% = 0.5).
ALE = ARO x SLE
In a subjective or qualitative risk assessment how can you perform a calculation?
Using a scale of 1-10, 1 being low and 10 being high. This can be applied to both the probability and the impact. Probability = 7, impact = 10. Then you could say 7 x 10 = an overall risk of 70.
What is the final process of a risk assessment, and briefly, those leading up to it?
Documenting the assessment: the report, essentially just recommendations. Leading up to this: identifying assets, identifying threats/vulnerabilities, implementing controls. Assets need to be valued quantitatively or qualitatively, which is where SLE, ALE and ARO come into play. Strategies should be considered: avoidance, mitigation, acceptance, transference and insurance.
Risk assessments use a variety of tools/frameworks; give a brief description of each.
Risk register - Usually a table of known risks, risk owner, mitigation measures, likelihood of occurrence, risk score.
Risk matrix - A graph or chart of likelihood vs rate of occurrence.
Heat map - Similar to a risk matrix but uses colours.
Give some examples of what a network scan for vulnerabilities might want to achieve, and using what?
The use of Nmap:
May perform an ARP ping scan to see if a system is operational (and its IP address).
SYN stealth scan - sends out a SYN, but instead of completing the handshake with an ACK it resets the connection. Used for the same reason as the ARP ping.
Port scan - checking for any open ports, giving hints about what protocols and services are running.
Service scan - sends a command to a known open port to verify that the service is running.
OS detection - analyzes packets from an IP address to identify the OS. As an example, different OSes use different TCP window sizes.
What are a few things a vulnerability scanner aims to do?
Identify any vulnerabilities/misconfigurations, passively test security controls, and identify a lack of security controls.
How does a vulnerability scanner know what to look for?
Through the use of a database of known vulnerabilities that it tests systems against. There is a Common Vulnerability Scoring System (CVSS, 0-10) that assesses and assigns priorities.
Give a list of some basic misconfigurations a vulnerability scanner might pick up on.
- Unused/open ports
- Unsecured root accounts
- Default accounts & passwords
- Default settings
- Unpatched systems
- Open permissions (Files available to everybody)
- Insecure protocols
- Weak encryption and passwords
Vulnerability scan vs penetration test?
A vulnerability scan does not exploit any vulnerabilities; it only passively searches for them. A penetration test will try to exploit all vulnerabilities.
Credentialed vs non credentialed scans
Credentialed - uses an account with some access to the system, typically with administrator privileges. Provides deeper insight.
Non-credentialed - like an attacker typically, unless they use privilege escalation to gain more access to the system.
A configuration scanner uses what to perform its function?
A configuration baseline file; it searches systems to check that they match this baseline. Often run automatically via tools.
An important thing to do for penetration tests?
Define boundaries, as penetration tests are invasive. Also develop a replica of the system on a test system.
Passive vs active footprinting (reconnaissance)
Passive - OSINT, no engagement with the target, not illegal.
Active - Use of tools, more invasive.
What are some tools used in active reconnaissance?
- IP scanners (ping)
- Nmap
- Netcat (identify OS, open ports, transfer files, info about apps)
- scanless (port scan)
- Dnsenum (DNS record list)
- Nessus (vulnerability scanner)
- hping (send pings over ICMP, TCP, UDP)
- Sn1per (vulnerability testing & exploiter)
- Curl (transfer and receive data from servers and web servers)
How does a penetration tester create persistence?
After exploiting a vulnerability, by creating a backdoor to maintain entry into the system.
What is lateral movement?
The process of moving through the network, typically looking for vulnerabilities in other systems and exploiting them as well. By doing this, it increases persistence.
What is it called when a penetration tester uses one exploited system to target another?
Pivoting.
What occurs in the last step of a penetration test?
Clean up, removing all traces: user accounts, scripts and logs removed, settings reverted, etc.