Chapter 8 - Using Risk Management Tools Flashcards
SLE
Single Loss Expectancy
The cost of any single loss
ARO
Annual Rate of Occurrence
Indicates how many times the loss is expected to occur in a year. If ARO is less than 1, it is written as a decimal fraction of a year rather than a whole number (i.e. 0.5 = once every 2 years, 0.1 = once every 10 years).
ALE
Annual Loss Expectancy
SLE x ARO
Risk register
Lists all known risks for a system or an organization, often in table format. Also known as a risk log. It is a living document, updated as risks are added, mitigated or re-rated.
Risk matrix
Plots risks onto a graph or chart. Can plot things like the likelihood of occurrence data against the impact of a risk. Includes marking acceptable risk vs unacceptable risk
Heat map
Similar to a risk matrix, except uses colors such as green and red.
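Added example (not part of the flashcards): a small risk register that computes ALE = SLE x ARO for each entry and places it on a likelihood-vs-impact risk matrix with an acceptable/unacceptable threshold, the way a heat map would colour it. All risk entries, dollar figures and thresholds are constructed for illustration.

```python
"""Risk register + ALE + risk matrix, as an added illustration.
Entries, figures and the acceptable-score threshold are constructed."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    sle: float        # Single Loss Expectancy: cost of one occurrence
    aro: float        # Annual Rate of Occurrence: events per year (<1 = less than yearly)
    likelihood: int   # 1 (rare) .. 5 (almost certain), matrix axis
    impact: int       # 1 (negligible) .. 5 (severe), matrix axis

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro


def aro_from_interval(years_between_events: float) -> float:
    """An event expected once every N years has ARO = 1/N (once every 2 years -> 0.5)."""
    return 1.0 / years_between_events


def matrix_cell(risk: Risk) -> int:
    """Score plotted on the risk matrix / heat map: likelihood x impact."""
    return risk.likelihood * risk.impact


def classify(risk: Risk, acceptable_max: int = 6) -> str:
    """Heat-map colour plus the acceptable/unacceptable marking (threshold is an assumption)."""
    score = matrix_cell(risk)
    if score <= acceptable_max:
        return "green/acceptable"
    if score < 15:
        return "amber/unacceptable"
    return "red/unacceptable"


def risk_register(risks):
    """Register rows (name, SLE, ARO, ALE, score, rating) sorted by ALE, highest first."""
    rows = [{
        "name": r.name, "sle": r.sle, "aro": r.aro, "ale": r.ale,
        "score": matrix_cell(r), "rating": classify(r),
    } for r in risks]
    return sorted(rows, key=lambda row: row["ale"], reverse=True)


# Constructed sample entries; the figures are hypothetical.
SAMPLE_RISKS = [
    Risk("Ransomware on file server", sle=250_000, aro=aro_from_interval(5), likelihood=3, impact=5),
    Risk("Laptop theft", sle=4_000, aro=2.0, likelihood=4, impact=2),
    Risk("Web server defacement", sle=20_000, aro=0.5, likelihood=2, impact=3),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_RISKS):
        print(f"{row['name']:<28} SLE={row['sle']:>9,.0f} ARO={row['aro']:.2f} "
              f"ALE={row['ale']:>9,.0f} score={row['score']:>2} {row['rating']}")
```

Sorting by ALE and by matrix score usually gives different orders (the laptop theft has the second-highest matrix score but the lowest ALE here), which is why a register carries both: ALE drives the budget, the matrix drives the conversation about what is acceptable.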
Supply chain risk
Supply chain = all the elements required to produce and sell a product. Supply chain can become an attack vector if an attacker can disrupt the supply chain.
Threat hunting
The process of actively looking for threats within a network before an automated tool detects and reports on the threat.
-Gathering data on the threat through threat intelligence, i.e. info on the threat's capabilities, motives, goals and resources, coming from both internal and external sources.
OSINT
Open Source Intelligence.
Includes anything available on the internet such as blogs from researchers and vendors, media reports and more.
Threat feeds
Provide subscribers with up-to-date information on current threats. Many security organizations publish feeds and anyone with an email address can subscribe to them.
TTP
Tactics, techniques and procedures used by adversaries.
Refers to attacker methods when exploiting a target. Commonly included in threat feeds.
intelligence fusion
Combines all of this intelligence data to create a picture of the likely threats and risks to an organization.
Password cracker
Attempts to discover a password. Passwords are normally stored as hashes, and some hashing algorithms are stronger than others: fast, unsalted hashes such as MD5 (now considered weak) let an attacker test millions of guesses per second, while salted, iterated algorithms make each guess expensive.
Done online (guessing against a live logon) or offline (against captured hashes).
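Added example (not part of the flashcards): an offline dictionary attack against captured hashes. Each wordlist candidate is hashed with the same algorithm and compared to the target. The wordlist, the "captured" hashes and the salt are constructed here; the point is that the same attack works against MD5 and SHA-256 at hardware speed, while PBKDF2 (a salted, iterated KDF) costs the attacker the full iteration count per guess.

```python
"""Offline dictionary attack, as an added illustration.
Wordlist, target hashes and salt are constructed for the example."""
import hashlib
import time

# Constructed wordlist; a real attack would use a large list such as rockyou.txt.
WORDLIST = ["password", "letmein", "Summer2024", "correcthorse", "admin123"]


def unsalted_hex(password: str, algo: str) -> str:
    """Plain (unsalted) hash, e.g. how a weak app might store passwords."""
    return hashlib.new(algo, password.encode()).hexdigest()


def crack_unsalted(target_hex: str, algo: str, wordlist=WORDLIST):
    """Return the wordlist entry whose algo digest equals target_hex, else None."""
    for word in wordlist:
        # One cheap hash per guess and no salt: every user with this password
        # shares the same digest, so one lookup cracks all of them.
        if unsalted_hex(word, algo) == target_hex:
            return word
    return None


def pbkdf2_hex(password: str, salt: bytes, iterations: int) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def crack_pbkdf2(target_hex: str, salt: bytes, iterations: int, wordlist=WORDLIST):
    """Same attack; each guess now costs `iterations` HMAC calls and the salt
    prevents precomputed tables from being reused across users."""
    for word in wordlist:
        if pbkdf2_hex(word, salt, iterations) == target_hex:
            return word
    return None


def guesses_per_second(algo: str, seconds: float = 0.2) -> float:
    """Rough single-core hash rate, to make the speed difference concrete."""
    count, end = 0, time.perf_counter() + seconds
    while time.perf_counter() < end:
        hashlib.new(algo, b"candidate%d" % count).digest()
        count += 1
    return count / seconds


if __name__ == "__main__":
    target_md5 = unsalted_hex("Summer2024", "md5")        # constructed "captured" hash
    print("MD5 cracked   :", crack_unsalted(target_md5, "md5"))
    salt = b"\x01" * 16                                    # constructed per-user salt
    target_kdf = pbkdf2_hex("Summer2024", salt, 200_000)
    t0 = time.perf_counter()
    print("PBKDF2 cracked:", crack_pbkdf2(target_kdf, salt, 200_000),
          f"({time.perf_counter() - t0:.2f}s for {len(WORDLIST)} guesses)")
    print(f"MD5 rate on this CPU: ~{guesses_per_second('md5'):,.0f} guesses/s")
```

Against a weak password the slow hash still falls; what the KDF buys is time per guess, so the wordlist size the attacker can afford shrinks by roughly the iteration count.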
Network scanner
Use various techniques to gather info about hosts within a network, i.e. nmap, a popular scanning tool that gives you a lot of info about hosts within a network. Network scanners usually use the following methods:
-ARP ping scan
Any host that receives an ARP request for its IP address responds with its MAC address. If the host responds, the network scanner knows that a host is operational with that IP address. Works only on the local subnet, since ARP is not routed.
-SYN stealth scan
Sends a single SYN packet to each IP address in the scan range. If a host responds with SYN/ACK, the scanner knows that a host is operational with that IP address (and that the probed port is open). The scanner then sends a RST to tear the connection down instead of completing the handshake with an ACK, so the connection is never fully established and is less likely to be logged.
-Port scan
Checks for open ports on a system, each suggesting that the underlying protocol is running on the system, i.e. if port 443 is open the host is probably running HTTPS, meaning it's probably a web server. The port number is only a hint, since any service can be bound to any port. A port scan normally uses the ports identified as well-known ports by the IANA.
-Service scan
Like a port scan, but goes a step further and verifies the protocol or service, i.e. if a port scan shows 443 is open, a service scan sends an HTTP request such as "GET /" over the connection. If HTTPS is really running on port 443, it responds to the GET request, verifying that it is a web server.
-OS detection
OS detection techniques analyze packets from an IP address to identify the OS. This is often referred to as TCP/IP fingerprinting.
EX: TCP window size (the size of the receive window in the first packet of the TCP session) is not fixed. Different OSs use different sizes, i.e. Linux uses 5,840 bytes, Cisco routers 4,128 bytes, Windows 8,192 and 65,535. OS detection techniques don't rely on a single value but typically evaluate multiple values included in a system's responses.
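Added example (not part of the flashcards, and not nmap's code): a TCP connect() port scan followed by a service scan, run against a throwaway HTTP server on 127.0.0.1 so it works offline. This is the footprint-then-fingerprint sequence the cards describe, done with ordinary sockets; nmap's -sT/-sV do the same with far more probes. SYN stealth scanning and TCP/IP OS fingerprinting need raw sockets (root) and are left out. The target server, the port list and the request string are constructed for the example.

```python
"""Connect port scan + service scan against a local stand-in target.
Added illustration; the target server and ports are constructed."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class _StandInWebServer(BaseHTTPRequestHandler):
    """Minimal HTTP responder standing in for a web server on the target."""
    def do_GET(self):
        body = b"hello"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the scanner's output clean
        pass


def start_target():
    """Start the stand-in target on an ephemeral port; return (port, server)."""
    srv = HTTPServer(("127.0.0.1", 0), _StandInWebServer)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1], srv


def closed_port():
    """Reserve and release an ephemeral port so the scan has a known-closed target."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def port_scan(host, ports, timeout=0.3):
    """Connect scan: a completed three-way handshake means the port is open.
    Unlike a SYN scan, the connection is fully established (and may be logged)."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:    # 0 means connected
                open_ports.append(port)
    return open_ports


def service_scan(host, port, timeout=1.0):
    """Send a real HTTP request and inspect the reply; an open port alone is only a hint."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: target\r\n\r\n")
        banner = s.recv(64)
    return "http" if banner.startswith(b"HTTP/") else "unknown"


def scan_and_identify(host, ports):
    """Footprint (which ports answer) then fingerprint (what is actually listening)."""
    return {p: service_scan(host, p) for p in port_scan(host, ports)}


if __name__ == "__main__":
    port, srv = start_target()
    # Probe the live stand-in port plus a few well-known ports (normally closed here).
    print(scan_and_identify("127.0.0.1", [22, 80, 443, port]))
    srv.shutdown()
    srv.server_close()
```

The service check is deliberately a real protocol exchange rather than a port-number lookup: a listener on 443 that does not answer "GET /" with an HTTP status line is reported as unknown, which is exactly the distinction between a port scan and a service scan.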
Identifying Vulnerabilities and Misconfigurations
-open ports and services
-unsecure root accounts
-default accounts and passwords
-default settings
-unpatched systems
-errors
-open permissions
-unsecure protocols
-weak encryption
-weak passwords
-sensitive data
Credentialed vs Non-credentialed
Vulnerability scanners can run as credentialed scan using an account’s credentials or as non-credentialed without any user credentials. Attackers typically do not have an internal account’s credentials, so when they run scans against systems, they run non-credentialed scans.
Admins can run credentialed scans with admin privileges to check security issues at a much deeper level, ie listing the software versions of installed programs, and also have fewer false positives.
Penetration testing
Actively assesses deployed security controls within a system or network. Includes:
-Rules of engagement (authorization outlining the boundaries of the test)
-Reconnaissance/footprinting (tester/attacker attempts to learn as much as possible about a network)
Passive recon = collecting info about a targeted system using OSINT
Active recon = uses tools to engage targets
Network reconnaissance and discovery methods
Using tools to send data to systems and analyze the responses. This phase typically starts by using various scanning tools such as network scanners and vulnerability scanners. Scanning systems you don't own or have permission to test is illegal, so you need explicit written authorization ahead of time.
Some tools include:
-IP Scanner (or a ping scanner)
Searches a network for active IP addresses by sending ICMP pings to a range of IP addresses in a network. Pings are often blocked by firewalls, so results can be inconsistent.
-Nmap
Network scanner that you can run from the command line to identify all active hosts on a network, their IP addresses, the protocols and services running on each of the hosts, and each host's OS. Can include scan type, options, and target specifications when running the command.
-Scanless
Python-based CLI utility that performs port scans through an online port-scanning website, so the scan doesn't come from the tester's IP address and instead appears to originate from the website's IP address.
-dnsenum
Command that enumerates (lists) DNS records for domains, including the servers holding the records, and identifies the mail servers (if they exist) by listing the MX records. Also attempts an AXFR (zone transfer) to download all DNS records from the DNS servers, but this normally fails because properly configured servers restrict zone transfers to their own secondaries.
-Nessus
Vulnerability scanner developed by Tenable that uses plugins to perform various scans on Windows and Linux alike, and is often used for configuration reviews. AutoNessus is a free tool that can be used to automate Nessus scans.
-hping
Used to send pings using TCP, UDP or ICMP, and also to scan remote systems for open ports.
-Sn1per
A robust automated scanner used for vulnerability assessments and to gather info on targets during pen testing, combining features of many common tools into a single app. Comes in two editions: Community (performs vulnerability assessments, listing all discovered vulnerabilities and detailed info on the targets), and Professional, which also includes the ability to exploit the vulnerabilities.
-Curl
Client URL command (curl) is used to transfer and retrieve data to and from servers, such as web servers. The URL is the address of a web page. Pen testers can use scripts to identify all of the URLs of a website and then use curl to retrieve all of the pages.
Most websites prevent unauthorized personnel from posting data to them, but blocking curl requests isn't easy, because curl can send the same requests and headers a browser would.
Footprinting vs. fingerprinting
Network footprinting provides a big-picture view of a network, including the IP addresses active on a target network.
Fingerprinting then hones in on individual systems to provide details of each.
Persistence
An attacker's ability to maintain a presence in a network for weeks, months or even years without being detected.
Once attackers discover a vulnerability, they can research known exploits for it to remotely access a system or install malware, giving them a foothold they can keep.
Lateral movement
Refers to the way attackers maneuver throughout a network.
EX: Windows Management Instrumentation (WMI) and PowerShell are frequently used to scan a Windows network. After discovering other systems, the attacker looks for vulnerabilities and exploits them if possible. By exploiting multiple systems, the attacker has a better chance of maintaining persistence in a network.
Privilege escalation
Gaining access to a low-level system/account then using techniques to gain more and more privileges on a user’s computer and network, attempting to gain administrator access.
Pivoting
The process of using a compromised system to gain additional access or information, i.e. getting into one user's computer and then using that computer to gather information on (or reach) other computers it can talk to.
Known / Unknown / Partially Known testing environment
- Unknown: testers have zero knowledge of the environment prior to starting (black box test); instead they start with the same knowledge an outside attacker would have.
- Known: testers have full knowledge of the environment before starting, ie access to product documentation, source code, possibly even logon details (white box test).
- Partially known: testers have some knowledge (gray box), like having access to some network documentation but not the full network layout.