Risk and Controls (Ch. 8,9)

Question 1

risk

Answer 1

_ likelihood that a threat will exploit a vulnerability

Question 2

Inherent risk

Answer 2

_ risk that exists prior to using risk management controls

Question 3

Residual risk

Answer 3

_ risk that remains after mitigating risk to an acceptable level

Question 4

Control risk

Answer 4

_ risks of in-place controls not being sufficient

Question 5

Risk appetite vs risk tolerance

Answer 5

_ risk willing to accept vs ability to withstand risk
_ even accepting security risk can have rewards

Question 6

AV

Answer 6

_ asset value
_ value of an asset to the organization

Question 7

Risk control assessment

Answer 7

_ evaluates in-place controls against known risks

Question 8

Quantitative risk assessment

Answer 8

_ assigns monetary values to risk

Question 9

EF

Answer 9

_ risk exposure factor
_ portion of an asset that would be damaged should a risk materialize

Question 10

SLE

Answer 10

_ single loss expectancy
_ loss expected for a particular asset on exposure
_ SLE = AV x EF

Question 11

ARO

Answer 11

_ annualized rate of occurrence
_ number of times loss expected to occur in a year (%)

Question 12

ALE

Answer 12

_ annualized loss expectancy
_ loss expected in a year (per asset?)
_ ALE = SLE x ARO

Question 13

Qualitative risk assessment

Answer 13

_ uses judgment to assess risk probability

Question 14

impact

Answer 14

_ magnitude of harm resulting from a risk

Question 15

Numerical risk

Answer 15

_ probability x impact

Question 16

KRI

Answer 16

_ key risk indicator
_ metrics for monitoring risk associated with an activity, process, or system
_ e.g. security incidents per month
_ e.g. % of overdue security patches
_ e.g. avg. time to detect and respond to a security incident

Question 17

Risk register

Answer 17

_ identifies risks
_ indicates likelihood
_ indicates potential impact
_ reports current status
_ assigns risk owners
_ good for prioritizing risks

Question 18

Risk matrix

Answer 18

_ chart showing likelihood (probability) vs impact of a risk
_ scores the risks

Question 19

Vulnerability scanner

Answer 19

Creates a vulnerability report but does not address vulnerabilities (aka “passive”):
_ runs either credentialed (shows what an attacker would see) or non-credentialed (which can provide more detail)
_ lists hosts discovered
_ lists apps running on each host
_ lists open ports and services on each host
_ lists vulnerabilities discovered
_ lists recommendations

Question 20

Penetration test

Answer 20

_ starts with a reconnaissance of vulnerabilities
_ attempts to exploit vulnerabilities

Question 21

Vulnerability assessment

Answer 21

_ identifies assets and capabilities
_ prioritizes assets based on value
_ identifies vulnerabilities and prioritizes them
_ recommends controls to mitigate vulnerabilities

Question 22

Network scanner

Answer 22

_ gathers info about hosts
_ nmap
_ typically one of: ARP ping scan, Syn stealth scan, port scan, service scan, OS detection

Question 23

ARP ping scan

Answer 23

_ address resolution protocol ping scan
_ hosts receiving an ARP packet with its IP address responds with a MAC address
_ response tells scanner that host is operational at an IP address

Question 24

SYN stealth scan

Answer 24

_ scanner sends a TCP SYN to start a connection
_ looks for SYN/ACK response to know host is capable of connection
_ sends RST (reset) rather than ACK to end connection

Question 25

Port scan

Answer 25

_ checks of open ports

Question 26

Service scan

Answer 26

_ verifies protocol or service at a port _ performs a test of the protocol

Question 27

OS detection

Answer 27

_ uses TCP/IP fingerprinting to analyze packets and determine OS of host _ different OSs typically use different TCP window sizes _ other values also help determine the OS

Question 28

CVE

Answer 28

_ common vulnerabilities and exposures _ dictionary of publicly known security vulnerabilities _ funded by U.S. government

Question 29

CVSS

Answer 29

_ common vulnerability scoring system _ assigns vulnerabilities scores of 0 through 10 _ 10 is most severe

Question 30

Offensive penetration testing

Answer 30

_ simulates a real world attack

Question 31

Defensive penetration testing

Answer 31

_ evaluates security controls for vulnerabilities _ e.g. firewall rule analysis, configuration reviews, penetration testing of web apps

Question 32

Integrated penetration testing

Answer 32

_ combines physical, offensive, and defensive penetration testing for a comprehensive evaluation

Question 33

reconnaissance

Answer 33

_ aka footprinting _ attacker learns as much as possible _ passive or active

Question 34

Passive reconnaissance

Answer 34

_ collects info using OSINT _ does not include analyzing or interacting with the targets directly

Question 35

Active reconnaissance

Answer 35

_ uses tools to engage with targets to collect information

Question 36

Network reconnaissance and discovery

Answer 36

Almost always illegal, sans permission. Tools: _ IP scanner _ nmap _ netcat (nc) _ scanless _ dnesum _ nessus _ hping _ sn1per _ curl

Question 37

IP scanner

Answer 37

_ aka ping scanner

Question 38

nmap

Answer 38

_ identifies active hosts _ reports IP addresses _ reports protocols and services running _ reports OS installed

Question 39

netcat

Answer 39

_ nc _ used for “banner grabbing” to gain info about remote systems _ can return OS used and info about some apps _ can transfer files _ can check for open ports

Question 40

scanless

Answer 40

_ does port scans _ makes scan originate from a website (with or without owner’s permission), hiding the tester’s IP

Question 41

dnsenum

Answer 41

_ DNS enumeration _ lists DNS records for domains

Question 42

nessus

Answer 42

_ vulnerability scanner

Question 43

hping

Answer 43

_ sends pings using TCP, UDP, or ICMP _ can scan for open ports on remote systems

Question 44

sn1per

Answer 44

_ community edition performs vulnerability assessments _ professional edition attempts to exploit vulnerabilities

Question 45

Footprinting vs fingerprinting

Answer 45

_ network footprinting provides big-picture view of network _ fingerprinting provides details of systems on network

Question 46

Attacker persistence

Answer 46

_ ability to maintain presence in a network for a long time _ often involves creating a backdoor

Question 47

Lateral movement

Answer 47

_ how attackers move in a network _ once in a network, uses new abilities to attempt to move to other systems of network (called “pivoting”)

Question 48

pivoting

Answer 48

_ using an exploited system to target other systems

Question 49

Vulnerability tester classification

Answer 49

_ unknown environment testing - testers have no prior knowledge of the environment _ known environment testing - testers have full prior knowledge of the environment _ partially known environment testing

Question 50

RD

Answer 50

_ responsible disclosure program _ policies for reporting vulnerabilities _ e.g. bug bounty

Question 51

tcpreplay

Answer 51

_ suite of tools for editing packet captures and sending modified replays

Question 52

tcpdump

Answer 52

_ command line tool for capturing packets

Question 53

NetFlow

Answer 53

_ common router and switch feature _ stores and analyzes network header data

Question 54

Gap analysis

Answer 54

_ reviewers compare requirements of a standard to an organization’s normal operations

Question 55

attestation

Answer 55

_ outcome of an audit _ formal statement of controls that are in place for security

Question 56

Pressure sensor

Answer 56

_ detect changes in pressure on a service or in an area _ detects walking or forcing doors and windows

Question 57

Microwave sensor

Answer 57

_ detects movement by observing reflections of microwaves

Question 58

Ultrasonic sensors

Answer 58

_ echo location, measuring distance

Question 59

bollard

Answer 59

_ short vertical post of reinforced concrete and steel _ barricade inhibiting cars

Question 60

Vendor diversity

Answer 60

_ implementing security controls from multiple vendors to reduce changes of a single vulnerability allowing access

Question 61

RAID

Answer 61

_ redundant array of inexpensive disks

Question 62

RAID-0

Answer 62

_ striping _ no redundancy across disks _ improves performance by spreading a file across multiple disks

Question 63

RAID-1

Answer 63

_ mirroring _ only redundancy _ twice as many disks

Question 64

RAID-5

Answer 64

_ 3+ disk striped together with parity _ If one disk goes down, data can be recovered

Question 65

RAID-6

Answer 65

_ like RAID-5 but uses an additional disk for additional parity _ two disk can go down and data still recovered

Question 66

RAID-10

Answer 66

_ aka RAID 1+0 _ mirroring and striping _ 4+ drives _ requires twice the drive capacity of data stored

Question 67

Source IP address affinity

Answer 67

_ ensures load balanced connection goes to same server for duration of a session

Question 68

Load balancing with persistence

Answer 68

_ uses source IP address affinity to keep sessions hitting the same backend node

Question 69

active/active vs active/passive load balancers

Answer 69

_ active/active distributes load across multiple nodes _ active/passive changes the receiving node only when the prior receiving node goes down

Question 70

NIC teaming

Answer 70

_ combining multiple NICs into one virtual NIC _ load balances across NICs _ improves performance and reliability

Question 71

NAS

Answer 71

_ networked attached storage _dedicated computer for file storage

Question 72

SAN

Answer 72

_ storage area network _ block-level data storage _ high-speed

Question 73

Differential vs incremental backup

Answer 73

_ differential backs up all data that changed since last full backup _ incremental backs up all data that changed since last full or incremental backup

Question 74

journaling

Answer 74

_ backup technique _ records changes to data or files in a log (aka journal) _ can apply changes given in log for recovery _ useful in databases and filesystems

Question 75

BCP

Answer 75

_ business continuity plan

Question 76

BIA

Answer 76

_ business impact analysis _ part of the BCP _ identifies mission-essential functions

Question 77

RTO

Answer 77

_ recovery time objective _ max time allowed for restoring system after outage

Question 78

RPO

Answer 78

_ recovery point objective _ period of time over which data loss is acceptable (e.g. just the most recent week)

Question 79

MTBF

Answer 79

_ mean time between failures

Question 80

MTTR

Answer 80

_ mean time to repair (or recover)

Question 81

COOP

Answer 81

_ continuity of operations planning _ plan for restoring essential functions after outage

Question 82

Recovery site

Answer 82

_ sites established for resiliency _ hot sites, warm sites, and cold sites

Question 83

Hot site

Answer 83

_ recovery site that is always operational, ready to go _ usually takes at least a little time to switch over

Question 84

Cold site

Answer 84

_ recovery site that isn’t ready to go but has power and connectivity

Question 85

Warm site

Answer 85

_ recovery site that remains partially operational

Question 86

DRP

Answer 86

_ disaster recovery plan _ how to recover critical systems and data _ a BCP may have multiple DRPs for different disasters

Question 87

Disaster recovery steps

Answer 87

_ activate the DRP _ implement contingencies (e.g. change to a recovery site) _ recover critical systems _ test recovered systems _ after-action report (lessons learned, updated plan)

Question 88

Tabletop exercises

Answer 88

_ discussion of hypothetical scenarios to plan for disasters