Risk Assessment & Management


Questions and Answers

Which of the following is the MOST accurate definition of risk in computer security?

  • Anything that can potentially equate to monetary loss. (correct)
  • The use of cryptographic techniques.
  • Employing vulnerability management.
  • Potential hardware failure.

Smart organizations are generally uninterested in managing vulnerabilities.

False (B)

Which of the following is NOT a general strategy that organizations typically employ when managing a particular risk?

  • Transfer the risk to another organization.
  • Accept some or all of the consequences of a risk.
  • Reduce the risk.
  • Ignore the risk completely. (correct)

What are the five steps of risk assessment?

Identify assets, identify vulnerabilities, identify threats and likelihood, identify potential monetary impact, and documentation.

In security, what does the acronym 'RA' stand for?

Risk Assessment (A)

What are the MOST common risk assessment methods?

Qualitative and quantitative. (B)

A qualitative risk assessment assigns monetary values to assets or possible losses.

False (B)

The magnitude of harm resulting from a risk, including loss of confidentiality, integrity, or availability, is referred to as the ______.

impact

Which of the following is NOT a step in conducting a risk assessment?

Identify existing security controls. (C)

Which of the risk management strategies involves contracting with a third party to take on financial responsibility for potential losses?

Risk transference. (D)

In quantitative risk assessment, what does SLE stand for, and what does it represent?

Single Loss Expectancy; the loss of value in GBP based on a single incident.

In quantitative risk assessment, ALE is calculated by multiplying SLE by ______.

ARO

What does ARO stand for in quantitative risk assessment?

Annualized Rate of Occurrence. (A)

What security measure should a risk assessment recommend for a database-enabled web application susceptible to SQL injection attacks?

Rewriting the web application with input validation techniques or stored procedures, to protect the database.

What is the final phase of a risk assessment?

Report preparation. (D)

In the context of security analysis, assessing an organization's security by analyzing servers, devices, and networks, which are not affected by your analyses or scans, is an example of active security analysis.

False (B)

Analyzing computers, servers, and network devices in order to assess risk is part of:

Security analysis methodologies. (D)

Security analysts create a list of ______, then watch for threats that could exploit those vulnerabilities.

vulnerabilities

What are two ways to do security analysis?

Active and passive. (C)

Active security analysis never causes a loss in productivity.

False (B)

Match the security control type with its description:

  • Preventive controls = Employed before an event to prevent an incident.
  • Detective controls = Used during an event to identify malicious activity.
  • Corrective controls = Used after an event to repair damage and restore resources.

Which security control type is exemplified by biometric systems?

Preventive controls. (C)

CCTV is an example of ______ security controls.

detective

Which of the following is an example of a corrective control?

Data backup. (C)

Vulnerability management only involves finding vulnerabilities; mitigating them is a separate process.

False (B)

Which of the following is NOT a step in vulnerability management?

Implement intrusion detection systems. (C)

What is assessed when creating baselines in vulnerability management?

The current security state of computers, servers, network devices, and the network in general.

Monitoring the environment after implementing mitigation measures involves comparing current results to the ______.

original baseline

What is the purpose of penetration testing?

Simulating attacks to evaluate system security. (D)

Penetration testing can be passive or active.

False (B)

What is the difference between Black-box and White-box pen-testing?

In Black-box testing, the tester has little or no knowledge of the system; in White-box testing, the tester has complete knowledge.

In what type of penetration testing would the tester have little or no prior knowledge of the system being tested?

Black-box. (D)

The study of physical and logical connectivity of networks is known as ______.

network mapping

Which of the following tools would be BEST suited for creating a visual representation of network infrastructure?

Network Topology Mapper. (C)

Vulnerability scanning exploits threats on your network.

False (B)

Name a vulnerability scanner.

Nessus

Which tool would be MOST effective at capturing and analyzing the traffic flowing over a network?

Wireshark. (A)

The process of capturing network traffic for analysis is known as network ______.

sniffing

Which activity is MOST closely associated with testing password strength?

Password analysis. (D)

Brute Force Cracking is guessing based on the most common passwords.

False (B)

What is the purpose of password-cracking tools in security analysis?

To identify weak and vulnerable passwords.

What is the primary goal of using cryptographic techniques in data security?

To ensure the confidentiality, integrity, and availability of user data. (C)

Organizations interested in managing vulnerabilities are trying to manage risk.

True (A)

Which of the following is the MOST accurate definition of risk management?

The identification, assessment, and prioritization of risks, including mitigating and monitoring them. (D)

Match the following risk management strategies with their descriptions:

  • Transfer = Shifting the risk to another organization or third party.
  • Avoid = Choosing not to proceed with activities that introduce the risk.
  • Reduce = Implementing measures to lower the probability or impact of the risk.
  • Accept = Acknowledging the risk and deciding to bear the consequences.

An organization decides to purchase insurance for a group of servers in its data center. What risk management strategy is the organization employing?

Risk transference (C)

A risk assessment determines the amount of ______ that could possibly occur to your computers and networks.

threats

What are the first three steps in conducting a systematic risk assessment?

Identify assets, identify vulnerabilities, and identify threats. (B)

What are the two most common methods for risk assessment?

Qualitative and Quantitative

A qualitative risk assessment assigns monetary values to assets.

False (B)

What factor is directly related to the 'magnitude of harm' resulting from a risk?

Impact (D)

A qualitative risk assessment provides you a total for possible monetary loss.

False (B)

What is the primary advantage of using a quantitative risk assessment?

It provides a total for possible monetary loss. (B)

Match the following Quantitative Risk Assessment terms with their definition:

  • SLE (Single Loss Expectancy) = Loss of value based on a single incident.
  • ARO (Annualized Rate of Occurrence) = Number of times per year that a specific incident occurs.
  • ALE (Annualized Loss Expectancy) = Total loss per year due to a specific incident.

A company experiences a data breach that costs them $50,000 in damages. This is classified as the loss of value of a single incident. Which term best describes this?

Single Loss Expectancy (SLE) (B)

The final phase of a risk assessment is report presentation.

True (A)

A risk assessment of a web application reveals that it is susceptible to SQL injection attacks. What recommendation from the risk assessment would best address this?

Rewriting the web application with input validation techniques. (A)

In security analysis, ______ security analysis is when actual tests are performed on the system.

active

Which of the following security tests might affect the normal operations of a system and cause a loss in productivity?

Active security analysis. (A)

Passive security analysis can affect servers, devices and networks.

False (B)

An organization's network documentation shows computers, switches and routers but there is no firewall implemented. What type of analysis is this an example of?

Passive analysis (A)

Match the security controls with their descriptions:

  • Preventive Controls = Controls employed before an event to prevent an incident.
  • Detective Controls = Controls used during an event to detect malicious activity.
  • Corrective Controls = Controls used after an event to recover from damage.

Implementing biometric systems to keep unauthorized persons out is an example of what security control?

Preventive controls. (B)

Video surveillance and alarms are considered ______ controls.

detective

Tape backups are a detective control.

False (B)

After analyzing network documentation and using a variety of security tools, your team has been finding and mitigating vulnerabilities in your network. What is this an example of?

Vulnerability Management. (D)

What is one of the initial steps in Vulnerability Management?

Define the desired state of security. (A)

Vulnerability Management is a one-time event.

False (B)

______ testing is a method of evaluating the security of a system by trying to exploit vulnerabilities.

Penetration

In what way does vulnerability scanning differ from penetration testing?

Vulnerability scanning may be active or passive, while penetration testing is always active. (B)

Match the following penetration testing methods with their descriptions:

  • Black-box Penetration Testing = Penetration test with little or no knowledge of the computer/infrastructure.
  • White-box Penetration Testing = Penetration test with complete knowledge of the computer/infrastructure.

A penetration tester operates with no prior knowledge of the system's infrastructure. What testing method is this?

Black-box pen-testing. (D)

What tool scans a computer network and generates a map of the entire network infrastructure for you?

Network Topology Mapper

Vulnerability scanning attempts to exploit threats on your network.

False (B)

What does a network sniffer use to capture frames directly?

Adapter (A)

A variety of ______-cracking tools can help security analysts identify weak and vulnerable passwords.

password

Flashcards

What is Risk?

Potential for loss or harm in a computer system.

Risk Management

A systematic process to identify, assess, and mitigate risks.

Risk Transference

Transferring risk to another entity.

Risk Avoidance

Declining involvement in risky activities.

Risk Reduction

Reducing the degree or likelihood of a risk.

Risk Acceptance

Accepting potential consequences; good for low-impact risks.

Risk Assessment (RA)

Process to determine the amount of threats.

Qualitative Risk Assessment

Subjective risk assessment based on judgement.

Quantitative Risk Assessment

Assigning monetary values for risk assessment.

Single Loss Expectancy (SLE)

The loss of value based on a single incident.

Annualized Rate of Occurrence (ARO)

Number of times per year a specific incident occurs.

Annualized Loss Expectancy (ALE)

Total expected loss per year due to an incident.

Risk Assessment Documentation

The final stage of the risk assessment.

Security Analysis Methodologies

Analyzing the security of computers, servers, networks and data.

Active Security Analysis

Security test method using actual tests on the system.

Passive Security Analysis

Security test method that does not affect the system.

Preventive Controls

They try to prevent an event from occurring.

Detective Controls

Controls to find out whether malicious activity is or has occurred.

Corrective Controls

Controls that limit damage and restore quickly after incidents.

Vulnerability Management

Practice of finding and resolving vulnerabilities in computers and networks.

Define desired security state

Written policies defining the desired security state.

Create Baselines

Assesses the current security state of computers and networks.

Prioritize Vulnerabilities

Ranking vulnerabilities by importance.

Mitigate Vulnerabilities

Addressing and fixing identified weaknesses.

Monitor environment

Overseeing and comparing to baseline.

Penetration Testing

Evaluating security by simulating attacks.

Black-box pen-testing

Pen-test with no prior system knowledge.

White-box pen-testing

Pen-test with complete system knowledge.

Network Mapping

Study of physical and logical network connections.

Vulnerability Scanning

Technique to identify threats on your network.

Network Sniffing

Analyzing network traffic.

Password Analysis

Tools to identify weak passwords.

Password Guessing

Guessing passwords based on common choices.

Dictionary Attack

Trying known words from a list as passwords.

Brute-force Attack

Trying every possible character combination.

Cryptanalysis Attack

Using a table of precalculated passwords.

Study Notes

What is Risk?

  • In computer security, risk can be equated to potential monetary loss
  • This can include computer vulnerabilities, potential dangers, hardware and software failures, wasted man hours and downtime

Risk Assessments

  • Computers form an indispensable part of organizations
  • Managing vulnerabilities is vital to managing risks for organizations
  • Computer security represents a risky business

Risk Management

  • Can be defined as identification, assessment, and prioritization of risks and the mitigation and monitoring of the same
  • Organizations employ four general strategies when managing a particular risk:
    • Transfer: Transferring risk to another organization or third party
      • It is possible to transfer some risk to a third party by purchasing insurance, for example covering a group of servers in a data centre
      • The organization still risks losing data if failure, theft, or disaster occurs, but transfers the financial risk if the servers are lost
    • Avoid: Avoiding potential risks altogether
      • Some organizations may decide not to carry out a proposed plan because the risk factor is too great
      • A high-profile organization could decide not to implement a new and controversial web service
    • Reduce: Act to reduce risk
      • Mitigate risks as much as possible; eliminating all risks is not possible
      • Usually, budgeting and IT resources dictate the level of risk reduction
      • For example, a risk mitigation strategy could be to install antivirus software on every client computer. However, hardware-based firewalls are an expensive risk mitigation alternative
    • Accept: Accepting some or all the consequences of a risk
      • Most organizations are willing to accept certain levels of risk
      • Some vulnerabilities are too expensive to patch

Risk Assessment

  • Risk assessment determines the number of threats to, and the amount of risk to, your computers, networks and digital assets

Risk Assessment steps

  • Identify the organization’s assets
  • Identify vulnerabilities
  • Identify threats and their likelihood
  • Identify the potential monetary impact
  • Documentation

Risk assessment methods

  • The two most common risk assessment methods are qualitative and quantitative

Qualitative Risk Assessments

  • Qualitative risk assessments use judgement to categorize risks based on the likelihood of occurrence and impact
  • The likelihood of occurrence is the probability that an event will occur, usually annually
  • Impact is the magnitude of harm resulting from a risk, including the negative results of an event, for example loss of confidentiality, integrity or availability
  • Unlike its counterpart, quantitative risk assessment, it does not assign monetary values to assets or possible losses.
  • Represents the easier, quicker, and cheaper way to assess risk
  • Cannot provide a total for possible monetary loss.

Quantitative Risk Assessments

  • Quantitative risk assessment measures risk using monetary amounts
  • Allows easier prioritization of risks:
    • A risk with a potential loss of £30,000 is much more important than a risk with a potential loss of £1,000
  • Attempts to give an expected yearly loss in GBP, and also includes an assessment of asset values

Quantitative Risk Assessment Values

  • Three values are used when making quantitative risk calculations:
    • Single Loss Expectancy (SLE): Value in GBP based on a single incident
    • Annualized Rate of Occurrence (ARO): Represents the number of times an incident occurs per year
    • Annualized Loss Expectancy (ALE): The total loss in GBP per year due to a specific incident. The calculation is: ALE = SLE * ARO

Documentation

  • The final phase of the risk assessment represents report preparation
  • Report identifies the risks discovered and recommended controls
    • SQL injection attacks can be discovered in database enabled web applications
    • Rewriting the web application to protect the database, using input validation techniques or stored procedures, is recommended

Example 1: Risk Assessment

  • Average cost of a laptop is $2000, including hardware, software and data, and employees lose one laptop per month on average
  • Hardware locks are purchased to secure laptops for a total of $1000
  • The value of each laptop is $2000, therefore SLE = $2000
  • ARO: employees lose roughly 1 laptop a month = 12 per year
  • Annual Loss Expectancy (ALE) = SLE x ARO = $2000 x 12 = $24,000
  • Security experts believe locks will reduce stolen laptops from 12 to 2 per year
  • New ALE = $2000 x 2 = $4000
  • Original ALE = $24,000
  • = $20,000 saving a year
  • The organisation spent $1000 to create an overall saving of $20,000

Example 2: Risk Assessment

  • The e-commerce web server fails 7 times a year (ARO = 7)
  • Average downtime of each failure = 45 minutes
  • The website processes an average of 10 orders every minute and revenue of $35 per order
  • $350 of revenue is generated per minute
  • One downtime = $15,750 (45 outage minutes x $350)
  • SLE is $15,750 (the loss from a single occurrence)
  • ALE = SLE x ARO = $15,750 x 7 = $110,250 (the ALE)
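The two worked examples above, carried through in code. This is an added illustration, not part of the original study notes: it computes SLE and ALE with the notes' own figures and then weighs a control's ALE reduction against its cost (the notes quote the $20,000 gross saving; the net figure after the $1000 lock purchase is also reported here) and ranks scenarios by ALE for prioritisation.

```python
"""Quantitative risk assessment helpers: SLE, ALE and the value of a control.

Worked against the two examples in the study notes (laptop theft with
hardware locks, and e-commerce web server downtime). Amounts are whole
currency units so the arithmetic stays exact.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One risk scenario expressed in quantitative terms."""
    name: str
    sle: int    # Single Loss Expectancy: loss from one incident
    aro: float  # Annualized Rate of Occurrence: incidents per year

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle * self.aro


def sle_from_downtime(outage_minutes: int, orders_per_minute: int, revenue_per_order: int) -> int:
    """SLE for an availability loss: revenue not earned during one outage."""
    return outage_minutes * orders_per_minute * revenue_per_order


def control_value(before: Scenario, after: Scenario, annual_control_cost: float) -> dict:
    """Compare ALE with and without a control and weigh it against the control's cost.

    'ale_reduction' is the gross saving (what the notes call the saving);
    'net_benefit' additionally subtracts what the control cost.
    """
    reduction = before.ale - after.ale
    net = reduction - annual_control_cost
    return {
        "ale_before": before.ale,
        "ale_after": after.ale,
        "ale_reduction": reduction,
        "net_benefit": net,
        "worthwhile": net > 0,
    }


def rank_by_ale(scenarios):
    """Order scenarios by ALE, highest first, as the notes' prioritisation rule."""
    return sorted(scenarios, key=lambda s: s.ale, reverse=True)


# Example 1 from the notes: $2000 laptops, one lost per month; locks cost $1000
# in total and are expected to cut losses to 2 per year.
LAPTOPS_BEFORE = Scenario("laptop theft, no locks", sle=2000, aro=12)
LAPTOPS_AFTER = Scenario("laptop theft, with locks", sle=2000, aro=2)
LAPTOP_LOCK_COST = 1000

# Example 2 from the notes: 7 failures a year, 45 minutes each,
# 10 orders per minute at $35 per order.
WEB_SERVER = Scenario(
    "e-commerce web server outage",
    sle=sle_from_downtime(outage_minutes=45, orders_per_minute=10, revenue_per_order=35),
    aro=7,
)


def laptop_example() -> dict:
    """Example 1: ALE $24,000 before locks, $4,000 after."""
    return control_value(LAPTOPS_BEFORE, LAPTOPS_AFTER, LAPTOP_LOCK_COST)


def web_server_example() -> float:
    """Example 2: SLE $15,750 per outage, ALE $110,250 per year."""
    return WEB_SERVER.ale


if __name__ == "__main__":
    r = laptop_example()
    print(f"Laptops: ALE before ${r['ale_before']:,.0f}, after ${r['ale_after']:,.0f}, "
          f"gross saving ${r['ale_reduction']:,.0f}, net ${r['net_benefit']:,.0f}")
    print(f"Web server: SLE ${WEB_SERVER.sle:,}, ALE ${web_server_example():,.0f}")
    for s in rank_by_ale([LAPTOPS_AFTER, WEB_SERVER, LAPTOPS_BEFORE]):
        print(f"  {s.name}: ALE ${s.ale:,.0f}")
```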

Security Analysis Methodologies

  • Analyse the security of assets to assess risk, including computers, servers (HW), software (SW), network devices, and data
  • Develop and maintain vulnerabilities list
  • Security analyst monitors the list for any exploitation and takes necessary actions

Security Analysis Types

  • Analysis can be done in one of two ways:
    • Active Security Analysis
      • Tests are run on the system in question
      • Can affect the normal operation of systems, which can cause a loss in productivity
      • Examples:
        • Active Scanning: Identify open ports and hosts
        • Denial of Service (DoS) testing.
        • Penetration testing.
    • Passive security analysis
      • Servers, devices, and networks are not affected
      • Could be as simple as checking documentation (configurations, policies)
        • For example, checking an organization's documentation to find out whether there is a firewall in place
        • A missing firewall is a security vulnerability

Security Controls

  • Three basic security controls:
    • Preventative controls: controls employed before an event, preventing an incident:
      • Example: Biometrics preventing unauthorized access to a data center or RAID 1 to prevent data loss
    • Detective controls: controls used during an event that can find out whether malicious activity is occurring or has occurred
      • Example: CCTV/video surveillance, alarms, IDS, auditing
    • Corrective controls: controls used after an event that limit the extent of the damage and help the company recover from it quickly
      • Example: Tape backup, hot sites, and other fault-tolerance methods

Vulnerability Management

  • Vulnerability management is the practice of finding and mitigating vulnerabilities in computers and networks.
  • It consists of analyzing network documentation, testing computers and networks with a variety of security tools, and taking action to mitigate vulnerabilities

Steps for vulnerability management

  • Define desired state of security: Establish policies identifying the desired state of security (e.g. security checklists, device configurations)
  • Create baselines: Assess the current security state of computers, servers, network devices, and the network in general. Also known as vulnerability assessments
  • Prioritize vulnerabilities: Which vulnerabilities should take precedence? For example, an SQL injection attack on an e-commerce web site has higher priority than other types of attacks
  • Mitigate vulnerabilities: Go through the prioritized list and mitigate as many of the vulnerabilities as possible. How far to go depends on the organisation's level of risk acceptance
  • Monitor the environment: monitor the environment after the mitigation actions, and compare the results to the initial baseline. Vulnerability management is an iterative process

Penetration Testing

  • Penetration tests evaluate the security of a system by simulating real-world attacks.
  • Regular vulnerability scanning may be passive or active, whereas penetration testing is always active
  • Tests are designed to determine the impact of a threat against the target organization.

Penetration Testing (Pen Testing) Types

  • Black-box: the tester has little or no knowledge of the computer, infrastructure, or environment. This simulates external actors unfamiliar with systems
  • White-box: the tester has complete knowledge of the computer, user credentials, infrastructure, or environment; this aims to test internal actor threats

Assessing vulnerability

  • There are multiple tools and software packages that facilitate discovering vulnerabilities and performing risk assessments. Tools include:
    • Network Mapping
    • Vulnerability Scanning
    • Network Sniffing
    • Password Analysis

Network Mapping

  • Provides a study of the physical and logical network connections
  • Network mapping is a comprehensive documentation of network configurations
  • Network Topology Mapper by SolarWinds scans your computer network and generates a map for your entire network infrastructure.

Vulnerability Scanning

  • Technique that finds threats without exploiting them
  • Some examples include:
    • Full vulnerability scanner such as Nessus
    • Simple port scanner such as Nmap

Network Sniffing

  • Enables you to identify all traffic passing a network
  • Also known as protocol analysers
  • Provides more detail than vulnerability or port scanners
  • Involves capturing frames from the network adapter and displaying packets with a capture window
  • Wireshark is an example

Password Analysis

  • Passwords are often the weakest link in the chain
  • Enforcing policies for password complexity is a wise idea in combination with scanning network devices and computers for weak and vulnerable passwords utilizing password cracking tools.

Password cracking methods

  • Guessing: an educated guess based on the most common passwords.
  • Dictionary Attack: uses a prearranged list of sensible words, trying each of them one at a time.
  • Brute-force Attack: tries every possible combination of every character.
  • Cryptanalysis Attack: uses a large set of precalculated encrypted passwords held in a lookup table.
