Security Risk Management Chapter 4
116 Questions

Questions and Answers

What is the primary goal of a threat assessment?

  • To assess historical risks
  • To identify and evaluate potential threats (correct)
  • To review system documentation
  • To perform vulnerability scans

Threat assessments are performed indefinitely over time.

False (B)

What are the three impacts that threats can have on information systems?

Confidentiality, Integrity, Availability

A threat assessment evaluates the _____ of a threat's frequency.

estimate

Which technique helps ensure that data is not modified or destroyed?

Hashing (B)

Match the following terms with their definitions:

  • Threat = An activity that represents a possible danger
  • Vulnerability = A weakness that can be exploited
  • Exploit = The act of taking advantage of a vulnerability
  • Risk = The potential for loss or damage when a threat exploits a vulnerability

The success of a vulnerability assessment often relies on reviewing system logs and _____ trails.

audit

What is the primary function of an Intrusion Detection System (IDS)?

To send alerts when intrusions are detected (D)

A host-based IDS is installed on multiple systems throughout a network.

False (B)

What information is recorded when auditing is enabled on a folder?

User name, accessed file, time of access, server or computer used.

An automated system has the capability of examining logs from multiple __________.

sources

Match the following agents with their functions in a network-based IDS:

  • Agent 1 = Identifies attacks from the Internet
  • Agent 2 = Reports attacks that get through the external firewall
  • Agent 3 = Monitors attacks through the second firewall of the DMZ

What is a primary purpose of implementing fault tolerance strategies?

To ensure systems continue to operate during an outage (A)

Natural threats are primarily caused by human actions.

False (B)

Name one common threat from internal sources.

Unintentional access

A disgruntled employee could cause __________ to data if their access is not properly controlled.

corruption

Match the following threats to their categories:

  • Phishing = Human threat - Unintentional
  • Flood = Natural threat
  • Unauthorized access = Human threat - Intentional
  • Earthquake = Natural threat

Which of the following events is categorized as a natural threat?

Tornado (B)

Accidental access to data by employees poses no risk to organizations.

False (B)

What should be done with a terminated employee’s user account?

It should be deleted or disabled.

External attackers can include __________ trying to launch denial of service attacks.

hackers

How frequently are automated vulnerability scans typically performed?

Weekly (B)

Internal vulnerability assessments are conducted by personnel outside the company.

False (B)

What type of assessment is typically conducted on an annual basis to evaluate security controls?

Audit

A successful __________ attack may indicate that the system is not being updated often enough.

buffer overflow

Match the type of assessment with its description:

  • Internal assessments = Conducted by in-house security personnel
  • External assessments = Performed by outside consultants
  • Audit = Annual evaluation of security controls
  • Vulnerability scans = Automated checks for security weaknesses

Which of the following is NOT a source for documentation review during a vulnerability assessment?

User satisfaction surveys (B)

External personnel are usually less effective at quickly identifying security weaknesses than in-house staff.

False (B)

What practice is used to improve the effectiveness of vulnerability assessments?

Reviewing past assessment reports

The process of evaluating security controls includes documenting incidents and __________ reports.

outage

What is one of the steps taken during a vulnerability assessment?

Documentation review (C)

Which of the following is NOT one of the seven domains of a typical IT infrastructure?

Physical Domain (B)

Threat modeling requires understanding both hardware and software failures in a system.

True (A)

What is the first step in performing threat modeling?

Identify the assets you want to evaluate.

The seven domains of a typical IT infrastructure include the User Domain, __________ Domain, LAN Domain, and System/Application Domain.

Workstation

Match the following domains with their descriptions:

  • User Domain = Where end-users interact with systems
  • LAN Domain = Local area network environments
  • WAN Domain = Wide area network connectivity
  • Remote Access Domain = Access from external locations

What is one best practice when evaluating threats across the seven domains?

Verify that systems operate as expected (D)

Internal users cannot misuse a system.

False (B)

Name one question to ask when performing threat modeling.

Is the system susceptible to attacks?

Understanding data ______ is essential to perform effective threat assessments.

flow

Which of the following best describes asset management?

Identifying and evaluating important assets within an organization (B)

What is the main issue caused by scope creep in software development?

Increased functionality without planning (A)

Access controls testing verifies that users have more permissions than they need for their jobs.

False (B)

What is a 'right' in the context of access controls?

A right grants the authority to perform an action on a system.

Scope creep refers to the addition of functionalities that are outside the scope of the original __________ specifications.

product

What is spear-phishing?

Targeted phishing attempts from within a company (C)

Threat modeling is a straightforward process that requires minimal effort.

False (B)

What are two techniques for identifying threats?

Review historical data and perform threat modeling.

A lack of physical control over laptops often leads to ______ of hardware and compromised data.

theft

Match each type of threat with its description:

  • Forwarding viruses = Infected emails being shared unknowingly
  • Spear-phishing = Targeted email deception from known individuals
  • Lack of laptop control = Risk of theft and data compromise
  • Historical data review = Analyzing past incidents to identify threats

What is the final step in a threat assessment?

Providing a report of findings (A)

What does a threat assessment report typically include?

Findings, threats, likelihood, and identified costs.

Threat modeling requires understanding the flow of data in and out of systems.

True (A)

The seven domains of typical IT infrastructure include User Domain, Workstation Domain, LAN Domain, and __________ Domain.

WAN

Which of the following is a key question to ask when performing threat modeling?

What system are you trying to protect? (D)

Internal users are exempt from misusing the system.

False (B)

What is the primary purpose of asset management in threat modeling?

To identify and evaluate important assets.

Understanding how __________ flows in and out of systems is crucial for threat assessment.

data

What is the purpose of an audit in an organization?

To determine if policies are being followed (B)

A policy should not disable user accounts when an employee leaves an organization.

False (B)

What should be done with user accounts that have not been used for six months?

Accounts should be deleted.

The ______ analysis examines the output to determine if a vulnerability exists.

output

Match the following analysis types with their descriptions:

  • Process Analysis = Evaluates processes used to determine output
  • Output Analysis = Examines the resulting output for vulnerabilities

What tool can assist an auditor in determining enabled accounts not used recently?

Script (B)

Personnel interviews can help assess the security knowledge of employees.

True (A)

When is it acceptable to give out passwords according to a secure organization policy?

Never.

An audit may include checking for user accounts that haven't been used in the past ______ days.

15

What is one method for determining the effectiveness of a firewall?

Using process or output analysis (B)

What is the primary purpose of system logs in computer systems?

To log data based on system activities (D)

Audit trails only log successful user activities.

False (B)

Name one type of event that system logs can record.

Warnings

An audit trail attempts to log at least who, what, when, and _____ of events.

where

Which event would likely stand out immediately when reviewing system logs?

An error event (D)

Automated systems can only review a single source of audit trails at a time.

False (B)

What is a key element that an audit log typically captures when auditing is enabled?

User name

The _____ is used in Microsoft Windows to view system events.

Windows Event Viewer

Match the type of log with its function:

  • System log = Captures system start and stop events
  • Security log = Records access attempts
  • Network log = Tracks data transfer activities
  • Application log = Monitors application-specific events

Which of the following threats are categorized as human threats?

Hacking attempts (D)

Name one reason why disgruntled employees can pose a threat to data security.

They may access, modify, or corrupt the organization’s data.

Employees can accidentally delete data if they have __________ access to information they do not need.

unintentional

Match the following types of threats with their descriptions:

  • Internal threats = Include actions from employees that may be accidental or malicious
  • Natural threats = Result from weather events such as floods and earthquakes
  • External threats = Originate from outside the organization, like hackers or malware
  • Accidental threats = Caused by unintentional actions of users

Which of the following is a proactive measure to mitigate internal threats?

Employee training and access control implementation (D)

What should happen to an employee's user account after termination?

It should be deleted or disabled.

What type of Intrusion Detection System (IDS) is installed on a single system?

Host-based IDS (B)

An intrusion detection system can only monitor and cannot alert users.

False (B)

What information is included in an audit trail when file access is recorded?

user name, accessed file, time of access, and server or computer

A network-based IDS has several monitoring agents installed throughout the __________.

network

Match the agents in a network-based IDS with their respective functions:

  • Agent 1 = Identifies attacks launched from the Internet
  • Agent 2 = Detects successful attacks that penetrate the external firewall
  • Agent 3 = Shows attacks that manage to pass through the DMZ's second firewall

What is the primary focus of a vulnerability assessment?

Identifying existing vulnerabilities (D)

Internal human threats pose no risk to data integrity.

False (B)

What principle ensures that users have only the access they need to perform their job?

Principle of least privilege

Failure to implement access controls can make an entire network vulnerable, leading to unauthorized ______ of data.

disclosure

Match the type of threat with its example:

  • Natural Threat = Earthquake causing data center damage
  • Internal Human Threat = Disgruntled employee leaking information
  • External Human Threat = Hacker attempting to breach network
  • Natural Disaster = Flood impacting physical infrastructure

Which of the following describes social engineering in the context of security vulnerabilities?

Manipulating individuals to reveal confidential information (A)

A buffer overflow attack can be reported as an internal human threat.

False (B)

What is one method to minimize human-related vulnerabilities?

User training and awareness

A ______ is a process conducted to evaluate the effectiveness of an organization's security controls.

vulnerability assessment

All users having the same rights and permissions for a network enhances security.

False (B)

Understanding how data flows in and out of systems is essential for effective threat assessments.

True (A)

List one of the seven domains of a typical IT infrastructure.

User Domain

When performing threat assessments, it’s important to understand the system or application you’re ______.

evaluating

Match the following best practices to their descriptions:

  • Verify system operations = Ensure the system is functioning as intended
  • Limit the scope of assessment = Focus on one domain at a time
  • Interview experts = Gain insights from knowledgeable individuals
  • Review documentation = Understand system configuration and data flow

Who could be potential adversaries when performing threat modeling?

Both internal and external parties (B)

A successful threat assessment does not require an understanding of hardware or software failures.

False (B)

An excellent starting point for threat modeling is to use the _____ of a typical IT infrastructure.

seven domains

What is one key question to ask when performing threat modeling?

Is the system susceptible to attacks?

An audit trail can only be recorded in security logs.

False (B)

What information does an automated system have the capability of examining in audit trails?

Logs from multiple sources

Windows systems use the Event Viewer to view the _____ log.

System

Match the following types of logs with their functions:

  • System Log = Records system events such as errors and warnings
  • Security Log = Tracks auditable events like user access
  • Firewall Log = Monitors network traffic and access attempts
  • Application Log = Logs application-specific events and errors

What type of information is typically recorded in an audit log?

Who accessed what, when, and where (B)

System logs are primarily concerned with monitoring user behavior.

False (B)

What is one advantage of using automated systems for reviewing audit trails?

Efficiency in analyzing multiple logs

An audit trail attempts to log at least _____ elements: who, what, when, and where.

four

Which of the following statements about audit trails is true?

They can help identify unauthorized access to data. (B)

Flashcards

What is a threat assessment?

A threat assessment identifies and evaluates potential threats. The goal is to identify as many threats as possible, evaluate their frequency, and assess the potential impact.

When is a threat assessment performed?

A threat assessment is performed for a specific time, evaluating current threats within the existing environment.

What is a threat?

A threat is any activity that represents a possible danger to confidentiality, integrity, or availability of data or systems.

How does a threat impact confidentiality?

Confidentiality refers to unauthorized disclosure of data. Techniques like access controls and encryption help protect confidentiality.

How does a threat impact integrity?

Integrity refers to modification or destruction of data. Access controls and hashing techniques help protect integrity.

How does a threat impact availability?

System availability refers to the ability to access services or systems. Threats can disrupt availability, making systems inaccessible.

How do access controls and encryption protect confidentiality?

Access controls limit who can access data, while encryption scrambles data to make it unreadable without a key. Both help protect confidentiality.

Auditable Event

Any event that you want to track, such as a file access or a login attempt. It usually records information about the user, the action performed, and the time and location of the event.

Intrusion Detection System (IDS)

A system that monitors network traffic for suspicious activity and alerts administrators when a potential intrusion is detected.

Host-Based IDS

An IDS that is installed on a single computer. It protects that specific system from attacks.

Network-Based IDS

An IDS that is installed across an entire network. It has agents deployed at various points to cover wider areas.

Demilitarized Zone (DMZ)

A monitored area that is exposed to the internet, typically used for web servers and external applications.

Fault tolerance strategies

Strategies that ensure systems and services keep running even if a part fails.

Data backup

Creating copies of data to restore it if it gets lost or damaged.

Threat assessment

Assessing potential threats to an organization, classifying them as human or natural, and analyzing their impact.

Human threats

Threats caused by individuals, either intentionally or unintentionally.

Natural threats

Threats originating from natural events, like storms, earthquakes, or fires.

Internal threats

Employees who intentionally or unintentionally cause harm to their organization.

Disgruntled ex-employees

Employees who leave their jobs and may pose a risk to the organization's security.

Denial of service (DoS) attacks

Attacks designed to overwhelm a network with traffic and make it unavailable.

Malware

Malicious software designed to gain unauthorized access, modify or corrupt data, or cause harm to systems.

Threat Modeling

The process of identifying, analyzing, and mitigating potential threats to valuable assets within an organization's IT infrastructure.

Assets

Items crucial to an organization's operations, including data, systems, and applications.

Seven Domains of a Typical IT Infrastructure

The seven primary divisions of a typical IT infrastructure, used to guide threat modeling assessments by covering all potential attack vectors.

User Domain

The domain encompassing users, their workstations, and the local network.

LAN Domain

The domain encompassing the network connecting workstations and servers within a single location.

LAN-to-WAN Domain

The domain encompassing the connection between a local network and a larger external network, often the internet.

WAN Domain

The domain encompassing the network connecting computers and systems across geographically dispersed locations.

System/Application Domain

The domain encompassing systems and applications that run on servers and other network devices.

Remote Access Domain

The domain encompassing the mechanisms by which users remotely access the organization's network.

Automated Vulnerability Scans

Regularly checking systems for weaknesses using automated tools.

Security Audits

A formal examination of security controls to ensure they are working as intended.

Social Engineering Tests

Tests designed to evaluate how well personnel respond to social engineering attempts.

Internal Vulnerability Assessments

Vulnerability assessments performed by internal security professionals within the organization.

External Vulnerability Assessments

Vulnerability assessments conducted by external security consultants hired by the organization.

Documentation Review in VA

Examining existing documentation to identify potential vulnerabilities, such as incident reports, outage reports and prior assessment reports.

Log Analysis in VA

Analyzing system logs, audit trails, and intrusion detection system outputs to find patterns and potential vulnerabilities.

Vulnerability Scanning in VA

Using security assessment tools to actively scan systems for vulnerabilities and identify potential weaknesses.

Audits and Personnel Interviews in VA

Formal assessments of security controls using interviews and questionnaires to see if policies are being followed.

Process Analysis in VA

Analyzing how processes and workflows are executed to identify potential vulnerabilities and improve security measures.

Spear-phishing

A targeted phishing attempt that appears to originate from a legitimate source within the company.

Reviewing Historical Data

Examining past incidents and security breaches to identify recurring patterns and vulnerabilities.

Threat Assessment Report

A report summarizing the findings of a threat assessment, including identified threats, their likelihood, and potential costs.

What is Threat Modeling?

The process of identifying, analyzing, and mitigating potential threats to valuable assets within an organization's IT infrastructure.

What are the Seven Domains of IT Infrastructure?

The seven primary divisions of a typical IT infrastructure, used to guide threat modeling assessments by covering all potential attack vectors.

What is Asset Management in Threat Modeling?

Identifying critical assets that are important to an organization, including their value. This helps prioritize security efforts.

What are the Key Questions for Performing Threat Modeling?

Asking questions to understand and analyze potential threats. This involves identifying the system, potential attackers, attack methods, and user vulnerabilities.

What are Best Practices for Threat Assessments Within the Seven Domains?

Verifying that systems operate as intended and limiting the scope of the assessment to a single domain at a time. This makes the process manageable and efficient.

What is the User Domain?

The domain encompassing users, their workstations, and the local network. This includes threats related to user behavior, device vulnerabilities, and local network security.

What is the LAN Domain?

The domain encompassing the network connecting workstations and servers within a single location. This involves threats related to network devices, access control, and data integrity.

What is the LAN-to-WAN Domain?

The domain encompassing the connection between a local network and a larger external network, often the internet. This involves threats related to firewalls, network security, and external access.

What is the WAN Domain?

The domain encompassing the network connecting computers and systems across geographically dispersed locations. This involves threats related to network security, communication protocols, and secure data transmission.

What are system logs?

System logs are records of activities happening on a computer system, such as program start-up, errors, and warnings.

What are audit trails?

Audit trails are records of specific and usually security-related events, often answering who, what, when, and where.

What is an Intrusion Detection System (IDS)?

An Intrusion Detection System (IDS) monitors network traffic for suspicious activities and alerts administrators when a potential threat is detected.

Why are system logs, audit trails, and IDS reports important?

System logs, audit trails, and IDS reports all provide valuable information about system events and potential security vulnerabilities.

What is the 'System' log in Windows?

Microsoft Windows systems have a log called 'System' that records system events like start-ups, shutdowns, errors, and warnings.

What are audit logs used for?

Audit logs record events that you want to track, such as file accesses, user logins, and system modifications. They help identify who did what, when, and where.

What are IDS outputs?

Intrusion Detection System (IDS) outputs provide detailed information about potential intrusions and suspicious network traffic.

How are system logs, audit trails, and IDS outputs used?

Organizations often use automated systems to analyze system logs, audit trails, and IDS outputs, searching for patterns and anomalies that indicate potential problems.

What can you find by reviewing logs, audit trails, and IDS outputs?

Reviewing logs, audit trails, and IDS outputs helps to identify potential problems, trends, and patterns of suspicious activities.

How can analyzing log data help improve security?

Analyzing reports from these systems can help identify vulnerabilities and potential threats, allowing you to improve your security posture.

Functionality Testing

Functionality testing ensures that a software product meets its intended functions and specifications. It helps prevent scope creep, where unintended features are added, potentially causing security risks.

Access Controls Testing

Access controls testing verifies user rights and permissions, making sure users can only access resources they need for their job. It aligns with the security principles of least privilege and need to know.

Scope Creep

Scope creep is where additional features are added to a project outside the pre-defined specifications. It can lead to security risks as these additional features weren't initially designed or tested.

Rights vs. Permissions

A "right" allows a user to perform a specific action within a system, while a "permission" grants access to resources like files or printers.

Administrative Models

Administrative models define the rights and permissions users are granted based on their roles. This ensures that users have appropriate access for their jobs but no more.

What is a security audit?

An audit checks if an organization follows its own security policies. This can involve verifying things like account disablement after employee departure or checking for inactive accounts.

What's the difference between process analysis and output analysis in security?

Process analysis focuses on how security controls are implemented, examining the steps involved in a process. Output analysis, on the other hand, looks at the results of the process to see if it's working effectively.

Explain process and output analysis with a firewall example.

Process analysis examines the rules and steps used to implement a security control, providing a detailed understanding of how it works. Output analysis focuses on the results, such as logs and firewall activity, to determine if the desired security outcome is achieved.

How can scripting be used in security audits?

Security audits can be automated using scripts, which check for specific security conditions. For example, finding accounts that haven't been used for a long time, which may indicate a security risk.

What are personnel interviews used for in security assessments?

Personnel interviews can be used to assess security awareness among employees by asking questions related to password security and other best practices.

What is a common password security policy?

A secure organization will have a policy in place prohibiting employees from sharing their passwords with anyone.

What are vulnerability scans and why are they important?

Vulnerability scans are automated tools that help identify potential security weaknesses in systems and networks. These scans look for common vulnerabilities and misconfigurations.

What is the purpose of a security audit?

Security audits are formal examinations of an organization's security controls to ensure they are working as intended. These audits involve reviewing policies, procedures, and technologies.

Why is process analysis sometimes preferred over output analysis?

Process analysis is particularly useful in identifying vulnerabilities that may not be immediately visible by looking only at output. It allows for a deeper understanding of how processes could be exploited.

When should process analysis and output analysis be used?

Both process and output analysis are valuable tools for assessing security controls. The choice between them depends on the specific security objective and the nature of the system being analyzed.

What are internal threats?

Internal threats involve employees who intentionally or unintentionally cause harm to their organization, such as disgruntled ex-employees or employees whose access is not properly controlled.

What are external threats?

External threats involve attackers outside the organization, including hackers launching denial-of-service (DoS) attacks, malware writers targeting data, and even terrorists.

What are natural threats?

Natural threats are caused by weather events or other non-manmade events, such as floods, earthquakes, tornadoes, fires, and electrical storms.

Why are disgruntled ex-employees a threat?

Disgruntled ex-employees pose a significant security threat: if their credentials were not revoked, they may still have access to sensitive data and systems, and they can misuse those credentials or pass them on to others.

What are access controls, and why are they important?

Access controls are essential to prevent unauthorized access to data. They create rules determining who can access what information based on their role and need-to-know.

What are the principles of least-privilege and need-to-know?

Least-privilege and need-to-know principles are essential security practices. Least privilege minimizes access, only granting users the permissions necessary for their job, while need-to-know restricts access to only the data required for a user’s role.

Why is asset management important in threat modeling?

Asset management in threat modeling involves identifying critical assets that are important to an organization, including their value. This helps prioritize security efforts.

What key questions should you ask when performing threat modeling?

Threat modeling relies on understanding the system you are trying to protect, potential attackers, their attack methods, user vulnerabilities, and the system's susceptibility to failures. By asking key questions, you can better identify and analyze potential threats.

What are some best practices for threat assessments within the Seven Domains?

Some best practices for threat assessments within the seven domains include verifying that systems operate as expected and limiting the scope of the assessment to a single domain at a time. This makes the process manageable and efficient.

What is the User Domain in IT Infrastructure?

The User Domain encompasses users, their workstations, and the local network, including threats related to user behavior, device vulnerabilities, and local network security.

What is the LAN Domain in IT Infrastructure?

The LAN Domain comprises the network connecting workstations and servers within a single location, involving threats related to network devices, access control, and data integrity.

What is the LAN-to-WAN Domain in IT Infrastructure?

The LAN-to-WAN Domain connects a local network to a larger external network, often the internet. This involves threats related to firewalls, securing external access, and maintaining network integrity.

What is the WAN Domain in IT Infrastructure?

The WAN Domain handles the connection between computers and systems across geographically diverse locations. It involves threats related to network security, communication protocols, and ensuring secure data transmission.

What is a vulnerability assessment?

A vulnerability assessment (VA) is a process of identifying any weaknesses in an organization's IT infrastructure, including servers, networks, and personnel.

What is a buffer overflow attack?

A buffer overflow attack happens when data exceeding the allocated memory space of a program is entered, potentially allowing malicious code execution.

What are access controls?

Access controls are rules that limit user access to specific resources based on their role or permissions.

What is the principle of least privilege?

The principle of least privilege means that users should only have access to the information and resources they need for their job, and no more.

What is social engineering?

Social engineering is a technique used by attackers to manipulate people into revealing sensitive information or performing actions that compromise security.

Who or what can be assessed in a vulnerability assessment?

A vulnerability assessment can be performed for a single server, an entire network, or even personnel, as vulnerabilities can exist in various aspects of IT systems and human processes.

What is the 'need to know' principle?

A 'need to know' principle means that users should only have access to information that is directly relevant to their work.

What are administrative models?

Administrative models are structures that define user roles and permissions, ensuring that users have the appropriate access for their job function.

How can personnel be vulnerable?

Vulnerabilities exist with personnel if they are not aware of security practices or are susceptible to social engineering tactics.

Why are vulnerability assessments performed?

Vulnerability assessments are performed to identify any potential weaknesses within an IT infrastructure, such as buffer overflows, improper access controls, or lack of security awareness among personnel.

What are auditable events?

Auditable events are actions within a system that are recorded and tracked for security purposes. This includes activities like file access, login attempts, and system changes.

What does an Intrusion Detection System (IDS) do?

An intrusion detection system (IDS) actively monitors network traffic and system activity for malicious patterns. When a potential threat is detected, the IDS alerts administrators.

What's the difference between a Host-Based IDS and a Network-Based IDS?

Host-based IDS is installed directly on a single device, protecting that specific computer from attacks. Network-based IDS, on the other hand, has agents deployed across a network to monitor a wider area.

What is a Demilitarized Zone (DMZ) in network security?

A demilitarized zone (DMZ) acts as a buffer zone between the public internet and a private network. It's used to house servers that need to be accessible externally, like web servers, while still protecting the internal network.

Why is analyzing intrusion detection system (IDS) outputs important?

By analyzing IDS outputs, administrators gain valuable insights into the nature of attacks against the network. They can see what types of attacks are being launched, how effective the defenses are, and what vulnerabilities exist.

Study Notes

Security Risk Management and Ethics

  • Chapter Four focuses on identifying and analyzing threats, vulnerabilities, and exploits.
  • The chapter covers threat assessments, vulnerability assessments, and exploit assessments.
  • The goals of the chapter include describing threat identification techniques, listing best practices for threat assessments across the seven IT infrastructure domains, and explaining the value of reviewing documentation and system logs for vulnerability assessment.
  • Identifying tools for vulnerability scans, best practices for vulnerability assessments, and identifying exploits throughout the seven domains of a typical IT infrastructure are also goals.

Threat Assessments

  • A threat assessment identifies and evaluates potential threats.
  • The goal is to identify as many potential threats as possible and then evaluate each threat to determine likelihood of occurrence.
  • The frequency of a threat is important.
  • A threat assessment is conducted at a specific point in time, as risks can change.
  • The assessment considers existing threats in the current environment.

Threat Assessments (Continued)

  • Threats represent potential dangers (human actions, environmental factors, and external threats).
  • Impacts on confidentiality (unauthorized disclosure), integrity (modification or destruction of data), and availability (service or system unavailability) are considered.
  • Human threats can be internal (e.g., disgruntled employees) or external (e.g., hackers, malware writers, terrorists).
  • Natural threats include various weather events (floods, earthquakes, tornadoes, storms) and fires.
  • Employee actions (malicious or accidental) can compromise data.
  • Unintentional access, data deletion, and forwarding of viruses are internal threats.
  • Lack of laptop security control (theft and data compromise) is an internal threat.
  • External actors can launch denial-of-service (DoS) attacks, create malware, and attempt to access, modify, or corrupt organizational data. Terrorists can also launch attacks.

The Top Threats are Internal

  • Internal threats can be unintentional (e.g., accidental access or data deletion) or malicious (e.g., disgruntled employee actions).
  • Access controls, authentication processes, and least-privilege and need-to-know policies are crucial components to minimize the threat of unintentional or malicious user activity.
  • Ex-employee access accounts should be disabled or deleted post-termination to prevent unauthorized access.
  • Phishing attempts, often sophisticated, can target specific companies and trick users, appearing as if they originate from within the company.
  • Virus forwarding (inadvertent sharing of malicious emails), and lack of laptop security (theft and data compromise) are internal threats.

Threat Assessments (Continued)

  • Historical data analysis and threat modeling are fundamental to identifying potential threats.
  • Historical data analysis includes reviewing previous incidents in an organization, similar organizations, and the local area (including weather events) to determine threats from various sources.
  • Different types of historical/organizational data can be examined, including security records, insurance claims, troubleshooting records, and employee interviews.

Threat Modeling

  • Threat modeling is a method for evaluating and documenting security risks within applications or systems.
  • This process should ideally occur before application development or system deployment to avoid scope creep.

Threat Modeling (Continued)

  • It's essential during the initial stages of a system's life-cycle to identify valuable assets, which helps to develop appropriate security measures.
  • The seven domains of IT infrastructure (User, Workstation, LAN, LAN-to-WAN, WAN, Remote Access, and System/Application) are important in threat modeling analysis.

Vulnerability Assessments

  • A vulnerability assessment (VA) is performed to identify weaknesses within an IT infrastructure, whether in a specific server, in the network itself, or in the personnel involved.
  • These weaknesses may lead to security violations.
  • Vulnerabilities can exist at the personnel, network, or specific server level.

Vulnerability Assessments (Continued)

  • Vulnerabilities exist if access controls are not properly implemented or security awareness is lacking in personnel or processes.
  • Social engineering tactics (misinformation or manipulation to gain access to sensitive data) also create vulnerabilities.
  • Regular assessments are recommended to detect emerging or recurring vulnerabilities.

Vulnerability Assessment (Continued)

  • Automated scans (e.g., Nmap, Nessus, SATAN, SAINT) are important to quickly identify vulnerabilities.
  • Audits and personnel interviews help to check for policy compliance and security knowledge.
  • Policies related to employee departures (disabling/deleting user accounts after they leave) are also checked as part of the audit processes.
  • Process and output analysis are used to identify inherent vulnerabilities.
  • System testing is important to discover vulnerabilities related to patches and updates of operational systems or programs.
  • Functionality testing will evaluate the adherence to the initial specifications.
  • Access controls testing verifies that user permissions and privileges are in accordance with the organization's policies. This also includes restricting access by department, typically by grouping employees.

Vulnerability Assessment (Continued)

  • Penetration testing is another method to test and uncover vulnerabilities.
  • The goal is to evaluate how effective the security controls are against specific known vulnerabilities. A penetration test checks those controls from inside the network, from outside it, and from a DMZ.
  • Appropriate and detailed documentation of results must occur for compliance and improvement.

Best Practices: Vulnerability Assessments

  • Maintaining up-to-date vulnerability scanners enhances the success of assessments.
  • Performing internal and external checks helps in detecting vulnerabilities from various locations (within a network or outside), and from a DMZ.
  • Documenting vulnerability assessment results is crucial for tracking progress, compliance, reporting, and security improvements.

Documentation Review

  • Documentation review includes reviewing incident reports, outage reports, and past assessment reports.
  • It helps identify vulnerabilities, common problems, and areas needing improvements and correction.

Review of System Logs, Audit Trails, and Intrusion Detection System Outputs

  • System logs, audit trails, and intrusion detection system (IDS) outputs provide information for vulnerability discovery.
  • Auditing of events (actions) provides detailed information on who accessed, what was accessed, when, and where. This may include who attempted to log in to a resource or what files were accessed.
  • An IDS detects intrusions and alerts administrators to security issues.
  • Events from an intrusion detection system (IDS) can detail attack patterns launched against a network. Attacks from a DMZ, the Internet, and internal networks can be identified.
  • IDSs usually consist of multiple agents, often one outside a firewall, one within a DMZ, and one within the internal network.

Other Assessment Tools

  • Review historical data, perform threat modeling, and use assessment tools (including Nmap, Nessus, SATAN, and SAINT) to identify and respond to threats and vulnerabilities.

Description

This quiz covers Chapter Four of Security Risk Management, which focuses on identifying and analyzing threats, vulnerabilities, and exploits. It discusses assessment techniques, best practices, and the importance of documentation and system logs in the assessment process. Test your knowledge on threat assessments across various IT infrastructure domains.