Professional Documents
Culture Documents
CompTIA Security+
Get Certified Get Ahead
By Darril Gibson
• Threats Exploits
Vulnerability
– Potential danger Resulting in
• Impact Loss
– Magnitude of harm
GetCertifiedGetAhead.com © 2017 YCDA, LLC
Threat
• Event that compromises confidentiality,
integrity, or availability
threats Exploits
Vulnerability
• Accidental human Resulting in
threats Loss
• Environmental threats
GetCertifiedGetAhead.com © 2017 YCDA, LLC
Threat
• Event that compromises confidentiality,
integrity, or availability
• Manmade Threat
• Internal Exploits
Vulnerability
• External Resulting in
Loss
• Attempts to identify:
– Potential threats Threat
• Quantitative
– Uses specific monetary amounts $$$
to identify cost and asset values
• Qualitative
– Uses judgment to categorize risks based on probability and
impact
GetCertifiedGetAhead.com © 2017 YCDA, LLC
Quantitative Risk Assessment
• SLE (single loss expectancy)
– Cost of any single loss
• Results valuable
– Help organization evaluate threats and
vulnerabilities
– Should be protected
– Only accessible to management and security
professionals
• False negative
– Vulnerability exists
– But the scan did not detect it
• Obtaining authorization
– A penetration test can cause system instability
– Without consent you may be perceived as an attacker
• Pivot
– Use exploited system to exploit other systems
• Persistence
– Take steps to retain presence on network
GetCertifiedGetAhead.com © 2017 YCDA, LLC
Penetration Testing
• Black box testing
– Testers have zero knowledge of
the environment prior to the test
– Often use fuzzing Documentation
source code
• White box testing login details
• Penetration testing
– Intrusive and active
– Can potentially compromise a system
GetCertifiedGetAhead.com © 2017 YCDA, LLC
Exploitation Frameworks
• Metasploit Framework
• Nmap
Demo
• Netcat
• Labs http://gcgapremium.com/501labs/