
Chapter 8

Using Risk Management Tools

CompTIA Security+
Get Certified Get Ahead
By Darril Gibson

GetCertifiedGetAhead.com © 2017 YCDA, LLC


Introduction
• Understanding risk management

• Comparing scanning and testing tools

• Using security tools



Understanding Risk Management
• Risk
– Likelihood that a threat will exploit a vulnerability
• Vulnerabilities
– Weaknesses
• Threats
– Potential danger
• Impact
– Magnitude of harm
[Diagram: Threat → exploits → Vulnerability → resulting in → Loss]
Threat
• Event that compromises confidentiality, integrity, or availability
• Malicious human threats
• Accidental human threats
• Environmental threats
Threat
• Event that compromises confidentiality, integrity, or availability
• Manmade
• Internal
• External


Threat Assessment
• Helps identify and organize threats
• Attempts to identify:
– Potential threats
– Likelihood of threat (priority)
– Potential impact
– Security controls


Vulnerabilities
• Flaw or weakness (in software, hardware, or process)
– Lack of updates
– Default configurations
– Lack of up-to-date malware protection
– No firewall
– Lack of organizational policies


Risk Management
• Practice of identifying, monitoring, and limiting risks to a manageable level
• Cannot eliminate risks
• Amount of risk that remains after managing risk is residual risk


Risk Response Techniques
• Avoid: Do not participate in the risky activity.
• Transfer: Outsource or purchase insurance. Sometimes referred to as sharing risk.
• Mitigate: Implement controls to reduce risks. Antimalware reduces the risk from malware.
• Accept: Use if the cost of the control is greater than the benefit. Remaining risk is residual risk.


Risk Assessments
• First steps
– Identify assets and asset value
• Quantitative
– Uses specific monetary amounts to identify cost and asset values
• Qualitative
– Uses judgment to categorize risks based on probability and impact
Quantitative Risk Assessment
• SLE (single loss expectancy)
– Cost of any single loss
• ARO (annual rate of occurrence)
– How many times the loss will occur annually
• ALE (annual loss expectancy)
– SLE × ARO
Quantitative Risk Assessment
• Laptop cost $2,000
• Employees lose one a month
• What is SLE? SLE = $2,000
• What is ARO? ARO = 12
• What is ALE? ALE = $24,000



Quantitative Risk Assessment
• Formulas
– ALE = SLE × ARO
– ARO = ALE / SLE
– SLE = ALE / ARO



Qualitative Risk Assessment
• Likelihood of occurrence
– Probability that an event will occur
– Probability that a threat will attempt to exploit a vulnerability
• Impact
– Magnitude of harm resulting from a risk
– Negative result of the event
– Loss of confidentiality, integrity, or availability of a system or data
Qualitative Risk Assessment
• Web server selling products on the Internet
– Probability of being attacked: High (10)
– Impact: High (10)
– Risk score: 10 × 10 = 100
• Library computer
– Probability of being attacked: Low (1)
– Impact: Low (1)
– Risk score: 1 × 1 = 1
Risk Assessments
• Documenting the assessment

• Results valuable
– Help organization evaluate threats and
vulnerabilities
– Should be protected
– Only accessible to management and security
professionals



Risk Register
• A record of information on identified risks
• A repository of information on risks
• Often recorded in a table with columns such as:
– Category
– Specific risk
– Likelihood
– Impact
– Risk score
– Security controls
– Contingencies
– Risk score (with controls)
– Action assigned to
– Action deadline
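The quantitative figures (SLE × ARO), the qualitative probability × impact score, the accept-or-mitigate decision from the risk response slide and the risk register columns fit together in one small calculator. This is an added example, not from the book or the slides; the control cost and the with-controls ratings are assumed figures used only for illustration.

```python
from dataclasses import dataclass

def ale(sle: float, aro: float) -> float:
    """Annual loss expectancy: SLE x ARO. ARO = ALE / SLE and SLE = ALE / ARO follow."""
    return sle * aro

def risk_score(likelihood: int, impact: int) -> int:
    """Qualitative score on the slides' 1..10 scales: probability x impact."""
    if not (1 <= likelihood <= 10 and 1 <= impact <= 10):
        raise ValueError("likelihood and impact are rated 1..10")
    return likelihood * impact

def response(ale_before: float, ale_after: float, annual_control_cost: float) -> str:
    """Accept when the control costs more than the loss it avoids; otherwise mitigate."""
    benefit = ale_before - ale_after
    return "accept" if annual_control_cost > benefit else "mitigate"

@dataclass
class RiskRegisterEntry:
    """One row with the columns the Risk Register slide lists."""
    category: str
    specific_risk: str
    likelihood: int
    impact: int
    security_controls: str
    contingencies: str
    likelihood_with_controls: int
    impact_with_controls: int
    action_assigned_to: str
    action_deadline: str

    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    def score_with_controls(self) -> int:
        return risk_score(self.likelihood_with_controls, self.impact_with_controls)

# Figures from the slides: $2,000 laptops, one lost every month.
LAPTOP_ALE = ale(2000, 12)                 # 24000
# Assumed control (not from the slides): cable locks and disk encryption at $5,000 a
# year, expected to cut the losses to two laptops a year.
LAPTOP_ALE_WITH_CONTROL = ale(2000, 2)     # 4000
LAPTOP_RESPONSE = response(LAPTOP_ALE, LAPTOP_ALE_WITH_CONTROL, 5000)  # "mitigate"

# Register row for the slides' web server; the with-controls ratings are assumed.
WEB_SERVER = RiskRegisterEntry("Web", "Internet-facing sales server attacked", 10, 10,
                               "Patching, hardening, web application firewall",
                               "Fail over to standby site", 5, 6, "Web team lead", "2017-06-30")
```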
Supply Chain Assessment
• Supply chain
– Materials
– All the processes required to create and distribute a product
• Assessment evaluates these elements
– Identifies risks such as single point of failure


Checking for Vulnerabilities
• Determines the security posture of a system
• Identifies vulnerabilities and weaknesses
• Process:
– Identify assets and capabilities
– Prioritize assets based on value
– Identify vulnerabilities and prioritize them
– Recommend controls to mitigate serious vulnerabilities


Checking for Vulnerabilities
• Password cracker
– Attempts to discover passwords
MD5 Hash: 161ebd7d45089b3446ee4e0d86dbcf92
Password: P@ssw0rd
– Offline password cracker
– Online password cracker



Checking for Vulnerabilities
• Network scanner
– Nmap, Netcat, Nessus
– Ping scan
– ARP ping scan
– SYN stealth scan
– Service scan
– OS detection


Zenmap (screenshot)


Checking for Vulnerabilities
• Wireless scanners
• Rogue system detection



Checking for Vulnerabilities
• Banner grabbing
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>501 Method Not Implemented</title></head><body>
<h1>Method Not Implemented</h1>
<p>GET to /index.html not supported.<br /></p>
<p>Additionally, a 404 Not Found error was encountered.</p><hr>
<address>Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.0-fips
mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Server at 72.52.230.233 Port 80
</address>
</body></html>
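Defenders read the same banner to inventory what a host advertises and to check whether the server signature has been trimmed. The parser below is an added example, not part of the slides; it works on the error page shown above with the IP replaced by a documentation address, and the hardened variant assumes Apache's `ServerTokens Prod` setting.

```python
import re

# Copy of the Apache error page shown on the slide (constructed sample; the real IP is
# replaced with the documentation address 192.0.2.10).
BANNER = """<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>501 Method Not Implemented</title></head><body>
<h1>Method Not Implemented</h1>
<p>GET to /index.html not supported.<br /></p>
<p>Additionally, a 404 Not Found error was encountered.</p><hr>
<address>Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.0-fips
mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Server at 192.0.2.10 Port 80
</address>
</body></html>"""

# Same page as served with "ServerTokens Prod" (constructed): only the product name remains.
HARDENED_BANNER = BANNER.replace(
    BANNER[BANNER.index("<address>"):BANNER.index("</address>")],
    "<address>Apache Server at 192.0.2.10 Port 80\n")

PRODUCT_RE = re.compile(r"\b([A-Za-z][\w.-]*)/(\d[\w.-]*)")
HOST_RE = re.compile(r"Server at (\S+) Port (\d+)")

def server_signature(page: str) -> str:
    """Return the text inside <address>...</address>, or '' if the page has none."""
    m = re.search(r"<address>(.*?)</address>", page, re.S)
    return m.group(1) if m else ""

def extract_versions(page: str) -> dict:
    """Map each advertised component (Apache, mod_ssl, OpenSSL, ...) to its version."""
    return dict(PRODUCT_RE.findall(server_signature(page)))

def findings(page: str) -> list:
    """Defender-side summary: what the banner gives away about this host."""
    out = []
    host = HOST_RE.search(server_signature(page))
    if host:
        out.append(f"host {host.group(1)} listening on port {host.group(2)}")
    versions = extract_versions(page)
    if versions:
        out.append("version disclosure: " + ", ".join(
            f"{name} {ver}" for name, ver in sorted(versions.items())))
    return out
```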



Vulnerability Scanning
• Identify vulnerabilities and misconfigurations
– Open ports
– Weak passwords
– Default accounts
– Sensitive data
– Security and configuration errors



Vulnerability Scanning
• Passively test security controls
– Does not exploit vulnerabilities
• Identify lack of security controls
– Systems without patches
– Systems without antivirus software


Vulnerability Scanning
• False positive
– Scan detected a vulnerability
– But the vulnerability doesn’t actually exist

• False negative
– Vulnerability exists
– But the scan did not detect it



Vulnerability Scanning
• Credentialed scan
• Non-credentialed scan
• Configuration compliance scans

• Obtaining authorization
– A penetration test can cause system instability
– Without consent you may be perceived as an attacker



Penetration Testing
• Assesses deployed security controls
• Determine the impact of a threat
• Starts with passive reconnaissance (such as a vulnerability scan)
• Follows with attempt to exploit vulnerabilities


Penetration Testing
• Passive reconnaissance
– Collects information
– Often uses open-source intelligence
• Active reconnaissance
– Uses tools to gather information
– Typically includes vulnerability and network scans
• Initial exploitation
– Exploits vulnerabilities
Penetration Testing
• Escalation of privilege
– Attempts to gain additional privileges

• Pivot
– Use exploited system to exploit other systems

• Persistence
– Take steps to retain presence on network
Penetration Testing
• Black box testing
– Testers have zero knowledge of the environment prior to the test
– Often use fuzzing
• White box testing
– Testers have full knowledge of the environment (documentation, source code, login details)
• Gray box testing
– Testers have some knowledge of the environment (some information)
Comparisons
• Vulnerability scanning
– Nonintrusive and passive
– Little impact on a system during a test
– Probes systems to identify vulnerabilities
– Does not take action to exploit vulnerabilities

• Penetration testing
– Intrusive and active
– Can potentially compromise a system
Exploitation Frameworks
• Metasploit Framework
• BeEF (Browser Exploitation Framework)
• w3af (Web Application Attack and Audit Framework)


Using Security Tools
• Protocol analyzer (sniffer)
– Capture, display, and analyze packets sent over a network
– Can examine IP headers
• View protocols, flags, source and destination info
– Useful when troubleshooting communication problems
– Useful to detect manipulated or fragmented packets
– Can view unencrypted network traffic, including passwords sent in clear text
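Decoding the IP header is what a protocol analyzer does for every packet. The added example below (not from the slides) does it by hand with `struct` on constructed headers, showing protocol, flags, fragment offset and addresses, plus the checks that surface fragmented or manipulated packets; the `build_ipv4_header` helper exists only to construct sample input.

```python
import struct
from ipaddress import IPv4Address

def ipv4_checksum(header: bytes) -> int:
    """Ones-complement sum of 16-bit words; a header carrying a valid checksum sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the fields an analyzer displays: protocol, flags, fragment offset, addresses."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not an IPv4 header")
    flags = flags_frag >> 13          # bits: reserved, DF (don't fragment), MF (more fragments)
    return {
        "total_len": total_len, "id": ident, "ttl": ttl,
        "protocol": {1: "ICMP", 6: "TCP", 17: "UDP"}.get(proto, str(proto)),
        "reserved": bool(flags & 4), "df": bool(flags & 2), "mf": bool(flags & 1),
        "frag_offset": (flags_frag & 0x1FFF) * 8,
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
    }

def anomalies(h: dict) -> list:
    """Signs of fragmented or manipulated packets worth a closer look in a capture."""
    checks = [(h["mf"] or h["frag_offset"], "fragmented"),
              (h["reserved"], "reserved flag bit set"),
              (h["df"] and h["mf"], "DF and MF both set"),
              (not h["checksum_ok"], "header checksum mismatch")]
    return [label for hit, label in checks if hit]

def build_ipv4_header(src, dst, proto=6, flags=0b010, frag_offset=0, ttl=64, ident=0x1234):
    """Constructs a 20-byte header with a correct checksum (sample input, not captured traffic)."""
    flags_frag = (flags << 13) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, ident, flags_frag, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
```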



Wireshark (screenshot)


Command-Line Tools
• Tcpdump
• Nmap
• Netcat


Monitoring Logs
• Operating system logs
– Continuously record information that can be useful in troubleshooting and gaining information
– Application log
– System log
– Security log
• Firewall and router access logs
Monitoring Logs
• Linux logs
• Antivirus logs
• Application logs
• Performance logs
• Review logs regularly
• Store logs in central location
– Provides protection against attacks



SIEM
• Security Information and Event Management
– Aggregation
– Correlation engine
– Automated alerting
– Automated triggers
– Time synchronization
– Event deduplication
– Logs/WORM
• Continuous Monitoring
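The SIEM features listed above, run over a handful of constructed log lines: this added example (not from the slides) normalizes timestamps to UTC, deduplicates a repeated delivery, aggregates two sources into one stream and raises an alert when a correlation rule trips. The rule itself (five failed logins from one address within 60 seconds) is an assumed threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines: firewall stamps in UTC-05:00, auth server in UTC; the 14:00:02 line arrived twice.
RAW_EVENTS = [
    ("fw",   "2017-03-01T09:00:01-05:00 DENY src=203.0.113.7 dst=192.0.2.10 dport=3389"),
    ("auth", "2017-03-01T14:00:02+00:00 sshd FAILED user=root from=203.0.113.7"),
    ("auth", "2017-03-01T14:00:02+00:00 sshd FAILED user=root from=203.0.113.7"),
    ("auth", "2017-03-01T14:00:05+00:00 sshd FAILED user=admin from=203.0.113.7"),
    ("auth", "2017-03-01T14:00:09+00:00 sshd FAILED user=oracle from=203.0.113.7"),
    ("auth", "2017-03-01T14:00:14+00:00 sshd FAILED user=test from=203.0.113.7"),
    ("auth", "2017-03-01T14:00:20+00:00 sshd FAILED user=guest from=203.0.113.7"),
]
IP_RE = re.compile(r"(?:src|from)=(\d+\.\d+\.\d+\.\d+)")

def normalize(source: str, line: str) -> dict:
    """Time synchronization: parse the source's own timestamp and convert it to UTC."""
    stamp, msg = line.split(" ", 1)
    ip = IP_RE.search(msg)
    return {"ts": datetime.fromisoformat(stamp).astimezone(timezone.utc),
            "source": source, "msg": msg, "ip": ip.group(1) if ip else None}

def aggregate(raw) -> list:
    """Aggregation and deduplication: one time-ordered stream, repeated deliveries dropped."""
    seen, events = set(), []
    for source, line in raw:
        ev = normalize(source, line)
        key = (ev["ts"], ev["source"], ev["msg"])
        if key not in seen:
            seen.add(key)
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, threshold=5, window=timedelta(seconds=60)) -> list:
    """Correlation rule with automated alerting: `threshold` failed logins from one address inside `window`."""
    denied = {e["ip"] for e in events if e["source"] == "fw" and "DENY" in e["msg"]}
    recent, alerts = defaultdict(list), []
    for e in events:
        if e["source"] != "auth" or "FAILED" not in e["msg"]:
            continue
        bucket = recent[e["ip"]]
        bucket.append(e["ts"])
        while e["ts"] - bucket[0] > window:       # slide the window forward
            bucket.pop(0)
        if len(bucket) >= threshold:              # enrich with the firewall's view of the same address
            alerts.append(f"{e['ts'].isoformat()} {len(bucket)} failed logins from {e['ip']} in {int(window.total_seconds())}s; firewall deny seen: {e['ip'] in denied}")
            bucket.clear()
    return alerts
```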
Auditing and Reviews
• Usage auditing and reviews
– Logs and identifies user actions
– Useful during investigations
• Permission auditing and review
– Ensures that users have only the access they need and no more
– Ensures that inactive accounts are either disabled or deleted
Chapter 8 Summary
• Understanding risk management

• Comparing scanning and testing tools

• Using security tools

• Labs http://gcgapremium.com/501labs/

