Ch 8: Managing Risk
CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide
Darril Gibson
Last modified 10-11-12
Threats, Vulnerabilities, and Risks
Threats
Types of threats
– Natural threats
Hurricanes, floods, etc.
– Malicious human threats
– Accidental human threats
– Environmental threats
Power failures, overheating, etc.
Malicious Insider Threat
Abuse of legitimate access to harm the company
Motivations include greed & revenge
Countermeasures
– Least privilege
– Job rotation
– Separation of duties
– Mandatory vacations
Threat Modeling
Identify and prioritize threats
Identify controls to protect against most serious threats
Avoid wasting resources on low-priority threats
Vulnerabilities
A flaw or weakness that could be exploited, resulting in a security breach
– Lack of updates
– Default configuration
– Lack of malware protection
– No firewall
– Lack of organizational policies
Risks
The likelihood that a threat will exploit a vulnerability
Risk cannot be reduced to zero
Risk management
– Identifying, monitoring, and limiting risks to an acceptable level
Residual risk
– The risk remaining after risk management
Risk Management Methods
Risk avoidance
– Forbid risky activities
Risk transference
– Insurance
Risk acceptance
Risk mitigation
– Implementing controls
Risk deterrence
– Sometimes included in risk mitigation
Risk Assessment
Identify assets and asset values
Identify threats and vulnerabilities
Prioritize them
Recommend controls
Quantitative Risk Assessment
Estimate money lost per year to a risk
Single Loss Expectancy (SLE)
– Cost of a single loss
Annualized Rate of Occurrence (ARO)
– How many times per year the loss will occur
Annualized Loss Expectancy (ALE)
– ALE = SLE x ARO
Example
Risk: Employees lose laptops, which must then be replaced
A laptop costs $1000
– This is the SLE
Employees lose a laptop each month
– This is the ARO (12 losses per year)
Expected loss is $12,000 per year
NOTE: This does not consider the risk of the data on the laptops being exposed
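The laptop calculation carried through in code, as an added example that is not part of the slides: a small risk register computes ALE = SLE x ARO for each entry, ranks the entries so controls go to the most serious risk first, and shows the residual ALE once a control lowers the ARO. The laptop figures are the slide's; the other two risks, and the assumed effect of the control, are constructed values.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One line of a risk register, using the deck's terms."""
    name: str
    sle: float  # Single Loss Expectancy: cost of one loss, in dollars
    aro: float  # Annualized Rate of Occurrence: losses expected per year

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy, the deck's ALE = SLE x ARO."""
        return self.sle * self.aro


def rank_by_ale(risks):
    """Largest expected annual loss first, so controls go to the most
    serious risks rather than low-priority ones."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


def residual_ale(risk, new_aro=None, new_sle=None):
    """ALE left after a control lowers the ARO and/or the SLE: the deck's
    'residual risk', the risk remaining after risk management."""
    sle = risk.sle if new_sle is None else new_sle
    aro = risk.aro if new_aro is None else new_aro
    return sle * aro


# Constructed risk register. The laptop entry uses the slide's figures:
# $1000 per loss (SLE) and one loss per month (ARO = 12), so ALE = $12,000.
# The other two entries are made-up values for comparison only.
REGISTER = [
    Risk("Lost laptop (hardware replacement only)", sle=1000, aro=12),
    Risk("Web server compromise", sle=50_000, aro=0.5),
    Risk("Office power failure", sle=2_000, aro=3),
]

if __name__ == "__main__":
    for r in rank_by_ale(REGISTER):
        print(f"{r.name:42s} SLE ${r.sle:>8,.0f}  ARO {r.aro:>4}  ALE ${r.ale:>9,.0f}")
    # Hypothetical control (constructed): cable locks plus user training
    # are assumed to cut laptop losses from 12 to 4 per year.
    laptop = REGISTER[0]
    print(f"Residual laptop ALE after control: ${residual_ale(laptop, new_aro=4):,.0f}")
```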
Qualitative Risk Assessment
Judge risks as "High", "Medium", or "Low"
Or use a numerical scale, 1 to 10
Compare risks of attack to a Web server v. a library workstation with no Internet access
Web server: High likelihood, high impact
Workstation: Low likelihood, low impact
Documenting the Assessment
Report identifies risks discovered and recommended controls
This report should be kept confidential
– It would help attackers if disclosed
Checking for Vulnerabilities
Methods
Vulnerability assessments
Vulnerability scans
Penetration tests
Anatomy of an Attack
Reconnaissance
– IP addresses of target network
– Company information found from the outside
Fingerprinting
– Details of individual systems
– OS and versions
Attack
Identify IP Addresses of Targets
Geolocation
– Approximate physical location from an IP address
Whois
– Assigned address range for a company
– Link Ch 8b
Port Scanning
Nmap or another port scanner
Finds
– Well-known services
– P2P software
– Fingerprints the system
Vulnerability scanners like Nessus
– Find vulnerabilities as well as open ports
Countermeasures: IDS and IPS
Identify Vulnerabilities
Use appropriate attacks for services
– Web server
Input validation
Buffer overflow
SQL injection
XSS
– Email server
Anonymous relay
– Application server
Default names and passwords
Attack
Attack tools v. custom scripts
Privilege escalation
Smash & grab attacks get in & out fast
Advanced Persistent Threats
– Plant hidden malware
– Steal data for months or years
Pivoting from one system to attack another
Clean log files
Advanced Persistent Threats
Large criminal organizations
– Russian Business Network
Nation-states
– The USA: Stuxnet, DuQu, Flame, Mini-Flame
– China: Aurora, many others
Use zero-days
Hide on systems for years
Vulnerability Assessment
Find weaknesses in
– System
– Network
– Organization
Sources of information
– Security policies
– Logs
– Interviews with personnel
– System testing
Vulnerability Assessment Steps
Identify assets and capabilities
Prioritize assets based on value
Identify vulnerabilities and prioritize them based on severity
Recommend controls to mitigate serious vulnerabilities
Other Assessment Methods
Baseline reporting
Code review
Architecture review
Design review
Error in Textbook
Nessus is a vulnerability scanner
Nmap is a port scanner, not a vulnerability scanner
Netcat is even simpler, an all-purpose network connection tool
Vulnerability Scanning
Passively test security controls
Identify vulnerabilities
Identify lack of security controls
Identify common misconfigurations
Results of a Vulnerability Scan
Security and configuration errors
Patches and updates
Open ports
Weak passwords
Default accounts and passwords
Sensitive data
– Data Loss Prevention
Penetration Testing
Find a vulnerability and exploit it
May also show how employees respond to a security incident
Common elements
– Verify a threat exists
– Bypass security controls
– Actively test security controls
– Exploit vulnerabilities
Penetration Test Considerations
Scope of test must be determined in advance
Get written authorization
Unexpected results can occur
Fuzzing a system may crash it
Sometimes a test system is used instead of the live system in use
White, Gray, and Black Box Testing
Black box testing
– Testers are given zero knowledge of internal systems
White box testing
– Testers have full knowledge of the environment
Gray box testing
– Testers have some knowledge of the system
Black Hat v. White Hat
Black hat hackers
– Criminals
White hat hackers
– Legitimate security professionals
Gray hat hackers
– Break the law but have some justification for it, such as political protest ("Hacktivists")
– "Every way of a man is right in his own eyes…" –Proverbs 21:2
Hackers and Crackers
Hackers
– Originally only someone very proficient with technology
– Defined as a criminal under US law and in the media
Crackers
– A hacker who performs malicious acts
Rules of Engagement
A written document explaining the boundaries of a penetration test
Identifying Security Tools
Protocol Analyzer (Sniffer)
Examples
– Wireshark
– tcpdump
– Microsoft's Network Monitor
– Many others
Unencrypted passwords are easy to see with sniffers
Routine Audits
Identify risks
Verify that policies are being followed
– Are accounts for departing employees disabled promptly?
– Do administrators have two accounts, one low-privilege and one high-privilege?
– Are all systems patched?
– Many more questions…
User Rights and Permissions Review
A type of audit
Identifies privileges (rights and permissions) granted to users
Checks to see if they are appropriate
"Permission bloat"
– Users gain more and more privileges as jobs change
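Two of the audit questions above turned into automated checks, as an added example that is not part of the slides: one flags departed employees whose accounts are still enabled past a grace period, the other performs the permissions review by comparing each user's group memberships with what the current role entitles them to ("permission bloat"). The account export, role-to-group policy and audit date are all constructed sample data.

```python
from datetime import date

# Constructed sample export of user accounts (not real data).
#   enabled: the account can still log on
#   left_on: termination date, or None for current staff
#   role:    current job role; groups: current group memberships
ACCOUNTS = [
    {"user": "alice", "enabled": True,  "left_on": None,
     "role": "finance", "groups": {"Finance", "Domain Users"}},
    {"user": "bob",   "enabled": True,  "left_on": date(2012, 10, 1),
     "role": "sales",   "groups": {"Sales", "Domain Users"}},
    {"user": "carol", "enabled": False, "left_on": date(2012, 10, 8),
     "role": "hr",      "groups": {"HR", "Domain Users"}},
    {"user": "dave",  "enabled": True,  "left_on": None,
     "role": "finance", "groups": {"Finance", "Helpdesk", "Domain Users"}},
    {"user": "erin",  "enabled": True,  "left_on": None,
     "role": "admin",   "groups": {"Domain Admins", "Domain Users"}},
]

# Constructed policy: the groups each job role is entitled to.
ROLE_GROUPS = {
    "finance": {"Finance", "Domain Users"},
    "sales":   {"Sales", "Domain Users"},
    "hr":      {"HR", "Domain Users"},
    "admin":   {"Domain Admins", "Domain Users"},
}

AUDIT_DATE = date(2012, 10, 11)  # constructed date the audit is run


def departed_not_disabled(accounts, today, grace_days=1):
    """Audit question: are accounts for departing employees disabled promptly?
    Returns users whose termination date is more than grace_days in the past
    but whose account is still enabled."""
    return [a["user"] for a in accounts
            if a["enabled"] and a["left_on"] is not None
            and (today - a["left_on"]).days > grace_days]


def permission_bloat(accounts, role_groups):
    """User rights and permissions review: memberships a user holds beyond
    what the current role entitles them to, i.e. privileges accumulated as
    jobs changed. Returns {user: [extra groups]} for offenders only."""
    findings = {}
    for a in accounts:
        extra = a["groups"] - role_groups[a["role"]]
        if extra:
            findings[a["user"]] = sorted(extra)
    return findings


if __name__ == "__main__":
    print("Departed but still enabled:", departed_not_disabled(ACCOUNTS, AUDIT_DATE))
    print("Permission bloat:", permission_bloat(ACCOUNTS, ROLE_GROUPS))
```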
Password-Cracking Tools
Also called password recovery tools
Administrators use these tools to identify weak passwords
Brute force
– Try all possible passwords
Dictionary
– Use a dictionary of common passwords
Cryptanalysis
– Exploit a mathematical flaw in the encryption method
Password Hashing
Rather than storing the password itself, or sending it over a network, the system uses its hash
– Calculated with MD5, SHA-1, SHA-512, etc.
Windows Password Hashes
Linux Password Hashes
Mac OS X Password Hash
Link Ch 8c
Rainbow Tables
A large database of precomputed hashes, stored in RAM
Makes cracking hashes much faster
Also called "Time-Memory Tradeoff"
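The time-memory tradeoff behind the Password Hashing and Rainbow Tables slides, shown from the defender's side as an added example that is not part of the slides: hashing a candidate list once gives a table that reverses any stored unsalted hash with a single lookup, and a random per-user salt is the storage change that makes the precomputed table useless. The wordlist, passwords and hashes are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the candidate passwords a
# precomputed table is built from.
WORDLIST = ["password", "letmein", "Summer2012", "qwerty", "dragon"]


def unsalted_hash(password, algo="md5"):
    """The storage scheme the deck describes: hash of the password alone."""
    return hashlib.new(algo, password.encode()).hexdigest()


def precompute(wordlist, algo="md5"):
    """Time-memory tradeoff: spend the hashing work once, up front, and keep
    hash -> password in memory so each stored hash is reversed by one lookup."""
    return {unsalted_hash(w, algo): w for w in wordlist}


def lookup(stored_hash, table):
    """Reverse an unsalted hash from the table; None if it was not precomputed."""
    return table.get(stored_hash)


def store_salted(password, salt=None, algo="sha512"):
    """Mitigation: hash a random per-user salt together with the password.
    Returns (salt_hex, hash_hex), the two values a system would store."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.new(algo, salt + password.encode()).hexdigest()
    return salt.hex(), digest


def verify_salted(password, salt_hex, stored_digest, algo="sha512"):
    """Logon check: recompute with the stored salt, compare in constant time."""
    _, digest = store_salted(password, bytes.fromhex(salt_hex), algo)
    return hmac.compare_digest(digest, stored_digest)


def demo(password="Summer2012"):
    """Unsalted: one lookup recovers the password. Salted: the same password
    yields a different hash per user, and none of them appear in the table."""
    table = precompute(WORDLIST)
    recovered = lookup(unsalted_hash(password), table)
    _, h1 = store_salted(password)
    _, h2 = store_salted(password)
    salted_table = precompute(WORDLIST, "sha512")
    return recovered, h1 != h2, lookup(h1, salted_table) is None


if __name__ == "__main__":
    print(demo())  # ('Summer2012', True, True)
```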
Password-Cracking Tools
John the Ripper
– Works on many systems
Cain
– All-purpose Windows hacking tool
Ophcrack
– Finds Windows passwords
Aircrack
– Finds WEP keys
Monitoring Logs
Operating system logs
– Record basic events
– Windows Event Viewer
Security – logon and logoff, etc.; also audited events
Application – events recorded by applications
System – startup, shutdown, loading a driver, etc.
Other Logs
Firewall logs
Antivirus logs
Application logs
– SQL Server, Oracle, etc.
Performance logs
Reviewing Logs
Tedious, painful process
Automated log scanners help
– NetIQ
– AlienVault
OVAL (Open Vulnerability and Assessment Language)
International standard to list and rate vulnerabilities
Consistent with the CVE list