38 Cards in this Set
- Front
- Back
- 3rd side (hint)
Risk Assessment |
1. Identify the risk. 2. Conduct a threat assessment. 3. Analyze the business impact of each threat. 4. Determine the likelihood of the threat doing damage. 5. Prioritize risks by weighing likelihood against potential impact. 6. Create a risk mitigation strategy. |
|
|
Length of time to replace equipment |
Replacement cost |
|
|
Loss of new business opportunities |
Revenue or opportunity lost |
|
|
How long to get production line up and running again |
Production loss |
|
|
Most severe from an ethical perspective |
Human cost |
|
|
Damage to your reputation could be critical if the threat is obvious or high profile |
Reputation |
|
|
Must comply with federal laws and industry regulations |
Legal consequences |
|
|
Includes SLE, ARO, and ALE values. |
Qualitative risk assessment values |
|
|
Cost of any single loss |
Single loss expectancy (SLE) |
|
|
The expected number of times a given loss may occur per year. |
Annual rate of occurrence (ARO) |
|
|
The expected cost per year from a threat (SLE × ARO) |
Annual loss expectancy (ALE) |
|
|
Avoidance, transference, mitigation, deterrence, acceptance, and residual risk are all called... |
Risk management |
|
|
Technology controls, policies and procedures, routine audits, incident management, and change management are all a part of... |
Risk Management Techniques |
|
|
Device or system configuration tools, continuous monitoring and alert systems (NIDS, NIPS), network vulnerability scanners, remediation tools, patch management software, automated troubleshooters, and application testers (pen testing) |
Automated Security Tools |
|
|
Conducting a baseline review, determining the attack surface, reviewing code, reviewing architecture, and reviewing design are... |
Vulnerability Assessment Elements |
|
|
The existing intended security configuration, and comparing network performance to your security baseline. |
Baseline Review |
|
|
All of the software and services installed that can be subject to attack; reduced through network hardening techniques. |
Determining attack surface |
|
|
Conduct beta testing before deploying software onto your network, and secure application design |
Reviewing code |
|
|
Multiple name brands, known hardware flaws |
Reviewing Architecture |
|
|
Technology, design of hard drives, solutions, etc. |
Reviewing design |
|
|
Intrusive and non-intrusive; credentialed and non-credentialed |
Types of vulnerability scans |
|
|
Focuses on monitoring communications and makes minor requests |
Non-intrusive |
|
|
Uses larger traffic volumes, unusual messages, or attempts to gain permissions |
Intrusive |
|
|
Uses no special permissions or credentials, acts like an outside visitor |
Non-credentialed |
|
|
Uses user credentials of the host or network being scanned; has greater knowledge of the network; less intrusive because the scanner already has the rights it needs. |
Credentialed |
|
|
The goal is to find missing or misconfigured security controls, open ports, weak passwords or encryption, unsecured data, compromised systems, exploitable vulnerabilities, and unpatched systems. |
Goals of Vulnerability scans |
|
|
Front (Term) |
Penetration test process |
|
|
Black box, white box, gray box |
Penetration tests |
|
|
No attacker knowledge of the system |
Black Box |
|
|
Full attacker knowledge of the system |
White box |
|
|
Partial attacker knowledge of the system |
Gray box |
|
|
Fundamentally passive in nature; examines an entire system, network, or organization, checking for a specific list of known vulnerabilities. It may be passive and invisible to security systems, or it may be active and prone to setting off alarms, but it does not intend to compromise assets. |
Vulnerability Scan |
Knock on the door |
|
A simulated attack designed to prove that an asset can be compromised, using knowledge of existing security controls and known attack methods to bypass security and compromise the system. Active and intrusive but more focused; it is not likely to uncover vulnerabilities. |
Penetration test |
Using the hammer |
|
SAINT, Nessus, and OpenVAS |
Vulnerability Scans |
|
|
Vulnerability Assessments |
Vulnerability Assessments |
|