
CompTIA Security+

Module 08

Risk Management

Copyright © 2014 Logical Operations, Inc. All rights reserved. OV 8 - 1


Risk Management

- Risk Analysis
- Implement Vulnerability Assessment Tools and Techniques
- Scan for Vulnerabilities
- Mitigation and Deterrent Techniques



Risk Management

Diagram: the risk management cycle, made up of Assessment, Analysis, Response, and Mitigation.



Security Assessment Types

- Risk
- Threat
- Vulnerability



Risk Types

- Natural disasters:
  - Earthquake
  - Wildfire
  - Flooding
- Man-made disasters:
  - Intentional:
    - Arson
    - Theft
  - Unintentional:
    - Employee mistakes
- System:
  - Mobile devices
  - Virtualization
  - Network devices
  - Email
  - User accounts

Components of Risk Analysis

- Determine vulnerabilities that a threat can exploit.
- Determine the possibility of damage occurring.
- Determine the extent of potential damage.



Phases of Risk Analysis

Risk Analysis Process

1. Asset identification: Determining value of asset that needs protection.
2. Vulnerability identification: Locating weaknesses in a system.
3. Threat assessment: Determining who or what can exploit vulnerabilities.
4. Probability quantification: Determining how likely it is for a threat to exploit a vulnerability.
5. Impact analysis: Estimating the cost of recovering from a harmful event.
6. Countermeasures determination: Establishing cost-effective measures to reduce risk.



Risk Analysis Methods

- Qualitative
- Quantitative
- Semi-quantitative



Risk Calculation

Vulnerability       Identification Source   Risk of Occurrence   Impact Estimate   Mitigation
                                            (1=Low; 5=High)      (US Dollars)
Flood               Physical plant          5                    $95,000           Flood damage insurance
Electrical failure  Physical plant          2                    $100,000          Generator, UPS
Flu epidemic        Personnel               4                    $200,000          Flu shots
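As an added example (not part of the Logical Operations slides), the risk calculation table above expressed as a small semi-quantitative risk register in Python. The exposure score (likelihood rating times dollar impact) and the unmitigated-entry check are assumed ranking rules that the slide itself does not state.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEntry:
    """One row of the semi-quantitative risk register."""
    vulnerability: str
    source: str        # identification source (where the risk was found)
    likelihood: int    # risk of occurrence, ordinal scale 1 = low .. 5 = high
    impact_usd: int    # impact estimate in US dollars
    mitigation: str    # chosen countermeasure, "" if none decided yet

    def exposure(self) -> int:
        """Assumed scoring rule: ordinal likelihood times dollar impact.
        Not defined on the slide; added here so rows can be ranked."""
        if not 1 <= self.likelihood <= 5:
            raise ValueError("likelihood must be on the 1..5 scale")
        return self.likelihood * self.impact_usd


# Rows taken verbatim from the slide's Risk Calculation table.
REGISTER = [
    RiskEntry("Flood", "Physical plant", 5, 95_000, "Flood damage insurance"),
    RiskEntry("Electrical failure", "Physical plant", 2, 100_000, "Generator, UPS"),
    RiskEntry("Flu epidemic", "Personnel", 4, 200_000, "Flu shots"),
]


def rank_by_likelihood(register):
    """Naive ordering by the 1..5 rating alone (what a purely qualitative view gives)."""
    return sorted(register, key=lambda e: e.likelihood, reverse=True)


def rank_by_exposure(register):
    """Semi-quantitative ordering: rating combined with the dollar impact."""
    return sorted(register, key=RiskEntry.exposure, reverse=True)


def unmitigated(register):
    """Rows where phase 6 (countermeasures determination) is still open."""
    return [e for e in register if not e.mitigation.strip()]


if __name__ == "__main__":
    for e in rank_by_exposure(REGISTER):
        print(f"{e.vulnerability:<20} rating={e.likelihood} impact=${e.impact_usd:>9,} "
              f"exposure={e.exposure():>11,}  mitigation: {e.mitigation or 'NONE'}")
    print("open items:", [e.vulnerability for e in unmitigated(REGISTER)])
```

Comparing the two rankings shows why the impact column matters: Flood has the highest occurrence rating, but the flu epidemic has the highest exposure once impact is weighed in.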



Risk Response Strategies

- Avoidance
- Transference
- Acceptance
- Mitigation
- Deterrence



Risk Mitigation and Control Types

- Technical
- Management
- Operational
- Loss/damage



Vulnerability Assessment Techniques

- Review a baseline report.
- Perform regular code reviews.
- Determine the attack surface.
- Review security architecture.
- Review security design.



Vulnerability Assessment Tools

- Protocol analyzer
- Sniffer
- Vulnerability scanner
- Port scanner
- Honeypot



The Hacking Process

1. Footprinting
2. Scanning
3. Enumerating
4. Attacking



Ethical Hacking

Diagram: a white hat follows the hacking process (Footprinting -> Scanning -> Enumerating -> Attacking) and reports on security flaws.



Vulnerability Scanning and Penetration Testing

- Vulnerability scan:
  - Passively identifies missing security controls
  - Detects poor configurations
  - Doesn’t test the security mechanisms themselves
  - Credentialed vs. non-credentialed
  - May produce false positives and false negatives
- Penetration test:
  - Actively simulates an attack on a system
  - Tests security strength directly and thoroughly
  - Less common
  - More intrusive
  - May cause actual damage



Types of Vulnerability Scans

- General vulnerabilities
- Application-specific vulnerabilities
- Tools for different scan types



Box Testing Methods

Diagram: the hacking process phases (Footprinting -> Scanning -> Enumerating -> Attacking) shown against the three testing methods:

- Black box test
- Grey box test
- White box test



Security Utilities

- Vulnerability scanning tools
- Port scanning tools
- Password scanning and cracking tools
- Exploits and stress testers
- Intrusion detection utility
- Network and security administration
- Protocol analyzer or packet sniffer



Security Posture

Strong posture:
- Strict mitigation and deterrent methods.
- Initial baseline configuration.
- Continuous monitoring methods and remediation.



DLP

- Data loss prevention.
- Detects and prevents data from being sent to unauthorized parties.
- Monitors and blocks suspicious data-related activity.
- Focuses on outbound traffic (data exfiltration).



Detection Controls and Prevention Controls

- Detection:
  - Monitor a situation or potential event
  - Alert qualified personnel
  - Surveillance camera
- Prevention:
  - React to a situation or event
  - Block access
  - Security guard



Risk Mitigation Strategies

Risk mitigation includes:

- Policies and procedures
- Auditing and reviews
- Security controls
- Change management
- Incident management



Types of Mitigation and Deterrent Techniques

- Performance and system monitoring
- Monitoring system logs
- Manual bypassing of electronic controls
- Hardening
- Applying port security
- Reporting
- Implementing physical security



Failsafe, Failsecure, and Failopen

- Failsafe:
  - Prevents harm in the event of failure
  - Mechanical crashbars
- Failsecure:
  - Keeps something secure in the event of failure
  - Electric door strikes
- Failopen:
  - Allows access in the event of failure
  - Magnetic lock



Reflective Questions

1. What security risks does your organization face, and what methods would you employ in your risk analysis?

2. What vulnerability assessment tools are you familiar with? What tools do you think you may use in the future?

