Kindle Notes & Highlights
Risk is the likelihood that a threat will exploit a vulnerability.
A threat is a potential danger.
Accidental human threats. Users can accidentally delete or corrupt data, or accidentally access data that they shouldn’t be able to access.
Environmental threats. This includes long-term power failure, which could lead to chemical spills, pollution, or other possible threats to the environment.
A threat assessment helps an organization identify and categorize threats.
Remember this: A threat is a potential danger and a threat assessment evaluates potential threats. Environmental threats include natural threats such as weather events. Manmade threats are any potential dangers from people and can be either malicious or accidental. Internal threats typically refer to employees within an organization, while external threats can come from any source outside the organization.
A vulnerability is a flaw or weakness in software or hardware, or a weakness in a process that a threat could exploit, resulting in a security breach. Examples of vulnerabilities include:
Risk management is the practice of identifying, monitoring, and limiting risks to a manageable level.
Risk response techniques include:
Avoid. An organization can avoid a risk by not providing a service or not participating in a risky activity. For
Transfer. The organization transfers the risk to another entity, or at least shares the risk with another entity.
Mitigate. The organization implements controls to reduce risks. These controls either reduce the vulnerabilities or reduce the impact of the threat.
Remember this: It is not possible to eliminate risk, but you can take steps to manage it. An organization can avoid a risk by not providing a service or not participating in a risky activity. Insurance transfers the risk to another entity. You can mitigate risk by implementing controls, but when the cost of the controls exceeds the cost of the risk, an organization accepts the remaining, or residual, risk.
The asset value identifies the worth of the asset to the organization.
A quantitative risk assessment measures the risk using a specific monetary amount.
• Single loss expectancy (SLE). The SLE is the cost of any single loss.
• Annual rate of occurrence (ARO). The ARO indicates how many times the loss will occur in a year. If
• Annual loss expectancy (ALE). The ALE is the value of SLE × ARO.
Remember this: A quantitative risk assessment uses specific monetary amounts to identify cost and asset values. The SLE identifies the amount of each loss, the ARO identifies the number of failures in a year, and the ALE identifies the expected annual loss. You calculate the ALE as SLE × ARO. A qualitative risk assessment uses judgment to categorize risks based on likelihood of occurrence and impact.
A qualitative risk assessment uses judgment to categorize risks based on likelihood of occurrence (or probability) and impact.
Impact is the magnitude of harm resulting from a risk.
Some risk assessments use a risk register.
Remember this: A risk register is a comprehensive document listing known information about risks. It typically includes risk scores along with recommended security controls to reduce the risk scores. A supply chain assessment evaluates everything needed to produce and sell a product. It includes all the raw materials and processes required to create and distribute a finished product.
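The quantitative assessment (SLE, ARO, ALE) and the mitigate-or-accept decision from the highlights above, worked through as a small risk register. This is an added example, not code from the book; the register entries, the control costs and the "ARO after control" values are constructed, and comparing the control's annual cost against the ALE it removes is how the accept/mitigate rule is modelled here.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    """One row of a quantitative risk register (SLE, ARO, ALE as defined above)."""
    name: str
    sle: float            # single loss expectancy: cost of one loss, in dollars
    aro: float            # annual rate of occurrence: expected losses per year
    control_cost: float   # annual cost of the recommended control (assumed value)
    aro_after: float      # expected ARO once the control is in place (assumed value)

    @property
    def ale(self) -> float:
        # ALE = SLE x ARO, as the highlights define it
        return self.sle * self.aro

    @property
    def ale_after(self) -> float:
        return self.sle * self.aro_after

    def risk_reduction(self) -> float:
        # annual loss the control is expected to prevent
        return self.ale - self.ale_after

    def decision(self) -> str:
        # Mitigate only when the control costs less than the loss it prevents;
        # otherwise the organization accepts the residual risk.
        return "mitigate" if self.control_cost < self.risk_reduction() else "accept"

# Constructed sample register (hypothetical values, not from the book)
REGISTER = [
    Risk("laptop theft", sle=4000, aro=2.0, control_cost=3000, aro_after=0.5),
    Risk("web server outage", sle=20000, aro=0.25, control_cost=12000, aro_after=0.05),
    Risk("ransomware on file server", sle=50000, aro=0.5, control_cost=8000, aro_after=0.1),
]

def rank_by_ale(register):
    """Highest expected annual loss first, as a risk register would list them."""
    return sorted(register, key=lambda r: r.ale, reverse=True)

def summarize(register):
    """(name, ALE, decision) per risk, ranked by ALE."""
    return [(r.name, r.ale, r.decision()) for r in rank_by_ale(register)]

if __name__ == "__main__":
    for name, ale, choice in summarize(REGISTER):
        print(f"{name:28s} ALE=${ale:>9,.2f}  -> {choice}")
```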
Assessments often use a variety of scans and penetration tests, all discussed in this section. A vulnerability assessment typically includes the following high-level steps:
• Identify assets and capabilities.
• Prioritize assets based on value.
• Identify vulnerabilities and prioritize them.
• Recommend controls to mitigate serious vulnerabilities.
A password cracker attempts to discover a password.
An offline password cracker attempts to discover passwords by analyzing a database or file containing passwords.
An online password cracker attempts to discover passwords by guessing them in a brute force attack.
Other online password crackers collect network traffic and attempt to crack any passwords sent over the network.
A network scanner uses various techniques to gather information about hosts within a network. As
Ping scan. A ping scan (sometimes called a ping sweep) sends an Internet Control Message Protocol (ICMP) ping to a range of IP addresses in a network. If the host responds, the network scanner knows there is a host operational with that IP address.
Address Resolution Protocol (ARP) and how systems use it to resolve IP addresses to media access control (MAC) addresses.
A port scan checks for open ports on a system.
Service scan. A service scan is like a port scan, but it goes a step further. A port scan identifies open ports and gives hints about what protocols or services might be running.
OS detection. Operating system (OS) detection techniques analyze packets from an IP address to identify the OS. This is often referred to as TCP/IP fingerprinting.
Remember this: Password crackers attempt to discover passwords and can identify weak passwords, or poorly protected passwords. Network scanners can detect all the hosts on a network, including the operating system and services or protocols running on each host.
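Seen from the defender's side, the ping sweep and port scan described above leave a recognizable pattern in firewall logs: one source touching many hosts with ICMP, or many ports on one host. This added example (not code from the book) runs that detection over constructed log lines; the log format, the field names and the alert thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (sample data, not from the book). Assumed format:
# "<time> proto=<icmp|tcp> src=<ip> dst=<ip> dport=<port or ->"
SAMPLE_LOG = """\
10:00:01 proto=icmp src=10.0.0.5 dst=10.0.0.1 dport=-
10:00:01 proto=icmp src=10.0.0.5 dst=10.0.0.2 dport=-
10:00:01 proto=icmp src=10.0.0.5 dst=10.0.0.3 dport=-
10:00:02 proto=icmp src=10.0.0.5 dst=10.0.0.4 dport=-
10:00:02 proto=icmp src=10.0.0.5 dst=10.0.0.6 dport=-
10:00:05 proto=tcp src=10.0.0.7 dst=10.0.0.20 dport=22
10:00:05 proto=tcp src=10.0.0.7 dst=10.0.0.20 dport=80
10:00:05 proto=tcp src=10.0.0.7 dst=10.0.0.20 dport=443
10:00:06 proto=tcp src=10.0.0.7 dst=10.0.0.20 dport=3389
10:00:06 proto=tcp src=10.0.0.7 dst=10.0.0.20 dport=8080
10:00:09 proto=tcp src=10.0.0.9 dst=10.0.0.20 dport=443
"""

LINE_RE = re.compile(r"proto=(\w+) src=(\S+) dst=(\S+) dport=(\S+)")

def parse(log_text):
    """Yield (proto, src, dst, dport) tuples; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groups()

def detect_scans(log_text, sweep_hosts=5, scan_ports=5):
    """Flag ping sweeps (one source, many ICMP targets) and port scans
    (one source, many ports on one host). Thresholds are assumed values."""
    icmp_targets = defaultdict(set)   # src -> hosts it sent ICMP to
    tcp_ports = defaultdict(set)      # (src, dst) -> destination ports probed
    for proto, src, dst, dport in parse(log_text):
        if proto == "icmp":
            icmp_targets[src].add(dst)
        elif proto == "tcp":
            tcp_ports[(src, dst)].add(dport)
    alerts = []
    for src, hosts in icmp_targets.items():
        if len(hosts) >= sweep_hosts:
            alerts.append(("ping_sweep", src, len(hosts)))
    for (src, dst), ports in tcp_ports.items():
        if len(ports) >= scan_ports:
            alerts.append(("port_scan", f"{src}->{dst}", len(ports)))
    return alerts

if __name__ == "__main__":
    for kind, who, count in detect_scans(SAMPLE_LOG):
        print(f"{kind}: {who} ({count} distinct targets)")
```

The single request from 10.0.0.9 stays below both thresholds, so only the sweeping and port-scanning sources are reported.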

