When performing a risk assessment, it's important to be familiar with the following terms.
Quantitative - In a quantitative risk assessment, a financial or monetary value is assigned to each specific risk.
Qualitative - In a qualitative risk assessment, the aim is to assign a value (rather than a monetary figure) to each risk factor within the organization.
Single Loss Expectancy (SLE) - This is the financial cost of the loss if a one-time or single event occurs within the organization.
An example of an SLE may be a company asset such as a smartphone worth $500 (Asset Value = $500).
Annualized Rate of Occurrence (ARO) - This is the likelihood that an event will occur within a year.
For example, in some countries there is a lot of rainfall during certain times of the year. Organizations with buildings in flood-prone areas need to consider how often flooding will occur each year.
Annual Loss Expectancy (ALE) - The Annual Loss Expectancy is ARO x SLE.
An example is the loss of 4 company-owned smartphones per year (ARO = 4) x $500 (SLE) = $2,000 (ALE).
The Risk Register records the risk associated with each step of a project within an organization.
The Risk Register also helps us determine a solution for each identified risk at each step of the project, and helps us monitor whether the solution actually fixes the issue.
Accept - The organization understands the risk involved in its processes or procedures and accepts it.
Transfer - In transference, the risk is transferred to a third party, which handles and manages the risk on behalf of the organization.
Avoid - Avoidance simply means the organization stops all activities that are creating the risk.
Mitigate - Mitigating risk is where the organization puts controls in place to prevent the risk from occurring.
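As an added example (not part of the original notes), the following Python script puts the SLE, ARO and ALE terms and the risk register together: each register row carries an SLE, an ARO and the chosen response, the ALE is derived from them, and the register is ranked by ALE. The smartphone row reproduces the page's worked example; the other rows, the dollar figures and the responses are constructed.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One row of a simple risk register (constructed example)."""
    name: str
    sle: float      # Single Loss Expectancy: cost of one occurrence, in dollars
    aro: float      # Annualized Rate of Occurrence: expected occurrences per year
    response: str   # accept, transfer, avoid, or mitigate

    @property
    def ale(self) -> float:
        # Annual Loss Expectancy = SLE x ARO
        return self.sle * self.aro


def rank_register(register):
    """Return the register sorted by ALE, highest expected annual loss first."""
    return sorted(register, key=lambda r: r.ale, reverse=True)


def total_ale(register) -> float:
    """Sum of the expected annual losses across the whole register."""
    return sum(r.ale for r in register)


# Constructed register. The smartphone row is the page's worked example
# (4 lost phones per year x $500). The flood row shows an ARO below 1,
# i.e. an event expected less often than once a year, which still
# produces a large ALE because a single occurrence is expensive.
REGISTER = [
    Risk("Lost company smartphone", sle=500, aro=4, response="accept"),
    Risk("Flooding of data centre", sle=250_000, aro=0.1, response="transfer"),
    Risk("Ransomware on file server", sle=80_000, aro=0.5, response="mitigate"),
]

if __name__ == "__main__":
    for r in rank_register(REGISTER):
        print(f"{r.name:<28} SLE=${r.sle:>9,.0f}  ARO={r.aro:<4}  ALE=${r.ale:>8,.0f}  ({r.response})")
    print(f"Total ALE: ${total_ale(REGISTER):,.0f}")
```

Ranking by ALE rather than by SLE is the point: the cheap-but-frequent smartphone loss and the rare-but-costly flood both end up expressed in the same annual dollar figure, which is what makes the accept/transfer/mitigate decision comparable across rows.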
The NIST Risk Management Framework (RMF) provides a comprehensive, flexible, repeatable, and measurable 7-step process that any organization can use to manage information security and privacy risk for its systems. It links to a suite of NIST standards and guidelines that support the implementation of risk management programs meeting the requirements of the Federal Information Security Modernization Act (FISMA).
The 7 steps are:
Prepare
Categorize
Select
Implement
Assess
Authorize
Monitor
A vulnerability is a security weakness or flaw in a system that a threat actor can take advantage of (exploit) to compromise the system.
Assessing vulnerabilities helps identify the security vulnerabilities on a system and their risk levels, and classifies and categorizes those vulnerabilities.
Default settings - These are systems and devices deployed on a network with the same configuration they had when they left the manufacturer.
Weak encryption - These are systems that use insecure encryption technologies, which a threat actor can exploit to gain unauthorized access to the system.
Unsecure protocols - Unsecure protocols are network and application protocols that do not provide security features such as encryption to ensure privacy between the client and the server.
Open permissions - These are full permissions given to everyone, which creates a security risk from any user on the network.
Unsecure root accounts - These are root accounts on Linux-based systems that do not have complex passwords and are therefore easy to compromise.
Open ports and services - There are often many unnecessary services running on a system. Some services open a network port to allow inbound connections from remote systems, and a threat actor can launch a remote exploit across the network to take advantage of a vulnerable service on a target system.
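As an added example (not part of the original notes), the following Python script turns the six vulnerability types above into an audit over a constructed host inventory and reports a finding under the matching category. The `Host` and `Service` records, the reference lists of cleartext protocols and weak ciphers, and the two sample hosts are all assumptions made for the example; a real audit would read the inventory from a scanner or CMDB and use the organization's own hardening baseline.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed reference lists for the example; a real audit would use the
# organization's own hardening baseline.
CLEARTEXT_PROTOCOLS = {"telnet", "ftp", "http"}
WEAK_CIPHERS = {"DES", "3DES", "RC4"}


@dataclass
class Service:
    name: str
    port: int
    protocol: str
    cipher: Optional[str] = None   # None for protocols that offer no encryption
    required: bool = True          # False = no business purpose on this host


@dataclass
class Host:
    name: str
    factory_default_config: bool   # still running the manufacturer configuration
    root_password_complex: bool    # root password meets the complexity policy
    services: list = field(default_factory=list)
    world_writable_paths: list = field(default_factory=list)


def audit_host(host):
    """Return (category, detail) findings for one host, one per weakness."""
    findings = []
    if host.factory_default_config:
        findings.append(("Default settings", f"{host.name} still runs the manufacturer configuration"))
    if not host.root_password_complex:
        findings.append(("Unsecure root accounts", f"{host.name}: root password does not meet complexity rules"))
    for svc in host.services:
        if not svc.required:
            findings.append(("Open ports and services", f"{host.name}: unnecessary {svc.name} listening on port {svc.port}"))
        if svc.protocol in CLEARTEXT_PROTOCOLS:
            findings.append(("Unsecure protocols", f"{host.name}: {svc.protocol} on port {svc.port} sends data in cleartext"))
        if svc.cipher in WEAK_CIPHERS:
            findings.append(("Weak encryption", f"{host.name}: {svc.name} negotiates {svc.cipher}"))
    for path in host.world_writable_paths:
        findings.append(("Open permissions", f"{host.name}: {path} is writable by everyone"))
    return findings


def audit_fleet(hosts):
    """Count findings per category across all hosts."""
    counts = {}
    for host in hosts:
        for category, _ in audit_host(host):
            counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed inventory; these are not real systems.
FLEET = [
    Host("edge-router", factory_default_config=True, root_password_complex=False,
         services=[Service("telnet", 23, "telnet", required=False),
                   Service("https-mgmt", 443, "https", cipher="AES-GCM")]),
    Host("file-server", factory_default_config=False, root_password_complex=True,
         services=[Service("ftp", 21, "ftp", required=True),
                   Service("legacy-vpn", 1723, "pptp", cipher="RC4")],
         world_writable_paths=["/srv/share/public"]),
]

if __name__ == "__main__":
    for host in FLEET:
        for category, detail in audit_host(host):
            print(f"[{category}] {detail}")
    print(audit_fleet(FLEET))
```

Note that the telnet service on the router produces two separate findings (an unnecessary open port and a cleartext protocol), while the FTP service on the file server only produces one because the inventory marks it as required: the open-port finding and the protocol finding answer different questions, and a practitioner wants both counted.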
A vulnerability on the cloud means having insecure applications, services, and even virtual machines in the cloud that are exposed to anyone on the Internet.
A vulnerability within an on-premises environment is a security weakness that exists on systems inside the organization's network.
When a security risk exists, an organization may seek to transfer the risk handling to a third-party.
The third-party is usually a trusted provider who may have experience in handling the type of risk.
If there's an issue with a product from a vendor, the vendor may not provide adequate support to the customer and may inform the customer there is something wrong on the customer's end and not the actual device.
It's important to know where your data is being stored.
Data can be lost or leaked by the third-party vendor.
Data can be stolen while it's being stored on the third-party infrastructure.
There are many issues when managing a third-party vendor.
There can be security concerns such as whether the vendor has certified professionals to work on the equipment they support, whether the vendor has a privacy policy for customer data, and whether the vendor meets certain compliance and regulatory standards.
An organization should ensure a vendor is properly screened and meets all requirements before conducting business with the vendor.
Sometimes an organization may need to integrate its systems with a third-party system.
Ensure the third-party systems are trusted and secure.
The third-party vendor may be vulnerable to, or already a victim of, a supply chain attack without having realized it.
There are security concerns if the third party is acquiring its hardware and software components from suppliers other than a trusted retailer.
When a third party is developing code or an application, there are security concerns such as compliance and the use of secure coding techniques.
Improper or weak patch management - There are security vulnerabilities when an organization does not have a proper patch management policy in effect for:
Firmware
Operating system (OS)
Applications
Legacy platforms are older software and systems that are no longer supported by the vendor.
This means the vendor has stopped providing security updates to legacy or end-of-life (EoL) systems and applications.
If an organization is running legacy systems, they will be vulnerable to newer threats and cyber-attacks.
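As an added example (not part of the original notes), the following Python script covers both the patch management list above and the legacy platform point: it walks a constructed inventory of firmware, OS and application components, flags any whose installed version is behind the vendor's current patched version, and flags any whose vendor end-of-life date has already passed. The inventory layout, component names, version strings and EoL date are all assumptions made for the example.

```python
from datetime import date


def parse_version(version):
    """Turn '2.1.4' into (2, 1, 4) so versions compare numerically, not as strings
    (string comparison would wrongly rank '2.10' below '2.9')."""
    return tuple(int(part) for part in version.split("."))


def assess_inventory(inventory, today):
    """Return (component, finding) pairs for out-of-date or end-of-life components.

    inventory rows: (kind, name, installed_version, required_version, eol_date_or_None)
    """
    findings = []
    for kind, name, installed, required, eol in inventory:
        # Missing patches: the vendor has shipped a newer version than the one deployed.
        if parse_version(installed) < parse_version(required):
            findings.append((name, f"{kind} behind vendor patch level: {installed} installed, {required} required"))
        # Legacy platform: the vendor no longer issues security updates at all,
        # so being at the latest version does not help.
        if eol is not None and eol <= today:
            findings.append((name, f"{kind} reached end-of-life on {eol.isoformat()}: no further security updates"))
    return findings


# Constructed inventory (component kind, name, installed version, current patched
# version from the vendor, vendor end-of-life date or None). Not real products.
INVENTORY = [
    ("firmware", "edge-router", "2.1.0", "2.1.4", None),
    ("os", "legacy-file-server", "10.3", "10.3", date(2023, 12, 31)),
    ("application", "web-portal", "5.0.2", "5.0.2", None),
    ("application", "inventory-db", "14.1", "14.7", None),
]

if __name__ == "__main__":
    for component, finding in assess_inventory(INVENTORY, date.today()):
        print(f"{component}: {finding}")
```

The file server in the sample is fully patched yet still reported, which is the legacy-platform case the notes describe: once the vendor stops issuing updates, "up to date" no longer means protected.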
When evaluating risk within an organization, it's important to consider the following types of threats:
Environmental - These are usually caused by nature, such as hurricanes, flooding, earthquakes, and so on.
Manmade - A man-made threat is caused by people. An internal threat comes from inside the organization, such as a disgruntled employee attempting to disrupt the network services within the organization.
An external threat is simply a threat that originates outside the organization, such as a hacker launching a DDoS attack against the company's web server.
Penetration testing is the technique of simulating a real-world cyber-attack on an organization's systems and networks.
Companies hire an "ethical" hacker to hack their network to discover any security vulnerabilities.
The "ethical" hacker will look for vulnerabilities and exploit them, thus breaking into the system.
At the end of a penetration test, the ethical hacker provides a report that contains all the vulnerabilities found and how each can be exploited.
The organization uses the information in the report to improve the security of its network, such as by applying patches and updates and closing unused network ports on systems.
The need for penetration testing - each day new vulnerabilities are discovered by security researchers and hackers.
It's important to perform continuous testing on your network to ensure all backdoors and security flaws are fixed before a real hacker compromises your network.
Reconnaissance - This phase is where the attacker does passive information gathering.
The attacker uses various resources on the Internet, such as social media sites, to gather information about the target.
Passive reconnaissance is an indirect method of gathering information without engaging the target.
Active reconnaissance - The attacker actively engages the target to gather information.
An example of active reconnaissance can be checking the target's website, retrieving DNS records, performing a port scan, and fingerprinting an operating system.
The attacker also performs vulnerability scanning to find any weakness.
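As an added example (not part of the original notes), the following Python script shows the defender's view of active reconnaissance: it runs over constructed firewall log lines and flags any source address that touched many distinct destination ports within a short window, which is the trace a port scan leaves behind. The log format, the addresses (from the documentation ranges), the 60-second window and the 10-port threshold are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log, one event per line: "<timestamp> <src> <dst> <dst_port> <action>".
# 203.0.113.5 probes 15 consecutive ports in 15 seconds (a scan), while 192.0.2.44
# only ever talks to port 443 (a normal client). Addresses are documentation ranges.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:{i:02d} 203.0.113.5 198.51.100.10 {20 + i} DENY" for i in range(15)]
    + [f"2024-05-01T10:00:{i * 5:02d} 192.0.2.44 198.51.100.10 443 ALLOW" for i in range(6)]
)


def parse_log(log_text):
    """Group (timestamp, dst_port) events by source address, sorted by time."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, _dst, port, _action = line.split()
        events[src].append((datetime.fromisoformat(ts), int(port)))
    for evs in events.values():
        evs.sort()
    return events


def detect_port_scans(log_text, window_seconds=60, min_distinct_ports=10):
    """Return {src: most distinct ports seen inside any window} for sources over the threshold.

    A sliding window over the time-sorted events means a very slow scan that stays
    under the threshold within any single window is not flagged; widen the window
    or lower the threshold to trade false negatives for false positives.
    """
    scanners = {}
    window = timedelta(seconds=window_seconds)
    for src, evs in parse_log(log_text).items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events in [start, end] fit in the window.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({port for _, port in evs[start:end + 1]})
            if distinct >= min_distinct_ports:
                scanners[src] = max(distinct, scanners.get(src, 0))
    return scanners


if __name__ == "__main__":
    for src, count in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {count} distinct ports inside a 60 s window")
```

Counting distinct ports rather than raw connection attempts is what separates the scanner from the busy-but-legitimate client in the sample: the client generates six events, all to the same port, and is never flagged.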
Once vulnerabilities are found, the attacker uses an exploit to break into a system or network.
During this phase, the exploit code may or may not work.
The attacker can use multiple techniques to compromise the target system, such as social engineering or buffer overflow attacks, to gain access to a system.
Usually after an attacker gains access to a system, the attacker ensures that he/she will be able to access the compromised system in the future. This is called persistent access.
The attacker creates a backdoor on the compromised system to allow re-entry.
Attackers are also able to pivot from a compromised system, allowing them to move around the internal network.
In this phase, the attacker attempts to clear all logs and any traces of evidence that may indicate the system was compromised.
Black box - In this type of test, the penetration tester does not have any prior knowledge of the organization's systems or network.
White box - In this test, the penetration tester is given all the details about the systems and network.
Gray box - The gray box test is in between white box and black box testing. The penetration tester knows some details about the network but not all of them.
Timeline for the test
When the test can happen
What can be tested
What data can be gathered
Legal concerns
Third-party concerns
Communication
Red team - Discovers security vulnerabilities and exploits those security weaknesses. They also assist in resolving the security vulnerabilities that are discovered. This team is usually not part of the organization.
Blue team - Focuses on detecting and preventing threats. This team is responsible for the defensive side of security and for protecting the organization's assets.
White team - Ensures both the red and blue teams abide by the rules and maintain their integrity. Helps the organization to understand the lessons learned.
Purple team - The purple team is a combination of both red and blue teaming.