After studying chapter 9 you should be able to:
- Define risk and risk management
- Describe the components of risk management
- List and describe vulnerability scanning tools
- Define penetration testing
Risk Management
Risk Management, Assessment, and
- Risk generally denotes a potential negative impact to an asset
- If the threat does occur, it has a negative impact on that asset
Definition of Risk Management
- Realistically, risk cannot ever be entirely eliminated
  - Doing so would cost too much or take too long
- Rather, some degree of risk must always be assumed
- Risk management
  - A systematic and structured approach to managing the potential for loss that is related to a threat
Steps in Risk Management
- The first step or task in risk management is to determine the assets that need to be protected
Attributes of Assets
- Along with the assets, the attributes of the assets need to be compiled
- Attributes are the details about each asset
- They are important in determining each item's relative value
Determining Relative Value
- Factors that should be considered in determining the relative value are:
  - How critical is this asset to the goals of the organization?
  - How difficult would it be to replace it?
  - How much does it cost to protect it?
  - How much revenue does it generate?
  - How quickly can it be replaced?
  - What is the cost to replace it?
  - What is the impact to the organization if this asset is unavailable?
  - What is the security implication if this asset is unavailable?
Threat Agents
Attack Tree
- Provides a visual image of the attacks that may occur against an asset
- (Figure: a single Goal node at the root, with the Method nodes that achieve it as its children)
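The slide shows an attack tree as a picture: one goal with its methods beneath it. The block below is an added example (not from the slides) that makes the tree a data structure so it can be queried. It goes slightly beyond the slide in two standard attack-tree features: OR nodes (any one child achieves the parent) versus AND nodes (all children are needed), and a per-leaf attacker cost, so the cheapest path to the goal can be found. The goal, methods and costs are constructed.

```python
"""Attack tree for one asset, rendered and evaluated for the cheapest attack path.

Added example, not from the slides. Node names and attacker costs are
constructed; OR/AND semantics and leaf costs are the usual attack-tree
extensions, not something the slide itself states.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    name: str
    kind: str = "OR"               # "OR", "AND" or "LEAF"
    cost: float = 0.0              # attacker cost; meaningful for leaves only
    children: List["Node"] = field(default_factory=list)


def cheapest_attack(node: Node) -> Tuple[float, List[str]]:
    """Return (minimum attacker cost, leaf methods used) to achieve `node`.

    OR: the cheapest child wins.  AND: every child is needed, so costs add.
    A leaf is its own cost.  Infinity means there is no way to reach the node.
    """
    if node.kind == "LEAF":
        return node.cost, [node.name]
    if not node.children:
        return float("inf"), []
    results = [cheapest_attack(c) for c in node.children]
    if node.kind == "OR":
        return min(results, key=lambda r: r[0])
    if node.kind == "AND":
        return sum(r[0] for r in results), [leaf for r in results for leaf in r[1]]
    raise ValueError(f"unknown node kind {node.kind!r}")


def render(node: Node, depth: int = 0) -> str:
    """Indented text rendering: the 'visual image' of the attacks on the asset."""
    if node.kind == "LEAF":
        label = f"{node.name} (cost {node.cost:g})"
    else:
        label = f"{node.name} [{node.kind}]"
    lines = ["  " * depth + label]
    for child in node.children:
        lines.append(render(child, depth + 1))
    return "\n".join(lines)


# Constructed tree: the goal is to read a company's customer database.
CUSTOMER_DB_TREE = Node("Read customer database", "OR", children=[
    Node("Guess DBA password", "LEAF", cost=20),
    Node("Steal backup tape", "AND", children=[
        Node("Enter data centre", "LEAF", cost=50),
        Node("Decrypt tape", "LEAF", cost=200),
    ]),
    Node("Exploit web app SQL injection", "LEAF", cost=40),
    Node("Social-engineer a developer", "AND", children=[
        Node("Phish developer credentials", "LEAF", cost=15),
        Node("Bypass MFA", "LEAF", cost=60),
    ]),
])

if __name__ == "__main__":
    print(render(CUSTOMER_DB_TREE))
    cost, path = cheapest_attack(CUSTOMER_DB_TREE)
    print(f"\ncheapest attack: {path} at cost {cost:g}")
```

The cheapest path is what a defender fixes first: raising the cost of a single cheap leaf (here, guessing the DBA password) changes which branch an attacker is expected to take, which is the point of drawing the tree.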
Vulnerability Appraisal
- Finding security weaknesses that expose assets to threats
- Takes a snapshot of the security of the organization as it now stands
- Every asset must be viewed in light of each threat
- Determining vulnerabilities often depends upon the background and experience of the assessor
Risk Assessment
- Determining:
  - The damage that would result from an attack, and
  - The likelihood that the vulnerability is a risk to the organization
Anticipated Losses
- Single Loss Expectancy (SLE)
  - The expected monetary loss every time a risk occurs
- Annualized Loss Expectancy (ALE)
  - The expected monetary loss that can be expected for an asset due to a risk over a one-year period
  - Computed as the SLE multiplied by the annualized rate of occurrence (ARO), the number of times the risk is expected to occur per year
Risk Mitigation
- The final step is to determine what to do about the risks
- Options when confronted with a risk:
  - Diminish the risk
  - Transfer the risk
    - Outsourcing or insurance
  - Accept the risk
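The two slides above (anticipated losses and mitigation) are usually worked as one calculation: compute SLE and ALE for each risk, then compare what each option costs per year. The block below is an added example, not from the slides. It assumes the standard formulas SLE = asset value × exposure factor and ALE = SLE × ARO, and a simple cost model for the three options (accept: absorb the ALE; diminish: pay for a control and absorb the residual ALE; transfer: pay an insurance premium that is assumed to cover the loss in full). The assets, figures and `Risk` fields are constructed.

```python
"""Risk assessment arithmetic and the mitigation decision, as an added example.

Not from the slides.  Assumes the standard formulas SLE = asset value x
exposure factor and ALE = SLE x ARO (annualized rate of occurrence).  The
per-option cost model in option_costs() and every figure in RISKS are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Risk:
    asset: str
    threat: str
    asset_value: float        # what the asset is worth (replacement cost, revenue)
    exposure_factor: float    # fraction of that value lost per occurrence, 0..1
    aro: float                # expected occurrences per year, as things stand
    control_cost: float       # annual cost of the proposed safeguard ("diminish")
    control_aro: float        # ARO once the safeguard is in place
    insurance_premium: float  # annual cost to hand the loss to an insurer ("transfer")


def sle(r: Risk) -> float:
    """Single Loss Expectancy: money lost each time the risk occurs."""
    return r.asset_value * r.exposure_factor


def ale(r: Risk, aro: Optional[float] = None) -> float:
    """Annualized Loss Expectancy: SLE times how often it happens per year."""
    return sle(r) * (r.aro if aro is None else aro)


def option_costs(r: Risk) -> Dict[str, float]:
    """Expected annual cost of each of the slide's three options.

    accept   - do nothing and absorb the expected loss
    diminish - pay for the safeguard and absorb the (smaller) residual loss
    transfer - pay the premium; the insurer absorbs the loss (assumed full cover)
    """
    return {
        "accept": ale(r),
        "diminish": r.control_cost + ale(r, r.control_aro),
        "transfer": r.insurance_premium,
    }


def decide(r: Risk) -> str:
    """The option with the lowest expected annual cost."""
    costs = option_costs(r)
    return min(costs, key=costs.__getitem__)


def rank_by_ale(risks: List[Risk]) -> List[Risk]:
    """Highest expected annual loss first: where assessment effort should go."""
    return sorted(risks, key=ale, reverse=True)


# Constructed figures (currency units are arbitrary).
RISKS = [
    Risk("public web server", "defacement via unpatched CMS",
         100_000, 0.5, 2.0, 20_000, 0.2, 45_000),
    Risk("sales laptop", "theft",
         2_000, 1.0, 0.5, 3_000, 0.1, 1_500),
    Risk("data centre", "flood",
         2_000_000, 0.8, 0.02, 150_000, 0.001, 12_000),
]

if __name__ == "__main__":
    for r in rank_by_ale(RISKS):
        print(f"{r.asset:18} SLE={sle(r):>12,.0f}  ALE={ale(r):>10,.0f}  -> {decide(r)}")
```

The three constructed rows land on a different option each: the web server is cheap to harden relative to its ALE (diminish), the laptop's control costs more than the loss it prevents (accept), and the flood is rare but too expensive to engineer away (transfer).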
Identifying Vulnerabilities
- Identifying vulnerabilities through a vulnerability appraisal
  - Determines the current security weaknesses that could expose assets to threats
- Two categories of software and hardware tools
  - Vulnerability scanning
  - Penetration testing
Vulnerability Scanning
- Vulnerability scanning is typically used by an organization to identify weaknesses in the system
  - Weaknesses that need to be addressed in order to increase the level of security
- Tools include port scanners, network mappers, protocol analyzers, vulnerability scanners, the Open Vulnerability and Assessment Language (OVAL), and password crackers
IP Addresses and Ports
- Internet Protocol (IP) addresses
  - The primary form of address identification on a TCP/IP network
  - Used to uniquely identify each network device
TCP/IP Ports
Port Scanners
- Port scanner
  - Sends probes to interesting ports on a target system
  - Determines the state of a port to know what applications are running and could be exploited
- Three port states:
  - Open: an application is listening and answers the probe
  - Closed: the host is reachable but nothing is listening, so the probe is refused
  - Blocked: no answer at all, typically because a firewall or filter dropped the probe
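The simplest probe a port scanner can send is a full TCP connect(), and the three states on the slide map directly onto the three ways that call can end. The block below is an added example, not from the slides or from any named scanner. To stay offline it starts its own throwaway listener on the loopback address and scans that, plus a port it has confirmed is free; the "blocked" state cannot be produced on loopback, so it is only classified, not demonstrated. Hosts, ports and the timeout are constructed values.

```python
"""TCP connect() port scanner reporting the three states from the slide.

Added example, not from the slides.  Mapping used:
  open    - the three-way handshake completes (something is listening)
  closed  - the target answers with RST, so connect() is refused at once
  blocked - nothing comes back before the timeout (filter/firewall dropped it)
Scans the local host only, against a listener this file starts itself.
"""
import socket
import threading
from typing import Dict, Iterable


def probe_port(host: str, port: int, timeout: float = 0.5) -> str:
    """Classify one TCP port as 'open', 'closed' or 'blocked'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "blocked"            # silently dropped: filtered/blocked
        except ConnectionRefusedError:
            return "closed"             # RST came back: host up, nothing listening
        except OSError:
            # Network/host unreachable and similar: treat as a dropped probe so
            # the caller does not mistake it for a reachable-but-closed port.
            return "blocked"


def scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, str]:
    """Probe each port in order and return {port: state}."""
    return {p: probe_port(host, p, timeout) for p in ports}


def start_listener(host: str = "127.0.0.1") -> socket.socket:
    """Bind a throwaway TCP service on an ephemeral port so there is an open port to find."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(2.0)

    def serve() -> None:
        # Accept and drop connections until the socket is closed or goes idle.
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except (socket.timeout, OSError):
                break

    threading.Thread(target=serve, daemon=True).start()
    return srv


def find_unused_port(host: str = "127.0.0.1") -> int:
    """Ask the OS for a free port, then release it so a probe sees it as closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo() -> Dict[int, str]:
    """Scan one open and one closed loopback port; returns {port: state} in that order."""
    srv = start_listener()
    open_port = srv.getsockname()[1]
    closed_port = find_unused_port()
    try:
        return scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()


if __name__ == "__main__":
    for port, state in demo().items():
        print(f"127.0.0.1:{port} {state}")
```

A connect() scan completes the handshake, so it shows up in the target's application logs; that is why production scanners prefer half-open (SYN) probes, which need raw sockets and privileges this example avoids.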
Network Mappers
- Software tools that can identify all the systems connected to a network
- Most network mappers utilize the TCP/IP protocol ICMP
  - Internet Control Message Protocol (ICMP)
  - Used by PING to identify devices
  - Less useful for modern versions of Windows, whose host firewall typically blocks ICMP echo requests, so live hosts do not answer
Protocol Analyzers
- Also called a sniffer
- Captures each packet to decode and analyze its contents
- Can fully decode application-layer network protocols
- Common uses include:
  - Network troubleshooting
  - Network traffic characterization
  - Security analysis
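"Decode each packet" means peeling the layers in turn: IP header, then TCP header, then whatever application protocol the payload carries. The block below is an added example, not from the slides and not the code of any named sniffer. A real analyzer reads frames from an interface or a pcap file; to run offline this one builds a single IPv4/TCP packet inline with struct.pack and decodes it back down to the HTTP request. Only the fields needed to follow the layers are decoded, checksums are neither computed nor checked, and the addresses, ports and request (including the Basic-auth credential it exposes) are constructed.

```python
"""Minimal protocol analyzer: decode one IPv4/TCP packet down to the HTTP request.

Added example, not from the slides.  The packet is constructed in
build_packet(); decode() peels IP, then TCP, then HTTP.
"""
import base64
import socket
import struct
from typing import Any, Dict

TCP_FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
                 ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]
IP_HEADER = "!BBHHHBBH4s4s"    # 20-byte IPv4 header, no options
TCP_HEADER = "!HHIIBBHHH"      # 20-byte TCP header, no options


def build_packet(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed IPv4+TCP packet (no Ethernet frame); checksum fields left as 0."""
    tcp = struct.pack(TCP_HEADER, sport, dport, 1000, 2000,
                      5 << 4,        # data offset: 5 words = 20 bytes
                      0x18,          # flags PSH|ACK
                      65535, 0, 0) + payload
    ip = struct.pack(IP_HEADER,
                     (4 << 4) | 5,  # version 4, IHL 5 words
                     0, 20 + len(tcp), 0x1234,
                     0x4000,        # DF set, fragment offset 0
                     64, 6,         # TTL, protocol 6 = TCP
                     0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + tcp


def decode_http_request(data: bytes) -> Dict[str, Any]:
    """Application layer: parse an HTTP request line and headers, or {} if not HTTP."""
    head = data.partition(b"\r\n\r\n")[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return {}
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.decode("ascii").strip().lower()] = value.decode("latin-1").strip()
    out: Dict[str, Any] = {"method": parts[0].decode("ascii"), "target": parts[1].decode("ascii"),
                           "version": parts[2].decode("ascii"), "headers": headers}
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        # The security-analysis payoff: Basic auth is only base64, so anyone
        # sniffing the path recovers the credential verbatim.
        out["credentials"] = base64.b64decode(auth[6:]).decode("latin-1")
    return out


def decode(packet: bytes) -> Dict[str, Any]:
    """Peel IPv4, then TCP, then the application layer; return what each layer held."""
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack(IP_HEADER, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    result: Dict[str, Any] = {"ip": {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
                                     "ttl": ttl, "proto": proto}}
    if proto != 6:
        return result
    segment = packet[ihl:total_len]
    sport, dport, seq, ack, off_res, flags, window, _csum, _urg = \
        struct.unpack(TCP_HEADER, segment[:20])
    result["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
                     "flags": [name for name, bit in TCP_FLAG_BITS if flags & bit]}
    http = decode_http_request(segment[(off_res >> 4) * 4:])
    if http:
        result["http"] = http
    return result


# Constructed capture: a workstation logging in to an intranet admin page over plain HTTP.
SAMPLE_REQUEST = (b"GET /admin HTTP/1.1\r\nHost: intranet.example.test\r\n"
                  b"Authorization: Basic " + base64.b64encode(b"admin:hunter2") + b"\r\n\r\n")
SAMPLE_PACKET = build_packet("10.0.0.5", "10.0.0.80", 51234, 80, SAMPLE_REQUEST)

if __name__ == "__main__":
    for layer, fields in decode(SAMPLE_PACKET).items():
        print(layer, fields)
```

The same decoder run against a capture of a TLS connection would stop at the TCP layer, which is the practical meaning of "can fully decode application-layer protocols": only for protocols that travel in the clear.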
Vulnerability Scanners
- Products that look for vulnerabilities in networks or systems
- Help network administrators find security problems
- Most vulnerability scanners maintain a database that categorizes and describes the vulnerabilities that they can detect
- Other types of vulnerability scanners combine the features of a port scanner and network mapper
Open Vulnerability and Assessment Language
Password Crackers
- Password cracker programs
  - Use the file of hashed passwords and then attempt to break the hashed passwords offline
  - The most common offline password cracker programs are based on dictionary attacks or rainbow tables
Shadow File
- A defense against password cracker programs for UNIX and Linux systems
- On a system without a shadow file
  - The passwd file, which contains the hashed passwords along with other user information, is readable by all users, so any user can copy the hashes and crack them offline
- The shadow file can only be accessed at the highest privilege level (root) and holds the hashed passwords, while passwd keeps only an "x" in the password field
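The two slides above describe one attack and one defense: copy the hash file, then try candidate passwords offline, either by hashing a word list (dictionary attack) or by looking the hash up in a precomputed table (rainbow table); the shadow file takes the hashes out of the world-readable passwd file. The block below is an added example, not from the slides and not any real cracker's code. Real Linux shadow entries use crypt(3) formats such as $6$ (sha512crypt); to stay self-contained this block uses two constructed record formats instead, an unsalted `$sha256$<hex>` that a precomputed table defeats, and a salted, iterated `$pbkdf2-sha256$<iterations>$<salt-hex>$<hex>` that forces per-user hashing. The users, passwords, salt, word list and passwd/shadow lines are all constructed.

```python
"""Offline dictionary/rainbow-table attack on a hashed-password file, plus the
passwd-versus-shadow check.  Added example, not from the slides; the two
record formats are constructed stand-ins for real crypt(3) formats.
"""
import hashlib
import hmac
from typing import Dict, Iterable, List, Optional

WORDLIST = ["123456", "password", "letmein", "hunter2", "Winter2024!", "qwerty"]


def hash_unsalted(password: str) -> str:
    """Unsalted fast hash: identical passwords give identical records."""
    return "$sha256$" + hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes, iterations: int = 20_000) -> str:
    """Salted, iterated hash: a table built for one user is useless for another."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"$pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the record from a candidate password and compare."""
    if record.startswith("$sha256$"):
        return hmac.compare_digest(hash_unsalted(password), record)
    if record.startswith("$pbkdf2-sha256$"):
        _, _, iterations, salt_hex, _ = record.split("$")
        candidate = hash_salted(password, bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, record)
    raise ValueError("unknown hash format: " + record[:16])


def rainbow_table(words: Iterable[str]) -> Dict[str, str]:
    """hash -> password, computed once and reused; only works on unsalted hashes."""
    return {hash_unsalted(w): w for w in words}


def dictionary_attack(shadow_lines: Iterable[str], words: List[str]) -> Dict[str, Optional[str]]:
    """user -> recovered password, or None if no word in the list matched."""
    table = rainbow_table(words)
    cracked: Dict[str, Optional[str]] = {}
    for line in shadow_lines:
        user, record = line.split(":")[:2]
        if record in table:                 # precomputed lookup: no hashing at all
            cracked[user] = table[record]
        else:                               # salted: hash every candidate for this user
            cracked[user] = next((w for w in words if verify(w, record)), None)
    return cracked


def passwd_exposes_hashes(passwd_lines: Iterable[str]) -> List[str]:
    """Users whose world-readable passwd entry still carries a hash.

    'x' means the hash lives in the shadow file; '*' and '!' mark locked
    accounts with no hash.  Anything else is visible to every local user.
    """
    return [line.split(":")[0] for line in passwd_lines
            if line.split(":")[1] not in ("x", "*", "!")]


SALT = bytes.fromhex("0f1e2d3c4b5a6978")          # constructed, fixed for repeatability
SHADOW = [                                        # constructed shadow-style lines: user:hash
    "alice:" + hash_unsalted("hunter2"),
    "bob:" + hash_salted("Winter2024!", SALT),
    "carol:" + hash_salted("T7#kq9!zLmP2", SALT),
]
PASSWD_UNSHADOWED = [                             # hashes sit in the world-readable passwd file
    "alice:" + hash_unsalted("hunter2") + ":1000:1000:Alice:/home/alice:/bin/bash",
    "bob:" + hash_salted("Winter2024!", SALT) + ":1001:1001:Bob:/home/bob:/bin/bash",
]
PASSWD_SHADOWED = [                               # same users after conversion to shadow
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash",
    "bob:x:1001:1001:Bob:/home/bob:/bin/bash",
]

if __name__ == "__main__":
    print("hashes exposed in passwd (before shadow):", passwd_exposes_hashes(PASSWD_UNSHADOWED))
    print("hashes exposed in passwd (after shadow): ", passwd_exposes_hashes(PASSWD_SHADOWED))
    print("cracked:", dictionary_attack(SHADOW, WORDLIST))
```

Two things to notice from the constructed run: the salted hash does not stop the dictionary attack on bob's weak password, it only removes the table shortcut, while carol's password survives because it is not in the list; and the shadow file does not make hashes stronger at all, it only limits who can read them.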
- Report the problems without actually exploiting them
- Offer a tutorial that explains the problem, what its impact could be, and how to resolve it