Risk

Likelihood that a threat will exploit a vulnerability

Vulnerability

Weakness in the system

Threat

Potential danger

Threats

Threat vector: Means to carry out a threat

Threat types

Natural threats - natural disasters etc, such as fire, a storm

Malicious human threats (malicious insider for instance)

Accidental human threats (maybe the support guy forgot to close off a certain port or someone unintentionally propagates a worm)

Environmental threats (ESD, RFID) (Especially important in SCADA systems)

Threat assessment

helps an organization identify and categorize threats

Vulnerabilities

Sources of vulnerabilities

Lack of updates

Default configurations

Lack of malware protection or updating of definitions

Lack of firewalls

Lack of organizational policies

Lack of end user awareness

Risk Management

Practices of identifying, monitoring, and limiting risks to a manageable level

Risk management methods

Risk avoidance - totally eliminating risk but consumes lots of resources and is not feasible for the end user

Risk transference - transfer some detriments of a threat occurring, for instance, insurance  

Risk acceptance - accepting that things will happen

Risk mitigation - most common method, mitigate some risks, so employing just enough risk management to make it both secure and feasible for the end user

Risk deterrence - deter risks, through security guards, etc

Quantitative risk assessment 

Measures the risk using a specific monetary amount  

Signal loss expectancy (SLE)

Cost of a single loss

Annual rate of occurrence (ARO) (Amount of times a loss will occur in a year)

Annual loss expectancy

Cost of losses over a year

ALE = SLE x ARO

Qualitative risk assessment

Uses judgement to categorize risk based on probability and impact

Difficult to measure

Arbitrary figures are generally used

Metrics

MTBF (mean time between failures) (want this to be high as possible)

MTTF (mean time to failure) (want this to be high as possible)

MTTR (mean time to recover) (want this to be as low as possible)

Risk Registers

Detailed entries on the information regarding identified risks

Category

Specific risk

Likelihood of occurrence

Impact

Risk score

Security controls

Contingencies 

Action assigned to

Action deadline

Supply Chain Assessment 

Evaluates every resource needed to produce and sell a product

Risk assessments should be taken concurrently

Vulnerability Assessment

Assesses the security posture of a system

Passive test, contrary to a pentest, which is intrusive

Identifies vulnerabilities passively

Key steps

Vulnerability scan

Identifies vulnerabilities

Identifies misconfigurations

Passively tests security controls

Identifies lack of security controls

You can perform a vulnerability scan by, for instance, an IDS

Unlike a pentest, security controls are tested passively

Credentialed vulnerability

Runs a scan with the credentials of an authorized user

More official vulnerability scan with slightly more validity

Other assessment techniques

Baseline reporting

Code review (input validation, fuzzing, etc)

Attack surface review

Architecture review (topologies) 

Design revie

Testers have no knowledge of the system prior to the test

White box testing

Gray box testing

Testers have limited knowledge of the system prior to the test

Continuous monitoring and routine auditing is imperative

Protecting a system against vulnerabilities must be an ongoing process

AKA protocol analyzer

Captures, displays, and analyzes packets sent over a network

Auditing tools

Logs

IDSs

Assess the rights and permissions allocated to users

Passive reconnaissance

Uses open source and public knowledge

Active reconnaissance

Gaining access to other resources through an initial vector

Commands

tcpdump - linux

Nmap - Windows (Zenmap is a GUI version of nmap)

Netcat - linux