CHAPTER 2
Managing Risk: Threats, Vulnerabilities, and Exploits
Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.
Learning Objective(s) and Key Concepts
Learning Objective(s):
  Describe techniques for identifying, analyzing, and mitigating relevant threats, vulnerabilities, and exploits.
Key Concepts:
  Understanding and managing threats, vulnerabilities, and exploits
  Use of threat/vulnerability pairs in managing risk
  U.S. federal government risk management initiatives
Understanding and Protecting Assets
An asset represents anything of value that needs to be protected
In the IT world, assets include data, people, processes, and technology systems
Weaknesses in any of these areas can be exploited by threats to harm these assets
Understanding and Managing Threats
Risk = Threat × Vulnerability × Asset
Uncontrollable Nature of Threats
Threats cannot be eliminated
Threats are always present
Threats can persist for a long period of time
Action can be taken to reduce the potential for a threat to occur
Action can be taken to reduce the impact of a threat
Unintentional Threats
Environmental
Human
Accidents
Failures
Intentional Threats
Greed
Anger
Desire to damage
Intentional and Unintentional Threats
Unintentional Threats:
  Environmental: fire, wind, lightning, flooding
  Accident
  Equipment failures
  Human: keystroke errors, procedural errors, programming bugs
Intentional Threats:
  Individuals or organizations: criminals, advanced persistent threats (APTs), vandals, saboteurs, disgruntled employees, activists, other nations
Best Practices for Managing Risk Within an IT Infrastructure
Create a security policy
Purchase insurance
Use access controls
Use automation
Include input validation
Provide training
Use antivirus software
EY Global Information Security Survey 2018–2019
Cyber risks are evolving
Organizations must:
Protect the enterprise
Optimize security
Increase efficiency
Reinvest in tech that enhances protection
6.4 billion fake emails sent; average cost of breach $3.62 million
40% had same budget as previous year, 15% plan to increase budget, 1% had 25% budget decrease
Largest source of vulnerabilities is careless or unaware employees
Cybersecurity needs to be in the DNA of the organization
Understanding and Managing Vulnerabilities
Countermeasures reduce risk and loss
Reduce vulnerabilities
Reduce impact of loss
Threat/Vulnerability Pairs
Occurs when a threat exploits a vulnerability
A vulnerability provides a path for the threat that results in a harmful event or a loss
Both the threat and the vulnerability must come together to result in a loss
Vulnerabilities Can Be Mitigated
Identify and prioritize vulnerabilities
Reduce the exposure of the vulnerabilities
Reduce the rate of occurrence
Reduce the impact of the loss
Provide security education, training, and awareness
Mitigation Techniques
Policies and procedures
Documentation
Training
Separation of duties
Configuration management
Version control
Patch management
Intrusion detection system (IDS)
Incident response
Continuous monitoring
Technical controls
Physical controls
Best Practices for Managing Vulnerabilities Within an IT Infrastructure
Identify vulnerabilities
Match the threat/vulnerability pairs
Use as many of the mitigation techniques as feasible
Perform vulnerability assessments
Use security analytical tools
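The chapter's model (Risk = Threat × Vulnerability × Asset, a loss needing a threat and a matching vulnerability to come together, and countermeasures that reduce exposure) worked through in code. This is an added illustration, not material from the textbook; the threat names, likelihoods, exposures and asset values are constructed sample data.

```python
"""Threat/vulnerability pair ranking (added example; all data below is constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float      # 0..1, chance the threat acts in the period
    exploits: frozenset    # vulnerability classes this threat can take advantage of


@dataclass(frozen=True)
class Vulnerability:
    name: str
    vuln_class: str
    exposure: float        # 0..1, how reachable the weakness is
    asset: str


# Constructed asset values in dollars (the "Asset" term of the formula).
ASSET_VALUE = {"web-server": 80_000, "hr-database": 250_000}


def pair_risks(threats, vulns, asset_value=ASSET_VALUE):
    """Score Threat x Vulnerability x Asset for each valid pair, highest first.

    A threat that cannot use a given weakness forms no pair, so it contributes
    no risk: both halves must come together for a loss to be possible.
    """
    rows = []
    for t in threats:
        for v in vulns:
            if v.vuln_class not in t.exploits:
                continue
            rows.append((t.name, v.name, t.likelihood * v.exposure * asset_value[v.asset]))
    return sorted(rows, key=lambda r: r[2], reverse=True)


def apply_countermeasure(vulns, vuln_name, exposure_factor):
    """Model a control (patching, input validation, ...) that cuts one vulnerability's exposure."""
    return [Vulnerability(v.name, v.vuln_class, v.exposure * exposure_factor, v.asset)
            if v.name == vuln_name else v for v in vulns]


THREATS = [  # constructed
    Threat("external criminal", 0.6, frozenset({"injection", "unpatched-service"})),
    Threat("lightning strike", 0.05, frozenset({"no-surge-protection"})),
]
VULNS = [  # constructed
    Vulnerability("unvalidated login form", "injection", 0.9, "hr-database"),
    Vulnerability("missing SMTP patch", "unpatched-service", 0.5, "web-server"),
    Vulnerability("no UPS on rack", "no-surge-protection", 1.0, "web-server"),
]
```

Running `pair_risks(THREATS, VULNS)` ranks the login-form pair first; after `apply_countermeasure(VULNS, "unvalidated login form", 0.1)` the same threat's next-best pair (the unpatched SMTP service) becomes the top priority, which is the reprioritization the slides describe.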
Understanding and Managing Exploits
An exploit is the act of taking advantage of a vulnerability
Executes a command or program against an IT system to take advantage of a weakness
Results in a compromise to the system, an application, or data
Understanding and Managing Exploits
Attacks executed by code primarily affect public-facing servers
Web servers
Simple Mail Transfer Protocol (SMTP) email servers
File Transfer Protocol (FTP) servers
Exploits
Attack public-facing servers
Buffer overflow
SQL injection
Denial of service (DoS) attack
Distributed denial of service (DDoS) attack
How Do Perpetrators Initiate an Exploit?
Public server discovery
Server fingerprinting
Vulnerability discovery, by programmers or by attackers
Where Do Perpetrators Find Information About Vulnerabilities and Exploits?
Blogs
Forums
Security newsletters
2600: The Hacker Quarterly
Common Vulnerabilities and Exposures (CVE) list
Reverse engineering
The dark web
Mitigation Techniques
Remove or change defaults
Reduce the attack surface
Keep systems up to date
Enable firewalls
Enable IDS
Enable an intrusion prevention system
Install antivirus software
Best Practices for Managing Exploits Within an IT Infrastructure
Harden servers
Use configuration management
Perform risk assessments
Perform vulnerability assessments
Use security information and event management (SIEM) tools
U.S. Federal Government Risk Management Initiatives
The National Institute of Standards and Technology (NIST)
The Department of Homeland Security
The National Cybersecurity and Communications Integration Center (NCCIC)
U.S. Computer Emergency Readiness Team (US-CERT)
The MITRE Corporation: Common Vulnerabilities and Exposures (CVE) List
Relationships Among Organizations Involved in the U.S. Federal Government Risk Management Initiatives
Summary
Understanding and managing threats, vulnerabilities, and exploits
Use of threat/vulnerability pairs in managing risk
U.S. federal government risk management initiatives
10/8/2020