INFORMATION ASSURANCE & SECURITY 1
MODULE 8: RISK MANAGEMENT
OBJECTIVES
Upon completion of this module, the student would be able to:
▪ Define risk analysis and its goals;
▪ Demonstrate threat and risk management;
▪ Explain the importance of risk response strategies;
▪ Give different techniques and tools for vulnerability assessment;
▪ Discuss the different types of mitigation;
▪ Give different deterrent techniques.
OBJECTIVES
Upon completion of this module, the student would be able to:
▪ Identify and perform vulnerability risk assessment;
▪ Discuss mitigation and deterrent techniques;
▪ Discuss vulnerability assessment techniques;
▪ Give different types of vulnerability scans.
RISK ANALYSIS, IMPLEMENT VULNERABILITY ASSESSMENT TOOLS, MITIGATION AND DETERRENT TECHNIQUES
DEFINING THREAT AND RISK MANAGEMENT
❑Threat and risk management is the process of identifying, assessing, and
prioritizing threats and risks.

[Figure: Threat and Risk Management cycle with four stages: Assessment, Analysis, Mitigation, Response]
Use DREAD to measure and rank the risk level of threats:
❑ Damage potential: How much damage can be inflicted on our system?
❑ Reproducibility: Can the attack be reproduced easily?
❑ Exploitability: How much effort and experience are necessary?
❑ Affected users: If the attack occurs, how many users will be affected?
❑ Discoverability: How easily can the weakness be discovered or found?
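
As an added example (not part of the module), the following Python scores a few constructed threats against the five DREAD categories, sums the scores, and ranks them; the 1-to-3 scale per category and the High/Medium/Low bands are assumptions, not values given in the module.

```python
from __future__ import annotations
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class Dread:
    """One DREAD rating. Each category is scored 1 (low) to 3 (high);
    the scale is an assumption, chosen so the total ranges 5..15."""
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        # Reject ratings outside the scale so a typo cannot skew the ranking.
        for f in fields(self):
            value = getattr(self, f.name)
            if not 1 <= value <= 3:
                raise ValueError(f"{f.name}={value} is outside 1..3")

    def total(self) -> int:
        return sum(getattr(self, f.name) for f in fields(self))


def risk_level(total: int) -> str:
    # Assumed bands over the 5..15 total: 12+ High, 8..11 Medium, else Low.
    if total >= 12:
        return "High"
    if total >= 8:
        return "Medium"
    return "Low"


def rank_threats(threats: dict[str, Dread]) -> list[tuple[str, int, str]]:
    """Return (name, total, level) tuples, highest DREAD total first."""
    ranked = sorted(threats.items(), key=lambda kv: kv[1].total(), reverse=True)
    return [(name, d.total(), risk_level(d.total())) for name, d in ranked]


# Constructed sample threats for a hypothetical web application.
SAMPLE_THREATS = {
    "SQL injection in login form": Dread(3, 3, 2, 3, 2),         # total 13
    "Verbose error page leaks stack trace": Dread(1, 3, 3, 1, 3),  # total 11
    "Physical theft of backup tape": Dread(3, 1, 1, 3, 1),       # total 9
}

if __name__ == "__main__":
    for name, total, level in rank_threats(SAMPLE_THREATS):
        print(f"{total:2d}  {level:6s}  {name}")
```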


Security Assessment Types

❑ Risk is generally defined as the probability that an event will occur.

❑ Threat is a very specific type of risk, defined as an action or occurrence that
could result in a breach of security, an outage, or corruption of a system by
exploiting known or unknown vulnerabilities.

❑ Vulnerability is the quality or state of being exposed to the possibility of
being attacked or harmed, either physically or emotionally.
Risk Types
❑Natural disasters:
✓Earthquake
✓Wildfire
✓Flooding
✓Storms
✓Power outages

❑Man-made disasters:
✓Intentional:
• Terrorism, Bomb Threats, Arson, Theft
✓Unintentional:
• Employee mistakes
Components of Risk Analysis

❑Determine vulnerabilities that a threat can exploit.
❑Determine the possibility of damage occurring.
❑Determine the extent of potential damage.
Phases of Risk Analysis

Risk Analysis Process Phase        Description
1. Asset identification            Determining the value of the asset that needs protection.
2. Vulnerability identification    Locating weaknesses in a system.
3. Threat assessment               Determining who or what can exploit vulnerabilities.
4. Probability quantification      Determining how likely it is for a threat to exploit a vulnerability.
5. Impact analysis                 Estimating the cost of recovering from a harmful event.
6. Countermeasures determination   Establishing cost-effective measures to reduce risk.


Risk Analysis Methods

❑Qualitative
❑Quantitative
Risk Calculation

Vulnerability        Identification Source   Risk of Occurrence (1=Low; 5=High)   Impact Estimate (US Dollars)   Mitigation
Flood damage         Physical plant          5                                     $95,000                        Flood insurance
Electrical failure   Physical plant          2                                     $100,000                       Generator, UPS
Flu epidemic         Personnel               4                                     $200,000                       Flu shots
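
An added example (not from the module) that ranks the table's three rows both ways the module names: qualitatively, by the occurrence rating alone, and quantitatively, by occurrence weight times dollar impact; treating the 1-to-5 rating as a multiplier is an assumption made here so the two orderings can be compared.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEntry:
    vulnerability: str
    source: str
    occurrence: int   # 1 = Low .. 5 = High (the table's qualitative rating)
    impact_usd: int   # estimated loss if the event occurs
    mitigation: str


# The three rows of the module's risk calculation table.
RISK_TABLE = [
    RiskEntry("Flood damage", "Physical plant", 5, 95_000, "Flood insurance"),
    RiskEntry("Electrical failure", "Physical plant", 2, 100_000, "Generator, UPS"),
    RiskEntry("Flu epidemic", "Personnel", 4, 200_000, "Flu shots"),
]


def exposure(entry: RiskEntry) -> int:
    # Assumption: use the 1..5 occurrence rating as a relative weight on the
    # dollar impact so rows with different likelihoods become comparable.
    return entry.occurrence * entry.impact_usd


def qualitative_order(table: list[RiskEntry]) -> list[str]:
    # Rank by likelihood only, as a purely qualitative review would.
    return [e.vulnerability for e in sorted(table, key=lambda e: e.occurrence, reverse=True)]


def quantitative_order(table: list[RiskEntry]) -> list[tuple[str, int]]:
    # Rank by weighted exposure; this is where the dollar estimates change the order.
    ranked = sorted(table, key=exposure, reverse=True)
    return [(e.vulnerability, exposure(e)) for e in ranked]


def exposure_share(table: list[RiskEntry]) -> dict[str, float]:
    # Fraction of total weighted exposure each row contributes (sums to 1.0).
    total = sum(exposure(e) for e in table)
    return {e.vulnerability: exposure(e) / total for e in table}


if __name__ == "__main__":
    print("Qualitative: ", qualitative_order(RISK_TABLE))
    print("Quantitative:", quantitative_order(RISK_TABLE))
    for name, share in exposure_share(RISK_TABLE).items():
        print(f"{name:20s} {share:6.1%}")
```

Run as-is, the qualitative list puts flood damage first because it is the most likely event, while the quantitative list puts the flu epidemic first because its weighted exposure ($800,000) exceeds the flood's ($475,000).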


Failsafe, Fail secure, and Fail open
❑Failsafe:
✓Prevents harm in the event of failure
✓Mechanical crash bars

❑Fail secure:
✓Keeps something secure in the event of failure
✓Electric door strikes

❑Fail open:
✓Allows access in the event of failure
✓Magnetic lock
Risk Response Strategies

❑Avoidance
❑Transference
❑Acceptance
❑Mitigation
RISK AVOIDANCE is the process of eliminating a risk by choosing to
not engage in an action or activity.
RISK TRANSFERENCE is the act of taking steps to move responsibility
for a risk to a third party through insurance or outsourcing.
RISK ACCEPTANCE is the act of identifying and then making an
informed decision to accept the likelihood and impact of a specific risk.
RISK MITIGATION consists of taking steps to reduce the likelihood or
impact of a risk.
RISK DETERRENCE involves putting into place systems and policies
to mitigate a risk by protecting against the exploitation of vulnerabilities
that cannot be eliminated.
SCAN FOR VULNERABILITIES, MITIGATION AND DETERRENT TECHNIQUES
Vulnerability Assessment
Vulnerability Assessment is the process of identifying, quantifying, and
prioritizing (or ranking) the vulnerabilities in a system.

Vulnerability assessment refers to the process of identifying risks and
vulnerabilities in computer networks, systems, hardware, applications, and
other parts of the IT ecosystem.
Importance of Vulnerability Assessments
Vulnerability assessments allow security teams to apply a consistent, comprehensive,
and clear approach to identifying and resolving security threats and risks. This has
several benefits to an organization:

✓ Early and consistent identification of threats and weaknesses in IT security
✓ Remediation actions to close any gaps and protect sensitive systems and information
✓ Meet cybersecurity compliance and regulatory needs for areas
✓ Protect against data breaches and other unauthorized access
Vulnerability Assessment Techniques
❑ Review a baseline report.
❑ Perform regular code reviews.
❑ Determine the attack surface.
❑ Review security architecture.
Vulnerability Assessment Tools

❑Protocol analyzer
❑Sniffer
❑Vulnerability scanner
❑Port scanner
❑Honeypot
A PROTOCOL ANALYZER is a tool (hardware or software) used to capture and
analyze signals and data traffic over a communication channel.
SNIFFERS are specially designed software (and in some cases hardware)
applications which capture network packets as they traverse the network
and display them for the attacker.
A VULNERABILITY SCANNER is a computer program designed to assess
computers, networks or applications for known weaknesses. In plain words,
these scanners are used to discover the weaknesses of a given system.
A honeypot is a trap for hackers. A honeypot is designed to distract hackers
from real targets, detect new vulnerabilities and exploits, and learn about the
identity of attackers.

A honey net is just a collection of honeypots used to present an attacker with
an even more realistic attack environment.
Hacking is using computer skills to find the weaknesses in a computer or a
network and then exploiting those weaknesses by gaining unauthorized
access to the system or network.

A Hacker is a person who finds and exploits the weaknesses in computer
systems and/or networks to gain access.
Ethical Hacking

[Figure: a White Hat carries out Footprinting → Scanning → Enumerating → Attacking and reports on the security flaws found]

Hacking Process

✓ 1. Footprinting
✓ 2. Scanning
✓ 3. Enumeration
✓ 4. Attacking
FOOTPRINTING is the process of collecting as much information as possible
about the target system to find ways to penetrate the system.
SCANNING is a set of procedures for identifying live hosts, ports, and services,
and discovering the operating system and architecture of the target system.
ENUMERATION belongs to the first phase of Ethical Hacking, i.e.,
“Information Gathering”.
An ATTACK is an information security threat that involves an attempt to
obtain, alter, destroy, remove, implant, or reveal information without
authorized access or permission.
Vulnerability Scanning and Penetration Testing
❑Vulnerability scan:
✓Passively identifies missing security controls
✓Detects poor configurations
✓Doesn’t test the security mechanisms themselves
✓Credentialed vs. non-credentialed
✓May produce false positives and false negatives

❑Penetration test:
✓Actively simulates an attack on a system
✓Tests security strength directly and thoroughly
✓Less common
✓More intrusive
✓May cause actual damage
Vulnerability scanning is an inspection of the potential points of
exploit on a computer or network to identify security holes.
Types of vulnerability scanners include:

• Port Scanner
• Network Enumerator
• Network Vulnerability Scanner
• Web Application Security Scanner
• Computer Worm
Box Testing Methods

[Figure: Footprinting → Scanning → Enumerating → Attacking, carried out as a Black Box Test, Grey Box Test, or White Box Test]

✓ In White Box testing, the internal structure (code) is known.
✓ In Black Box testing, the internal structure (code) is unknown.
✓ In Grey Box testing, the internal structure (code) is partially known.