
Security + Computer System Security

DCOM 258 E31


Name: Shaamim Ahmed
Chapter 11: Vulnerability & Risk Assessment
Part # 1

Part A: Define the following key terms (12 points):


1. Risk management
The identification, assessment, and prioritization of risks, and the mitigating and
monitoring of those risks.
2. Residual risk
The risk left over after a security and disaster recovery plan have been implemented
3. Risk assessment
The risk left over after a security and disaster recovery plan have been implemented
4. Qualitative risk assessment
An assessment that assigns numeric values to the probability of a risk and the impact it
can have on the system or network
5. Quantitative risk assessment
Measures risk by using exact monetary values
Attempts to give an expected yearly loss in dollars for any given risk
SLE x ARO = ALE
6. SLE
The loss of value in dollars based on a single incident.
7. ARO
The number of times per year that the specific incident occurs
8. ALE
The total loss in dollars per year due to a specific incident. The incident might happen
once or more than once; either way, this number is the total loss in dollars for that
particular type of incident.
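As an added example (not part of the assignment), the following Python computes the quantitative figures defined above for a few constructed sample risks and ranks them by expected yearly loss, which is how the numbers feed the prioritization step of risk management. The risk names and dollar amounts are made-up sample data, and `aro_from_history` is an assumed helper that derives ARO from an observed incident count.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One risk scenario; monetary values are in dollars (constructed sample data)."""
    name: str
    sle: float  # Single Loss Expectancy: loss in dollars from one incident
    aro: float  # Annualized Rate of Occurrence: incidents per year

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy: SLE x ARO = ALE."""
        return self.sle * self.aro


def aro_from_history(incidents: int, years: float) -> float:
    """Estimate ARO from an observed count of incidents over a number of years.

    An incident seen once every 5 years gives ARO = 0.2; ARO may be below 1.
    """
    if years <= 0:
        raise ValueError("years must be positive")
    return incidents / years


def rank_by_ale(risks):
    """Return the risks ordered from highest to lowest expected yearly loss."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


# Constructed sample risks; the figures are illustrative, not real estimates.
SAMPLE_RISKS = [
    Risk("Laptop theft", sle=3000.0, aro=2.0),  # two lost laptops per year
    Risk("Ransomware outbreak", sle=250000.0, aro=aro_from_history(1, 5)),
    Risk("Web server defacement", sle=8000.0, aro=0.5),  # once every two years
]

if __name__ == "__main__":
    for r in rank_by_ale(SAMPLE_RISKS):
        print(f"{r.name:<24} SLE=${r.sle:>10,.2f} ARO={r.aro:.2f} ALE=${r.ale:>10,.2f}")
```

Running it lists the ransomware scenario first (ALE $50,000) even though it is the least frequent, because ALE weights the single-incident loss by how often it is expected, which is exactly the point of doing the assessment in dollars rather than by gut feel.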
9. Active security analysis
Active security analysis is when actual hands-on tests are run on the system in question.
These tests might require a device to be taken off the network for a short time, or might
cause a loss in productivity.
10. Passive security analysis
Passive security analysis is when servers, devices, and networks are not affected by your
analyses, scans, and other tests. It could be as simple as using documentation only to test
the security of a system. For example, if an organization's network documentation shows
computers, switches, servers, and routers, but no firewall, you have found a vulnerability
to the network (a rather large one).
11. Fingerprinting
Active fingerprinting is when a direct connection is made to the computer starting with
ICMP requests. This type of test could cause the system to respond slowly to other
requests from legitimate computers. Passive fingerprinting is when the scanning host
sniffs the network by chance, classifying hosts as the scanning host observes its traffic on
the occasion that it occurs. This method is less common in port scanners but can help to
reduce stress on the system being scanned.
12. Penetration testing
Penetration testing is a method of evaluating the security of a system by simulating one
or more attacks on that system. One of the differences between regular vulnerability
scanning and penetration testing is that vulnerability scanning may be passive or active,
whereas penetration testing will be active. Generally, vulnerability scans will not exploit
found threats, but penetration testing will definitely exploit those threats. Another
difference is that vulnerability scanning will seek out all vulnerabilities and weaknesses
within an organization.
13. Open Vulnerability and Assessment Language (OVAL)
The Open Vulnerability and Assessment Language (OVAL) is a standard designed to
regulate the transfer of secure public information across networks and the Internet
utilizing any security tools and services available at the time. It is an international
standard but is funded by the U.S. Department of Homeland Security.
14. Password analysis
Password analysis is the name given to a variety of methods used to recover or crack a
password.

Part B: Short Answers (8 points)


1. Identify the four major strategies used by organizations to manage risks.
Transfer the risk to another organization or third party.
Avoid the risk.
Reduce the risk.
Accept some or all the consequences of a risk.
2. Discuss the following concepts:
A. Management controls
Management controls means these are techniques and concerns addressed by
an organization's management (managers and executives). Generally, these
controls focus on decisions and the management of risk. They also concentrate

on procedures, policies, legal and regulatory, the systems development life
cycle (SDLC), the computer security life cycle, information assurance, and
vulnerability management/scanning. In short, these controls focus on how the
security of your data and systems is managed.
B. Operational controls
Operational controls: These are the controls executed by people. They are
designed to increase individual and group system security. They include user
awareness and training, fault tolerance and disaster recovery plans, incident
handling, computer support, baseline configuration development, and
environmental security.
C. Technical controls
Technical controls: These are the logical controls executed by the computer
system. Technical controls include authentication, access control, auditing,
and cryptography. The configuration and workings of firewalls, session locks,
RADIUS servers, or RAID 5 arrays would be within this category, as well as
concepts such as least privilege implementation.
D. Preventive controls
Preventive controls: These controls are employed before the event and are
designed to prevent an incident. Examples include biometric systems
designed to keep unauthorized persons out, NIPSs to prevent malicious
activity, and RAID 1 to prevent loss of data. These are also sometimes
referred to as deterrent controls.
E. Detective controls
Detective controls: These controls are used during an event and can find out
whether malicious activity is occurring or has occurred. Examples include
CCTV/video surveillance, alarms, NIDSs, and auditing.
F. Corrective controls
Corrective controls: These controls are used after an event. They limit the
extent of damage and help the company recover from damage quickly. Tape
backup, hot sites, and other fault tolerance and disaster recovery methods are
also included here. These are sometimes referred to as compensating controls.

3. Discuss Vulnerability management and list the five steps involved in the process.
Define the wanted state of security.
Create baselines.
Prioritize vulnerabilities.
Mitigate vulnerabilities.
Monitor the environment.

4. Discuss the following concepts of password analysis:


A. Guessing
In guessing, if attackers know the person and some of the person's details, they
might attempt the person's username as the password, or the name of someone the
person knows, their date of birth, and so on.
B. Dictionary attacks
Uses a pre-arranged list of likely words, trying each of them one at a time
C. Brute force attacks
When every possible password instance is attempted
D. Cryptanalysis attacks
Uses a considerable set of precalculated encrypted passwords located in a
lookup table, known as rainbow tables.