CompTIA Pentest+ PT0-002 – Section 2: Planning an Engagement Part 2

6. Risk Handling (OBJ 1.2)

When we talk about risk, we have to think about what we can do about risk as an organization. After you conclude your penetration test, one of the biggest deliverables you’re going to have is a final report to your client’s organization that lists all the vulnerabilities you found, how they were exploited, and what controls the organization can add as mitigations to minimize their risk exposure. In every risk management program, there are essentially only four things you can do with risk. You can avoid it, you can transfer it, you can mitigate it, and you can accept it. Risk avoidance is a strategy that involves stopping a risky activity or choosing a less risky alternative. But how does this apply to our IT networks? Well, let’s assume that we have a network currently comprised of 100 computers, but 15 of those are running Windows 7. If you know anything about end of life and unsupported software, you already know that Windows 7 stopped receiving official support back in January of 2020.

To avoid the risk of running an unsupported software like Windows 7, we really only have two choices. We can take those computers offline, meaning we stop that risky activity, or we can upgrade those computers to Windows 10, which is a newer and still supported operating system, and thereby is a less risky alternative. Now, when we talk about risk avoidance, we’re basically eliminating the hazards, activities, and exposures that could negatively affect us. For example, in my own company, we ended up choosing risk avoidance for our CompTIA Exam Voucher Sales Program. We saw a sharp increase of fraud from people buying our exam vouchers using stolen credit cards. In just one month, one out of every two exam vouchers that we sold ended up being disputed as fraud by the victim’s credit card companies. This means that my company reserved not just the purchase price, but also the exam voucher itself, because we had already issued that to our buyer.

Because of this, we made the business decision to stop selling exam vouchers in certain countries around the world because the rate of fraud was simply too high, and we wanted to avoid that risk. The second thing we can do with risk is we can transfer it. Now, risk transfer is a strategy that passes the risk over to a third party. And most commonly, this is done by giving it to an insurance company. Now, a good example of this is if our organization was worried about the risk of our server room being destroyed by a flood, we could go out and purchase insurance to transfer the risk of losing all of those assets over to a third party insurer. Then if a flood did occur, they’re going to write us a really large check so we can replace all of our equipment and pay for a data recovery team to help restore our data and services. The third thing we can do with risk is we can mitigate it. Now, this is probably the most popular thing you’re going to see done with risk in the real world. Risk mitigation is simply a strategy that seeks to minimize the risk to an acceptable level which an organization can then accept. Now, for example, let’s say if we identified there was a running server that’s identified to have five critical, two high, four medium and 17 low vulnerabilities.

Our risk management program might have a policy that states that any server with a critical vulnerability should be taken offline immediately. But if we can patch those five critical vulnerabilities, they might be willing to accept the residual risk from the high, medium and low vulnerabilities, because the overall risk was mitigated downwards by adding those extra controls and patches, and bringing that overall risk level down to an acceptable level. Let’s go back to my earlier example of the fraud that occurred with our exam vouchers. There were some countries where we experienced fraud but it was a little lower level. For example, our United States voucher program actually experiences fraud on a regular basis, but we’ve put in place certain mitigations to block some of that fraud from occurring, and we were able to get it down to a low enough level of fraud, that we’re able to continue offering the exam vouchers without losing money. Therefore, we made a business risk decision to accept that residual risk level after applying our risk mitigations for now.

The final thing we can do with risk is we can accept it. Risk acceptance is the strategy that seeks to accept the current level of risk and the cost associated with it if those risks were actually realized. Generally, this is the proper strategy if the asset is very low cost, or the impact in the organization would be very low. For example, we may choose to transfer the risk of a server being damaged by purchasing insurance, because those cost $10,000 or more to replace, but for a laptop, we might just accept that risk because a laptop can be replaced for 3 to $500. So how does an organization determine which risk handling action they need to take, or when they’ve applied enough mitigations to accept the residual risk? Well, as in most things in life, it’s all about how much risk you’re willing to accept. Every organization is unique and they have a different level that they’re willing to accept. There is actually a term for this, it’s known as the organization’s risk appetite. Now risk appetite is the amount of risk that an organization is willing to accept in pursuit of its objectives, before action is deemed necessary to reduce the risk level.

Often, the term risk appetite is also called risk attitude or risk tolerance. For the exam, you may see these three terms being used interchangeably, and you’ll also find this occurs in the real world as well. Some organizations though, make a distinction between risk appetite and risk tolerance. When they talk of risk appetite, they refer to the overall generic level of risk to the organization that they’re willing to accept. Conversely, when they talk about risk tolerance in these organizations, they’re going to be referring to a specific maximum risk the organization is willing to take in regards to a specific identified risk. So, if you’re thinking about your organization, remember, they’re going to have an overall risk appetite associated with the organization that is set by your higher level decision makers, like the C-suite. And then you’re going to find that there are different levels of risk tolerance within certain product lines, certain departments, or even certain servers within a department or division. This risk appetite and risk tolerance is going to affect the decisions you make in regards to risk avoidance, risk transfer, risk mitigation, and risk acceptance.

Now, as you decide which of these four to choose from in your risk handling, remember there are always going to be trade-offs that have to be made. If you add more security, you’re adding more cost to the project. Also, if you add more security, you’re often reducing the usability of that system. This is the never ending trade-off that occurs, the war between usability and security. For example, I worked for one organization that required users to access their work email only from a dedicated smartphone that the organization issued them, but that was going to be a huge expense. So not everybody could access their email because not everybody got a smartphone. Instead, they chose 5 to 10% of the people who were given a smartphone, and those people could access their email using that dedicated device. Now this was a security decision, but its consequences were that the service became less usable because 90 to 95% of the employees couldn’t access their email after working hours. So who do you think had the smartphones?

Well, mostly it was the managers and the bosses. So the bosses would be frantically sending out emails at 8:00 PM at night when something went wrong. And then they were surprised when the workers didn’t respond to them until 8:00 AM the next day. They would say things like, “But I sent you this email and I marked it as urgent, why didn’t you respond?” Well, because we made that system so secure, it made it so the only way people could access their email was by driving into work and checking it from their desktop. And they weren’t going to be doing that at eight o’clock at night if they didn’t know there was a problem. This is the idea of usability versus security. You always have to keep this in mind when you’re making your security recommendations at the end of a penetration test, because just because something is more secure, doesn’t mean it’s the right answer for that organization.

7. Controls (OBJ 1.2)

In order to protect our networks and information systems, we utilize various types of access controls. Now access control measures are broken down into seven different categories: compensative, corrective, detective, deterrent, directive, preventive, and recovery. Now let’s discuss each of these categories briefly because you’re going to be looking for ways to exploit all seven of these categories during your penetration test. And then you’re going to be making recommendations from these seven categories to help remediate the vulnerabilities that you’ve found in your assessments. First, compensative access controls. Compensative access controls are used in place of primary access controls in order to mitigate a given risk. These controls can be deployed to enforce and support a security policy. For example, we might require that two system administrators perform a certain action, like downloading a copy of the database to an external device in order to minimize the risk of a trusted insider stealing that information. This mitigation is based on the policy of dual control, which might be considered an administrative or managerial control. Second, corrective access controls.

Corrective access controls are used to reduce the effect of an undesirable event or attack. Examples of corrective access controls include fire extinguishers, antivirus solutions, and similar measures. If a fire broke out, then we could correct that issue by using fire extinguishers, for example. Third, we have detective measures. Now, detective measures are used to detect an attack while it’s occurring and notify the proper personnel. This type of control includes alarm systems, closed circuit television systems, honeypots, and other such controls. Fourth, we have deterrent controls. Deterrent controls are used to discourage any violation of the security policies, both to attackers and insiders. Deterrent controls can go further than detective controls because not only do they detect the event, but they also ensure consequences for those actions. For example, if I posted a sign outside of my house that says, “This house has a video camera to record intrusions,” this would be a deterrent control. I’m trying to tell potential burglars that they should go to another house because if they try to break into mine, I can give that recording to the police to help identify them, and they might get arrested.

In this particular example, the video recording itself will be considered a detective control because it will be used to identify the burglars, but the sign is actually a deterrent control by trying to scare them off in the first place. Fifth, we have directive controls. Now, directive controls are used to force compliance with the security policy and practices within the organization. The most common directive control is the acceptable use policy or AUP. This is going to dictate what behaviors are and are not allowed on a company’s network systems. Sixth, we have preventive controls. Now preventive controls are those controls that seek to prevent or stop an attack from ever occurring in the first place. Examples of this include protections like password protection, security badges, antivirus software, and intrusion prevention systems. Seventh, we have recovery control measures. Now recovery control measures are going to be used to recover device after an attack. The best known examples of recovery controls are disaster recovery plans, backups, and continuity of operation plans.

Now, when we develop security for our networks, we often use the concept of defense in depth to layer various access controls on top of each other for additional security. This can be from the same category or from various categories. Now, in order to achieve the goals of defense in depth, we’d have to implement through three broad categories of access controls. These are known as administrative, logical, and physical. The first type of access control is known as an administrative control. This is also sometimes called managerial controls. Now these are controls that are implemented to manage the organization’s personnel and assets through security policies, standards, procedures, guidelines, and baselines. Examples of administrative or managerial controls include proper data classification and labeling, supervision of personnel, and security awareness training. In fact, security awareness training is one of the most important administrative controls that any organization can implement. Studies have shown that many incidents could have been prevented with proper user training upfront, and it is one of the most cost effective ways to increase the organization’s security and provides the best return on investment.

The second type of access control we have is known as logical controls. These are also called technical controls. These controls are implemented through hardware or software, and they’re to prevent or restrict access to a given system. For example, we have things like installing new devices like firewalls, intrusion detection systems, intrusion prevention systems, authentication schemes, encryption, new protocols, auditing or monitoring software, biometrics, and much more. Auditing and monitoring are both types of logical controls, but they vary slightly in their use. Auditing is a one-time evaluation of a security posture, whereas monitoring is an ongoing process that continually evaluates a system or its users. For example, a penetration test is considered a type of audit; therefore, it is considered a logical control. All organizations should be aiming at continually improving themselves in order to become either more effective, more efficient, or preferably both.

To do this, though, the organization must monitor any changes to their networks in order to understand the risks associated with those changes. Often, this will fall under the category of change management, where a baseline is created and changes to that baseline are tracked and assessed. Before those changes are implemented, though, they should be analyzed for risk through the risk management program. To conduct efficient continuous monitoring, organizations need to automate the process as much as is practical. For example, the collection of logs from security systems, applications, and network suites should always be automatically collected, correlated, and triaged by software before being displayed to a cybersecurity analyst. Continuous monitoring also includes overseeing the change management process, configuration management process, monitoring logs, and analyzing the status reporting that’s being collected across the organization.

This allows the security professionals to evaluate the effectiveness of their existing security controls and make recommendations for improved controls if they’re warranted. Now, the third type of access control we have is physical controls. These are controls that are implemented to protect the organization’s personnel and their facilities. Examples of physical controls include fences, locks, security badges, proximity cards for entry into the building, guards, access control vestibules, biometrics, and other means of securing the facility. So, in summary, it’s important to remember the seven different types of access control categories, which are compensative, corrective, detective, deterrent, directive, preventive and recovery.

Also, you want to remember the three types of access controls, which are administrative, logical, and physical. Some controls may work across multiple categories and types as well, and that’s okay. When you’re doing your planning, you should think through each of these categories to identify which type of controls you’re going to be focused on exploiting during your upcoming penetration test as you work with the client to determine what things will or will not be tested during your engagement.

• Category: Uncategorized