The process of identifying, assessing and prioritizing potential risks for an organization or company.
A tool designed and used to scan computers, networks or applications for known weaknesses, typically by comparing software versions and configurations against a database of published vulnerabilities.
The practice of capturing and logging some or all of the packets that pass through a computer network.
A situation in which two or more operations on a shared resource run concurrently and must complete in a particular order for the result to be correct, but nothing enforces that order, so the outcome depends on timing.
A situation in which more data is written into a fixed-size buffer than it can hold, so the excess spills into adjacent memory and corrupts whatever is stored there (data, pointers or control information).
When an arithmetic result is higher than the maximum or lower than the minimum the variable's type can represent, so the stored value wraps around; the wrong value then causes logic errors, such as a length check that passes for an oversized input.
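The two definitions above usually appear together in practice: an integer overflow in a length calculation is what lets a buffer overflow past a check that looks correct. The following is an added example, not code from the original page. It models a 16-byte buffer followed by a 4-byte canary inside one flat array (a constructed stand-in for a stack frame, so the overwrite can be observed without undefined behaviour), feeds a constructed 260-byte payload with an element count of 65, and shows the 8-bit length computation wrapping to 4 so the check passes, beside a hardened version that widens the arithmetic and rejects the input. All names here are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed memory layout standing in for a stack frame: a 16-byte
 * destination buffer followed immediately by a 4-byte canary that the
 * caller relies on. Modelled as one flat array so the overwrite can be
 * observed without undefined behaviour. */
#define BUF_SIZE    16
#define CANARY_OFF  BUF_SIZE
#define FRAME_SIZE  272
#define ELEM_SIZE   4
static const uint8_t CANARY[4] = {0xDE, 0xAD, 0xBE, 0xEF};

/* Constructed input: 260 bytes of 'A', enough for 65 four-byte elements. */
#define DEMO_PAYLOAD_LEN 260
const uint8_t *demo_payload(void) {
    static uint8_t payload[DEMO_PAYLOAD_LEN];
    memset(payload, 'A', sizeof payload);
    return payload;
}

/* Vulnerable: the element count arrives in a one-byte header field and the
 * byte length is computed in that same 8-bit width. For count = 65 the
 * product 260 does not fit, wraps to 4, and the length check passes. */
uint8_t byte_len_vulnerable(uint8_t count) {
    return (uint8_t)(count * ELEM_SIZE);
}

/* Hardened: widen before multiplying and reject a product that could not be
 * represented. The SIZE_MAX guard is what matters when count is as wide as
 * size_t; for uint8_t the widening alone already prevents the wrap. */
int byte_len_hardened(uint8_t count, size_t *bytes_out) {
    if ((size_t)count > SIZE_MAX / ELEM_SIZE) return -1;
    *bytes_out = (size_t)count * ELEM_SIZE;
    return 0;
}

/* Returns -1 if the length check rejected the input, 1 if the copy left the
 * canary intact, 0 if the copy overwrote it (the buffer overflow). */
int copy_vulnerable(uint8_t count, const uint8_t *payload, size_t payload_len) {
    uint8_t frame[FRAME_SIZE] = {0};
    memcpy(frame + CANARY_OFF, CANARY, sizeof CANARY);

    uint8_t bytes = byte_len_vulnerable(count);
    if (bytes > BUF_SIZE) return -1;          /* passes for count 65: bytes == 4 */

    /* The consumer loop trusts count, not the wrapped byte total, so it walks
     * count * 4 bytes into a 16-byte buffer. The FRAME_SIZE bound only keeps
     * this demonstration inside the model array. */
    size_t total = (size_t)count * ELEM_SIZE;
    for (size_t i = 0; i < total && i < payload_len && i < FRAME_SIZE; i++)
        frame[i] = payload[i];

    return memcmp(frame + CANARY_OFF, CANARY, sizeof CANARY) == 0;
}

int copy_hardened(uint8_t count, const uint8_t *payload, size_t payload_len) {
    uint8_t frame[FRAME_SIZE] = {0};
    memcpy(frame + CANARY_OFF, CANARY, sizeof CANARY);

    size_t bytes;
    if (byte_len_hardened(count, &bytes) != 0) return -1;
    if (bytes > BUF_SIZE || bytes > payload_len) return -1;   /* 260 > 16: rejected */

    memcpy(frame, payload, bytes);            /* copies only the checked length */
    return memcmp(frame + CANARY_OFF, CANARY, sizeof CANARY) == 0;
}

int main(void) {
    const uint8_t *p = demo_payload();
    printf("8-bit byte length for count 65: %u\n", byte_len_vulnerable(65));
    printf("vulnerable, count 65: %d (0 = canary smashed)\n", copy_vulnerable(65, p, DEMO_PAYLOAD_LEN));
    printf("hardened,   count 65: %d (-1 = rejected)\n", copy_hardened(65, p, DEMO_PAYLOAD_LEN));
    printf("hardened,   count 4:  %d (1 = canary intact)\n", copy_hardened(4, p, DEMO_PAYLOAD_LEN));
    return 0;
}
```

The check in the vulnerable path is not wrong in itself; it is comparing the wrong number. The fix is to do the multiplication in a type wide enough for the product and to use that same checked value, not the untrusted count, to bound the copy.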
When a company hires a white hat hacker to assess the security of a system by finding and exploiting vulnerabilities, with the owner's explicit authorization and within an agreed scope.
Collecting information about a target without directly interacting with its systems (social media, news articles, the company website, etc.).
Collecting information about a target by actively engaging its systems and analyzing the responses (network and port scans, service enumeration).
When the tester is first able to gain access into the target system.
Using an already compromised, trusted system as a foothold to reach other target systems on the same network.
Using tools or techniques to gain higher levels of privilege than the initial access provided.
When the tester has no prior knowledge of the target system (simulates an external attacker).
When the tester has full knowledge of the target system, such as source code, architecture and credentials (simulates an insider or an informed attacker).
When the tester has limited knowledge of the target system (between the two above).
Risk assessment that assigns a numerical (typically monetary) value to the impact of a threat occurring.
How much money could be lost in a single occurrence of a threat event, determined by the formula: AV * EF = SLE
How much an asset is worth, in monetary terms.
The proportion of the asset's value that would be lost in a single threat event (amount of downtime, % of data, etc.), expressed as a fraction or percentage.
How much can be expected to be lost in a year from a given threat, determined by the formula: SLE * ARO = ALE
How often a threat event is expected to occur per year (typically estimated from historical data).
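The four quantities above chain into one calculation, and its purpose is to rank risks so that treatment money goes where the expected loss is largest. The following is an added example, not code or figures from the original page: it computes SLE and ALE for three constructed scenarios, picks the one to treat first, and goes one step beyond the definitions by valuing a hypothetical control (the annual value of a safeguard is the ALE it removes minus its yearly cost, a standard extension of these formulas). All asset values, exposure factors, rates and the $20,000 control cost are invented for illustration and chosen as exact binary fractions.

```c
#include <stddef.h>
#include <stdio.h>

/* One asset/threat pair valued in dollars. Every figure in this file is a
 * constructed illustration, not data from any real assessment. */
typedef struct {
    const char *name;
    double av;   /* asset value, dollars */
    double ef;   /* exposure factor: fraction of AV lost per event (0.0 - 1.0) */
    double aro;  /* annualized rate of occurrence: expected events per year */
} risk_scenario;

/* SLE = AV * EF: the loss from one occurrence of the threat event. */
double sle(const risk_scenario *r) { return r->av * r->ef; }

/* ALE = SLE * ARO: the loss expected from that threat over one year. */
double ale(const risk_scenario *r) { return sle(r) * r->aro; }

/* Index of the scenario with the largest ALE, i.e. the one to treat first. */
size_t highest_ale(const risk_scenario *risks, size_t n) {
    size_t best = 0;
    for (size_t i = 1; i < n; i++)
        if (ale(&risks[i]) > ale(&risks[best])) best = i;
    return best;
}

/* Beyond the page's definitions: the annual value of a control is the ALE it
 * removes minus what it costs per year. A negative result means the control
 * costs more than the loss it prevents, which argues for accepting or
 * transferring the risk instead of mitigating it. */
double safeguard_value(const risk_scenario *before, const risk_scenario *after,
                       double annual_cost) {
    return ale(before) - ale(after) - annual_cost;
}

/* Constructed scenarios; EF and ARO chosen as exact binary fractions. */
static const risk_scenario DEMO_RISKS[] = {
    {"ransomware on customer database", 500000.0, 0.5,   0.25},
    {"web server defacement",            40000.0, 0.125, 2.0},
    {"laptop theft",                      2000.0, 1.0,   6.0},
};
#define DEMO_RISK_COUNT (sizeof DEMO_RISKS / sizeof DEMO_RISKS[0])
const risk_scenario *demo_risks(void) { return DEMO_RISKS; }
size_t demo_risk_count(void) { return DEMO_RISK_COUNT; }

/* Hypothetical control: tested offline backups cut the ransomware EF from
 * 0.5 to 0.125 (most data is restorable) at $20,000 per year. */
double demo_backup_value(void) {
    risk_scenario after = DEMO_RISKS[0];
    after.ef = 0.125;
    return safeguard_value(&DEMO_RISKS[0], &after, 20000.0);
}

int main(void) {
    for (size_t i = 0; i < DEMO_RISK_COUNT; i++)
        printf("%-34s SLE %10.2f  ALE %10.2f\n", DEMO_RISKS[i].name,
               sle(&DEMO_RISKS[i]), ale(&DEMO_RISKS[i]));
    printf("treat first: %s\n",
           DEMO_RISKS[highest_ale(DEMO_RISKS, DEMO_RISK_COUNT)].name);
    printf("annual value of backup control: %.2f\n", demo_backup_value());
    return 0;
}
```

Note that the laptop-theft scenario has a lower SLE than the defacement but a higher ALE because it happens more often; ranking on SLE alone would order the two wrongly, which is the reason ARO enters the formula.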
Risk assessment that describes an event's level of risk in words (such as low, medium or high) rather than numbers, determined from the potential level of impact and the likelihood of occurrence.
Risk response that eliminates the risk by not engaging in the activity that creates it.
Risk response that shifts some or all of the responsibility for the risk to a third party (for example, insurance or outsourcing).
Risk response that accepts the risk as is, typically because the cost of treating it would exceed the expected loss.
Risk response that takes steps to reduce the likelihood or the impact of the risk (for example, by applying controls) rather than eliminating the activity altogether.