CompTIA Pentest+
Udemy
Last updated
Good risk management skills are incredibly important in the world of penetration testing, because without them you are going to cause some horrific accidents that could cost you your job.
So let's start with two basic questions: what is risk, and where does risk exist?
Risk : the probability that a threat will be realized. Risk is a continual balancing act between vulnerabilities and the threats that try to exploit them.
Vulnerability: any weakness in the system design or implementation. Vulnerabilities come from internal factors, things like software bugs, misconfigured software, improperly protected network devices, lacking physical security and other issues like these.
Threat: anything that could cause harm, loss, damage, or compromise to information technology systems.
Risk exists in the intersection between threats and vulnerabilities.
If you have a threat but there is no vulnerability, then there is no risk. If you have a vulnerability but no threat against it, there is also no risk.
Risk Management: finds ways to minimize the likelihood of a certain outcome from occurring and to achieve the desired outcomes.
Risk is identified by the different risk types that exist: inherent, residual and exceptions.
Inherent: occurs when a risk is identified but no mitigating factors are applied. (There will always be some inherent risk that attackers will try to exploit.)
Residual: occurs when a risk is calculated after applying mitigation and security controls.
Risk exception: risk created because an exemption was granted or because of a failure to comply with corporate policy.