I’m gonna be honest, today’s materials were not my favourites. Risk management was fine and it actually feels important, but using OpenVAS just didn’t click.


We talked about a few terms like threat, vulnerability, asset, risk, and risk management.
Then we covered NIST SP 800-30 and the four steps:

Frame Risk
Set the context in which all risk-related decisions will be made. This includes identifying the environment, mission, and constraints.

Assess Risk
Identify and evaluate potential risks, estimate their likelihood and impact, and prioritize them. This step is key to figuring out how to respond.

Respond to Risk
Take action to reduce or manage the identified risks. The specific response depends on the situation, risk tolerance, and available safeguards.

Monitor Risk
Continuously track how risks evolve and whether the responses are effective. Since conditions change over time, monitoring must be ongoing.

We also touched on some calculations used in quantitative risk analysis, which I actually found pretty straightforward. For example:

SLE (Single Loss Expectancy)
SLE = Asset Value × EF

  • Asset Value: the dollar value of the asset
  • EF (Exposure Factor): the percentage of value lost if a risk is realized
  • SLE: the expected monetary loss for one incident

ALE (Annualized Loss Expectancy)
ALE = SLE × ARO

  • ARO (Annual Rate of Occurrence): how often the risk is expected to happen in a year
  • ALE: total expected loss per year from that risk

We had a practical exercise to decide whether a safeguard was worth implementing. Here’s the breakdown:

Example:

  • Asset: Laptop
  • Risk: Theft from Office
  • Asset Value: $2,500
  • EF (before safeguard): 100%
  • SLE: $2,500
  • ARO: 0.05 (5% chance per year)
  • ALE: $2,500 × 0.05 = $125
  • Safeguard: Laptop lock and cable
  • Cost of safeguard: $45
  • EF (after safeguard): 6%
  • New SLE: $2,500 × 0.06 = $150
  • New ALE: $150 × 0.05 = $7.50

So:
The safeguard reduces the expected annual loss from $125 to $7.50, and it only costs $45 one-time. Definitely worth it.
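To make the "worth it" call repeatable, here is a small calculator I added as an example (it is not from the course material). It applies the SLE and ALE formulas above and the usual cost/benefit rule: net value = ALE before − ALE after − yearly safeguard cost. The function names, the `lifetime_years` parameter and the $500 comparison safeguard are my own assumptions.

```python
from decimal import Decimal

def _d(x):
    # Go through str() so 0.05 becomes exactly Decimal("0.05")
    return Decimal(str(x))

def sle(asset_value, ef):
    """SLE = Asset Value x EF, with EF as a fraction (100% -> 1.0)."""
    asset_value, ef = _d(asset_value), _d(ef)
    if asset_value < 0 or not 0 <= ef <= 1:
        raise ValueError("asset value must be >= 0 and EF within 0..1")
    return asset_value * ef

def ale(asset_value, ef, aro):
    """ALE = SLE x ARO. ARO may exceed 1 (several incidents a year)."""
    aro = _d(aro)
    if aro < 0:
        raise ValueError("ARO must be >= 0")
    return sle(asset_value, ef) * aro

def evaluate_safeguard(asset_value, aro, ef_before, ef_after, cost,
                       lifetime_years=1):
    """Compare ALE with and without a safeguard.

    Assumption: the one-time cost is spread evenly over lifetime_years
    (1 = the safeguard must pay for itself within the first year).
    """
    if _d(lifetime_years) <= 0:
        raise ValueError("lifetime_years must be > 0")
    before = ale(asset_value, ef_before, aro)
    after = ale(asset_value, ef_after, aro)
    reduction = before - after
    net = reduction - _d(cost) / _d(lifetime_years)
    return {
        "ale_before": before,
        "ale_after": after,
        "net_annual_value": net,
        "payback_years": _d(cost) / reduction if reduction > 0 else None,
        "worthwhile": net > 0,
    }

if __name__ == "__main__":
    # Laptop lock from the exercise above: $45 against a $2,500 laptop
    print(evaluate_safeguard(2500, 0.05, 1.0, 0.06, 45))
    # Constructed comparison: a $500 safeguard with the same effect
    print(evaluate_safeguard(2500, 0.05, 1.0, 0.06, 500))
    print(evaluate_safeguard(2500, 0.05, 1.0, 0.06, 500, lifetime_years=5))
```

The $500 case flips from not worthwhile to worthwhile once its cost is spread over five years, so the assumed lifetime matters as much as the EF and ARO estimates.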


Later in the afternoon, I did a revision lab on Linux forensics with Mathieu, Adil, and Simon. This one was actually pretty fun and helped reinforce some commands I hadn’t used in a while. One detail I learned was that the visudo command is used when editing the /etc/sudoers file—this prevents syntax errors that could lock you out of sudo.


To finish the day, I teamed up once again with Mathieu and Adil to work on a CTF challenge called Pickle Rick.

  • The login part was easy. The username was found in the HTML source code, and the password was hidden in the /robots.txt file.
  • The hard part was finding the flags using the command line. I had to dig through the file system, especially in locations like /root and /home. It really showed me how important it is to explore directories in the file system.

That was my last room for the day. I’m calling it a night a bit earlier than usual; I’ve been doing too much the past few days and definitely need some rest.