1.5 Explain vulnerability scanning concepts Flashcards
How can examining assessment objects to understand the security system and identify logical weaknesses help during a security assessment? (Select two)
- They can identify a lack of security controls.
- They can identify a common misconfiguration.
NIST's Technical Guide to Information Security Testing and Assessment notes that examining assessment objects to understand the security system and identify any logical weaknesses can highlight a lack of security controls.
NIST's Technical Guide to Information Security Testing and Assessment notes that examining assessment objects to understand the security system and identify any logical weaknesses can highlight a common misconfiguration.
Interviewing personnel can be used to gather information and probe attitudes toward, and understanding of, security.
Testing the object under assessment can help discover vulnerabilities or prove the effectiveness of security controls.
Which of the following represents a non-intrusive scanning type of framework?
Vulnerability scanning
Whether they use purely passive techniques or some sort of active session or agent, vulnerability scanners represent a non-intrusive scanning type. The scanner identifies vulnerabilities from its database by analyzing attributes such as build and patch levels or system policies.
Pen testing that uses exploitation frameworks is considered “active” and “intrusive.”
An exploitation framework is a means of running intrusive scanning. It uses the vulnerabilities identified by a scanner and launches scripts or software to attempt to exploit selected vulnerabilities.
Metasploit is an exploit code framework comprising a database of exploit modules, each targeting a particular CVE (Common Vulnerabilities and Exposures).
Which of the following will identify common misconfigurations, the lack of necessary security controls, and other related vulnerabilities and is considered a passive technique?
A vulnerability assessment
Typical results from a vulnerability assessment will identify common misconfigurations, the lack of necessary security controls, and other related vulnerabilities.
Penetration testing involves the use of exploitation frameworks and is considered "active" or "intrusive" compared to vulnerability assessments, which are "passive" and non-intrusive.
An exploitation framework is a means of running intrusive scanning. It uses the vulnerabilities identified by a scanner and launches scripts or software to attempt to exploit selected vulnerabilities.
Active reconnaissance, such as a penetration test, attempts to exploit the vulnerabilities discovered, for example by performing code injection to compromise a server.
Which of the following will most likely cause false positives? (Select two)
- Port scanning
- Passive scanning
Passive scanning is less likely to detect a wide range of vulnerabilities in host systems and can result in false positives.
A scanning technique to passively test security controls, such as detecting which service ports are used, can result in false positives.
Active techniques, such as active reconnaissance, are more likely to detect a wide range of vulnerabilities in host systems and can reduce false positives. Better detection is possible through established sessions or installed agents.
Active techniques, such as exploiting vulnerabilities, are more likely to confirm the validity of a vulnerability and can reduce false positives.
A penetration tester performed a vulnerability assessment. Although the tester normally uses default passwords to manage service accounts and other device management interfaces, the tester did not use any privileged access to run the vulnerability scan. What type of scan did the pen tester perform?
A non-credentialed scan
A non-credentialed scan is one that proceeds without being able to log on to a host and without being given any sort of privileged access.
A credentialed scan is one in which a user account is given logon rights to various hosts plus whatever other permissions are appropriate for the testing routines. This allows the detection of application or security setting misconfigurations.
Host discovery, like the ping command, detects the presence of a host at a particular IP address or one that responds to a particular host name.
Topology discovery (footprinting) is the part of the discovery phase where the attacker or pen tester starts to identify the structure of the target network.
An attacker sniffs network traffic to identify devices communicating on a network, their ports and vulnerabilities. What type of scanning technique did the attacker perform?
Passive test routines
Passive scanning techniques passively test security controls and operate by sniffing network traffic to identify assets communicating on the network, service ports used, and potentially some types of vulnerabilities.
Active scanning techniques involve making a connection to the target host. This might mean authenticating and establishing a session with the host or running an agent on a host.
A pivot point is a system and/or set of privileges that allows the tester to compromise other network systems (lateral spread). The initial exploit might give the tester local administrator privileges, which can then be used to obtain privileges on other machines.
Action on objectives refers to the adversary or penetration tester stealing data from one or more systems (data exfiltration).
Which of the following is true about active and passive scanning? (Select two)
- Active scanning is more likely to cause performance problems than passive scanning.
- Passive scanning results in more false positives.
Active scans are more likely to cause performance problems with the host; therefore, active scans are very often scheduled during periods of network downtime.
Passive scanning is less likely to detect a wide range of vulnerabilities in host systems and can result in false positives.
A scanning technique to passively test security controls operates by sniffing network traffic to identify assets communicating on the network, service ports used, and potentially other types of vulnerabilities.
Active scanning techniques involve making a connection to the target host. This might mean authenticating and establishing a session with the host or running an agent on a host. Pen testing that uses exploitation frameworks is considered “active” and “intrusive.”
Which of the following will least likely cause performance problems? (Select two)
- Passive scanning
- Port scanning
Passive scanning is less likely to detect a wide range of vulnerabilities in host systems and can result in false positives, but it causes fewer performance issues.
A scanning technique that passively tests security controls, such as detecting which service ports are used, causes fewer performance issues than active scanning techniques.
Active scans are more likely to cause performance problems with the host, so active scans are very often scheduled during periods of network downtime.
Exploiting vulnerabilities can negatively affect system performance, system stability, and user productivity.
A penetration tester performed a vulnerability assessment. The tester had logon rights to different hosts with certain elevated permissions to check security setting misconfigurations. What type of scan did the pen tester perform?
A credentialed scan