1.7 Security Assessment Techniques Flashcards
Define Threat Hunting: Intelligence Fusion
Combining internal security log data with threat feeds from external sources to identify attacks
Define Threat Hunting: Advisories & Bulletins
Monitoring resources provided by external entities listing new and emerging threats and vulnerabilities
Define Threat Hunting: Maneuver
Thinking like an attacker to identify trends/patterns that may indicate an attack or breach
Define Vulnerability scan: false positive
Detection of a vulnerability when one doesn’t actually exist; an error in the scan results
Define vulnerability scan: false negative
When a vulnerability scan fails to detect an existing vulnerability; this is dangerous because the vulnerability remains unaddressed
Define vulnerability scan: credentialed
Running the scan as a logged-in user to determine vulnerabilities that a non-credentialed scan might not detect
Define vulnerability scan: non-credentialed
Running the scan as an external user that does not have any permissions to the systems
Define vulnerability scan: intrusive vs non-intrusive
- non-intrusive scan simply identifies vulnerabilities
- intrusive scan actually tries to exploit any vulnerabilities found
Define vulnerability scan: application
Specific desktop applications, such as MS Word, may have vulnerabilities that need to be patched
Define vulnerability scan: web application
Web-application software, such as Python, might have vulnerabilities and need to be patched
Define vulnerability scan: network
Vulnerabilities within network hardware/devices, such as open ports or a misconfigured firewall
How can Common Vulnerabilities & Exposures (CVE) data help with vulnerability scans?
CVE (Common Vulnerabilities and Exposures) is a database of known vulnerabilities that vulnerability scanners can reference for more information on the vulnerabilities they find
What is CVSS?
Common Vulnerability Scoring System, a 1-10 scoring scale that indicates how serious a vulnerability is
Define Vulnerability scan: Configuration review
Review of configurations, such as accounts on a workstation or server or firewall ACLs, to check for any misconfigurations
Define Security Information and Event Management (SIEM)
A central repository where all logging information, such as security logs, network traffic logs, etc., is aggregated for analysis