1.7 Summarize the techniques used in security assessments Flashcards
Summarize Threat Hunting
It’s like a game of cat and mouse; you need to find the attackers before they find you. Strategies are constantly changing to guard against attacks. Intel data is reactive; you can’t see the attack until it happens. The goal then becomes to speed up the reaction time or to prevent the attacker from ever arriving at your network in the first place.
Summarize Intelligence Fusion
The goal of intelligence fusion is to fuse the overwhelming amounts of security data into a database with big data analytics so that it becomes easier to analyze and sift through the various types of data to find interesting data points and correlations. This is easier than parsing through all that raw security data individually. You do this by collecting the data from various software and hardware, adding external sources that show up-to-date problems, and then focusing on predictive analysis.
Summarize Threat Feeds
It is an ongoing stream of data related to potential or current threats to an organization’s security.
Summarize Advisories and Bulletins
These are announcements made by vendors about security issues or information concerning their products. This is more in-depth than threat feeds because it provides threat intel on a specific vulnerability in a particular hardware or software product.
Summarize Maneuvers
This describes how we maneuver our security software and hardware (firewalls, IPS, IDS, antivirus, etc.) to do the various tasks we need to accomplish. These can be automated, move at the speed of light, and react instantly. When this is combined with intelligence fusion, it can be prepared for many different intrusions and become better at predictive analysis.
Summarize Vulnerability Scans
These are scans designed to look for potential vulnerabilities in operating systems, network devices, and applications. They are usually minimally invasive, unlike penetration tests. They look at these things from the outside to see whether those vulnerabilities could be present.
Summarize False Positives
They are vulnerabilities that are identified but don’t really exist.
Summarize False Negatives
It is a vulnerability that exists but that you could not detect. To resolve this, you’ll need to make sure that you have the latest signatures. Make sure to work with the vulnerability detection manufacturer so they update their lists as well.
Summarize Log Reviews
Log reviews can help list out the vulnerabilities on your system, like a lack of security controls (no firewall, no anti-virus, no anti-spyware), or they’ll show misconfigurations like open shares and guest access. They are good for identifying that software needs to be updated.
Summarize Credentialed vs. Non-credentialed
A non-credentialed scan is a scan from someone who doesn’t have the credentials to gain permissions and access to the network. Think of it as a user outside your network trying to scan it.
A credentialed scan is when you’re a normal user who has the credentials; this emulates an insider threat. This is a user who has rights and privileges.
Summarize Application Scans
These are scans that check for vulnerabilities in software that runs on a web server or in mobile/desktop apps.
Summarize Intrusive vs. Non-intrusive scans
A non-intrusive scan tries to gather information and doesn’t try to exploit a vulnerability.
An intrusive scan will try to exploit that vulnerability to see if it works. These usually take place as penetration tests.
Summarize Common Vulnerabilities and Exposures (CVE)/Common Vulnerability Scoring System (CVSS)
These are summaries of what vulnerabilities are and what they do, scores for how severe they are, and how to mitigate and protect against them.
Summarize Configuration Review
You need to validate the security of device configurations. It is easy to misconfigure one thing.
Workstations need account configs and local device settings reviewed.
Servers need access controls and permission settings reviewed.
Security devices need firewall rules and authentication options reviewed.
Summarize Syslog/Security Information and Event Management (SIEM)
A SIEM is designed to collect anything on the network that can create log files, security alerts, or any type of real-time information that can tell us what is going on in the network. It is commonly used as a central repository where all logs are aggregated. You can see data correlation that helps paint a picture of what is going on, even if the data sources are very different and come from different devices. It is the perfect place for forensics after an event has occurred.