Book-Notes Section 5

Question 1

what’s the difference between plugins and templates?

Answer 1

📌 Example: Plugins vs. Templates in Nessus (Vulnerability Scanner)
✅ Plugins → Individual vulnerability tests (e.g., outdated SSH, misconfigured SSL, missing patches).
✅ Templates → Predefined scanning profiles (e.g., “Internal Network Scan,” “Web Application Scan”) that use a set of plugins.

🚀 Key Takeaways
Plugins = Small modules that run specific security tests.
Templates = Preconfigured scan settings that use multiple plugins.
Plugins give detailed control, while templates simplify scans by bundling settings.

Question 2

What is a Credentialed Scan?

Answer 2

A credentialed scan (or authenticated scan) is a type of vulnerability scan where the scanning tool logs into the target system using valid credentials (username & password) to perform a more in-depth security assessment.

Question 3

what’s the difference between Credentialed and Non-credentialed scanning?

Answer 3

Credentialed vs. Non-Credentialed Scanning (Simple Explanation)
🔹 Credentialed Scanning (Authenticated Scan)

The scanning tool logs into the system using valid credentials (username & password).
It can check deeper system details like installed software, missing patches, and misconfigurations.
More accurate and lower false positives since it directly accesses system data.
Used for internal security checks to find risks after an attacker gains access.
✅ Example: Checking a Windows server for missing security updates by logging in as an admin.

🔹 Non-Credentialed Scanning (Unauthenticated Scan)

The scanner does NOT log in and only probes from the outside.
It can detect open ports, running services, and public vulnerabilities but misses internal risks.
Less accurate and may have false positives since it relies on guesswork.
Used for external security checks to see what an outsider could find.
✅ Example: Scanning a website for vulnerabilities without logging into the server.

Question 4

what are administrative setup pages?

Answer 4

Administrative Setup Pages (Simple Explanation)
Administrative setup pages are special web pages or interfaces used by administrators to configure and manage a system, device, or software.

🔹 What They Do?

Control user accounts and permissions
Configure network settings (e.g., Wi-Fi, firewalls)
Manage security settings (e.g., passwords, access controls)
Monitor system performance and logs
Adjust software or application settings
🔹 Examples:

Router settings page (192.168.1.1) where you set up Wi-Fi passwords.
CMS (Content Management System) admin panel (/admin) to manage a website.
Enterprise software dashboards to configure security policies.

Question 5

What’s an Open-Ended Penetration Test?

Answer 5

An open-ended penetration test is a type of security test where there are no strict rules or predefined scope for the testers. Instead, ethical hackers have the freedom to explore and simulate real-world attacks as they see fit.

🔹 Key Features:

No strict limitations on attack methods, targets, or time frame.
Testers act like real attackers, using creative techniques to find weaknesses.
Focuses on uncovering unexpected vulnerabilities that may not be obvious in a standard test.
🔹 Example:
A company hires ethical hackers for an open-ended penetration test. Instead of testing just a specific web app, they might:
✅ Try phishing employees to steal credentials.
✅ Look for weaknesses in cloud services.
✅ Test physical security, like sneaking into offices.

Question 6

What’s a Postmortem Analysis?

Answer 6

A postmortem analysis is a process where a team reviews what went wrong after a major incident (like a security breach, system failure, or cyberattack) to understand the cause and prevent it from happening again.

Question 7

Security Advisories vs. Security Bulletins?

Answer 7

🔹 Security Advisory
A security advisory is a warning issued by a vendor, security organization, or government agency about a newly discovered security risk. It provides detailed information about the vulnerability and may include:
✅ What the issue is (e.g., a bug in a software or hardware).
✅ Which systems are affected (e.g., specific operating systems, applications, or devices).
✅ Mitigation steps (e.g., workarounds or temporary fixes if a patch is not yet available).

Example:
Microsoft releases a security advisory warning about a zero-day vulnerability affecting Windows before an official patch is available.

🔹 Security Bulletin
A security bulletin is a formal update that includes detailed fixes for known security vulnerabilities. It usually comes after a security advisory and provides:
✅ List of patched vulnerabilities (CVE numbers).
✅ Severity rating (e.g., critical, high, medium, low).
✅ Instructions on how to apply the fix (e.g., software updates, patches).

Example:
Microsoft releases a Security Bulletin as part of Patch Tuesday, listing all the security updates for Windows, Office, and other products.

🚀 Simple Comparison:
🔹 Security Advisory → Early warning about a security issue (before or during investigation).
🔹 Security Bulletin → Official update that provides patches and fixes.

✅ Final Takeaway:
Security advisories alert you to new threats, while security bulletins provide solutions to fix them. Both help keep systems secure! 🔒

Question 8

what’s the concept of intelligence fusion?

Answer 8

Intelligence Fusion:

Intelligence fusion is the process of gathering, combining, and analyzing different types of security information from multiple sources to get a clearer and more complete picture of potential threats.

Question 9

NOTE:

Answer 9

Threat hunting is build on assuming that an attacker has already breached an organization security. And threat hunters search for any sings or evidence of a successful attack.

Question 10

what does shunning mean in penetration test?

Answer 10

In penetration testing, shunning refers to a security mechanism where a system actively blocks or drops connections from an attacker or a suspicious IP address. This is typically done automatically by Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), firewalls, or other security controls when they detect malicious activity.

Question 11

what does Deny listing mean?

Answer 11

“Deny listing” (also known as blacklisting) in cybersecurity refers to the practice of explicitly blocking certain IP addresses, domains, applications, or users from accessing a system or network. It is used to prevent known threats from interacting with protected resources.

Question 12

difference between passive and active reconnaissance in penetration testing

Answer 12

Passive Reconnaissance:

Gathering information without directly interacting with the target.
The target does not detect your activities.
Examples:
Searching for company details on Google.
Looking at social media profiles for employee information.
Using tools like Shodan to find exposed systems.

Active Reconnaissance:

Actively engaging with the target to collect information.
The target may detect your activities.
Examples:
Scanning the target network using Nmap.
Sending requests to a web server to see how it responds.
Checking for open ports and vulnerabilities.

Key Difference:
Passive recon is like spying from a distance (low risk).
Active recon is like knocking on doors to see who answers (higher risk of detection).

Question 13

Footprinting in Active Reconnaissance

Answer 13

Footprinting refers to the process of gathering detailed information about a target system, network, or organization before launching an attack. In active reconnaissance, footprinting involves directly interacting with the target to collect data, making it more likely to be detected.

Question 14

simple breakdown of the differences between security testing, security assessments, and security audits:

Answer 14

1. Security Testing (Vulnerability Testing & Penetration Testing)
   🔹 Definition:
   Security testing focuses on identifying vulnerabilities in systems, networks, and applications. It involves technical assessments like vulnerability scanning and penetration testing.

🔹 Types (from Security+):

Vulnerability Scanning → Uses tools (e.g., Nessus, OpenVAS) to find security weaknesses in a system.
Penetration Testing → Ethical hackers actively exploit vulnerabilities to assess security risks.
🔹 Key Concepts (Security+):

Passive Testing → Observing without interacting (e.g., reviewing logs).
Active Testing → Actively probing for weaknesses (e.g., scanning ports with Nmap).
🔹 Example in Security+ Exam:

You perform a vulnerability scan on a company’s web server and find outdated software.
2. Security Assessment
🔹 Definition:
A comprehensive review of an organization’s security posture, including technical, administrative, and physical security controls.

🔹 Key Concepts (Security+):

Risk Assessment → Identifies potential threats and their impact.
Security Posture Assessment → Evaluates how well security controls protect against threats.
Configuration Review → Ensures systems follow best practices (e.g., checking firewall rules).
🔹 Example in Security+ Exam:

A company hires a security consultant to review policies, firewalls, and access controls to ensure best security practices.
3. Security Audit
🔹 Definition:
A formal and structured process to verify if an organization meets specific security policies, regulations, or compliance standards (e.g., PCI-DSS, HIPAA, ISO 27001).

🔹 Key Concepts (Security+):

Compliance Audits → Ensures adherence to legal or regulatory requirements.
Internal vs. External Audits →
Internal Audit → Done by in-house security teams.
External Audit → Performed by third-party auditors (e.g., a PCI compliance check).
🔹 Example in Security+ Exam:

A healthcare company undergoes a HIPAA compliance audit to verify they are handling patient data securely.

Exam Tip:
Security Testing → Focuses on finding vulnerabilities.
Security Assessments → Evaluates the entire security environment.
Security Audits → Ensures compliance with standards.

Question 15

The difference between external audit, and independent third party audit:

Answer 15

Key Difference: Who Requests the Audit?
External Audit → Your company requests it from an external entity to review security practices.
Independent Third-Party Audit → A vendor, regulator, or compliance body requests it, and an independent entity conducts the audit.

🔹 External Audit (Your Company Requests It)
Your own organization brings in an external firm to conduct a security review.
This is done to check your security posture, ensure best practices, or prepare for compliance.
The external auditors have no decision-making power over your organization.
✅ Example:

Your company hires a cybersecurity consulting firm to conduct an external audit and identify security gaps before an official compliance check.

🔹 Independent Third-Party Audit (A Vendor or Regulator Requests It)
This is not initiated by your company—it is required by an outside entity (e.g., a regulatory body, vendor, or client).
The audit is performed by a completely neutral, certified third-party organization.
It determines if you are compliant with an official security standard (e.g., ISO 27001, PCI-DSS).
✅ Example:

A payment processor requires your company to undergo a PCI-DSS compliance audit by a certified third-party auditor before allowing you to handle credit card transactions.

Final Exam Tip:
External Audit → Your company initiates it for self-assessment.
Independent Third-Party Audit → A third party (vendor/regulator) requires it to check compliance.

Question 16

what’s the difference between intrusive and none-intrusive vulnerability scans?

Answer 16

🔹 Intrusive Vulnerability Scan
✅ Definition:

Actively tests vulnerabilities by exploiting them in a controlled manner.
May cause system disruptions or performance issues.
✅ How It Works:

The scanner attempts to exploit known vulnerabilities to confirm their presence.
Simulates real-world attacks to assess the impact of vulnerabilities.
Provides more accurate results since vulnerabilities are actually tested.
✅ Examples:

Attempting SQL injection on a database.
Exploiting an unpatched RCE (Remote Code Execution) vulnerability.
Running a penetration test within a vulnerability scan.
✅ Pros & Cons:

✅ Pros
Provides real-world impact of vulnerabilities
Reduces false positives
Helps security teams prioritize critical threats

❌ Cons
Requires permission before running in production
abilities Can crash systems or cause downtime
Risk of data loss or corruption

🔹 Non-Intrusive Vulnerability Scan
✅ Definition:

Passive approach—only identifies vulnerabilities without exploiting them.
Does not interact aggressively with the target system.
✅ How It Works:

Scans system configurations, software versions, and known vulnerabilities.
Uses fingerprinting techniques to detect weaknesses.
Generates reports with potential vulnerabilities (but does not confirm them).
✅ Examples:

Scanning a web application to detect outdated software.
Identifying open ports and misconfigurations on a network.
Checking for default passwords in network devices.
✅ Pros & Cons:

✅ Pros
Safe for production systems
Quick and efficient
Requires less permission
❌ Cons
False positives (vulnerabilities might not actually be exploitable)
Doesn’t confirm if an exploit is truly possible
Less useful for prioritizing risk

Security+ Exam Tip
Intrusive vulnerability scans = Testing if vulnerabilities are actually exploitable.
Can be automated (e.g., Nexpose, Burp Suite active scanning).
Can be manual (e.g., a pentester manually running exploits).
Non-intrusive vulnerability scans = Only detect vulnerabilities without testing exploits.

Question 17

Why Do Credentialed Scans Only Require Read-Only Access?

Answer 17

🔹 Credentialed vulnerability scans use valid login credentials to access internal system information, such as installed software, configurations, registry settings, and security policies. However, these scans only require read-only access because their purpose is to identify vulnerabilities, not modify the system.

Question 18

🧰 What is SCAP?

Answer 18

SCAP stands for:

Security Content Automation Protocol

It’s a framework of tools, standards, and formats used to automate vulnerability management, compliance checking, and security assessments.

🧠 Think of SCAP as:
A toolbox for security automation — it helps systems talk the same language when checking for vulnerabilities, patch status, and compliance.

🔧 Why SCAP is Important:
✅ Helps automate security scans and audits

✅ Ensures systems follow security standards

✅ Makes it easier to manage large networks

✅ Commonly used in government and enterprise environments

🧩 SCAP Includes These Standards:
Component What It Does
CVE (Common Vulnerabilities and Exposures) Unique IDs for known vulnerabilities (e.g., CVE-2023-0001)
CPE (Common Platform Enumeration) Standard way to name hardware/software (e.g., Windows_10)
CVSS (Common Vulnerability Scoring System) Rates how severe a vulnerability is
CCE (Common Configuration Enumeration) IDs for security misconfigurations
XCCDF (Checklist format) Standard format for writing security checklists and rules
OVAL (Open Vulnerability and Assessment Language) Language for testing system security settings and patches
🛠️ Example Use Case:
Imagine a security tool uses SCAP to:

Check if a system has missing patches (using OVAL and CVE)

Confirm system settings match a compliance benchmark (using XCCDF and CCE)

Identify the software it’s scanning (using CPE)

Rate the risk of each finding (using CVSS)

✅ Summary:
Term Meaning
SCAP A framework that uses standardized formats to automate vulnerability management and compliance checks.
Who uses it? Security tools, government agencies (like NIST), and enterprise IT teams