Book-Notes Section 5 Flashcards
What's the difference between plugins and templates?
Example: Plugins vs. Templates in Nessus (Vulnerability Scanner)
Plugins → Individual vulnerability tests (e.g., outdated SSH, misconfigured SSL, missing patches).
Templates → Predefined scanning profiles (e.g., "Internal Network Scan," "Web Application Scan") that use a set of plugins.
Key Takeaways
Plugins = Small modules that run specific security tests.
Templates = Preconfigured scan settings that use multiple plugins.
Plugins give detailed control, while templates simplify scans by bundling settings.
What is a Credentialed Scan?
A credentialed scan (or authenticated scan) is a type of vulnerability scan where the scanning tool logs into the target system using valid credentials (username & password) to perform a more in-depth security assessment.
What's the difference between credentialed and non-credentialed scanning?
Credentialed vs. Non-Credentialed Scanning (Simple Explanation)
🔹 Credentialed Scanning (Authenticated Scan)
The scanning tool logs into the system using valid credentials (username & password).
It can check deeper system details like installed software, missing patches, and misconfigurations.
More accurate and lower false positives since it directly accesses system data.
Used for internal security checks to find risks after an attacker gains access.
Example: Checking a Windows server for missing security updates by logging in as an admin.
🔹 Non-Credentialed Scanning (Unauthenticated Scan)
The scanner does NOT log in and only probes from the outside.
It can detect open ports, running services, and public vulnerabilities but misses internal risks.
Less accurate and may have false positives since it relies on guesswork.
Used for external security checks to see what an outsider could find.
Example: Scanning a website for vulnerabilities without logging into the server.
What are administrative setup pages?
Administrative Setup Pages (Simple Explanation)
Administrative setup pages are special web pages or interfaces used by administrators to configure and manage a system, device, or software.
🔹 What They Do
Control user accounts and permissions
Configure network settings (e.g., Wi-Fi, firewalls)
Manage security settings (e.g., passwords, access controls)
Monitor system performance and logs
Adjust software or application settings
🔹 Examples:
Router settings page (192.168.1.1) where you set up Wi-Fi passwords.
CMS (Content Management System) admin panel (/admin) to manage a website.
Enterprise software dashboards to configure security policies.
What's an Open-Ended Penetration Test?
An open-ended penetration test is a type of security test where there are no strict rules or predefined scope for the testers. Instead, ethical hackers have the freedom to explore and simulate real-world attacks as they see fit.
🔹 Key Features:
No strict limitations on attack methods, targets, or time frame.
Testers act like real attackers, using creative techniques to find weaknesses.
Focuses on uncovering unexpected vulnerabilities that may not be obvious in a standard test.
🔹 Example:
A company hires ethical hackers for an open-ended penetration test. Instead of testing just a specific web app, they might:
Try phishing employees to steal credentials.
Look for weaknesses in cloud services.
Test physical security, like sneaking into offices.
What's a Postmortem Analysis?
A postmortem analysis is a process where a team reviews what went wrong after a major incident (like a security breach, system failure, or cyberattack) to understand the cause and prevent it from happening again.
Security Advisories vs. Security Bulletins?
🔹 Security Advisory
A security advisory is a warning issued by a vendor, security organization, or government agency about a newly discovered security risk. It provides detailed information about the vulnerability and may include:
What the issue is (e.g., a bug in software or hardware).
Which systems are affected (e.g., specific operating systems, applications, or devices).
Mitigation steps (e.g., workarounds or temporary fixes if a patch is not yet available).
Example:
Microsoft releases a security advisory warning about a zero-day vulnerability affecting Windows before an official patch is available.
🔹 Security Bulletin
A security bulletin is a formal update that includes detailed fixes for known security vulnerabilities. It usually comes after a security advisory and provides:
List of patched vulnerabilities (CVE numbers).
Severity rating (e.g., critical, high, medium, low).
Instructions on how to apply the fix (e.g., software updates, patches).
Example:
Microsoft releases a Security Bulletin as part of Patch Tuesday, listing all the security updates for Windows, Office, and other products.
Simple Comparison:
🔹 Security Advisory → Early warning about a security issue (before or during investigation).
🔹 Security Bulletin → Official update that provides patches and fixes.
Final Takeaway:
Security advisories alert you to new threats, while security bulletins provide solutions to fix them. Both help keep systems secure!
What's the concept of intelligence fusion?
Intelligence Fusion:
Intelligence fusion is the process of gathering, combining, and analyzing different types of security information from multiple sources to get a clearer and more complete picture of potential threats.
NOTE:
Threat hunting is built on the assumption that an attacker has already breached the organization's security; threat hunters search for any signs or evidence of a successful attack.
What does shunning mean in a penetration test?
In penetration testing, shunning refers to a security mechanism where a system actively blocks or drops connections from an attacker or a suspicious IP address. This is typically done automatically by Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), firewalls, or other security controls when they detect malicious activity.
What does deny listing mean?
"Deny listing" (also known as blacklisting) in cybersecurity refers to the practice of explicitly blocking certain IP addresses, domains, applications, or users from accessing a system or network. It is used to prevent known threats from interacting with protected resources.
What is the difference between passive and active reconnaissance in penetration testing?
Passive Reconnaissance:
Gathering information without directly interacting with the target.
The target does not detect your activities.
Examples:
Searching for company details on Google.
Looking at social media profiles for employee information.
Using tools like Shodan to find exposed systems.
Active Reconnaissance:
Actively engaging with the target to collect information.
The target may detect your activities.
Examples:
Scanning the target network using Nmap.
Sending requests to a web server to see how it responds.
Checking for open ports and vulnerabilities.
Key Difference:
Passive recon is like spying from a distance (low risk).
Active recon is like knocking on doors to see who answers (higher risk of detection).
Footprinting in Active Reconnaissance
Footprinting refers to the process of gathering detailed information about a target system, network, or organization before launching an attack. In active reconnaissance, footprinting involves directly interacting with the target to collect data, making it more likely to be detected.
Simple breakdown of the differences between security testing, security assessments, and security audits:
1. Security Testing (Vulnerability Testing & Penetration Testing)
🔹 Definition:
Security testing focuses on identifying vulnerabilities in systems, networks, and applications. It involves technical assessments like vulnerability scanning and penetration testing.
🔹 Types (from Security+):
Vulnerability Scanning → Uses tools (e.g., Nessus, OpenVAS) to find security weaknesses in a system.
Penetration Testing → Ethical hackers actively exploit vulnerabilities to assess security risks.
🔹 Key Concepts (Security+):
Passive Testing → Observing without interacting (e.g., reviewing logs).
Active Testing → Actively probing for weaknesses (e.g., scanning ports with Nmap).
🔹 Example in Security+ Exam:
You perform a vulnerability scan on a company's web server and find outdated software.
2. Security Assessment
🔹 Definition:
A comprehensive review of an organization's security posture, including technical, administrative, and physical security controls.
🔹 Key Concepts (Security+):
Risk Assessment → Identifies potential threats and their impact.
Security Posture Assessment → Evaluates how well security controls protect against threats.
Configuration Review → Ensures systems follow best practices (e.g., checking firewall rules).
🔹 Example in Security+ Exam:
A company hires a security consultant to review policies, firewalls, and access controls to ensure best security practices.
3. Security Audit
🔹 Definition:
A formal and structured process to verify if an organization meets specific security policies, regulations, or compliance standards (e.g., PCI-DSS, HIPAA, ISO 27001).
🔹 Key Concepts (Security+):
Compliance Audits → Ensures adherence to legal or regulatory requirements.
Internal vs. External Audits:
Internal Audit → Done by in-house security teams.
External Audit → Performed by third-party auditors (e.g., a PCI compliance check).
🔹 Example in Security+ Exam:
A healthcare company undergoes a HIPAA compliance audit to verify they are handling patient data securely.
Exam Tip:
Security Testing → Focuses on finding vulnerabilities.
Security Assessments → Evaluates the entire security environment.
Security Audits → Ensures compliance with standards.
The difference between an external audit and an independent third-party audit:
Key Difference: Who Requests the Audit?
External Audit → Your company requests it from an external entity to review security practices.
Independent Third-Party Audit → A vendor, regulator, or compliance body requests it, and an independent entity conducts the audit.
🔹 External Audit (Your Company Requests It)
Your own organization brings in an external firm to conduct a security review.
This is done to check your security posture, ensure best practices, or prepare for compliance.
The external auditors have no decision-making power over your organization.
Example:
Your company hires a cybersecurity consulting firm to conduct an external audit and identify security gaps before an official compliance check.
🔹 Independent Third-Party Audit (A Vendor or Regulator Requests It)
This is not initiated by your company; it is required by an outside entity (e.g., a regulatory body, vendor, or client).
The audit is performed by a completely neutral, certified third-party organization.
It determines if you are compliant with an official security standard (e.g., ISO 27001, PCI-DSS).
Example:
A payment processor requires your company to undergo a PCI-DSS compliance audit by a certified third-party auditor before allowing you to handle credit card transactions.
Final Exam Tip:
External Audit → Your company initiates it for self-assessment.
Independent Third-Party Audit → A third party (vendor/regulator) requires it to check compliance.
What's the difference between intrusive and non-intrusive vulnerability scans?
🔹 Intrusive Vulnerability Scan
Definition:
Actively tests vulnerabilities by exploiting them in a controlled manner.
May cause system disruptions or performance issues.
How It Works:
The scanner attempts to exploit known vulnerabilities to confirm their presence.
Simulates real-world attacks to assess the impact of vulnerabilities.
Provides more accurate results since vulnerabilities are actually tested.
Examples:
Attempting SQL injection on a database.
Exploiting an unpatched RCE (Remote Code Execution) vulnerability.
Running a penetration test within a vulnerability scan.
Pros & Cons:
Pros:
Provides real-world impact of vulnerabilities
Reduces false positives
Helps security teams prioritize critical threats
Cons:
Requires permission before running in production
Can crash systems or cause downtime
Risk of data loss or corruption
🔹 Non-Intrusive Vulnerability Scan
Definition:
Passive approach: only identifies vulnerabilities without exploiting them.
Does not interact aggressively with the target system.
How It Works:
Scans system configurations, software versions, and known vulnerabilities.
Uses fingerprinting techniques to detect weaknesses.
Generates reports with potential vulnerabilities (but does not confirm them).
Examples:
Scanning a web application to detect outdated software.
Identifying open ports and misconfigurations on a network.
Checking for default passwords in network devices.
Pros & Cons:
Pros:
Safe for production systems
Quick and efficient
Requires less permission
Cons:
False positives (vulnerabilities might not actually be exploitable)
Doesn't confirm if an exploit is truly possible
Less useful for prioritizing risk
Security+ Exam Tip
Intrusive vulnerability scans = Testing if vulnerabilities are actually exploitable.
Can be automated (e.g., Nexpose, Burp Suite active scanning).
Can be manual (e.g., a pentester manually running exploits).
Non-intrusive vulnerability scans = Only detect vulnerabilities without testing exploits.
Why Do Credentialed Scans Only Require Read-Only Access?
🔹 Credentialed vulnerability scans use valid login credentials to access internal system information, such as installed software, configurations, registry settings, and security policies. However, these scans only require read-only access because their purpose is to identify vulnerabilities, not modify the system.