Chapter 12 - The Pen Test, Putting it all Together

Question 1

Security Assessment

Answer 1

any test performed to assess the level of security on an network or system

Question 2

3 categories of security assessments

Answer 2

security audit

vulnerability assessment

penetration test

Question 3

Security Audit

Answer 3

policy and procedure focused

tests whether the organization is following specific standards and policies they have in place

Question 4

Vulnerability assessment

Answer 4

scans and tests a system or network for existing vulnerabilities but doesn’t exploit them

Question 5

Penetration test

Answer 5

searches for vulnerabilities and actively seeks to exploit them

must have an agreement in place before testing begins

agreement should spell out limitations, constraints, liabilities, between organization and the pen test team. A separate indemnity form releasing you from financial liability is also necessary (ie what if port scanner accidentally takes down server)

Question 6

Exam Tip, know Shellshock vulnerability

aka Bashdoor, Bash Bug, CVE-2014-6271

Answer 6

affected Bash shell found in most versions of Linux, Unix and Mac OS X. Also some linux-based routers with CGI-enabled web interface

Question 7

External assessment

Answer 7

analyzes publicly available information, performs network scanning, enumeration and testing from the network perimeter. Usually the internet

Question 8

Internal assessment

Answer 8

performed from inside the organization

Question 9

define black, white, gray box testing

Answer 9

black - no knowledge of infrastructure. simulates outside hacker

white - complete knowledge of infrastructure. simulates insider

gray - soem information on infrastructure

Question 10

red team

Answer 10

offense, hacking group, black box style with no knowledge

Question 11

blue team

Answer 11

defensive team

Question 12

automated testing

codenomicon
core impact pro
metasploit (with Autopwn module)
CANVAS

Answer 12

point and shoot with all inclusive tool set like Core Impact

can save time and money, but prone to false positives and negatives, doesn’t necessarily care about your scope agreement

Question 13

3 phases of a pen test

Answer 13

pre-attack

attack

post-attack

Question 14

pre-attack phase

Answer 14

reconnaissance and data gathering

ID network ranges, DNS enumeration, IP ranges, nmap network scanning, test proxy servers, checking for firewalls

Question 15

attack phase

Answer 15

attempt to penetrate network perimeter, acquire targets, execute attacks, elevate privileges

verify ACL’s by crafting packets, seeing if you can use covert tunnels, trying XSS, buffer overflows, SQL injections, password cracking,

Question 16

post attack

Answer 16

cleanup anything uploaded to the network. Remove tools, malware, backdoors, attack software

provide deliverables: reports, etc

Question 17

5 basics of a pen test report

Answer 17

executive summary (if using FISMA, DIACAP, RMF, HIPAA, etc, this summary will be tailored to that)

names of participants and dates of tests

list of findings, usually ordered by risk

analysis of each finding and recommended mitigation steps

log files and evidence from your toolset. customers seem to want screenshots

Question 18

Open Source Security Testing Methodology Manual (OSSTM)

Answer 18

created by Institute for Security and Open Methodologies (ISECOM) in 2001

effort to improve how security is tested

peer reviewed manual of security testing and analysis.

results in fact based actions that improve security

downloadable as a PDF file

constantly updated

Question 19

Testing Guidelines and Methodologies

OSSTM

SANS

OWASP

Answer 19

OSSTM and SANS have their own methodologies

OWASP focuses on web servers and appliations

Question 20

ECC 4 categories of insider threats

Answer 20

pure insider

insider associate

insider affiliate

outside affiliate

Question 21

pure insider

Answer 21

an employee with all rights and access an employee has (physical and network access, badge, etc)

common problem is that their privileges are often higher than they need to be

Question 22

insider associate

Answer 22

someone with limited access like a contractor, janitor, guard.

have physical access, not network. Not employees

Question 23

insider affiliate

Answer 23

friend, spouse or client of the employee who uses the employees credentials to gain access.

Key thing is not the persons so much as the credentials

Question 24

outsider affiliate

Answer 24

someone outside the organization who is untrusted, unknown but uses and open access channel to gain access

example - someone using an unsecured wireless access point