Chapter 2: Threat Management and Cybersecurity Resources Flashcards
A type of test that attempts to exploit vulnerabilities just as a threat actor would
Penetration test
Why should pen testing be carried out?
Deep vulnerabilities can only be revealed through a simulated attack using the mindset of an actual threat actor
What are 3 advantages to using internal security personnel in a pen test?
- Low cost
- Fast
- Enhances training
What are 3 disadvantages to using internal security personnel?
- Insider knowledge
- Lack of expertise
- Reluctance to reveal findings
What are 4 advantages to using external consultants for pen testing?
- Expertise
- Credentials
- Experience
- Focus
What is the primary disadvantage to using external consultants in a pen test?
Use of discovered information
A monetary award for uncovering a software vulnerability
Bug bounty
What are three advantages to crowdsourcing pen testing?
- Fast
- Flexible
- Wide scope
Scans for vulnerabilities and exploits them in a pen test
Red team
Monitors for attackers and shores up defenses as necessary in a pen test
Blue team
Enforces the rules in a pen test
White team
Provides feedback to defenders and attackers during pen test
Purple team
A type of pen test where the attackers have no knowledge of the network and no special privileges
Black box
A type of pen test where the attackers are given limited knowledge of the network and some elevated privileges
Gray box
A type of pen test where attackers are given full knowledge of the network and the source code of applications
White box
Limitations or parameters on the pen test
Rules of engagement
What are 7 elements of the rules of engagement?
- Timing
- Scope
- Authorization
- Exploitation
- Communication
- Cleanup
- Reporting
Less technical element of a report aimed at those in charge
Executive summary
In a pen test, the determination, resolve, and perseverance with which an attacker (or tester) keeps access to a compromised system so it can be returned to later; the same word is also used for a load balancer creating a link between an endpoint and a specific network server for the duration of a session
Persistence
Gathering information from outside the organization
Footprinting
Directly probing for vulnerabilities and useful information
Active reconnaissance
Searching for wireless signals from an automobile or on foot while using a portable computing device
War driving
An efficient means of discovering a WiFi signal using drones
War flying
An unmanned aerial vehicle without a human pilot
Drone
An aircraft without a human pilot on board to control its flight
Unmanned aerial vehicle (UAV)
Searching online for publicly accessible information without directly touching the target's systems (contrast with active reconnaissance)
Passive reconnaissance (also called passive surveillance)
Publicly accessible information
Open source intelligence (OSINT)
Exploiting a flaw to gain access to resources that are normally protected from an application or user, moving from lower to higher privileges
Privilege escalation
Using a system that has already been compromised as a foothold from which to reach and compromise other systems
Pivoting
A frequent and ongoing process, often automated, that continuously identifies vulnerabilities and monitors cybersecurity progress
Vulnerability scanning
What are 7 ways that a pen test and vulnerability scan are different?
- Purpose
- Procedure
- Frequency
- Personnel
- Process
- Goal
- Audience
What are 2 issues when conducting a vulnerability scan?
- Workflow interruptions
- Technical constraints
A list of all significant assets
Asset inventory
An examination of the software settings for a vulnerability scan
Configuration review
Depth of a vulnerability scan
Sensitivity level
4 elements of a configuration review include …
- Define target devices
- Ensure scan designed to meet intended goals
- Sensitivity level
- Specify data types
A scan in which valid credentials, such as usernames and passwords, are supplied to the vulnerability scanner so that it mimics the work of a threat actor who possesses those credentials (it can inspect the host from the inside and typically finds more than a non-credentialed scan)
Credentialed scan
A vulnerability scan that provides no authentication information to the tester
Non-credentialed scan
A vulnerability scan that attempts to employ any vulnerabilities which it finds, much like a threat actor would
Intrusive scan
A vulnerability scan that does not attempt to exploit the vulnerabilities it finds but only records that they were discovered
Non-intrusive scan
A numeric rating system (0.0 to 10.0) for the severity of a vulnerability, computed from metrics such as attack vector, attack complexity, privileges required, user interaction, scope, and the confidentiality, integrity, and availability impact
Common Vulnerability Scoring System (CVSS)
A tool that consolidates real-time security monitoring and management of security information with analysis and reporting of security events
Security Information and Event Management (SIEM)
Looking at normal behavior of users and how they interact with systems to create a picture of typical activity
User behavior analysis
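The two cards above describe what a SIEM and user behavior analysis do; the following added example (not code from the original page or from any SIEM product) shows the two kinds of logic side by side on constructed sshd-style log lines: a correlation rule that fires when a burst of failed logins from one address is followed by a success, and a behavior baseline that records the hours at which each user normally logs in and flags a later login at an hour never seen before. The log lines, usernames, addresses (documentation ranges) and the 2024-03-05 baseline cutoff are all assumptions made for the example.

```python
"""SIEM-style correlation and a user-behaviour baseline over constructed sshd log
lines (added example; not the original page's code nor any product's)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log. Addresses are from documentation ranges; nothing here is real.
SAMPLE_LOG = """\
2024-03-04T09:02:11 sshd[4011]: Accepted password for alice from 10.0.0.5 port 51000
2024-03-04T09:15:40 sshd[4012]: Accepted password for bob from 10.0.0.7 port 51001
2024-03-04T10:30:00 sshd[4013]: Accepted password for alice from 10.0.0.5 port 51002
2024-03-05T03:12:01 sshd[4100]: Failed password for alice from 203.0.113.9 port 40001
2024-03-05T03:12:03 sshd[4101]: Failed password for alice from 203.0.113.9 port 40002
2024-03-05T03:12:05 sshd[4102]: Failed password for alice from 203.0.113.9 port 40003
2024-03-05T03:12:07 sshd[4103]: Failed password for alice from 203.0.113.9 port 40004
2024-03-05T03:12:09 sshd[4104]: Failed password for alice from 203.0.113.9 port 40005
2024-03-05T03:12:12 sshd[4105]: Accepted password for alice from 203.0.113.9 port 40006
2024-03-05T09:05:00 sshd[4200]: Accepted password for bob from 10.0.0.7 port 51010
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password "
                     r"for (?P<user>\S+) from (?P<ip>\S+) port \d+$")


def parse(log_text):
    """Normalise raw lines into event dicts, sorted by time; unmatched lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "ok": m["result"] == "Accepted",
                           "user": m["user"], "ip": m["ip"]})
    return sorted(events, key=lambda e: e["ts"])


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Correlation rule: a success from an IP that produced >= threshold failures
    within the preceding window. Returns one (ip, user, time) tuple per alert."""
    failures = defaultdict(list)
    alerts = []
    for e in events:
        if not e["ok"]:
            failures[e["ip"]].append(e["ts"])
            continue
        recent = [t for t in failures[e["ip"]] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append((e["ip"], e["user"], e["ts"]))
            failures[e["ip"]].clear()  # do not re-alert on the same burst
    return alerts


def baseline_hours(events, cutoff):
    """Behaviour baseline: hours of day at which each user logged in successfully
    before the cutoff (the 'picture of typical activity')."""
    hours = defaultdict(set)
    for e in events:
        if e["ok"] and e["ts"] < cutoff:
            hours[e["user"]].add(e["ts"].hour)
    return hours


def detect_anomalous_logins(events, baseline, cutoff):
    """Successful logins at or after the cutoff at an hour never seen for that user."""
    return [(e["user"], e["ts"]) for e in events
            if e["ok"] and e["ts"] >= cutoff
            and e["ts"].hour not in baseline.get(e["user"], set())]


def run(log_text=SAMPLE_LOG, cutoff=datetime(2024, 3, 5)):
    events = parse(log_text)
    baseline = baseline_hours(events, cutoff)
    return {"bruteforce": detect_bruteforce(events),
            "anomalous": detect_anomalous_logins(events, baseline, cutoff)}


if __name__ == "__main__":
    for rule, hits in run().items():
        for hit in hits:
            print(rule, *hit)
```

On the sample both rules point at the same 03:12 login for alice. Note the blind spots: the per-IP correlation rule misses password spraying from many addresses, and a two-day hour baseline is far too thin for production, where a real UBA system scores many features (host, geography, device, data volume) over weeks before calling anything anomalous.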
The process of computationally identifying and categorizing opinions expressed in text in order to determine the writer's attitude toward a particular topic
Sentiment analysis
A tool designed to help security teams manage and respond to the very high number of security warnings and alarms by combining comprehensive data gathering and analytics in order to automate incident response
Security Orchestration, Automation, and Response (SOAR)
Proactively searching for cyber threats that have thus far gone undetected in a network
Threat hunting
Deliberately taking unconventional, unpredictable actions when threat hunting, rather than following routines a threat actor could anticipate and evade
Maneuvering
Cybersecurity data feeds that provide information on the latest threats
Threat feeds
A formal repository of information from enterprises and the government used to share information on the latest attacks
Fusion center
A series of documented processes used to define policies and procedures for implementation and management of security controls in an enterprise environment
Framework
4 NIST framework elements
- Functions
- Categories
- Subcategories
- Informative references
A guidance document designed to help organizations assess and manage risks to their information and systems
NIST Risk Management Framework
A measuring stick against which companies can compare their cybersecurity practices relative to the threats they face
NIST Cybersecurity Framework
An ISO standard that specifies the requirements for an information security management system (ISMS)
ISO 27001
An extension of ISO 27001 that is a framework for managing privacy controls to reduce the risk of privacy breaches
ISO 27701
An ISO "code of practice" for information security management within an organization; the 2013 edition contains 114 control recommendations (the 2022 revision restructures them into 93)
ISO 27002
An ISO standard that provides principles and guidelines for managing risk of any kind (risk management, not a list of security controls)
ISO 31000
An AICPA System and Organization Controls (SOC) report on a service organization's internal controls over security, availability, processing integrity, confidentiality, and privacy of customer data; a Type II report tests that those controls operated effectively over a period of time, not just that they were suitably designed at a point in time (Type I)
SSAE SOC 2 Type II
An AICPA SOC report covering the same areas as SOC 2 but written as a general-use summary that can be freely distributed; this is the SOC 3 report (sometimes mislabeled "SOC 2 Type III"; there is no Type III)
SSAE SOC 3
A specialized framework of cloud-specific security controls
Cloud Controls Matrix
An authoritative source of information
Reference architecture
Mandatory requirements, typically developed by established professional organizations or government agencies using the expertise of seasoned security professionals
Regulations
A document approved through consensus by a recognized standardization body
Standards
A compliance standard to provide a minimum degree of security for handling customer card information
Payment Card Industry Data Security Standard (PCI DSS)
Guidelines for configuring a device or software usually distributed by hardware manufacturers and software developers
Benchmark/Secure Configuration Guide
Guidelines that only apply to specific products
Platform/vendor-specific guides
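Benchmarks and secure configuration guides are only useful if something checks the running configuration against them. The following added example (not from the original page, CIS, or any vendor guide) audits an OpenSSH `sshd_config` against a small benchmark-style baseline. The baseline values, the two sample configurations and the assumption that the baseline wants each value set explicitly are all constructed for illustration; the parser honours two real sshd behaviours, namely that only whole-line `#` comments are comments and that the first occurrence of a keyword wins, and it stops at the first `Match` block because settings there are conditional.

```python
"""Audit an sshd_config against a benchmark-style baseline (added example, not the
original page's code nor any published benchmark)."""

# Constructed baseline in the spirit of a secure-configuration guide. The specific
# values are illustrative assumptions. Each entry: keyword -> (requirement text,
# predicate on the lower-cased value).
BASELINE = {
    "PermitRootLogin": ("no", lambda v: v == "no"),
    "PasswordAuthentication": ("no", lambda v: v == "no"),
    "PermitEmptyPasswords": ("no", lambda v: v == "no"),
    "X11Forwarding": ("no", lambda v: v == "no"),
    "MaxAuthTries": ("4 or fewer", lambda v: v.isdigit() and int(v) <= 4),
}

# Constructed weak configuration: the kind of settings a benchmark tells you to change.
WEAK_CONFIG = """\
# permissive sshd_config (constructed example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
MaxAuthTries 6
"""

# Constructed hardened configuration. The Match block at the end re-enables password
# authentication for one account only; it is conditional, so the audit ignores it.
HARDENED_CONFIG = """\
# hardened sshd_config (constructed example)
Port 22
permitrootlogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return {Keyword: value} for the global section: first occurrence of each keyword
    wins (as in sshd), keywords are case-insensitive, and parsing stops at 'Match'."""
    canonical = {k.lower(): k for k in BASELINE}
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # sshd treats only whole-line comments as comments
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        if key.lower() == "match":
            break  # everything after a Match line is conditional
        settings.setdefault(canonical.get(key.lower(), key), value.strip())
    return settings


def audit(text, baseline=BASELINE):
    """Return findings as (keyword, requirement, actual). An unset keyword is reported
    with actual=None because this baseline (by assumption) wants values set explicitly
    rather than relying on compiled-in defaults."""
    actual = parse_sshd_config(text)
    findings = []
    for key, (requirement, ok) in baseline.items():
        value = actual.get(key)
        if value is None or not ok(value.lower()):
            findings.append((key, requirement, value))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "findings:")
        for key, requirement, value in audit(cfg):
            print(f"  {key}: expected {requirement}, found {value!r}")
```

Running it lists four findings for the weak file and none for the hardened one. A real audit would read `sshd -T` output (the effective configuration after defaults and includes) rather than the file, which is what most benchmark-checking tools do.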
Documents that are authored by technology bodies employing specialists, engineers, and scientists who are experts in those areas
Requests for Comment (RFCs)
What are 2 cybersecurity information streams that include information on the latest vulnerabilities and threats?
- Vulnerability feeds
- Threat feeds
The patterns of behavior of threat actors, describing how they orchestrate and manage attacks; catalogued in knowledge bases such as MITRE ATT&CK
Adversary tactics, techniques, and procedures (TTP)