Chapter 5: Monitoring, Scanning, and Penetration Testing

Question 1

These pen testers work in an unknown environment and are given no info on the company. They will carry out an initial exploitation looking for vulnerabilities.

Answer 1

Black Box

Question 2

These pen testers work in a partially known environment as they are given limited info.

Answer 2

Gray Box

Question 3

These pen testers work in a known environment. One of the purposes of these pen testers is to test applications in a sandbox o that when they are released, they do not have any vulnerabilities. They know everything about a system or application as they have access to an application’s source code.

Answer 3

White Box

Question 4

These are details of the person within the company who has authorized the pen test, also with their contact details, so that they can be updated periodically on the progress of the test. They should agree to a time and date to start the pen test.

Answer 4

Rules of Engagement (ROE)

Client Contact Details

Question 5

The type of test, whether it is black, gray, or white, and what action is allowed to be taken if a vulnerability has been found.

Answer 5

Rules of Engagement (ROE)

Scope

Question 6

If this is an announced pen test, we should let the IT team know the IP addresses of the pen testers. This will allow the IT team to differentiate between live attacks and the pen testers.

Answer 6

Rules of Engagement (ROE)

IT Team Notification

Question 7

The rules of how pen testers will handle PII and sensitive info that they acquire: do they keep copies on their computers, and what levels of encryption should they use for storage.

Answer 7

Rules of Engagement (ROE)

Data Handling

Question 8

Pen testing on web applications is conducted in a sandbox rather than affect the customer’s potential sales on the production website.

Answer 8

Rules of Engagement (ROE)

Web Applications

Question 9

Depending on the length of the pen test, regular meetings should be conducted with the client, giving them real-time updates of the progress being made, The client will then inform the pen testers if their IT team has identified any breaches of security.

Answer 9

Rules of Engagement (ROE)

Regular Client Meeting

Question 10

TIP

A white box pen tester has all the info they need, including the source code.

Answer 10

TIP

Question 11

This is the process to restore the environment back to the original state. The pen testers may be asked to provide details of vulnerabilities to the IT team so that they can secure their environment.

Answer 11

Rules of Engagement (ROE)

Cleanup

Question 12

This is the process where corporations or software vendors reward the testers who find vulnerabilities in their environment, especially those affecting the security of their environments. Large corporations should have this in place. The pen tester will be asked to look for the same software vulnerabilities as the ___ ______ program.

Answer 12

Rules of Engagement (ROE)

Bug Bounty

Question 13

A _____ attack is when an attacker gains access to a desktop computer inside a company, which they use to launch and attack another computer or server.

Answer 13

(Network Exploitation Techniques)

Pivoting

Question 14

This is where attackers move around your network looking for resources to exploit in an effort to avoid detection. This digs deeper into your network in a search.

Answer 14

(Network Exploitation Techniques)

Lateral Movement

Question 15

This is an attack over an extended period of time.

Answer 15

(Network Exploitation Techniques)

Persistence

Question 16

Escalation of privilege is where an attacker exploits a weakness in a system so that they can gain a higher level of privileges on it.

Answer 16

(Network Exploitation Techniques)

Escalation of Privilege

Question 17

_____ __________ is where someone actively tries to gain information about the system. For example, an attacker finds a username left on one of the corporate desktops; they then ring up the active directory team, pretending to be that person and requests a password reset. This is ______ ___________, as they have carried out an action.

Answer 17

(Network Exploitation Techniques)

Active Reconnaissance

Question 18

____ ________ is where an attacker is constantly gathering info, without the victim’s knowledge. For example, an attacker is sitting in a coffee shop when they realize that two members of Company A’s security team are having lunch. The attacker listens to every word that is said, and the security team is unaware of the eavesdropping. This is ______ _______.

Answer 18

Passive Reconnaissance

Question 19

These can be used for passive reconnaissance as they have cameras, including thermal imaging, and can collect useful info. However, they also could be armed and used to cause destruction. In this case, ____ constitute active reconnaissance.

Answer 19

(Reconnaissance Tools)

Drones

Question 20

This could also use a drone with a laptop or PDA so that they can map out wireless networks, and they could also have Bluetooth and cellular capability. This is passive reconnaissance as it maps out the networks.

Answer 20

(Reconnaissance Tools)

War Flying

Question 21

This is where someone drives around in a car mapping out wireless access points, including those that could be vulnerable. This is passive reconnaissance.

Answer 21

(Reconnaissance Tools)

War Driving

Question 22

This is the process that hackers would use to map out all of the connections to a specific computer looking for remote access capabilities, open ports, services, and vulnerabilities.

Answer 22

(Reconnaissance Tools)

Footprinting

Question 23

This is intelligence collected legally from the public domain, such as social media or websites on the internet. It is used in law enforcement and business intelligence to help identify the source of attacks. It is only used for non-sensitive data.

Answer 23

(Reconnaissance Tools)

Open Source Intelligence (OSINT)

Question 24

The red team mimics an attacker, and they try to find vulnerabilities within your company. They quite often use social engineering and phishing as part of their attacks.

Answer 24

(Exercise Types)

Red Team

Question 25

The blue team looks to discover security vulnerabilities within the company and take action to mitigate them so that the company is secure.

Answer 25

(Exercise Types)

Blue Team

Question 26

The white team organizes and judges cybersecurity exercises based on the information given. They set the rules of engagement and details of the exercise. If they find that the red team has created a vulnerability that is serious, they will stop the exercise immediately. They score the blue team’s effort based on information from the red and green teams. They look at the reports regarding accuracy and ensure that any countermeasures are suitable.

Answer 26

(Exercise Types)

White Team

Question 27

The green team is trained to be an attacker, but has a defensive posture, and their focus is on repairing vulnerabilities as quickly as possible.

Answer 27

(Exercise Types)

Green Team

Question 28

The purple team can carry out the role of both the blue and red teams. By combining these teams, they can discover the threat actors’ tactics. These guys could be auditors or external consultants.

Answer 28

(Exercise Types)

Purple Team

Question 29

This is a non-profit, government funded organization working out of Bedford Massachusetts that looks at different attack vectors. They produce the ___ ____ _____ (CVE) list, which looks at computer flaws. Each flaw has an ID.

Answer 29

(Vulnerability Scanning Concepts)

Common Vulnerabilities and Exposure (CVE): Massachusetts Institute of Technology Research & Engineering (MITRE)

Question 30

____ is built into many vulnerability scanners and indicates the severity of vulnerabilities. The security team can use this output to identify which vulnerabilities need to be dealt with first. Always deal with the critical event first.

Answer 30

(Vulnerability Scanning Concepts)

Common Vulnerabilities Scoring System (CVSS)

Question 31

This is where the scan believes that there is a vulnerability but when you physically check, it is not there.

Answer 31

(Vulnerability Scanning Concepts)

False Positive

Question 32

A _____ ______, on the other hand, is more dangerous. There is a vulnerability, but the scanner does not detect it. An example of a____ ______ is a Zero-Day exploit that is attacking the system without there being a way of detecting it.

Answer 32

(Vulnerability Scanning Concepts)

False Negative

Question 33

This is where the results of the system scan agree with the manual inspection.

Answer 33

(Vulnerability Scanning Concepts)

True Positive

Question 34

Following a vulnerability scan, it is important to review the log files that will list any potential vulnerabilities. The security team should ensure that these are addressed immediately.

Answer 34

(Vulnerability Scanning Concepts)

Log Reviews

Question 35

This type of vulnerability scanner is much more powerful than its counterpart. It has higher privilege than a non-credentialed scan. It provides more accurate information, and it can scan documents, audit files, check certificates, and account information. It will tell you what accounts have vulnerabilities.

Answer 35

Credentialed Scan

Question 36

This type of vulnerability scan has lower privileges than the credentialed scan. It will identify vulnerabilities that an attacker would easily find. We should fix the vulnerabilities found with a non-credentialed scan first, as this is what the hacker will see when they enter your network.

Answer 36

Non-Credentialed Scan

Question 37

These are passive and merely report vulnerabilities. They do not cause damage to your system.

Answer 37

Non-Intrusive Scan

Question 38

These types of scans can cause damage so they try to exploit the vulnerability and should be used in a sandbox and not on your live production system. The min difference between the ______ scan and a pen test is that the person running the ______ scan has more knowledge of the system than the pen tester.

Answer 38

Intrusive Scans

Question 39

TIP

A credentialed scan can produce more information and can audit the network. A non-credentialed scan is primitive and can only find missing patches or updates. It has fewer permissions than a credentialed scan.

Answer 39

TIP

Question 40

These scans look at the computers and devices on your network and help identify weaknesses in their security. They scan the whole network looking for nodes that are not fully patched or have open ports.

Answer 40

Network Scans

Question 41

Before applications are released, coding experts are employed to perform regression testing that will check whether your code is written properly. The best type of analysis is dynamic analysis, as it evaluates the program in real time. After this, the white box pen tester ensures that there are no weaknesses in the application.

Answer 41

Application Scans

Question 42

They crawl through a website as if they are a search engine looking for vulnerabilities. There are automated to look for vulnerabilities, such as cross-site scripting and SQL injection.

Answer 42

Web Application Scans

Question 43

Configuration compliance scanners and desired state configuration in PowerShell ensure that no deviations are made to the security configuration of a system.

Answer 43

Configuring Review

Question 44

____ ______ protocol server is used to collect data from multiple sources and store them in a single location, such as an event logging database. Legitimate data can be filtered out, thereby reducing the amount of data held. The SIEM can benefit from the filtered data as searching becomes easier. This data is usually encrypted.

Answer 44

System Logging (Syslog)

Question 45

tools that can collect information from both syslog server and multiple other servers. An agent is placed on the device that can collect log information, parse the data into a better structure, and then pass it to the SIEM server for aggregation.

Answer 45

(SIEM System Aspects)

Log Collectors

Question 46

The SIEM system can correlate and aggregate events so that duplicates are ruled out and a better understanding of the events occurring on the network are achieved to help identify potential attacks.

Answer 46

(SIEM System Aspects)

Log Aggregation

Question 47

The log files can be used to find evidence for the forensics team to help them identity an attack.

Answer 47

(SIEM System Aspects)

Log Forensics

Question 48

A SIEM system has a dashboard and collects reports that can be reviewed on a regular basis to ensure that the policies have been enforced and that the company is compliant. It will also highlight whether or not the SIEM system is effective and working properly. False positives may arise because the wrong input filters are being used or the wrong hosts monitored.

Answer 48

(SIEM System Aspects)

Event Reporting

Question 49

From the events, the SIEM system can detects threats on the network and immediately forward the information pertaining to these threats to the security team.

Answer 49

(SIEM System Aspects)

Detect Threats

Question 50

After receiving the detection of potential threats, the security team verifies whether the security breaches have taken place. It will then take the necessary action to stop the breach and prevent it from happening again.

Answer 50

(SIEM System Aspects)

Alert Security Breaches

Question 51

The SIEM can monitor in real time and therefore alert the security teams immediately as any event is discovered. This helps to protect your working environment.

Answer 51

(SIEM System Aspects)

Real-Time Monitoring

Question 52

The SIEM system is reliant on all of the hosts that it collects and correlates data from in order to be in sync with each other. The time needs to be synchronized between all collection points. A Network Time Protocol (NTP) would be used to facilitate this. Otherwise, the events that are correlated may not be in the right order if the computer time clocks are out of synch.

Answer 52

(SIEM System Aspects)

Time Synchronization

Question 53

The SIEM system has the ability to capture packets and analyze them to identify threats as soon as they reach your network. The security team can then be alerted immediately.

Answer 53

(SIEM System Aspects)

Packet Capture

Question 54

This is based on the interaction of a user that focuses on their identity and the data that they would normally access in a normal day. It tracks the devices that the user normally uses and the servers that they normally visit. If you look at the behavior of one person, you may not identity attacks, but if you apply UBA to a whole company then you start to identify potential attackers as they deviate from normal patterns.

Answer 54

(SIEM System Aspects)

User Behavior Analysis (UBA)

Question 55

This is a real-time protection and event monitoring system that correlates the security events from multiple resources, identifies a breach, and helps the security team to prevent the breach.

Answer 55

(SIEM System Aspects)

Security Monitoring

Question 56

is an automated tool that integrates all of your security processes and tools in a central location. As an automated process that is faster that humans searching for evidence of attacks, it helps reduce the mean time to detect (MTTD) and accelerates the time to respond to events.

Answer 56

Security Orchestration, Automation, and Response (SOAR)

Question 57

is a dynamic process of seeking out cybersecurity threats inside your network from attackers and malware threats. According to the Security Intelligence website, an average cybercriminal can spend 191 days inside your network before being discovered.

Answer 57

Threat hunting