Chapter 5: Monitoring, Scanning, and Penetration Testing Flashcards

1
Q

These pen testers work in an unknown environment and are given no information about the company. They start from the outside, as an external attacker would, carrying out reconnaissance and initial exploitation to look for vulnerabilities.

A

Black Box

2
Q

These pen testers work in a partially known environment, as they are given limited information (for example, a network diagram or a low-privileged account) but not full access.

A

Gray Box

3
Q

These pen testers work in a known environment. One of the purposes of this type of test is to test applications in a sandbox so that, when they are released, they do not have any vulnerabilities. The testers know everything about the system or application, as they have access to the application's source code.

A

White Box

4
Q

These are the details of the person within the company who has authorized the pen test, including their contact details, so that they can be updated periodically on the progress of the test. The client and the pen testers should agree on a time and date to start the pen test.

A

Rules of Engagement (ROE)

Client Contact Details

5
Q

The type of test (black, gray, or white box), which systems are in and out of bounds, and what action the testers are allowed to take if a vulnerability is found (for example, report it only, or exploit it to demonstrate impact).

A

Rules of Engagement (ROE)

Scope

6
Q

If this is an announced pen test, the IT team should be told the source IP addresses the pen testers will use. This allows the IT team to differentiate between live attacks and pen-test traffic, and it also means any activity from other addresses, or from those addresses outside the agreed test window, must still be treated as a real attack.

A

Rules of Engagement (ROE)

IT Team Notification
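As an added example (not part of the original flashcards), the following Python script shows how a blue team could apply the ROE details from the cards above: alerts whose source falls in the pen testers' agreed ranges and inside the agreed time window are tagged as authorized, while everything else stays a live alert. The IP ranges, time window and log lines are all constructed for this illustration; the log format is a simplified one-line-per-alert form, not the output of any particular firewall.

```python
import ipaddress
from datetime import datetime, timezone

# Rules of Engagement data (hypothetical values, constructed for this example):
# the pen testers' source ranges and the agreed test window, both in UTC.
PENTEST_SOURCES = [ipaddress.ip_network(n) for n in ("203.0.113.0/28", "198.51.100.7/32")]
TEST_WINDOW = (
    datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc),
    datetime(2024, 3, 6, 17, 0, tzinfo=timezone.utc),
)

# Constructed alert lines in the form "<ISO timestamp> <source ip> <event>".
SAMPLE_ALERTS = """\
2024-03-04T10:15:00Z 203.0.113.5 portscan tcp/1-1024 -> 10.0.0.12
2024-03-04T10:16:30Z 192.0.2.77 portscan tcp/1-1024 -> 10.0.0.12
2024-03-07T02:00:00Z 203.0.113.5 ssh-bruteforce -> 10.0.0.20
2024-03-05T14:00:00Z 198.51.100.7 sqli-attempt -> 10.0.0.30
"""


def classify_alert(line):
    """Return (timestamp, source, event, label) for one alert line.

    label is one of:
      'authorized-pentest'         - ROE source inside the agreed window
      'pentest-ip-outside-window'  - ROE source, but outside the window: treat as real
      'unknown-attacker'           - source is not in the ROE at all
    """
    ts_str, src_str, event = line.split(" ", 2)
    ts = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
    src = ipaddress.ip_address(src_str)
    from_tester = any(src in net for net in PENTEST_SOURCES)
    if not from_tester:
        label = "unknown-attacker"
    elif TEST_WINDOW[0] <= ts <= TEST_WINDOW[1]:
        label = "authorized-pentest"
    else:
        label = "pentest-ip-outside-window"
    return ts, str(src), event, label


def triage(text):
    """Classify every non-empty line; return the labels in input order."""
    return [classify_alert(line)[3] for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for alert_line in SAMPLE_ALERTS.splitlines():
        print(classify_alert(alert_line))
```

The third sample line is the one worth noticing: it comes from a pen-tester address but a day after the engagement ended, so it is not suppressed. Matching on the address alone would have hidden a real attacker who happened to use, or spoof, a tester's range.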

7
Q

The rules for how the pen testers will handle PII and other sensitive information they acquire: whether they may keep copies on their computers, what level of encryption must be used for storage, and when the data must be destroyed.

A

Rules of Engagement (ROE)

Data Handling

8
Q

Pen testing of web applications is conducted in a sandbox so that it does not affect the customer's potential sales on the production website.

A

Rules of Engagement (ROE)

Web Applications

9
Q

Depending on the length of the pen test, regular meetings should be held with the client to give them real-time updates on the progress being made. The client will in turn inform the pen testers if their IT team has identified any breaches of security.

A

Rules of Engagement (ROE)

Regular Client Meeting

10
Q

TIP

A white box pen tester has all the info they need, including the source code.

A

TIP

11
Q

This is the process of restoring the environment to its original state: removing any accounts, tools, backdoors, or test data the pen testers created. The pen testers may also be asked to provide details of the vulnerabilities to the IT team so that they can secure their environment.

A

Rules of Engagement (ROE)

Cleanup

12
Q

This is a program under which corporations or software vendors reward testers who find vulnerabilities in their environment, especially those affecting the security of their environments. Large corporations should have this in place. The pen tester may be asked to look for the same kinds of software vulnerabilities as the ___ ______ program.

A

Rules of Engagement (ROE)

Bug Bounty

13
Q

_____ is when an attacker gains access to a computer inside a company (for example, a desktop) and then uses it as a stepping stone to launch an attack on another computer or server that they could not reach directly.

A

(Network Exploitation Techniques)

Pivoting

14
Q

This is where attackers move around your network, from one host to the next, looking for resources to exploit while trying to avoid detection. It takes them progressively deeper into the network.

A

(Network Exploitation Techniques)

Lateral Movement

15
Q

This is where an attacker maintains their foothold in a compromised system so that the attack can continue over an extended period of time, even after reboots or routine changes.

A

(Network Exploitation Techniques)

Persistence

16
Q

Escalation of privilege is where an attacker exploits a weakness in a system so that they can gain a higher level of privileges on it.

A

(Network Exploitation Techniques)

Escalation of Privilege

17
Q

_____ __________ is where someone actively interacts with the target to gain information about a system. For example, an attacker finds a username left on one of the corporate desktops; they then ring up the Active Directory team, pretending to be that person, and request a password reset. This is ______ ___________, as they have carried out an action against the target.

A

(Network Exploitation Techniques)

Active Reconnaissance

18
Q

____ ________ is where an attacker gathers information without interacting with the target and without the victim's knowledge. For example, an attacker is sitting in a coffee shop when they realize that two members of Company A's security team are having lunch. The attacker listens to every word that is said, and the security team is unaware of the eavesdropping. This is ______ _______.

A

Passive Reconnaissance

19
Q

These can be used for passive reconnaissance, as they carry cameras (including thermal imaging) and can collect useful information from a distance. However, they can also be armed or otherwise used to cause destruction; in that case, ____ constitute active reconnaissance.

A

(Reconnaissance Tools)

Drones

20
Q

This is where an attacker fits a drone with a laptop or mobile device so that they can map out wireless networks from the air; the equipment may also have Bluetooth and cellular capability. This is passive reconnaissance, as it only maps out the networks.

A

(Reconnaissance Tools)

War Flying

21
Q

This is where someone drives around in a car mapping out wireless access points, including those that could be vulnerable (for example, open or using weak encryption). This is passive reconnaissance.

A

(Reconnaissance Tools)

War Driving

22
Q

This is the process hackers use to map out a specific target: its connections, remote access capabilities, open ports, running services, and potential vulnerabilities.

A

(Reconnaissance Tools)

Footprinting

23
Q

This is intelligence collected legally from the public domain, such as social media or websites on the internet. It is used in law enforcement and business intelligence, and can help identify the source of attacks. It only covers publicly available, non-sensitive data.

A

(Reconnaissance Tools)

Open Source Intelligence (OSINT)

24
Q

The red team mimics an attacker, and they try to find vulnerabilities within your company. They quite often use social engineering and phishing as part of their attacks.

A

(Exercise Types)

Red Team

25
Q

The blue team looks to discover security vulnerabilities within the company and take action to mitigate them so that the company is secure.

A

(Exercise Types)

Blue Team

26
Q

The white team organizes and judges cybersecurity exercises based on the information given. They set the rules of engagement and details of the exercise. If they find that the red team has created a vulnerability that is serious, they will stop the exercise immediately. They score the blue team’s effort based on information from the red and green teams. They look at the reports regarding accuracy and ensure that any countermeasures are suitable.

A

(Exercise Types)

White Team

27
Q

The green team is trained to be an attacker, but has a defensive posture, and their focus is on repairing vulnerabilities as quickly as possible.

A

(Exercise Types)

Green Team

28
Q

The purple team carries out the roles of both the blue and red teams. By combining the two, they can learn the threat actors' tactics and feed them straight back into the defenses. Purple team members may be auditors or external consultants.

A

(Exercise Types)

Purple Team

29
Q

This is a not-for-profit, government-funded organization, based in Bedford, Massachusetts and McLean, Virginia, that studies different attack vectors. It maintains the ______ _______________ ___ _________ (CVE) list, which catalogs publicly known flaws in computer systems and software. Each flaw is assigned a unique ID.

A

(Vulnerability Scanning Concepts)

Common Vulnerabilities and Exposures (CVE): the MITRE Corporation

30
Q

____ is built into many vulnerability scanners and indicates the severity of each vulnerability as a score from 0 to 10 (None, Low, Medium, High, Critical). The security team can use this output to decide which vulnerabilities need to be dealt with first. Always deal with the critical vulnerabilities first.

A

(Vulnerability Scanning Concepts)

Common Vulnerability Scoring System (CVSS)

31
Q

This is where the scanner reports a vulnerability, but when you manually verify the finding, it is not there.

A

(Vulnerability Scanning Concepts)

False Positive

32
Q

A _____ ________, on the other hand, is more dangerous: there is a vulnerability, but the scanner does not detect it. An example of a _____ ________ is a zero-day exploit attacking the system when the scanner has no signature or check that can detect it.

A

(Vulnerability Scanning Concepts)

False Negative

33
Q

This is where the scanner reports a vulnerability and manual inspection confirms that it really is there.

A

(Vulnerability Scanning Concepts)

True Positive

34
Q

Following a vulnerability scan, it is important to review the scan logs and reports, which list any potential vulnerabilities. The security team should ensure that these are addressed promptly, starting with the most severe.

A

(Vulnerability Scanning Concepts)

Log Reviews

35
Q

This type of vulnerability scan is much more powerful than its counterpart. It runs with higher privileges than a non-credentialed scan, so it provides more accurate information: it can scan documents, audit files, check certificates, and examine account information. It will tell you which accounts have vulnerabilities.

A

Credentialed Scan

36
Q

This type of vulnerability scan has lower privileges than a credentialed scan. It identifies the vulnerabilities an attacker would easily find from the outside. We should fix the vulnerabilities found by a non-credentialed scan first, as these are what a hacker sees when they first reach your network.

A

Non-Credentialed Scan

37
Q

These scans are passive and merely report vulnerabilities; they do not attempt to exploit them and so do not cause damage to your system.

A

Non-Intrusive Scan

38
Q

These types of scans actually try to exploit the vulnerabilities they find, so they can cause damage; they should be run in a sandbox and not on your live production system. The main difference between an ______ scan and a pen test is that the person running the ______ scan has more knowledge of the system than the pen tester.

A

Intrusive Scans

39
Q

TIP

A credentialed scan produces more information and can audit the network. A non-credentialed scan is more primitive: with fewer permissions than a credentialed scan, it can essentially only find missing patches or updates and exposed services.

A

TIP

40
Q

These scans look at the computers and devices on your network and help identify weaknesses in their security. They sweep the whole network looking for nodes that are not fully patched or that have unnecessary open ports.

A

Network Scans

41
Q

Before applications are released, testing specialists perform regression testing to check that new changes have not broken existing functionality, alongside code analysis to check that the code is written securely. Dynamic analysis is particularly valuable, as it evaluates the program while it is running. After this, the white box pen tester ensures that there are no weaknesses in the application.

A

Application Scans

42
Q

They crawl through a website as a search engine would, looking for vulnerabilities. They are automated to look for issues such as cross-site scripting (XSS) and SQL injection.

A

Web Application Scans

43
Q

Configuration compliance scanners and PowerShell Desired State Configuration (DSC) ensure that no deviations are made from the approved security configuration of a system, and flag or correct any drift that is found.

A

Configuration Review

44
Q

A ______ _______ server is used to collect log data from multiple sources and store it in a single location, such as an event logging database. Routine, benign entries can be filtered out, reducing the amount of data held; the SIEM benefits from the filtered data, as searching becomes easier. Note that traditional syslog is sent in plaintext (UDP port 514), so it should be sent over TLS or another encrypted transport, and stored encrypted, to protect the log data in transit and at rest.

A

System Logging (Syslog)

45
Q

These are tools that collect information from a syslog server and from many other sources. An agent is placed on the device to collect the log information, parse it into a better structure, and pass it to the SIEM server for aggregation.

A

(SIEM System Aspects)

Log Collectors

46
Q

The SIEM system correlates and aggregates events so that duplicates are ruled out and a better understanding of the events occurring on the network is achieved, helping to identify potential attacks.

A

(SIEM System Aspects)

Log Aggregation

47
Q

The log files can be used to find evidence for the forensics team to help them identify and reconstruct an attack.

A

(SIEM System Aspects)

Log Forensics

48
Q

A SIEM system has a dashboard and produces reports that can be reviewed on a regular basis to ensure that policies have been enforced and that the company is compliant. The reports also highlight whether or not the SIEM system itself is effective and working properly. False positives may arise because the wrong input filters are being used or the wrong hosts are being monitored.

A

(SIEM System Aspects)

Event Reporting

49
Q

From the collected events, the SIEM system can detect threats on the network and immediately forward the information pertaining to these threats to the security team.

A

(SIEM System Aspects)

Detect Threats

50
Q

After being alerted to a potential threat, the security team verifies whether a security breach has actually taken place. It then takes the necessary action to stop the breach and prevent it from happening again.

A

(SIEM System Aspects)

Alert Security Breaches

51
Q

The SIEM monitors in real time and can therefore alert the security team as soon as an event is discovered. This helps to protect your working environment.

A

(SIEM System Aspects)

Real-Time Monitoring

52
Q

The SIEM system relies on all of the hosts it collects and correlates data from being in sync with each other. The time must be synchronized between all collection points, and the Network Time Protocol (NTP) is used to achieve this. Otherwise, if the computers' clocks are out of sync, correlated events may appear in the wrong order.

A

(SIEM System Aspects)

Time Synchronization
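As an added example (not part of the original flashcards) covering the Log Aggregation, Detect Threats, and Time Synchronization cards above, the following Python code parses constructed SSH log lines from two hosts, drops duplicates that arrived via two collectors, corrects each host's timestamps by a known clock offset, and then runs a simple correlation rule: a burst of failed logins from one source followed shortly by a successful login from the same source. The hostnames, offsets, log lines, and the rule thresholds are all hypothetical, and the line format is a simplified one, not exact sshd output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Per-host clock error relative to the SIEM's NTP-disciplined clock, in seconds
# (hypothetical values, as an NTP client would report them). 'app01' runs five
# minutes fast, so its events are shifted back by 300 s onto the true timeline.
CLOCK_OFFSETS = {"bastion01": 0, "app01": -300}

LINE_RE = re.compile(
    r"^(?P<host>\S+) (?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

# Constructed log lines. The 'app01' Accepted line was really at 10:00:50, i.e.
# just after the burst of failures on bastion01. The sixth bastion01 line is a
# duplicate that arrived via a second log collector.
RAW_LOGS = """\
app01 2024-03-04T10:05:50Z sshd: Accepted password for alice from 192.0.2.10
bastion01 2024-03-04T10:00:05Z sshd: Failed password for alice from 192.0.2.10
bastion01 2024-03-04T10:00:12Z sshd: Failed password for alice from 192.0.2.10
bastion01 2024-03-04T10:00:19Z sshd: Failed password for alice from 192.0.2.10
bastion01 2024-03-04T10:00:27Z sshd: Failed password for alice from 192.0.2.10
bastion01 2024-03-04T10:00:33Z sshd: Failed password for alice from 192.0.2.10
bastion01 2024-03-04T10:00:33Z sshd: Failed password for alice from 192.0.2.10
bastion01 2024-03-04T10:02:00Z sshd: Failed password for bob from 198.51.100.9
"""


def parse(line, offsets):
    """Parse one line into a dict, normalising its timestamp by the host's clock offset."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    ts += timedelta(seconds=offsets.get(m["host"], 0))
    return {"host": m["host"], "ts": ts, "result": m["result"],
            "user": m["user"], "src": m["src"]}


def aggregate(text, offsets):
    """Parse all lines, drop exact duplicates, and sort by corrected timestamp."""
    seen, events = set(), []
    for line in text.splitlines():
        ev = parse(line, offsets)
        if ev is None:
            continue
        key = (ev["host"], ev["ts"], ev["result"], ev["user"], ev["src"])
        if key in seen:
            continue
        seen.add(key)
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(events, threshold=5, window=timedelta(seconds=120), follow=timedelta(seconds=60)):
    """Alert when >= threshold failures from one source inside `window` are followed,
    within `follow` seconds, by an Accepted login from that same source on any host."""
    failures = defaultdict(list)
    alerts = []
    for ev in events:
        if ev["result"] == "Failed":
            failures[ev["src"]].append(ev["ts"])
            continue
        recent = [t for t in failures[ev["src"]] if ev["ts"] - window <= t <= ev["ts"]]
        if len(recent) >= threshold and ev["ts"] - recent[-1] <= follow:
            alerts.append({"src": ev["src"], "user": ev["user"], "host": ev["host"],
                           "failures": len(recent), "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    print("with NTP correction:", correlate(aggregate(RAW_LOGS, CLOCK_OFFSETS)))
    print("without correction: ", correlate(aggregate(RAW_LOGS, {})))
```

Running it with the offsets applied produces one alert for 192.0.2.10; running it with an empty offset table produces none, because the skewed 'app01' clock makes the successful login sort before the failures it followed. That is exactly the ordering failure the Time Synchronization card warns about.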

53
Q

The SIEM system can capture packets and analyze them to identify threats as soon as they reach your network, so that the security team can be alerted immediately.

A

(SIEM System Aspects)

Packet Capture

54
Q

This focuses on a user's identity and the data they normally access in a typical day. It tracks the devices the user normally uses and the servers they normally visit. Looking at the behavior of one person in isolation may not reveal an attack, but applying ___ across the whole company makes it possible to identify potential attackers as they deviate from normal patterns.

A

(SIEM System Aspects)

User Behavior Analysis (UBA)
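As an added example (not part of the original flashcards), the following Python code builds a per-user baseline of devices, servers, and login hours from a constructed history, adds the company-wide context the card mentions (how many users normally touch a given server), and scores new access events by how far they deviate from that baseline. The users, hostnames, timestamps, and scoring weights are hypothetical.

```python
from collections import defaultdict
from datetime import datetime


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed historical access events (user, device, server, timestamp)
# that represent what each user "normally" does; used to learn baselines.
HISTORY = [
    ("alice", "LT-ALICE", "fileshare01", "2024-02-05T09:12:00Z"),
    ("alice", "LT-ALICE", "fileshare01", "2024-02-06T10:40:00Z"),
    ("alice", "LT-ALICE", "crm01",       "2024-02-07T14:05:00Z"),
    ("alice", "LT-ALICE", "crm01",       "2024-02-08T16:30:00Z"),
    ("bob",   "LT-BOB",   "fileshare01", "2024-02-05T08:55:00Z"),
    ("bob",   "LT-BOB",   "build01",     "2024-02-06T11:20:00Z"),
    ("bob",   "LT-BOB",   "build01",     "2024-02-07T17:45:00Z"),
    ("carol", "LT-CAROL", "fileshare01", "2024-02-05T09:30:00Z"),
    ("carol", "LT-CAROL", "crm01",       "2024-02-08T13:10:00Z"),
]


def build_baselines(history):
    """Return per-user sets of devices, servers and login hours, plus the fraction
    of all users who normally access each server (the company-wide view)."""
    per_user = defaultdict(lambda: {"devices": set(), "servers": set(), "hours": set()})
    server_users = defaultdict(set)
    for user, device, server, ts in history:
        per_user[user]["devices"].add(device)
        per_user[user]["servers"].add(server)
        per_user[user]["hours"].add(parse_ts(ts).hour)
        server_users[server].add(user)
    total_users = len(per_user)
    popularity = {s: len(u) / total_users for s, u in server_users.items()}
    return per_user, popularity


def score_event(event, per_user, popularity, rare_threshold=0.5):
    """Score one (user, device, server, timestamp) event: one point per deviation."""
    user, device, server, ts = event
    base = per_user.get(user)
    if base is None:
        return 3, ["user has no baseline"]
    reasons = []
    if device not in base["devices"]:
        reasons.append("new device")
    if server not in base["servers"]:
        reasons.append("new server for this user")
        # Company-wide context: a server few people use is more suspicious.
        if popularity.get(server, 0.0) < rare_threshold:
            reasons.append("server rarely used across the company")
    hours = base["hours"]
    if not (min(hours) - 1 <= parse_ts(ts).hour <= max(hours) + 1):
        reasons.append("outside usual hours")
    return len(reasons), reasons


def rank(events, history=HISTORY):
    """Score every event and return (score, event, reasons) most suspicious first."""
    per_user, popularity = build_baselines(history)
    scored = [(score_event(ev, per_user, popularity), ev) for ev in events]
    return sorted(((s, ev, r) for (s, r), ev in scored), key=lambda t: t[0], reverse=True)


# Constructed new events to evaluate against the baselines.
NEW_EVENTS = [
    ("alice", "LT-ALICE",   "fileshare01", "2024-03-04T10:00:00Z"),  # routine
    ("carol", "LT-CAROL",   "crm01",       "2024-03-04T19:30:00Z"),  # late, but her usual server
    ("alice", "WS-UNKNOWN", "build01",     "2024-03-04T02:30:00Z"),  # new box, unusual server, 02:30
]

if __name__ == "__main__":
    for score, ev, reasons in rank(NEW_EVENTS):
        print(score, ev, reasons)
```

In production the baseline would be learned over weeks rather than nine records, and the hour check would be per weekday, but the shape is the same: the alert comes from the combination of deviations, and the company-wide popularity figure is what separates "alice touched a server she has not used before" from "alice touched a server almost nobody uses".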

55
Q

This is real-time protection and event monitoring that correlates security events from multiple sources, identifies a breach, and helps the security team stop and prevent it.

A

(SIEM System Aspects)

Security Monitoring

56
Q

This is an automated platform that integrates all of your security processes and tools in a central location. Because automated playbooks are faster than humans searching for evidence of attacks, it helps reduce the mean time to detect (MTTD) and accelerates the time to respond to events.

A

Security Orchestration, Automation, and Response (SOAR)

57
Q

This is a proactive process of seeking out cybersecurity threats that are already inside your network, such as attackers and malware that existing controls have not flagged. According to the Security Intelligence website, an average cybercriminal can spend 191 days inside your network before being discovered.

A

Threat hunting