Chapter 5 Security Assessment and Testing

Question 1

What factors determine scan frequency

Answer 1

organizations risk appetite (willingness to tolerate risk)
regulatory requirements (InfoSec is FIMSA, payment card is PCI DSS)
Tech constraints
Business constraints such as periods of high activity
Licensing constraints may curtail bandwidth

Question 2

Scan sensitivity

Answer 2

improve efficiency by disabling unnecessary plugins,

Question 3

What is credentialed scanning

Answer 3

credentialed scanning is a scan in which the scan computer has an account on the computer being scanned.

• allows for more thorough check looking for problems that can’t be seen from the network
• use principle of least privilege by providing scanner a read only account

Question 4

What is agent-based scanning

Answer 4

A scan in which admins install small software agents on target server to scan server configuration, providing an inside out vulnerability scan

Question 5

Scan perspective

Answer 5

External scan run from network shows what an attacker would see
Internal scan run. from general corporate network provides view of what malicious insiders see

Question 6

Scanner Maintenance

Answer 6

Scanners are vulnerable just like any other program, so ensure they are regularly updated and patched

Question 7

SCAP (Security Content Automation Protocol)

Answer 7

Includes CVE and CVSS

others are CCE, CPE, XCCDF and OVAL

Question 8

Infrastructure Vulnerability Scanning

Answer 8

Tenable’s Nessus
Qualys’ (SaaS)
Rapid7 Nexpose
OpenVAS (open source)

Question 9

Application Scanning - what is static testing vs dynamic testing vs interactive testing?

Answer 9

static testing analyzes code without executing it
dynamic testing executes code as part of the test
interactive testing combines the two

Question 10

Web app scanning

Answer 10

Tools like Nikto and Arachni test for web specific vulnerabilities like SQL injection, XSS, and XSRF

Question 11

CVSS

Answer 11

AV - Attack Vector
AC - Attack Complexity
P - Privileges, scope calculation is included here
UI - User Interaction
C - Confidentiality
I - Integrity 
A - Availability
S - Scope (scored in Privilege)

Question 12

Patch Management

Answer 12

Patch management is a CORE PRACTICE of any InfoSec program
it is often neglected due to lack of resources for preventative maintenance. It is common to see out of date product versions of OS or apps

Question 13

Legacy Platforms

Answer 13

Software vendors eventually discontinue support of products. Continuing to run end of life systems is a significant security risk
Upgrade to a currently supported version

Question 14

Weak Configurations

Answer 14

Weak Configuration includes:

• Use of default settings and passwords
• presence of unsecured accounts
• open ports and services not necessary for operation
• open permissions violating the principle of least privilege

Question 15

Error Messages/Debug mode

Answer 15

Many apps support debug mode
can be useful to developers but can assist attackers in gaining info about the system

Developers should test only on dedicated systems and can use debug mode, but public facing systems do NOT need this capability

Question 16

Insecure Protocols

Answer 16

Replace Telnet with SSH
Replace FTP with FTPS or SFTP
Replace HTTP with HTTPS
IMAP to IMAPS
LDAP TO LDAPS
POP to POPS

Question 17

When implementing encryption, you must choose:

Answer 17

the algorithm to use to encrypt and decrypt

the encryption key that will be used with the algorithm

Question 18

Penetration Testing - why do it?

Answer 18

Pen testing provides visibility into the organizations security posture that is not available through other means.

• knowledge not otherwise abtainable
• blueprint for remediation
• essential information on specific attack targets

Question 19

What is the difference between pen testing and threat hunting?

Answer 19

Pen testing tells you how an attacker could potentially get into your environment, threat hunting tells you who is already in your environment and what they are doing

Question 20

Pen test types
what is white box vs black box?
what is gray box?

Answer 20

White box pen testing is performed with full knowledge of technology configuration and settings, it is more complete but may not provide accurate view of what attacker sees
black box test replicate what an attacker encounters
gray box tests are a blend that help focus time and resources while still being accurate

Question 21

Bug bounty

Answer 21

financial incentives for testers who report discovered vulnerabilities

Question 22

Rules of Engagement

Answer 22

ROEs set the parameters of the penetration test

• Timeline of engagement
• locations, systems, applications, etc.
• data handling requirements
• expected target behaviors
• Resources committed to the test
• Legan concerns
• when or how communications will occur
• permission (get out of jail free card) is essential in case pen testing goes bad

Question 23

Reconnaissance

Answer 23

Passive recon (OSINT)
Active recon (footprinting)

war driving/flying uses cars or drones with big antennas attempting to collect wireless communications

Question 24

Pen test key phases

Answer 24

Initial access
privilege escalation
pivoting or lateral movement
persistence (backdoors)

clean up close out all activities after test

Question 25

What is privilege escalation

Answer 25

shift from initial access to advanced privileges

Question 26

training exercises

Answer 26

Red team attacks
blue team defends/responds
white team observes and judges

purple teaming is the process of red and blue working together after exercise to learn from it