Chapter 8 Flashcards

1
Q

Risk

A

Risk is the likelihood that a threat will exploit a vulnerability.

2
Q

vulnerability

A

A vulnerability is a weakness in a system, application, or process.

3
Q

threat

A

A threat is a potential danger that might take advantage of a vulnerability. Threats fall into three categories:
1. Malicious human threats.
2. Accidental human threats.
3. Environmental threats.

4
Q

Evaluating Risk

A
  1. First, we look at the impact of the risk. This is the magnitude of harm that can be caused if a threat exploits a vulnerability.
  2. Second, we look at the likelihood or probability of that risk occurring. This tells us how often we expect a risk to occur, if at all.
5
Q

threat assessment

A

A threat assessment helps an organization identify and categorize threats. It attempts to predict the threats against an organization’s assets, along with the likelihood the threat will occur. Threat assessments also attempt to identify the potential impact from these threats. Once the organization identifies and prioritizes threats, it identifies security controls to protect against the most serious threats.

6
Q

Risk Identification

A

This process looks at information arriving from many different sources and tries to list all of the possible risks that might affect the organization.

7
Q

Risk Types

A
  1. Internal. Internal risks are any risks from within an organization. This includes employees and all the hardware and software used within the organization. Internal risks are generally predictable and can be mitigated with standard security controls.
  2. External. External risks are from outside the organization. This includes any threats from external attackers. It also includes any natural threats, such as hurricanes, earthquakes, and tornadoes. While some external risks are predictable, many are not. Attackers are constantly modifying attack methods and trying to circumvent existing security controls.
  3. Intellectual property theft. Intellectual property (IP) includes things like copyrights, patents, trademarks, and trade secrets. Intellectual property is valuable to an organization, and IP theft represents a significant risk.
  4. Software compliance/licensing. Organizations typically put in a lot of time and effort when developing software. They make their money back by selling the licenses to use the software. However, if individuals or organizations use the software without buying a license, the development company loses money. Similarly, an organization can lose money if it purchases licenses, but doesn’t protect them. Imagine your organization purchased 10 licenses for a software application, but several people used 5 of the licenses without authorization. Later, your supervisor gives you one of the licenses, but the application gives an error saying the license has already been used when you try to use it. In this scenario, the organization loses the cost of five licenses.
  5. Legacy systems and legacy platforms. The primary risk related to legacy systems and platforms is that the vendor doesn’t support them. If vulnerabilities become known, the vendor doesn’t release patches, and anyone using the legacy system or software is at risk.

8
Q

Vulnerabilities

A

A vulnerability is a flaw or weakness in software, hardware, or a process that a threat could exploit, resulting in a security breach. Examples of vulnerabilities include:

  1. Default configurations. Hardening a system includes changing systems from their default hardware and software configurations, including changing default usernames and passwords. If systems aren’t hardened, they are more susceptible to attacks.
  2. Lack of malware protection or updated definitions.
  3. Improper or weak patch management. If systems aren’t kept up to date with patches, hotfixes, and service packs, they are vulnerable to bugs and flaws in the software, OS, or firmware. Attackers can exploit operating systems, applications, and firmware that have known bugs but aren’t patched.
  4. Lack of firewalls. If host-based and network firewalls aren’t enabled or configured properly, systems are more vulnerable to network and Internet-based attacks. Chapter 3, “Exploring Network Technologies and Tools,” covers firewalls in more depth.
  5. Lack of organizational policies. If job rotation, mandatory vacations, and least privilege policies aren’t implemented, an organization may be more susceptible to fraud and collusion from employees.
9
Q

Risk Management

A

Risk management is the practice of identifying, analyzing, monitoring, and limiting risks to a manageable level. It doesn’t eliminate risks but instead identifies methods to limit or mitigate them. There are several basic terms that you should understand related to risk management:

  1. Risk awareness is the acknowledgment that risks exist and must be addressed to mitigate them. Senior personnel need to acknowledge that risks exist. Before they do, they won’t dedicate any resources to manage them.
  2. Inherent risk refers to the risk that exists before controls are in place to manage the risk.
  3. Residual risk is the amount of risk that remains after managing or mitigating risk to an acceptable level. Senior management is ultimately responsible for residual risk, and they are responsible for choosing a level of acceptable risk based on the organization’s goals. They decide what resources (such as money, hardware, and time) to dedicate to manage the risk.
  4. Control risk refers to the risk that exists if in-place controls do not adequately manage risks. Imagine systems have antivirus software installed, but they don’t have a reliable method of keeping it up to date. Additional controls are needed to manage this risk adequately.
10
Q

Risk appetite refers to the amount of risk an organization is willing to accept

A

Organizations with expansionary risk appetites are willing to take on a high level of risk in pursuit of high rewards. For example, they may invest heavily in cutting-edge security technologies or aggressively pursue new business opportunities, even if they come with additional security risks.

Organizations with conservative risk appetites have a preference for low-risk investments and prioritize preserving their current security posture. For example, they may focus on implementing basic security measures or avoiding new technologies that could introduce new security risks.

Organizations with neutral risk appetites take a balanced approach to risk-taking. For example, they may adopt new technologies but with a cautious approach to implementation and invest in additional security measures to manage potential risks.

11
Q

Risk tolerance

A

Risk tolerance is closely related to risk appetite. It refers to the organization’s ability to withstand risk. An organization with more money can withstand more financial risk.

12
Q

risk management strategies

A
  1. Avoidance. An organization can avoid a risk by not providing a service or not participating in a risky activity.
  2. Mitigation. The organization implements controls to reduce risks.
  3. Acceptance. When the cost of a control outweighs the risk, an organization will often accept the risk.
  4. Transference. When an organization transfers the risk to another entity or at least shares the risk with another entity, that is an example of risk transference. The most common method is purchasing insurance. This moves a portion of the financial risk from the organization itself to an insurance company, which will reimburse the organization for costs or damages relating to the risk.
  5. Cybersecurity insurance helps protect businesses and individuals from some of the losses related to cybersecurity incidents such as data breaches and network damage. Traditional insurance policies often exclude cybersecurity risks such as the loss of data or extortion from criminals using ransomware. Organizations purchase cybersecurity insurance to help cover the gaps left by traditional insurance.

Remember This! It is not possible to eliminate risk, but you can take steps to manage it. An organization can avoid a risk by not providing a service or not participating in a risky activity. Insurance transfers the risk to another entity. You can mitigate risk by implementing controls, but when the cost of the controls exceeds the cost of the risk, an organization accepts the remaining, or residual, risk.

13
Q

risk assessment

A

A risk assessment, or risk analysis, is an important task in risk management. It quantifies or qualifies risks based on different values or judgments. Risk assessments may be one-time, or ad hoc, assessments performed to give the organization a point-in-time view of the risk it faces. Organizations may choose to conduct these risk assessments on a recurring basis to reassess risk. For example, the organization might undergo an annual risk assessment exercise.

14
Q

continuous risk assessment

A

Some organizations are moving toward a continuous risk assessment process where risk is constantly re-evaluated and addressed as the business and technical environment changes.

15
Q

asset

A

An asset includes any product, system, resource, or process that an organization values.

16
Q

asset value (AV)

A

The asset value (AV) identifies the value of the asset to the organization. It is normally a specific monetary amount. The asset value helps an organization focus on high-value assets and avoid wasting time on low-value assets.

17
Q

risk control assessment

A

A risk control assessment (sometimes called a risk and control assessment) examines an organization’s known risks and evaluates the effectiveness of in-place controls. If a risk assessment is available, the risk control assessment will use it to identify the known risks. It then focuses on the in-place controls to determine if they adequately mitigate the known risks.

The risk control self-assessment is a risk control assessment, but employees perform it. In contrast, a risk control assessment is performed by a third-party. The danger of doing a self-assessment is that the same employees who installed the controls may be asked to evaluate their effectiveness.

18
Q

Quantitative Risk Assessment

A

A quantitative risk assessment measures risk using a specific monetary amount. This monetary amount makes it easier to prioritize risks. For example, a risk with a potential loss of $30,000 is much more important than a risk with a potential loss of $1,000.

We begin the assessment of an individual risk by identifying two important factors: the asset value (AV) and the exposure factor (EF). Many organizations choose to use the replacement cost of an asset as the AV because that is the cost the organization would incur if a risk materializes. The exposure factor is the portion of an asset that we expect would be damaged if a risk materializes.

19
Q

SLE

A

Single loss expectancy. Next, we calculate the single loss expectancy (SLE) of the risk. The SLE is the cost of any single loss of a specific asset.

20
Q

ARO

A

That brings us to the annualized rate of occurrence (ARO). The ARO indicates how many times the loss will occur in a year. If the ARO is less than 1, the ARO is represented as a percentage. For example, if you expect flooding to occur in the basement once every ten years, the ARO is 10% or 0.1. The ARO is a measure of probability/likelihood.

21
Q

ALE

A

Annualized loss expectancy (ALE).

A quantitative risk assessment uses specific monetary amounts to identify cost and asset values. The SLE identifies each loss’s cost, the ARO identifies the number of events in a typical year, and the ALE identifies the expected annual loss from the risk. You calculate the ALE as SLE × ARO. A qualitative risk assessment uses judgment to categorize risks based on the likelihood of occurrence and impact.

22
Q

qualitative risk assessment

A

A qualitative risk assessment uses judgment to categorize risks based on the likelihood of occurrence (or probability) and impact.

23
Q

Risk Reporting

A

The final phase of the risk assessment is risk reporting. This identifies the risks discovered during the assessment and the recommended controls.

24
Q

Risk Analysis

A

Generically, a risk analysis identifies potential issues that could negatively impact an organization’s goals and objectives.

25
KRIs
Key risk indicators (KRIs) are metrics used to measure and monitor the level of risk associated with a particular activity, process, or system. KRIs provide a way for organizations to proactively identify potential risks and take action to mitigate or manage them before they become significant issues. Examples of KRIs may include measures such as the number of security incidents detected per month, the percentage of overdue security patches, or the average time to detect and respond to a security incident. These metrics can help organizations identify trends, detect potential issues early, and take corrective action to minimize the impact of potential risks.
26
risk register
A risk register is a document or tool that organizations use to identify, assess, and manage risks.
27
Risk matrix
A risk matrix places risks onto a chart of rows and columns, showing probability and impact. As a simple example, it can plot the likelihood of occurrence data against the impact of a risk, as shown in Figure 8.1. A risk register is a comprehensive document listing known information about risks such as the risk owner. It typically includes risk scores along with recommended security controls to reduce the risk scores. A risk matrix plots risks onto a chart.
28
supply chain risks
A supply chain includes all the elements required to produce and sell a product.
29
Checking for Vulnerabilities
Vulnerabilities are weaknesses, and by reducing vulnerabilities, you can reduce risks.
30
vulnerability assessment
The overall goal of a vulnerability assessment is to assess the security posture of systems and networks. Vulnerability assessments identify vulnerabilities or weaknesses within systems, networks, and organizations and are part of an overall risk management plan. A vulnerability assessment typically includes the following steps:
  1. Identify assets and capabilities.
  2. Prioritize assets based on value.
  3. Identify vulnerabilities and prioritize them.
  4. Recommend controls to mitigate serious vulnerabilities.
31
network scanner
A network scanner uses various techniques to gather information about hosts within a network. As an example, Nmap is a popular network scanning tool that can give you a lot of information about hosts within a network. Network scanners typically use the following methods:
  1. ARP ping scan. Any host that receives an ARP packet with its IP address responds with its MAC address. If the host responds, the network scanner knows that a host is operational with that IP address.
  2. SYN stealth scan. A SYN stealth scan is based on the Transmission Control Protocol (TCP) three-way handshake. As a reminder, one host sends out a SYN (synchronize) packet to initiate a TCP session. The other host responds with a SYN/ACK (synchronize/acknowledge) packet. The first host then completes the handshake with an ACK packet to establish the connection. A SYN stealth scan sends a single SYN packet to each IP address in the scan range. If a host responds, the scanner knows that a host is operational with that IP address. However, instead of responding with an ACK packet, the scanner typically sends an RST (reset) response to close the connection.
  3. Port scan. A port scan checks for open ports on a system. Each open port indicates the underlying protocol is running on the system. For example, if port 443 is open, it indicates the host is running HTTPS, meaning it is probably a web server. A port scan typically uses the ports identified as well-known ports by the Internet Assigned Numbers Authority (IANA) and discussed in Appendix D.
  4. Service scan. A service scan is like a port scan, but it goes a step further. A port scan identifies open ports and gives hints about what protocols or services might be running. The service scan verifies the protocol or service. For example, if a port scan identifies port 443 is open, a service scan will send an HTTPS command, such as “GET /.” If HTTPS is running on port 443, it will respond to the GET command, verifying that it is a web server.
  5. OS detection. Operating system (OS) detection techniques analyze packets from an IP address to identify the OS. This is often referred to as TCP/IP fingerprinting. As a simple example, the TCP window size (the size of the receive window in the first packet of a TCP session) is not fixed. Different operating systems use different sizes. Some Linux versions use a size of 5,840 bytes, some Cisco routers use a size of 4,128 bytes, and different Windows versions use sizes of
32
vulnerability scanner
Remember This! A vulnerability scanner can identify vulnerabilities, misconfigured systems, and the lack of security controls such as up-to-date patches. Vulnerability scans may be configured as passive and have little impact on a system during a test. In contrast, a penetration test is intrusive and can potentially compromise a system.

A vulnerability scanner can:
  1. Identify vulnerabilities.
  2. Identify misconfigurations.
  3. Passively test security controls.
  4. Identify lack of security controls.

Vulnerability Classification Standards. Vulnerability scanners utilize a database or dictionary of known vulnerabilities and test systems against this database. The Common Vulnerability Scoring System (CVSS) assesses vulnerabilities and assigns severity scores in a range of 0 to 10, with 10 being the most severe. This helps security professionals prioritize their work in mitigating known vulnerabilities. Other standards used by vulnerability scanners include the Security Content Automation Protocol (SCAP). SCAP is designed to help facilitate communication between vulnerability scanners and other security and management tools.
33
Prioritizing Vulnerabilities
  1. Vulnerability classification. Use an industry-standard classification system to identify the type and severity of a vulnerability. Organizations commonly use the CVSS score for this purpose.
  2. Environmental variables. Every organization is different and operates in a different technical environment. Consider the nature of that environment when prioritizing vulnerabilities.
  3. Industry/organizational impact. Different industries work with different types of data and have different regulations and sensitivities. A vulnerability that is very serious in an online banking environment might be far less worrisome on a system used to monitor water flow.
  4. Risk tolerance/threshold. Organizations need to decide what level of risk a vulnerability must rise to before they will address it. It’s unlikely that you will be able to address every vulnerability that exists, so you must use a threshold to determine those that require attention.
34
Analyzing Vulnerability Scan Output
A vulnerability scan report typically includes:
  1. A list of hosts that it discovered and scanned
  2. A detailed list of applications running on each host
  3. A detailed list of open ports and services found on each host
  4. A list of vulnerabilities discovered on any of the scanned hosts
  5. Recommendations to resolve any of the discovered
35
Confirmation of Scan Results
Remember This! A false positive from a vulnerability scan indicates that a scan detected a vulnerability, but the vulnerability doesn’t exist. Credentialed scans run under the context of a valid account and can get more detailed information on targets, such as the software versions of installed applications. They are typically more accurate than non-credentialed scans and result in fewer false positives.

  1. False positive. A scan may indicate a system has a known vulnerability, but the report is false.
  2. False negative. A vulnerability exists, but the scanner doesn’t detect it.
  3. True positive. A true positive indicates that the vulnerability scanner correctly identified a vulnerability.
  4. True negative. A true negative indicates that a system doesn’t have a vulnerability, and the vulnerability scanner did not report the vulnerability.
36
credentialed scans
Vulnerability scanners can run as a credentialed scan using an account’s credentials, often with the privileges of an administrator account.
37
non-credentialed scan
Security administrators often run credentialed scans with the privileges of an administrator account. This allows the scan to check security issues at a much deeper level than a non-credentialed scan.
38
Penetration testing
Penetration testing actively assesses deployed security controls within a system or network. It starts with reconnaissance to learn about the target but takes it a step further and tries to exploit vulnerabilities by simulating or performing an attack. There are four major categories of penetration test:
  1. Physical Penetration Testing: This type of testing evaluates the physical security of an organization. It involves attempting to gain unauthorized access to physical spaces, such as buildings, data centers, or other secure areas. Physical penetration testing may involve tactics such as social engineering, lock picking, or physical bypassing of security measures. The goal is to identify weaknesses in physical security controls that could be exploited by attackers.
  2. Offensive Penetration Testing: This type of testing involves simulating a real-world attack on an organization’s network, systems, or applications. It is carried out from the perspective of an attacker and seeks to identify vulnerabilities that could be exploited to gain unauthorized access or cause damage to the organization.
  3. Defensive Penetration Testing: This type of testing involves evaluating an organization’s security controls to identify areas where they may be vulnerable to attack. The goal is to identify weaknesses in security controls before they can be exploited by attackers. Defensive penetration testing may include tactics such as firewall rule analysis, configuration reviews, or penetration testing of web applications.
  4. Integrated Penetration Testing: This type of testing combines elements of physical, offensive, and defensive testing to provide a comprehensive evaluation of an organization’s security posture. It involves simulating a real-world attack on an organization’s physical and digital assets to identify vulnerabilities that could be exploited by attackers. Integrated penetration testing is typically conducted by a team of experts who have expertise in physical security, network security, and application security.
39
rules of engagement
It’s important to obtain authorization before beginning any vulnerability or penetration testing. This authorization outlines the rules of engagement, or the boundaries of the tests. If testing results in an outage even though the testers followed the engagement rules, repercussions are less likely. In most cases, this consent is in writing. If it isn’t in writing, many security professionals won’t perform any testing. A penetration test without consent is an attack, and an organization may perceive a well-meaning administrator doing an unauthorized penetration test as an attacker.
40
Reconnaissance (sometimes called footprinting)
Penetration testers use a variety of methods for reconnaissance (sometimes called footprinting). During the reconnaissance phase, the penetration tester (or attacker) attempts to learn as much as possible about a network. Testers use both passive reconnaissance and active network reconnaissance and discovery when gathering information on targets.
41
Passive and Active Reconnaissance
Passive reconnaissance collects information about a targeted system, network, or organization using open-source intelligence (OSINT). This includes viewing social media sources about the target, news reports, and even the organization’s website. If the organization has wireless networks, it could include passively collecting information from the network, such as network SSIDs. Note that because passive reconnaissance doesn’t engage a target, it isn’t illegal. Active reconnaissance methods use tools to engage targets. The next section describes many tools used to gather information about networks using active reconnaissance methods.
42
Network reconnaissance and discovery
Network reconnaissance and discovery methods use tools to send data to systems and analyze the responses. This phase typically starts by using various scanning tools such as network scanners and vulnerability scanners. It’s important to realize that network reconnaissance engages targets and is almost always illegal. It should never be started without first getting explicit authorization to do so. Common tools include:
  1. IP scanner. An IP scanner (sometimes called a ping scanner) searches a network for active IP addresses. It typically sends an Internet Control Message Protocol (ICMP) ping to a range of IP addresses in a network. If the host responds, the network scanner knows there is a host operational with that IP address. A problem with ping scans is that firewalls often block ICMP, so the scan may give inconsistent results.
  2. Nmap. Nmap is a network scanner that you can run from the command prompt. It includes many capabilities, including identifying all the active hosts on a network, their IP addresses, the protocols and services
  3. Netcat. Netcat (nc) is a command-line tool that administrators often use for remotely accessing Linux systems. Testers often use it for banner grabbing, a technique used to gain information about remote systems. Banner grabbing will identify the target’s operating system along with information about some applications. It can also be used to transfer files and check for open ports.
  4. Scanless. Penetration testers often use scanless, a Python-based command-line utility, to perform port scans. A benefit is that scanless uses an online website (with or without the website owner’s permission) to perform the scans so that the scans don’t come from the tester’s IP address. Instead, they appear to originate from the website’s IP address.
  5. Dnsenum. The dnsenum command will enumerate (or list) Domain Name System (DNS) records for domains. It lists the DNS servers holding the records and identifies the mail servers (if they exist) by listing the MX records. Next, it attempts to do an AXFR transfer to download all DNS records from the DNS servers holding the records. However, unauthenticated AXFR transfers are usually blocked on DNS servers, so the AXFR requests will normally fail.
  6. Nessus. Nessus is a vulnerability scanner developed by Tenable Network Security. It uses plug-ins to perform various scans against systems and is often used for configuration reviews. AutoNessus is a free tool that can be used to automate Nessus scans.
  7. hping. You can use the hping utility to send pings using TCP, UDP, or ICMP. You can also use it to scan remote systems for open ports.
  8. Sn1per. Sn1per is a robust automated scanner used for vulnerability assessments and to gather information on targets during penetration testing. It combines the features of many common tools into a single application. It comes in two editions: Community and Professional. The Community edition performs vulnerability assessments, listing all discovered vulnerabilities and detailed information on the targets. The Professional edition also includes the ability to exploit the vulnerabilities.
  9. cURL. The Client URL command (cURL) is used to transfer and retrieve data to and from servers, such as web servers. The Uniform Resource Locator (URL) is the address of a webpage. Penetration testers can use scripts to identify all of the URLs of a website and then use cURL to retrieve all of the pages. Most websites prevent unauthorized personnel from posting data to them, but blocking cURL requests isn’t as easy.
43
Footprinting Versus Fingerprinting
Penetration testers often combine footprinting with fingerprinting techniques to identify targets. Network footprinting provides a big-picture view of a network, including the Internet Protocol (IP) addresses active on a target network. Fingerprinting then homes in on individual systems to provide details of each. This is similar to how fingerprints identify an individual. Operating system fingerprinting identifies the operating system. For example, is this a Linux system or a Windows system?
44
Initial Exploitation
After scanning the target, testers discover vulnerabilities. They then take it further and look for a vulnerability they can exploit. For example, a vulnerability scan may discover that a system doesn’t have a patch installed for a known vulnerability. The vulnerability allows attackers (and testers) to remotely access the system and install malware.
45
Persistence
Persistence is an attacker’s ability to maintain a presence in a network for weeks, months, or even years without being detected. Penetration testers use similar techniques to maintain persistence within a network. A common technique used to maintain persistence is to create a backdoor into the network.
46
Lateral Movement
Lateral movement refers to the way attackers maneuver throughout a network.
47
Privilege Escalation
Penetration testers also use privilege escalation tactics that attackers often use. The “One Click Lets Them In” section discusses how advanced persistent threats (APTs) often use remote access Trojans (RATs) to gain access to a single system. Attackers trick a user into clicking a malicious link, which gives them access to a single computer. Attackers then use various techniques to scan the network looking for vulnerabilities.
48
Pivoting
Pivoting is the process of using various tools to gain access to additional systems on a network after an initial compromise. After exploiting a system, penetration testers use privilege escalation techniques to gain more access to target systems. Pivoting is the process of using an exploited system to target other systems.
49
Known, Unknown, and Partially Known Testing Environments
Remember This! Unknown environment testers have zero prior knowledge of a system prior to a penetration test. Known environment testers have full knowledge of the environment, and partially known environment testers have some knowledge.
50
Cleanup
Cleanup includes removing all traces of the penetration tester’s activities. Of course, this is dependent on what the penetration tester did during the test and the rules of engagement. Cleanup activities include:
1. Removing any user accounts created on systems in the network
2. Removing any scripts or applications added or installed on systems
3. Removing any files, such as logs or temporary files, created on systems
4. Reconfiguring all settings modified by testers during the penetration test
Source: Shelley, Joe; Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-701 Study Guide (p. 412). Certification Experts, LLC. Kindle Edition.
51
Responsible Disclosure Programs
Responsible disclosure (RD) programs for vulnerabilities enable individuals and organizations to report security vulnerabilities or weaknesses they have discovered to the appropriate parties. The goal of responsible disclosure is to allow security issues to be addressed before they are exploited by attackers, ultimately improving overall security for everyone.
52
Bug bounty
Bug bounty programs are a type of responsible disclosure program that incentivizes individuals or organizations to report vulnerabilities by offering monetary or other rewards for valid submissions.
53
System and Process Audits
System and process audits are important tools for assessing an organization’s compliance with industry standards, best practices, and internal policies. Audits typically involve a review of an organization’s systems, processes, and procedures to identify areas of non-compliance, inefficiencies, or areas of potential risk.
54
Intrusive Versus Non-Intrusive Testing
Scans can be either intrusive or non-intrusive. You can also think of these terms as invasive and non-invasive, respectively. Tools using intrusive methods can potentially disrupt the operations of a system. In contrast, tools using non-intrusive methods will not compromise a system. These terms also apply to penetration testing (intrusive) and vulnerability scanning (non-intrusive). Vulnerability scans are generally non-intrusive and less invasive than penetration tests. Standard scans do not attempt to exploit a vulnerability.
55
Responding to Vulnerabilities
1. The most common method for resolving a vulnerability is patching the affected system.
2. Deploy a compensating control.
3. Use segmentation to place the system on an isolated network.
4. Grant an exception or exemption to security policy that allows the system to continue operating.
56
Validation of Remediation
After remediating a vulnerability, you’ll want to confirm that your corrective measures are working properly and that the vulnerability no longer exists. The first thing you should do is rescan the affected system and verify that the vulnerability no longer exists. You may then update your vulnerability reporting to communicate to stakeholders that the vulnerability was addressed.
57
Capturing Network Traffic: Packet Capture and Replay
Packet capture refers to capturing network packets transmitted over a network, and packet replay refers to sending packets back out over the network. You can capture packets using a protocol analyzer, which is sometimes called sniffing or using a sniffer. Protocol analyzers provide administrators and attackers with the ability to analyze and modify packet headers and their payloads. They typically modify them before sending them back out as a packet replay. Wireshark is a free protocol analyzer that you can download from the Wireshark website: https://www.wireshark.org/
Remember This! Administrators use a protocol analyzer to capture, display, and analyze packets sent over a network. It is useful when troubleshooting communication problems between systems. It is also useful to detect attacks that manipulate or fragment packets.
58
Tcpreplay and Tcpdump
Tcpreplay is a suite of utilities used to edit packet captures and then send the edited packets over the network. It includes tcpreplay, tcpprep, tcprewrite, and more. It is often used for testing network devices. The tcpdump command is a command-line protocol analyzer. It allows you to capture packets like you can with Wireshark. The difference is that Wireshark is a Windows-based tool and tcpdump is executed from the command line. Many administrators use tcpdump to capture the packets and later use Wireshark to analyze the packet capture.
59
NetFlow
NetFlow is a feature available on many routers and switches that can collect IP traffic statistics and send them to a NetFlow collector. The NetFlow collector receives the data and stores it, and analysis software on the NetFlow collector allows administrators to view and analyze the network activity.
60
framework
A framework is a structure used to provide a foundation. Cybersecurity frameworks typically use a structure of basic concepts, and they provide guidance to professionals on how to implement security in various systems. There are multiple frameworks available that describe best practices and provide instructions on how to secure systems.
61
ISO Standards
The International Organization for Standardization (ISO) is an independent organization that establishes standards. They develop standards for a wide variety of industrial and commercial applications, and some directly address cybersecurity topics. However, these documents are not available for free but must be purchased online. In contrast, documents created by NIST are all free to download and use. The following list shows some standards relevant to cybersecurity.
62
attestation
The outcome of an audit is an attestation made by the auditor. This is a formal statement that specific security controls and processes are in place and operating effectively within an organization. This is a significant statement, as the audit firm is putting their reputation on the line.