Important chapters 1, 2, 4, 5 (except DNS) Flashcards
What is an enterprise security assessment (why, and goal)?
Why?
To assess the security policies, procedures and guidelines in the organization
To discover vulnerabilities and risks that exist within the organization
Goal
Ensure that effective security controls are integrated into the systems of the organization
Name the 3 parts of an enterprise security assessment and describe them
Vulnerability testing
Focus on finding vulnerabilities and flaws in the target system
No exploitation of flaws in the system
Usually includes policy and procedure reviews
Pen testing
Focus on gaining access to the system and obtaining information from it
Security audit
Assess security risks in organization
Compares the countermeasures to those risks against a set of standards
Example: CIS benchmarks
Reveals weaknesses in systems, practices and other key areas
Describe the ___ triangle
Security, functionality and ease of use triangle
Need to balance the 3 factors, as a change in one factor can impact the other 2
Purpose of penetration testing
See the system from a hacker's point of view
Use pen testing tools for defensive purposes
Test systems for vulnerabilities and openings in the system that can be exploited
Help find mistakes that other approaches miss
Fewer in-depth interviews, more scope checks and debriefs
Propose countermeasures
Penetration testing types
White box
Jump right into the attack phase
All information about the system and network architecture is given
Saves expense and time compared to black box testing
Gray box
Test and conduct the security evaluation internally to determine the extent of access available to users
Simulate an attack from the inside
Test level of access by employees, contractors
Black box
No information about system or infrastructure
Simulate a real attack from the outside
Tester has to determine system configurations and locations
More time is spent on information gathering
Pen testing steps
Preparation
Formal agreement about the full scope of the test
Type of test and types of attacks to be performed on the target
Conducting evaluation
Conduct the actual security evaluation on the target
Prepare findings
Conclusion
Present findings and propose countermeasures
Performing pen testing
Pen testing does not fix vulnerabilities or implement countermeasures
Deliverables of pen testing are:
Findings of test
Analysis of associated risks
Logs, screenshots and hacking tool outputs
Describe each phase of penetration testing and the tools used in each
Recon
Scanning
Gain access
Maintain access
Covering tracks
Describe passive info gathering
Gain information about the target by using mainly publicly available information
Focuses on collecting information from systems that are not on the target network
Information sources include, for example, the company website, company literature and partner sites
Very difficult to defend against
Types of information gained include, e.g., staff names, location of offices and system architecture (e.g. the firewall and IDS in use)
Could be used for social engineering
What is footprinting
Process of creating a map of the target's systems and network
Determine the target systems, applications and physical location
Look for information related to network architecture, applications and servers
Part of the preparatory attack phase, where information is gathered such as:
Remote access
Ports and services
Security mechanisms
Tools include Sam Spade, domain lookups, nslookup, search engines and the whois database
What are whois lookup and reverse lookup?
Gains information such as technical, administrative and billing contacts, telephone numbers and email addresses, domain name servers and other juicy information
Identifies who registered for the domain name used for websites or emails
Kali Linux has whois built in
Reverse lookup: run the whois command with an IP address as input instead of the domain name; it returns the IP address range that belongs to the company
What is whois?
ICANN requires that every domain name be registered
Ensures that a single organization has only one domain name
The domain registrar submits the contact information of the individual or organization that holds the domain registration
Each registrar maintains its own whois database
Central whois database is managed by InterNIC
Google hacking
Google aggressively crawls websites for information
Misconfigurations in the web server (e.g. directory indexing enabled) can result in exposure of sensitive information
Can be used in creative ways to gather info
Google hacking search operators
Operators include (mnemonic: SICILF):
site: searches only the specified site
inurl: searches for URLs that contain specific words
intitle: searches for words contained in page titles
filetype: searches for specific file types
cache: shows the cached version of the web page
link: searches within hyperlinks for a specific term
Describe active info gathering
Gain information about the target through more intrusive methods such as social engineering, onsite visits and interviews
Actively interacting with the target
Might show up in intrusion logs
Example: pose as a user on a website
Does not involve hacking the system; may involve social engineering