Lesson 3: Performing Security Assessments Flashcards
During a penetration test, systems administrators for a large company are tasked to play on the white team for an affiliated company. Examine each of the following roles and determine which role the systems admins will fill.
A. The systems admins will arbitrate the exercise, setting rules of engagement and guidance.
B. The systems admins will try to infiltrate the target system.
C. The systems admins will operate monitoring and alerting controls to detect and prevent the infiltration.
D. The systems admins will collaborate with attackers and defenders to promote constructive developments.
A
A white team sets the rules of engagement and monitors the exercise, providing arbitration and guidance and, if necessary, halting the exercise. If the red team is a third party, the white team will include a representative of the consultancy company.
Red team acts offensively
Blue team performs the defensive role
In a purple team exercise, the red and blue teams meet for regular debriefs while the exercise is ongoing
A manufacturing company hires a pentesting firm to uncover any vulnerabilities in their network with the understanding that the pen tester receives no information about the company’s system. Which of the following penetration testing strategies is the manufacturing company requesting?
A. Black box
B. Sandbox
C. Gray box
D. White box
A
Black box (or blind) is when the pen tester receives no privileged information about the network and its security systems. Black box tests are useful for simulating the behavior of an external threat.
An IT director reads about a new form of malware that targets a system widely utilized in the company’s network. The director wants to discover whether the network has been targeted, but also wants to conduct the scan without disrupting company operations or tipping off potential attackers to the investigation. Evaluate vulnerability scanning techniques and determine the best tool for the investigation.
A. Credentialed scan
B. Configuration review
C. Penetration testing
D. Threat hunting
D
Where a pen test attempts to demonstrate a system’s weakness or achieve intrusion, threat hunting is based only on analysis of data within the system. It is potentially less disruptive than pen testing.
In which of these situations might a non-credentialed vulnerability scan be more advantageous than a credentialed scan? (Select all that apply.)
A. When active scanning poses no risk to system stability
B. External assessments of a network perimeter
C. Detection of security setting misconfiguration
D. Web application scanning
B, D
Non-credentialed scanning is often the most appropriate technique for external assessment of the network perimeter or when performing web application scanning.
A non-credentialed scan proceeds by directing test packets at a host without being able to log on to the OS or application. A non-credentialed scan provides a view of what the host exposes to an unprivileged user on the network.
Which statement best explains the differences between black box, white box, and gray box attack profiles used in penetration testing?
A. A black box pen tester acts as a privileged insider and must perform no reconnaissance. A white box pen tester has no access, and reconnaissance is necessary. A gray box actor is a third-party actor who mediates between a black box and white box pen tester.
B. A black box pen tester acts as the adversary in the test, while the white box pen tester acts in a defensive role. A gray box pen tester is a third-party actor who mediates between a black box pen tester and a white box pen tester.
C. In a black box pen test, the contractor receives no privileged information, so they must perform reconnaissance. In contrast, a white box pen tester has complete access and skips reconnaissance. A gray box tester has some, but not all information, and requires partial reconnaissance.
D. In a white box pen test, the contractor receives no privileged information, so they must perform reconnaissance. In contrast, a black box pen tester has complete access and skips reconnaissance. A gray box tester has some, but not all information, and requires partial reconnaissance.
C
A black box penetration tester receives no privileged information, while a white box tester has complete access. A white box test may follow up on a black box test.
In a black box pen test, the consultant receives no privileged information about the network and its security systems. A gray box pen tester has partial access and must perform some reconnaissance.
A red team performs an offensive role to try to infiltrate the target. A blue team defends a target system by operating monitoring and alerting controls to detect and prevent the infiltration.
White box tests are useful for simulating the behavior of a privileged insider threat. Gray box tests are useful for simulating the behavior of an unprivileged insider threat.
A network manager needs a map of the network’s topology. The network manager is using Network Mapper (Nmap) and will obtain the visual map with the Zenmap tool. If the target IP address is 192.168.1.1, determine the command within Nmap that will return the necessary data to build the visual map of the network topology.
A. nmap -sn --ipconfig 192.168.1.1
B. nmap -sn --ifconfig 192.168.1.1
C. nmap -sn --traceroute 192.168.1.1
D. nmap -sn --nslookup 192.168.1.1
C
The traceroute option is used to probe a path from one end system to another, and lists the intermediate systems providing the link. Nmap combined with the Zenmap tool gives a visual map of the network topology.
A system administrator must scan the company’s web-based application to identify which ports are open and which operating system can be seen from the outside world. Determine the syntax that should be used to yield the desired information if the administrator will be executing this task from a Linux command line.
A. netstat -a
B. nmap -O webapp.company.com
C. nmap -sS 10.1.0.0/24
D. netstat -n
B
The correct syntax is nmap -O webapp.company.com. When the -O switch is used with nmap, it displays open ports and running software, but does not show the version.
The netstat command checks the state of ports on the local machine. In Linux, the -a switch displays ports in the listening state; it does not enable software and version detection.
Using nmap -sS 10.1.0.0/24 is a fast technique also referred to as half-open scanning, as the scanning host requests a connection without acknowledging it.
Netstat shows the state of TCP/UDP ports on the local machine. Netstat -n suppresses name resolution, so host IP addresses and numeric ports are shown in the output.
Select the appropriate methods for packet capture. (Select all that apply.)
A. Wireshark
B. Packet analyzer
C. Packet injection
D. tcpdump
A, D
Wireshark and tcpdump are packet sniffers. A sniffer is a tool that captures packets, or frames, moving over a network.
Wireshark is an open source graphical packet capture and analysis utility. Wireshark works with most operating systems, whereas tcpdump is a command line packet capture utility for Linux.
Which of the following statements summarizes a disadvantage to performing an active vulnerability scan? (Select all that apply.)
A. Active scanning consumes more network bandwidth.
B. Active scanning runs the risk of causing an outage.
C. Active scanning may fail to identify all of a system’s known vulnerabilities.
D. Active scanning techniques do not use system login.
A, B
Scan intrusiveness is a measure of how much the scanner interacts with the target. Active scanning consumes more network bandwidth than passive scanning.
Active scanning means probing the device’s configuration using some type of network connection with the target. This type of scanning runs the risk of crashing the target of the scan or causing some other sort of outage.
A hacker set up a Command and Control network to control a compromised host. What is the ability of the hacker to use this remote connection method as needed known as?
A. Weaponization
B. Persistence
C. Reconnaissance
D. Pivoting
B
Persistence refers to the hacker’s ability to reconnect to the compromised host and use it as a Remote Access Tool (RAT) or backdoor. To do this, the hacker must establish a Command and Control (C2 or C&C) network.
Analyze and eliminate the item that is NOT an example of a reconnaissance technique.
A. Initial exploitation
B. Open Source Intelligence (OSINT)
C. Social engineering
D. Scanning
A
The initial exploitation phase (also referred to as weaponization) is not a reconnaissance technique. It is an exploit that is used to gain some sort of access to the target’s network.
Compare and contrast vulnerability scanning and penetration testing. Select the true statement from the following options.
A. Vulnerability scanning is conducted by a “white hat” and penetration testing is carried out by a “black hat.”
B. Vulnerability scanning by eavesdropping is passive, while penetration testing with credentials is active.
C. Penetration testing and vulnerability scanning are considered “black hat” practices.
D. Vulnerability scanning is part of network reconnaissance, but penetration testing is not.
B
Vulnerability scanning and penetration testing can use passive or active reconnaissance techniques. A passive approach tries to discover issues without causing an impact to systems, whereas an active approach may cause instability on a scanned system.
Select the statement which best describes the difference between a zero-day vulnerability and a legacy platform vulnerability.
A. A legacy platform vulnerability is unpatchable, while a zero-day vulnerability may be exploited before a developer can create a patch for it.
B. A zero-day vulnerability is unpatchable, while a legacy platform vulnerability can be patched, once detected.
C. A zero-day vulnerability can be mitigated by responsible patch management, while a legacy platform vulnerability cannot be patched.
D. A legacy platform vulnerability can be mitigated by responsible patch management, while a zero-day vulnerability does not yet have a patch solution.
A
A zero-day vulnerability is exploited before the developer knows about it or can release a patch. These can be extremely destructive, as it can take the vendor some time to develop a patch, leaving systems vulnerable in the interim.
A legacy platform is no longer supported with security patches by its developer or vendor. By definition, legacy platforms are not patchable.
A network administrator uses two different automated vulnerability scanners. They regularly update with the latest vulnerability feeds. If the system regularly performs active scans, what type of error is the system most likely to make?
A. False positive
B. False negative
C. Validation error
D. Configuration error
A
A false positive is something that is identified by a scanner or other assessment tool as being a vulnerability, when in fact it is not.
False negatives are potential vulnerabilities that are not identified in a scan. This risk can be mitigated somewhat by running repeat scans periodically and by using scanners from more than one vendor.
Encryption vulnerabilities allow unauthorized access to protected data. Which component is subject to brute-force enumeration?
A. An unsecured protocol
B. A software vulnerability
C. A weak cipher
D. A lost decryption key
C
Weak encryption vulnerabilities allow unauthorized access to data. An algorithm or cipher used for encryption has known weaknesses that allow brute-force enumeration.