Lesson 3 Security Assessments Flashcards

1
Q

Tools for footprinting the network and detecting rogue systems

A

ipconfig, ifconfig, ip
report the local IP configuration

ping
test connectivity with a host
use a ping sweep to detect live hosts on a subnet

arp
Address Resolution Protocol
shows IP-to-MAC mappings
detect spoofing (validate the MAC of the gateway)

2
Q

Tools for understanding routing

A

route
shows the local routing table
identify default route and local subnet
check for suspicious entries

tracert/traceroute
test path to a remote host

pathping/mtr
measure latency

3
Q

IP Scanner tool

A

nmap (network mapper)
host discovery
- test whether hosts in an IP range respond to probes

port scan
- test whether TCP or UDP ports allow connections

4
Q

Service Discovery tool

A

nmap -A
Service discovery
- scan custom TCP/UDP port ranges

Service and version detection

  • fingerprint each port
  • protocol
  • application version
  • OS type
  • device type
5
Q

Local host and hostname resolution tools

A

netstat

  • reports port status on the local machine
  • can filter by protocol
  • shows the process IDs that opened each port

nslookup

  • query name servers
  • zone transfers
6
Q

Other reconnaissance/discovery tools

A

theHarvester - collate OSINT

dnsenum - collate DNS hosting info and name records

scanless - collate results from third-party scanning sites

curl - craft and submit protocol requests

Nessus - perform automated vulnerability scanning

7
Q

Capturing traffic on the network tools

A

Sniffer tools

  • software that interacts with the host's network driver
  • SPAN (switched port analyzer) mirrored ports
  • TAP (test access port) to read frames directly from the network media

tcpdump

  • attaches to a traffic interface, such as eth0
  • writes captures to a pcap file
  • reads from a pcap file
  • supports capture filters
8
Q

Network task tool

A

netcat

  • port scanning and fingerprinting
  • command prompt listener on a given port
  • file transfer over a given port
9
Q

Software vulnerabilities and patching

A
Exploits for faults in software code
Applications
- various impacts and exploit scenarios
- client vs server apps
OS
- attacker can gain high-level privileges and change system-level files
Firmware
- IoT devices can be hacked
Weak patching process/management
- unknown assets on the network
- failed updates or removed patches
10
Q

zero-day vulnerabilities

A

New vulnerability, unknown to the vendor
Cannot be patched; no fix is known for the given attack
Used against high-value targets

11
Q

Legacy platform vulnerabilities

A

No more patches are released to defend older systems/devices

Usually isolated from the rest of the network through ACLs, limiting who can access the device

12
Q

Weak host configs vulnerabilities

A

Using default settings, so credentials are easy to obtain
Unsecured root accounts
Open permissions

All allow a threat actor to gain significant control of the network and its devices to carry out attacks

13
Q

Weak Network Configurations Vulnerabilities

A

Open ports and services
Unsecure protocols
Weak encryption
Errors - messages that reveal too much information about the system

14
Q

Vulnerability impacts

A
Data breach
Data exfiltration
Identity theft
Data loss and availability impacts
Financial
Reputation impacts
15
Q

third party risks

A
Supply chain
Vendor management
Outsourced code development
Data storage
Cloud-based vs on-premises risks
16
Q

Vulnerability Scan Types

A

Automated scanners - use a list of known vulnerabilities

Network vulnerability scanner

  • configured with tests for network hosts
  • focus is mostly the OS, with some server applications

Application and web app scanners
- configured with application-specific tests

17
Q

Common Vulnerabilities information sources used as feeds

A

SCAP - Security Content Automation Protocol

  • mechanism for updating the scanner via a feed
  • common identifiers

CVE - Common Vulnerabilities and Exposures
- database of vulnerability information, accessible from a web service

CVSS - Common Vulnerability Scoring System
- scores vulnerabilities by their possible impact on systems

18
Q

Intrusive Scanning vs Non-Intrusive Scanning

A

Intrusive scanning

  • actively uses real exploits to confirm a vulnerability
  • more likely to crash the system
  • more accurate findings
  • fewer false positives

Non-Intrusive scanning

  • passive, no exploits performed
  • only sniffs traffic
  • low impact, low interaction with hosts
  • less likely to crash the system
  • less accurate findings
  • more false positives
19
Q

Credentialed vs Non-Credentialed Vulnerability Scanning

A

Credentialed

  • uses a valid account on the system
  • low volume of data
  • low impact on the system
  • more accurate
  • fewer false positives
  • point of view is that of an insider
  • can see system processes and application versions

Non-Credentialed

  • no access to the system, no credentials
  • probes the system for its configuration
  • high volume of network traffic
  • less accurate
  • more false positives
  • point of view is that of an outsider
  • may crash older systems
20
Q

Config Review findings showing Vulnerabilities

A

Lack of controls - security controls missing or not functional

Misconfiguration

Driven by templates of configuration settings

  • OVAL - Open Vulnerability and Assessment Language
  • XCCDF - Extensible Configuration Checklist Description Format
21
Q

Threat Hunting

A

Use logs and threat data to search for indicators of compromise (IoCs)

Review advisories and bulletins

Take care not to tip off attackers, in order to keep the positional advantage

22
Q

Pen testing/ethical hacking for improved system robustness

Pen Testing Steps

A

Steps:

  1. Verify threats and threat vectors
  2. Bypass security controls - shows lack of controls
  3. Actively test security controls - shows weakness of controls
  4. Exploit Vulnerabilities to prove threat exists

Employs active and highly intrusive techniques

23
Q

Pen Testing attack profile

A

black box - unknown environment
white box - known environment
gray box - partially known environment

24
Q

Pen testing exercise types

A

Teams perform actions according to their color
Red - offensive/attacker
Blue - defensive
White - sets the rules of engagement and monitors the event
Purple - red and blue share information/collaborate

25
Q

Pen tester passive and active reconnaissance

A
Pen testing follows the kill chain attack life cycle
Passive - does not alert the target
Active - detectable by the target

Techniques:
- OSINT (Open Source Intelligence)
- Social engineering
- Footprinting
- War driving
- UAV/war flying
26
Q

Pen test Attack Life Cycle

A

persistence
- able to reconnect to the attacked system

privilege escalation
- higher permissions for actions

lateral movement
- move to another host

pivoting
- ability to bypass a network boundary

actions/objectives
- exfiltrate (steal) data

cleanup
- remove evidence of the attack