Penetration Testing & Vulnerability Scanning Flashcards

1
Q

What is a penetration test?

A

A penetration test (also known as a pen test) reveals security weaknesses through real-world attacks. Results from the test can help an organization better understand its security systems, prioritize risks, and identify areas for improvement. These tests are active evaluations.

2
Q

What is the difference between a vulnerability scan and a penetration test?

A

Vulnerability scanning is only intended to programmatically identify vulnerabilities. A penetration test goes further and exploits the vulnerabilities to gain access. Both carry some risk to an organization, but penetration tests carry more risk and should only be conducted within a defined program of governance with senior management.

3
Q

Testing methodology: What is a black box test?

A

A black box test is one where the tester has no knowledge of the inner workings of the system or its source code. The application is tested purely for its functionality, from the outside.

4
Q

Testing methodology: What is a white box test?

A

A white box test is one where the tester has knowledge of the inner workings of the system or its source code. This test is more transparent and efficient, as well as more cost-effective. It is the more common type of test and is sometimes called a clear box or glass box test.

5
Q

Testing methodology: What is a gray box test?

A

Gray box testing combines black and white box testing. The tester has some understanding or limited knowledge of the inner workings.

6
Q

What are the components of a penetration test?

A
  1. Verify that a threat exists (understand the threat and its extent)
  2. Bypass security controls (mimic real world attacker)
  3. Actively test security controls (active techniques seek to identify if controls are properly implemented)
  4. Exploit the vulnerability (the resulting exploit verifies the vulnerability and should lead to mitigation techniques and controls)
7
Q

What are the four primary phases of a penetration test?

A
  1. Planning - Provide clarity with the plan and goals. It’s important to have a documented plan that includes rules and expectations.
  2. Discovery - Includes information gathering & scanning and vulnerability analysis.
  3. Attack - Initial exploitation, escalation of privilege, pivoting, persistence.
  4. Reporting - After testing, a comprehensive report should be delivered that at least includes the vulnerabilities identified, the actions taken and their results, mitigation techniques, and some form of quantification of the risk.
8
Q

What does a vulnerability scan do?

A

It identifies vulnerabilities, misconfigurations, and a lack of security controls. The results of a scan should be organized based on the relative security and value associated with each identified threat. The organization can then prioritize which vulnerabilities to address first.
Interpreting the results leads to one of three approaches: do nothing, as no risk was found; fix or eliminate the vulnerability; or accept the security gap and implement mitigating controls.

9
Q

What are the three goals of a comprehensive vulnerability scan?

A
  1. Identify vulnerabilities
  2. Identify common misconfigurations
  3. Identify a lack of security controls
10
Q

How does a vulnerability scanner work?

A

A vulnerability scanner is a software utility that scans a range of IP addresses and tests for known vulnerabilities in software configuration and accessible services. It relies on a database of known vulnerabilities.

11
Q

What is the difference between intrusive and non-intrusive scan?

A

Intrusive scans go a step further and verify that vulnerabilities are real by attempting to exploit them. Non-intrusive scans only detect and report, which helps organizations avoid disruptions caused by the vulnerability assessment itself.

12
Q

What is the difference between credentialed and non-credentialed scans?

A

Non-credentialed scans are less invasive and provide an outsider's point of view. Credentialed scans obtain more information, resulting in a more complete picture of vulnerability status with greater certainty. Credentialed scans also help reduce false positives.

13
Q

What is a race condition?

A

A race condition is a software flaw in how a program executes a sequence of code. It usually occurs when code sequences compete for the same resource or run concurrently. Exploiting it relies on a small window of time in which one action impacts another. These out-of-sequence actions can result in a system crash, data loss, or allow attackers to escalate their privileges.

14
Q

What is resource exhaustion?

A

Resource exhaustion can occur when software doesn’t properly manage resources (memory, CPU, storage, etc.) and the system completely consumes or exhausts them. This can happen as the result of a DoS attack.

15
Q

How does architecture and design impact continued vulnerabilities?

A

Clear oversight of system design is important to security. If the design is poorly documented, the result can be system sprawl and a loss of visibility and control. This can include unpatched software, weak configurations, poor access management controls, a lack of backups, downtime, and less resiliency to change.

16
Q

Why is it important to change default configurations?

A

Configuration errors are one of the most common sources of data breaches. Default configurations enlarge the attack surface because they give an attacker a simple means of gaining access to a system.

17
Q

Why is cryptographic management important?

A

Without cryptographic management, data that is supposed to remain confidential is vulnerable to decryption by an attacker. Weak ciphers and weak implementations can cause this, especially if the key size is too small. The key size (the number of bits an algorithm uses in a key) should be large enough to make a brute-force attack infeasible.

18
Q

How does lack of vendor support impact vulnerability?

A

Systems that vendors no longer support, or that have reached end-of-life (EOL), no longer receive patches for newly discovered vulnerabilities. This makes them easy for attackers to exploit.

19
Q

What impact does improper input handling and improper error handling have?

A

Software that is not properly designed to validate input or manage errors is vulnerable to program manipulation and could reveal information that should not be disclosed.
Improper input handling: solutions that don’t properly validate input into the system can affect data flow and expectations.
Improper error handling: software that is not designed to handle errors properly may respond with an error message and diagnostic information that reveals sensitive details about the inner workings of the system.

20
Q

How do leaks, overflows, and code injections impact vulnerability?

A

Integer overflows can allow malicious code to run or lead to a buffer overflow. Buffer overflows can cause system crashes or enable an attacker to execute code outside of that application. Bugs in software allow attackers to take over a process.