PenTest+ Study Notes 2 Flashcards
(1) Create and maintain a secure infrastructure by using dedicated appliances and software that monitor for and prevent attacks. (2) Employ good-practice strategies, such as changing passwords from the vendor default and training users not to open suspicious emails. (3) Continuously monitor for vulnerabilities and employ appropriate anti-malware protection that is continuously updated. (4) Provide strong access control by using the principle of least privilege, and routinely monitor and test networks. Also, for example, rules that define proper behavior: if a merchant fails to comply and is in violation of the requirements, it faces a substantial fine and may even lose the ability to handle credit card transactions.
PCI DSS (standards to secure data) :
Compliance relies on a continuous process of assess, remediate, and report. PCI DSS is not law, so there is no government oversight; instead, audits are performed to verify that the required controls are properly in place. PCI DSS uses an RoC (Report on Compliance), based on internal or external auditing done on a yearly basis. Merchants are grouped into levels: Level 1 is a large merchant with over six million transactions a year. Level 2 is a merchant with one to six million transactions a year. Level 3 is a merchant with 20,000 to one million transactions a year. Level 4 is a small merchant with under 20,000 transactions a year.
Level 1: must have the assessment performed by an external auditor who is an approved Qualified Security Assessor (QSA). Levels 1 and 2: must complete an RoC. Levels 2-4: can either use an external auditor or submit a self-test that proves they are taking active steps to secure the infrastructure.
PCI DSS info
??? outlines how consumer data is protected and affects anyone that does business with residents of the EU and Britain. The law focuses on data privacy and gives consumers the ability to control how their data is handled.
GDPR :
??? Require consent. Rescind consent -> known as the "right to be forgotten" rule; a consumer can withdraw consent at any time. Global reach -> this rule applies to anyone that does business with the EU and Britain, since websites, for example, have no physical boundary. Restrict data collection -> organizations should collect only the minimal amount of data needed to interact with the site. Violation reporting -> if a company's consumer database is breached, the company must report the breach within 72 hours. Any company with over 250 employees must audit its systems and take rigorous steps to protect the data within them, whether held locally or managed in the cloud.
Some Components of GDPR :
??? enacted in New York to protect citizens' data; this law requires organizations to strengthen their cybersecurity defenses to prevent data breaches and protect consumer data.
??? outlines how to handle consumer data; vendors should include pentesting of all web apps and internal systems, along with social engineering assessments.
SHIELD Law / CCPA Law
??? a listing of all publicly disclosed vulnerabilities. Each entry includes the name of the vulnerability, in the form ???-YEAR-NUMBER, and a description of the vulnerability.
??? a database of software-related vulnerabilities maintained by the MITRE Corporation (it covers hardware weaknesses as well).
CVE / CWE
??? (1) Provide credentials, such as certifications, that prove they have the appropriate skills to conduct pentesting. (2) Produce recent background checks, which can include credit scores and driving records; make sure no one has a criminal record or felony conviction. Any criminal activity by the pentest team must be reported, even if it was done by mistake.
Pentest team: must sign and conform to a policy on handling proprietary and sensitive information.
Background checks of Pentest Team :
??? IP addresses -> includes the appropriate network ranges and any ASNs the organization is using.
Domains and/or subdomains -> those within the organization's control.
APIs -> which could be either public-facing apps or those that allow access to details of a specific user.
Users -> they are prone to social engineering and generally have access to resources restricted to outside parties; they are the easiest attack vector.
SSIDs (wireless networks).
Targeting In-Scope Assets :
??? are visible on the Internet, such as a website, web application, email server, or DNS server. An ??? is not a good candidate for attacks that require direct access to the network segment, such as sniffing or ARP poisoning.
??? can be accessed from within the organization. Access to these resources can be achieved through the efforts of either a malicious insider or an external attacker who has obtained credentials through a phishing attack. If direct access to the internal network can be established, this asset is an excellent candidate for all attack types.
External Assets / Internal Assets
??? This includes assets that are hosted by the client organization itself. In some cases, ??? might be easier to attack than third-party hosted services, as most companies do not have the same resources, expertise, or security focus as a service provider.
??? This includes assets that are hosted by a vendor or partner of the client organization, such as cloud-based hosting. This type of asset is not an impossible target; however, established providers are generally more likely to have stringent controls in place. In contrast, smaller, newer hosting companies may have fewer resources and less security expertise and may be easier to attack than larger, more mature providers.
1st-Party Hosted Assets / 3rd-Party Hosted Assets