Sec+ Chapter 05: Security Assessment and Testing

Question 1

Vulnerability management

Answer 1

Identifying, prioritizing, and remediating vulnerabilities in our environments

Question 2

Vulnerability scanning

Answer 2

How we detect new vulnerabilities and implement a remediation workflow that addresses the highest priorities first

Scanners look at a huge amount of information, but not everything

Looks at very specific signatures for known vulnerabilities that can be x-referenced online

Minimally invasive, unlike pentests

Question 3

Asset inventory / map

Answer 3

The result of using scanning tools to search the network for connected systems, whether they were previously known or unknown

Question 4

Nessus

Answer 4

Created by Tenable, one of the first vulnerability scanners on the market that’s widely used today

Question 5

Configuration review

Answer 5

A process conducted on vulnerability scanners to ensure their settings match current requirements

Question 6

Factors that influence how often vulnerability scans are run

Answer 6

1) Risk appetite

2) Regulatory requirements

3) Technical constraints

4) Business constraints

5) Licensing limitations

Question 7

Credentialed scanning

Answer 7

When you provide the scanner with credentials that allow it to connect to a target server

Known environment scan, emulates insider attack

Question 8

Agent based scanning

Answer 8

Installed agents conduct scans for an inside-out view of a server

Reports info back to vulnerability management platform

Can cause performance and stability issues

Question 9

Scan perspectives

Answer 9

Conducting a scan from a different location on the network

EX: External vs internal scans

Question 10

Controls that could affect scans

Answer 10

1) Firewall settings

2) Network segmentation

3) IDS

4) IPS

Question 11

SCAP

Answer 11

Security content automation protocol

Effort led by NIST to create a standardized approach for communicating security-related info

Question 12

CCE

Answer 12

Common configuration enumeration

SCAP standard for system configuration issues

Question 13

CPE

Answer 13

Common platform enumeration

SCAP standard for product names and versions

Question 14

CVE

Answer 14

Common vulnerabilities and exposures

SCAP standard for security-related flaws

Question 15

CVSS

Answer 15

Common vulnerability scoring system

SCAP standard for severity of security-related flaws

Question 16

XCCDF

Answer 16

Extensible configuration checklist description format

SCAP standard for checklists and reporting checklist results

Question 17

OVAL

Answer 17

Open vulnerability and assessment language

SCAP standard for specifying low-level testing procedures used by checklists

Question 18

Scanning tools you need

Answer 18

1) Network vulnerability scanner

2) Application scanner

3) Web app scanner

Question 19

Network vulnerability scanner

Answer 19

Tool that detects the presence of vulnerabilities on network-connected devices

Question 20

4 commonly used network vulnerability scanners

Answer 20

1) Qualys

2) Rapid7 Nexpose

3) OpenVAS

4) Nessus

Question 21

Application scanner

Answer 21

Tool that analyzes custom-developed software to identify common security vulnerabilities

Should always be integral to dev process

Question 22

Static application testing

Answer 22

Analyzing code without executing it

Points devs at vulnerabilities and provides specific remediation suggestions

Question 23

Dynamic application testing

Answer 23

Executes code as part of a test

Runs all interfaces that the code exposes a user to with a variety of inputs

Question 24

Interactive application testing

Answer 24

Combination of static and dynamic testing

Analyzes the source code while testers interact with the application through exposed interfaces

Question 25

Web app scanner

Answer 25

Specialized tools to examine the security of web apps

Can test for SQL injection, XSS, and CSRF

Question 26

How web app scanners work

Answer 26

Combines network scans of web servers with detailed web app probing

Sends known malicious input sequences and fuzzing in attempts to break the app

Question 27

Common web app scanners

Answer 27

1) Nikto: CLI-based

2) Arachni: Windows, Linux, macOS

Question 28

CVSS AV

Answer 28

Attack vector

How an attacker exploits a vulnerability

1) Physical (P)

2) Local (L)

3) Adjacent network (A)

4) Network (N)

Question 29

CVSS AC

Answer 29

Attack complexity

The difficulty of exploiting a vulnerability

1) High (H)

2) Low (L)

Question 30

CVSS PR

Answer 30

Privileges required

The type of account access an attacker needs to exploit a vulnerability

1) High (H)

2) Low (L)

3) None (N)

Question 31

CVSS U

Answer 31

User interaction

Whether the attacker needs to involve another human in the attack

1) None (N)

2) Required (R)

Question 32

CVSS C

Answer 32

Confidentiality

The type of information disclosure that may occur if an attacker successfully exploits

1) None (N)

2) Low (L)

3) High (H)

Question 33

CVSS I

Answer 33

Integrity

The type of information alteration that may occur if an attack successfully exploits

1) None (N)

2) Low (L)

3) High (H)

Question 34

CVSS A

Answer 34

Availability

The type of disruption that may occur if the attacker successfully exploits

1) None (N)

2) Low (L)

3) High (H)

Question 35

CVSS S

Answer 35

Scope

Whether or not the vulnerability can affect system components beyond the scope of the vulnerability

Value of the scope metric is reflected in the values for the privileges required metric

1) Unchanged (U)

2) Changed (C)

Question 36

CVSS Base score

Answer 36

Single number representing the overall risk posed by a vulnerability

Question 37

CVSS qualitative rating scale

Answer 37

CVSS based on risk categories instead of numeric value

1) None: 0.00

2) Low: 0.1 to 3.9

3) Medium: 4.0 to 6.9

4) High: 7.0 to 8.9

5) Critical: 9.0 to 10.0

Question 38

False positive error

Answer 38

When a vulnerability scanner reports a vulnerability that doesn’t exist

Question 39

Positive report

Answer 39

When a vulnerability scanner reports a real vulnerability

It could be a true positive (accurate) or false positive (inaccurate)

Question 40

Negative report

Answer 40

When a vulnerability scanner reports no vulnerability present

It could be a true negative (accurate) or false negative (inaccurate)

Question 41

Log review

Answer 41

Scouring logs to find possible attempts to exploit

Question 42

SIEM

Answer 42

Security information and event management systems

Collects real time information from anything on a network that can tell us what’s happening right now, like log files and security alerts

Central repository that correlates data from multiple sources to provide actionable intelligence on vulnerability exploits

Question 43

Configuration management system

Answer 43

Provides information on the OS and applications installed on a system to verify vulnerabilities and exploits

Question 44

Patch management

Answer 44

Core security practice

Consistently applying security patches to systems

Question 45

Legacy platform

Answer 45

Any product that’s been discontinued and no longer has support, massive security risk

Question 46

If you can’t update legacy platforms

Answer 46

Isolate the system

Don’t connect to network if possible

Apply compensating security controls

Increase monitoring

Strict firewall rules

Question 47

Weak configurations

Answer 47

1) Default settings

2) Unsecured accounts

3) Unnecessary open ports and services

4) Permissions that violate least privilege

Question 48

Debug mode and error messages

Answer 48

Gives crucial error info needed for troubleshooting

Also provides attackers info with the same details like db structure, authentication mechanisms, etc

Question 49

How to manage debug mode effectively

Answer 49

1) Disable it on public-facing systems

2) Give devs a dedicated environment for their work only accessible from private network – then you can enable

Question 50

White box tests

Answer 50

Known environment

Pentest where you have full knowledge of the underlying tech, configs, and settings

Question 51

Black box tests

Answer 51

Unknown environment

Pentest that seeks to replicate what an attacker encounters, no information or access

Question 52

Gray box test

Answer 52

Partially known environment

Pentest that blends white and black

Some info given, but not full info

Question 53

RoE

Answer 53

Rules of engagement for pen testing. Key elements include:

1) The timeline for the engagement and when testing can be conducted

2) What locations, systems, apps, or other targets are included or excluded (IPs, etc)

3) Data handling requirements for information gathered during the pen test

4) What behaviors to expect from the target (shunning, black-listing, or active defenses and how they can limit the value of a pen test)

5) What resources are committed to the test

6) Legal concerns

7) When and how communications will occur about the test

Question 54

War driving

Answer 54

When pentesters drive by facilities with high-powered antennae to eavesdrop and connect on wireless networks

Question 55

War flying

Answer 55

Same as war driving, but with UAVs

Question 56

Initial access

Answer 56

When an attacker exploits a vulnerability to gain access to an org’s network

Question 57

Privilege escalation

Answer 57

Shift to more advanced privileges like root access on the same system

Question 58

Pivot / lateral movement

Answer 58

Using initial system compromise to gain access to other systems on the target network

Question 59

Persistence

Answer 59

Install backdoors and other mechanisms on compromised networks that allow repeat access to the network, even if the initial vulnerability is patched

Question 60

Syslog

Answer 60

Standard method for transferring log files from one device to a centralized database, like a SIEM

SIEM has syslog compatible collectors that waitfor messages to be sent from all the devices on the network

When we send info via syslog, we label each log entry into the syslog destination with a facility code (program that created the log) and a severity level

Different syslog daemons:

1) Rsyslog: Rocket fast system for log processing

2) syslog-ng: Additional filtering and storage options

3) NXLog: Collection from many diverse log types

Question 61

SIEM data

Answer 61

Some examples of the types of data that are valuable to store in SIEM

1) Server authentication attempts

2) VPN connections

3) Firewall session logs

4) Denied outbound traffic flows

5) Network utilizations

6) Packet captures