Sec+ Chapter 05: Security Assessment and Testing Flashcards
Vulnerability management
Identifying, prioritizing, and remediating vulnerabilities in our environments
Vulnerability scanning
How we detect new vulnerabilities and implement a remediation workflow that addresses the highest priorities first
Scanners look at a huge amount of information, but not everything
Looks for very specific signatures of known vulnerabilities that can be cross-referenced online
Minimally invasive, unlike pentests
Asset inventory / map
The result of using scanning tools to search the network for connected systems, whether they were previously known or unknown
Nessus
Created by Tenable; one of the first vulnerability scanners on the market, still widely used today
Configuration review
A process conducted on vulnerability scanners to ensure their settings match current requirements
Factors that influence how often vulnerability scans are run
1) Risk appetite
2) Regulatory requirements
3) Technical constraints
4) Business constraints
5) Licensing limitations
Credentialed scanning
When you provide the scanner with credentials that allow it to connect to a target server
Known environment scan, emulates insider attack
Agent-based scanning
Installed agents conduct scans for an inside-out view of a server
Reports info back to vulnerability management platform
Can cause performance and stability issues
Scan perspectives
Conducting a scan from a different location on the network
EX: External vs internal scans
Controls that could affect scans
1) Firewall settings
2) Network segmentation
3) IDS
4) IPS
SCAP
Security content automation protocol
Effort led by NIST to create a standardized approach for communicating security-related info
CCE
Common configuration enumeration
SCAP standard for system configuration issues
CPE
Common platform enumeration
SCAP standard for product names and versions
CVE
Common vulnerabilities and exposures
SCAP standard for security-related flaws
CVSS
Common vulnerability scoring system
SCAP standard for severity of security-related flaws
XCCDF
Extensible configuration checklist description format
SCAP standard for checklists and reporting checklist results
OVAL
Open vulnerability and assessment language
SCAP standard for specifying low-level testing procedures used by checklists
Scanning tools you need
1) Network vulnerability scanner
2) Application scanner
3) Web app scanner
Network vulnerability scanner
Tool that detects the presence of vulnerabilities on network-connected devices
4 commonly used network vulnerability scanners
1) Qualys
2) Rapid7 Nexpose
3) OpenVAS
4) Nessus
Application scanner
Tool that analyzes custom-developed software to identify common security vulnerabilities
Should always be integral to dev process
Static application testing
Analyzing code without executing it
Points devs at vulnerabilities and provides specific remediation suggestions
Dynamic application testing
Executes code as part of a test
Exercises every interface the code exposes to users with a variety of inputs
Interactive application testing
Combination of static and dynamic testing
Analyzes the source code while testers interact with the application through exposed interfaces
Web app scanner
Specialized tools to examine the security of web apps
Can test for SQL injection, XSS, and CSRF
How web app scanners work
Combines network scans of web servers with detailed web app probing
Sends known malicious input sequences and fuzzed input in attempts to break the app
Common web app scanners
1) Nikto: CLI-based
2) Arachni: Windows, Linux, macOS
CVSS AV
Attack vector
How an attacker exploits a vulnerability
1) Physical (P)
2) Local (L)
3) Adjacent network (A)
4) Network (N)
CVSS AC
Attack complexity
The difficulty of exploiting a vulnerability
1) High (H)
2) Low (L)
CVSS PR
Privileges required
The type of account access an attacker needs to exploit a vulnerability
1) High (H)
2) Low (L)
3) None (N)
CVSS U
User interaction
Whether the attacker needs to involve another human in the attack
1) None (N)
2) Required (R)
CVSS C
Confidentiality
The type of information disclosure that may occur if an attacker successfully exploits it
1) None (N)
2) Low (L)
3) High (H)
CVSS I
Integrity
The type of information alteration that may occur if an attacker successfully exploits it
1) None (N)
2) Low (L)
3) High (H)
CVSS A
Availability
The type of disruption that may occur if an attacker successfully exploits it
1) None (N)
2) Low (L)
3) High (H)
CVSS S
Scope
Whether or not the vulnerability can affect system components beyond the vulnerable component itself
Value of the scope metric is reflected in the values for the privileges required metric
1) Unchanged (U)
2) Changed (C)
CVSS Base score
Single number representing the overall risk posed by a vulnerability
CVSS qualitative rating scale
CVSS rating expressed as risk categories instead of a numeric value
1) None: 0.00
2) Low: 0.1 to 3.9
3) Medium: 4.0 to 6.9
4) High: 7.0 to 8.9
5) Critical: 9.0 to 10.0
False positive error
When a vulnerability scanner reports a vulnerability that doesn’t exist
Positive report
When a vulnerability scanner reports a real vulnerability
It could be a true positive (accurate) or false positive (inaccurate)
Negative report
When a vulnerability scanner reports no vulnerability present
It could be a true negative (accurate) or false negative (inaccurate)
Log review
Scouring logs to find possible exploitation attempts
SIEM
Security information and event management systems
Collects real-time information from anything on a network that can tell us what's happening right now, like log files and security alerts
Central repository that correlates data from multiple sources to provide actionable intelligence on vulnerability exploits
Configuration management system
Provides information on the OS and applications installed on a system to verify vulnerabilities and exploits
Patch management
Core security practice
Consistently applying security patches to systems
Legacy platform
Any product that's been discontinued and no longer has support; a massive security risk
If you can’t update legacy platforms
Isolate the system
Don't connect it to the network if possible
Apply compensating security controls
Increase monitoring
Strict firewall rules
Weak configurations
1) Default settings
2) Unsecured accounts
3) Unnecessary open ports and services
4) Permissions that violate least privilege
Debug mode and error messages
Gives crucial error info needed for troubleshooting
Also provides attackers with those same details, like DB structure, authentication mechanisms, etc.
How to manage debug mode effectively
1) Disable it on public-facing systems
2) Give devs a dedicated environment for their work, accessible only from the private network; debug mode can be enabled there
White box tests
Known environment
Pentest where you have full knowledge of the underlying tech, configs, and settings
Black box tests
Unknown environment
Pentest that seeks to replicate what an attacker encounters, no information or access
Gray box test
Partially known environment
Pentest that blends white box and black box approaches
Some info given, but not full info
RoE
Rules of engagement for pen testing. Key elements include:
1) The timeline for the engagement and when testing can be conducted
2) What locations, systems, apps, or other targets are included or excluded (IPs, etc)
3) Data handling requirements for information gathered during the pen test
4) What behaviors to expect from the target (shunning, black-listing, or active defenses and how they can limit the value of a pen test)
5) What resources are committed to the test
6) Legal concerns
7) When and how communications will occur about the test
War driving
When pentesters drive by facilities with high-powered antennas to eavesdrop on and connect to wireless networks
War flying
Same as war driving, but with UAVs
Initial access
When an attacker exploits a vulnerability to gain access to an org’s network
Privilege escalation
Shift to more advanced privileges like root access on the same system
Pivot / lateral movement
Using initial system compromise to gain access to other systems on the target network
Persistence
Install backdoors and other mechanisms on compromised networks that allow repeat access to the network, even if the initial vulnerability is patched
Syslog
Standard method for transferring log files from one device to a centralized database, like a SIEM
SIEM has syslog-compatible collectors that wait for messages to be sent from all the devices on the network
When we send info via syslog, each log entry sent to the syslog destination is labeled with a facility code (the program that created the log) and a severity level
Different syslog daemons:
1) Rsyslog: Rocket fast system for log processing
2) syslog-ng: Additional filtering and storage options
3) NXLog: Collection from many diverse log types
SIEM data
Some examples of the types of data that are valuable to store in SIEM
1) Server authentication attempts
2) VPN connections
3) Firewall session logs
4) Denied outbound traffic flows
5) Network utilization
6) Packet captures