Security Operations 4.3 Flashcards
Explain various activities associated with vulnerability management.
Vulnerability Scanning
Scans the operating system to see if the potential for an exploit exists on a particular system.
Port scan, identify systems, test from the outside and the inside.
SAST
Static code analyser.
Identifies many security vulnerabilities, e.g. buffer overflows, database injections.
Not everything can be identified through analysis.
Dynamic Analysis (Fuzzers)
Random input put into an application to see what the results might be.
Looking for the application to act in a way out of the ordinary.
Package Monitoring
Some applications are distributed in a package. Confirm the package is legitimate. Confirm a safe package before deployment - by opening in a sandbox/lab environment.
OSINT
Open-source (Publicly available sources)
Internet - Discussion groups, social media
Government data
Commercial Data.
Proprietary/Third-party Intelligence.
A third-party intelligence company has compiled the threat information and you can buy it. Correlation across different data sources. Constantly monitoring the threat landscape.
Information-sharing organisation
Organisations might publicise threat information so they can collaborate against threats.
Public threat intelligence
Private threat intelligence
Need to share critical security details.
Cyber Threat Alliance (CTA).
Members upload specifically formatted threat intelligence.
Dark web intelligence.
Used to conduct research on hackers and their activities.
Monitor forums.
Penetration testing
Simulating an attack to see if vulnerabilities can actually be exploited. Often a compliance mandate.
National Institute of Standards and Technology - NIST.
Rules of engagement
An important document:
Defines the purpose and scope; makes sure everyone is aware of the test parameters.
Type of testing and schedule - for example, no pen testing during business hours.
Rules, emergency procedures, how to handle sensitive information.
Exploiting vulnerabilities while pen-testing.
Be careful when breaking into the system. Be careful not to cause a denial of service or loss of data.
What is the process after gaining access to a system.
After breaking into a network you’d want to use the exploit to move from system to system. This is known as lateral movement.
Persistence (Set up a back door to make sure there is always a way back in).
The pivot - Pen testing.
Gain access to systems that would normally not be accessible. Use a vulnerable system as a proxy or relay.
Responsible disclosure program.
Takes time to fix a vulnerability. Software changes, testing, deployment.
Bug bounty programmes - a reward for discovering vulnerabilities; earn money for hacking a system.
False positive
A vulnerability is identified that doesn’t really exist. This is different from a low-severity vulnerability.
False Negative
A vulnerability does exist but wasn’t detected by the vulnerability scan.
Prioritising vulnerabilities
Not every vulnerability shares the same priority.
This may be difficult to determine.
CVSS
Common Vulnerability Scoring System. Scores range from 0 to 10.
CVE
Common Vulnerabilities and Exposures.
The vulnerabilities can be cross-referenced online.
Vulnerability classification
After the vulnerability scanner detects a vulnerability, it should provide a ranking that shows the severity of the vulnerability.
Exposure Factor
The exposure factor is the loss of value or business activity if the vulnerability is exploited, expressed as a percentage.
A small DDoS may limit access to a service.
Environmental Variables.
What type of environment is associated with this vulnerability?
Consider the environment, such as:
Number and type of users
Revenue generating application
Potential for exploit
Industry/organisation impact.
The amount of risk acceptable to an organisation is risk tolerance.