Security Operations 4.3 Flashcards
Explain various activities associated with vulnerability management.
Vulnerability Scanning
Scans the operating system to see if the potential for an exploit exists on a particular system.
Port scan, identify systems, test from the outside and the inside.
SAST
Static code analyser.
Identifies many security vulnerabilities, e.g. buffer overflows, database injections.
Not everything can be identified through analysis.
Dynamic Analysis (Fuzzers)
Random input is put into an application to see what the results might be.
Looks for the application behaving in a way that is out of the ordinary.
Package Monitoring
Some applications are distributed as a package. Confirm the package is legitimate. Confirm the package is safe before deployment, by opening it in a sandbox/lab environment.
OSINT
Open-source (Publicly available sources)
Internet - Discussion groups, social media
Government data
Commercial Data.
Proprietary/Third-party Intelligence.
A third-party intelligence company has compiled the threat information and you can buy it. Correlation across different data sources. Constantly monitoring the threat landscape.
Information-sharing organisation
Organisations may share threat information with each other to collaborate against threats.
Public threat intelligence
Private threat intelligence
Need to share critical security details.
Cyber Threat Alliance (CTA).
Members upload specifically formatted threat intelligence.
Dark web intelligence.
Used to conduct research on hackers and their activities.
Monitor forums.
Penetration testing
Simulating an attack to see if vulnerabilities can be exploited. Often a compliance mandate.
National Institute of Standards and Technology - NIST
Rules of engagement
An important document.
Defines the purpose and scope; makes sure everyone is aware of the test parameters.
Type of testing and schedule, for example no pen testing during business hours.
Rules, emergencies, how to handle sensitive information.
Exploiting vulnerabilities while pen-testing.
Be careful not to break the system: be careful not to cause a denial of service or loss of data.
What is the process after gaining access to a system?
After breaking into a network you’d want to use the exploit to move from system to system. This is known as lateral movement.
Persistence (Set up a back door to make sure there is always a way back in).
The pivot - Pen testing.
Gain access to systems that would normally not be accessible. Use a vulnerable system as a proxy or relay.
Responsible disclosure program.
It takes time to fix a vulnerability: software changes, testing, deployment.
Bug bounty programmes - a reward for discovering vulnerabilities; earn money for hacking a system.
False positive
A vulnerability is identified that doesn’t really exist. This is different from a low-severity vulnerability.
False Negative
A vulnerability does exist but wasn’t detected by the vulnerability scan.
Prioritising vulnerabilities
Not every vulnerability shares the same priority.
This may be difficult to determine.
CVSS
Common Vulnerability Scoring System. Scores range from 0 to 10.
CVE
Common Vulnerabilities and Exposures.
The vulnerabilities can be cross-referenced online.
Vulnerability classification
After the vulnerability scanner detects a vulnerability, it should provide a ranking that shows the severity of the vulnerability.
Exposure Factor
The exposure factor is the loss of value or business activity if the vulnerability is exploited, expressed as a percentage.
A small DDoS may limit access to a service.
Environmental Variables.
What type of environment is associated with this vulnerability?
Consider the environment:
Number and type of users
Revenue generating application
Potential for exploit
Industry/organisation impact.
The amount of risk acceptable to an organisation is risk tolerance.
Patching
The most common mitigation technique. Patches are often scheduled (monthly, quarterly) and are constantly provided.
Unscheduled patches often occur if there is an urgent vulnerability.
Insurance
Cyber security insurance coverage.
- Lost revenue
- Data recovery costs
- Money lost to phishing
- Privacy lawsuit costs.
Insurance doesn’t cover everything.
Segmentation to limit scope.
Limit the scope of a potential exploit by separating devices into their own network via VLANs.
Airgaps may be required.
Use internal NGFWs to block unwanted or unnecessary traffic between VLANs.
What are the two ways to achieve segmentation?
Physical segmentation: multiple units, separate infrastructure.
Logical segmentation: VLANs.
Examples of compensating controls in the event of a breach.
Disable the problematic service.
Revoke access to the application
Limit external access
Modify internal security controls and software firewalls.
Exceptions and exemptions
Not everything can be patched, so the change control committee will decide which devices will not receive a patch.
Whilst a vulnerability may exist, it may not be easy to exploit; for example, it may require physical access to exploit, so leaving it unpatched does not dramatically increase risk.
Validation of remediation
Important to perform a scan to ensure that the patch really did stop the exploit on all vulnerable systems.
Important to conduct another vulnerability scan to see if the vulnerability still exists.
Reporting
Ongoing checks are required, as new vulnerabilities are continuously discovered. Necessary once an organisation reaches a certain size.
Continuous reporting:
- Number of identified vulnerabilities
- Systems patched vs unpatched
- New threat notifications
- Errors, exceptions and exemptions.