Security Plus - Chapter 5 Flashcards
Vulnerability Management
A program used to identify, prioritize, and remediate vulnerabilities.
Vulnerability Scanning
Tools used to detect new vulnerabilities as they arise and implement a remediation workflow that addresses the highest priority vulnerabilities.
Asset Inventory
A list of all of the assets that are in an environment.
Asset Criticality
Determining how important an asset is to the organization, which drives how strongly it must be protected with security controls and how its vulnerabilities are prioritized.
Asset Map
The asset inventory laid out across the organization's network, showing where each asset sits (which segment, which data center, whether it is Internet-facing).
Risk Appetite
The amount of risk the organization is willing to tolerate; it drives how aggressively vulnerabilities are remediated and which ones may be formally accepted.
Regulatory Requirements
Requirements imposed by law, regulators, or industry bodies that dictate how security controls must be applied to protect the organization's data, including how often and how broadly vulnerability scans must run. Examples:
PCI DSS
HIPAA
FISMA
Technical Constraints
Limits of the scanning tool or platform itself. Ex. The scanning system may only be able to complete a certain number of scans per day, so the organization may need to adjust scanning frequency to ensure scans complete successfully.
Business Constraints
Limits imposed by the business rather than the tool. Ex. A vulnerability scan consumes server resources and network bandwidth and may slow production systems, so scans may have to be scheduled outside business hours or throttled.
Licensing Limitations
A scanning tool's license may cap the bandwidth the tool is permitted to use or the number of assets (IP addresses) it is permitted to scan.
Vulnerability Scan Configuration
The settings that control how scans run: scheduling, report generation, the types of checks performed, the credentials used to access targets, the installation of scanning agents, and the network perspectives from which scans are conducted.
Scan Sensitivity Levels
These settings determine the types of checks that the scanner will perform and should be customized to ensure that the scan meets its objectives while minimizing the possibility of disrupting the target environment.
Credentialed Scanning
Scans performed with a valid login to the target (operating system, database, or application accounts), which let the scanner inspect configuration and installed software directly instead of inferring them from network responses. This improves accuracy and reduces false positives. The accounts should be read-only and scoped to the scan, so that the scanner gathers information without changing the target.
Server-Based Scanning
Vulnerability scanning performed by a tool installed on a server within the network.
Agent-Based Scanning
Administrators install small software agents on each target system; the agent performs an inside-out scan of its host and reports the results back to the vulnerability management platform for analysis and reporting.
Scan Perspectives
Conducting scans from different locations within the network, providing a different view into vulnerabilities. Ex. External, Internal, Data Center
Controls That May Affect Scan Results
Firewall Settings
Network segmentation
Intrusion Detection Systems
Intrusion Prevention Systems
Vulnerability Feeds
Updates of vulnerabilities that are sent to the vulnerability management platform on a regular basis.
Security Content Automation Protocol (SCAP)
An effort by the security community, led by the National Institute of Standards and Technology (NIST), to create a standardized approach for communicating security-related information such as product names, configuration items, flaws, and severity.
SCAP Standards
Common Configuration Enumeration (CCE)
Common Platform Enumeration (CPE)
Common Vulnerabilities and Exposures (CVE)
Common Vulnerability Scoring System (CVSS)
Extensible Configuration Checklist Description Format (XCCDF)
Open Vulnerability and Assessment Language (OVAL)
Common Configuration Enumeration (CCE)
Provides a standard nomenclature for discussing system configuration issues.
Common Platform Enumeration (CPE)
Provides a standard nomenclature for describing product names and versions.
Common Vulnerabilities and Exposures (CVE)
Provides a standard nomenclature for describing security-related software flaws.
Common Vulnerability Scoring System (CVSS)
Provides a standardized approach for measuring and describing the severity of security-related software flaws.
Extensible Configuration Checklist Description Format (XCCDF)
A language for specifying checklists and reporting checklist results.
Open Vulnerability and Assessment Language (OVAL)
A language for specifying low-level testing procedures used by checklists.
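As an added example (not from the flashcards or from any scanner's code), the following Python shows how a vulnerability management platform uses two of the SCAP names above: assets in the inventory are identified by CPE 2.3 names and flaws in the feed by CVE IDs, and the platform matches one against the other. It assumes CPE fields contain no escaped colons and that versions are purely numeric dotted strings; the vendor, products and CVE numbers are constructed sample data, not real advisories.

```python
# Added example (not from the flashcards or any scanner): how a vulnerability
# management platform matches an asset inventory against a vulnerability feed
# using SCAP names. Assets are identified by CPE 2.3 names, flaws by CVE IDs.
# Simplifications (assumptions): CPE fields contain no escaped colons and
# versions are purely numeric dotted strings. All CVE IDs and products below
# are constructed sample data, not real advisories.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass(frozen=True)
class Cpe:
    part: str      # "a" application, "o" operating system, "h" hardware
    vendor: str
    product: str
    version: str   # "*" in a feed entry means "any version" (use the range)


def parse_cpe(name: str) -> Cpe:
    """Parse a CPE 2.3 formatted string: cpe:2.3:part:vendor:product:version:... (13 fields)."""
    fields = name.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 name: {name}")
    return Cpe(part=fields[2], vendor=fields[3], product=fields[4], version=fields[5])


def version_key(version: str) -> Tuple[int, ...]:
    """'2.4.49' -> (2, 4, 49) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in version.split("."))


@dataclass(frozen=True)
class Advisory:
    cve: str
    affected: Cpe                 # version "*" means use the range below
    start_incl: Optional[str]     # first affected version (inclusive)
    end_excl: Optional[str]       # first fixed version (exclusive)
    cvss: float

    def __post_init__(self):
        if not CVE_ID.match(self.cve):
            raise ValueError(f"malformed CVE identifier: {self.cve}")


def affects(adv: Advisory, asset: Cpe) -> bool:
    """True when the advisory's product matches and the asset version is in range."""
    a = adv.affected
    if (a.part, a.vendor, a.product) != (asset.part, asset.vendor, asset.product):
        return False
    if a.version != "*":
        return a.version == asset.version
    v = version_key(asset.version)
    if adv.start_incl is not None and v < version_key(adv.start_incl):
        return False
    if adv.end_excl is not None and v >= version_key(adv.end_excl):
        return False
    return True


def match_inventory(inventory: Dict[str, str], feed: List[Advisory]) -> Dict[str, List[Tuple[str, float]]]:
    """Map each host to the (CVE, CVSS) pairs that apply, highest severity first."""
    findings = {}
    for host, cpe_name in inventory.items():
        asset = parse_cpe(cpe_name)
        hits = [(adv.cve, adv.cvss) for adv in feed if affects(adv, asset)]
        hits.sort(key=lambda h: h[1], reverse=True)
        findings[host] = hits
    return findings


# Constructed sample data (fictitious vendor, products and CVE numbers).
INVENTORY = {
    "web01": "cpe:2.3:a:exampleco:webserver:2.4.49:*:*:*:*:*:*:*",
    "web02": "cpe:2.3:a:exampleco:webserver:2.4.51:*:*:*:*:*:*:*",
    "db01":  "cpe:2.3:a:exampleco:dbms:10.2:*:*:*:*:*:*:*",
}
FEED = [
    Advisory("CVE-2099-0001", parse_cpe("cpe:2.3:a:exampleco:webserver:*:*:*:*:*:*:*:*"), "2.4.0", "2.4.51", 9.8),
    Advisory("CVE-2099-0002", parse_cpe("cpe:2.3:a:exampleco:webserver:2.4.49:*:*:*:*:*:*:*"), None, None, 5.3),
    Advisory("CVE-2099-0003", parse_cpe("cpe:2.3:a:exampleco:dbms:*:*:*:*:*:*:*:*"), "10.0", "10.3", 7.5),
]

if __name__ == "__main__":
    for host, hits in match_inventory(INVENTORY, FEED).items():
        print(host, hits or "no known vulnerabilities")
```

The version comparison is the part that goes wrong most often in practice: comparing "2.4.10" and "2.4.9" as strings puts 2.4.10 first, which is why the example converts to integer tuples before comparing against the advisory's range.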
Network Vulnerability Scanner Examples
Tenable Nessus - Widely respected and one of the first products introduced
Qualys - Commercially available, more recent product
Rapid7 Nexpose - Commercially available, more recent product
OpenVAS - Free, open source alternative to the commercial products
Static Application Testing
Analyzes source code without executing it (static application security testing, SAST).
Dynamic Application Testing
Executes the code as part of the test, exercising the interfaces the application exposes to users with a variety of inputs and watching for vulnerable behavior (dynamic application security testing, DAST).
Interactive Application Testing
Instruments and analyzes the running code while testers interact with the application through its exposed interfaces, combining the two approaches (interactive application security testing, IAST).
Web Application Scanning
Tools that examine the security of web applications that test for web-specific vulnerabilities like SQL injection, cross site scripting (XSS), and cross-site request forgery (CSRF) vulnerabilities.
Vulnerability Report Reviews
Nessus report sections:
- Vulnerability name and overall severity
- Detailed description
- Solution
- See Also (references)
- Output (the raw data the check returned from the target)
- Port/Hosts (the port and host on which the vulnerability was found)
- Vulnerability Information (miscellaneous details about the vulnerability)
- Risk Information (CVSS scores and other data useful for assessing severity)
Common Vulnerability Scoring System (CVSS)
An industry standard for assessing the severity of security vulnerabilities. CVSS v3 scores a vulnerability on eight base metrics:
Attack Vector Metric - Evaluates exploitability
Attack Complexity Metric - Evaluates exploitability
Privileges Required Metric - Evaluates exploitability
User Interaction Metric - Evaluates exploitability
Confidentiality Metric - Evaluates the impact of the vulnerability
Integrity Metric - Evaluates the impact of the vulnerability
Availability Metric - Evaluates the impact of the vulnerability
Scope Metric - Evaluates whether the impact extends beyond the vulnerable component
Attack Vector Metric
Describes how an attacker would exploit the vulnerability.
Attack Complexity Metric
Describes the difficulty of exploiting the vulnerability.
Privileges Required Metric
Describes the type of account access that an attacker needs to exploit the vulnerability.
User Interaction Metric
Describes whether the attacker needs to involve another human in the attack.
Confidentiality Metric
Describes the type of information disclosure that might occur if an attacker successfully exploits the vulnerability.
Integrity Metric
Describes the type of information alteration that might occur if an attacker successfully exploits the vulnerability.
Availability Metric
Describes the type of disruption that might occur if an attacker successfully exploits the vulnerability.
Scope Metric
Describes whether exploiting the vulnerability can affect components beyond the security scope of the vulnerable component (Unchanged or Changed).
CVSS Vector
Single-line format that conveys a vulnerability's rating on all eight base metrics, for example CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (network-reachable, low complexity, no privileges or user interaction required, scope unchanged, high impact on confidentiality, integrity, and availability; base score 9.8).
CVSS Severity Rating Scale
CVSS Score Rating
0.0 None
0.1-3.9 Low
4.0-6.9 Medium
7.0-8.9 High
9.0-10.0 Critical
False Positives
When a scanner reports a vulnerability that does not exist.
Positive Report
When a scanner reports a vulnerability.
Negative Report
When a scanner reports there are no vulnerabilities.
False Negative
When a scanner reports there are no vulnerabilities when there actually are some on the system.
Information Sources for Interpreting Scan Reports
Log Reviews
Security Information and Event Management systems
Configuration Management systems
Patch Management
The process of applying updates to operating systems, applications, and other systems and tools.
Legacy Systems
Systems that are no longer supported by the vendors that produced those systems.
Weak Configurations
A cause of vulnerabilities arising from poor security practices such as:
-Using default settings on setup/configuration pages
-Using default credentials or leaving standard user and administrator accounts unsecured
-Leaving service ports open that are not necessary for normal system operation
-Granting permissions that give users more access than they need, violating the principle of least privilege
Debug Mode
Gives the developer the detailed error information needed to troubleshoot an application during development. Left enabled in production, it can reveal to an attacker the inner workings of the application, the structure of its database, its authentication mechanisms, or other details that aid an attack.
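As an added example (not from the flashcards or from any particular web framework), the following Python handles the same failing request with debug mode on and off, so the leak is visible: in debug mode the client receives the stack trace, including a database error that names a table and column; in production mode the client receives only an opaque reference and the detail goes to the server log. The failing query is constructed to stand in for a real database error; APP_DEBUG is an assumed environment variable name.

```python
# Added example (not from the flashcards or any particular framework): the same
# failing request handled with debug mode on and off, to show what leaks.
# query_customer's failure is constructed to stand in for a real database error;
# APP_DEBUG is an assumed variable name.
import logging
import os
import traceback
import uuid
from typing import Mapping, Tuple

log = logging.getLogger("app")


def debug_enabled(env: Mapping[str, str] = os.environ) -> bool:
    """Debug must be opted into explicitly; the safe default is off."""
    return env.get("APP_DEBUG", "0") == "1"


def query_customer(customer_id: int) -> str:
    # Constructed failure: the message carries schema details (table and column
    # names) exactly as a real database driver error often does.
    raise RuntimeError(f"relation customers.ssn_hash does not exist (id={customer_id})")


def handle_request(customer_id: int, debug: bool) -> Tuple[int, str]:
    """Return (HTTP status, response body) for a request that hits the failing query."""
    try:
        return 200, query_customer(customer_id)
    except Exception:
        detail = traceback.format_exc()
        if debug:
            # Debug mode: stack trace, file paths and the raw error go to the client.
            return 500, detail
        # Production: the client gets an opaque reference; the detail is logged server-side
        # so operators can still correlate the report with the failure.
        ref = uuid.uuid4().hex[:12]
        log.error("ref=%s\n%s", ref, detail)
        return 500, f"Internal error. Reference: {ref}"


if __name__ == "__main__":
    for mode in (True, False):
        status, body = handle_request(7, debug=mode)
        print(f"debug={mode} status={status}\n{body}\n")
```

The point of `debug_enabled` is that the decision is made from configuration with a default of off, rather than from a flag hard-coded in the source that is easy to ship by accident.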
Insecure Protocols
Protocols designed without security controls, which send data, including credentials, in cleartext and do not authenticate the remote endpoint. Telnet and FTP are two examples; SSH and SFTP/FTPS are their secure replacements.
Weak Encryption
Using cryptographic algorithms or key lengths that are known to be broken and can be defeated by an attacker with modest effort.
Penetration Testing
A review of an organization's systems in which a skilled tester attempts to defeat the security controls, to determine whether those controls are sufficient to hold up against a sophisticated attacker.
Adopting the Hacker Mindset
Understanding how an attacker operates and that the attacker needs only one vulnerability to compromise an organization's network. To find those vulnerabilities first, security professionals must think like an adversary.
Benefits of Penetration Testing
-Provides the organization with an attacker's view of its defenses: if the testers succeed, it shows which security controls were missing or misconfigured; if they fail, it gives confidence that the controls in place can thwart an attacker.
-If the testers succeed, their path provides a blueprint for remediation. The organization can trace the testers' actions through the network, close each open door they used, and add the controls needed to block the same chain of attacks in the future.
-The tests provide essential, focused information about specific attack targets.
Threat Hunting
Searching the organization's technology infrastructure for the artifacts of a successful attack. It assumes attackers have already gained access and works to find the evidence of that access.
Physical Penetration Testing
Identifying and exploiting vulnerabilities in an organization’s physical security controls.
Offensive Penetration Testing
A proactive approach where security professionals act as an attacker to identify and exploit vulnerabilities in an organization’s networks, systems, and applications.
Defensive Penetration Testing
Evaluating an organization’s ability to defend against cyberattacks. Testing the defenses that are established.
Integrated Penetration Testing
Combines both offensive and defensive testing to provide a comprehensive assessment of an organization’s security posture.
Known Environment Testing
Performed with full knowledge of the underlying technology, configurations, and settings that make up the target.
Unknown Environment Testing
Intends to replicate what an actual attacker would encounter.
Partially Known Environment Testing
A blend of known and unknown environment testing. The tester is given some information about the environment without full access, credentials, or configurations.
Rules Of Engagement (ROE)
The agreed-upon testing process and the permission the testing firm is given to attack the organization's networks.
Elements of the Rules of Engagement
Timeline - When the testing is permitted to be performed.
What targets - What locations, systems, applications, and other potential areas that are permitted to be tested.
Data handling requirements - How information gathered during the testing will be collected, maintained, provided to the organization, and destroyed at the end of the testing agreement.
Behaviors - What the organization's own staff and defensive controls will do while the test runs (for example, whether defenders respond as they would to a real attack or stand down), so that the testers can test to the organization's satisfaction.
What Resources - Understanding what time commitment may be required from administrators, developers, engineers, operations center, and other experts of the targets that may be included in working through the testing.
Legal Concerns - Include a review of the laws that cover the target organization, any remote locations, and any service providers that may be in scope.
Communications - How often the testing firm will report to the organization, how testers should respond if they succeed in breaching the organization, and how they should respond if they find evidence that a real breach has already occurred.
Limitations - Including what systems or targets the testing firm is permitted to access and where they are not permitted to access.
Problem handling and resolution - Understanding how the testing firm will provide assistance in the case that the testing causes disruption to systems and services.
Passive Reconnaissance
Techniques that gather information about the target without directly interacting with it (for example, public DNS and WHOIS records, job postings, and search engine results).
Active Reconnaissance
Techniques that directly engage the target to gather intelligence:
Port scanning - Identifying open ports and the services listening on them
Footprinting - Identifying the operating systems and applications in use
Vulnerability scanning
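As an added example (not from the flashcards or any scanning product), the following Python performs the first two active reconnaissance steps above: a TCP connect scan, followed by banner grabbing and a crude footprint of each open port from its greeting. A connect scan completes the full TCP handshake with every probed port, so it is noisy and appears in the target's logs; run it only against hosts you are authorized to test under the rules of engagement. The `start_fake_service` listener and its banners are constructed so the example runs offline against the local host.

```python
# Added example (not from the flashcards or any scanning product): a TCP
# connect scan with banner grabbing and banner-based footprinting.
# start_fake_service is a constructed local listener so the example runs offline.
import re
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, Optional, Tuple

BANNER_PATTERNS = [           # crude footprinting from the service greeting
    (re.compile(r"^SSH-\d"), "ssh"),
    (re.compile(r"^220 .*FTP", re.I), "ftp"),
    (re.compile(r"^220 .*(SMTP|ESMTP)", re.I), "smtp"),
    (re.compile(r"^HTTP/"), "http"),
]


def probe(host: str, port: int, timeout: float = 0.5) -> Optional[Tuple[int, str]]:
    """Full TCP connect; returns (port, banner) if open, None if closed or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256).decode("ascii", errors="replace").strip()
            except socket.timeout:
                banner = ""            # open, but the service waits for the client to speak first
            return port, banner
    except OSError:                    # refused, unreachable, or timed out
        return None


def scan(host: str, ports: Iterable[int], workers: int = 64) -> Dict[int, str]:
    """Probe ports concurrently; map each open port to the banner it sent."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: probe(host, p), ports)
    return dict(r for r in results if r is not None)


def fingerprint(banner: str) -> str:
    """Guess the service from its banner; 'unknown' when nothing matches."""
    for pattern, name in BANNER_PATTERNS:
        if pattern.search(banner):
            return name
    return "unknown"


def start_fake_service(banner: bytes) -> int:
    """Constructed stand-in for a real daemon: listens on 127.0.0.1 and sends a banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    ssh_port = start_fake_service(b"SSH-2.0-OpenSSH_9.6\r\n")
    found = scan("127.0.0.1", range(ssh_port - 5, ssh_port + 5))
    for port, banner in sorted(found.items()):
        print(f"{port}/tcp open  {fingerprint(banner):8} {banner!r}")
```

A port that accepts the connection but sends nothing within the timeout is still reported as open with an empty banner; many services (HTTP among them) expect the client to speak first, which is why a banner-only fingerprint is only a first pass.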
War Driving or War Flying
Driving (or flying an unmanned aircraft) near an organization to identify unsecured wireless networks that an attacker could use to gain access.
Penetration Testing Steps
Initial Access - The attacker exploits a vulnerability to gain a foothold on a system.
Privilege Escalation - Using attack techniques to move from that initial access to higher privileges on the system.
Pivoting (Lateral Movement) - The attacker moves from the system where initial access was gained to additional systems within the network.
Persistence - The attacker establishes backdoors and other mechanisms to regain access to the network even if the initial vulnerability is patched.
Major Components of a Security Assessment Program
Security tests
Security assessments
Security audits
Security Tests
Verify that a control is functioning properly.
- Automated scans
- Tool-assisted penetration tests
- Manual attempts to undermine security
Security Testing Factors
- Availability of security testing resources
- Criticality of systems and applications being protected by the controls.
- Sensitivity of information contained on tested systems
- Likelihood of a technical failure of the mechanism implementing the control
- Likelihood of a misconfiguration of the control
- Risk that the system will come under attack
- Rate of change of the control configuration
- Other changes in the technical environment that may affect performance
- Difficulty and time required to perform a control test
- Impact of the test on normal business operations
Security Assessments
Comprehensive reviews of the security of a system, application, or other tested environment. This can be performed by internal staff members or an authorized external third-party.
Security Audit
Comprehensive, impartial, and unbiased review of the security controls of a system, application, or other tested environment, performed by an authorized third party or independent auditors.
Internal Audits
Audits performed by staff members of the organization's own audit team. The reports are intended for internal audiences.
External Audits
Audits performed by an outside auditing firm who serves as an independent third party.
Independent Third-Party Audits
Audits performed by an external firm on behalf of another organization. Example, a regulatory body may have the authority to initiate an audit of a regulated firm under contract or law.
American Institute of Certified Public Accountants (AICPA)
Accounting body that publishes the common standard (the SOC reporting framework) used by auditors performing assessments of service organizations.
Control Objectives for Information and related Technologies (COBIT)
Framework of the common requirements that organizations should have in place surrounding their information systems.
Vulnerability Life Cycle
Identification, Analysis, Response and remediation, Validation of remediation, Reporting
Vulnerability Identification
The first stage, in which the organization becomes aware that a vulnerability exists in its environment. Organizations learn of vulnerabilities through:
- Vulnerability scans of the environment
- Penetration tests of the organization
- Reports from responsible disclosures
- Results of system and process audits
Vulnerability Analysis
The second stage of the life cycle, in which cybersecurity professionals analyze the report of the vulnerability.
Steps for Vulnerability Analysis
- Confirm there is a vulnerability and it is not a false positive
- Prioritize and categorize the vulnerability using tools such as CVSS and CVE
- Supplement the external analysis with the organization's own details for risk assessment: exposure factor, environmental variables, industry and organizational impact, and the organization's risk tolerance.
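As an added example (not from the flashcards), the following Python carries the three analysis steps above through in code: confirmed false positives are dropped, each remaining finding's external CVSS score is adjusted by the organization's own details (asset criticality, Internet exposure, whether a public exploit exists, whether a compensating control is already in place), and the result is ranked and given a remediation SLA or formally accepted under the risk appetite. The weighting factors, SLA bands and acceptance threshold are assumptions for illustration; every organization sets its own. Hosts and CVE numbers are constructed sample data.

```python
# Added example (not from the flashcards): turning raw scan findings into a
# remediation order. The weighting (asset criticality, exposure, public exploit,
# compensating control), the SLA bands and the acceptance threshold are
# assumptions for illustration; each organization sets its own from its risk
# appetite. All hosts and CVE numbers are constructed sample data.
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    host: str
    cve: str
    cvss: float                   # external severity from the feed/scanner
    criticality: int              # asset criticality 1 (low) .. 5 (crown jewel)
    internet_exposed: bool        # exposure factor: reachable from outside?
    exploit_public: bool          # working exploit circulating?
    compensating_control: bool    # e.g. an IPS/WAF signature already blocking it
    false_positive: bool = False  # confirmed not present after analysis


@dataclass
class Decision:
    finding: Finding
    priority: float
    action: str                   # "remediate" or "accept"
    sla_days: int                 # 0 when accepted


def priority_score(f: Finding) -> float:
    """Organization-specific priority derived from the external CVSS score."""
    score = f.cvss * (f.criticality / 5)
    if f.internet_exposed:
        score *= 1.5
    if f.exploit_public:
        score *= 1.25
    if f.compensating_control:
        score *= 0.6
    return round(score, 2)


def triage(findings: List[Finding], accept_below: float = 1.5) -> List[Decision]:
    """Drop false positives, rank the rest, and apply SLA bands or risk acceptance.
    accept_below encodes the risk appetite: residual risk under it is formally
    accepted as an exception rather than remediated."""
    decisions = []
    for f in findings:
        if f.false_positive:
            continue
        p = priority_score(f)
        if p < accept_below:
            decisions.append(Decision(f, p, "accept", 0))
        elif p >= 10:
            decisions.append(Decision(f, p, "remediate", 7))
        elif p >= 5:
            decisions.append(Decision(f, p, "remediate", 30))
        else:
            decisions.append(Decision(f, p, "remediate", 90))
    decisions.sort(key=lambda d: d.priority, reverse=True)
    return decisions


SAMPLE = [  # constructed findings: host, CVE, CVSS, criticality, exposed, exploit, control
    Finding("web01",  "CVE-2099-0001", 9.8, 4, True,  True,  False),
    Finding("db01",   "CVE-2099-0003", 7.5, 5, False, False, False),
    Finding("kiosk7", "CVE-2099-0002", 9.1, 1, False, False, True),
    Finding("web02",  "CVE-2099-0004", 5.3, 3, True,  False, False, false_positive=True),
]

if __name__ == "__main__":
    for d in triage(SAMPLE):
        print(f"{d.priority:6.2f} {d.action:9} SLA={d.sla_days:>2}d {d.finding.host} {d.finding.cve}")
```

Note how the ranking differs from the raw CVSS order: the 9.1 on an isolated, low-value kiosk behind a compensating control falls below the 7.5 on the crown-jewel database and ends up as a documented risk acceptance, while the exposed web server with a public exploit jumps to the top.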
Vulnerability Response and Remediation
Using the outcome of the analysis to identify the vulnerabilities most in need of remediation and to choose how each will be addressed.
Vulnerability Remediation Steps
- Apply a patch or other corrective measure to correct the vulnerability
- Use network segmentation to isolate the affected system so that the probability of an exploit becomes remote.
- Implement other compensating controls, such as application firewalls or intrusion prevention systems, to reduce the likelihood that an attempted exploit will be successful.
- Purchase insurance to transfer the financial risk of the vulnerability to an insurance provider.
- Grant an exception or exemption to the system as part of a formal risk acceptance strategy.
Validation of Remediation
After completion of the remediation, the cybersecurity professionals should perform a validation that the vulnerability is no longer present.
Reporting
Communicating the findings, action taken, and lessons learned to relevant stakeholders within the organization.