Topic 8C Flashcards

1
Q

Vulnerability scanning tools

A

OpenVAS and Nessus are popular tools offering a broad range of features designed to analyze network equipment, operating systems, databases, patch compliance, configuration, and many other systems.

While these tools are very effective, application security analysis warrants much more specialized approaches.

2
Q

non-credentialed scan

A

one that proceeds by directing test packets at a host without being logged on to the OS or application. The view is the one the host exposes to an unprivileged user on the network.

The test routines may be able to include things such as using default passwords for service accounts and device management interfaces, but they are not given privileged access.

3
Q

credentialed scan

A

given a user account with login rights to various hosts, plus whatever other permissions are appropriate for the testing routines. This sort of test allows much more in-depth analysis, especially in detecting when applications or security settings may be misconfigured.

It shows what an insider attack, or an attack with a compromised user account, may be able to achieve.

4
Q

static analysis

A

(reviewing application code without executing it)

5
Q

dynamic analysis

A

(testing running applications)

6
Q

Is application scanning usually handled with general vulnerability scans?

A

No, it is handled differently due to the unique nature of software applications and the specific types of vulnerabilities they introduce. General vulnerability scanning is designed to detect system-wide or network-wide weaknesses, such as out-of-date software or misconfigured firewalls.

Application vulnerability scanning evaluates the coding and behavior of individual software applications. It looks for issues like cross-site scripting (XSS), SQL injection, and insecure direct object references that are unique to software applications.

7
Q

package monitoring

A

associated with vulnerability identification because it tracks and assesses the security of third-party software packages, libraries, and dependencies used within an organization to ensure that they are up to date and free from known vulnerabilities that malicious actors could exploit.

It is also associated with the management of a software bill of materials (SBOM) and with software supply chain risk management practices.

8
Q

Automated software composition analysis (SCA) tools

A

track and monitor the software packages, libraries, and dependencies used in an organization’s codebase. These tools can automatically identify outdated packages or packages with known vulnerabilities and suggest updates or replacements.

They work by continuously comparing the organization’s software inventory against various databases of known vulnerabilities, such as the National Vulnerability Database (NVD) or vendor-specific advisories.

9
Q

threat feeds

A

These are real-time, continuously updated sources of information about potential threats and vulnerabilities, often gathered from multiple sources.

AlienVault’s Open Threat Exchange (OTX), IBM’s X-Force Exchange, and Recorded Future are examples.

10
Q

the outputs from the primary research undertaken by threat data feed providers and academics can take three main forms:

A

Behavioral Threat Research—is narrative commentary describing examples of attacks and TTPs gathered through primary research sources.

Reputational threat intelligence—is lists of IP addresses and domains associated with malicious behavior, plus signatures of known file-based malware.

Threat Data—is computer data that can correlate events observed on a customer’s own networks and logs with known TTP and threat actor indicators.

11
Q

cyber threat intelligence (CTI) data

A

Threat data can be packaged as feeds that integrate with a security information and event management (SIEM) platform.

The data on its own is not a complete security solution. To produce actionable intelligence, the threat data must be correlated with observed data from customer networks. This type of analysis is often powered by artificial intelligence (AI) features of the SIEM.

12
Q

Closed/proprietary

A

is where threat research and CTI data is available as a paid subscription to a commercial threat intelligence platform. The security solution provider will also make the most valuable research available early to platform subscribers in the form of blogs, white papers, and webinars.

13
Q

Threat feed information-sharing organizations

A

are collaborative groups that exchange data about emerging cybersecurity threats and vulnerabilities. These organizations collect, analyze, and disseminate threat intelligence from various sources, including their members, security researchers, and public sources.

14
Q

Information Sharing and Analysis Centers (ISACs)

A

A not-for-profit group set up to share sector-specific threat intelligence and security best practices among its members. An ISAC is also a threat feed information-sharing organization.

15
Q

Open-source intelligence (OSINT)

A

describes collecting and analyzing publicly available information and using it to support decision-making.

In cybersecurity operations, OSINT is used to identify vulnerabilities and threat information by gathering data from many sources such as blogs, forums, social media platforms, and even the dark web.

16
Q

The deep web and dark web

A

The deep web is any part of the World Wide Web that is not indexed by a search engine. This includes pages that require registration, pages that block search indexing, unlinked pages, pages using nonstandard DNS, and content encoded in a nonstandard manner. Within the deep web are areas that are deliberately concealed from “regular” browser access.

Dark Net—is a network established as an overlay to Internet infrastructure by software, such as The Onion Router (TOR), Freenet, or I2P, that acts to anonymize usage and prevent a third party from knowing about the existence of the network or analyzing any activity taking place over the network. Onion routing, for instance, uses multiple layers of encryption and relays between nodes to achieve this anonymity.

Dark Web—is sites, content, and services accessible only over a dark net. While there are dark web search engines, many sites are hidden from them. Access to a dark web site via its URL is often only available via “word of mouth” bulletin boards.

17
Q

dark web legitimate purposes

A

Privacy and Anonymity—The dark web provides a platform for enhanced privacy and anonymity

Access to Censored Information—In countries with strict Internet censorship, the dark web can be an avenue for accessing information that is otherwise blocked or restricted.

Research and Information Sharing—Some academic researchers or cybersecurity professionals may explore the dark web to gain insights into criminal activities and analyze emerging threats to improve cybersecurity operations.

18
Q

Penetration testing

A

involves human ingenuity and creativity, which allows for discovering complex vulnerabilities that automated tools often miss.

Vulnerabilities introduced by the application’s design and implementation, rather than by coding errors, can often go unnoticed by automated scanners.

Penetration testers can manipulate an application’s functionality to perform actions in ways not intended by its developers, leading to exploitation.

19
Q

Unknown environment testing

A

previously known as black box, is when the consultant/attacker has no privileged information about the network and its security systems. This type of test requires the consultant/attacker to perform an extensive reconnaissance phase.

20
Q

Known environment testing

A

previously known as white box, is when the consultant/attacker has complete access to information about the network. These tests are useful for simulating the behavior of a privileged insider threat.

21
Q

Partially known environment testing

A

previously known as gray box, is when the consultant/attacker has some information. This type of test requires partial reconnaissance on the part of the consultant/attacker.

22
Q

Bug bounty

A

Another proactive strategy, describing when organizations incentivize the discovery and reporting of vulnerabilities by offering rewards to external security researchers or “white hat” hackers. Both penetration testing and bug bounty programs are proactive cybersecurity practices to identify and mitigate vulnerabilities in a system or application.

Bug bounty programs open the testing process to a global community of independent security researchers.

23
Q

Responsible disclosure programs

A

are established by organizations to encourage individuals to report security vulnerabilities in software or systems, allowing the organization to address and fix these vulnerabilities before they can be exploited maliciously.

Often offer rewards.

24
Q

system/process audits

A

interrogate the wider use and deployment of products, including supply chain, configuration, support, monitoring, and cybersecurity.

Security audits assess an organization’s security controls, policies, and procedures, often using standards like ISO 27001 or the NIST Cybersecurity Framework as benchmarks.

25
Q

Payment Card Industry Data Security Standard (PCI DSS)

A

mandates annual and proactive penetration tests for organizations handling cardholder data.
