Chapter 5
20: Name the three teams that participate in a cybersecurity exercise and explain their functions.
20: Red team, blue team, and white team
• Red team members are the attackers who attempt to gain access to systems.
• Blue team members are the defenders who must secure systems and networks from attack.
• White team members are the observers and judges.
2: Give some examples of controls that might affect scan results.
2: Firewall settings, network segmentation, intrusion detection systems (IDS), and intrusion prevention systems (IPS)
3: Name all three techniques used by application testing and explain their differences.
3: Static testing, dynamic testing, and interactive testing. Static testing analyzes code without executing it. Dynamic testing executes code as part of the test, running all the interfaces that the code exposes to the user with a variety of inputs, searching for vulnerabilities. Interactive testing combines static and dynamic testing, analyzing the source code while testers interact with the application through exposed interfaces.
7: Please interpret the following CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7:
• Attack Vector: Network (score: 0.85)
• Attack Complexity: Low (score: 0.77)
• Privileges Required: None (score: 0.85)
• User Interaction: None (score: 0.85)
• Scope: Unchanged
• Confidentiality: High (score: 0.56)
• Integrity: None (score: 0.00)
• Availability: None (score: 0.00)
8: What is the function to calculate the impact sub-score?
8: ISS = 1 - [(1 - Confidentiality) × (1 - Integrity) × (1 - Availability)]
9: How do you calculate the impact score for a vulnerability under CVSS?
9: Impact score = the value of the scope metric × ISS
10: How do you calculate the exploitability score for a vulnerability under CVSS?
10: Exploitability = 8.22 × AttackVector × AttackComplexity × PrivilegesRequired × UserInteraction
11: How do you calculate the CVSS base score for a vulnerability?
11:
• If the impact is 0, the base score is 0.
• If the scope metric is Unchanged, calculate the base score by adding together the impact and exploitability scores.
• If the scope metric is Changed, calculate the base score by adding together the impact and exploitability scores and multiplying the result by 1.08.
• The highest possible base score is 10. If the calculated value is greater than 10, set the base score to 10.
15: Name two choices you need to make when you implement encryption.
15:
• The algorithm to use to perform encryption and decryption
• The encryption key to use with that algorithm
12: Explain true positive, false positive, true negative, and false negative.
12: When a vulnerability scanner reports a vulnerability, this is known as a positive report. This report may either be accurate (a true positive report) or inaccurate (a false positive report). Similarly, when a scanner reports that a vulnerability is not present, this is a negative report. The negative report may either be accurate (a true negative report) or inaccurate (a false negative report).
13: Give three valuable information sources for reconciling scan results.
13:
• Log reviews from servers, applications, network devices, and other sources that might contain information about possible attempts to exploit detected vulnerabilities
• Security information and event management (SIEM) systems that correlate log entries from multiple sources and provide actionable intelligence
• Configuration management systems that provide information on the operating system and applications installed on a system
14: Give some examples of weak configurations.
14:
• The use of default settings that pose a security risk
• The presence of unsecured accounts, including both normal user accounts and unsecured root accounts with administrative privileges
• Open ports and services that are not necessary to support normal system operations
• Open permissions that allow users access which violates the principle of least privilege
16: What are the benefits of penetration testing?
16:
1. Penetration testing provides us with knowledge that we can't obtain elsewhere.
2. In the event that attackers are successful, penetration testing provides us with an important blueprint for remediation.
3. Penetration tests can provide us with essential, focused information on specific attack targets.
17: What are three typical classifications that are used to describe penetration test types?
17: White box, black box, gray box
18: List at least three key elements of the rules of engagement for a penetration test.
18:
• The timeline for the engagement and when testing can be conducted
• What locations, systems, applications, or other potential targets are included or excluded
• Data handling requirements for information gathered during the penetration test
• What behaviors to expect from the target
• What resources are committed to the test
• Legal concerns should also be addressed, including a review of the laws that cover the target organization, any remote locations, and any service providers who will be in-scope
• When and how communications will occur
19: Identify four key phases of a penetration test.
19: Initial access, privilege escalation, pivoting (lateral movement), and persistence
1: Name five factors that influence how often an organization decides to conduct vulnerability scans against its systems.
1: Risk appetite, regulatory requirements, technical constraints, business constraints, and licensing limitations
4: What information does the output section provide on the report?
4: The output section of the report shows the detailed information returned by the remote system when probed for the vulnerability.
5: What information does the port/hosts section provide on the report?
5: The port/hosts section provides details on the server(s) that contain the vulnerability as well as the specific services on that server that have the vulnerability.
6: List all eight CVSS metrics and describe what kinds of measurements they evaluate.
6: Eight metrics: attack vector metric, attack complexity metric, privileges required metric, user interaction metric, confidentiality metric, integrity metric, availability metric, and scope metric. The first four measures evaluate the exploitability of the vulnerability, whereas the next three evaluate the impact of the vulnerability. The eighth metric discusses the scope of the vulnerability.