3200 Chapter 11 - Security Assessments
Rules of engagement
A document that defines exactly how the penetration test will be carried out.
Common Vulnerabilities and Exposures (CVE)
A list of standardized identifiers for known software vulnerabilities and exposures.
Threat feed
A service that tracks cyber threats across the world and provides real-time updates with IP addresses, URLs, and other relevant information regarding the threats.
Security Orchestration, Automation and Response
A solution stack of compatible software programs that collect data about security threats from multiple sources and respond to low-level security events without human assistance.
Common Vulnerability Scoring System
A system that ranks vulnerabilities based on severity.
Scope of work
A very detailed document that defines exactly what is going to be included in the penetration test. This document is also referred to as the statement of work.
Advisories and bulletins
Advisories and bulletins provide detailed updates on cyber threats. They are usually updated weekly.
Reconnaissance
Also known as footprinting. This is the process of gathering information about a target before beginning any penetration test or security audit.
Heuristic-based detection
Also referred to as behavior, anomaly, or statistical-based detection. This detection method first defines a baseline of normal network traffic and then monitors traffic looking for anything that falls outside that baseline.
Signature-based detection
Also referred to as pattern matching, dictionary recognition, or misuse-detection (MD-IDS). This detection method looks for patterns in network traffic and compares them to known attack patterns called signatures.
You are concerned about protecting your network from network-based attacks on the internet. Specifically, you are concerned about attacks that have not yet been identified or that do not have prescribed protections. Which type of device should you use?
Anomaly-based IDS
What is the most common form of host-based IDS that employs signature or pattern-matching detection methods?
Antivirus software
Open-Source Intelligence (OSINT)
Any data that is collected from publicly available sources such as social media, search engines, company websites, media sources, or public government sources.
Which of the following activities are typically associated with a penetration test?
Attempt social engineering.
You have been hired as part of the team that manages an organization's network defense. Which security team are you working on?
Blue
____ team members are the defense of the system. This team is responsible for stopping the red team's advances.
Blue
As part of a special program, you have discovered a vulnerability in an organization's website and reported it to the organization. Because of the severity, you are paid a good amount of money. Which type of penetration test are you performing?
Bug bounty
What does an IDS that uses signature recognition use to identify attacks?
Comparisons to known attack patterns
____ and ____ are two common command line programs that can be used to download or upload files. An example of using these tools is to download an entire website for offline analysis. Because these tools actively engage with the target, they are considered active reconnaissance tools.
Curl, wget
Intrusion detection system
Device or software that monitors, logs, and detects security breaches, but takes no action to stop or prevent the attack.
Intrusion prevention system
Device that monitors, logs, detects, and can also react to stop or prevent security breaches.
____ is a program that performs DNS enumeration and can find the DNS servers and entries for an organization. This information can help find other information such as usernames, computer names, IP addresses, and more.
Dnsenum
As a security precaution, you have implemented IPsec that is used between any two devices on your network. IPsec provides encryption for traffic between devices. You would like to implement a solution that can scan the contents of the encrypted traffic to prevent any malicious attacks. Which solution should you implement?
Host-based IDS
____ is a security tool that can check connectivity and also analyze the target to gather information.
Hping
Engine
IDS component that analyzes sensor data and events, generates alerts, and logs all activity.
Sensor
IDS component that passes data from the source to the analyzer.
____ are special tools that allow a network administrator to scan the entire network to find all connected devices and their IP addresses.
IP scanners
You are concerned about attacks directed at your network firewall. You want to be able to identify and be notified of any attacks. In addition, you want the system to take immediate action to stop or prevent the attack, if possible. Which tool should you use?
IPS
Your organization uses a web server to host an e-commerce site. Because this web server handles financial transactions, you are concerned that it could become a prime target for exploits. You want to implement a network security control that analyzes the contents of each packet going to or from the web server. The security control must be able to identify malicious payloads and block them. What should you do?
Implement an application-aware IPS in front of the web server
Which of the following describes a false positive when using an IPS device?
Legitimate traffic being flagged as malicious
Which step in the penetration testing life cycle is accomplished using rootkits or Trojan horse programs?
Maintain access
You want to use a tool to scan a system for vulnerabilities, including open ports, running services, and missing patches. Which tool should you use?
Nessus
____ is a proprietary vulnerability scanner that is developed by Tenable. It can be used to scan the target for any known vulnerabilities, which can be exploited to gain access to the target.
Nessus
You want to identify all devices on a network along with a list of open ports on those devices. You want the results displayed in a graphical diagram. Which tool should you use?
Network mapper
Gathering as much personally identifiable information (PII) on a target as possible is a goal of which reconnaissance method?
OSINT
The ____ framework is a collection of resources and tools that are separated by common categories. The OSINT Framework makes it easy to gather all sorts of information, making the initial reconnaissance process much more efficient.
OSINT
Which type of reconnaissance is dumpster diving?
Passive
Black box test
Penetration test in which the ethical hacker has no information regarding the target or network. This type of test best simulates an outside attack and ignores the insider threats.
White box test
Penetration test in which the ethical hacker is given full knowledge of the target or network. This test allows for a comprehensive and thorough test, but is not very realistic.
Gray box test
Penetration test in which the ethical hacker is given partial information of the target or network, such as IP configurations, email lists, etc. This test simulates the insider threat.
Which of the following uses hacking techniques to proactively discover internal vulnerabilities?
Penetration testing
An active IDS system often performs which of the following actions? (Select two.)
Performs reverse lookups to identify an intruder; updates filters to block suspect traffic.
____ is a command line tool that is used to perform a connection test between two network devices.
Ping
Which phase or step of a security assessment is a passive activity?
Reconnaissance
False negative
Scan results that indicate no vulnerability when a vulnerability exists.
False positive
Scan results that indicate a vulnerability, but there is none.
Which of the following is a very detailed document that defines exactly what is going to be included in the penetration test?
Scope of work
Which of the following tools can be used to see if a target has any online IoT devices without proper security?
Shodan
____ is a popular search engine for internet-connected devices. Users are able to search for specific types of devices and locations. This information can be used to see if a target has any online devices without proper security.
Shodan
Which IDS method searches for intrusion or attack attempts by recognizing patterns or identifying entities listed in a database?
Signature-based IDS
____ is an automated scanner that can be used to enumerate and scan for vulnerabilities. It combines the functions of many tools and can be used to find information such as DNS information, open ports, running services, and more.
Sn1per
IP scanners
Special tools that allow a network administrator to scan the entire network to find all connected devices and their IP addresses.
Security information and event management
Special tools that gather network information and aggregate it into a central place. SIEM systems can actively read the network information and determine if there is a threat.
What is the primary purpose of penetration testing?
Test the effectiveness of your security perimeter.
Packet sniffing
The act of capturing data packets transmitted across the network and analyzing them for important information.
Eavesdropping
The act of covertly listening in on a communication between other people.
War driving
The act of driving around with a wireless device looking for open vulnerable wireless networks.
War flying
The act of using drones or unmanned aerial vehicles to find open wireless networks.
Threat hunting
The human-based, methodical search and monitoring of the network, systems, and software in order to detect any malicious or suspicious activity that has evaded the automated tools.
Vulnerability scan
The process of capturing and analyzing packets to identify any security weaknesses in a network, computer system, local applications, and even web applications.
Passive reconnaissance
The process of gathering information by interacting with the target in some manner.
Intelligence fusion
The sharing of information between multiple government agencies and private security firms.
Which of the following describes the worst possible action by an IDS?
The system identified harmful traffic as harmless and allowed it to pass without generating any alerts.
Bug bounty
These unique tests are set up by organizations such as Google, Facebook, and others. Ethical hackers can receive compensation by reporting bugs and vulnerabilities they discover.
The process of walking around an office building with an 802.11 signal detector is known as:
War driving
You have been promoted to team lead of one of the security operations teams. Which security team are you now a part of?
White
You have been hired to perform a penetration test for an organization. You are given full knowledge of the network before the test begins. Which type of penetration test are you performing?
White box
An ____, also called an IPS, performs the functions of an IDS but can also react when security breaches occur.
active IDS
The ____ command is used in both Windows and Linux. ARP stands for Address Resolution Protocol and is used to match IP addresses to MAC addresses.
arp
The ipconfig command (Windows) and the ifconfig command (Linux) are used to display the IP ____ on the local computer.
configuration
In a ____ scan, the scanner uses an administrator or other account's credentials to perform the scan. This method shows a deeper look at the network and is able to identify more vulnerabilities than a non-credentialed scan.
credentialed
Which of the following tools can be used to view and modify DNS server information in Linux?
dig
The third phase takes all of the information gathered in the reconnaissance and scanning phases to ____ any discovered vulnerabilities in order to gain access. After gaining access, the pentester can perform lateral moves, pivoting to other machines on the network. The pentester will begin trying to escalate privileges with the goal of gaining administrator access.
exploit
A ____ traffic assessment means that harmful traffic was allowed to pass without any alerts being generated or any actions being taken to prevent or stop it. This is the worst possible scenario.
false negative
A ____ traffic assessment means that the system identified harmless traffic as offensive and generated an alarm or stopped the traffic.
false positive
A ____ scan finds a potential vulnerability and then actively attempts to exploit it. This leads to more accurate results but cannot be done on a live system.
intrusive
Once the pentester has gained access, ____ that access becomes the next priority. This can be done by installing backdoors, rootkits, or Trojans.
maintaining
A ____ traffic assessment means that the system deemed the traffic harmless and let it pass.
negative
The ____ security tool can read and write data across both TCP and UDP network connections. It opens a TCP connection between two devices and can be used to send packets, scan for open ports, and listen in on connections to specific ports.
netcat
Use the ____ command to display a variety of network statistics in both Windows and Linux.
netstat
The ____ utility is a network security scanner.
nmap
You need to enumerate the devices on your network and display the network's configuration details. Which of the following utilities should you use?
nmap
With a ____ scan, the security administrator does not authenticate to the system prior to running the scan. This scan shows open ports, protocols, and services that are exposed on a host system. This shows vulnerabilities that an outside attacker might be able to take advantage of.
non-credentialed
A ____ scan is the more common type of scan performed. This method scans the network and lists all potential vulnerabilities but is unable to validate if the system is vulnerable. This type of scan is able to be performed on live systems and requires the network defender to take additional actions.
non-intrusive
The ____ and dig commands are used to view and modify DNS settings. These tools can be used to look up DNS server information and also give IP addresses and domain names for a network server.
nslookup
The ____ Windows command line tool combines the tracert and ping tools.
pathping
You need to check network connectivity from your computer to a remote computer. Which of the following tools would be the BEST option to use?
ping
A ____ traffic assessment means that the system detected an attack and the appropriate alarms and notifications were generated or the correct actions were performed to prevent or stop the attack.
positive
Members of the ____ team work on both offense and defense. This team is a combination of the red and blue teams.
purple
The first phase in the pentesting process is ____, also known as footprinting. In this phase, the pentester begins gathering information on the target. This can include gathering publicly available information, using social engineering techniques, or even dumpster diving.
reconnaissance
The ____ team members are the ethical hackers. This team is responsible for performing the penetration tests.
red
The ____ command is used in both Windows and Linux to show the routing table and to make manual changes to the table.
route
____ is used for port scanning. Instead of scanning ports from the hacker machine, it uses exploitation websites to perform port scans. This means the attacker is able to maintain anonymity while scanning the target.
scanless
Running ____ on the target is the second phase. During this phase, the ethical hacker is actively engaged with the target. Enumeration is part of the scanning phase. Enumeration uses scanning techniques to extract information such as usernames, computer names, network resources, share names, and running services.
scans
The final phase is generating the ____ and supporting documentation. After any penetration test, a detailed report must be compiled. Documentation provides extremely important protection for both the penetration tester and the organization.
test results
Which passive reconnaissance tool is used to gather information from a variety of public sources?
theHarvester
____ is a passive reconnaissance tool that is used to gather information from a variety of public sources. The tool gathers emails, names, subdomains, IPs, and URLs using multiple public data sources. These sources include search engines, social media sites, and Shodan.
theHarvester
The ____ tool shows the path a packet takes to reach its destination. Every device the packet passes through is known as a hop.
tracert
The ____ team members are the referees of cybersecurity. This team is responsible for managing the engagement between the red and blue teams. This group typically consists of the managers or team leads.
white