CompTIA Security+ Study Guide: CH. 5 // Security Assessment and Testing
how to read CVSS:3.0/AV:N/AC:L/PR:N/UR:N/S:U/C:H/I:N/A:N
"CVSS:3.0" vector composed using CVSS version 3 attack vector: ntework attack complexity: low privileges required: none user interaction: none scope: unchanged confidentiality: high integrity: none availability: none
Rules of Engagement (ROE) key elements
- timeline
- locations, systems, applications, or other potential targets included/excluded
- data handling
- behaviors expected from target
- resources committed to target
- legal concerns
- when and how communications will occur
CVSS score : none
0.0
CVSS score: low
0.1-3.9
SCAP standards include what 6 things
1. common configuration enumeration (CCE)
2. common platform enumeration (CPE)
3. common vulnerabilities and exposures (CVE)
4. common vulnerability scoring system (CVSS)
5. extensible configuration checklist description format (XCCDF)
6. open vulnerability and assessment language (OVAL)
What questions do orgs ask to determine the scanning process?
1. what is the data classification?
2. is the system exposed to the internet or public?
3. what services are offered by the system?
4. is the system a production, test, or development system?
CVSS score: medium
4.0-6.9
CVSS score: high
7.0-8.9
CVSS score: critical
9.0-10
Open Vulnerability and Assessment Language (OVAL)
A language for specifying low-level testing procedures used by checklists
System administrators typically prefer agent-based scanning. True or False?
False; installing agents on servers can cause performance or stability issues that worry admins
CVSS Impact Sub-Score (ISS) calculation
ISS = 1 - [(1 - confidentiality) × (1 - integrity) × (1 - availability)]
Common Platform Enumeration (CPE)
Provides a naming system for describing product names and versions
Common Configuration Enumeration (CCE)
Provides a naming system for system configuration issues.
what is the secure protocol replacement if using FTP
SFTP (secure file transfer protocol)
what is the secure protocol replacement if using telnet
SSH (secure shell)
what is SCAP?
Security Content Automation Protocol (SCAP) allows an organization to use automated vulnerability management and security policy compliance metrics.
Common Vulnerability Scoring System (CVSS)
Standard for measuring and describing the severity of security-related software flaws
Common Vulnerabilities and Exposures (CVE)
Standard names for describing security-related software flaws
Does disabling unnecessary plug-ins improve the speed of scans?
Yes
application scanning static testing
analyzes code without executing it
purple team
at the end of the exercise, the red and blue teams get together to share tactics and lessons learned
What is war driving?
attacker drives by facilities in a car equipped with antennas and attempts to eavesdrop on or connect to wireless networks
red team
attacker team
war flying
attempt to eavesdrop or connect to wireless networks with the use of drones or unmanned aerial vehicles (UAVs)
application scanning interactive testing
combines static and dynamic testing: analyzes source code while testers interact with the application through exposed interfaces
weak configuration issues
default settings, unsecured accounts, unnecessary open ports and services, open permissions
blue team
defender team
application scanning dynamic testing
executes code as part of test using a variety of inputs
CVSS exploitability score calculation
exploitability = 8.22 × AttackVector × AttackComplexity × PrivilegesRequired × UserInteraction
what are 4 controls that might affect scans
firewall settings, network segmentation, intrusion detection systems, intrusion prevention systems
tabletop exercises
participants gather in a room to walk through the response to a fictitious exercise scenario
CVSS attack complexity metric
high, low
CVSS privileges required metric
high, low, none
what does footprinting do?
identify operating systems and applications in use
CVSS impact score calculation
if scope is unchanged: impact = 6.42 × ISS
if scope is changed: impact = 7.52 × (ISS - 0.029) - 3.25 × (ISS - 0.2)^15
Calculating CVSS Base Score
1. if the impact score is 0, the base score is 0
2. if the scope metric is unchanged, base score = impact score + exploitability score
3. if the scope metric is changed, base score = (impact score + exploitability score) × 1.08
4. the highest base score is 10; if the result is over 10, set it to 10
is an external scan run from the system or from the internet?
internet
What is white box testing?
known environment test; tests performed with full knowledge of the network/target, sometimes even with credentials
extensible configuration checklist description format (XCCDF)
language for specifying checklists and reporting checklist results
reconcile scan results with what other data sources
log reviews, security info and event management (SIEM), configuration management systems
should public-facing systems have debug mode on?
no; it is a vulnerability and should only be used on private networks
CVSS availability metric
none, low, high
CVSS confidentiality metric
none, low, high
CVSS integrity metric
none, low, high
CVSS user interaction metric
none, required
white team
observers and judges
What is gray box testing?
partially known environment test; blend of white and black box testing. Some info on the environment but not full access, credentials, etc.
CVSS attack vector metric
physical (P), local (L), adjacent network (A), network (N)
Vulnerability scanners can only be effective if they receive frequent updates to their ______________
plug-ins
influential factors in how an org decides to conduct vulnerability scans
risk appetite, regulatory requirements, technical constraints, business constraints, licensing limitations
application testing uses what techniques
static testing, dynamic testing, interactive testing
four of the most common vulnerability scanners
Tenable's Nessus, Qualys's vulnerability scanner, Rapid7's Nexpose, OpenVAS
What 2 important choices do you have to make when choosing encryption?
the algorithm to use to perform encryption and decryption, and the encryption key
capture the flag
training event where the red team is judged on meeting a set of objectives
CVSS scope metric
unchanged, changed
What is black box testing?
unknown environment test; replicates what an attacker would see. No initial access to or info on the target network
In a scan, each plug-in performs a check for a specific ___________
vulnerability
What is scan perspective?
where on the network the scanner is located when the scan is run
What are the 3 types of penetration tests?
white-box, black-box, gray-box
do vulnerability scanners alert on debug mode?
yes; because of the detailed info on apps, servers, and databases it exposes, attackers can use that info