Module 3 - Assets Threats & Vulnerabilities (5) - Google Cybersecurity Certificate


State Actors

Are government intelligence agencies.

External vs Internal

External and internal scans simulate an attacker's approach. External scans test the perimeter layer outside of the internal network. They analyze outward-facing systems, like websites and firewalls. These kinds of scans can uncover exposed network ports or unpatched, publicly reachable servers. Internal scans start from the opposite end by examining an organization's internal systems. For example, this type of scan might analyze application software for weaknesses in how it handles user input.

Server-side Request Forgery

Companies have public and private information stored on web servers. When you use a hyperlink or click a button on a website, a request is sent to a server that should validate who you are, fetch the appropriate data, and then return it to you. Server-side request forgeries (SSRFs) occur when attackers manipulate the normal operations of a server so that it makes requests on their behalf, reading or updating resources that the attacker cannot reach directly (internal services, other hosts on the server's network, or the server itself). These are possible when an application on the server fetches URLs or other resources supplied by the user without validating them. The vulnerable app carries the attacker's request to the host server, which then fetches unauthorized data.

Broken Access Control

Access controls limit what users can do in a web application. For example, a blog might allow visitors to post comments on a recent article but restricts them from deleting the article entirely. Failures in these mechanisms can lead to unauthorized information disclosure, modification, or destruction. They can also give someone unauthorized access to other business applications.
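An added example, not from the course or this page, built around the blog scenario above: a delete handler with no authorization check beside one that authorizes against the specific article. The roles, permission table and in-memory store are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    role: str            # constructed roles: "visitor", "author", "admin"


@dataclass
class Article:
    id: int
    owner: str
    comments: list = field(default_factory=list)


class Forbidden(Exception):
    """Raised when a caller lacks permission for the requested action."""


# Capability table, constructed for this example. Anything not listed is denied.
PERMISSIONS = {
    "visitor": {"read", "comment"},
    "author":  {"read", "comment", "edit_own", "delete_own"},
    "admin":   {"read", "comment", "edit_any", "delete_any"},
}


def can(user: User, action: str, article: Article) -> bool:
    """Object-level authorization: the decision depends on the user's role AND on the
    relationship between the user and this particular article (owner or not)."""
    perms = PERMISSIONS.get(user.role, set())        # unknown role -> no permissions
    if action in ("read", "comment"):
        return action in perms
    if action in ("edit", "delete"):
        if f"{action}_any" in perms:
            return True
        return f"{action}_own" in perms and article.owner == user.name
    return False                                      # unknown action -> denied


def delete_article_vulnerable(store: dict, article_id: int, user: User) -> bool:
    """Broken access control: the handler trusts that the UI hid the delete button
    from visitors and never checks authorization itself. Any caller who can reach
    the endpoint (e.g. by crafting the request by hand) deletes the article."""
    store.pop(article_id)
    return True


def delete_article(store: dict, article_id: int, user: User) -> bool:
    """Hardened handler: look the object up first, then authorize against that object."""
    article = store.get(article_id)
    if article is None:
        raise KeyError(article_id)
    if not can(user, "delete", article):
        raise Forbidden(f"{user.name} ({user.role}) may not delete article {article_id}")
    store.pop(article_id)
    return True


def add_comment(store: dict, article_id: int, user: User, text: str) -> int:
    """Visitors may comment; returns the new comment count."""
    article = store[article_id]
    if not can(user, "comment", article):
        raise Forbidden(f"{user.name} ({user.role}) may not comment")
    article.comments.append((user.name, text))
    return len(article.comments)


if __name__ == "__main__":
    store = {1: Article(1, "alice"), 2: Article(2, "bob")}
    print("comments:", add_comment(store, 1, User("eve", "visitor"), "nice post"))
    try:
        delete_article(store, 1, User("eve", "visitor"))
    except Forbidden as err:
        print("denied:", err)
    print("owner delete:", delete_article(store, 1, User("alice", "author")))
```

The important design point is that the check happens server-side, per object, on every request; hiding a button in the UI is not an access control.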

Attack Surface

All the potential vulnerabilities that a threat actor could exploit.

Zero-Day

An exploit for a vulnerability that was previously unknown to the vendor and to defenders, so no patch or signature exists yet.

Common Vulnerabilities and Exposures List (CVE List)

An openly accessible dictionary of known vulnerabilities and exposures.

CVE Numbering Authority (CNA)

An organization that volunteers to analyze and distribute information on eligible CVEs.

Threat Actor

Any person or group who presents a security risk. This broad definition refers to people inside and outside an organization. It also includes individuals who intentionally pose a threat, and those that accidentally put assets at risk.

Hacker

Any person who uses computers to gain access to computer systems, networks, or data. Similar to the term threat actor, hacker is also an umbrella term. When used alone, the term fails to capture a threat actor's intentions. Types of hackers:
- Unauthorized hackers - An unauthorized hacker, or unethical hacker, is an individual who uses their programming skills to commit crimes.
- Authorized, or ethical, hackers - Individuals who use their programming skills to improve an organization's overall security.
- Semi-authorized hackers - Individuals who might violate ethical standards, but are not considered malicious. For example, a hacktivist is a person who might use their skills to achieve a political goal. One might exploit security vulnerabilities of a public utility company to spread awareness of their existence.

Insecure Design

Applications should be designed in such a way that makes them resilient to attack. When they aren't, they're much more vulnerable to threats like injection attacks or malware infections. Insecure design refers to a wide range of missing or poorly implemented security controls that should have been programmed into an application when it was being developed.

Authenticated vs. Unauthenticated

Authenticated and unauthenticated scans simulate whether or not a user has access to a system. Authenticated scans test a system by logging in with a real user account or even with an admin account; these test accounts are used to check for vulnerabilities such as broken access controls. Unauthenticated scans simulate external threat actors who do not have access to your business resources. For example, a scan might probe file shares within the organization that are used to house internal-only documents. An unauthenticated user should receive an "access denied" result when trying to open these files; if the scan can read a file without logging in, that is a vulnerability.

Vulnerability Assessment Process

1. Identification
2. Vulnerability analysis
3. Risk assessment
4. Remediation

Identification and Authentication Failures

Identification is the keyword in this vulnerability category. When applications fail to recognize who should have access and what they're authorized to do, it can lead to serious problems. For example, a home Wi-Fi router normally uses a simple login form to keep unwanted guests off the network. If this defense fails, an attacker can invade the homeowner's privacy.

Steps of Practicing an Attacker Mindset

1. Identify a target
2. Determine how the target can be accessed
3. Evaluate attack vectors that can be exploited
4. Find the tools and methods of attack

Security Logging and Monitoring Failures

In security, it's important to be able to log events and trace them back. Having a record of events like user login attempts is critical to finding and fixing problems. Sufficient monitoring and incident response are equally important: a log nobody reads, or an alert nobody acts on, does not stop an attack in progress.
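An added example, not from the course or this page, of the monitoring half of this category: a small detector run over constructed sshd-style log lines that flags a source address after repeated login failures in a short window, and again if that source then logs in successfully. The log format, hosts and addresses are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an sshd-like format (not from a real system).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host1 sshd[811]: Accepted password for alice from 192.0.2.10 port 40212
2024-05-01T10:00:05Z host1 sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 51234
2024-05-01T10:00:09Z host1 sshd[813]: Failed password for root from 203.0.113.5 port 51236
2024-05-01T10:00:12Z host1 sshd[814]: Failed password for bob from 203.0.113.5 port 51240
2024-05-01T10:00:15Z host1 sshd[815]: Failed password for bob from 203.0.113.5 port 51244
2024-05-01T10:00:20Z host1 sshd[816]: Failed password for bob from 203.0.113.5 port 51250
2024-05-01T10:00:41Z host1 sshd[817]: Accepted password for bob from 203.0.113.5 port 51260
2024-05-01T10:02:00Z host1 sshd[818]: Failed password for carol from 198.51.100.7 port 60001
2024-05-01T10:09:30Z host1 sshd[819]: Failed password for carol from 198.51.100.7 port 60002
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_event(line: str):
    """Return a dict for a login event, or None for lines that are not login events."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_auth_abuse(lines, threshold: int = 5, window_seconds: int = 60):
    """Sliding-window detector. Alerts once per source when `threshold` failures fall
    inside `window_seconds`, and raises a second alert if that source then succeeds
    (a password guessed or sprayed correctly is the outcome defenders care about)."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)       # src -> timestamps of failures still in window
    brute_forced = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:   # drop failures that aged out
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in brute_forced:
                brute_forced.add(ev["src"])
                alerts.append({"type": "brute_force", "source": ev["src"],
                               "count": len(q), "at": ev["ts"]})
        else:                                    # Accepted
            if q:
                alerts.append({"type": "success_after_failures", "source": ev["src"],
                               "user": ev["user"], "failures": len(q), "at": ev["ts"]})
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_auth_abuse(SAMPLE_LOG.splitlines()):
        print(alert)
```

Two failures ten minutes apart from 198.51.100.7 never trip the detector, which is the point of a window: the threshold is about rate, not lifetime totals. In production the threshold and window would be tuned against the organization's baseline, and the alert would feed a ticket or a block, not just a print statement.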

CVE List Criteria

- Independent of other issues
- Recognized as a potential security risk
- Submitted with supporting evidence
- Only affects one codebase

Cryptographic Failures

Information is one of the most important assets businesses need to protect. Privacy laws such as General Data Protection Regulation (GDPR) require sensitive data to be protected by effective encryption methods. Vulnerabilities can occur when businesses fail to encrypt things like personally identifiable information (PII). For example, if a web application uses a weak hashing algorithm, like MD5, it's more at risk of suffering a data breach.

Information vs Intelligence

Information refers to the collection of raw data or facts about a specific subject. Intelligence, on the other hand, refers to the analysis of information to produce knowledge or insights that can be used to support decision-making. For example, new information might be released about an update to the operating system (OS) that's installed on your organization's workstations. Later, you might find that new cyber threats have been linked to this new update by researching multiple cybersecurity news resources. The analysis of this information can be used as intelligence to guide your organization's decision about installing the OS updates on employee workstations. In other words, intelligence is derived from information through the process of analysis, interpretation, and integration. Gathering information and intelligence are both important aspects of cybersecurity.

Injection

Injection occurs when malicious code is inserted into a vulnerable application. Although the app appears to work normally, it does things that it wasn't intended to do. Injection attacks can give threat actors a backdoor into an organization's information system. A common target is a website's login form. When these forms are vulnerable to injection, attackers can insert malicious code that gives them access to modify or steal user credentials.

Limited vs Comprehensive

Limited and comprehensive scans focus on particular devices that are accessed by internal and external users. Limited scans analyze particular devices on a network, like searching for misconfigurations on a firewall. Comprehensive scans analyze all devices connected to a network. This includes operating systems, user databases, and more. Pro tip: Discovery scanning should be done prior to limited or comprehensive scans. Discovery scanning is used to get an idea of the computers, devices, and open ports that are on a network.

OSINT (Open Source Intelligence)

OSINT is the collection and analysis of information from publicly available sources to generate usable intelligence. It's commonly used to support cybersecurity activities, like identifying potential threats and vulnerabilities.

Intelligence Improves Decision Making

OSINT plays a significant role in information security (InfoSec), which is the practice of keeping data in all states away from unauthorized users. For example, a company's InfoSec team is responsible for protecting their network from potential threats. They might utilize OSINT to monitor online forums and hacker communities for discussions about emerging vulnerabilities. If they come across a forum post discussing a newly discovered weakness in a popular software that the company uses, the team can quickly assess the risk, prioritize patching efforts, and implement necessary safeguards to prevent an attack. Here are some of the ways OSINT can be used to generate intelligence:
- To provide insights into cyber attacks
- To detect potential data exposures
- To evaluate existing defenses
- To identify unknown vulnerabilities
Collecting intelligence is sometimes part of the vulnerability management process. Security teams might use OSINT to develop profiles of potential targets and make data-driven decisions on improving their defenses.

Simulating Threats

One method of applying an attacker mindset is using attack simulations. These activities are normally performed in one of two ways: proactively and reactively. Both approaches share a common goal, which is to make systems safer. Proactive simulations assume the role of an attacker by exploiting vulnerabilities and breaking through defenses. This is sometimes called a red team exercise. Reactive simulations assume the role of a defender responding to an attack. This is sometimes called a blue team exercise. Each kind of simulation is a team effort that you might be involved with as an analyst. Proactive teams tend to spend more time planning their attacks than performing them. If you find yourself engaged in one of these exercises, your team will likely deploy a range of tactics. For example, they might persuade staff into disclosing their login credentials using fictitious emails to evaluate security awareness at the company. On the other hand, reactive teams dedicate their efforts to gathering information about the assets they're protecting. This is commonly done with the assistance of vulnerability scanning tools.

Penetration Test

Or pen test, is a simulated attack that helps identify vulnerabilities in systems, networks, websites, applications, and processes. The simulated attack in a pen test involves using the same tools and techniques as malicious actors in order to mimic a real life attack. Since a pen test is an authorized attack, it is considered to be a form of ethical hacking. Unlike a vulnerability assessment that finds weaknesses in a system's security, a pen test exploits those weaknesses to determine the potential consequences if the system breaks or gets broken into by a threat actor. For example, the cybersecurity team at a financial company might simulate an attack on their banking app to determine if there are weaknesses that would allow an attacker to steal customer information or illegally transfer funds. If the pen test uncovers misconfigurations, the team can address them and improve the overall security of the app.

Criminal Syndicates

Refer to organized groups of people who make money from criminal activity.

Shadow IT

Refers to individuals who use technologies that lack IT governance. A common example is when an employee uses their personal email to send work-related communications.

Advanced Persistent Threats

Refers to instances when a threat actor maintains unauthorized access to a system for an extended period of time. The term is mostly associated with nation states and state-sponsored actors. Typically, an APT is concerned with surveilling a target to gather information. They then use the intel to manipulate government, defense, financial, and telecom services.

Competitors

Refers to rival companies who pose a threat because they might benefit from leaked information.

Vulnerability Assessment

The internal review process of an organization's security systems.

Attack Vectors

The pathways attackers use to penetrate security defenses.

Vulnerability Management

The process of finding and patching vulnerabilities.

Security Hardening

The process of strengthening a system to reduce its vulnerabilities and attack surface.

OSINT Tools

There's an enormous amount of open-source information online. Finding relevant information that can be used to gather intelligence is a challenge. Information can be gathered from a variety of sources, such as search engines, social media, discussion boards, blogs, and more. Several tools also exist that can be used in your intelligence gathering process. Here are just a few examples of tools that you can explore:
- VirusTotal is a service that allows anyone to analyze suspicious files, domains, URLs, and IP addresses for malicious content.
- MITRE ATT&CK® is a knowledge base of adversary tactics and techniques based on real-world observations.
- OSINT Framework is a web-based interface where you can find OSINT tools for almost any kind of source or platform.
- Have I Been Pwned is a tool that can be used to search for breached email accounts.
There are numerous other OSINT tools that can be used to find specific types of information. Remember, information can be gathered from a variety of sources. Ultimately, it's your responsibility to thoroughly research any available information that's relevant to the problem you're trying to solve.

Learning From Varied Perspectives

These authorized attacks are performed by pen testers who are skilled in programming and network architecture. Depending on their objectives, organizations might use a few different approaches to penetration testing:
- Red team tests simulate attacks to identify vulnerabilities in systems, networks, or applications.
- Blue team tests focus on defense and incident response to validate an organization's existing security systems.
- Purple team tests are collaborative, focusing on improving the security posture of the organization by combining elements of red and blue team exercises.
Red team tests are commonly performed by independent pen testers who are hired to evaluate internal systems, although cybersecurity teams may also have their own pen testing experts. Regardless of the approach, penetration testers must make an important decision before simulating an attack: how much access and information do I need?

Defending Attack Vectors

- Educating users
- Applying the principle of least privilege
- Using the right security controls and tools
- Building a diverse security team

Exploit

A way of taking advantage of a vulnerability.

Vulnerability

A weakness that can be exploited by a threat.

OWASP

A nonprofit foundation that works to improve the security of software. OWASP is an open platform that security professionals from around the world use to share information, tools, and events that are focused on securing the web.

MITRE

A collection of non-profit research and development centers.

Defense in Depth

A layered approach to vulnerability management that reduces risk. Strategy, from the outermost layer inward:
- Perimeter layer
- Network layer
- Endpoint layer
- Application layer
- Data layer

Common Vulnerability Scoring System (CVSS)

A measurement system that scores the severity of a vulnerability.

Exposure

A mistake that can be exploited by a threat.

Common Vulnerabilities

Businesses often make critical security decisions based on the vulnerabilities listed in the OWASP Top 10. This resource influences how businesses design new software that will be on their network, unlike the CVE® list, which helps them identify improvements to existing programs. The remaining cards in this set cover the vulnerability categories that most regularly appear in the OWASP rankings.

Insider Threats

Can be any individual who has or had authorized access to an organization's resources. This includes employees who accidentally compromise assets or individuals who purposefully put them at risk for their own benefit.

Access Points

Each threat actor has a unique motivation for targeting an organization's assets. Keeping them out takes more than knowing their intentions and capabilities. It's also important to recognize the types of attack vectors they'll use. For the most part, threat actors gain access through one of these attack vector categories:
- Direct access, referring to instances when they have physical access to a system
- Removable media, which includes portable hardware, like USB flash drives
- Social media platforms that are used for communication and content sharing
- Email, including both personal and business accounts
- Wireless networks on premises
- Cloud services usually provided by third-party organizations
- Supply chains like third-party vendors that can present a backdoor into systems
Any of these attack vectors can provide access to a system. Recognizing a threat actor's intentions can help you determine which access points they might target and what ultimate goals they could have. For example, remote workers are more likely to present a threat via email than a direct access threat.

Security Misconfiguration

Misconfigurations occur when security settings aren't properly set or maintained. Companies use a variety of different interconnected systems. Mistakes often happen when those systems aren't properly set up or audited. A common example is when businesses deploy equipment, like a network server, using default settings. This can lead businesses to use settings that fail to address the organization's security objectives.

Software and Data Integrity Failures

Software and data integrity failures are instances when updates or patches are inadequately reviewed before implementation. Attackers might exploit these weaknesses to deliver malicious software. When that occurs, there can be serious downstream effects: if a single supplier's build or update system is compromised, the third parties that consume its software are likely to become infected too, an event known as a supply chain attack. A famous example of a supply chain attack is the SolarWinds cyber attack (2020), where hackers injected malicious code into software updates that the company unknowingly released to their customers.

Vulnerability Scanner

Software that automatically compares known vulnerabilities and exposures against the technologies on the network. In general, these tools scan systems to find misconfigurations or programming flaws. They can be pointed at any of the defense-in-depth layers:
- Perimeter layer - like authentication systems that validate user access
- Network layer - which is made up of technologies like network firewalls and others
- Endpoint layer - which describes devices on a network, like laptops, desktops, or servers
- Application layer - which involves the software that users interact with
- Data layer - which includes any information that's stored, in transit, or in use
When a scan of any layer begins, the scanning tool compares the findings against databases of security threats. At the end of the scan, the tool flags any vulnerabilities that it finds and adds them to its reference database. Each scan adds more information to the database, helping the tool be more accurate in its analysis.

Vulnerability Scanner Example

Vulnerability scanners are frequently used in the field. Security teams employ a variety of scanning techniques to uncover weaknesses in their defenses. Reactive simulations often rely on the results of a scan to weigh the risks and determine ways to remediate a problem. For example, a team conducting a reactive simulation might perform an external vulnerability scan of their network. The entire exercise might follow the steps of the vulnerability assessment process:
1. Identification: A vulnerable server is flagged because it's running an outdated operating system (OS).
2. Vulnerability analysis: Research is done on the outdated OS and its vulnerabilities.
3. Risk assessment: After doing your due diligence, the severity of each vulnerability is scored and the impact of not fixing it is evaluated.
4. Remediation: Finally, the information that you've gathered can be used to address the issue.
During an activity like this, you'll often produce a report of your findings. These can be brought to the attention of service providers or your supervisors. Clearly communicating the results of these exercises to others is an important skill to develop as a security professional.

Performing Scans

Vulnerability scanners are meant to be non-intrusive. Meaning, they don't break or take advantage of a system like an attacker would. Instead, they simply scan a surface and alert you to any potentially unlocked doors in your systems. Note: While vulnerability scanners are non-intrusive, there are instances when a scan can inadvertently cause issues, like crash a system. There are a few different ways that these tools are used to scan a surface. Each approach corresponds to the pathway a threat actor might take. Next, you can explore each type of scan to get a clearer picture of this.

Vulnerable and Outdated Components

Vulnerable and outdated components is a category that mainly relates to application development. Instead of coding everything from scratch, most developers use open-source libraries to complete their projects faster and easier. This publicly available software is maintained by communities of programmers on a volunteer basis. Applications that use vulnerable components that have not been maintained are at greater risk of being exploited by threat actors.

Partial Knowledge Testing

When the tester has limited access and knowledge of an internal system—for example, a customer service representative. This strategy is also known as gray-box testing.

Closed-box Testing

When the tester has little to no access to internal systems—similar to a malicious hacker. This strategy is sometimes referred to as external, black-box, or zero knowledge penetration testing. Closed box testers tend to produce the most accurate simulations of a real-world attack. Nevertheless, each strategy produces valuable results by demonstrating how an attacker might infiltrate a system and what information they could access.

Open-box Testing

When the tester has the same privileged access that an internal developer would have—information like system architecture, data flow, and network diagrams. This strategy goes by several different names, including internal, full knowledge, white-box, and clear-box penetration testing.

