Get Ahead Get Certified Chapter 8
Passive reconnaissance
A penetration testing method used to collect information. It typically uses open-source intelligence. Compare with active reconnaissance. This includes viewing social media, news reports, and even the organization's website. If the organization has wireless networks, it could include passively collecting information from the networks, such as network SSIDs. Because it doesn't engage a target, it isn't illegal. Does not include any tools that send information to targets and analyze their responses. Uses tools to gather information from systems other than the target. For example, you can sometimes gain information about a domain name holder using the Whois lookup site. You can also gain information by querying Domain Name System (DNS) servers.
vulnerability scans are generally-
Non-intrusive and less invasive than penetration tests. They never attempt to exploit a vulnerability. Because of this, a vulnerability scan is much safer to run on a system or network because it is significantly less likely to affect services.
Penetration testing is intrusive and vulnerability scanning is-
Nonintrusive.
scans can either be intrusive or-
Nonintrusive. You can also think of these as invasive and non-invasive, respectively.
In contrast, tools using non-intrusive methods will-
Not compromise a system.
Operating system event logs
OSs have basic logs that record events. On Windows, these logs are viewable using the Windows Event Viewer. One of the primary logs in a Windows system is the Security Log, and it functions as a security log, an audit log, and an access log.
ALE
Annualized Loss Expectancy; the value of SLE x ARO.
Threats come in different forms, what are the three?
Malicious human threats, accidental human threats, environmental threats.
Application Logs
Many server applications include logging capabilities within the application. For example, database applications such as Microsoft SQL Server or Oracle Database include logs to record performance and user activity.
Wireshark is a free-
Protocol analyzer that you can download from the Wireshark site.
A ______ _________ __________ might look at audit logs for the files of a proprietary project to see who is accessing the files and what they're doing with them.
Usage auditing review
action assigned to
A risk register may document who has the responsibility to implement controls.
transfer
The organization transfers the whole or part of the risk to another entity, such as when it buys insurance. Another example is outsourcing or contracting with a third party.
The authentication log contains information related to successful and unsuccessful logins.
/var/log/auth.log
Log entries created when the system boots are contained here.
/var/log/boot.log
This log contains information on failed login attempts. It can be viewed using the faillog command.
/var/log/faillog
This log contains a wide variety of general system messages. It includes some messages logged during startup, some messages related to mail, the kernel, and messages related to authentication. It stores general system activity log entries.
/var/log/messages
Password crackers are one of the many tools security administrators use during a-
Vulnerability assessment.
Action deadline
When the control should be implemented.
utmp, wtmp, and btmp files. The following bullets describe these files:
• The utmp file maintains information on the current status of the system, including who is currently logged in. The who command queries this file to display a list of users currently logged in.
• The wtmp file is an archive of the utmp file. Depending on how it is implemented, it can be a circular file, overwriting itself when it reaches a predetermined size. The last command queries this file to show the last logged-in users.
• The btmp file records failed login attempts. The lastb command shows the last failed login attempts.
Permission auditing review
Looks at the rights and permissions assigned to users and helps ensure the principle of least privilege is enforced. Reviews identify the privileges (rights and permissions) granted to users and compare them against what the users need. It can detect privilege creep, a common problem that violates the principle of least privilege.
Many penetration tests include the following activities:
- passive reconnaissance
- active reconnaissance
- initial exploitation
- privilege escalation
- pivot
- persistence
If the system is configured as an Apache web server, you can view access and error logs in this directory:
/var/log/httpd/
The kernel log contains information logged by the system kernel, which is the central part of the Linux operating system.
/var/log/kern.log
In addition to viewing a capture using the Wireshark graphical interface, you can view captures as text files. Information in the text file is usually limited using filters, but normally includes the time, source information labeled as src, destination information labeled as dst, and sometimes protocol information. Here's an example:
22:33:44, src 192.168.5.55:3389, dst 192.168.7.17:8080, syn/ack
The time is shown on a 24-hour clock, so this is 10:33 PM and 44 seconds. Notice that the source and destination each include an IP address and a port number. This reiterates the importance of knowing commonly used ports. The source IP address doesn't always identify the actual attacker. It could be a zombie in a botnet, or the attacker could be behind a device using PAT (port address translation), which translates between public and private IP addresses. If the traffic goes through a device using PAT, the protocol analyzer only captures the translated IP address, not the original IP address.
Automated alerting
A SIEM typically comes with predefined alerts that provide notifications of suspicious events. For example, if it detects a port scan on a server, it might send an email to an admin group or display the alert on a heads-up display. SIEMs also include the ability to create new alerts.
Logs/WORM
A SIEM typically includes methods to prevent anyone from modifying log entries. This is sometimes referred to as write once read many (WORM). As logs are received, the SIEM aggregates and correlates the log entries. After processing the logs, it can archive the source logs with write protection.
Correlation Engine
A software component used to collect and analyze event log data from various systems within the network. It typically aggregates the data, looking for common attributes. It then uses advanced analytic tools to detect patterns of potential security events and raise alerts. System administrators can then investigate the alert.
Passively testing security controls
A vulnerability scan that does not attempt to exploit any weaknesses it finds, but only reports back what it uncovers. This ensures that the testing does not interfere with normal operations. Security administrators then assess the vulnerabilities to determine which ones to mitigate. In contrast, a penetration test is an active test that attempts to exploit vulnerabilities.
There are three important figures in quantitative risk assessment:
ALE, SLE, ARO
Privilege Escalation
After gaining access to a low-level system or low-level account (let's say this account has access to the network but doesn't have any admin privileges), the testers use various techniques to gain more and more privileges on Homer's computer and his network. The "One Click Lets Them In" section discusses how advanced persistent threats often use remote access Trojans to gain access to a single system. Attackers trick a user into clicking a malicious link, which gives them access to a single computer. Attackers then use various scripts to scan the network looking for vulnerabilities; by exploiting these vulnerabilities, the attackers gain more and more privileges on the network. Penetration testers use similar tactics. Depending on how much they are authorized to do, they can also use other methods to gain more and more access to a network.
Initial exploitation
After scanning the target, testers discover vulnerabilities. They then take it a step further and look for a vulnerability that they can exploit. A vulnerability scan may discover that a system doesn't have a patch installed for a known vulnerability. The vulnerability allows attackers and testers to remotely access the system and install malware on it. With this knowledge, the testers can use known methods to exploit the vulnerability. This gives the testers full access to the system. They can then install additional software on the exploited system.
Capabilities shared by most SIEMs
Aggregation, correlation engine, automated alerting, automated triggers, time synchronization, event deduplication, logs/WORM.
Give some examples of false positives
Vulnerability scanners occasionally report that there is a vulnerability when there actually is not. For example, a vulnerability scan on a server might report that the server is missing patches related to a database application, but the server doesn't have a database application installed. This is similar to false positives on IDSs: the IDS alerts on an event, but the event isn't an actual intrusion. Antivirus scanners can also identify a useful application as malware, even though the application does not have any malicious code. False positives result in higher administrative overhead because admins have to investigate them.
Time Synchronization
All servers sending data to the SIEM should be synchronized to the same time. This becomes important when investigating an incident so that security investigators know when the events occurred, and also because large organizations can have locations in different time zones. Each of these locations might have servers sending data to a single centralized SIEM. If the server logs use their local time, the SIEM needs to apply a time offset to compensate. One method is to convert all times to Greenwich Mean Time (GMT), which is the time at the Royal Observatory in Greenwich, London.
In addition to basic operating system logs and firewall and router access logs, there are other logs to review when maintaining systems and networks. These include:
Antivirus logs, application logs, performance logs.
Some additional logs in a Windows system include:
Application. The Application log records events recorded by applications or programs running on the system. Any application has the capability of recording errors in the Application log.
System. The operating system uses the System log to record events related to the functioning of the operating system: when it starts, when it shuts down, information on services starting and stopping, drivers loading or failing, or any other system component event deemed important by the system developers. If a system is attacked, you may be able to learn details of the attack by reviewing the operating system logs.
Firewall and Router Access Logs
You can configure firewalls and routers to log specific information. These logs are useful when troubleshooting connectivity issues and when identifying potential intrusions or attacks. They include information on where a packet came from and where it is going.
A protocol analyzer can-
Capture and analyze packets on a network. The process of using a protocol analyzer is sometimes referred to as sniffing or using a sniffer. It can be used by both admins and attackers to view IP headers and examine packets. Admins can use a protocol analyzer to troubleshoot communication issues between network systems, or to identify potential attacks using manipulated or fragmented packets.
Tcpdump
Command-line packet analyzer. It allows you to capture packets like you can with Wireshark. The difference is that Wireshark is a Windows-based tool, and tcpdump is executed from the command line. Admins can use tcpdump to capture the packets and later use Wireshark to analyze the packet capture. Tcpdump only works on Kali Linux.
-c represents count and indicates the capture should stop after receiving the specified number of packets.
-C represents file size and indicates the maximum size, in millions of bytes, of a packet capture file. When the file reaches this size, tcpdump closes it and starts storing packets in a new file.
Attackers can use a protocol analyzer to capture-
Data sent across the network in cleartext, such as unencrypted credentials. They can view this data by connecting an unauthorized switch within a network to capture traffic and forward it to a system running a protocol analyzer. If cabling isn't protected, they might be able to simply connect to a switch above a drop-down ceiling.
It's also possible to perform a penetration test to determine how an organization will respond to a compromised system. This allows an organization to-
Demonstrate security vulnerabilities and flaws in policy implementation. Many organizations may have perfect policies on paper. However, if employees aren't consistently following the policies, a penetration test can accurately demonstrate the flaws.
Because a penetration test can exploit vulnerabilities, it has the potential to-
Disrupt actual operations and cause system instability. Because of this, it's important to strictly define boundaries for a test. Ideally, a penetration test will stop right before performing an exploit that can cause damage or result in an outage. However, some tests cause unexpected results. For this reason, testers often perform penetration tests on test systems rather than live production systems. For example, if a penetration test cripples the test server, it accurately demonstrates security vulnerabilities, but it doesn't affect customers.
Tools using intrusive methods can potentially-
Disrupt the operations of a system.
Netcat
Does not include native encryption, but SSH will secure the session. Admins use it to remotely access Linux systems. It is also used for banner grabbing.
Common types of threat assessments
Environmental, manmade, internal, external.
Some risk assessments use a risk register:
ISO:7003 identifies it as a "record of information about identified risks." PRINCE2 identifies it as a "repository for all risks identified and includes additional information about each risk."
Penetration tests are intrusive and more-
Invasive than vulnerability scans. They involve probing a system and attempting to exploit any vulnerabilities they discover.
Passive doesn't mean that a vulnerability scanner isn't doing anything-
It is probing systems to identify vulnerabilities and other problems. However, it doesn't take any action to exploit these vulnerabilities. That doesn't mean you can feel free to run a vulnerability scan on any network simply because it is passive and non-intrusive. If you are discovered, you might be identified as an attacker and face legal action.
Usage auditing refers to-
Logging information on what users do. For example, if Homer accesses a file on a network server, the log entry would show his identity, when he accessed the file, what file he accessed, and what computer he used to access the file. He would not be able to refute the recorded action because auditing provides non-repudiation.
Monitoring logs for event anomalies
Logs record what happened, when it happened, where it happened, and who did it. The primary purpose is to allow someone such as an admin to identify exactly what happened and when. They are looking for anomalies. If an attacker tries to log onto an account by guessing passwords, security logs will record these attempts as failed logons, which is an event anomaly. After investigating the failed logons, admins can determine if they are part of normal operation or a security incident. A limiting factor is the amount of disk space available. The goal is to strike a balance between what is needed and the amount of space available for storage.
SIEMs are very useful in large enterprises that have-
Massive amounts of data and activity to monitor. Consider an organization with over 1,000 servers; when an incident occurs on just one of these servers, admins need to know about it as quickly as possible. The SIEM provides continuous monitoring and real-time reporting. For example, in a large network operations center (NOC) it might alert on a large heads-up display. A benefit is that the monitoring and reporting is automated with scripts within the SIEM.
Nmap
Network scanner. The graphical version of Nmap is Zenmap. It has many capabilities, including identifying all active hosts and their IP addresses in a network, the protocols and services running on each of these hosts, and the operating system of each host. When running the command, you include the scan type(s), any options, and the target specification.
Network scanners use six methods to provide info on hosts within a network:
- Ping scan
- ARP ping scan
- SYN stealth scan
- Port scan
- Service scan
- OS detection
If they successfully exploit a vulnerability, a penetration test can-
Potentially disrupt services and even take a system down.
When using a protocol analyzer, you need to configure the network interface card on the system to use-
Promiscuous mode. Normally a NIC uses non-promiscuous mode and only processes packets directly addressed to its IP address. However, when you put it in promiscuous mode, it processes all packets regardless of the IP address. This allows the protocol analyzer to capture all packets that reach the NIC.
Many systems utilize single sign-on (SSO) so users don't have to-
Provide their credentials again. However, their access is still recorded as a logon action.
Defense in Depth
Refers to the security practice of implementing several layers of protection. You must implement security at several different layers. This way, if one layer fails, you still have additional layers to protect you.
We know ALE = SLE x ARO. What if we wanted to find the SLE or ARO from the ALE?
SLE = ALE / ARO
ARO = ALE / SLE
SYN Stealth Scan
A SYN is sent out to all IP addresses in the scan range. If the scanner receives a response, it knows that a host is active at that IP address. Instead of sending an ACK packet, the scanner sends a RST (reset) response to close the connection.
Vendors sell SIEMS as applications that can be installed on-
Systems, and as dedicated hardware appliances.
Three useful tools when performing vulnerability scans and penetration tests
Tcpdump, Nmap, Netcat
White box testing
Testers have full knowledge of the environment before starting. For example, they would have access to product documentation, source code, and possibly even logon details.
Gray box testing
Testers have some knowledge of the environment prior to starting. For example, they might have access to some network documentation, but not know the full network layout.
Vendor diversity
The practice of implementing security controls from different vendors to increase security. Many DMZs use two firewalls, and vendor diversity dictates the use of firewalls from different vendors. For example, one firewall could be a Cisco firewall and the other could be a Check Point firewall. If a vulnerability is discovered in one of these firewalls, an attacker might be able to exploit it. However, it's unlikely that both firewalls would develop a vulnerability at the same time.
Event Deduplication (SIEM)
The process of removing duplicate entries. As an example, imagine 10 users receive the same email and choose to save it. An email server using deduplication processing will keep only one copy of the email, but make it accessible to all 10 users. Now imagine a NIDS collects data from a firewall, and a SIEM collects data from both the NIDS and the firewall. The SIEM will store only a single copy of any duplicate log entries, but will also ensure that the entries are associated with both devices.
Pivot
The process of using various tools to gain additional information. Let's say a tester gains access to Homer's computer within a company's network; the tester can then pivot and use Homer's computer to gather information on other computers. Homer might have access to network shares filled with files on nuclear power plant operations. The tester can use Homer's computer to collect this data and then send it back out of the network from Homer's computer. Testers and attackers use pivoting techniques to gather a wide variety of information. Many times the tester must first use privilege escalation to gain more privileges. However, after doing so, it's possible that the tester can access databases, such as user account and password databases, email, and any other type of data stored within a network.
Control diversity
The use of different security control types, such as technical controls, administrative controls, and physical controls. Compare with vendor diversity. Remember that there are technical security controls such as firewalls, IDSs, and proxy servers to help protect a network. Physical security controls can provide extra protection for the server room or other areas where these devices are located. Administrative controls such as vulnerability assessments and penetration tests can help verify that these controls are working as expected.
Persistence
The various techniques that allow attackers to stay within a network for weeks, months, or even years without being detected. Penetration testing techniques are similar in that testers maintain persistence within the network. Attackers may use a backdoor into the network. For example, a tester may be able to create alternate accounts that can be accessed remotely. In some cases it's also possible to install or modify services to connect back into a system. For example, a tester may be able to enable Secure Shell and then create a method used to log onto a system using SSH.
Performance Logs
These logs can monitor system performance and give an alert when preset performance thresholds are exceeded.
Aggregation
This is combining several dissimilar items into a single item. A SIEM can collect data from multiple sources, such as firewalls, intrusion detection systems, proxy servers, and more. Each of these devices formats its logs differently. However, the SIEM can aggregate the data and store it in such a way that it is easy to analyze and search.
Black box testing
This refers to the level of knowledge that testers have prior to starting the tests. Black box testers have zero knowledge of the environment prior to starting; they approach the test with the same knowledge as an attacker. When testing new applications, they wouldn't have any prior experience with the application. When testing networks, they aren't provided any information or documentation on the network before the tests. Black box testers often use fuzzing to check for application vulnerabilities.
Configuring logging of logon attempts is an important security step for system monitoring. After configuring logging, a system records the-
Time and date when a user logs on, and when they access systems within a network. When users first log on to their account, it's recorded as a logon action. Additionally, when users access a resource over the network, such as a file server, it is also recorded as a logon action.
Some other uses of Netcat
Transferring files: One of the online labs for chapter 3 shows how to create a chat session between two systems. Once this session is open, you can use the connection to copy files between the systems.
Port scanner: You can use Netcat to run a port scan against a single IP address. It allows you to specify the range of ports, such as 10 through 1024, and randomize the port scan to evade detection. It also supports waiting longer periods of time between port checks, again to evade detection.
Automated Triggers
Triggers cause an action in response to a predefined number of repeated events. As an example, imagine a trigger for failed logons is set at five. If an attacker repeatedly tries to log onto a server using SSH, the server's log will show failed logon attempts. When the SIEM detects more than five failed SSH logons, it can change the environment and stop the attack. It might modify a firewall to block these SSH logon attempts, or send a script to the server to temporarily disable SSH. A SIEM includes the ability to modify predefined triggers and create new ones.
Accidental Human Threats
Users can accidentally delete or corrupt data, or accidentally access data that they shouldn't be able to access. Even admins can take systems offline with configuration changes that were meant to solve one problem but instead created another one.
Active Reconnaissance
Uses tools to send data to systems and analyzes the responses. It typically starts by using various scanning tools, such as network scanners and vulnerability scanners. Active reconnaissance does engage targets and is almost always illegal; you need authorization to do so. Nmap and Nessus can gather a significant amount of information about networks and individual systems. This includes identifying all IP addresses active in a network, the ports and services active on individual systems, and the operating system running on individual systems.
How to prevent privilege creep
Using a role-based access control (RBAC) model with group-based privileges.
What is a configuration compliance scanner?
Verifies that systems are configured correctly. These scanners use a file to identify the proper configuration for systems. When running the scan, the scanner verifies that the systems have the same configuration defined in the configuration file. This is also known as configuration validation. Security admins configure these tools using automation or scripting methods so they automatically run on a set schedule. Nessus, a vulnerability scanner, uses plugins to perform configuration compliance scans. It has plugins used to perform compliance scans against both Windows and Unix systems. Admins can create custom audit files to perform custom configuration compliance scans on Windows and Unix systems. AutoNessus is a free tool that can be used to automate Nessus scans. Configuration compliance scans typically need to be run as credentialed scans. This helps ensure they can accurately read the configuration of systems during the scan.
Identifying Lack of Security Controls
Vulnerability scanners can also identify missing security controls, such as a lack of up-to-date patches or a lack of antivirus software. Although many patch management tools include the ability to verify that systems are up to date with current patches, vulnerability scanners provide an additional check to detect unpatched systems.
What is the difference between a credentialed and a non-credentialed scan?
Vulnerability scanners can run as a credentialed scan using the credentials of an account, or as a non-credentialed scan without any user credentials. Hackers typically do not have the credentials of an internal account, so when they run scans against systems, they run non-credentialed scans. Security admins often run credentialed scans with the privileges of an administrator account. This allows the scan to check security issues at a much deeper level than a non-credentialed scan. A credentialed scan has easier access to the internal workings of systems, so it results in a lower impact on tested systems, along with more accurate test results and fewer false positives. Attackers typically start without any credentials but use privilege escalation techniques to gain admin access. This allows them to run a credentialed scan against a network if desired. Admins will typically run a non-credentialed scan to see what an attacker without credentials would see.
Security and configuration errors
Vulnerability scans can also check a system against a configuration or security baseline to identify unauthorized changes. Do this periodically to find unauthorized changes. You can also see if rebuilt systems are missing key security settings, and you can scan systems right before or after a deployment.
Logs create an audit trail of-
What happened. Usage auditing reviews are often done to recreate the audit trail or reconstruct what happened in the past. For example, if someone leaks proprietary information outside the organization, investigators can look at the auditing files to see who accessed the information, what they did with it (such as printing it), and when they did so.
The Security Log records auditable events such as-
When a user logs on or off, or when a user accesses a resource. Some auditing is enabled by default in some systems, but administrators can add additional auditing. The Security Log records audited events as successes or failures. Success indicates an audited event completed successfully, such as a user successfully logging on or successfully deleting a file. Failure indicates that a user tried to perform an action but failed, such as failing to log on or trying to delete a file but receiving a permission error instead.
Auditing includes much more than when a user accesses a file. It also includes-
When a user logs on, accesses a network share, reads a file, modifies a file, creates a file, prints a file, accesses a website via proxy server, and much more.
What is it important to obtain when doing vulnerability testing?
Written authorization. It is very important to get it in writing. An organization may perceive a well-meaning admin performing an unauthorized penetration test as a black hat or gray hat attacker. Most organizations use a written rules of engagement document when hiring outside security professionals to perform the test. The rules of engagement document identifies the boundaries of the penetration test. If the testing does result in an outage but the testers followed the rules of engagement, repercussions are less likely.
Example of a Wireshark capture
You can see 150 packets; packet 121 is selected in the top pane. The top pane shows the source and destination IP addresses and the Server Message Block (SMB) protocol. Many networks use SMB to send files over the network, and this packet includes the contents of that file.
1) Occasionally attackers manipulate flags within the headers for different types of attacks, and the protocol analyzer allows you to verify header manipulation attacks.
2) You can see the source and destination IP addresses within the IP header field. You can expand the Ethernet II section to show the media access control (MAC) addresses of the source and destination computers.
3) You can view the unencrypted credentials because SMB sends them in cleartext.
Linux Logs
You can view logs in Linux using the System Log Viewer or by using the cat command from the terminal.
SIEM provides-
A centralized solution for collecting, analyzing, and managing data from multiple sources. SIEMs combine the services of security event management (SEM) and security information management (SIM). They provide long-term storage of data along with methods of analyzing the data, looking for trends, or creating reports needed to verify compliance with laws or regulations.
Vulnerability scanners utilize-
A database or dictionary of known vulnerabilities and test systems against this database.
Some Linux distributions include the utmp, wtmp, and btmp files (or the utmpx, wtmpx, and btmpx variants). They are created so that-
Administrators can answer questions such as who is currently logged in, who has logged in recently, and what accounts have had failed login attempts. They are typically within the /var/log folder but might be elsewhere.
Penetration testing
Assesses deployed security controls on a system or network. It starts with passive reconnaissance, such as a vulnerability scan, but takes it a step further and tries to exploit vulnerabilities by simulating or performing an attack. It is typically performed to demonstrate the actual security vulnerabilities within the system. This helps determine the impact of a threat against the system. In other words, it helps determine the extent of the damage an attacker could inflict by exploiting a vulnerability.
What does a network scanner do?
Attempts to provide information about hosts on a network. The most popular are Nmap, Netcat, and Nessus.
Open ports
Can be a vulnerability if not actively managed. For example, not all web servers use FTP, so if ports 20 and 21 are open on a web server, it has a vulnerability related to FTP. Telnet uses port 23, so if it's open, an attacker can try to connect to the server using Telnet.
to view the authentication log (auth.log) you can use the following command:
cat /var/log/auth.log
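Reading auth.log with cat only shows you the raw lines. The following is an added example (not from the book or this page) of the kind of detection logic you would run over those lines: it counts failed SSH logins per source address to spot password guessing, and flags a source that failed and then succeeded with a password. The log lines, host name, user names, IP addresses, and the threshold of five failures are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of Debian/Ubuntu /var/log/auth.log (sshd and
# sudo entries). Made up for the example; the IPs are documentation ranges.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:15 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:19 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:01:23 web01 sshd[2205]: Failed password for root from 203.0.113.7 port 51034 ssh2
Mar  3 10:01:30 web01 sshd[2207]: Failed password for root from 203.0.113.7 port 51040 ssh2
Mar  3 10:02:02 web01 sshd[2210]: Accepted publickey for deploy from 198.51.100.20 port 40112 ssh2: ED25519 SHA256:ZmFrZQ
Mar  3 10:05:41 web01 sshd[2215]: Failed password for alice from 198.51.100.20 port 40120 ssh2
Mar  3 10:05:49 web01 sshd[2215]: Accepted password for alice from 198.51.100.20 port 40120 ssh2
Mar  3 10:06:00 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+)"
)
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")


def parse_auth_log(text):
    """Walk the log once and return (failures per source IP, user names tried per
    source IP, accepted logins in order, sudo commands in order)."""
    failed = Counter()
    users_tried = defaultdict(set)
    accepted = []
    sudo_cmds = []
    for line in text.splitlines():
        if m := FAILED_RE.search(line):
            failed[m["ip"]] += 1
            users_tried[m["ip"]].add(m["user"])
        elif m := ACCEPTED_RE.search(line):
            accepted.append((m["ip"], m["user"], m["method"]))
        elif m := SUDO_RE.search(line):
            sudo_cmds.append((m["user"], m["cmd"]))
    return failed, users_tried, accepted, sudo_cmds


def brute_force_sources(text, threshold=5):
    """Source IPs with at least `threshold` failed passwords (threshold is a demo value)."""
    failed, _, _, _ = parse_auth_log(text)
    return sorted(ip for ip, n in failed.items() if n >= threshold)


def password_success_after_failures(text):
    """Source IPs that failed at least once and later succeeded with a password.
    A key-based login after failures is not flagged: it cannot have been guessed."""
    seen_failures = Counter()
    flagged = set()
    for line in text.splitlines():
        if m := FAILED_RE.search(line):
            seen_failures[m["ip"]] += 1
        elif (m := ACCEPTED_RE.search(line)) and m["method"] == "password" and seen_failures[m["ip"]]:
            flagged.add(m["ip"])
    return sorted(flagged)


if __name__ == "__main__":
    failed, users, accepted, sudo_cmds = parse_auth_log(SAMPLE_AUTH_LOG)
    print("failures per IP:", dict(failed))
    print("brute-force candidates:", brute_force_sources(SAMPLE_AUTH_LOG))
    print("password success after failures:", password_success_after_failures(SAMPLE_AUTH_LOG))
```

On a real host, replace SAMPLE_AUTH_LOG with the contents of /var/log/auth.log; the same regular expressions match the stock OpenSSH and sudo message formats. A SIEM does this correlation centrally across many hosts, which is why the notes below describe forwarding logs to it.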
a threat is a potential-
danger
Netcat banner grabbing command example
echo "" | nc -vv -n -w1 72.52.206.134 80
nc = Netcat; -vv = verbosity level; -n = do not resolve host names; -w1 = wait no more than 1 second for a reply. The command connects to port 80 of the system with the IP address 72.52.206.134. The echo "" produces a blank line, and the pipe symbol (|) feeds that output to Netcat, which sends it after establishing the connection.
example of banner
find this on PC page 356
The location of the SIEM ( and the location of its correlation engine) varies based on-
how the SIEM is used. However, it's common to locate the SIEM within the private network, even if it is collecting some data from the DMZ. The internal network provides the best protection for the logged data. In very large organizations, aggregation processes in the correlation engine can consume a lot of processing power, so organizations sometimes offload these processes to another server. The primary SIEM appliance can then focus on alerts and triggers.
security controls or mitigation steps
implement RAID-1 to protect the hard drive hosting the OS, and RAID-6 to protect the data
Antivirus Logs
log all antivirus activity, including when scans were run and whether any malware was detected. These logs also identify whether malware was removed or quarantined.
Environment Threats
long-term power failure, which could lead to chemical spills, pollution, or other possible threats to the environment. Also includes natural threats such as earthquakes, tornadoes, landslides, hurricanes, electrical storms, and others.
who is responsible for residual risk?
senior management. They have to make sure the residual risk is consistent with organizational goals, and they decide how much money, hardware, and time to dedicate to controls.
Example Nmap command
nmap -T4 -A -v 192.168.0.0/24
Notice that it has three switches: -T4, -A, and -v (Nmap switches are case sensitive, so the timing template must be written with an uppercase T). -T4 refers to the speed of the scan. Valid values are -T0 through -T5, with -T0 being the slowest and -T5 the fastest. Faster scans are more likely to be detected, while slower scans may not be. -A indicates the scan should include OS detection, version detection, script scanning, and traceroute. -v indicates the verbosity level; you can get more output by using -vv or -vvv.
Privilege Creep (Permission Bloat)
occurs when a user is granted more and more privileges due to changing job requirements, but unneeded privileges are never removed.
sensitive data
some scanners include a data loss prevention (DLP) function to detect sensitive data sent over the network. They can scan for things such as Social Security numbers and keywords to find sensitive data.
SLE
the cost of a single loss
most vulnerability scanners combine multiple features into a single tool. A vulnerability scan often includes the following four actions:
- identify vulnerabilities
- identify misconfigurations
- passively test security controls
- identify a lack of security controls
risk score with security controls
10 out of 100. With RAID-1 and RAID-6 in place, the likelihood of occurrence is now low (1), but the impact remains high (10). 1 x 10 = 10.
When a router is broadcasting on two channels what is the width?
20 MHz + 20 MHz, so 40 MHz. A single channel is 20 MHz wide.
risk score
50 out of 100. Medium likelihood (5) x high impact (10) = 50. An organization can assign any values it likes; this is just an example.
network mapping
A process used to discover devices on a network, including how they are connected. Often done as part of a network scan, but it focuses only on connectivity. In contrast, a full network scan includes open ports, running services, and OS details. Some tools, such as Zenmap, provide a graphical representation of the network.
Service Scan
A scan that is like a port scan but goes a step further. A port scan identifies the open ports; a service scan then sends a protocol-specific command to each one. For example, on port 80 it sends an HTTP request such as GET /, and if HTTP is really running on that port the server responds, verifying the service's identity rather than just assuming it from the port number.
Internal Threat Assessment
A threat assessment that evaluates threats from within an organization, whether malicious employees, the potential for human error, or hardware failure.
ARO
Annualized Rate of Occurrence. This indicates how many times per year the loss is expected to occur.
examples of vulnerabilities
- Lack of updates
- Default configurations
- Lack of malware protection or updated definitions
- Lack of firewalls
- Lack of organizational policies
other standards used by vulnerability scanners include-
SCAP (Security Content Automation Protocol), which uses the NVD (National Vulnerability Database). The NVD is a database of common misconfigurations, security-related software flaws, and impact ratings or risk scores. The risk score quantifies risk, allowing experts to prioritize.
key part of vulnerability assessment
A vulnerability scanner. It is used to identify which systems are susceptible to attack. It identifies a wide range of weaknesses and known security issues that attackers can exploit.
Ping Scan
a ping scan, sometimes called a ping sweep, sends Internet Control Message Protocol (ICMP) echo requests to a range of IP addresses in a network. If a host responds, the network scanner knows there is an operational host with that IP address. Many firewalls block ICMP traffic, so the results can be inconsistent.
as an admin if you know all the authorized APs, how would you find a rogue AP?
a wireless scanner on a laptop. As seen in the Acrylic Wi-Fi tool, the RSSI indicates the strength of the signal. RSSI is reported as a negative dBm value, so as you walk toward the AP the number gets closer to zero, which helps you locate it.
a supply chain includes-
all the elements required to produce and sell a product. It isn't only the raw materials; it also includes the processes required to create and distribute the product.
risk assessment
also known as risk analysis. An important step that quantifies or qualifies risk. It starts by identifying assets and asset values.
what are the risk response techniques?
also known as risk management methods. These are: avoid, transfer, mitigate, and accept.
OS detection
analyzes packets from an IP address to identify the OS. Often referred to as TCP/IP fingerprinting. Different OSs use different TCP window sizes, such as 5840 for Linux and 8192 for Windows, to name a couple. The scanner doesn't rely on a single value; it uses multiple responses from the target system to decide which OS it is.
lack of malware protection or updated definitions
antivirus and anti-malware solutions are only useful if they are installed in the first place and kept updated
within the context of risk management a threat is-
any circumstance or event that can compromise the confidentiality, integrity, or availability (the CIA triad) of data or a system
what is an asset?
any product, system, resource or process that an organization values
vulnerability
any weakness or flaw in software or hardware, or a weakness in a process, that a threat could exploit, resulting in a security breach.
Environmental threat assessment
assesses the likelihood and impact of an environmental scenario. If you live in Kansas, you would most likely determine the likelihood that a tornado will occur and the impact it could have, then put safeguards in place.
password cracker
attempts to discover a password. Most passwords are hashed or encrypted nowadays. If passwords are protected with weak methods, they can be broken easily.
offline password cracker
attempts to discover passwords by analyzing databases or files containing passwords. Attackers usually obtain large amounts of data during a breach, including files with hashed or encrypted passwords. Because they work offline, they have unlimited time to discover these passwords and generate no traffic against the target.
online password cracker
attempts to discover passwords by guessing them in a brute force attack, attempting to log on to an account remotely. They can also collect network traffic and attempt to crack any password sent over the network.
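The offline case above turns on what "weak methods" means in practice. The following is an added example (not from the book or this page) of an offline dictionary attack against a constructed breach dump. It shows why unsalted hashing is weak: the attacker hashes each candidate once and looks every user up in that table, so a password shared by many users costs one hash. With a per-user salt and a slow key derivation function (PBKDF2 here), each user costs a full pass over the wordlist and every guess costs the configured number of iterations. The wordlist, user names, and passwords are all made up.

```python
import hashlib
import os

# Constructed wordlist and "breach" credentials; nothing here is real data.
WORDLIST = ["password", "letmein", "Summer2023", "qwerty", "correct horse battery staple"]
CONSTRUCTED_CREDS = {"alice": "Summer2023", "bob": "letmein", "carol": "Tr0ub4dor&3"}


def make_unsalted_dump(creds):
    """Weak storage: unsalted MD5, the kind of 'weak method' the notes describe."""
    return {user: hashlib.md5(pw.encode()).hexdigest() for user, pw in creds.items()}


def crack_unsalted(dump, wordlist):
    """Hash each candidate once and look every user up in that one table.
    Returns (cracked users, number of hash computations performed)."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {user: table[h] for user, h in dump.items() if h in table}
    return cracked, len(table)


def make_pbkdf2_records(creds, iterations):
    """Stronger storage: a random per-user salt and a deliberately slow KDF.
    Returns {user: (salt, iterations, derived key)}."""
    records = {}
    for user, pw in creds.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
        records[user] = (salt, iterations, digest)
    return records


def crack_pbkdf2(records, wordlist):
    """No shared table: every (user, salt) pair needs a fresh pass over the wordlist,
    and each guess costs `iterations` rounds. Returns (cracked users, KDF computations)."""
    cracked, work = {}, 0
    for user, (salt, iterations, digest) in records.items():
        for w in wordlist:
            work += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations) == digest:
                cracked[user] = w
                break
    return cracked, work


if __name__ == "__main__":
    # 100_000 iterations is a demo value; real deployments tune this to their hardware.
    print("unsalted MD5:", crack_unsalted(make_unsalted_dump(CONSTRUCTED_CREDS), WORDLIST))
    print("salted PBKDF2:", crack_pbkdf2(make_pbkdf2_records(CONSTRUCTED_CREDS, 100_000), WORDLIST))
```

The same two accounts fall in both cases because they chose dictionary words; what changes is the cost. Five MD5 computations covered the whole dump, while the salted version needed a separate run per user with every guess paying the full iteration count, and carol's non-dictionary password survives both. That cost difference, multiplied across millions of leaked records, is what makes salting and a slow KDF worthwhile.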
an easy way to create a risk register is to use a table. What columns does it have? (Let's pretend we are evaluating risks associated with a new e-commerce website that accesses a back-end database.)
- category
- specific risk
- likelihood of occurrence
- impact
- risk score
- security controls or mitigation steps
- contingencies
- risk score with security controls
- action assigned to
- action deadline
default configurations
leaving systems in their default configurations, such as not changing the default username and password. If systems aren't hardened, they are more susceptible to attack.
what is MITRE CVE list?
a dictionary of publicly known security vulnerabilities and exposures. Similar to how antivirus technology detects malware using signatures, vulnerability scanners use CVE entries to check systems for known vulnerabilities. CVE is funded by the US government.
contingencies
ensure that backups are kept and are up to date
External Threat Assessment
evaluates threats from outside an organization. This includes attacks from malicious attackers as well as natural threats.
Malicious human threats
everything from script kiddies to advanced persistent threats (APTs). They regularly launch different types of attacks, such as network, system, and malware attacks.
Threat Assessment
helps an organization identify and categorize threats. It identifies the threats against organizational assets and the likelihood these threats will occur, and it also identifies the potential impact of these threats. Once an organization identifies and prioritizes threats, it identifies security controls to protect the most important assets first. Because organizations have limited resources, and because you can never address every threat, you use your resources on the higher priority threats.
impact
high. If a hard drive fails it will probably disable the entire website.
asset value
identifies the worth of the asset to the organization. It can be a monetary value or a subjective value such as low, medium, or high. This helps organizations focus on high-value assets rather than low-value assets.
in a risk analysis, after you have identified the assets and assets values, what's next?
identify threats and vulnerabilities and decide the likelihood of a threat attempting to exploit these vulnerabilities. These should be prioritized based on likelihood and potential impact.
high level steps of a vulnerability assessment
- identify assets and capabilities
- prioritize assets based on value
- identify vulnerabilities and prioritize them
- recommend controls to mitigate serious vulnerabilities
lack of organizational policies
if separation of duties, mandatory vacations, and job rotation are not enforced, organizations are more susceptible to fraud and collusion among employees
lack of firewalls
if network and host-based (personal) firewalls are not enabled or are configured improperly, systems are more vulnerable to network- and Internet-based attacks
lack of updates
if systems aren't kept up to date with service packs, hotfixes, and patches, they are vulnerable to known software bugs and flaws
when making a decision about a purchase to reduce risk, two outcomes are possible
if the cost of the control is less than the savings (the reduction in expected loss), purchase it; if the cost of the control is greater than the savings, accept the risk
how do quantitative risk assessments think?
in numbers and dollar signs. Asset value is important here; things like revenue value and replacement value are taken into consideration. If a web server that generates $10,000/hr in profit goes down, that means a loss of $10,000 an hour plus the cost to repair. It can also result in current and future customers finding another vendor, causing further losses.
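The risk register columns, the hard drive example scores, and the cost-benefit rule for buying a control all fit in a few functions. The following is an added example (not from the book or this page) that scores and ranks register rows qualitatively, then works the quantitative side for the $10,000/hr web server: SLE for one outage, ALE before and after a control, and the buy-or-accept decision. The hard drive row uses the scores from these notes; the second row, the 8-hour outage, the $5,000 repair cost, the rates of occurrence, and the $15,000 annual control cost are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class RegisterRow:
    """One row of the risk register table (the qualitative columns)."""
    category: str
    specific_risk: str
    likelihood: int            # 1 = low ... 10 = high
    impact: int                # 1 = low ... 10 = high
    controls: str
    residual_likelihood: int   # likelihood with the controls in place
    residual_impact: int

    def risk_score(self):
        return self.likelihood * self.impact

    def residual_score(self):
        return self.residual_likelihood * self.residual_impact


def rank_register(rows):
    """Highest inherent score first, so limited resources go to the top rows."""
    return sorted(rows, key=lambda r: r.risk_score(), reverse=True)


def single_loss_expectancy(hourly_profit, outage_hours, repair_cost):
    """SLE for an outage: lost profit for the outage plus the cost to repair."""
    return hourly_profit * outage_hours + repair_cost


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO."""
    return sle * aro


def evaluate_control(sle, aro_before, aro_after, annual_control_cost):
    """Cost-benefit rule from the notes: buy the control when its annual cost is
    less than the savings (the drop in ALE); otherwise accept the risk."""
    ale_before = annualized_loss_expectancy(sle, aro_before)
    ale_after = annualized_loss_expectancy(sle, aro_after)
    savings = ale_before - ale_after
    decision = "mitigate" if annual_control_cost < savings else "accept"
    return {"ale_before": ale_before, "ale_after": ale_after, "savings": savings,
            "net_benefit": savings - annual_control_cost, "decision": decision}


# The hard drive row uses the scores from the notes; the second row is constructed.
EXAMPLE_REGISTER = [
    RegisterRow("hardware failure", "hard drive failure", 5, 10,
                "RAID-1 for the OS drive, RAID-6 for data", 1, 10),
    RegisterRow("attack", "web server outage from DoS", 3, 10,
                "rate limiting at the edge", 2, 6),
]

if __name__ == "__main__":
    for row in rank_register(EXAMPLE_REGISTER):
        print(f"{row.specific_risk}: {row.risk_score()} -> {row.residual_score()} with controls")
    # $10,000/hr profit, an assumed 8-hour outage and $5,000 repair (constructed figures)
    sle = single_loss_expectancy(10_000, 8, 5_000)
    print(evaluate_control(sle, aro_before=0.5, aro_after=0.05, annual_control_cost=15_000))
```

Running it ranks hard drive failure (50) above the DoS row (30), and for the web server an SLE of $85,000 with an ARO falling from 0.5 to 0.05 saves $38,250 a year, so a $15,000 control is worth buying; the same control at $50,000 a year would be rejected and the risk accepted. The decision is only as good as the ARO estimates, which is the consensus problem the qualitative notes below describe.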
many organizations perform vulnerability assessments-
internally. However, they can hire external security professionals to perform external assessments.
just because something is at risk doesn't mean
it will be attacked.
Risk
likelihood that a threat will exploit a vulnerability
Port Scan
looks for open ports on a system. Each open port suggests the underlying protocol being used by the system. Port 80 would indicate that HTTP is running, so the system is likely running a web server. Port scans use the well-known ports assigned by IANA; because an administrator can run any service on any port, a service scan is needed to confirm what is actually listening.
Weak Passwords
many scanners include a password cracker. If a technical password policy is not possible, a password cracker can find weak passwords.
likelihood of occurrence
medium. This assumes that the installed hard drives are not yet using a RAID disk subsystem (adding RAID is the control that lowers the likelihood later in the register).
Avoid
not participating in a risky activity, or not providing a service, avoids the risk. For example, a company sells a product that requires many firewall ports to be left open; a buyer decides not to take on that risk and goes with another company instead.
specific risk
one of the risks associated with hardware failure could be hard drive failure. There are other potential hardware failures, but the remaining columns for this risk focus on hard drive failure. Imagine one drive holds the OS and applications and another holds the data.
two categories of password crackers
online and offline
common misconfigurations and vulnerabilities from vulnerability scanner
- open ports
- weak passwords
- default accounts and passwords
- sensitive data
- security and configuration errors
a risk assessment is a point-
in-time assessment, or a snapshot. It assesses risks based on current conditions such as current threats, vulnerabilities, and existing controls.
lastly a risk assessment includes
recommendations for what controls to implement to mitigate risks.
primary goal of risk management
reduce risk to an acceptable level
impact
refers to the magnitude of harm that can be caused if a threat exercises a vulnerability
the amount of risk that retains after managing risk
residual risk
Vulnerability assessments can include a wide variety of sources:
- reviewing security policies
- interviewing personnel
- testing systems
category
risk categories include downtime due to hardware failures, outages from an attack, downtime due to database server failure, data breaches, and more
when using active scan, a wireless scanner acts more like a-
scanner/cracker and can gain information by querying the AP. As an example, it could perform a WPS attack, guessing the 8-digit PIN until it finds it, then using it to discover the pre-shared key (PSK). Wireless scanners in active mode can also run a password cracker using other methods.
default username and password
some SQL databases allow a blank password for the administrator account. Nessus can detect this; if default credentials are in use, the scanner reports them so you can correct them.
mitigate
the organization implements controls to reduce risk. They either reduce the vulnerabilities or reduce the impact of the threat. For example, up-to-date antivirus software mitigates the threat of malware, and security guards reduce the risk of an attacker accessing a secure area.
Risk Management
the process of identifying, monitoring, and limiting risks to a manageable level. It doesn't eliminate risks but instead identifies methods to limit or mitigate them.
what does a supply chain assessment evaluate?
the raw materials, supply sources, and all the processes required to create, sell, and distribute the product. It identifies risks such as single points of failure. Many organizations have mature supply chains, so if one link breaks down they have backups. If this is already in place, the assessment looks for ways to improve the supply chain.
final phase of the risk assessment
the report. It lists the risks identified and the recommended controls. Management then decides whether to implement the controls or accept the risk. Results of a risk assessment are closely guarded because of the harm they could do in the wrong hands.
the likelihood the malware will reach the vulnerable system is-
the risk
Manmade Threat Assessment
this evaluates all threats from humans, whether by accident or malicious actors
Banner Grabbing
this is done with a tool such as Netcat to gain information about remote systems: the OS along with information about some applications. If successful, the server returns a banner (for a web server, an HTTP response header such as Server:) providing information about the server.
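The Netcat banner grab, the port scan, and the service scan described in these notes are the same three steps in code. The following is an added example (not from the book or this page): a TCP connect scan over two ports, then an HTTP service check that sends GET / and reads back the Server header, which is what the echo "" | nc command is doing by hand. So that it runs offline, the "remote host" is a local HTTP server on 127.0.0.1 with a made-up Apache banner; the ports are ephemeral ones chosen at run time, and nothing is sent to a real host.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class _FakeWebHandler(BaseHTTPRequestHandler):
    """Loopback stand-in for the remote host, with a made-up Server banner."""
    server_version = "Apache/2.4.41"   # constructed banner, not a real host
    sys_version = "(Ubuntu)"

    def do_GET(self):
        body = b"<html><body>ok</body></html>"
        self.send_response(200)        # also emits the Server: and Date: headers
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):      # keep the demo quiet
        pass


def start_fake_web_server():
    """Serve on an ephemeral loopback port in the background; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _FakeWebHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def find_closed_port():
    """Take an ephemeral port and release it so the scan has a closed port to hit."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def port_scan(host, ports, timeout=0.5):
    """TCP connect scan: a port is open if the three-way handshake completes."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_http_banner(host, port, timeout=2.0):
    """Service scan: send GET / and return the Server header if the port speaks HTTP,
    "" for HTTP without a Server header, None if the reply is not HTTP at all."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            while b"\r\n\r\n" not in data and len(data) < 65536:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:                    # refused, timed out, or reset: judge what we have
        pass
    lines = data.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    if not lines[0].startswith("HTTP/"):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return ""


def demo():
    """Scan a closed port and the web port, then identify the web service."""
    web, http_port = start_fake_web_server()
    closed = find_closed_port()
    try:
        return {"open": port_scan("127.0.0.1", [closed, http_port]),
                "closed_port": closed, "http_port": http_port,
                "http_banner": grab_http_banner("127.0.0.1", http_port),
                "closed_banner": grab_http_banner("127.0.0.1", closed)}
    finally:
        web.shutdown()
        web.server_close()


if __name__ == "__main__":
    print(demo())
```

Only the port that completes the handshake is reported open, and only that port answers the GET / with an HTTP status line, so the banner comes back as Apache/2.4.41 (Ubuntu) while the closed port yields None. Against a real target the connect scan is the noisy equivalent of Nmap's default -sT, and a hardened server will often strip or fake the Server header, which is exactly why the notes say the banner is a clue, not proof.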
overall goal of a vulnerability assessment
to assess the security posture of systems and networks. It identifies vulnerabilities or weaknesses and is part of an overall risk management plan.
depending on what the malware does the impact may be-
unbootable computer, loss of data, or a remote controlled computer that has joined a botnet
wireless scanners
use both passive and active scans. Passive scans just listen to all traffic being broadcast on known channels within the 2.4 GHz and 5 GHz frequency ranges.
qualitative risk assessment
uses judgment to categorize risks based on likelihood of occurrence and impact. Likelihood is the probability that a threat will try to exploit a vulnerability. Impact is the magnitude of harm resulting from a risk; it includes the negative results of an event such as the loss of confidentiality, availability, or integrity of a system or data. It is related to quality, which is often a matter of judgment. Some organizations use surveys or focus groups in which experts give their opinions. They could rate the probability of a web server being attacked as high and the impact to the business as high as well, or as medium or low. For example, with high = 10 and low = 1, a web server with high probability and high impact scores 10 x 10 = 100, while a library workstation with low probability and low impact scores 1 x 1 = 1. Management can look at these numbers and allocate resources to the proper places. The challenge with qualitative assessment is gaining consensus; people may disagree on likelihood and impact.
two most used tools to test networks
vulnerability scanners penetration tests
a system without up to date antivirus software is-
vulnerable to malware. Malware written by malicious attackers is the threat.
Arp Ping scan
a host that receives an ARP request for its IP address responds with its MAC address. If a host responds, the network scanner knows the host is operational with that IP address. Because ARP is not routed, this only works on the scanner's local subnet, but unlike ICMP it is rarely blocked there.
when are risk assessments usually performed?
often when a new service or application that could increase revenue is about to be launched. The organization weighs the potential gain against the potential cost to see whether it is worth it.
when are site surveys typically done?
when planning or deploying a wireless network. Security personnel typically repeat the site survey periodically to verify the environment hasn't changed.
accept
when the cost of a control outweighs the risk, the risk is accepted. Even after controls are implemented, the organization accepts the residual risk.