Lesson 1 Scoping Organizational/Customer Requirements
Discuss the significance of NIST SP 800-115.
NIST SP 800-115 is the "Technical Guide to Information Security Testing and Assessment" and contains a great deal of relevant information about PenTesting planning, techniques, and related activities.
With PCI DSS a merchant is ranked according to the number of transactions completed in a year. Describe a Level 1 merchant.
A Level 1 merchant is a large merchant with over six million transactions a year.
Open Web Application Security Project (OWASP)
A charity and community publishing a number of secure application development resources
Common Weakness Enumeration (CWE)
A dictionary of software-related vulnerabilities maintained by the MITRE Corporation
unauthorized hacker
A hacker operating with malicious intent
ATT&CK (Adversarial Tactics, Techniques & Common Knowledge)
A knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and procedures.
MITRE Corporation
A non-profit organization that manages research and development centers that receive federal funding from entities like the DoD and NIST.
Common Vulnerability Scoring System (CVSS)
A risk management approach to quantifying vulnerability data and then taking into account the degree of risk to different types of systems or information.
Intrusion Detection System (IDS)
A software and/or hardware system that scans, audits, and monitors the security infrastructure for signs of attacks in progress.
Penetration Testing Execution Standard (PTES)
A standard established in 2009 that covers seven areas of penetration testing and includes an accompanying technical guide.
National Vulnerability Database (NVD)
A superset of the CVE database, maintained by NIST
unified threat management (UTM)
All-in-one security appliances and agents that combine the functions of a firewall, malware scanner, intrusion detection, vulnerability scanner, data loss prevention, content filtering, and so on.
The team is involved with planning a PenTest exercise for 515support.com. Management has asked the team to run a series of scans at a satellite facility. Once the team is on site and begins testing, one of the team members shows you the result of the vulnerability scan. After examining the scan, you realize the team member has scanned the wrong network. How should you proceed?
Although this was an accident, you should immediately notify the team lead, as the test was outside of the scope of the PenTest.
Principle of Least Privilege
Basic principle of security stating that something should be allocated the minimum necessary rights, privileges, or information to perform its role.
Access Control Lists (ACL)
Collection of access control entries (ACEs) that determines which subjects (user accounts, host IP addresses, and so on) are allowed or denied access to the object and the privileges given (read only, read/write, and so on).
Open-source Security Testing Methodology Manual (OSSTMM)
Developed by the Institute for Security and Open Methodologies (ISECOM), this manual outlines every area of an organization that needs testing and goes into detail about how to conduct the relevant tests.
NIST
Develops computer security standards used by US federal agencies and publishes cybersecurity best practice guides and research.
Management has gathered the team leaders at 515support.com and outlined the importance of conducting a PenTesting exercise. Your supervisor has asked the group why PenTesting is important. How would you respond?
Formalized PenTesting provides a way to evaluate cyberhealth and resiliency with the goal of reducing overall organizational risk.
Threat actors follow the same main process of hacking as a professional PenTester: Reconnaissance, Scanning, Gain Access, Maintain Access, and Cover Tracks. What steps are added during a structured PenTest?
Formalized PenTesting includes 1) Planning and scoping along with 3) Analysis and reporting.
Payment Card Industry Data Security Standard (PCI DSS)
Information security standard for organizations that process credit or bank card payments
Management at 515support.com has been working hard at ensuring employees are well trained in identifying a phishing email. Concurrently, the IT team has implemented strong spam filters to prevent phishing emails from reaching their employees. What is the RISK of an employee falling victim to a phishing attack, using the following information? 75% = THREAT of a phishing email reaching an employee; 40% = VULNERABLE employees that might fall for a phishing attack.
Knowing that RISK = THREAT x VULNERABILITY, there is a 30% chance that the employees will fall victim to a phishing attack.
Risk
Likelihood and impact (or consequence) of a threat actor exercising a vulnerability
Explain how the MITRE ATT&CK Framework provides tools and techniques specific to PenTesting.
Once in the MITRE ATT&CK Framework, you will see many columns in the matrix that describe various tasks that are completed during the PenTest.
Part of completing a PenTesting exercise is following the imposed guidelines of various controls, laws, and regulations. Summarize the key takeaways of PCI DSS.
Payment Card Industry Data Security Standard (PCI DSS) specifies the controls that must be in place to securely handle credit card data. Controls include methods to minimize vulnerabilities and employ strong access control, along with consistent testing and monitoring of the infrastructure.
The team is involved with planning a PenTest exercise for 515support.com. Management is concerned that the loading dock is vulnerable to a social engineering attack, whereby someone can gain access to the building by asking someone who is on a smoking break. Prior to conducting the tests, what should the team do to prepare for the test?
Prior to beginning the test they should ask appropriate questions, such as: Who will notify security personnel that the team is using a social engineering exercise to gain access into the building? How many individuals should be testing to see if this type of exploit is possible? Can you provide a nonworking key card to make the ploy more believable?
General Data Protection Regulation (GDPR)
Provisions and requirements protecting the personal data of European Union (EU) citizens. Transfers of personal data outside the EU Single Market are restricted unless protected by like-for-like regulations, such as the US's Privacy Shield requirements.
With PCI DSS, a Level 1 merchant must have an external auditor perform the assessment by an approved _____.
Qualified Security Assessor (QSA).
Describe some of the resources available at NIST.
Resources for the cybersecurity professional, including the Special Publication 800 series, which deals with cybersecurity policies, procedures, and guidelines
Common Vulnerabilities and Exposures (CVE)
Scheme for identifying vulnerabilities developed by MITRE and adopted by NIST.
Intrusion Prevention System (IPS)
Security appliance or software that combines detection capabilities with functions that can actively block attacks.
Another regulation that affects data privacy is GDPR, which outlines specific requirements on how consumer data is protected. List two to three components of GDPR.
Some of the components of this law include: Require consent, meaning a company must obtain your permission to share your information. Rescind consent, which allows a consumer to opt out at any time. Global reach, since GDPR affects anyone who does business with residents of the EU and Britain. Restrict data collection to only what is needed to interact with the site. Violation reporting, meaning a company must report a data breach within 72 hours.
Compare and contrast CVE and CWE.
The CWE is a dictionary of software-related vulnerabilities maintained by the MITRE Corporation that includes a detailed list of weaknesses in hardware and software. CVE refers to specific vulnerabilities of particular products.
When using a structured approach to PenTesting, each step will serve a purpose with the goal of testing an infrastructure's defenses by identifying and exploiting any known vulnerabilities. List the four main steps of the CompTIA Pen Testing process.
The CompTIA PenTesting process goes through a series of steps that include: 1) Planning and scoping, 2) Information gathering and vulnerability scanning, 3) Attacks and exploits, and 4) Reporting and communication.
risk analysis
The security process used for assessing risk damages that can affect an organization.
A couple of your colleagues thought it might be a good idea to share some guidance on how the team should conduct themselves during the PenTesting process. What topics should be covered so that all members exhibit professional behavior before, during and after the PenTest?
The team will need to clearly understand that they are to maintain confidentiality before, during, and after a PenTest exercise. Once the testing begins, the team will want to proceed with care and notify the team lead if they have observed any illegal behavior.
What should a company with over 250 employees do to be compliant with the GDPR?
Under GDPR, any company with over 250 employees will need to audit their systems and take rigorous steps to protect any data that is processed within their systems, either locally managed or in the cloud.