Chapter 7 Analyze Vulnerabilities


Verification

A phase of retesting the system to verify that patching and hardening was effective.

Vulnerability assessment

A phase of testing the network for vulnerabilities.

Monitoring

A phase where continuous monitoring of systems is implemented.

Which of the following best describes active scanning?

A scanner transmits to a network node to determine exposed ports and can also independently repair security flaws.

Active scanning

An active scan transmits to the nodes within a network to determine exposed ports and can independently repair security flaws. It can also simulate an attack to test for vulnerabilities and can repair weak points in the system.

Vulnerability report

A report generated by a vulnerability assessment tool that gives information such as weak passwords, open ports, and lack of encryption. It also provides suggestions for remediation.

Vulnerability assessment tool

A service or program that tests systems and devices for weaknesses that could be exploited.

Open source tool

A tool that is free to use and can be modified and shared.

The results section of an assessment report contains four sub-topics. Which of the following sub-sections contains the origin of the scan?

Classification

Rose, an ethical hacker, has created a report that clearly identifies her findings and recommendations for locking down an organization's systems and patching problems. Which of the following phases of the vulnerability management life cycle is she working in?

Risk assessment

Remediation

A phase of patching, hardening, and correcting weaknesses.

Which of the following assessment types can monitor and alert on attacks but cannot stop them?

Passive

Which of the following includes a list of resolved vulnerabilities?

Security vulnerability summary

Operating system flaws

Flaws in the OS can leave a system susceptible to malicious applications such as viruses, Trojan horses, and worms through scripts, undesirable software, or code. Firewalls, minimal software application usage, and regular system patches create protection from this form of attack.

It may be tempting for an organization to feel secure after going through the process of penetration testing and the corrections and hardening that you must perform. Which of the following should you help them to understand?

Hackers have time on their side, and there will always be new threats to security.

Open services

Ports and services must be checked regularly to prevent unsecure, open, or unnecessary ports, which can lead to attacks on connected nodes or devices, loss of private information, or even denial of service.

New vulnerabilities

Scans can only identify known vulnerabilities. This gives an attacker who uses a new attack an advantage, as scans are written only for vulnerabilities that have been previously exploited.

Passive assessment

Using sniffer traces from a remote system, you can determine the operating system of the remote host as well as a list of the current network traffic. Wireshark is a common tool for this type of information gathering and analysis.

In a world where so much private information is stored and transferred digitally, it is essential to proactively discover weaknesses. An ethical hacker's assessment sheds light on the flaws that can open doors for malicious attackers. Which of the following types of assessments does an ethical hacker complete to expose these weaknesses?

Vulnerability assessment

Jaxon, a pentester, is discovering vulnerabilities and design flaws on the Internet that will open an operating system and applications to attack or misuse. Which of the following tasks is he accomplishing?

Vulnerability research

On your network, you have a Windows 10 system with the IP address 10.10.10.195. You have installed XAMPP along with some web pages, php, and forms. You want to put it on the public-facing internet, but you are not sure if it has any vulnerabilities. On your Kali Linux system, you have downloaded the nmap-vulners script from GitHub. Which of the following is the correct nmap command to run?

nmap --script nmap-vulners -sV 10.10.10.195

You are an ethical hacker contracting with a medical clinic to evaluate their environment. Which of the following is the first thing you should do?

Define the effectiveness of the current security policies and procedures.

Which of the following solutions creates the risk that a hacker might gain access to the system?

Service-based

Tree-based

With a tree-based assessment, you have a preset plan for testing and scanning based on some previous knowledge of the system. You then choose specific modes of testing for each operating system and machine.

Cybersecurity and Infrastructure Security Agency (CISA)

A large government-sponsored organization that provides many resources for cyber security.

Point in time

A scan can only obtain data for the time period when it runs. For example, some weaknesses may be exposed only when systems are operating at peak capacity, at certain times of day, or even at certain times of the year.

Common Vulnerability Scoring System (CVSS)

A system that categorizes vulnerabilities by threat level.

Which of the following are the three metrics used to determine a CVSS score?

Base, temporal, and environmental

Unpatched servers

Hackers gain access to data in a system through misconfigured or unpatched servers. Since servers are an integral part of an organization's infrastructure, this vulnerability creates a central route for access to sensitive data and operations. Fixing bugs, patching, and simply updating software can block an attack.

Active assessment

In an active assessment, specifically created packets are sent to target nodes to determine the OS of the domain, the hosts, the services, and the vulnerabilities in the network. nmap is a useful tool for this assessment.

Inference-based

In an inference-based approach, you test and discover information as you go. You then adjust your scans according to the information you discover.

Application

Application-level scans allow the ethical hacker to scrutinize completed applications when the source code is unknown. Every application should be examined for input controls and data processing.

Which of the following would be the best open-source tool to use if you are looking for a web server scanner?

Nikto

Default usernames and passwords

Passwords should always be immediately changed after installation or setup. Passwords should always be kept secret.

Which of the following best describes the verification phase of the vulnerability management life cycle?

Proves your work to management and generates verifiable evidence to show that your patching and hardening implementations have been effective.

CVSS calculator

A calculator for determining risk level of vulnerabilities based on base, temporal, and environmental metrics.

National Vulnerability Database (NVD)

A government-sponsored, detailed database of known vulnerabilities.

Wireless network assessment

A hacker can access sensitive information even from outside a building by sniffing network packets that are transmitted wirelessly through radio waves. Generally, a hacker will obtain the SSID (the name assigned to the wireless network) through sniffing and use it to hack the wireless network without ever entering the building. These assessments analyze the network for patching errors, authentication and encryption problems, and unnecessary services.

There are two non-government sites that provide lists of valuable information for ethical hackers. Which of the following best describes the Full Disclosure site?

A mailing list that often shows the newest vulnerabilities before other sources.

Karen received a report of all the mobile devices on the network. This report showed the total risk score, summary of revealed vulnerabilities, and remediation suggestions. Which of the following types of software generated this report?

A vulnerability scanner

This government resource is a community-developed list of common software security weaknesses. They strive to create commonality in the descriptions of weaknesses of software security. Which of the following government resources is described?

CWE

First, you must locate the live nodes in the network. Second, you must itemize each open port and service in the network. Finally, you test each open port for known vulnerabilities. These are the three basic steps in which of the following types of testing?

Penetration

Risk assessment

A phase of evaluating the found vulnerabilities for threat level.

This type of assessment evaluates deployment and communication between the server and client. It is imperative to develop tight security through user authorization and validation. Open-source and commercial tools are both recommended for this assessment. Which of the following types of vulnerability research is being done?

Application flaws

The list of cybersecurity resources below is provided by which of the following government sites?
Information exchange
Training and exercises
Risk and vulnerability assessments
Data synthesis and analysis
Operational planning and coordination
Watch operations
Incident response and recovery

CISA

Passive scanning

A passive scan tries to find vulnerabilities without directly interacting with the target network. The scan identifies vulnerabilities via information exposed by systems in their normal communications. You can set a scanner to scan constantly or at specific times.

Full disclosure

A public, vendor-neutral forum for the discussion of vulnerabilities and threats that often has the newest information. It also has tools, papers, news, and events related to vulnerabilities and threats.

Buffer overflows

A buffer is a temporary data storage area with limited space. Overflows occur when a program attempts to store more data than the buffer was written to hold. Error checking should identify this problem. When an overflow occurs, it can allow hackers to cause data to flow into other memory areas and to access database files or alter system files. System crashing or instability can also occur.

As an ethical hacker, you are looking for a way to organize and prioritize vulnerabilities that were discovered in your work. Which of the following scoring systems could you use?

CVSS

You are the IT security administrator for a small corporate network. You perform regular vulnerability scans on your network. Recently, you added a new network security appliance (NSA) to the network. You used the ITAdmin workstation when you configured the NSA.

In this lab, your task is to:
1. Run a vulnerability scan for the network security appliance (NSA) (198.28.56.18) using Security Evaluator on the taskbar.
2. Remediate the vulnerabilities found in the vulnerability report on the NSA. Rename the cisco user account using the following parameters:
   a. Set a username of your choice.
   b. Set a password of your choice.
   c. Set the idle timeout to 15 minutes or less.
   d. Set LAN access only for your user (no WAN access).
   e. Allow access to your user only from the ITAdmin workstation (192.168.0.31).
3. Re-run a vulnerability scan to make sure all of the issues are resolved.

Complete this lab as follows:

1. Run a Security Evaluator report as follows:
   a. From the taskbar, open Security Evaluator.
   b. Next to Local Machine, select the Target icon to select a new target.
   c. Select IPv4 Address.
   d. Enter 198.28.56.18.
   e. Click OK.
   f. Select the Status Run/Rerun Security Evaluation icon to run the security evaluation.
   g. Review the results to determine which issues you need to resolve on the NSA.
2. From the taskbar, open Chrome.
3. Maximize Chrome for easier viewing.
4. In the URL field, type 198.28.56.18 and press Enter.
5. In the Security Appliance Configuration utility, enter cisco as the username.
6. Enter cisco as the password.
7. Select Log In.
8. Rename the cisco user account as follows:
   a. From the Getting Started (Basic) page, select Change Default Admin Password and Add Users.
   b. Select Edit for the cisco username.
   c. In the User Name field, enter the username you chose.
   d. Select Check to Edit Password.
   e. In the Enter Current Logged in Administrator Password field, enter cisco.
   f. In the New Password field, enter the password you chose.
   g. In the Confirm New Password field, enter the password to confirm the new password.
   h. Enter the idle timeout.
   i. Click Apply.
9. Edit user policies as follows:
   a. Under Edit User Policies, select Login to configure a login policy.
   b. Select Deny Login from WAN Interface.
   c. Click Apply.
10. Define network access as follows:
   a. Under Edit User Policies, select By IP to configure IP address restrictions for login.
   b. Under Defined Addresses, select Add.
   c. In the Source Address Type field, make sure IP Address is selected.
   d. In the Network Address/IP Address field, enter 192.168.0.31 for ITAdmin.
   e. Click Apply.
   f. Select Allow Login only from Defined Addresses.
   g. Click Apply to close the dialog.
11. Verify that all the issues were resolved using the Security Evaluator feature on the ITAdmin computer as follows:
   a. From the taskbar, open Security Evaluator.
   b. In Security Evaluator, select the Status Run/Rerun Security Evaluation icon to rerun the security evaluation.
   c. Remediate any remaining issues.

Design flaws

Every operating system or device has bugs or defects in its design. Hackers take advantage of design flaws such as broken authentication and access control, cross-site scripting, insufficient logging and monitoring, and incorrect encryption.

Application flaws

Flaws in the validation and authorization of users present the greatest threat to security in transactional applications. This type of assessment evaluates deployment and communication between the server and client. It is imperative to develop tight security through user authorization and validation. Both open-source and commercial tools are recommended for this assessment.

Which of the following assessment types focus on all types of user risks, including threats from malicious users, ignorant users, vendors, and administrators?

Host-based assessment

Which of the following assessment types relies on each step to determine the next step, and then only tests relevant areas of concern?

Inference-based

Which of the following government resources is a dictionary of known patterns of cyberattacks used by hackers?

CAPEC

Default settings

It is important to check default settings, especially for default SSIDs and admin passwords. If a company never changes the default admin passwords or the default SSID to combinations unique to the company, it is very simple for an attacker to gain access to the network.

Jessica, an employee, has come to you with a new software package she would like to use. Before you purchase and install the software, you would like to know if there are any known security-related flaws or if it is commonly misconfigured in a way that would make it vulnerable to attack. You only know the name and version of the software package. Which of the following government resources would you consider using to find an answer to your question?

NVD

Which of the following best describes Qualys Vulnerability Management assessment tool?

It is a cloud-based service that keeps all your data in a private virtual database.

You are looking for a vulnerability assessment tool that detects vulnerabilities in mobile devices and gives you a report containing a total risk score, a summary of revealed vulnerabilities, and remediation suggestions. Which of the following vulnerability assessment tools should you use?

SecurityMetrics Mobile

Which of the following phases of the vulnerability management lifecycle implements patches, hardening, and correction of weaknesses?

The remediation phase

Run a vulnerability scan for the Office2 workstation using the Security Evaluator on the taskbar. Remediate the vulnerabilities found in the vulnerability report on Office2 as follows:
1. Rename the Administrator account.
2. Disable the Guest account.
3. Set the password for the Mary account to expire.
4. Require a strong password for the Mary account.
5. Unlock the Susan account.
6. Remove the Susan account from the Administrators group.
7. Turn on Windows Firewall for all profiles.
8. Remove the file share on the MyMusic folder.
Re-run a vulnerability scan to make sure all of the issues are resolved.

In this lab, your task is to:
1. Run a vulnerability scan for the Office2 workstation using the Security Evaluator on the taskbar.
2. Remediate the vulnerabilities found in the vulnerability report on Office2 as follows:
   a. Rename the Administrator account.
   b. Disable the Guest account.
   c. Set the password for the Mary account to expire.
   d. Require a strong password for the Mary account.
   e. Unlock the Susan account.
   f. Remove the Susan account from the Administrators group.
   g. Turn on Windows Firewall for all profiles.
   h. Remove the file share on the MyMusic folder.
3. Re-run a vulnerability scan to make sure all of the issues are resolved.

Complete this lab as follows:

1. Run a Security Evaluator report as follows:
   a. From the taskbar, open Security Evaluator.
   b. Next to Local Machine, select the Target icon to select a new target.
   c. Select Workstation.
   d. From the Workstation drop-down list, select Office2 as the target.
   e. Click OK.
   f. Select the Status Run/Rerun Security Evaluation icon to run the security evaluation.
   g. Review the results to determine which issues you need to resolve on Office2.
2. From the top navigation tabs, select Floor 1.
3. Under Office 2, select Office2.
4. On Office2, right-click Start and select Computer Management.
5. Expand Local Users and Groups.
6. Select Users.
7. Rename a user account as follows:
   a. Right-click Administrator and select Rename.
   b. Enter a new name and press Enter.
8. Disable the Guest account as follows:
   a. Right-click Guest and select Properties.
   b. Select Account is disabled and then click OK.
9. Set a new password as follows:
   a. Right-click Mary and select Set Password.
   b. Select Proceed.
   c. Enter a new password (12 characters or more).
   d. Confirm the new password and then click OK.
   e. Click OK.
   Ideally, you should have created a policy that requires passwords with 12 characters or more.
10. Set a password to expire as follows:
   a. Right-click Mary and select Properties.
   b. Deselect Password never expires.
   c. Select User must change password at next logon and then click OK.
11. Unlock a user account and remove the user from a group as follows:
   a. Right-click Susan and select Properties.
   b. Deselect Account is locked out and then click Apply.
   c. Select the Member of tab.
   d. Select Administrators.
   e. Select Remove.
   f. Click OK.
   g. Close Computer Management.
12. Enable Windows Firewall for all profiles as follows:
   a. In the search field on the taskbar, enter Control Panel.
   b. Under Best match, select Control Panel.
   c. Select System and Security.
   d. Select Windows Firewall.
   e. Select Turn Windows Firewall on or off.
   f. Under Domain network settings, select Turn on Windows Firewall.
   g. Under Private network settings, select Turn on Windows Firewall.
   h. Under Public network settings, select Turn on Windows Firewall.
   i. Click OK.
   j. Close Windows Firewall.
13. Remove a file share as follows:
   a. From the taskbar, open File Explorer.
   b. Browse to C:\MyMusic.
   c. Right-click MyMusic and select Properties.
   d. Select the Sharing tab.
   e. Select Advanced Sharing.
   f. Deselect Share this folder.
   g. Click OK.
   h. Click OK.
14. Use the Security Evaluator feature to verify that all of the issues on the ITAdmin computer were resolved as follows:
   a. From the top navigation tabs, select Floor 1.
   b. Select ITAdmin.
   c. In Security Evaluator, select Status refresh to rerun the security evaluation.
   d. If you still see unresolved issues, select Floor 1, navigate to the Office2 workstation, and remediate any remaining issues.

An ethical hacker is running an assessment test on your networks and systems. The assessment test includes the following items:
Inspecting physical security
Checking open ports on network devices and router configurations
Scanning for Trojans, spyware, viruses, and malware
Evaluating remote management processes
Determining flaws and patches on the internal network systems, devices, and servers
Which of the following assessment tests is being performed?

Internal assessment

Clive, a penetration tester, is scanning for vulnerabilities on the network, specifically outdated versions of Apple iOS. Which of the following tools should he use?

Nessus

Misconfigurations

The primary cause of misconfiguration is human error. Web servers, application platforms, databases, and networks are all at risk of unauthorized access. Areas to check include outdated software, unnecessary services, external systems that are incorrectly authenticated, security settings that have been disabled, and debug enabled on a running application.

