8 - Vulnerability Management


Center for Internet Security (CIS)

A not-for-profit organization (founded partly by SANS). It publishes the well-known "Top 20 Critical Security Controls" (or system design recommendations). Also produces benchmarks for various aspects of cybersecurity.

Hashcat

A password recovery tool, if you view its use as benign, or a password cracking tool, if used with malicious intent. At one point in its development, it was rewritten to take advantage of the processing power available in graphics processing units (GPUs). A cracking "rig" set up with multiple graphics adapters is capable of brute forcing eight-character passwords within hours.

Vulnerability Identification Processes

1. Collect a predetermined set of target attributes, such as specific parameters or rules for a firewall, or the security policy for a Windows server.
2. Analyze and document the differences between the current configuration and the baseline.
3. Report on the results.

Host Hardening Security Checklist

1. Remove (or disable) devices that have no authorized function. These could include a legacy modem or floppy disk or standard optical disk drives, USB ports, and so on.
2. Install OS and application patches and driver/firmware updates (when they have been tested for network compatibility) according to a regular maintenance schedule. Patches for critical security vulnerabilities may need to be installed outside the regular schedule.
3. Uninstall all but the necessary network protocols.
4. Uninstall or disable services that are not necessary (such as local web server or file and print sharing) and remove or secure any shared folders.
5. Enforce Access Control Lists on resources, such as local system files and folders, shared files and folders, and printers.
6. Restrict user accounts so that they have least privilege over the workstation (especially in terms of installing software or devices).
7. Secure the local administrator or root account by renaming it and applying a strong password.
8. Disable unnecessary default user and group accounts (such as the Guest account in Windows) and verify the permissions of system accounts and groups (removing the Everyone group from a folder's ACL, for instance).
9. Install malware protection software and configure it to receive definition updates regularly. Security software should also be configured so that the user cannot disable it and so that it automatically scans files on removable drives that have been downloaded from the Internet, or received as email/IM file attachments.

Verification of Mitigation

A remediation action is not complete until you have tested that the fix provides complete mitigation of the vulnerability. In some cases, this may simply be a case of rescanning the host with the latest vulnerability feed. More complex cases might require advanced assessment, such as pen testing, to validate that potential attack vectors have been closed.

CVSS Base Metric: Attack Complexity (AC)

High (H) or Low (L). This represents conditions that might frustrate a successful exploit and that the attacker cannot easily control.

Qualys

A cloud-based service. Users install sensors at various points in their network, which can include cloud locations, and the sensors upload data to the cloud platform for analysis. The sensors can be implemented as agent software running on a host, as a dedicated appliance, or as a virtual machine (VM) running on a platform such as VMware. You can also deploy passive network sensors, out-of-band sensors for air-gapped hosts, and agents for cloud infrastructure and container apps. As well as the network vulnerability scanner, there is an option for web application scanning.

Common Weakness Enumeration (CWE)

A community-developed list of software and hardware weakness types. It serves as a common language, a measuring stick for security tools, and as a baseline for weakness identification, mitigation, and prevention efforts.

Common Attack Pattern Enumeration and Classification (CAPEC)

A comprehensive dictionary of known patterns of attack employed by adversaries to exploit known weaknesses in cyber-enabled capabilities. It can be used by analysts, developers, testers, and educators to advance community understanding and enhance defenses. Comparable to the ATT&CK database, but focuses on application security and exploit techniques specifically, while ATT&CK is a tool for understanding adversary behaviors within a network intrusion event.

Inhibitors to Remediation: Service level agreement (SLA)

A contractual agreement setting out the detailed terms under which an ongoing service is provided. The terms are binding on both parties, and in any dispute a court will consider a strict interpretation of the terms.

Compensating Controls

A control that replaces a control specified in a compliance framework. The framework might allow the use of a compensating control if there are sound technical or business reasons for not deploying the recommended control. The control must give the same level of security assurance as the control it is replacing. Completely isolating an unpatchable system from the network could be an example of a __________ control, but the procedures for ensuring this isolation must be robust and demonstrable.

Common Vulnerabilities and Exposures (CVE)

A dictionary of vulnerabilities in published operating systems and applications software (cve.mitre.org). Several elements make up a vulnerability's entry in the CVE:
An identifier in the format CVE-YYYY-####, where YYYY is the year the vulnerability was discovered, and #### is at least four digits that indicate the order in which the vulnerability was discovered.
A brief description of the vulnerability.
A reference list of URLs that supply more information on the vulnerability.
The date the vulnerability entry was created.

Common Vulnerability Scoring System (CVSS)

A free and open industry standard for assessing the severity of computer system security vulnerabilities. Attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to threat. Scores are calculated based on a formula that depends on several metrics that approximate ease of exploit and the impact of exploit. Scores range from 0 to 10, with 10 being the most severe.

Server-Based Scanner

A group of scanners will be managed by an administration server where the scan types and frequency are configured and reports are received and processed.

Nmap Port Scan: TCP connect (-sT)

A half-open scan requires Nmap to have privileged access to the network driver so that it can craft packets. If privileged access is not available, Nmap has to use the OS to attempt a full TCP connection. This type of scan is less stealthy.

Responder

A man-in-the-middle type tool that exploits name resolution on Windows networks. If a Windows host cannot resolve a domain or host name via a DNS server, by default it falls back to querying other hosts on the local segment using Link Local Multicast Name Resolution (LLMNR), and if that fails, via the NetBIOS over TCP/IP Name Service (NBT-NS). Designed to intercept LLMNR and NBT-NS requests and return the attacker's host IP as the name record, causing the querying host to establish a session with it. For a protocol such as Windows File Sharing/Server Message Block (SMB), this will allow the attacker to retrieve password hashes and try to crack them.

Full/Deep Assessment Scan

A more comprehensive scan can be configured by forcing the use of all (or more) plug-in types. The scanning of each host takes longer, and there may be more risk of service disruption. It is also likely to be configured to ignore previous results and rescan for each type of vulnerability.

Why might an SLA be a barrier to remediating a vulnerability?

A service level agreement (SLA) is likely to specify maximum downtime periods or minimum uptime guarantees. If remediating the vulnerability will cause downtime, the SLA may be breached. Also, maintenance windows might restrict the timing of service intervals. It is best to agree to exceptions in the SLA so that critical vulnerabilities can be patched promptly.

Common Platform Enumeration (CPE)

A structured naming scheme for information technology systems, software, and packages. Based upon the generic syntax for Uniform Resource Identifiers, CPE includes a formal name format, a method for checking names against a system, and a description format for binding text and tests to a name. It covers operating systems, applications, and hardware devices. Now maintained by NIST (nvd.nist.gov/products/cpe). Expressed as a URI in the following format: cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}

Inhibitors to Remediation: Legacy system

A system that is no longer supported by its developer or vendor; also referred to as an end-of-life system. End-of-life systems no longer receive security updates and so represent a critical vulnerability if any remain in active use.

National Vulnerability Database

A vulnerability database. NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), which is a synthesis of interoperable specifications derived from community ideas.

Agent-Based Scanning

A vulnerability management system may use agent-based scanning to supplement the network-based scanners. An agent is software installed locally to each host. The agent is managed by the administration server and runs scans and sends reports according to the set schedule.

Nmap Scripting Engine (NSE)

Allows users to write (and share) simple scripts (using the Lua programming language) to automate a wide variety of networking tasks. Those scripts are executed in parallel with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs.

Open Vulnerability and Assessment Language (OVAL)

An XML schema for describing system security state and querying vulnerability reports and information.

Extensible Configuration Checklist Description Format (XCCDF)

An XML schema for developing and auditing best-practice configuration checklists and rules. Previously, best-practice guides might have been written in prose for system administrators to apply manually. XCCDF provides a machine-readable format that can be applied and validated using compatible software.

Nmap Port States: Open

An application on the host is accepting connections.

hping

An open-source spoofing tool that provides a pen tester with the ability to craft network packets to exploit vulnerable firewalls and IDSs.

How do you distinguish non-critical from critical systems?

Analyze business processes and identify the ones that the business could not afford not to run. The assets that support these essential services and functions are critical assets.

Nmap: TCP Idle scanning (-sI)

Another way to make a scan stealthy is to use a so-called "zombie" host to appear to start the scan, disguising the identity of the host used to launch the scan. This type of scan takes much longer to complete than ordinary ping detection. Another masking option is to use the -D switch to add a number of decoy source IP addresses.

Attack Surface

Any area where an unauthenticated user can run or input code into the system. This is split into three areas: network, software, and human. While these are technically only a measure of how unauthenticated users can access the system, another attack can come from a trusted employee. There are ways of reducing the attack surface, such as offering fewer functions to which users can add code, having less code in general, and partitioning these functions so that only trusted users can access them. Reducing the attack surface does not reduce the damage an attack can inflict, only the odds that an attack will occur.

CVSS Base Metric: Confidentiality (C), Integrity (I), and Availability (A)

High (H), Medium (M), or Low (L). Where the metrics above assess exploitability, these three separate metrics measure impacts to the CIA triad.

CVSS Score of 7.0+

High Severity

Vulnerability Feed

As with antimalware software, a vulnerability scanner needs to be kept up to date with information about known vulnerabilities. This information is often described as a _________, though the Nessus tool refers to these feeds as plug-ins, and Greenbone/OpenVAS refers to them as network vulnerability tests (NVTs). Often the vulnerability feed forms an important part of scan vendors' commercial models as the latest updates require a valid subscription to acquire.

Common Configuration Enumeration (CCE)

Assigns unique entries to configuration guidance statements and configuration controls to improve workflow by facilitating fast and accurate correlation of configuration issues present in disparate domains. In this way, it is similar to other comparable data standards such as the Common Vulnerability and Exposure (CVE®) List, which assigns identifiers to publicly known system vulnerabilities. Now maintained by NIST (nvd.nist.gov/config/cce).

Nmap Port Scan: Port range (-p)

By default, Nmap scans 1,000 commonly used ports. Use the -p argument to specify a port range. You can also use --exclude-ports.

How is scan scope most likely to be configured?

By specifying a target IP address or IP address range. Different products have different methods of storing this information (as groups or targets, for instance).

airodump-ng

Capture 802.11 frames. Use this output to identify the MAC address of the access point (its Basic Service Set ID) and the MAC address of a victim client device.

What is a CPE?

Common Platform Enumeration (CPE) is a standardized way of referring to OS and application software and hardware appliances, maintained by NIST.

Configuration Baseline

Comprises the recommended settings for services and policy configuration for a server operating in a particular application role (web server, mail server, file/print server, and so on). The scanner uses the template to compare to the host configuration and report any deviations. A deviation should either be remediated to mitigate the vulnerability, or if this is not possible, classified as an accepted risk and managed as an exception.

CVSS Score of 9.0+

Critical Severity

Does a CVSS score of 9.1 represent a critical vulnerability or a low-priority finding?

Critical vulnerability.

Reaver

Designed to exploit the Wi-Fi Protected Setup (WPS) mechanism. WPS is designed to simplify the process for clients to join a preshared key-protected wireless network. The implementation of the PIN-based WPS security mechanism is flawed, making brute force attacks against it feasible in a time frame of a few hours. WPS should not be used in an enterprise context. On a home network, the feature should be disabled unless the access point supports some mitigating control, such as rate-limiting attempts to authenticate by PIN.

aircrack-ng

Extract the authentication key and try to retrieve the plaintext, using a dictionary or brute force attack.

True or false? A port that is reported as "closed" by Nmap is likely to be one protected by a firewall.

False. A closed port responds to probes with an RST because there is no service available to process the request. This means that the port is accessible through the firewall. A port blocked by a firewall is in the "filtered" state.

Nmap Port States: Filtered

Filtered—Nmap cannot probe the port, usually because a firewall is silently discarding the probes.

aireplay-ng

Inject frames to perform an attack to obtain the authentication credentials for an access point. This is usually performed using a deauthentication attack. Forcing the victim station to reauthenticate generates the required traffic. A deauthentication attack can also be used for DoS.
aireplay-ng --deauth 0 1 -a [APMAC/BSSID] -c [VictimMAC] wlan0

Inhibitors to Remediation: Proprietary system

Either a system that was developed in-house, or one that is not widely marketed. This type of system presents a risk because support resources are limited, often to the original development team. If those support resources are no longer contactable, the system can become unpatchable.

airmon-ng

Enable and disable monitor mode.

Which security controls support hardening?

Hardening depends on configuration baselines so that any unnecessary ports, services, and interfaces can be disabled and appropriate settings and permissions applied to software and the file system. Effective patch management procedures and endpoint security products are also important.

Nmap Output: Interactive

Human-readable output designed to be viewed on-screen.

Nmap Output: Normal (-oN)

Human-readable output directed to a file for analysis later.

Asset Criticality

Identified through the processes of system identification and risk assessment. The nature of an asset will also determine the tools you use to detect and manage its vulnerabilities.

hping: Traceroute

If ICMP is blocked on a local network, hping offers alternative ways of mapping out network routes. hping can use arbitrary packet formats, such as probing DNS ports using TCP or UDP, to perform traces. As with ICMP, the TTL value is manipulated to identify each host on the path between source and destination machines.

Special Considerations for Scanning: Intrusion Prevention System (IPS), Intrusion Detection System (IDS), and Firewall Settings

In addition to host or application credentials, you need to ensure that the vulnerability scanner can work in conjunction with other security systems. An agent-based scanner will need to be able to communicate with the management server through firewalls using appropriate port ranges. The operation of agent-based scans may also be blocked by intrusion detection/prevention systems or antimalware systems unless appropriate exclusions are configured.

Report Validation: Identify exceptions

In some cases, you'll have chosen to accept or transfer the risk of a specific vulnerability because it fits within your risk appetite to do so. Nevertheless, the scanner may still produce this vulnerability in its report. You can therefore mark this item as an exception so that it won't contribute to your remediation plan. For example, a scanner may tell you that port 80 is open on your web server. This is certainly a common vector of attack, but the port must remain open so that the system can fulfill its function.

Which inhibitor to remediation has been omitted from the following list? Memorandum of understanding (MoU), service level agreement (SLA), organizational governance, business process interruption, degrading functionality, proprietary systems.

Legacy system—A system that is no longer supported by its developer or vendor, also referred to as an end-of-life system. End-of-life systems no longer receive security updates and so represent a critical vulnerability if any remain in active use.

Compliance Scans and Regulatory Requirements

Legal and regulatory environments will usually be accompanied by a security framework or checklist of the controls and configuration settings that must be in place. Security software products such as IDS, SIEM, and vulnerability scanners can often be programmed with compliance templates and used to scan for deviations from the template. Some sources of external compliance may dictate a scanning frequency that your organization must follow; others take a more hands-off approach and simply require that you have a plan in place to scan at certain intervals.

hping: Host/port detection and firewall testing

Like Nmap, hping can be used to probe IP addresses and TCP/UDP ports for responses.
Send a single SYN packet to port 80 (-c determines the count). Expect a SYN ACK response if the port is open. A closed port may respond with an RST, or the probe may be dropped silently.
hping3 -S -p80 -c1 10.1.0.254
Send an ACK. Expect an RST response if the port is open. Most modern firewalls will detect this type of scan and not respond, however.
hping3 -A 10.1.0.254 -p 80 -c 1

CVSS Score of 0.1+

Low Severity

Inhibitors to Remediation: Organizational Governance

May make it difficult for security personnel to implement remediation if higher-level decision makers do not sign off on the fixes. They may not understand the importance of remediating the affected component, or they may decide that the suggested remediation is not worth the time and expense. Formal change control procedures are an example of the sort of organizational governance factors that can prove an inhibitor to deploying remediating controls. Prohibitive cost (monetary, employee time, or both) is also likely to be a strong inhibiting factor.

Passive Scanning

Means analyzing indirect evidence resulting from a certain configuration, such as the types of traffic generated by a device or their behavior, for example. A _____ scanner, such as Zeek, intercepts network traffic (usually via a mirroring port) and tries to identify policy deviations or Common Vulnerabilities and Exposures (CVE) matches. This type of scanning has the least impact on the network and on hosts but is less likely to identify vulnerabilities comprehensively. It is also the approach an attacker is likely to take when trying to scan your network stealthily. It may be used as a technique where active scanning poses a serious risk to system stability, such as scanning print devices, VoIP handsets, or embedded systems networks.

Active Scanning

Means probing the device's configuration using some sort of network connection with the target. This consumes more network bandwidth and runs the risk of crashing the target of the scan or causing some other sort of outage. This scanning can take various forms, including non-credentialed versus credentialed, and agent-based versus server-based.

Risk Acceptance

Means that no countermeasures are put in place, either because the level of risk does not justify the cost or because there will be unavoidable delay before the countermeasures are deployed. In this case you should continue to monitor the risk (as opposed to ignoring it).

CVSS Score of 4.0+

Medium Severity

What is a plug-in in the context of vulnerability management?

Plug-in refers to vulnerability feeds in Tenable Nessus. A vulnerability feed contains information about new exploits and security patches.

Patching

Most individual systems are configured to check for and install ________ automatically. The major OS and applications software products are well-supported in terms of vendor-supplied fixes for security issues. Enterprise networks need to be cautious about this sort of automated deployment, however. There can also be performance and management issues when multiple applications run update clients on the same host. These issues can be mitigated by deploying an enterprise patch management suite. Some suites, such as Microsoft's System Center Configuration Manager (SCCM)/Endpoint Manager (docs.microsoft.com/en-us/configmgr), are vendor-specific, while others are designed to support third-party applications and multiple OSs.

Special Considerations for Scanning: Segmentation

Most networks are divided into separate zones, represented by virtual LANs (VLANs) and IP subnets. When you perform vulnerability scanning across a __________ network, you need to consider the requirements and limitations:
A server-based scanner must be able to communicate with remote subnets, possibly including multiple VLANs, and through one or more firewalls. Alternatively, multiple scanning host nodes can be deployed in multiple segments and configured to report back to a central management server.
An agent-based scanner must be able to communicate reports to the management server.
With server-based scanners, you also need to consider potential bandwidth impacts on network links. Use scheduling to scan different computer groups at different times. Most scanning software has the option to configure bandwidth throttling to prevent scans from overutilizing a network link.

Nmap Port States: Unfiltered

Nmap can probe the port but cannot determine whether it is open or closed. This port state is used with an ACK scan, the purpose of which is to test a firewall ruleset.

CVSS Score of 0

No Severity

CVSS Base Metric: User Interaction (UI)

None (N) or Required (R). Whether an exploit of the vulnerability depends on some local user action, such as executing a file attachment.

CVSS Base Metric: Privileges Required (PR)

None (N), Low (L), or High (H). This represents permissions such as guest, standard user, and administrator.

CVSS Base Metric: Attack Vector (AV)

Physical (P), Local (L), Adjacent network (A), or Network (N). Local means shell access, either interactively or through a remote shell. Adjacent network refers to an attacking host within the same broadcast domain (link-local) as the target. Network refers to a vulnerability that can be exploited from a remote network (different subnet).

Nmap Scripting Engine (NSE) scripting probing examples

OS detection and platform enumeration. Windows user account discovery. Identify logged-on Windows user. Perform basic vulnerability detection. Probe web servers to gather HTTP data and identify web applications. Add geolocation to traceroute probes.

hping: Fragmentation

One firewall/IDS evasion technique is to fragment packets. While this style of attack is unlikely to work against modern systems, it is an example of the way packet crafting can be used to develop intrusion techniques.

Nmap: Sparse scanning (--scan-delay <Time>)

One of the principal means of making a scan stealthy is to collect results over an extended period. You can set Nmap to issue probes with significant delays between each probe to try to defeat intrusion detection systems. Of course, this makes host discovery a lengthy process. You can also configure delays using a timing template (-Tn, where n is a number from 0 to 5, with 0 being slowest). Another IDS evasion technique is to scan the scope in a random order (--randomize-hosts).

OpenVAS

Open-source software, originally developed from the Nessus codebase at the point where Nessus became commercial software. The scanner is available as part of the Greenbone Community Edition security appliance, as an enterprise product called Greenbone Security Manager (greenbone.net), and as source code or precompiled packages for installation under Linux. Versions for Windows have been maintained in the past, but Windows is not supported at the time of writing.

Nmap Output: XML (-oX)

Output using XML formatting to delimit the information.

What type of vulnerability scanning is being performed if the scanner sniffs traffic passing over the local segment?

Passive scanning.

What is the function of the -A switch in Nmap?

Performs service detection (verify that the packets delivered over a port correspond to the "well known" protocol associated with that port) and version detection (using the scripts marked "default").

Assessment Scanning Risks

Potentially disruptive to hosts and can generate significant network traffic. This risk is markedly increased when scanning devices other than PC clients and servers. Devices such as printers, VoIP phones, and embedded systems components can react unpredictably to any type of scanning activity (including simple port enumeration), with possible effects including crashes and resets.

Nessus

Produced by Tenable Network Security (tenable.com/products/nessus/nessus-professional), Nessus is one of the best-known commercial vulnerability scanners. It is available in on-premises (Nessus Manager) and cloud (Tenable Cloud) versions, as well as a Nessus Professional version designed for smaller networks. The product is free to use for home users but paid for on a subscription basis for enterprises. As a previously open-source program, Nessus also supplies the source code for many other scanners. Default scans can be performed using the plug-ins from Nessus's subscription feeds. A custom plug-in can be created using Nessus Attack Scripting Language (NASL). Nessus Professional allows remote scanning of hosts, while Nessus Manager and Tenable Cloud can work with locally installed agent software.

Mapping/Enumeration and Scope

Refers to the range of hosts or subnets included within a single scan job. This will be configured in the scan as a single IP address or range of IP addresses. If you have a large network, it is sensible to schedule scans of different portions of the network for separate times. This will reduce the impact on network performance and make it easier to analyze the results of each scan. You might also devise scans of limited scope to identify particular issues or meet a particular compliance goal. Asset criticality might also affect scanning scope, with targeted scans of critical assets being scheduled more often.

What can you do to reduce a high number of false positives returned when performing vulnerability scanning?

Remove non-applicable vulnerabilities from the scan, update heuristics baselines, create exceptions, and run credentialed scans.

What methods can you use to validate the results of a vulnerability scan?

Repeat the scan (possibly using a different scanner), review logs and other data sources, and compare to compliance or configuration baselines. You might also attempt to actively exploit a vulnerability using pen testing.

Nmap Port States: Closed|Filtered

Reported by TCP Idle scans that cannot determine whether the port is closed or filtered.

Nmap Port States: Open|Filtered

Reported by some types of scan (notably UDP and IP protocol) when Nmap cannot determine if the port is open or filtered.

Report Validation: Correlate the scan results with other data sources

Reviewing related system and network logs can also enhance the validation process. As an example, assume that your vulnerability scanner identified a running process on a Windows machine. According to the scanner, the application that creates this process is known to be unstable, causing the operating system to lock up and crash other processes and services. When you search the computer's event logs, you notice several entries over the past couple of weeks indicating that the process has failed. Additional entries show that a few other processes fail right after. In this instance, you've used a relevant data source to help confirm that the vulnerability alert is, in fact, valid.

Assessment Scan Workflow

The part of your vulnerability management plan that deals with executing scans and other assessments should answer various questions, including:
Who will conduct the scan(s)?
When will the assessor conduct the scan(s)?
Which systems will the assessor scan?
How will these scans impact these systems?
Do these systems need to be isolated during the scans, or can the systems remain in production?
Who can the assessor contact if they need assistance?

Nmap Port Scan: UDP scans (-sU)

Scan UDP ports. As these do not use ACKs, Nmap needs to wait for a response or timeout to determine the port state, so UDP scanning can take a long time. A UDP scan can be combined with a TCP scan.

Credentialed Scan

The scan is given a user account with log-on rights to various hosts, plus whatever other permissions are appropriate for the testing routines. This sort of test allows much more in-depth analysis, especially in detecting when applications or security settings may be misconfigured. It also shows what an insider attack, or one where the attacker has compromised a user account, may be able to achieve.

Non-credentialed Scan

A scan that proceeds by directing test packets at a host without being able to log on to the OS or application. Consequently, the only view obtained is the one that the host exposes to the network. The test routines may be able to include things such as using default passwords for service accounts and device management interfaces, but they are not given privileged access. While you may discover more weaknesses with a credentialed scan, you sometimes will want to narrow your focus to think like an attacker who doesn't have specific high-level permissions or total administrative access. This scanning is often the most appropriate technique for external assessment of the network perimeter.

How do technical constraints impact scanning frequency?

Scanning can cause system instability and consume network bandwidth, so it is best performed when the network is not heavily utilized and when the target systems are not performing critical tasks.

Nmap Port States: Closed

The port responds to probes (with a reset [RST] packet), but no application is available to accept connections.

Describe one advantage and one disadvantage of using the -T0 switch when performing an Nmap scan.

This sets an extremely high delay between probes, which may help to evade detection systems but will take a very long time to return results.

Assessment Scan Scheduling and Constraints

Scanning frequency will depend on internal risk-based compliance. If you determine that you have a greater risk appetite for a certain system or function of the business, you may choose to scan less frequently, and vice versa. In general terms, perform vulnerability assessments: on first deployment of new or updated systems; on identification of new vulnerabilities through penetration tests, or based on general information from vendors, vulnerability databases, or other sources; following a security breach; to satisfy a regulatory audit or other oversight requirement; and when no assessment has been made within a defined period, at a frequency determined for each scope by your risk assessments. Scanning frequency might also be affected by technical constraints and types of data.

Report Validation: Compare to best practices

Some scanners measure systems and configuration settings against best-practice frameworks (a compliance scan). This might be necessary for regulatory compliance or you might voluntarily want to conform to externally agreed standards of best practice. In some cases though, compliance scans might return results that are not high priority or can be considered low risk.

System Hardening

The process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions; in principle a single-function system is more secure than a multipurpose one. Reducing available ways of attack typically includes changing default passwords, the removal of unnecessary software, unnecessary usernames or logins, and the disabling or removal of unnecessary services.

Aircrack-ng

Suite of utilities (aircrack-ng.org) is one of the early tools designed for wireless network security testing. Made up of a number of command-line tools.

Inhibitors to Remediation: Degrading Functionality

The chance that the remediation control will degrade functionality, either temporarily or permanently. Even something as simple as patching a system might involve downtime (a system reboot, for instance). Remediation might permanently affect functionality too; a system might need to be decommissioned, a feature may have to be disabled, more intensive scanning might degrade performance, or stricter procedures might impact current working practices. Degradation of functionality is often the case with systems that are flawed by design—those that did not incorporate security as a fundamental element of the design process. These systems may not be able to operate as desired if security restrictions are placed on them.

Remediation/Mitigation

The overall process of reducing exposure to the effects of risk factors. If you deploy a countermeasure that reduces exposure to a threat or vulnerability, that is risk deterrence (or reduction). Risk reduction refers to controls that can either make a risk incident less likely or less costly (or perhaps both). Reports generated by a vulnerability assessment may offer suggestions as to how to fix any detected security issues. Even if they don't, you'll likely need to put any vulnerabilities through the process of remediation. Remediation is not just an effortless process of applying a quick fix; it's a comprehensive approach to managing the risk that vulnerabilities present to the organization. The goal is to move the organization as close as possible to reaching a level of acceptable risk for a given situation.

How does the regulatory environment affect vulnerability scanning?

The regulator might impose requirements on types of scans and scan frequency to remain compliant.

Inhibitors to Remediation: Business Process Interruption

The suggested remediation method may lead to a necessary business process interruption. In some cases, this type of interruption is considered too much of a risk to the business's operations. Or, the interruption is at least enough of a risk that the remediation, if successful, is not worth implementing. Where the control impacts other business processes, perhaps making it harder for staff in sales or marketing to do their jobs, there may be strong pushback from the owners of those functions. You will need evidence of the necessity of the remediation action to build a convincing case. This evidence is likely to be compiled as part of an incident lessons-learned review and reporting process.

Types of Data

The type of data processed by the target of the scan will also affect the scanning frequency and the scanning technique. Classifying data as sensitive versus non-sensitive helps the vulnerability management program determine how vulnerabilities in data handling should be identified and remediated. If a system processes highly confidential data, it may not be appropriate to configure a credentialed scan, as that will effectively allow the scan administrator privileged access to the host.

Security Content Automation Protocol (SCAP)

These tools adhere to standards for scanning processes, results reporting and scoring, and vulnerability prioritization. Commonly used to uphold internal and external compliance requirements. Some tools that are not officially _____-validated have plug-ins that can still export scan data to a _____-compliant format.

Enumeration Tools: Footprinting

These tools map out the layout of a network, typically in terms of IP address usage, routing topology, and DNS namespace (subdomains and hostnames). Can be performed in active, nonstealthy modes to obtain quick results at the risk of detection or by using slow semi-passive and passive techniques.

Enumeration Tools: Fingerprinting

These tools perform host system detection to map out open ports, OS type and version, file shares, running services and applications, system uptime, and other useful metadata. Can be performed by active, semi-passive, and passive tools.

Enumeration Tools: Open-source Intelligence (OSINT)

These tools query publicly available information, mostly using web and social media search tools. This can be considered a fully passive approach.

Nmap Output: Grepable output (-oG)

This delimits the output using one line for each host and tab, slash, and comma characters for fields. This format makes it easier to parse the output using the grep Linux regular expressions command (or any other regex tool).

A mission essential function relies on a server running an unsupported OS, which can no longer be patched. The system can only be accessed from a hardened jump box management station and is physically stored in a lockable cabinet with CCTV monitoring. What type of remediation has been applied in this scenario?

This is a combination of risk acceptance with compensating controls.

Nmap Port Scan: TCP SYN (-sS)

This is a fast technique also referred to as half-open scanning as the scanning host requests a connection without acknowledging it. The target's response to the scan's SYN packet identifies the port state.

Nmap: List scan (-sL)

This lists the IP addresses from the supplied target range(s) and performs a reverse-DNS query to discover any host names associated with those IPs. This can be used to check that you have specified appropriate targets. No probes are directed at the actual hosts.

Nmap: Fragmentation (-f or --mtu)

This technique splits the TCP header of each probe between multiple IP datagrams. The principle is that splitting the header will make it harder for intrusion detection software to analyze. If the sensor attempts to reassemble the packets, that will consume more CPU cycles so that option is sometimes disabled to improve performance. However, as security appliances become more powerful, fragmentation is less likely to succeed as a tactic (and the IDS can be configured to look for unusual fragmentation patterns).

Fast/Basic Assessment Scan

This template is made fast by omitting feed/plug-in classes that are not relevant to the target or that do not need to be assessed. The assessment engine may be able to do this on a "smart" basis, by disabling Windows plug-ins when scanning a Linux host, for instance. It will also omit plug-ins with a higher risk of causing service disruption (that could make an application service crash). These scans can work cumulatively as well, so that results from previous scans are skipped.

Nmap: TCP SYN ping (-PS <PortList>)

To defeat a firewall, the attacker might want to probe ports other than the default HTTP/HTTPS ones. There are numerous other host detection techniques, including TCP ACK, UDP, SCTP INIT, and IP protocol ping.

True or false. The Qualys infrastructure vulnerability management engine is only available as a cloud service.

True, though locally installed agents and sensors can be deployed to gather vulnerability data.

What is the principal challenge in scanning UDP ports?

UDP does not send ACK messages so the scan must use timeouts to interpret the port state. This makes scanning a wide range of UDP ports a lengthy process.

CVSS Base Metric: Scope (S)

Unchanged (U) or Changed (C). This indicates whether the exploit affects only the local security context (U) or not (C). For example, a hypervisor vulnerability might allow an exploit from one VM to other VMs.

How do you run a specific Nmap script or category of scripts?

Use the --script argument with the script name or path or category name.

hping: timestamp

Use the timestamp to determine system uptime. hping3 -c2 -S -p80 --tcp-timestamp 10.1.0.254

Discovery Scan

Used to create and update an inventory of assets (enumeration). There will usually be options to perform host and/or service discovery using different methods. Note that these template types do not scan for any vulnerabilities.

Enumeration Tools

Used to identify and scan network ranges and hosts belonging to the target and map out an attack surface. This is performed to gather intelligence that can be turned into an attack strategy, or conversely, when used as a defensive tool, to reduce the attack surface and mitigate potential attack vectors. Involve at least some sort of active connection to the target. An active connection is one where the attacker transmits data to the target. The attacker machine may make obvious TCP connections to a firewall, send repetitive DNS and reverse DNS queries, or transmit phishing emails to targets within the network. Active techniques are those that will be discovered if the victim is logging or otherwise monitoring network and host connections.

Which CVSS base metric has been omitted from the following list? Access vector, access complexity, privileges required, scope, confidentiality, integrity, availability.

User interaction—Whether an exploit of the vulnerability depends on some local user action, such as executing a file attachment.

Nmap Security Scanner

Uses diverse methods of host discovery and fingerprinting. The tool is open-source software with packages for most versions of Windows, Linux, and macOS. It can be run from the command line or via a GUI.

What is packet injection?

Using software to write packets directly to the network stream, often to spoof or disrupt legitimate traffic.

Inhibitors to Remediation: Memorandum of understanding (MoU)

Usually a preliminary or exploratory agreement to express an intent to work together. Not usually intended to have the effect of a binding contract but must be carefully drafted so as not to create binding conditions.

Scanning Technical Constraints

Vulnerability management program needs to conduct regular, ongoing scans as part of the organization's wider continuous monitoring efforts. Ideally, you'd be able to scan as often as you want, but the security team is not allocated infinite time and resources, and it may be under certain __________. Additionally, you need to consider the possibility that certain scans will disrupt the services that hardware and software systems provide. While some techniques have a negligible impact on performance, others may add significant overhead to computing and network resources. A vulnerability scan can consume a lot of network bandwidth and can impose significant processing load on the target, especially when using agent-based scans. Similarly, a server-based scan will impose load on the host CPU and RAM, and performing scans on multiple hosts simultaneously risks overloading the server.

Report Validation: Reconcile results

Vulnerability scanners can misinterpret the information they get back from their probes. For example, a scan might suggest the presence of an Apache web server in a predominantly Windows environment. You would verify the IP of the server and check that host—perhaps a NAS appliance is operating without your knowledge, or perhaps a software application has installed Apache to work on the local host. If you cannot reconcile a finding, consider running a scan using different software to provide confirmation of the result.

Nmap Port Scan: TCP flags

You can scan by setting TCP header flags in unusual ways. A Null (-sN) scan sets all the TCP flag bits to zero, a FIN (-sF) scan sends an unexpected FIN packet, and an Xmas scan (-sX) sets the FIN, PSH, and URG flags. This was a means of defeating early types of firewalls and IDS.

Nmap Fingerprinting Scan

When open ports are discovered, you can use Nmap with the -sV or -A switch to probe a host more intensively to discover the following information. Protocol: do not assume that a port is being used for its "well known" application protocol; Nmap can probe the service to verify whether it matches the expected signature (HTTP, DNS, SMTP, and so on). Application name and version: the software operating the port, such as Apache web server or Internet Information Services (IIS) web server. OS type and version: use the -O switch to enable OS fingerprinting (or -A to use both OS fingerprinting and version discovery). Host name. Device type: not all network devices are PCs; Nmap can identify switches and routers or other types of networked device, such as NAS boxes, printers, and webcams.

What is the advantage of the Nmap "grepable" output format?

grep is a Linux command for running a regular expression to search for a particular string. Nmap's grepable output is easier for this tool to parse.

hping: Denial of service (DoS)

hping can be used to perform flood-based DoS attacks from randomized source IPs. This can be used in a test environment to determine how well a firewall, IDS, or load balancer responds to such attacks. hping can also be used to perform older network attacks, such as LAND (spoofing the victim's address as both source and destination) and Ping of Death (setting the packet size larger than the maximum allowable 65,535 bytes). While these are not likely to be effective against mainstream OS and network appliances, they can be successful against embedded systems.
