Chapter 5 Security Assessment and Testing
Which element of the SCAP framework can be used to consistently describe vulnerabilities? A. CPE B. CVE C. CVSS D. CCE
B. Common Vulnerabilities and Exposures (CVE) provides a standard nomenclature for describing security-related software flaws. Common Configuration Enumeration (CCE) provides a standard nomenclature for discussing system configuration issues. Common Platform Enumeration (CPE) provides a standard nomenclature for describing product names and versions. The Common Vulnerability Scoring System (CVSS) provides a standardized approach for measuring and describing the severity of security-related software flaws.
Which one of the following values for the CVSS attack complexity metric would indicate that the specified attack is simplest to exploit? A. High B. Medium C. Low D. Severe
C. An attack complexity (AC) of "low" indicates that exploiting the vulnerability does not require any specialized conditions; the attacker can expect repeatable success. In CVSS v3.x this metric has only two values, Low and High, so "Medium" and "Severe" are not valid attack complexity values at all.
Which one of the following assessment techniques is designed to solicit participation from external security experts and reward them for discovering vulnerabilities? A. Threat hunting B. Penetration testing C. Bug bounty D. Vulnerability scanning
C. Bug bounty programs are designed to allow external security experts to test systems and uncover previously unknown vulnerabilities. Bug bounty programs offer successful testers financial rewards to incentivize their participation.
Ryan is planning to conduct a vulnerability scan of a business-critical system using dangerous plug-ins. What would be the best approach for the initial scan? A. Run the scan against production systems to achieve the most realistic results possible. B. Run the scan during business hours. C. Run the scan in a test environment. D. Do not run the scan to avoid disrupting the business.
C. Ryan should first run his scan against a test environment to identify likely vulnerabilities and assess whether the scan itself might disrupt business activities.
Bruce is conducting a penetration test for a client. The client provided him with details of their systems in advance. What type of test is Bruce conducting? A. Gray-box test B. Blue-box test C. White-box test D. Black-box test
C. White-box tests are performed with full knowledge of the underlying technology, configurations, and settings that make up the target. Black-box tests are intended to replicate what an attacker would encounter. Testers are not provided with access to or information about an environment, and instead, they must gather information, discover vulnerabilities, and make their way through an infrastructure or systems like an attacker would. Gray-box tests are a blend of black-box and white-box testing. Blue-box tests are not a type of penetration test.
The Security Content Automation Protocol (SCAP) is an effort by the security community, led by the National Institute of Standards and Technology (NIST), to create a standardized approach for communicating security-related information. This standardization is important to the automation of interactions between security components. The SCAP standards include the following:
CCE (Common Configuration Enumeration), CPE (Common Platform Enumeration), CVE (Common Vulnerabilities and Exposures), CVSS (Common Vulnerability Scoring System), XCCDF (Extensible Configuration Checklist Description Format), and OVAL (Open Vulnerability and Assessment Language)
Capture the flag (CTF)
Capture the flag (CTF) exercises are a fun way to achieve training objectives. In a CTF exercise, the red team begins with set objectives, such as disrupting a website, stealing a file from a secured system, or causing other security failures. The exercise is scored based on how many objectives the red team was able to achieve compared to how many the blue team prevented them from executing.
CCE
Common Configuration Enumeration Provides a standard nomenclature for discussing system configuration issues
CPE
Common Platform Enumeration Provides a standard nomenclature for describing product names and versions
CVE
Common Vulnerabilities and Exposures Provides a standard nomenclature for describing security-related software flaws
CVSS
Common Vulnerability Scoring System Provides a standardized approach for measuring and describing the severity of security-related software flaws
Scan Perspective
Comprehensive vulnerability management programs provide the ability to conduct scans from a variety of scan perspectives. Each scan perspective conducts the scan from a different location on the network (for example, from outside the firewall, from inside the data center, or from an agent on the host itself), providing a different view into vulnerabilities.
Training and exercises
Cybersecurity analysts often participate in training programs that are set up as exercises using a competition-style format, pitting a team of attackers against a team of defenders. Three teams take part: the red team (attackers), the blue team (defenders), and the white team (neutral moderators who run and score the exercise).
Asset inventory
Cybersecurity professionals use scanning tools to search the network for connected systems, whether they were previously known or unknown, and to build an asset inventory.
Kyle is conducting a penetration test. After gaining access to an organization's database server, he installs a backdoor on the server to grant himself access in the future. What term best describes this action? A. Privilege escalation B. Lateral movement C. Maneuver D. Persistence
D. Backdoors are a persistence tool, designed to make sure that the attacker's access persists after the original vulnerability is remediated. Kyle can use this backdoor to gain access to the system in the future, even if the original exploit that he used to gain access is no longer effective.
Grace would like to determine the operating system running on a system that she is targeting in a penetration test. Which one of the following techniques will most directly provide her with this information? A. Port scanning B. Footprinting C. Vulnerability scanning D. Packet capture
B. All of these techniques might provide Grace with information about the operating system running on a device. However, footprinting is a technique specifically designed to elicit this information.
Brian ran a penetration test against a school's grading system and discovered a flaw that would allow students to alter their grades by exploiting a SQL injection vulnerability. What type of control should he recommend to the school's cybersecurity team to prevent students from engaging in this type of activity? A. Confidentiality B. Integrity C. Alteration D. Availability
B. By allowing students to change their own grades, this vulnerability provides a pathway to unauthorized alteration of information. Brian should recommend that the school deploy integrity controls that prevent unauthorized modifications.
bug bounty programs
Programs offered by software and technology companies in which individuals receive recognition and compensation for reporting security vulnerabilities found in an application or system.
Rules of engagement (ROE)
Detailed guidelines and constraints regarding the execution of information security testing. The ROE is established before the start of a security test, and gives the test team authority to conduct defined activities without the need for additional permissions. A ROE document typically covers:
1. The timeline for the engagement and when testing can be conducted
2. What locations, systems, applications, or other potential targets are included or excluded
3. Data handling requirements for information gathered during the penetration test
4. What behaviors to expect from the target
5. What resources are committed to the test
6. Legal concerns, including a review of the laws that cover the target organization, any remote locations, and any service providers who will be in scope
7. When and how communications will occur
XCCDF
Extensible Configuration Checklist Description Format A language for specifying checklists and reporting checklist results
OVAL
Open Vulnerability and Assessment Language A language for specifying low-level testing procedures used by checklists
PCI DSS
Payment Card Industry Data Security Standard
Passive Reconnaissance
Penetration testing technique that seeks to gather information without directly engaging with the target.
Pivoting or lateral movement
Pivoting, or lateral movement, occurs as the attacker uses the initial system compromise to gain access to other systems on the target network.
Privilege escalation
Privilege escalation uses hacking techniques to shift from the initial access gained by the attacker to more advanced privileges, such as root access on the same system.
Penetration testing
Authorized, professional hacking that attempts to access data and computing resources without being granted normal access. Professional pen-testers are hired to identify vulnerabilities so that they can be repaired, and they begin work only once written permission to conduct the test has been obtained.
SCAP
Security Content Automation Protocol
White team
Staff administering, evaluating, and supervising a penetration test or incident response exercise.
Cybersecurity toolkit
You will want to have a network vulnerability scanner, an application scanner, and a web application scanner available for use.
Purple teaming
conducted after an exercise to bring together the red and blue teams for knowledge sharing
Active reconnaissance
Techniques that directly engage the target in intelligence gathering. These include port scanning to identify open ports on systems, footprinting to identify the operating systems and applications in use, and vulnerability scanning to identify exploitable vulnerabilities.
Qualys's vulnerability scanner
It is a more recently developed commercial network vulnerability scanner that offers a distinctive deployment model: a software-as-a-service (SaaS) management console runs scans using appliances located both in on-premises datacenters and in the cloud.
threat hunter
threat hunters use the attacker mindset to search the organization's technology infrastructure for the artifacts of a successful attack. They ask themselves what a hacker might do and what type of evidence they might leave behind and then go in search of that evidence
Kevin recently identified a new security vulnerability and computed its CVSS base score as 6.5. Which risk category would this vulnerability fall into? A. Low B. Medium C. High D. Critical
B. Vulnerabilities with CVSS base scores between 4.0 and 6.9 fit into the medium risk category.
Phases for penetration testing
1. Initial access 2. Privilege escalation 3. Pivoting or lateral movement 4. Persistence
Exam Essentials
1. Many vulnerabilities exist in modern computing environments. 2. Threat hunting discovers existing compromises. 3. Vulnerability scans probe systems, applications, and devices for known security issues. 4. Penetration testing places security professionals in the role of attackers. 5. Bug bounty programs incentivize vulnerability reporting. 6. Cybersecurity exercises ensure that teams are prepared for security incidents.
Web Application Scanners
1. Nikto 2. Arachni 3. Acunetix 4. Nessus 5. Qualys 6. Nexpose
Factors influencing how often an organization decides to conduct vulnerability scans against its systems
1. Organization's risk appetite 2. Regulatory requirements 3. Technical constraints 4. Business constraints 5. Licensing limitations
Stages of penetration testing
1. Permission (the "get out of jail free" card) 2. Reconnaissance: passive or active 3. Running the test 4. Cleaning up
Application Scanners
1. Static testing 2. Dynamic testing 3. Interactive testing
Infrastructure Vulnerability scanners
1. Tenable's Nessus 2. Qualys's vulnerability scanner 3. Rapid7's Nexpose 4. OpenVAS
Types of penetration tests
1. White-box, aka known environment test 2. Black-box, aka unknown environment test 3. Gray-box, aka partially known environment test
Security Vulnerabilities
1. Patch management 2. Legacy platforms 3. Weak configurations 4. Error messages 5. Insecure protocols 6. Weak encryption
weak configurations
1. The use of default settings that pose a security risk, such as administrative setup pages that are meant to be disabled before moving a system to production
2. The presence of unsecured accounts, including both normal user accounts and root accounts with administrative privileges. Accounts are considered unsecured when they either lack strong authentication or use default passwords.
3. Open ports and services that are not necessary to support normal system operations. What is necessary varies with the function of a server or device, but in general a system should expose only the minimum set of services needed to carry out its function.
4. Open permissions that grant users access in violation of the principle of least privilege
Nessus
A network-vulnerability scanner available from Tenable Network Security. Nessus was one of the first vulnerability scanners on the market and remains widely used today.
Tenable's Nessus
A well-known and widely respected network vulnerability scanning product that was one of the earliest products in this field
Tara recently analyzed the results of a vulnerability scan report and found that a vulnerability reported by the scanner did not exist because the system was actually patched as specified. What type of error occurred? A. False positive B. False negative C. True positive D. True negative
A. A false positive error occurs when the vulnerability scanner reports a vulnerability that does not actually exist.
During a vulnerability scan, Brian discovered that a system on his network contained this vulnerability (see image). What security control, if deployed, would likely have addressed this issue? A. Patch management B. File integrity monitoring C. Intrusion detection D. Threat hunting
A. This vulnerability is corrected by a patch that was released by Microsoft in 2017. A strong patch management program would have identified and remediated the missing patch.
During a penetration test, Patrick deploys a toolkit on a compromised system and uses it to gain access to other systems on the same network. What term best describes this activity? A. Lateral movement B. Privilege escalation C. Footprinting D. OSINT
A. Moving from one compromised system to other systems on the same network is known as lateral movement. Privilege escalation attacks increase the level of access that an attacker has to an already compromised system. Footprinting and OSINT are reconnaissance techniques.
Kevin is participating in a security exercise for his organization. His role in the exercise is to use hacking techniques to attempt to gain access to the organization's systems. What role is Kevin playing in this exercise? A. Red team B. Blue team C. Purple team D. White team
A. Offensive hacking is used by red teams as they attempt to gain access to systems on the target network. Blue teams are responsible for managing the organization's defenses. White teams serve as the neutral moderators of the exercise. Purple teaming is conducted after an exercise to bring together the red and blue teams for knowledge sharing.
Persistence
Attackers establish persistence on compromised networks by installing backdoors and using other mechanisms that will allow them to regain access to the network, even if the initial vulnerability is patched
Which one of the following tools is most likely to detect an XSS vulnerability? A. Static application test B. Web application vulnerability scanner C. Intrusion detection system D. Network vulnerability scanner
B. Intrusion detection systems do not detect vulnerabilities; they detect attacks. The remaining three tools could all possibly discover a cross-site scripting (XSS) vulnerability, but a web application vulnerability scanner is the most likely to detect it because it is specifically designed to test web applications.
Interactive testing
This combines static and dynamic testing, analyzing the source code while testers interact with the application through exposed interfaces.
Which one of the following security assessment tools is least likely to be used during the reconnaissance phase of a penetration test? A. Nmap B. Nessus C. Metasploit D. Nslookup
C. Nmap is a port scanning tool used to enumerate open network ports on a system. Nessus is a vulnerability scanner designed to detect security issues on a system. Nslookup is a DNS information gathering utility. All three of these tools may be used to gather information and detect vulnerabilities during reconnaissance. Metasploit is an exploitation framework used to execute an attack and is better suited to the attacking and exploiting phase of a penetration test.
Application scanning
These scanning tools analyze custom-developed software to identify common security vulnerabilities. Application testing should be an integral part of the software development process. Many organizations introduce testing requirements into the software release process, requiring clean tests before releasing code into production.
Which one of the CVSS metrics would contain information about the type of account access that an attacker must have to execute an attack? A. AV B. C C. PR D. AC
C. The privileges required (PR) metric indicates the type of system access that an attacker must have to execute the attack.
Lila is working on a penetration testing team and she is unsure whether she is allowed to conduct social engineering as part of the test. What document should she consult to find this information? A. Contract B. Statement of work C. Rules of engagement D. Lessons learned report
C. The rules of engagement provide technical details on the parameters of the test. This level of detail would not normally be found in a contract or statement of work. The lessons learned report is not produced until after the test.
Which one of the following security assessment techniques assumes that an organization has already been compromised and searches for evidence of that compromise? A. Vulnerability scanning B. Penetration testing C. Threat hunting D. War driving
C. Threat hunting is an assessment technique that makes an assumption of compromise and then searches the organization for indicators of compromise that confirm the assumption. Vulnerability scanning, penetration testing, and war driving are all assessment techniques that probe for vulnerabilities but do not assume that a compromise has already taken place.
Which one of the following techniques would be considered passive reconnaissance? A. Port scans B. Vulnerability scans C. WHOIS lookups D. Footprinting
C. WHOIS lookups use external registries and are an example of open source intelligence (OSINT), which is a passive reconnaissance technique. Port scans, vulnerability scans, and footprinting all require active engagement with the target and are, therefore, active reconnaissance.
Web Application Scanning
These scanners are specialized tools used to examine the security of web applications. These tools test for web-specific vulnerabilities, such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF) vulnerabilities. They work by combining traditional network scans of web servers with detailed probing of web applications using such techniques as sending known malicious input sequences and fuzzing in attempts to break the application.
Renee is configuring her vulnerability management solution to perform credentialed scans of servers on her network. What type of account should she provide to the scanner? A. Domain administrator B. Local administrator C. Root D. Read-only
D. Credentialed scans only require read-only access to target servers. Renee should follow the principle of least privilege and limit the access available to the scanner.
Bandwidth
Transmission capacity, measured by bit rate. Scan traffic consumes it, which is one of the technical constraints on how aggressively and how often an organization can scan.
FISMA
Federal Information Security Management Act
Initial access
Initial access occurs when the attacker exploits a vulnerability to gain access to the organization's network.
Static testing
It analyzes code without executing it. This approach points developers directly at vulnerabilities and often provides specific remediation suggestions.
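As an added illustration of static testing (example code written for this page, not taken from it or from any named product), the following Python script uses the standard library `ast` module to inspect source code without executing it. It looks for database `execute()` calls whose query string is assembled at run time with f-strings, `%` formatting, `+` concatenation or `.format()`, the pattern behind the grading-system SQL injection flaw in Brian's question above, and reports the line number together with a remediation suggestion. The sample source it scans is constructed for the example, and the sink method names assume a DB-API style cursor.

```python
"""Minimal static analyzer for SQL injection sinks (added example).

It parses Python source with the standard library `ast` module and never
executes the code under test, which is what distinguishes static testing
from dynamic testing.
"""
import ast

# Assumption: the code under test uses DB-API style cursors, so these are
# the methods that hand a query string to the database driver.
SINK_METHODS = {"execute", "executemany", "executescript"}


def _is_dynamic_string(node):
    """True if `node` builds a string from run-time values (injection risk)."""
    if isinstance(node, ast.JoinedStr):
        # f"... {x} ..." is only dynamic if it has at least one {x} placeholder.
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        # "..." + x  or  "..." % x ; two literal operands are harmless.
        return not (isinstance(node.left, ast.Constant)
                    and isinstance(node.right, ast.Constant))
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"          # "...".format(x)
    return False


def find_sql_injection(source, filename="<source>"):
    """Return sorted (line, message, remediation) tuples for risky sinks."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        if node.func.attr not in SINK_METHODS or not node.args:
            continue
        if _is_dynamic_string(node.args[0]):
            findings.append((
                node.lineno,
                "%s:%d: query passed to .%s() is assembled from run-time values"
                % (filename, node.lineno, node.func.attr),
                "pass a fixed SQL string and bind values: cursor.execute(sql, params)",
            ))
    return sorted(findings)


# Constructed sample: the grading-system flaw from the chapter, beside its fix.
SAMPLE_SOURCE = '''
def update_grade_vulnerable(conn, student, grade):
    cur = conn.cursor()
    cur.execute(f"UPDATE grades SET grade = '{grade}' WHERE student = '{student}'")

def update_grade_fixed(conn, student, grade):
    cur = conn.cursor()
    cur.execute("UPDATE grades SET grade = ? WHERE student = ?", (grade, student))

def lookup_old_style(cur, student):
    cur.execute("SELECT grade FROM grades WHERE student = '%s'" % student)
'''

if __name__ == "__main__":
    for line, message, fix in find_sql_injection(SAMPLE_SOURCE, "grades.py"):
        print(message)
        print("    remediation:", fix)
```

The verdicts are heuristic: a query string passed in through a variable is not followed back to where it was built, and a concatenation of two trusted pieces elsewhere in a code base would be flagged. Real static analysis tools add data-flow tracking to cut both kinds of error down, but their output still needs the true-positive versus false-positive triage that Tara's question describes.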
Dynamic testing
It executes code as part of the test, running all the interfaces that the code exposes to the user with a variety of inputs, searching for vulnerabilities.
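Dynamic testing, and the web application scanners described elsewhere on this page, work the other way round from static testing: they run the application, feed it known-malicious input sequences, and inspect the response. The following is an added example, not code from the page: a deliberately weak HTML renderer (constructed for the example) that escapes angle brackets but not quotes, its hardened counterpart using the standard library `html.escape`, and a probe routine that reports which payloads come back unneutralized. A real scanner does this over HTTP with hundreds of sequences plus fuzzed variants; here the "application" is an in-process function so the example runs offline.

```python
"""Dynamic test of an HTML rendering routine with known-malicious inputs
(added example; the renderers and probe list are constructed for it)."""
import html


def render_profile_weak(display_name):
    """Constructed weak renderer: escapes & < > but not quotes, so input
    placed inside an attribute value can break out of the attribute."""
    partial = (display_name.replace("&", "&amp;")
               .replace("<", "&lt;")
               .replace(">", "&gt;"))
    return '<input name="display_name" value="%s">' % partial


def render_profile_fixed(display_name):
    """Hardened renderer: html.escape with quote=True also encodes " and '."""
    return '<input name="display_name" value="%s">' % html.escape(display_name, quote=True)


# Known-malicious input sequences a scanner would send (constructed list).
# Each entry: the payload, and the fragment that must NOT appear verbatim in
# the response if the application neutralized the input for this context.
XSS_PROBES = [
    ("<script>alert(1)</script>", "<script>"),                    # element context
    ('" onfocus="alert(1)" autofocus="', 'onfocus="alert(1)"'),   # attribute break-out
    ("<img src=x onerror=alert(1)>", "<img"),                     # element context
]


def probe_xss(render):
    """Run each probe through `render`; return payloads reflected unneutralized."""
    reflected = []
    for payload, marker in XSS_PROBES:
        response = render(payload)
        if marker in response:
            reflected.append(payload)
    return reflected


if __name__ == "__main__":
    for name, render in (("weak", render_profile_weak), ("fixed", render_profile_fixed)):
        hits = probe_xss(render)
        print("%s renderer: %d reflected payload(s)" % (name, len(hits)))
        for payload in hits:
            print("   ", payload, "->", render(payload))
```

The weak renderer passes the element-context probes and fails only the attribute break-out, which is the point of sending several sequences: escaping that is sufficient in one output context is not sufficient in another, and a dynamic test finds that without needing the source. Unlike the static check, the dynamic test says nothing about where in the code the bug is; the two techniques are complementary, which is what interactive testing tries to exploit.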
Rapid7's Nexpose
It is another commercial vulnerability management system that offers capabilities similar to those of Nessus and Qualys.
war driving and war flying
Testers use a technique called war driving, where they drive by facilities in a car equipped with high-end antennas and attempt to eavesdrop on or connect to wireless networks. Recently, testers have expanded this approach to the use of drones and unmanned aerial vehicles (UAVs) in a technique known as war flying.
Red team
The "hostile" or attacking team in a penetration test or incident response exercise.
Blue team
The defensive team in a penetration test or incident response exercise.
debug modes
The feature that gives developers crucial error information needed to troubleshoot applications during development. Debug modes should be disabled before a system moves to production; left enabled, the detailed error messages they produce (stack traces, file paths, query text) disclose internals that help an attacker, which is why error messages appear in the list of security vulnerabilities above.
OpenVAS
The open source OpenVAS offers a free alternative to commercial vulnerability scanners.
Vulnerability management
These programs play a crucial role in identifying, prioritizing, and remediating vulnerabilities in our environments. They use vulnerability scanning to detect new vulnerabilities as they arise and then implement a remediation workflow that addresses the highest-priority vulnerabilities. Every organization should incorporate vulnerability management into their cybersecurity program.
Network vulnerability scanning
These scanners are capable of probing a wide range of network-connected devices for known vulnerabilities. They reach out to any systems connected to the network, attempt to determine the type of device and its configuration, and then launch targeted tests designed to detect the presence of any known vulnerabilities on those devices.