Domain 1
What is a credentialed vs non credentialed scan? Vs internal and external scan?
Credentialed scans are able to log on to the target system and directly retrieve configuration information, which provides the most accurate scan results. Unauthenticated scans must rely on external indications of configuration settings, which are not as accurate. External vs. internal scanning will not have a direct impact on the scanner's ability to read configuration information/settings.
Which XSS attacks can external vulnerability scanners detect easily?
Cross-site scripting and cross-site request forgery. The scanners can obtain visual confirmation of a successful attack.
What is Stored XSS?
Cross-site scripting. This is the most dangerous type because it originates from the website's database. This often happens when a website allows user input that is not sanitized to be inserted into the database.
What does RunAs command do?
It allows administrators to execute commands using the privileges of another user in Windows. sudo is the Linux equivalent.
What is a playbook?
It contains the procedures used during a particular type of cybersecurity incident. The CSIRT or IR plan operates at a higher level.
What does FISMA dictate regarding the frequency of a scan?
It does not specify any requirements regarding scan frequency. It states that agencies must conduct scans of information systems and hosted applications when new vulnerabilities potentially affecting the systems/applications are identified and reported.
What does passthru() do in PHP?
It executes whatever gets entered into the input and then passes the output directly back to the browser.
Why is ASV needed?
It is an Approved Scanning Vendor, which is required to meet PCI DSS obligations.
Why do we use XML?
It is a markup language used for storing and transporting data. It is platform-independent and programming-language-independent, so it can support any system and many technologies. XML can be changed at any point in time without affecting data presentation, and it does not need conversion when transferring to different systems.
What is HTTP Trace?
It is a supported method on all web servers which needs to be turned off. HTTP TRACE must be turned off or else an attacker can steal cookie data via JavaScript even when document.cookie is disabled or not supported by the client. This occurs when an attacker posts a malicious link to a forum; once clicked, the HTTP TRACE call collects the user's cookie information from the server. The HTTP TRACE method performs a message loop-back test along the path to the target resource, providing a useful debugging mechanism.
What is Secure RPC?
It is an authentication method that authenticates both the host and the user making a request for a service; it uses DH authentication and DES encryption.
What is an Allow List in injections?
It is input that is compared against a list of safe inputs or characters. The application throws an error if the input is rejected.
What is a common name?
It is the domain name you wish to secure with your certificate. It is also known as the FQDN, and it is the characteristic value in the Distinguished Name.
What is risk appetite?
It is the organization's decision on how much risk it can tolerate, whether or not it can tolerate a lot of medium- and low-severity risks.
What is pinning?
It is the process of associating a host with its expected X.509 certificate or public key. It leverages the knowledge of the pre-existing relationship between the user and an organization or service to help make better security decisions.
What is the purpose of a honeypot?
It is to gather information about the techniques and tools used by attackers. Typically used to analyze useful information to build IDS and IPS rules.
What is the purpose of a domain controller?
It validates users on a network, including group policies, credentials and computer names, and validates user access.
What is port 636?
LDAP
What is port 389?
LDAP - Active Directory (Windows), e-Directory (Novell), Open Directory (Apple)
What is reflected XSS?
A malicious payload that is part of the victim's request to the website. The website includes this payload in its response back to the user. An attacker needs to trick a victim into clicking a URL to execute their malicious payload.
What are Cross-Site Scripting (XSS) attacks?
Malicious scripts are injected into websites as browser-side script, which is then sent to a different user. The end user's browser thinks the script came from a trusted source, so the malicious script can access any cookies, session tokens or other sensitive information retained by the browser and used with that site.
What can affect the network bandwidth of a scan?
The maximum number of simultaneous hosts per scan has the biggest impact on total bandwidth. Safe checks and stopping the scan of unresponsive hosts will help with a single host or a lower number of hosts.
What can an attacker do with a buffer overflow attack?
It may allow an attacker to gain control of the server and access information above their authorization level by executing arbitrary code.
What is port 1433?
Microsoft SQL server
Which protocol interconnects SCADA systems?
Modbus protocol
Interpret the following: mount rhinousb.dd /mnt/usb -t auto -o loop,noexec,ro
Mount the file system. -t auto: auto-recognize the file system type. -o: mount options, where loop: mount the image file as a loop device, noexec: non-executable, ro: read-only.
What are orphaned rules in firewall configurations?
Rules that once allowed access to resources in support of business requirements, but which have become unnecessary because of a change in requirements or technical implementation
What can occur if there is improper input validation and attackers can execute malicious commands in the user's web browser?
Stored XSS. This could be including JavaScript in "guestbook entries" or any other type of entries.
What can occur after a serialization attack?
The attacker uses the serialization attack to gain access to apps/systems/networks or exfiltrate data. It can lead to remote code execution, data compromise, ransomware attacks, DoS attacks, server crashes, authentication bypass, SQL injection and many more.
What is the main defense to injections?
The main defense for preventing injection attacks is ensuring that user-controlled input is not interpreted as queries or commands.
What is RPO?
The point in time, prior to a disruption or system outage, to which mission/business process data can be recovered after an outage. RPO is not considered part of the MTD.
What is DevSecOps?
The process of incorporating and enforcing meaningful security controls without slowing down deployment velocity
What command allows you to know what the users shell is set as?
cat /etc/passwd. Use cat /etc/os-release for the operating system.
What technology allows dynamic reprogramming of computer chips?
eFuse. Developers send commands to computer chips that allow them to be permanently reprogrammed by blowing a fuse.
What are the BIA's three goals?
1) Determine mission/business processes and recovery criticality. 2) Identify resource requirements. 3) Identify recovery priorities for system resources.
How do you prevent serialization attacks?
1) Ensure that developers write class-specific serialization methods for sensitive data, or ensure that sensitive data is not serialized (either one). 2) Never deserialize input data; it is not necessary, and these are untrusted or unvalidated inputs. Digital signatures and web application firewalls ensure serialized objects are not tampered with. 3) Isolate and run deserialized objects in low-privilege environments. 4) Maintain a log of deserialization failures and exceptions.
What are the typical private IP ranges?
10.x.x.x, 172.16.x.x, 192.168.x.x
What is Blind Cross-site Scripting?
A form of persistent XSS attack. The attacker's payload is saved on the server and victimizes the backend application, e.g., a feedback form with a malicious payload which is opened by the backend user/admin, at which point the payload executes. One of the best tools to detect this is XSS Hunter.
What are FISMA's compliance requirements?
Government legislation that defines a comprehensive framework to protect government information, operations and assets against threats. Compliance includes: maintain an inventory of IT systems, which includes an agency's encrypted cloud; utilize security controls (the minimum federal security requirement is the FIPS 200 document, with appropriate security controls following NIST 800-53, which must then be documented in the SSP, the system security plan); categorize data and systems according to risk level; conduct risk assessments; certification and accreditation; maintain a system security plan; conduct continuous monitoring.
What is promiscuous mode?
A mode where the network card will receive every packet on the interface, regardless of the target MAC address, in order to monitor traffic
What is a critical infrastructure plan?
A set of policies and procedures that serve to protect and recover national assets and mitigate risks and vulnerabilities. These are losses that affect the safety, security, economy or health of the US.
What is VPC Peering?
A VPC is a virtual network dedicated to your account with your cloud provider, logically isolated from other virtual networks. VPC peering is a network connection between two VPCs that enables you to route traffic between them using private IPv4 or IPv6 addresses.
What is a MOU?
A written agreement designed to ensure that resources are available and that organizations are consulted and coordinate the responsibilities of their grant activities. A legal claim cannot be based on the document. The parties cooperatively work together on an agreed project.
What can you analyze to determine if an external attacker can exploit a DoS attack?
Analyze the firewall rule logs. They can help determine if a service is accessible from the external network.
What are the core tasks of continuous monitoring?
Analyzing and reporting findings to management; responding to findings by mitigating, transferring or avoiding risks.
What is continuous monitoring?
Agencies must monitor systems to detect abnormalities and perform security impact analysis, ongoing assessment of security controls and status reporting. It means maintaining ongoing awareness of information security, vulnerabilities and threats to support organizational risk management decisions. Security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions to protect the organization.
What is an SLA?
An agreement that helps a service provider set the service expectations provided to customers, including the scope, nature and quality of service, and the metrics by which the effectiveness of the service is monitored and approved.
How will a vulnerability scanner get the most current vulnerability information?
Automatic updates
Why should SMB be chosen over CIFS?
CIFS has poor security measures, is very noisy, has poor network performance and lacks functionality. Use the following instead: NFS: suited for Linux clients. NQ: good for non-Windows platforms (Linux, iOS and Android). Samba: Microsoft AD for Unix and Linux distributions.
Which XSS attacks does a vulnerability scanner have a difficult time detecting?
Blind SQL injections, because they do not return results to the attacker but rely on the silent execution of code. Blind SQL injection asks the database true or false questions and determines the answer based on the application's response. The attacker then analyzes the different responses between true and false statements.
What can prevent buffer overflow?
Bounds checking; it verifies that user-supplied input does not exceed the maximum allowable length before storing it in memory.
How can you determine asset criticality?
By assessing asset inventory.
What strategy can be used to immediately report configuration changes to a vulnerability scanner?
Continuous monitoring. Agents are installed on monitored systems to immediately report configuration changes to the vulnerability scanner.
What is a poisoning vulnerability and what type of breach is this?
Cache poisoning. Poisoning causes the host to connect to an illegitimate server and could result in a violation of confidentiality.
How can you detect an unpatched web server?
It can be identified by using publicly accessible banner information.
What is FISMA's categorization level?
Categorization is based on FISMA's compliance requirements and must follow the NIST 800-60 guidelines. Agency systems are categorized as: Low: a low-impact system that does not contain sensitive information requiring safeguarding. Moderate: may contain information that will require a greater degree of safeguarding. High: a loss or compromise would present a grave risk to the US government.
What is the difference between a stored and a reflected XSS attack?
The consequences are the same for either XSS attack; the only difference is the payload delivery method. XSS attacks can lead to disclosure of users' session cookies, allowing an attacker to hijack a user's session and take over the account, install trojans or modify content on the website, e.g., defacing a pharma website or modifying a press release.
What is a COOP plan?
Continuity of Operations Plan. Restoring an organization's Mission Essential Functions at an alternate site and performing those functions for up to 30 days before returning to normal operations. If the disruption/threat does not require a relocation, a COOP plan is not needed.
What is deserialization?
Converting serialized information back into a complex form, an object that the application will understand.
What is the difference between DRP and ISCP?
A DRP is site-specific and designed to move operations to a different location. An ISCP can be activated at the system's current location or at an alternate site.
How often should vulnerability scanners be updated?
Daily
How does XSS occur?
Data enters a web app through an untrusted source such as a web request, and the data is included in dynamic content that is sent to the web user without being validated for malicious content. Generally JavaScript, but it also includes HTML and Flash.
What source of information would least likely be part of a playbook?
Data from a honeypot. Few organizations run honeypots because of the effort required to maintain them and analyze the data they generate.
What is the purpose of NIST?
It develops and issues standards, guidelines and other publications to assist federal agencies in implementing FISMA IT system standards (the NIST 800 series).
What is a DRP?
Disaster Recovery Plan. Addresses a physical disruption to service that denies access to the primary facility infrastructure for an extended period. Designed to restore operability of the target system, application or computer facility infrastructure at an alternate site after an emergency. Relocation!
What is a DOM-Based XSS?
Document Object Model: a programming interface for HTML and XML documents. It represents the page so that programs can change the document structure, style and content. A web page is a document, and this document can be displayed either in the browser window or as the HTML source.
What is the difference between external and internal scanning?
An external view provides an "attacker's eye view", whereas an internal scan may uncover vulnerabilities that would only be exploitable by an insider or an attacker who has gained access to another system on the network.
What can you use, or which logs can you observe, to determine whether a service is exposed to external networks?
Firewall rules. Server logs would only contain information on actual access to the system, not whether a server is reachable from an external address.
What is a BCP?
It focuses on sustaining an organization's mission/business processes during and after a disruption.
What would a phpinfo file be used for?
For web developers during the initial configuration of a server. Delete it before production goes live!
What is continuous monitoring not tasked for?
Forensics investigations
What are shadow rules in firewall configurations?
Generally indicates that a broader rule matching the criteria is configured above a more specific rule.
What is nmap -P0?
It helps with stealth and turns off ping.
How can a serialization attack occur?
If an app deserializes all inputs and processes them without checks and validation processes in place. It can mainly occur if data transmission is not secured by TLS/SSL protocols, which encrypt data in transit. It can also occur through cookie stealing if web session information is stored in a client's cache.
What is Stripping Input in injections?
If input contains dangerous characters, those characters are removed before the input is processed.
What is a reflected (non-persistent) XSS attack?
If reflected off a web server, the script comes back in an error message, search result or any other response that includes input sent to the server. It can also be delivered through email or some other website where a user clicks on a malicious link.
What is ISCP?
Information System Contingency Plan. Established procedures for the assessment and recovery of a system following a system disruption. It provides key information for system recovery, including roles and responsibilities, inventory information, assessment procedures and testing of the system.
What is a stored (persistent) XSS attack?
The injected script is permanently stored on the target servers, such as in a database, message forum, visitor log or comment field.
What is BIA and what are the three steps in accomplishing its goals?
NIST 800-53 states it is to correlate the system with the critical mission/business processes and services provided and, based on that information, characterize the consequences of a disruption. Three goals: 1) Determine mission/business processes and recovery criticality. 2) Identify resource requirements. 3) Identify recovery priorities for system resources.
Does port scanning provide vulnerability reports?
No! However, passive network monitoring will provide a vulnerability report.
What is port 1521?
Oracle databases
What is a serialization attack?
Popular serialization formats are CSV, JSON and XML. Serialization is a basic function necessary in apps for easy storage and transfer of data; deserialization is the opposite process. A serialization attack occurs when an attacker sends a serialized payload into an application or API endpoint. When it gets deserialized by accident or mistakenly, the deserialized malicious payload is injected into the in-memory structure.
What does awareness training against phishing protect against?
It prevents an insider from unintentionally posing a risk to the organization by falling victim to a phishing attack (an unintentional insider).
What is serialization?
The process of converting objects used in programming into a simpler, compatible format for transmission between systems or networks for further processing or storage.
What is RTO?
Recovery Time Objective: the maximum amount of time a resource can be unavailable before there is an unacceptable impact on other system resources. This is important and will assist in selecting the technologies for meeting MTD goals.
What is the mechanism of exploiting vulnerable web apps?
Reflected XSS
What should be done if an APT performed a major compromise and a forensic investigation needs to be performed while minimizing the risk to the organization's production systems?
Removal. Attackers can detect the change, but it provides the best protection possible for the organization's systems.
What is insecure deserialization?
Replacing data processed by an application with malicious code. It will allow for DoS or remote code execution.
What is port 445?
SMB/AD over TCP
Which scanner setting will have very little impact on the scan?
Scan sensitivity
How often should PCI DSS Vulnerability Scans be performed?
Scanned quarterly or after any "significant change in the network", e.g., an upgrade of firewalls or systems.
What type of scheduled scan is best practice?
Schedule scans so that they run during periods of low activity.
What cookies will clear when a browser is closed?
Session IDs will clear; this is also determined by the expiry timer.
What differences can there be between a test and production environment?
The test environment may not mirror the production environment because of cost, legacy system issues and many other issues. However, they should be configured to be near identical.
What is the difference between CIFS and SMB?
They are both Windows file sharing protocols used in storage systems such as NAS. The difference is that CIFS is a dialect of SMB, a particular implementation of the SMB protocol. CIFS is outdated, has been replaced by SMB 2/3.0, and was originally created to transfer large files over TCP/IP transport.
What is MTD?
The total amount of time the system owner is willing to accept for a mission/business process outage or disruption.
How would you get the most recent signatures for a vulnerability scanner?
Update the vulnerability feed.
SQL Injection
User-controlled input is passed to SQL queries. Attackers can pass in SQL syntax to manipulate the outcome of such queries and access, modify and delete information in a database when this input is passed into database queries. This means an attacker can steal sensitive information such as personal details and credentials.
What happens if users try to access a site with a weak hashing algorithm in the certificate?
Users can access it, but an error may pop up about the site not being secure.
What can server/host based scanning detect?
Vulnerabilities in servers, workstations or other network hosts. It provides greater visibility into the configuration settings, out-of-date software, missing security patches and patch history of scanned systems.
Why are session cookies needed?
Web servers communicate using HTTP(S), which is stateless; attaching session cookies means that the server will know who is sending what data. The server can then keep track of users' actions.
What is a Command Injection?
When server-side code (like PHP) in a web application makes a system call on the hosting machine. It is a web vulnerability that allows an attacker to take advantage of that system call to execute OS commands on the server. The worst case is a reverse shell, which will allow the attacker to enumerate the device, fingerprint it and pivot around the system. Command injection is used for enumeration and pivoting.
What is a birthday attack?
When an attacker is able to discover multiple inputs that generate the same output. It is a type of cryptographic attack that exploits the mathematics of probability theory. This attack leads to collisions. A type of brute-force attack.
What is syslog?
A widely used protocol to collect data from various systems like web servers, databases, etc., which send real-time data to a centralized destination. It allows hosts to forward their log entries to one or more central syslog servers.
What is SMB?
Windows file transfers and printer sharing with the network operating system LAN Manager. This enables computers to access remote Windows file shares on a network as if they were a local hard drive.
What is XML?
A markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable.
What is the difference between sudo and su?
su allows you to switch user identities, whereas sudo allows you to run a command as another user without having to switch. sudo is similar to "RunAs" in Windows.