Module 2 - Threat Management and Cybersecurity Resources

two most popular data management tools in regards to monitoring logs and alerts from from different sources and generated at different times

- Security Information and Event Management (SIEM) - Security Orchestration, Automation and Response (SOAR).

penetration testing levels (used when pen. testing using external consultants)

- black box - gray box - white box

advantages of using external penetration test consultants

- expertise: contractors that conduct penetration tests have the technical and business expertise to conduct a thorough test. - credentials: contractors usually employ people who hold several security certifications to validate their pen testing knowledge and experience. - experience: contractors know what to look for and how to take advantage of a vulnerability. - focus: Reputable penetration testing firms generally deliver expert security services and are highly focused on the task.

disadvantages of using internal security employees to conduct a penetration test

- inside knowledge: Employees often have in-depth knowledge of the network and its devices. A threat actor, on the other hand, would not have the same knowledge, so an attack from employees would not truly simulate that of a threat actor. - lack of expertise: Employees may not have the credentials needed to perform a comprehensive test. Their lack of expertise may result in few deep vulnerabilities being exposed. - reluctance to reveal: Employees may be reluctant to reveal a vulnerability discovered in a network or system that they or a fellow employee has been charged with protecting.

crowdsourced pen testing

- pen testing that involves a large group of individuals who are not regular employees of the contractor. - These handpicked crowdsourced members of the security community test the security of the client - advantages: - Faster testing, resulting in quicker remediation of vulnerabilities - Ability to rotate teams so different individuals test the system - Option of conducting multiple pen tests simultaneously - relates to bug bounties

disadvantage of using external penetration test consultants

- the usage of the information that is uncovered. - A contractor who conducts a pen test will not only learn about an organization's network and system vulnerabilities but may also receive extremely sensitive information about these systems and how to access them

advantages to using internal security personnel conducting penetration tests

- there is little or no additional cost - the test can be conducted much more quickly - in-house penetration test can be used to enhance the training of employees and raise the awareness of security risks. - When conducting an in-house pen test, an organization often divides security employees into opposing teams to conduct a "war game" - red team - blue team - white team - purple team

scope (rule of engagement parameter)

- what should be tested. - environment: Should the pen test be conducted on the live production environment or simulated env? - live env = more accurate, but may disrupt normal business - simulated env = similar to live env, but more work and cost may be required - internal targets: all internal targets must be clearly identified for an external third-party gray box test or white box test. (Black box testers are responsible for finding internal targets.) These internal targets are owned by the customer, and information about them may include specific IP addresses, network ranges, or domain names. Make sure internal targets are owned by customer (could cause legal issues) - external targets: pen test may include testing a service or an application hosted by a third party. - target locations: Because laws vary among states, provinces, and countries, testing planners must identify the physical location of the targets and, if necessary, adjust the scope of the test. - other boundaries: physical security, social engineering concerns, limits on attack types

The two methods footprinting is accomplished when pen. testing

1. active reconnaissance 2. passive reconnaissance

3 parts of the NIST cybersecurity frameworks

1. framework core: defines the activities needed to attain different cybersecurity results 1a. functions: most basic cybersecurity tasks (ID, protect, detect, respond, recover) 1b. categories: Tasks to be carried out for each of the five functions 1c. subcategories: Tasks or challenges associated with each category 1d. info sources: The documents or manuals that detail specific tasks for users and explain how to accomplish the tasks 2. implementation tiers: 4 tiers that help orgs. ID lvl of security compliance. The higher the tier, the more compliant. 3. profiles: the current status of the organization's cybersecurity measures and the "road maps" toward compliance with the NIST cybersecurity framework -an executive summary of everything an organization has done for the NIST cybersecurity framework

penetration

2nd phase of conducting a pen test - 1. threat actors first conduct reconnaissance against the systems, looking for vulnerabilities. - 2. When a path to a vulnerability is exposed, they gain access to the system through the vulnerability. - 3. Once initial access is gained, the threat actors attempt to escalate to more advanced resources that are normally protected from an application or user. This is called privilege escalation. 4. With the advanced privileges, the threat actors tunnel through the network looking for additional systems they can access from their elevated position (called lateral movement). 5. Threat actors install tools on the compromised systems to gain even deeper access to the network. 6. Threat actors may install a backdoor that allows them repeated and long-term access to the system in the future. access remains through these even if initial vulnerability is corrected 7. Once the backdoor is installed, threat actors can continue to probe until they find their ultimate target and perform their intended malicious action

adversary tactics, techniques, and procedures (TTP)

A database of the behavior of threat actors and how they orchestrate and manage attacks.

standard

A document approved through consensus by a recognized standardization body. - provides for frameworks, rules, guidelines, or characteristics for products or related processes and production methods. - compliance is not mandatory, but there may be restrictions for those organizations that do not comply.

fusion center

A formal repository of information from enterprises and the government used to share information on the latest attacks.

vulnerability scan

A frequent and ongoing process, often automated, that continuously identifies vulnerabilities and monitors cybersecurity progress. - is a cyclical process of ongoing scanning and continuous monitoring to reduce the attack surface - purpose: reduces attack surface - procedure: Scans to find weaknesses and then mitigate them - frequency: Usually includes ongoing scanning and continuous monitoring - personnel: Uses internal security personnel - process: Usually is automated, with a handful of manual processes - goal: Aims to identify risks by scanning systems and networks - final report audience: Includes an executive summary for less technical audiences and technical details for security professionals - looks for a vulnerability by comparing the software it scans against a set of known vulnerabilities. Such monitoring requires access to an updated database of vulnerabilities, like the CVE

NIST Risk Management Framework (RMF)

A guidance document designed to help organizations assess and manage risks to their information and systems. - viewed as comprehensive road map that organizations can use to seamlessly integrate their cybersecurity, privacy, and supply-chain risk management processes.

NIST Cybersecurity Framework (CSF)

A measuring stick against which companies can compare their cybersecurity practices relative to the threats they face. - elements: - identify - protect - detect - respond - recover

Common Vulnerability Scoring System (CVSS)

A numeric rating system of the impact of a vulnerability. - used by CVE - numeric scores are generated using a complex formula that considers variables such as the access vector, attack complexity, authentication, confidentiality of the data, and the system's integrity and availability. - vulnerabilities with highest score are generally considered to require early attention.

white box

A penetration testing level in which the testers are given full knowledge of the network and the source code of applications. - main task is to Identify potential points of weakness - advantages: Focus directly on systems to test for penetration - disadvantages: This approach does not provide a full picture of the network's vulnerabilities

gray box

A penetration testing level in which the testers are given limited knowledge of the network and some elevated privileges. - main task is to focus on systems with the greatest risk and value to the organization - advantages: More efficiently assess security instead of spending time trying to compromise the network and then determining which systems to attack - disadvantages: This head start does not allow testers to truly emulate what a threat actor may do

black box

A penetration testing level in which the testers have no knowledge of the network and no special privileges. - main task to attempt to penetrate the network - advantages: Emulate exactly what a threat actor would do and see - disadvantages: If testers cannot penetrate the network, then no test can occur - used when pen. testing with external consultants

white team (pen. testing war games)

A penetration testing team that enforces the rules of the penetration testing. - referees - Makes notes of the Blue Team's responses and the Red Team's attacks.

blue team (pen. testing war games)

A penetration testing team that monitors for Red Team attacks and shores up defenses as necessary. - defenders - Scans log files, traffic analysis, and other data to look for signs of an attack.

purple team (pen. testing war games)

A penetration testing team that provides real-time feedback between the Red and Blue Teams to enhance the testing. - bridge - The Blue Team receives information that can be used to prioritize and improve their ability to detect attacks while the Red Team learns more about technologies and mechanisms used in the defense.

red team (pen. testing war games)

A penetration testing team that scans for vulnerabilities and then exploits them. - attackers - Has prior and in-depth knowledge of existing security, which may provide an unfair advantage

persistence

A process in which a load balancer creates a link between an endpoint and a specific network server for the duration of a session. - defined as determination, resolve, and perseverance. - Pen testers should be prepared for spending long hours and even days searching for vulnerabilities that they might not discover when pen. testing or planning for one

European Union General Data Protection Directive (GDPR)

A regulation regarding data protection and privacy in the European Union and the European Economic Area (EEA). - Its aim is to give individuals control over their personal data, to address the transfer of personal data to areas outside the EU and EEA, and to simplify the regulatory environment for international business by creating a single regulation across all EU members.

Credential Vulnerability Scan

A scan in which valid authentication credentials, such as usernames and passwords, are supplied to the vulnerability scanner to mimic the work of a threat actor who possesses these credentials. - are slower but can provide a deeper insight into the system by accessing a fuller range of the installed software and examining the software's configuration settings and current security posture.

(cybersecurity) framework

A series of documented processes used to define policies and procedures for implementation and management of security controls in an enterprise environment - most common ones: - National Institute of Standards and Technology (NIST) - International Organization for Standardization (ISO) - American Institute of Certified Public Accountants (AICPA) - Center for Internet Security (CIS) - Cloud Security Alliance (CSA).

cloud controls matrix

A specialized framework (metaframework) of cloud-specific security controls created by cloud security alliance (CSA) - These controls are mapped to the leading standards, best practices, and regulations regarding cloud computing and are generally regarded as the authoritative source of information(reference architecture) about securing cloud resources.

Security Orchestration, Automation, and Response (SOAR)

A tool designed to help security teams manage and respond to the very high number of security warnings and alarms by combining comprehensive data gathering and analytics in order to automate incident response. - different from SIEM because it combines more comprehensive data gathering and analytics to automate incident response.

Security Information and Event Management (SIEM)

A tool that consolidates real-time security monitoring and management of security information with analysis and reporting of security events. - can be a separate device, software that runs on a computer, or even a service provided by a third party - starting point: data input - Data feeds into a SIEM are the standard packet captures of network activity and log collections.

Common Vulnerabilities and Exposures (CVE)

A tool that identifies vulnerabilities in operating systems and application software. - the most popular vulnerability feed - used by vulnerability scanning tools to identify vulnerabilities

penetration testing

A type of test that attempts to exploit vulnerabilities just as a threat actor would. - a single event using a manual process often performed only after a specific amount of time has passed, such as once a year (and sometimes only to comply with regulatory requirements). - This helps to uncover new vulnerabilities, provide a clearer picture of their nature, and determine how they could be used against the organization - Kali Linux is a popular tool for this - purpose: Identifies deep vulnerabilities - procedure: Acts like a threat agent to find vulnerabilities to exploit - frequency: Tests when required by regulatory body or on a predetermined schedule - personnel: Uses external third parties or internal security personnel - process: Uses an entirely manual process - goal: Aims to gain unauthorized access and exploit vulnerabilities - final report audience: Includes several different audiences

intrusive scan

A vulnerability scan that attempts to employ any vulnerabilities which it finds, much like a threat actor would. - are more accurate, but they can impair the target system.

non-intrusive scan

A vulnerability scan that does not attempt to exploit the vulnerability but only records that it was discovered. - cannot determine for certain if an installed service is truly vulnerable; rather, it can only indicate that it might be vulnerable.

non-credentialed vulnerability scan

A vulnerability scan that provides no authentication information to the tester - these scans run faster because they perform fundamental actions such as looking for open ports and finding software that will respond to requests.

difference between active and passive reconnaissance

Active reconnaissance relies on traffic being sent to the targeted system, while passive reconnaissance calls for testers to quietly "make do" with whatever information they can accumulate from public sources.

unmanned aerial vehicle (UAV)

An aircraft without a human pilot on board to control its flight. - also known as drones - used in active recon war flying

reference architecture

An authoritative source of information - the cloud controls matrix by the cloud security alliance is considered this

war flying

An efficient means of discovering a Wi-Fi signal using drones. - type of war driving - type of active reconnaissance - uses drones (UAVs): An unmanned aerial vehicle (UAV) without a human pilot on board to control its flight. - drones used because they can quickly cover a wider area, are not limited to streets and sidewalks, and can easily fly over security perimeters such as fences - preferred means to find Wi-Fi signal

configuration review

An examination of the software settings for a vulnerability scan. - Define the group of target devices to be scanned - Ensure that a scan should be designed to meet its intended goals - Determine the sensitivity level or the depth of a scan—in other words, the type of vulnerabilities being searched for. - Specify the data types to be scanned

Cloud Security Alliance (CSA)

An organization whose goal is to define and raise awareness of best practices to help secure cloud computing environments. - create cybersecurity frameworks (cloud controls matrix)

SIEM time synchronization feature

Because alerts occur over a wide spectrum of time, can show the order of the events.

maneuvering

Conducting unusual behavior when threat hunting. - For example, passwords on an administrator's account are changed every two hours (not a normal activity) to determine if a hidden threat actor is making internal password-cracking attempts.

threat feeds

Cybersecurity data feeds that provide information on the latest threats - outline current threats and attacks

vulnerability feeds

Cybersecurity data feeds that provide information on the latest vulnerabilities. - is a type of data feed: continually maintained databases of the latest cybersecurity incidences.

Requests for comments (RFCs)

Documents that are authored by technology bodies employing specialists, engineers, and scientists who are experts in those areas. - info source - describe methods, behaviors, research, or innovations applicable to cybersecurity.

false negative

Failure to raise an alarm when there is a problem.

footprinting

Gathering information from outside the organization. - 1st task of black box and gray box testers when performing pen. test

Benchmark/secure configuration guides

Guidelines for configuring a device or software usually distributed by hardware manufacturers and software developers. - These serve as guidelines for configuring a device or software so that it is resilient to attacks. - Usually, these are platform/vendor-specific guides that only apply to specific products

platform/vendor-specific guides

Guidelines that only apply to specific products.

rules of engagement

Limitations or parameters in a penetration test. - Without these parameters, a penetration test can easily veer off course and not accomplish the desired results, take too long to produce timely results, or test assets that are not necessary to test. - categories: - timing - scope - authorization - exploitation - communication - cleanup - reporting

SIEM user behavior analysis feature

Looking at the normal behavior of users and how they interact with systems to create a picture of typical activity. - ex. A user's account suddenly acting in an unusual fashion, such as a lateral movement between assets, could indicate that a threat actor has compromised that account - SIEM can generate alert for further investigation

lateral movement

Moving through a network looking for additional systems threat actors can access from their elevated position. - privilege escalation, then this

privilege escalation

Moving to more advanced resources that are normally protected from an application or user.

best known and most widely used vulnerability assessment/scanning tool

Nessus

reporting (rule of engagement parameter)

Once the pen test is completed, a report should be generated to document its objectives, methods used, and results. - The report should be divided into two parts based on two separate audiences: 1. executive summary designed for a less technical audience—namely, those who are in charge - often contains a section that identifies the overall risk of the organization and a breakdown of the types of vulnerabilities that were exploited 2. technical in nature and written for security professionals.

threat hunting

Proactively searching for cyber threats that thus far have gone undetected in a network - begins with a critical major premise: threat actors have already infiltrated our network. - It proceeds to find unusual behavior that may indicate malicious activity. - these investigations often use crowdsourced attack data (advisories and bulletins, cybersecurity threat feeds, info from fusion centers)

open source intelligence (OSINT)

Publicly accessible information. - can reveal valuable insight about the system. - used in passive reconnaissance

false positive

Raising an alarm when there is no problem - scan options may not have been well defined or may have been missed in a configuration review, or the scanner might not recognize a control that is already in place to address an existing vulnerability - one way to ID is to correlate the vulnerability scan data with several internal data points. The most common are related log files

cleanup (rule of engagement parameter)

Returning all systems back to normal following a penetration test. - Following the exploitation of the systems outlined in the scope, the pen tester must ensure that everything related to the pen test has been removed - involves removing all software agents, scripts, executable binaries, temporary files, and backdoors from all affected systems. Also, any credentials that were changed should be restored, and any additional usernames created should be removed

difference between SIEM And SOAR

SOARs take it a step further by combining more comprehensive data gathering and analytics to automate incident response. - While a SIEM tends to generate more alerts than a security team may be able to respond to, a SOAR allows a security team to automate incident responses.

war driving

Searching for wireless signals from an automobile or on foot while using a portable computing device. - type of active reconnaissance - different tools: 1. mobile computing device: mobile device with wireless NIC. includes a standard portable computer, a pad computer, or a smartphone. 2. Wireless NIC adapter: external wireless NIC adapter that connects into a USB or other port and has an external antenna jack. 3. Antennas: attaching an external antenna will significantly increase the ability to detect a wireless signal 4. software: Because client utilities and integrated operating system tools provide only limited information about a discovered Wi-Fi, pen testers use more specialized software. 5. GPS: Although this is not required, it does help to pinpoint the location more precisely. - originally derived from war dialing

passive reconnaissance

Searching online for publicly accessible information. - the tester uses tools that do not raise any alarms - may include searching online for publicly accessible information called open source intelligence (OSINT) that can reveal valuable insight about the system.

cybersecurity legislation

Specific legislation or laws can also be enacted by governing bodies that can provide a cybersecurity resource. - These include national, territorial, and state laws. - However, with the number of different entities involved in passing multiple—and even contradictory—legislation, this often leads to a hodgepodge of legislation and is not always a good cybersecurity resource.

SIEM sentiment analysis feature

The process of computationally identifying and categorizing opinions, usually expressed in response to textual data, in order to determine the writer's attitude toward a particular topic. - the interpretation and classification of emotions (positive, negative, and neutral) within text data using text analysis techniques. - used when tracking postings threat actors make in discussion forums with other attackers to better determine the behavior and mindset of threat actors. - useful in determining goals and actions of threat actors - often used by businesses while conducting online chats with customers or examining Twitter and other social media

(T/F) vulnerabilities that are not part of the ultimate target can still provide a gateway to that target. This means that no vulnerability is insignificant for a pen tester.

True

(T/F) when a vulnerability is discovered during a penetration test, the work is not finished. Instead, the pen tester must determine how to pivot to another system using another vulnerability to continue moving toward the target.

True

(T/F) The initial system that was compromised—the system through which the attackers first gained entry—most often does not contain the data that is the goal of the attack. Rather, this system only serves as a gateway for entry.

True - Once they are inside the network, the threat actors pivot, or turn, to other systems to be compromised, with the goal of reaching the ultimate target.

exploitation (rule of engagement parameter)

When a vulnerability is uncovered, should it always be exploited? Or are specific areas considered "off limits" so that the tester should not view the related data?

why conduct a pen test?

While a scan of network defenses can help find vulnerabilities, the type of vulnerabilities revealed is different from a penetration test. - A scan usually finds only surface problems to be addressed. - This is because many scans are entirely automated and provide only a limited verification of any discovered vulnerabilities. - A penetration test, on the other hand, can find deep vulnerabilities. - Penetration tests go further and attempt to exploit vulnerabilities using manual techniques. - These deep vulnerabilities can only be exposed through actual attacks that use the mindset of a threat actor. 1. the attacks must be the same (or remarkably similar) as those used by a threat actor; anything less will not uncover the deep vulnerabilities 2. the attacks should follow the thinking of threat actors

Payment Card Industry Data Security Standard (PCI DSS)

a cybersecurity compliance standard to provide a minimum degree of security for handling customer card information. - Requirement 11 of the latest standard (PCI DSS 3.2.1) states that organizations must regularly test security systems and processes using both vulnerability scans and penetration tests

similarity between vulnerability scan and pen test

both should be conducted following a data breach, the launch of a new application, or a major change to the network. - However, because a vulnerability scan is continuous, it may only need to focus on the new application or change to the network.

SIEM event duplication feature

can help filter the multiple alerts from multiple devices into a single alarm.

SIEM aggregation feature

combines data from multiple data sources—such as network security devices, servers, and software applications—to build a comprehensive picture of attacks.

the most dangerous result of poor planning in pen. tests

creating unnecessary legal issues

SSAE SOC 2 Type II (Statements on Standards for Attestation Engagements, System and Organization Controls 2 type II)

cybersecurity framework from American Institute of Certified Public Accountants (AICPA) - A standard for reports on internal controls report that reviews how a company safeguards customer data and how well those controls are operating. - As an audit, it looks at internal controls, policies, and procedures that directly relate to the security of a system at a service organization. - SOC 2 report is designed to determine if service organizations are compliant with the categories of security, availability, processing integrity, confidentiality, and privacy. - SOC 2 report can only be read by the user organizations that rely on the services.

SSAE SOC 2 Type III (Statements on Standards for Attestation Engagements, System and Organization Controls 2 type III)

cybersecurity framework from American Institute of Certified Public Accountants (AICPA) - A standard for reports on internal controls that can be freely distributed - is the same as a SOC 2 Type II except for its distribution. A SOC 3 report can be freely distributed - While a SOC 3 does not give a description of the service organization's system, it can provide interested parties with the auditor's report on whether an entity maintained effective controls over its systems.

(industry) regulations

cybersecurity standards typically developed by established professional organizations or government agencies using the expertise of seasoned security professionals. - these are followed by companies that have similar business processes, resulting in a common set of tested and approved regulations that are under continual review and revision. - process of adhering to them is called regulatory compliance

When researching how an attack recently took place, Nova discovered that the threat actor, after penetrating the system, started looking to move through the network with their elevated position. What is the name of this technique? a. Jumping b. Twirling c. Squaring up d. Lateral movement

d. Lateral movement

When examining the results of a vulnerability scan, you should assess the:

importance of vulnerability as well as its accuracy. - importance: vulnerabilities need to be prioritized so that the most important ones are addressed early on, while others are delayed until later or are not even addressed. - accuracy: make sure to ID false positives and false negatives

SIEM automated alerting and triggers feature

inform security personnel of critical issues that need immediate attention. - A sample trigger may be Alert when a firewall, router, or switch indicates 40 or more drop/reject packet events from the same IP source address within 60 seconds.

International Organization for Standardization (ISO)

international cybersecurity standards/frameworks - ISO 27001: A standard that provides requirements for an information security management system (ISMS). - ISO 27002: A "code of practice" for information security management within an organization and contains 114 different control recommendations. - ISIO 27701: An extension to ISO 27001 and is a framework for managing privacy controls to reduce the risk of privacy breach to the privacy of individuals. - ISO 31000: A standard that contains controls for managing and controlling risk.

active reconnaissance

involves directly probing for vulnerabilities and useful information, much like a threat actor would do - For example, unprotected wireless data transmissions from wireless local area networks or Wi-Fi can often be used to gather information or even circumvent security protections - Methods (wireless data transmissions) - war driving - war flying

bug bounties

monetary rewards given for uncovering a software vulnerability. - these take advantage of crowdsourcing, which involves obtaining input for a project by enlisting people from the Internet - also known as crowdsourced pen testing - Not only are exceptionally large rewards now offered, but those paying for rewards are no longer only software developers who want to fix the bugs. - The large bounties have resulted in fierce competition over bugs. - google is a typical software developer who has these - other organizations offering these: - European Commission (EC), which is part of the European Union (EU) and is responsible for essentially managing the daily affairs of the EU - zerodium: "leading exploit acquisition platform for premium zero-days and advanced cybersecurity capabilities." Zerodium buys bug information and then sells it to "mainly government organizations in need of specific and tailored cybersecurity capabilities and/or protective solutions to defend against zero-day attacks." - apple

As a protection, most penetration testing contracts contain a:

nondisclosure agreement (NDA) that states all client information related to the test will be treated as highly confidential and that at the end of the test, all data and storage media is either destroyed or given back to the client.

communication (rule of engagement parameter)

pen tester should communicate with the organization on several occasions during the process: - initiation: Once the pen test has started - incident response: If a pen tester can complete the initial vulnerability assessment without triggering the organization's incident response mechanism, then a critical gap in the security structure has been identified. - status: better to provide periodic status reports to the organization's management. - emergency: If the pen tester uncovers a critical vulnerability, it should be immediately reported to the organization's management

the most important element in pen. testing

planning (the first step) - A lack of planning can result in a flawed penetration test that tries to do too little or too much. - It can also result in creep, which is an expansion beyond the initial set of the test's limitations. - no pen test should ever occur without a detailed planning phase.

Vulnerability scans and the SIEM and SOAR tools that provide dashboards of security incidents are considered as:

reactive - during or after an event occurs, something is noticed, and alarms are sounded.

SIEM logs feature

records of events can be retained for future analysis and to show that the enterprise has been in compliance with regulations.

SIEM correlation feature

searches the data acquired through SIEM aggregation to look for common characteristics, such as multiple attacks coming from a specific source.

timing (rule of engagement parameter)

sets when the testing will occur. - first consideration is the start and stop dates of the test. - When using an external third party, these dates are based on estimates provided by the tester and directly tied to the experience of a tester in a certain area. - Many pen testers recommend adding up to 20 percent more time to the end date to provide a cushion if any interruptions occur in testing. - second consideration involves when the pen testing should take place (normal business hours vs. after business hours or weekend)

disadvantage of active reconnaissance in a pen test

the probes are likely to alert security professionals within the enterprise who do not know about the pen test that something unusual is occurring. - This may result in them "locking down" the network to become more restrictive and thus more difficult to probe.

authorization (rule of engagement parameter)

the receipt of prior written approval to conduct the pen test. - A formal written document must be signed by all parties before a penetration test begins. - Before performing a pen test against cloud service providers and ISPs, remember that while permission may have been granted by the customer to perform a pen test on external targets, permission must also be obtained from the external targets themselves

Threat actors can exploit any vulnerability they uncover, not just a vulnerability on the ultimate target. This means:

they are not defeated if they cannot find a vulnerability on the target; rather, a remote vulnerability can be used to pivot to the final target.

goal of threat management

to take the appropriate steps needed to minimize hostile cyber actions - seeks to answer the question, "What threat can take advantage of a vulnerability to bypass our defenses, and how can we prevent it?"

(T/F) unlike some types of automated vulnerability scanning, penetration tests are manual.

true - however, some attackers are now automating their lateral movements within a compromised system.