Vocabulary for IB Computer Science Paper 3 M26 & N26
What is PTES/PenTES?
Penetration Testing Execution Standard
What is PenTES for?
A framework for conducting penetration testing; a structured approach to testing and reporting results
How many phases in PenTES?
7 phases
Phase 1 is…?
Pre-engagement interactions
What happens in phase 1?
Preparation, getting document approvals, putting together needed tools
Why is phase 1 important?
Needed so that testing aligns with security needs and operational requirements of system
Aspects of Phase 1
1.1 Goal setting and identifying targets
1.2 Defining scope and rules of engagement
1.3 Testing approaches
1.1 Goal setting and identifying targets
Objectives established after finding key concerns; specific targets and high risk areas identified
1.1 Examples of key concerns
Patient data integrity
Uninterrupted service delivery
Compliance with health sector regulations
1.1 Examples of high risk areas
Patient record databases
IoT enabled medical devices
1.2 Defining scope and rules of engagement
Confirms which parts of the system are being tested to avoid disruption; rules of engagement agreed upon by team and client to understand methods and extent of PenTES
1.3 Testing approaches
Black box testing
White box testing
Grey box testing
Black box testing
Attack simulated from perspective of an uninformed external hacker, looks at surface level issues
White box testing
Analysis with full in-depth information of client’s system, requires access to network diagrams, system configurations, and known issues
Grey box testing
Mixture of black and white testing, uses partial knowledge of systems. Simulates inside threat or external attack with partial insider info
Phase 2 is…?
Intelligence gathering
What happens in phase 2?
Team collects data from outside sources like social media or official records to be then analysed. Categorised as OSINT.
What is OSINT?
Open-Source Intelligence (Phase 2)
Aspects of Phase 2
2.1 OSINT Techniques
2.2 Other Techniques
2.1 OSINT Techniques
Utilisation of tools and sources like search engines, social media, forums, internet-facing resources
2.1 Examples of info gathered with OSINT Techniques
Employee details - Found through employee social media, specifically IT/Admin staff
Technology usage - Insight into client software and hardware, through forums
Security policies - Looks at publicly available security policies and procedures
2.2 Other Techniques
Targeted information
Network Scanning + Mapping
Social Engineering reconnaissance
2.2 Targeted Information
Uses advanced search techniques (search engine dorking) to find exposed sensitive files or login portals
Search engine dorking
Technique using complex search queries to find information not easily accessible with normal searches
2.2 Network Scanning + Mapping
Using advanced network mapping to learn network topologies (servers, firewalls, other devices). IP addresses of all devices on network catalogued to understand scope of network.
2.2 Examples of key network scanning and mapping activities
Port scanning - technique to identify open ports and services on target network device
OS detection - Remote scanning of target host that sends back details of the OS if there is a match
Network topology mapping - Graphing a network’s topology with all its nodes and links
2.2 Social engineering reconnaissance
Uses vishing (voice phishing) or pretexting (uses a false scenario/pretext to get sensitive info) to get information from employees
Phase 3 is…?
Threat modelling
What happens in phase 3?
Potential threats and/or vulnerabilities are identified, strategies to stop them are developed; a detailed threat analysis is conducted
Aspects of Phase 3
3.1 Identifying potential adversaries
3.2 Assessing hacker capabilities and intentions
3.3 Methods of exploitation
3.4 Valuable asset evaluation
3.5 Prioritization of security efforts
3.1 Identifying potential adversaries
Determines who might target the network; e.g. cybercriminals seeking patient data or insiders with network access
3.2 Assessing hacker capabilities and intentions
Analyse what potential hackers are capable of and how they might use accessed data.
3.3 Methods of exploitation
Document how hackers might exploit system weaknesses; e.g. malware deployment, social engineering attacks, network attacks
3.4 Valuable asset evaluation
Determine which assets are most critical and look at potential impact of compromise; e.g. EHRs
3.5 Prioritization of security efforts
Use prior analysis to guide the focus of PenTES; most valuable and vulnerable areas get the most attention.
Phase 4 is…?
Vulnerability analysis
What happens in phase 4?
Vulnerabilities that could be used by a hacker are identified and confirmed through manual and automated tools; guides next steps of PenTES
Aspects of Phase 4
4.1 Scanning
4.2 Manual examination
4.3 Assessment of weaknesses
4.4 Prioritisation
4.1 Scanning
Team uses automated tools to quickly find known vulnerabilities; e.g. unpatched software or insecure configurations
4.2 Manual examination
Combines automation with manual checks to detect subtler flaws and vulnerabilities that need expert analysis
4.3 Assessment of weaknesses
Evaluates vulnerabilities found to see potential impact of hacker exploitation
4.4 Prioritisation
Determines which flaws are most important based on factors like ease of exploitation and potential damages
Phase 5 is…?
Exploitation
What happens in phase 5?
Attempts are made to breach the system with vulnerabilities from phase 4.
Aspects of Phase 5
5.1 Targeted Breaching Attempts
5.2 Exploit development
5.3 Employing various techniques
5.4 Assessing impact
5.1 Targeted Breaching Attempts
Team uses specific techniques to exploit known vulnerabilities and test defenses
5.2 Exploit development
Team crafts custom scripts/tools tailored to specific known vulnerabilities. Shellcode is executable code that does this, allowing an attacker to gain elevated privileges (local) or target a remote machine’s process on a shared network.
5.3 Employing various techniques
Team will use some or all of the listed techniques depending on known vulnerabilities; SQL injection, cross-site scripting (X-SS), buffer overflow attacks, password cracking tools.
5.4 Assessing the impact
Now, team tries to understand the potential damages or access that can be caused by successful exploitation
Phase 6 is…?
Post-exploitation
What happens in phase 6?
If access is gained in phase 5, the focus is now on keeping control of the system and getting data from it; lets the team comprehend the full scope and scale of a breach
Aspects of Phase 6
6.1 Data Access and analysis
6.2 Privilege escalation
6.3 Establishing persistence
6.4 Operational impact assessment
6.5 System forensics and malware analysis
6.1 Data access and analysis
Investigates the types of sensitive data available after a breach; e.g. patient records, admin data, confidential information
6.2 Privilege escalation
Examines how escalating user privileges can increase access within the network
6.3 Establishing persistence
Evaluates ways a hacker could maintain access to the network long term; evaluates possible severity of breach
6.4 Operational impact assessment
Assess potential impact of breach on hospital services and patient safety
6.5 System forensics and malware analysis
Analyses any traces left by the exploitation process by looking at system logs or at changes made to system configurations (system forensics), and by detecting malware implants (malware analysis)
Phase 7 is…?
Reporting
What happens in phase 7?
Everything prior is documented and presented to the client in a report.
Aspects of Phase 7
7.1 Vulnerability and exploitation details
7.2 Actionable recommendations
7.3 Security posture assessment
7.1 Vulnerability and exploitation details
Part of the report that gives an overview of vulnerabilities found, methods used to exploit them, and possible impact
7.2 Actionable recommendations
Provides suggestions prioritised for mitigating security risks and strengthening network defenses
7.3 Security posture assessment
Holistic analysis of overall strengths and weaknesses, offering future focus and areas for improvement
Outcome of Phase 7
Allows team to develop a response plan (includes incident detection, response strategies, recovery processes); guides the client's efforts in improving cybersecurity and responses to hackers
Ethical considerations
When doing any PenTES, ethics are vital especially in healthcare. This includes:
proper authorisation
data confidentiality and integrity
non-disruption of services
reporting and responsiveness
Malware
Software designed to disrupt, damage, or provide unauthorised access to a system.
Uninterrupted service delivery
No downtime, no interruptions, minimal lag when accessing patient information
Hacker
Person who breaks into computer systems
Security posture assessment
(Outcome of Phase 2) In-depth analysis of a system’s internal and external defenses to evaluate overall effectiveness of security measures.
SQL Injection
A code injection technique used to attack data-driven applications; inputs targeted queries to manipulate and access data. Lack of input validation facilitates this. (Phase 5)
Cross-site scripting (X-SS)
Injecting malicious scripts in applications or websites trusted by a target user. May result in theft of information, malware delivery to patient devices, and session hijacking (taking over an active patient session on the site). (Phase 5)
Buffer overflow attacks
Exploitation of a coding error (buffer overflow), using malformed inputs to overwrite memory of an application (Phase 5)
Password cracking tools
Tools/code that are used to guess or recover passwords (Phase 5). Examples:
Hashcat - most popular and advanced password recovery tool with large library of supported devices/software.
John The Ripper - free password cracking software that combines numerous crackers into one package.
Other sensitive information present in hospitals (Beyond EHRs)
Patient profiles —> can contain info connected to other agencies based on their conditions and personal life (i.e. social worker intervention) that can implicate other agencies in a data breach
Internet of Medical Things
Specific subset of IoT for healthcare. The network of devices with sensors, processing ability, software and technology that connect and exchange data between devices and the cloud, as well as between the devices themselves in a healthcare setting.
Protected Health Information (PHI)
The specific name for sensitive information in EHRs that HIPAA protects.
CVSS
Common Vulnerability Scoring System. Used to evaluate severity of a vulnerability.
BC&DR
Business Continuity and Disaster Recovery. Wider plans that a cybersecurity response plan falls into.
Health Insurance Portability and Accountability Act
HIPAA
Responsible Disclosure
The process of privately reporting a vulnerability to the vendor before making it public. The ethical hacking counterpart to finding bugs. This improves trust and safety between hackers and organisations.
Non-Disclosure Agreement (NDA)
A legal document that binds the testers to confidentiality - crucial for protecting Personal Health Information (PHI) and details of any vulnerabilities.
Burp Suite
Proprietary software for security assessment and PENTES of web applications. Has a database with known unsafe syntax/key word patterns in HTTP requests.
OWASP
Open Worldwide Application Security Project. Community that publishes open-source information on web application and IoT security.
OWASP ZAP
Zed Attack Proxy. Dynamic application security testing tool that allows the user to manipulate all the traffic that passes through it, including HTTPS encrypted traffic.
Nessus/OpenVAS
Industry standard vulnerability scanners
Port
An entry point in a computer that can be opened or closed. Ports exist in software at the level of the OS and are 16-bit unsigned integers. They act as a communication channel between devices and applications. When improperly secured they can allow unauthorised access.
ZigBee Protocol
Protocol/standard for IoT security. Very common, but also very vulnerable as a result.
Stored vs. Reflected XSS
Stored - Code injected directly into a database/server through forum post or user profile. Targets all users on a website.
Reflected - Clicking a link with harmful code. Can manifest as phishing emails. Targets fewer users and results in less damage.
Insider Threat Statistics from Verizon Data Breach Investigations Report 2023
Percentage of data breaches attributable to internal actors was approximately 35%
Methods of Vishing
Caller ID spoofing - Displaying a different number than the one actually calling.
Deepfake voice technology - Impersonating another person to establish trust between visher and victim.
Maltego
An application for OSINT that has a search function, graphing for large data sets, and allows for real-time and active monitoring of social media.
Banner Grabbing
Technique used to grab information of a software’s type and version by reading the banner displayed by a host. Active banner grabbing is done by sending packets to a remote server and reading response data. Passive banner grabbing is done through third-party services and malware.
Shodan
Search engine for IoT devices. “A search engine of search banners” that returns information about the server software, what options the service supports, a welcome message or anything else that the client can find.
Zenmap
A GUI for Nmap that visualises Nmap’s normal output, even allowing users to draw topology maps. It also allows users to compare two scans and to repeat the same scan multiple times with command profiles.
Nmap
An industry standard network scanner that finds hosts and services on a network by sending packets and analysing responses. It can:
Fast scan – Performing a basic port scan for fast result.
Port scanning – Enumerating the open ports on target hosts.
Ping Scan – Check host by sending ping requests.
TCP/IP stack fingerprinting – Determining the operating system and hardware characteristics of network devices based on observations of network activity of said devices.
Segmented Network Topology (Most likely for MTPH)
Dividing a network up into several subnets or segments, each acting like a micro network. With network segmentation, administrators can control how traffic flows according to granular policies. Improves performance and security.
Mirai
Malware that “infects” IoT devices for remote access and control.