Chapter 5: Security Assessment and Testing

Vulnerability Management

Vulnerability Management

Practice of finding and mitigating the vulnerabilities in computers and networks

Asset Map

Used to identify existing strengths and resources in the target region

Risk appetite

willingness to tolerate risk within the environment

Payment Card Industry Data Security Standard (PCI DSS)

corporate policy for payment card security standards

Federal Information Security Management Act (FISMA)

corporate policy for cybersecurity management

scan sensitivity level

These settings determine the types of checks that the scanner will perform and should be customized to ensure that the scan meets its objectives while minimizing the possibility of disrupting the target environment

Operating System (OS)

The system software that controls the way in which a computer system functions, including the management of hardware, peripherals, and software.

credentialed scanning

-credentialed scan is a scan that is performed by someone with administrative rights to the host being scanned

-Operations are executed on the host itself rather than across the network.

- There is a more definitive list of missing patches.

- Client-side software vulnerabilities are uncovered.

= A credentialed scan can read password policies, obtain a list of USB devices, check antivirus software configurations, and even enumerate Bluetooth devices attached to scanned hosts.

Qualys

A cloud-based vulnerability management solution with installed sensor agents at various points in their network and the sensors upload data to the cloud platform for analysis

Security Content Automation Protocol (SCAP)

A method of using specific protocols and data exchanges to automate the determination of vulnerability management, measurement, and policy compliance across a system or set of systems.

Static Testing

Testing of a software development artifact, e.g., requirements, design or code, without execution of these artifacts, e.g., reviews or static analysis.

dynamic testing

Testing that involves the execution of the software of a component or system.

Interactive Testing

combines static and dynamic testing, analyzing the source code while testers interact with the application through exposed interfaces

Common Vulnerability Scoring System (CVSS)

A risk management approach to quantifying vulnerability data and then taking into account the degree of risk to different types of systems or information.

Attack Vector Metric

A metric that describes how an attacker would exploit a vulnerability.

Attack Complexity Metric

A metric that describes the difficulty of exploiting a vulnerability.

Privileges Required Metric

Describes the type of account access that an attacker would need to exploit a vulnerability

interaction metrics

describes whether the attacker needs to involve another human in the attack.

confidentiality metric

describes the type of information disclosure that might occur if an attacker successfully exploits the vulnerability.

Integrity Metric

describes the type of information alteration that might occur if an attacker successfully exploits the vulnerability

availability metric

describes the type of disruption that might occur if an attacker successfully exploits the vulnerability

Scope Metric

describes whether the vulnerability can affect system components beyond the scope of the vulnerability

CVSS Vector

A vector that uses a single-line format to convey the ratings of a vulnerability on all six of the metrics.

CVSS Base Score

A single number representing the overall risk posed by the vulnerability.

Log reviews

Following a vulnerability scan, it is important to review the log files/reports that list any potential vulnerabilities.

Security Information and Event Management (SIEM)

A method for analyzing risk in software systems. It is a centralized collection of monitoring of security and event logs from different systems. SIEM allows for the correlation of different events and early detection of attacks.

configuration management systems

provide information on the operating system and applications installed on a system

legacy platforms

used to describe systems that are no longer being marketed or supported

Weak configurations

Configuration settings that are not properly implemented, resulting in vulnerabilities

debug modes

The feature that gives developers crucial error information needed to troubleshoot applications in the development process.

File Transfer Protocol (FTP)

A communications method for transferring data between computers on the Internet

Weak encryption

Encryption that is relatively easy or simple to decrypt without the encryption key.

Penetration Testing

Professional hacking to access data and computing power without being granted access; professional pen-testers are hired to identify and repair vulnerabilities and only work once, given written permission to obtain ungranted access.

White box tests

are a type of software test in which the tester understands how the software works internally

black box test

A type of penetration test. Testers have zero knowledge of the environment prior to starting the test. Compare with gray box test and white box test.

Gray Box Testing

Testers have some knowledge of the environment but do not have access to all documentation or data.

Bug Bounty Program

a crowdsourcing initiative that rewards individuals for discovering and reporting software bugs

rules of engagement

established rules or directives used by military forces that define the circumstances, conditions, degree, and manner in which the use of force, or actions which might applied

reconnaissance

exploration to gain knowledge or information

Priviledge escalation

a network intrusion attack that takes advantage of programming errors or design flaws to grant the attacker elevated access to the network and its associated data and applications