Adv Info Assurance
Vulnerability scanners
assess computers, computer systems, networks, or applications for weaknesses. They can help automate security auditing by scanning the network for security risks and producing a prioritized list of vulnerabilities to address.
A vulnerability scanner looks for the following types of vulnerabilities:
• Use of default passwords or common passwords
• Missing patches
• Open ports
• Misconfigurations in operating systems and software
• Active IP addresses, including any unexpected devices connected
Vulnerability scanning
key to identifying vulnerabilities, misconfigurations, and a lack of security controls for organizations with networks that include segments, routers, firewalls, servers, and other devices.
Commonly used vulnerability scanners on the market:
• Nessus
• Retina
• Core Impact
• GFI Lan Guard
Network scanners
probe hosts for open ports, enumerate information about users and groups, and look for known vulnerabilities on the network.
Application scanners
access application source code to test an application from the inside (they do not run the application).
Web application scanners
scanners that identify vulnerabilities in web applications.
False positive
Identifying a vulnerability where none exists.
False negative
not identifying an existing vulnerability.
Intrusive scans
try to exploit vulnerabilities and may even crash the target.
Security Information and Event Management (SIEM)
uses log collectors to aggregate log data from sources such as security devices, network devices, servers, and applications.
Security Orchestration Automation and Response (SOAR)
allows an organization to collect data about security threats from various sources and respond to low-level events without human intervention.
SOAR has three important capabilities:
• Threat and vulnerability management
• Security incident response
• Security operations automation
The goals of a SIEM system for security monitoring are:
• Identify internal and external threats
• Monitor activity and resource usage
• Conduct compliance reporting for audits
• Support incident response
Operations Security
is concerned with the day-to-day practices necessary to first deploy and later maintain a secure system.
security test and evaluation (ST&E)
is an examination of the protective measures that are placed on an operational network.
Active reconnaissance
directly interacting with network systems to gather information using many of the tools that are used in penetration testing and vulnerability assessment.
Passive reconnaissance
indirectly learning about the network and network users through searches from information sources that range from Facebook to leaked password details on the dark web.
Penetration testing
simulates attacks from malicious sources. The goal is to determine the feasibility of an attack and the consequences if one were to occur.
Network scanning
Includes software that can ping computers, scan for listening TCP ports, and display which types of resources are available on the network.
Vulnerability scanning
This includes software that can detect potential weaknesses in the tested systems. These weaknesses can include misconfiguration, blank or default passwords, or potential targets for DoS attacks.
Password cracking
This includes software that is used to test and detect weak passwords that should be changed. Password policies must include guidelines to prevent weak passwords.
Log review
a type of network testing in which system administrators review security logs to identify potential security threats. Filtering software should be used to scan lengthy log files and help discover abnormal activity to investigate.
Integrity checkers
a type of network testing in which a system detects and reports on changes in the system. Most of the monitoring is focused on the file system.
Virus detection
a type of network testing in which virus or anti-malware detection software is used to identify and remove computer viruses and other malware.
SIEM stands for
Security Information and Event Management
SOAR stands for
Security Orchestration Automation Response
Network Testing Tools:
• Nmap/Zenmap
• SuperScan
• SIEM
• GFI LANguard
• Tripwire
• Nessus
• L0phtCrack
• Metasploit
Nmap
is a commonly used, low-level scanner that is available to the public. It has an array of excellent features which can be used for network mapping and reconnaissance.
SuperScan
is a Microsoft Windows port scanning tool. It runs on most versions of Windows and requires administrator privileges.
pen testing
testing that simulates the methods an attacker would use to gain unauthorized access to a network and compromise its systems; it allows an organization to understand how well it would tolerate a real attack.
Black box testing
is the least time-consuming and the least expensive. The specialist has no knowledge of the inner system and tries to attack it from the view of a regular user.
Gray box testing
is a combination of black box and white box testing. The specialist will have some limited knowledge about the system, so it is a partially known environment.
White box testing
is the most time-consuming and the most expensive because it is conducted by a specialist with knowledge of how the system works.
4 phases of pen testing:
• Planning
• Discovery
• Attack
• Report
Planning
this phase establishes the rules of engagement for conducting the test.
Discovery
this phase includes conducting reconnaissance on the target to gain information.
Attack
At this phase, you seek to gain access or penetrate the system using the information gathered in the previous phase.
The tester may try to install additional tools or plant a backdoor; this process is known as
Persistence
Reporting
At this phase, the tester delivers to the organization detailed documentation that includes the vulnerabilities identified, actions taken and the results.
Packet analyzers
intercept and log network traffic, either for legitimate purposes like troubleshooting or illegitimate purposes such as compromising data. The most common example is Wireshark.