Red Team
a pen testing team that scans for vulnerabilities and then exploits them
Bug Bounty
monetary rewards given for uncovering a software vulnerability.
They allow organizations to identify and remediate vulnerabilities before the public is aware of them, reducing the spread and intensity of the abuse
Penetration Testing
a type of test that attempts to exploit vulnerabilities just as a threat actor would
White Team
a pen testing team that enforces the rules of the pen test
Purple Team
a pen testing team that provides real-time feedback between the Red and Blue teams to enhance the testing
Blue Team
a pen testing team that monitors for the Red Team attacks and shores up defenses as necessary
Gray Box
a pen testing level in which the testers are given LIMITED knowledge of the network and some elevated privileges
Black Box
a pen testing level in which the testers have NO KNOWLEDGE of the network and no special privileges.
This is the most accurate simulation of what a real threat actor would do.
White Box
a pen testing level in which testers are given FULL KNOWLEDGE of the network and the source code of the applications
Rules of Engagement
limitations or parameters in a pen test. Without them, a pen test can easily veer off course
Cleanup
returning all systems back to normal following a penetration test
Footprinting
gathering information from outside the organization
War Driving
searching for wireless signals from an automobile or on foot while using a portable computing device
Persistence
a process in which a load balancer creates a link between an endpoint and a specific network server for the duration of the session.
In a pen testing context, refers to maintaining access for a prolonged period of time without being detected.
War Flying
similar to war driving, an efficient means of discovering Wi-Fi signals using drones
Drones
An unmanned aerial vehicle (UAV) without a human pilot on board to control its flight.
Passive Reconnaissance
searching online for publicly accessible information. The tester does not engage or interact with the system.
What does UAV stand for?
unmanned aerial vehicle
Open Source Intelligence (OSINT)
publicly accessible information
Privilege Escalation
moving to more advanced resources that are normally protected from an application user
Lateral Movement
gradually moving through a network, gaining access to additional systems that threat actors can reach from their elevated position
Pivoting
refers to attacking or taking control of a system through another compromised system.
The compromised system is often a trusted system that belongs to the same network.
Vulnerability Scan
A frequent and ongoing process, often automated, that continuously identifies vulnerabilities and monitors cybersecurity progress.
Non-Credentialed Scan
a vulnerability scan in which no authentication credentials are provided to the scanner
Credentialed Scan
A scan where valid authentication credentials (usernames and passwords) are supplied to the vulnerability scanner to mimic the work of a threat actor who possesses these credentials
Intrusive Scan
A vulnerability scan that attempts to exploit any vulnerabilities it finds, much like a threat actor would
Configuration Review
An examination of the software settings for a vulnerability scan
Non-intrusive Scan
a vulnerability scan that doesn’t attempt to exploit the vulnerability and instead only records that it was discovered
Log
a record of events that occur
False Negative
failure to raise an alarm when there is a problem
Common Vulnerabilities and Exposures (CVE)
a tool that identifies vulnerabilities in operating systems and application software
Common Vulnerability Scoring System (CVSS)
a numeric rating system of the impact of a vulnerability
False Positive
raising an alarm when there’s no problem
Log Reviews
the analysis of log data
User Behavior Analysis
looking at the normal behavior of users and how they interact with systems to create a picture of typical activity
Sentiment Analysis
the process of computationally identifying and categorizing opinions in order to determine the writer’s attitude towards a particular topic
Security Information and Event Management (SIEM)
a tool that consolidates real-time security monitoring and management of security information with analysis and reporting of security events.
Security Orchestration, Automation, and Response (SOAR)
a tool designed to help security teams manage and respond to the very high number of security warnings by combining comprehensive data gathering and analytics to automate incident response
Maneuvering
conducting unusual behavior when threat hunting
Threat Feeds
cybersecurity data feeds that provide information on the latest threats
Fusion Center
a formal repository of information from enterprises and the government used to share information on the latest attacks
Threat Hunting
proactively searching for cyber threats that thus far have gone undetected in a network
Framework
a series of documented processes used to define policies and procedures for implementation and management of security controls in an enterprise environment
ISO 27002
a “code of practice” for information security management within an organization that contains 114 different control recommendations
NIST Risk Management Framework (RMF)
a guidance document designed to help organizations assess and manage risks to their information and systems
ISO 27001
a standard that provides requirements for an information security management system (ISMS)
NIST Cybersecurity Framework (CSF)
a measuring stick against which companies can compare their cybersecurity practices relative to the threats they face
ISO 27701
an extension to ISO 27001 that provides a framework for managing privacy controls to reduce the risk of privacy breaches
ISO 31000
a standard that contains controls for managing and controlling risk
SSAE SOC 2 Type II
a standard for reports on internal controls that review how a company safeguards customer data and how well those controls are operating
SSAE SOC 2 Type III
a standard for reports on internal controls that can be freely distributed
Center for Internet Security (CIS)
a nonprofit community-driven organization that publishes a set of prioritized security controls which provide a framework for organizations to improve their overall cybersecurity posture
Reference Architecture
an authoritative document that outlines recommended ways to integrate IT products and services to create a secure solution
Cloud Controls Matrix
a specialized framework for cloud-specific security controls
Cloud Security Alliance (CSA)
an organization whose goal is to define and raise awareness of best practices to help secure cloud computing environments
Regulations
standards typically developed by established professional organizations or government agencies using the expertise of seasoned security professionals
Payment Card Industry Data Security Standard (PCI DSS)
a compliance standard to provide a minimum degree of security for handling customer card information
Benchmark/Secure Configuration Guides
guidelines for configuring a device or software usually distributed by hardware manufacturers and software developers
European Union General Data Protection Directive (GDPR)
a regulation regarding data protection and privacy in the European Union and the European Economic Area (EEA)
Standard
a document approved through consensus by a recognized standardization body
Platform/Vendor-Specific Guides
guidelines that only apply to specific products
Adversary Tactics, Techniques, and Procedures (TTP)
a database of the behavior of threat actors and how they orchestrate and manage attacks
Requests for Comments (RFCs)
documents that are authored by technology bodies employing specialists, engineers, and scientists who are experts in those areas
Vulnerability Feeds
cybersecurity data feeds that provide information on the latest vulnerabilities
What are the four A’s?
Availability
Authentication
Authorization
Accountability
Availability
defined by FISMA as ensuring reliable access to and use of information upon demand by an authorized person
Authentication
the process of verifying the identity of a user, process, or device
(think of this as your drivers license)
Authorization
the process of giving someone the ability to access a resource
Accountability
the property of being able to TRACE activities on a system to individuals who may be held responsible for their actions
Anti-Accountability
Logs erased
Ethics ignored
No enforcements
No training
Cybercrime
defined as a crime in which a computer is either the object of the crime or the tool used to commit the offense
Cyber Kill Chain
a model outlining the various phases of a typical cyberattack
Zerodium
a company that buys bug information and sells it to government organizations who need specific and tailored solutions to defend against zero-day attacks
Threat Management
securing an organization from attacks. The goal is to take the appropriate steps needed to minimize hostile cyber actions.
Kali Linux
a Linux distribution that is a popular penetration testing tool
Creep
an expansion beyond the pen test's initial set of limitations
Can a penetration test occur without a planning stage?
No pen test should occur without a detailed planning phase
Deep Vulnerabilities
vulnerabilities that are found in penetration testing that are only exposed through actual attacks that use the mindset of a threat actor
Should an organization without a solid cybersecurity defense conduct a penetration test as a first step?
No. A general scan should first be conducted to reveal and address surface vulnerabilities. After that, a more thorough pen test can be performed
Internal Security Personnel
employees who already work within an organization
Advantages of using Internal Security Personnel to conduct a pen test
little to no additional cost
tests can be conducted more quickly
in-house pen tests can be used to enhance employee training and raise security awareness
Disadvantages of Internal Security Personnel
inside knowledge
lack of expertise
reluctance to reveal
External Pen Tester Consultants
contracting external third-party pen testing consultants, usually employed by a company that focuses on pen testing.
Advantages of External Consultants
expertise
credentials
experience
focus
Disadvantages of External Consultants
a contractor would learn about an organization's network and receive extremely sensitive information about it
knowledge gained could be sold to a competitor by an unscrupulous employee of the third-party contractor
Advantages of Crowdsourced Pen Testing
faster testing
ability to rotate teams
option of conducting multiple tests simultaneously
Timing Phase
phase of rules of engagement where the timing parameter is set, determining the date and time that testing will occur and whether testing will occur during active business hours
Scope
element of rules of engagement that determines WHAT should be tested and defines the relevant boundaries (targets and environments)
Coalfire
a penetration testing company that had two contractors arrested because they failed to properly communicate that a pen test was occurring
Authorization
the receipt of prior written approval to conduct the pen test. A formal document MUST be signed by all parties before a pen test begins
Exploitation
part of the scope that asks how MUCH pen testers can view and whether or not vulnerabilities found should be exploited or just disclosed
Initiation
the organization must be notified that the pen testing process has begun. DO NOT proceed with the pen test without notifying the organization
Incident Response
if a pen tester can complete the initial vulnerability assessment without triggering the organization's incident response mechanism, then a critical gap in security has been identified.
Status
provide periodic updates to the organization's management instead of waiting until the test is complete.
Emergency
if the pen tester uncovers a critical vulnerability, it should be immediately reported to the organization's management while the pen test is paused
Cleanup
following the exploitation of the systems, the pen tester must ensure that everything related to the pen test has been REMOVED
Reporting
once a pen test is complete, a report should be generated to document its objectives, methods used, and results. The report is divided into two parts: an executive summary and a technical summary
Executive Summary
a summary designed for a less technical audience, namely those who are in charge of oversight and strategic vision of the security program.
Identifies overall risk and provides a breakdown of the vulnerabilities exploited
Technical Summary
the second part of the report that is technical in nature and written for security professionals.
Enumeration
performing port scans and resource identification methods