CompTIA Security+ 701 Study Guide Ch. 5 Notes

91 Terms

1. Vulnerability Management Programs

These programs play a crucial role in identifying, prioritizing, and remediating vulnerabilities in our environments.

2. What factors come into play when an organization is deciding how frequently to conduct its vulnerability scans?

  • Risk appetite

  • Regulatory requirements

  • Technical constraints

  • Business constraints

  • Licensing limitations

3. Risk Appetite

An organization’s willingness to tolerate risk within the environment.

4. Regulatory Requirements

The rules and standards imposed by governmental or industry entities that dictate how organizations must manage data and security practices.

5. Technical Constraints

Limitations imposed by technology infrastructure and capabilities that affect the implementation of security measures.

6. Business Constraints

Limitations that affect business operations, including financial, legal, and resource-related factors.

7. Licensing Limitations

Restrictions on the use of software or technology due to legal agreements or regulatory requirements that limit how products can be utilized within an organization.

8. Basic Vulnerability Scans

  • These scans run over a network, probing a system from a distance.

  • This provides a realistic view of the system’s security by simulating what an attacker might see from another network vantage point.

9. Credentialed Scans

These scans access operating systems, databases, and applications directly.

10. Agent-Based Scanning

Administrators install small software agents on each target server. These agents conduct scans of the server configuration, providing an “inside-out” vulnerability scan, and then report the information back to the vulnerability management platform for analysis and reporting.

11. Scan Perspectives

Refers to the vantage point or approach taken when conducting a security scan.

12. What are some controls that might affect scan results?

  • Firewall settings

  • Network segmentation

  • Intrusion detection systems (IDSs)

  • Intrusion prevention systems (IPSs)

13. What does SCAP stand for?

Security Content Automation Protocol

14. The SCAP standards include what?

  • Common Configuration Enumeration (CCE)

  • Common Platform Enumeration (CPE)

  • Common Vulnerabilities and Exposures (CVE)

  • Common Vulnerability Scoring System (CVSS)

  • Extensible Configuration Checklist Description Format (XCCDF)

  • Open Vulnerability and Assessment Language (OVAL)

15. Common Configuration Enumeration (CCE)

Provides a standard nomenclature for discussing system configuration issues.

16. Common Platform Enumeration (CPE)

Provides a standard nomenclature for describing product names and versions.

17. Common Vulnerabilities and Exposures (CVE)

Provides a standard nomenclature for describing security-related software flaws.

18. Common Vulnerability Scoring System (CVSS)

Provides a standardized approach for measuring and describing the severity of security-related software flaws.

19. Extensible Configuration Checklist Description Format (XCCDF)

A language for specifying checklists and reporting checklist results.

20. Open Vulnerability and Assessment Language (OVAL)

A language for specifying low-level testing procedures used by checklists.

21. Network Vulnerability Scanners

  • Capable of probing a wide range of network-connected devices

  • Reach out to any systems connected to the network

  • Attempt to determine the type of each device and its configuration

  • Then launch targeted tests designed to detect the presence of any known vulnerabilities on those devices

22. Application Testing Tools

Tools that analyze custom-developed software to identify common security vulnerabilities.

23. Application testing occurs using what three techniques?

  • Static testing

  • Dynamic testing

  • Interactive testing

24. Static Testing

Analyzes code without executing it.

25. Dynamic Testing

Executes code as part of the test, exercising all the interfaces that the code exposes to the user with a variety of inputs.

26. Interactive Testing

Combines static and dynamic testing, analyzing the source code while testers interact with the application through its exposed interfaces.

27. Web Application Vulnerability Scanners

Specialized tools used to examine the security of web applications.

28. What web-specific vulnerabilities does a web application scanner test for?

  • SQL injection

  • Cross-site scripting (XSS)

  • Cross-site request forgery (CSRF)

29. Common Vulnerability Scoring System

The industry standard for assessing the severity of security vulnerabilities.

30. What are the 8 measures that analysts use to score new vulnerabilities?

  • Attack Vector metric

  • Attack Complexity metric

  • Privileges Required metric

  • User Interaction metric

  • Confidentiality metric

  • Integrity metric

  • Availability metric

  • Scope metric

31. Attack Vector Metric

Describes how an attack would exploit the vulnerability and is assigned a value based on whether the attack is physical, adjacent network, or internet-based.

32. Attack Complexity Metric

Describes the difficulty of exploiting the vulnerability and is assigned according to the conditions required to successfully exploit the vulnerability, which can range from low to high complexity.

33. Privileges Required Metric

Indicates the level of access or permissions needed to exploit a vulnerability, categorized as None, Low, or High.

34. User Interaction Metric (UI)

Describes whether the attacker needs to involve another human in the attack.

35. Confidentiality Metric

Describes the type of information disclosure that might occur if an attacker successfully exploits the vulnerability. The metric is assigned None, Low, or High.

36. Integrity Metric (I)

Describes the type of information alteration that might occur if an attacker successfully exploits the vulnerability. This impact is categorized as None, Low, or High.

37. Availability Metric (A)

Describes the type of disruption that might occur if an attacker successfully exploits the vulnerability. This impact is categorized as None, Low, or High.

38. Scope Metric (S)

Describes whether the vulnerability can affect system components beyond the scope of the vulnerability. This impact is categorized as None, Low, or High.

39. CVSS Vector

Uses a single-line format to convey the rating of a vulnerability on all eight of the metrics described in the CVSS scale, providing a quick overview of the potential impact across various dimensions.

40. CVSS Base Score

A single calculated number that represents the overall risk posed by the vulnerability.

41. CVSS Qualitative Severity Rating Scale

  • 0.0 - None

  • 0.1-3.9 - Low

  • 4.0-6.9 - Medium

  • 7.0-8.9 - High

  • 9.0-10.0 - Critical

42. False Positive Error

When a scanner reports a vulnerability that does not exist.

43. Positive Error

When the vulnerability scanner reports a vulnerability.

44. What are some valuable information sources for reconciling scan results?

  • Log reviews

  • Security information and event management (SIEM)

  • Configuration management systems

45. What should an organization do if it must continue to use an unsupported operating system?

  • Isolate the system as much as possible

  • Preferably, do not connect it to any network

  • Apply as many compensating security controls as possible

46. Good vulnerability response and remediation practices include what?

  • Patching

  • Insurance

  • Segmentation

  • Compensating controls

  • Exceptions

  • Exemptions

47. What are some examples of weak configuration settings on systems, applications, or devices?

  • The use of default settings that pose a security risk, such as administrative setup pages that are meant to be disabled before moving a system into production

  • Presence of default credentials or unsecured accounts

  • Open service ports that are not necessary to support normal system operations

  • Open permissions that allow users access that violates the principle of least privilege

48. For insecure protocols, what is the best practice in terms of securing an environment?

  • Switch to more secure protocols.

  • Example: use SSH, SFTP, and FTPS instead of Telnet or FTP.

49. Penetration Tests

Authorized, legal attempts to defeat an organization’s security controls and perform unauthorized activities.

50. What are some benefits of penetration testing?

  • Provides us with knowledge that we can’t obtain elsewhere

  • In the event that attackers are successful, penetration testing provides us with an important blueprint for remediation

  • Can provide us with essential, focused information on specific attack targets

51. What are the four major categories of penetration testing?

  • Physical penetration testing

  • Offensive penetration testing

  • Defensive penetration testing

  • Integrated penetration testing

52. Physical Penetration Testing

Focuses on identifying and exploiting vulnerabilities in an organization’s physical security controls.

53. Offensive Penetration Testing

A proactive approach where security professionals act as attackers to identify and exploit vulnerabilities in an organization’s networks, systems, and applications.

54. Defensive Penetration Testing

Focuses on evaluating an organization’s ability to defend against cyberattacks.

55. Integrated Penetration Testing

Combines aspects of both offensive and defensive testing to provide a comprehensive assessment of an organization’s security posture.

56. Three typical classifications are used to describe how much knowledge testers have. What are they?

  • Known environment

  • Unknown environment

  • Partially known environment

57. Known Environment

Tests performed with full knowledge of the underlying technology, configurations, and settings that make up the target.

58. Unknown Environment

Tests intended to replicate what an attacker would encounter.

59. Partially Known Environment

Tests that are a blend of known and unknown environment testing.

60. What are some rules of engagement (RoE)?

  • The timeline for the engagement and when testing can be conducted

  • What locations, systems, applications, or other potential targets are included or excluded

  • Data handling requirements for information gathered during the penetration test

  • What behaviors to expect from the target

  • What resources are committed to the test

  • Legal concerns that should be addressed

  • When and how communications will occur

61. Passive Reconnaissance

A technique that seeks to gather information without directly engaging the target.

62. Active Reconnaissance

A technique that directly engages the target in intelligence gathering.

63. What are some examples of active reconnaissance in penetration testing?

  • Port scans

  • Footprinting

  • Vulnerability scanning

64. War Driving

Where the penetration tester drives by the facilities in a car equipped with high-end antennas and attempts to eavesdrop on or connect to wireless networks.

65. War Flying

An expansion of the war driving technique, where the tester uses an aerial vehicle, such as a drone, to detect and analyze wireless networks from the air.

66. Initial Access

When the attacker exploits a vulnerability to gain access to the organization’s network.

67. Privilege Escalation

Uses hacking techniques to shift from the initial access gained by the attacker to more advanced privileges, such as root access on the same system.

68. Pivoting (Lateral Movement)

Occurs as the attacker uses the initial system compromise to gain access to other systems on the target network.

69. Persistence

Maintenance of access to a system or network over a prolonged period, allowing an attacker to return even after the initial vulnerabilities are patched.

70. What are the three major components of a security assessment program?

  • Security tests

  • Security assessments

  • Security audits

71. Security Tests

Verify that a control is functioning properly and assess the effectiveness of security measures, identifying vulnerabilities and recommending improvements.

72. When scheduling security controls for review, information security managers should consider the following factors:

  • Availability of security testing resources

  • Criticality of the systems and applications protected by the tested controls

  • Sensitivity of information contained on tested systems and applications

  • Likelihood of a technical failure of the mechanism implementing the control

  • Likelihood of a misconfiguration of the control that would jeopardize security

  • Risk that the system will come under attack

  • Rate of change of the control configuration

  • Other changes in the technical environment

  • Difficulty and time required to perform a control test

  • Impact of the test on normal business operations

73. Security Assessments

Comprehensive reviews of the security of a system, application, or other tested environment.

74. Security Audits

Use many of the same techniques followed during security assessments but must be performed by independent auditors.

75. Attestation

A formal statement that the auditors have reviewed the controls and found that they are both adequate to meet the control objectives and working properly.

76. What are the three types of audits?

  • Internal

  • External

  • Third-party

77. Internal Audits

Performed by an organization’s internal audit staff and typically intended for internal audiences.

78. What are some of the reasons an internal audit would be conducted?

  • Compliance obligations

  • Self-assessment of security protocols

  • To find gaps within the organization’s security

79. External Audits

Performed by an outside auditing firm that serves as an independent third party.

80. Third-Party Audits

Conducted by, or on behalf of, another organization.

81. COBIT

Control Objectives for Information and Related Technologies

82. ISACA

Information Systems Audit and Control Association

83. CISA

Certified Information Systems Auditor

84. CISM

Certified Information Security Manager

85. What are the steps of the vulnerability life cycle?

  • Identification

  • Analysis

  • Response and remediation

  • Validation of remediation

  • Reporting

  • Identification

86. Vulnerability Identification

  • When an organization becomes aware of a vulnerability that exists within its environment.

  • Identification may come from sources such as:

    • Vulnerability scans

    • Penetration tests

    • Reports from responsible disclosure or bug bounty programs

    • Results of system and process audits

87. Vulnerability Analysis

After identifying a possible vulnerability in the organization’s environment, cybersecurity professionals next perform an analysis of that report. This includes several core tasks:

  • Confirming that the vulnerability exists

  • Prioritizing and categorizing the vulnerability using tools such as CVSS and CVE that provide an external assessment of that vulnerability

  • Supplementing the external analysis of the vulnerability with organization-specific details

88. Vulnerability Response and Remediation

  • Apply a patch or other corrective measure to correct the vulnerability

  • Use network segmentation to isolate the affected system so that the probability of an exploit becomes remote

  • Implement other compensating controls

  • Purchase insurance to transfer the financial risk of the vulnerability to an insurance provider

  • Grant an exception or exemption to the system as part of a formal risk acceptance strategy

89. Validation of Remediation

The process of making sure that the vulnerability is no longer present.

90. Reporting

The final stage of the vulnerability life cycle.

91. Reporting may include:

  • Summarizing the vulnerabilities identified, analyzed, and remediated, along with their initial severity and impact on the organization

  • Providing details on the remediation actions taken, including patches applied, compensating controls implemented, and risk acceptance decisions made

  • Highlighting any trends, patterns, or areas requiring further attention, such as recurring vulnerabilities or systems that are particularly susceptible to exploitation

  • Offering recommendations for improvements in the vulnerability management process, security policies, or employee training programs