CompTIA Security+ SY0-601 Chapter 5 Summary
CompTIA Security+ Study Guide: Exam SY0-601 8th Edition, by Mike Chapple & David Seidl
A summary of my notes on Chapter 5.
1. Vulnerability Scanning
Vulnerability management programs play a crucial role in identifying, prioritizing, and remediating vulnerabilities in our environments. They use vulnerability scanning to detect new vulnerabilities as they arise and then implement a remediation workflow that addresses the highest-priority vulnerabilities.
The next step is to identify the systems that will be covered by the vulnerability scans. Some organizations choose to cover all systems in their scanning process, whereas others scan systems differently (or not at all) depending on the answers to many different questions, including:
- What is the data classification of the information stored, processed, or transmitted by the system?
- Is the system exposed to the Internet or other public or semipublic networks?
- What services are offered by the system?
- Is the system a production, test, or development system?
Cybersecurity professionals use scanning tools to search the network for connected systems, whether they were previously known or unknown, and to build an asset inventory.
Asset inventory and asset criticality information help guide decisions about the types of scans that are performed, the frequency of those scans, and the priority administrators should place on remediating vulnerabilities detected by the scan.
The organization's risk appetite is its willingness to tolerate risk within the environment.
Regulatory requirements, such as those imposed by the Payment Card Industry Data Security Standard (PCI DSS) or the Federal Information Security Management Act (FISMA), may dictate a minimum frequency for vulnerability scans.
Technical constraints may limit the frequency of scanning. For example, the scanning system may only be capable of performing a certain number of scans per day.
Business constraints may limit the organization from conducting resource-intensive vulnerability scans during periods of high business activity.
Licensing limitations may curtail the bandwidth consumed by the scanner or the number of scans that may be conducted simultaneously.
It is important to conduct regular configuration reviews of vulnerability scanners to ensure that scan settings match current requirements.
For example, an organization that does not use the Amazon Linux operating system may choose to disable all checks related to Amazon Linux in their scanning template.
Some plug-ins perform tests that may actually disrupt activity on a production system or, in the worst case, damage content on those systems. These intrusive plug-ins are a tricky situation, and administrators may limit their scans to nonintrusive plug-ins.
One way around this problem is to maintain a test environment containing copies of the same systems running on the production network and running scans against those test systems first.
Basic vulnerability scans run over a network, probing a system from a distance.
Additionally, many security vulnerabilities are difficult to confirm using only a remote scan. Vulnerability scans that run over the network may detect the possibility that a vulnerability exists but be unable to confirm it with confidence, causing a false positive result.
To improve accuracy, administrators can provide the scanner with credentials that allow the scanner to connect to the target server and retrieve configuration information. This information can then be used to determine whether a vulnerability exists, improving the scan's accuracy over non-credentialed alternatives.
Credentialed scans typically only retrieve information from target servers and do not make changes to the server itself. Administrators should follow the principle of least privilege by providing the scanner with a read-only account on the server.
Some scanners supplement the traditional server-based scanning approach to vulnerability scanning with a complementary agent-based scanning approach. In this approach, administrators install small software agents on each target server. These agents conduct scans of the server configuration, providing an "inside-out" vulnerability scan.
System administrators are typically wary of installing agents because they fear that the agent will cause performance or stability issues.
Each scan perspective conducts the scan from a different location on the network, providing a different view into vulnerabilities:
- An external scan is run from the Internet.
- Internal scans might run from a scanner on the general corporate network.
- Finally, scanners located inside the datacenter and agents located on the servers offer the most accurate view of the real state of the server by showing vulnerabilities that might be blocked by other security controls on the network.
Controls that might affect scan results include the following:
- Firewall settings
- Network segmentation
- Intrusion detection systems (IDSs)
- Intrusion prevention systems (IPSs)
The internal and external scans required by PCI DSS are a good example of scans performed from different perspectives.
Administrators should conduct regular maintenance of their vulnerability scanner to ensure that the scanning software and vulnerability feeds remain up-to-date.
Regular patching of scanner software protects an organization against scanner-specific vulnerabilities.
Figure: a Nessus vulnerability listed in the NIST National Vulnerability Database.
Vulnerability scanners can only be effective against newly discovered vulnerabilities if they receive frequent updates to their plug-ins.
The Security Content Automation Protocol (SCAP) is an effort by the security community, led by the National Institute of Standards and Technology (NIST), to create a standardized approach for communicating security-related information.
This standardization is important to the automation of interactions between security components. The SCAP standards include the following:
- Common Configuration Enumeration (CCE): provides a standard nomenclature for discussing system configuration issues.
- Common Platform Enumeration (CPE): provides a standard nomenclature for describing product names and versions.
- Common Vulnerabilities and Exposures (CVE): provides a standard nomenclature for describing security-related software flaws.
- Common Vulnerability Scoring System (CVSS): provides a standardized approach for measuring and describing the severity of security-related software flaws.
- Extensible Configuration Checklist Description Format (XCCDF): a language for specifying checklists and reporting checklist results.
- Open Vulnerability and Assessment Language (OVAL): a language for specifying low-level testing procedures used by checklists.
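Added example, not from the book or these notes: a small Python parser for CPE 2.3 names that matches a vulnerability feed's affected-product CPE against an asset inventory, which is the kind of automation the SCAP nomenclature enables. The inventory entries are constructed samples, and the matching is a simplified version of the CPE name-matching rules.

```python
import re

# The 11 attributes of a CPE 2.3 formatted string, in order.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe(cpe):
    """Split a CPE 2.3 name into its attributes; an escaped '\\:' inside a value is not a separator."""
    prefix = "cpe:2.3:"
    if not cpe.startswith(prefix):
        raise ValueError("not a CPE 2.3 formatted string: " + cpe)
    values = re.split(r"(?<!\\):", cpe[len(prefix):])
    if len(values) != len(CPE_FIELDS):
        raise ValueError("expected %d attributes, got %d" % (len(CPE_FIELDS), len(values)))
    return dict(zip(CPE_FIELDS, values))

def _attr_regex(pattern):
    """Turn one attribute of a CPE pattern into a regex: '*' matches any run of
    characters, '?' one character, and a backslash quotes the next character."""
    out, i = "", 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out += re.escape(pattern[i + 1]); i += 2; continue
        out += ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        i += 1
    return re.compile("^" + out + "$", re.IGNORECASE)

def cpe_matches(pattern_cpe, target_cpe):
    """Simplified CPE matching: every attribute of the pattern must match the target.
    (The full NISTIR 7696 algorithm also reasons about ANY/NA in the target; omitted here.)"""
    p, t = parse_cpe(pattern_cpe), parse_cpe(target_cpe)
    return all(_attr_regex(p[f]).match(t[f]) is not None for f in CPE_FIELDS)

def affected_assets(affected_cpe, inventory):
    """Return the inventory entries matched by a vulnerability feed's affected-product CPE."""
    return [cpe for cpe in inventory if cpe_matches(affected_cpe, cpe)]

# Constructed sample asset inventory (not real hosts).
INVENTORY = [
    "cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:http_server:2.4.52:*:*:*:*:*:*:*",
    "cpe:2.3:o:canonical:ubuntu_linux:22.04:*:*:*:lts:*:*:*",
]
```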
You will want to have a network vulnerability scanner, an application scanner, and a web application scanner available for use.
Network vulnerability scanners are capable of probing a wide range of network-connected devices for known vulnerabilities.
The following tools are examples of network vulnerability scanners:
- Tenable's Nessus is a well-known and widely respected network vulnerability scanning product that was one of the earliest products in this field.
- Qualys's vulnerability scanner is a more recently developed commercial network vulnerability scanner that offers a unique deployment model using a software-as-a-service (SaaS) management console to run scans using appliances located both in on-premises datacenters and in the cloud.
- Rapid7's Nexpose is another commercial vulnerability management system that offers capabilities similar to those of Nessus and Qualys.
- The open source OpenVAS offers a free alternative to commercial vulnerability scanners.
Application scanning tools are commonly used as part of the software development process.
Application testing occurs using three techniques:
- Static testing analyzes code without executing it. This approach points developers directly at vulnerabilities and often provides specific remediation suggestions.
- Dynamic testing executes code as part of the test, running all the interfaces that the code exposes to the user with a variety of inputs, searching for vulnerabilities.
- Interactive testing combines static and dynamic testing, analyzing the source code while testers interact with the application through exposed interfaces.
Web application scanners are specialized tools used to examine the security of web applications.
Nikto is a popular web application scanning tool. It is an open source tool that is freely available for anyone to use.
Another open source tool available for web application scanning is Arachni.
At the very top of the report, we see two critical details: the name of the vulnerability, which offers a descriptive title, and the overall severity of the vulnerability, expressed as a general category, such as low, medium, high, or critical.
Common Vulnerability Scoring System (CVSS) is an industry standard for assessing the severity of security vulnerabilities. It provides a technique for scoring each vulnerability on a variety of measures. Cybersecurity analysts often use CVSS ratings to prioritize response actions.
The CVSS base metrics are:
- The attack vector (AV) metric describes how an attacker would exploit the vulnerability.
- The attack complexity (AC) metric describes the difficulty of exploiting the vulnerability.
- The privileges required (PR) metric describes the type of account access that an attacker would need to exploit a vulnerability.
- The user interaction (UI) metric describes whether the attacker needs to involve another human in the attack.
- The confidentiality (C) metric describes the type of information disclosure that might occur if an attacker successfully exploits the vulnerability.
- The integrity (I) metric describes the type of information alteration that might occur if an attacker successfully exploits the vulnerability.
- The availability (A) metric describes the type of disruption that might occur if an attacker successfully exploits the vulnerability.
- The scope (S) metric describes whether the vulnerability can affect system components beyond the scope of the vulnerable component itself.
The CVSS vector uses a single-line format to convey the ratings of a vulnerability on all six of the metrics described in the preceding sections.
From the vector, analysts can calculate the CVSS base score, which is a single number representing the overall risk posed by the vulnerability.
The first calculation analysts perform is computing the impact sub-score (ISS). This metric summarizes the three impact metrics (confidentiality, integrity, and availability).
When a scanner reports a vulnerability that does not exist, this is known as a false positive error. When a scanner reports a vulnerability, this is a positive report, which may be either accurate (a true positive report) or inaccurate (a false positive report). Similarly, when a scanner reports that a vulnerability is not present, this is a negative report. The negative report may either be accurate (a true negative report) or inaccurate (a false negative report).
Valuable information sources for this process include the following:
- Log reviews from servers, applications, network devices, and other sources that might contain information about possible attempts to exploit detected vulnerabilities
- Security information and event management (SIEM) systems that correlate log entries from multiple sources and provide actionable intelligence
- Configuration management systems that provide information on the operating system and applications installed on a system
The vulnerability shown in Figure 5.13 highlights the importance of operating a patch management program that routinely patches security issues.
Vulnerability scans may also highlight weak configuration settings on systems, applications, and devices. These weak configurations may include the following:
- The use of default settings that pose a security risk, such as administrative setup pages that are meant to be disabled before moving a system to production.
- The presence of unsecured accounts, including both normal user accounts and unsecured root accounts with administrative privileges. Accounts may be considered unsecured when they either lack strong authentication or use default passwords.
- Open ports and services that are not necessary to support normal system operations. This will vary based on the function of a server or device but, in general, a system should expose only the minimum number of services necessary to carry out its function.
- Open permissions that allow users access that violates the principle of least privilege.
Many application development platforms support debug modes that give developers crucial error information needed to troubleshoot applications in the development process.
Threat hunting builds on a cybersecurity philosophy known as the “presumption of compromise.” This approach assumes that attackers have already successfully breached an organization and searches out the evidence of successful attacks.
White-box tests, also referred to as known environment tests, are tests performed with full knowledge of the underlying technology, configurations, and settings that make up the target.
Black-box tests, also referred to as unknown environment tests, are intended to replicate what an attacker would encounter.
Gray-box tests, also referred to as partially known environment tests, are a blend of black-box and white-box testing.
rules of engagement (RoE)
Initial exploitation occurs when the attacker exploits a vulnerability to gain access to the organization's network. Privilege escalation uses hacking techniques to shift from the initial access gained by the attacker to more advanced privileges, such as root access on the same system. Pivoting, or lateral movement, occurs as the attacker uses the initial system compromise to gain access to other systems on the target network. Attackers establish persistence on compromised networks by installing backdoors and using other mechanisms that will allow them to regain access to the network, even if the initial vulnerability is patched.
Red team members are the attackers who attempt to gain access to systems. Blue team members are the defenders who must secure systems and networks from attack. The blue team also monitors the environment during the exercise, conducting active defense techniques. The blue team commonly gets a head start with some time to secure systems before the attack phase of the exercise begins. White team members are the observers and judges. They serve as referees to settle disputes over the rules and watch the exercise to document lessons learned from the test. The white team is able to observe the activities of both the red and blue teams and is also responsible for ensuring that the exercise does not cause production issues.
Purple teaming: At the end of an exercise, it's common to bring the red and the blue teams together to share information about tactics and lessons learned. Each team walks the other through their role in the exercise, helping everyone learn from the process.
Tabletop exercises simply gather participants in the same room to walk through their response to a fictitious exercise scenario.