# Module 23: Network Security Testing

:::success
Here is a cheat sheet generated from the course content using ChatGPT. It recaps the main concepts of each module, definitions and examples. At the end of (almost) each part, you will find a link to online related flashcards.
:::

### 23.1 Security Assessments Cheat Sheet

---

#### 23.1.1 Vulnerability Scanners

- **Purpose**: Assess systems, networks, and applications for weaknesses by automating security auditing.
- **Functions**:
  - Compliance auditing
  - Patch and update management
  - Identifying misconfigurations and sensitive data
  - Tracking malware
  - Supporting mobile and wireless devices
- **Common Vulnerabilities Detected**:
  - Default or weak passwords
  - Missing patches
  - Open ports
  - Misconfigurations in operating systems or software
  - Unexpected connected devices
- **Common Tools**: Nessus, Retina, Core Impact, GFI LanGuard.

---

#### 23.1.2 Types of Scans

1. **Categories**:
   - **Network Scanners**: Probe hosts for open ports, user/group data, and known vulnerabilities.
   - **Application Scanners**: Test application source code without running it.
   - **Web Application Scanners**: Identify vulnerabilities in web applications.
2. **Intrusive and Credentialed Scans**:
   - **Intrusive Scans**: Attempt to exploit vulnerabilities but may harm the target.
   - **Non-Intrusive Scans**: Avoid causing harm to the target.
   - **Credentialed Scans**: Use valid credentials for deeper insight, reducing false positives and negatives.
   - **Non-Credentialed Scans**: Provide an external view of the system.
   - **False Positives**: Report vulnerabilities that do not exist.
   - **False Negatives**: Fail to identify actual vulnerabilities.

---

#### 23.1.3 Command Line Diagnostic Utilities

- **ipconfig/ifconfig**: Displays TCP/IP configuration, including IP address and DNS details.
- **ping**: Tests network connectivity by sending ICMP requests to a host.
- **arp**: Maps MAC addresses to IP addresses.
- **tracert/traceroute**: Traces the route a packet takes to its destination, recording hops.
- **nslookup/dig**: Queries DNS servers to troubleshoot DNS database issues.
- **netstat**: Displays active connections and ports a computer is listening on.
- **nbtstat**: Troubleshoots NetBIOS name resolution on Windows systems.
- **nmap**: Security auditing tool for locating network hosts, detecting operating systems, and identifying services.
- **netcat**: Handles port scanning, banner grabbing, monitoring, and file copying.
- **hping**: Analyzes packets for port scanning, path discovery, OS fingerprinting, and firewall testing.

---

#### 23.1.4 Security Automation

1. **Security Information and Event Management (SIEM)**:
   - **Purpose**: Aggregates and analyzes logs from security and network devices, servers, and applications.
   - **Goals**:
     - Identify internal/external threats
     - Monitor activity and resource usage
     - Conduct compliance reporting
     - Support incident response
   - **Features**:
     - Combines similar events to reduce data load.
     - Detects deviations from norms and triggers alerts or mitigation actions.
     - Advanced systems include user and entity behavior analytics for proactive threat detection.
   - **Challenges**:
     - Requires significant data volume to justify costs.
     - Needs manual review of generated reports.
2. **Security Orchestration Automation and Response (SOAR)**:
   - **Purpose**: Automates security operations and responses to low-level events.
   - **Capabilities**:
     - Threat and vulnerability management
     - Security incident response
     - Security operations automation
   - **Integration**: Can be combined with SIEM for comprehensive security automation.

> [!Warning] Recap
> A vulnerability scanner assesses computers, computer systems, networks, or applications for weaknesses. Commonly used vulnerability scanners on the market include Nessus, Retina, Core Impact and GFI LanGuard. Vulnerability scanners may be network scanners, application scanners or Web application scanners.
> Intrusive scans try to exploit vulnerabilities and may even crash the target. In a credentialed scan, usernames and passwords provide authorized access to a system, allowing the scanner to harvest more information. Command line tools that can be used to assess vulnerability include ipconfig, ping, arp, tracert, nslookup, netstat, nbtstat, nmap, netcat, and hping. SIEM systems use log collectors to aggregate log data from sources such as security devices, network devices, servers, and applications. SOAR tools allow an organization to collect data about security threats from various sources, and respond to low-level events without human intervention.

### 23.2 Network Security Testing Techniques

---

#### 23.2.1 Operations Security

- **Definition**: Day-to-day practices to deploy and maintain a secure system.
- **Phases**:
  - **Planning and Implementation**: Analyze designs, identify risks, and adapt for vulnerabilities.
  - **Operational Tasks**: Ongoing maintenance to ensure systems and applications run securely.
- **Required Expertise for Security Testing**:
  - Operating systems
  - Basic programming
  - TCP/IP networking protocols
  - Network vulnerabilities and mitigation
  - Device hardening
  - Firewalls and Intrusion Prevention Systems (IPS)

---

#### 23.2.2 Testing and Evaluating Network Security

- **Purpose**: Ensure all security implementations operate as expected before real threats occur.
- **Types of Security Testing**:
  - **Implementation Testing**: Focuses on specific network components during deployment.
  - **Operational Testing**: Security Test and Evaluation (ST&E) examines protective measures on the operational network.
- **ST&E Objectives**:
  - Identify design, implementation, and operational flaws.
  - Assess security mechanisms, assurances, and device properties.
  - Ensure system documentation aligns with its implementation.
- **Frequency**:
  - Periodic testing is essential.
  - Test whenever system changes are made.
  - Critical systems require more frequent testing.
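The "open ports" and "unexpected connected devices" findings from 23.1.1, the nmap entry in 23.1.3 and the ST&E objective above (system documentation must match the implementation) come together in one routine task: run a scan, then diff what answered against what the inventory says should be exposed. The script below is an added example for this cheat sheet, not course material or Nmap's own code. The XML is a constructed sample in the layout Nmap writes with `-oX`, and `BASELINE` is a hypothetical "as documented" inventory.

```python
"""Compare an Nmap XML scan against the documented service inventory.

Added example for this cheat sheet, not course material: the XML is a
constructed sample in the layout Nmap writes with `-oX`, and BASELINE is a
hypothetical "as documented" inventory for the ST&E documentation check.
"""
import xml.etree.ElementTree as ET

# Constructed sample output of `nmap -sV -oX -` for three responding hosts.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 192.0.2.0/29">
  <host><status state="up" reason="syn-ack"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https"/></port>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql"/></port>
    </ports>
  </host>
  <host><status state="up" reason="echo-reply"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/><service name="telnet"/></port>
    </ports>
  </host>
  <host><status state="up" reason="echo-reply"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Hypothetical documented inventory: host -> services that are supposed to be exposed.
BASELINE = {
    "192.0.2.10": {("tcp", 22), ("tcp", 443)},
    "192.0.2.11": {("tcp", 22)},
    "192.0.2.13": {("tcp", 22)},   # documented but did not answer the scan
}


def parse_open_ports(xml_text):
    """Return {ipv4: {(protocol, port), ...}} for every host that was up, open ports only."""
    observed = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ipv4 = [a.get("addr") for a in host.findall("address") if a.get("addrtype") == "ipv4"]
        if not ipv4:
            continue
        open_ports = set()
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                open_ports.add((port.get("protocol"), int(port.get("portid"))))
        observed[ipv4[0]] = open_ports
    return observed


def diff_against_baseline(observed, baseline):
    """Turn scan vs. inventory into review items: unknown hosts, unexpected/missing ports, silent hosts."""
    findings = {"unknown_hosts": [], "unexpected_ports": [], "missing_ports": [], "silent_hosts": []}
    for host, ports in sorted(observed.items()):
        if host not in baseline:
            findings["unknown_hosts"].append(host)   # an "unexpected connected device"
            continue
        findings["unexpected_ports"] += [(host, *p) for p in sorted(ports - baseline[host])]
        findings["missing_ports"] += [(host, *p) for p in sorted(baseline[host] - ports)]
    findings["silent_hosts"] = sorted(set(baseline) - set(observed))
    return findings


if __name__ == "__main__":
    for kind, items in diff_against_baseline(parse_open_ports(SAMPLE_NMAP_XML), BASELINE).items():
        print(f"{kind}: {items}")
```

Each finding category maps to a different follow-up: an unknown host is an inventory or rogue-device question, an unexpected port (the MySQL and Telnet listeners here) is a hardening or change-control question, and a documented host that did not answer is worth checking before the next scan is trusted, since a scanner blocked by a firewall produces false negatives rather than a clean report.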
---

#### 23.2.3 Types of Network Tests

1. **Reconnaissance Techniques**:
   - **Active Reconnaissance**: Directly interacting with systems using tools for penetration testing and vulnerability assessment.
   - **Passive Reconnaissance**: Indirectly gathering data (e.g., OSINT, social media, leaked credentials on the dark web).
2. **Common Security Tests**:
   - **Penetration Testing**: Simulates attacks to evaluate attack feasibility and consequences. May include social engineering.
   - **Network Scanning**: Identifies active systems, open ports, shared resources, and usernames to strengthen network security.
   - **Vulnerability Scanning**: Detects misconfigurations, default passwords, and potential DoS targets.
   - **Password Cracking**: Identifies weak passwords; password policies must prevent them.
   - **Log Review**: Filters and analyzes security logs for abnormal activity.
   - **Integrity Checkers**: Detect and report system changes, focusing on file systems and login/logout activities.
   - **Virus Detection**: Identifies and removes malware using antivirus software.
   - **Legacy Tests**:
     - **Wardialing**: Dialing phone numbers to identify active modems.
     - **Wardriving**: Locating wireless networks by driving through areas.

---

#### 23.2.4 Applying Network Test Results

1. **Mitigation**:
   - Define actions to address identified vulnerabilities.
2. **Benchmarking**:
   - Track progress toward meeting security requirements.
3. **Implementation Assessment**:
   - Evaluate the status of system security requirements.
4. **Cost-Benefit Analysis**:
   - Conduct analysis for network security improvements.
5. **Risk and Certification Enhancement**:
   - Support risk assessments, certification, and authorization efforts.
6. **Corrective Action Reference**:
   - Use test results to guide remediation activities.

> [!Warning] Recap
> Operations security is concerned with the day-to-day practices necessary to first deploy and later maintain a secure system.
> Operations security starts with the planning and implementation process of a network. Typically, network security testing is conducted during the implementation and operational stages, after the system has been developed, installed, and integrated. It is performed on a network to ensure all security implementations are operating as expected. An ST&E is an examination of the protective measures that are placed on an operational network. Types of network tests include: penetration, network scanning, vulnerability scanning, password cracking, log review, integrity checkers, and virus detection.

### 23.3 Network Security Testing Tools

---

#### 23.3.1 Network Testing Tools

Network testing tools help assess and secure systems and networks. These tools can be open-source or commercial.

- **Nmap/Zenmap**: Discovers computers and services, creating a network map.
- **SuperScan**: Detects open TCP/UDP ports, retrieves service information, and performs queries like whois and traceroute.
- **SIEM (Security Information Event Management)**: Provides real-time reporting and long-term analysis of security events.
- **GFI LANguard**: Network and security scanner for detecting vulnerabilities.
- **Tripwire**: Validates IT configurations against compliance standards and policies.
- **Nessus**: Focuses on vulnerability scanning, misconfigurations, and DoS risks.
- **L0phtCrack**: Password auditing and recovery tool.
- **Metasploit**: Identifies vulnerabilities and assists in penetration testing and IDS signature development.

---

#### 23.3.2 Nmap and Zenmap

Nmap is a low-level scanner widely used for network mapping and reconnaissance.

- **Basic Features**:
  - **TCP/UDP Port Scanning**: Searches for services on a single host.
  - **Port Sweeping**: Searches for the same service across multiple hosts.
  - **Stealth Scanning**: Harder to detect by targets or IPS.
  - **OS Fingerprinting**: Identifies the operating system remotely.
- **Advanced Features**:
  - **Protocol Scanning**: Identifies Layer 3 protocols (e.g., GRE, OSPF).
  - **Decoy Hosts**: Masks scan sources using decoys on the same LAN.
- **Compatibility**:
  - Runs on UNIX, Linux, Windows, and OS X.
  - Both console and GUI (Zenmap) versions available.

Nmap is a powerful security tool but can also be misused for malicious purposes.

---

#### 23.3.3 SuperScan

SuperScan is a Windows-based port scanning tool with powerful features for network vulnerability assessment.

- **Features**:
  - Adjustable scanning speed and support for unlimited IP ranges.
  - Improved host detection using multiple ICMP methods.
  - TCP SYN and UDP scanning (two methods).
  - HTML report generation and source port scanning.
  - Extensive banner grabbing and port description database.
  - Tools for ping, traceroute, and whois queries.
  - Randomized IP and port scan order.
  - Advanced Windows host enumeration capabilities.

SuperScan is effective for penetration testing and identifying vulnerabilities but may not anticipate all security problems.

---

#### 23.3.4 SIEM (Security Information and Event Management)

SIEM technology helps enterprise organizations manage and analyze security events in real time and over the long term.

- **Core Functions**:
  - **Correlation**: Analyzes logs and events across systems to speed threat detection and response.
  - **Aggregation**: Reduces event data volume by consolidating duplicates.
  - **Forensic Analysis**: Provides a comprehensive view of security events for investigation.
  - **Retention**: Offers real-time monitoring and long-term summaries for compliance and audits.
- **Key Details Provided**:
  - **User Information**: Name, authentication status, location, authorization group, quarantine status.
  - **Device Information**: Manufacturer, model, OS version, MAC address, connection method, location.
  - **Posture Information**: Compliance with policies, antivirus versions, OS patches, mobile device management adherence.
- **Critical Questions Addressed**:
  - Who is associated with the event?
  - Does the user have access to sensitive resources?
  - Is the device compliant with corporate security policies?
  - Does the event pose a compliance issue?

SIEM integrates with tools like Cisco Identity Services Engine (ISE) for advanced monitoring and is essential for modern network security management.

:::danger
**Check Your Understanding** :ballot_box_with_check:
You can find the answers to the quiz by clicking [here](https://itexamanswers.net/22-2-5-check-your-understanding-identify-network-security-testing-tools-answers.html).
:::

> [!Warning] Recap
> Software tools that can be used to perform network testing include: Nmap/Zenmap, SuperScan, SIEM, GFI LANguard, Tripwire, Nessus, L0phtCrack, and Metasploit. Nmap provides classic TCP and UDP port scanning and sweeping, Stealth TCP and UDP port scans and sweeps, and remote operating system ID. SuperScan is a Microsoft Windows port scanning tool. It runs on most versions of Windows and requires administrator privileges. SIEM provides correlation, aggregation, forensic analysis and retention.

### 23.4 Penetration Testing

---

#### 23.4.1 Penetration Testing

Penetration testing (pen testing) involves simulating real-world attack techniques to identify and address vulnerabilities before malicious actors exploit them.

- **Key Characteristics**:
  - Tests systems by mimicking attacker techniques.
  - Involves permission-based hacking of networks, websites, or servers.
  - Goes beyond vulnerability scanning by actively exploiting weaknesses.
- **Testing Levels**:
  - **Black Box Testing**:
    - Tester has no prior knowledge of the system.
    - Mimics an external attacker.
    - Least time-consuming and expensive.
  - **Gray Box Testing**:
    - Tester has partial knowledge of the system.
    - Combines black box and white box techniques.
  - **White Box Testing**:
    - Tester has full knowledge of the system.
    - Mimics an insider or informed attacker.
    - Most time-consuming and expensive.
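Looking back at the SIEM material in 23.1.4 and 23.3.4, the two functions that are easiest to misunderstand from a bullet list are aggregation (collapsing identical events so the analyst sees one row with a count) and correlation (turning several individually harmless events into one alert). The script below is an added example for this cheat sheet, not course code and not any vendor's SIEM logic: it normalises constructed sshd-style auth-log lines, aggregates them, and applies one correlation rule. The rule thresholds (5 failures in 60 seconds, then a success from the same source) are hypothetical policy values.

```python
"""Minimal SIEM-style pipeline: normalise auth logs, aggregate duplicates, correlate into an alert.

Added example for sections 23.1.4 and 23.3.4 of this cheat sheet; it is not course
code or any vendor's SIEM logic. The log lines are constructed in the sshd/auth.log
style, and the rule thresholds (5 failures in 60 s) are hypothetical policy values.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: a password-guessing burst that ends in a successful root login,
# a normal user who mistypes once and then logs in with a key, and one unrelated line.
SAMPLE_LOGS = """\
Mar 10 09:00:01 web01 sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 50012 ssh2
Mar 10 09:00:03 web01 sshd[1202]: Failed password for invalid user admin from 198.51.100.7 port 50013 ssh2
Mar 10 09:00:05 web01 sshd[1203]: Failed password for root from 198.51.100.7 port 50014 ssh2
Mar 10 09:00:07 web01 sshd[1204]: Failed password for root from 198.51.100.7 port 50015 ssh2
Mar 10 09:00:09 web01 sshd[1205]: Failed password for root from 198.51.100.7 port 50016 ssh2
Mar 10 09:00:11 web01 sshd[1206]: Accepted password for root from 198.51.100.7 port 50017 ssh2
Mar 10 09:30:00 db01 sshd[2201]: Failed password for alice from 10.0.0.5 port 40001 ssh2
Mar 10 09:30:40 db01 sshd[2202]: Accepted publickey for alice from 10.0.0.5 port 40002 ssh2
Mar 10 09:31:00 db01 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse(raw, year=2024):
    """Normalise raw lines into event dicts; lines that do not match are counted, not silently lost."""
    events, unparsed = [], 0
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1          # a real SIEM would route these to a parse-failure queue
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog omits the year
        events.append({"ts": ts, "host": m["host"], "outcome": m["outcome"],
                       "user": m["user"], "src": m["src"]})
    return events, unparsed


def aggregate(events):
    """Aggregation: identical (host, outcome, user, source) events become one row with a count."""
    return Counter((e["host"], e["outcome"], e["user"], e["src"]) for e in events)


def correlate(events, max_failures=5, window=timedelta(seconds=60)):
    """Correlation rule: >= max_failures failed logins from one source to one host inside
    `window`, followed by an accepted login from that same source, raises one alert."""
    alerts = []
    streams = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        streams[(e["src"], e["host"])].append(e)
    for (src, host), stream in streams.items():
        failures = []                     # timestamps of recent failures from this source
        for e in stream:
            failures = [t for t in failures if e["ts"] - t <= window]   # slide the window
            if e["outcome"] == "Failed":
                failures.append(e["ts"])
                continue
            if len(failures) >= max_failures:
                alerts.append({"rule": "brute-force-then-success", "src": src, "host": host,
                               "user": e["user"], "failures": len(failures), "at": e["ts"]})
            failures = []                 # a success ends the current burst either way
    return alerts


if __name__ == "__main__":
    events, bad = parse(SAMPLE_LOGS)
    print(f"{len(events)} events normalised, {bad} unparsed")
    for key, count in aggregate(events).items():
        print(f"{count:3d}x  host={key[0]} outcome={key[1]} user={key[2]} src={key[3]}")
    for alert in correlate(events):
        print("ALERT:", alert)
```

Eight auth events collapse to five aggregated rows, and only the web01 burst trips the rule; alice's single typo followed by a key login does not. This is also the place where the "challenges" bullets in 23.1.4 show up in practice: the rule only fires if the source and host fields were normalised consistently across all log sources, and the unparsed counter is what tells you when a new log format has started slipping past the collectors.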
---

#### 23.4.2 Penetration Phases

Penetration testing is conducted in four structured phases:

1. **Planning**:
   - Define rules of engagement, objectives, and scope.
2. **Discovery**:
   - Gather information about the target.
   - **Passive Reconnaissance**: Use public sources to collect information (footprinting).
   - **Active Reconnaissance**: Engage directly with the system (e.g., port scanning).
3. **Attack**:
   - Exploit vulnerabilities to gain unauthorized access.
   - Techniques include:
     - Escalating privileges.
     - Lateral movement across systems (pivoting).
     - Installing tools/backdoors (persistence).
     - Clean up traces left behind.
4. **Reporting**:
   - Provide detailed documentation with:
     - Identified vulnerabilities.
     - Exploitation techniques used.
     - Outcomes and remediation suggestions.

---

#### 23.4.3 Exercise Types

Organizations may organize penetration exercises involving competing teams:

![image](https://hackmd.io/_uploads/Hkoh7q2Vkg.png)

- **Red Team**: Simulates adversaries attempting to breach systems undetected.
- **Blue Team**: Defends against attacks from the red team.
- **White Team**:
  - Neutral overseers defining rules and monitoring activities.
  - Focused on governance and compliance.
- **Purple Team**: Collaborative efforts between red and blue teams to strengthen defenses.

---

#### 23.4.4 Bug Bounty Programs

- Public initiatives to identify vulnerabilities.
- Invite external participants (e.g., ethical hackers) to test systems.
- Often include monetary rewards for discovered bugs.

---

#### 23.4.5 Packet Analyzer

Packet analyzers, or sniffers, monitor and log network traffic. They can be used for both legitimate purposes (e.g., troubleshooting) and malicious purposes (e.g., data theft).

- **Functions**:
  - Analyze network problems.
  - Detect network intrusions and misuse.
  - Isolate exploited systems.
  - Log traffic for analysis.
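To make the "detect misuse" and "log traffic for analysis" functions concrete, the script below is an added example for this cheat sheet (not course code and not the source of any real sniffer): it reads a capture in the classic libpcap file layout, decodes Ethernet/IPv4/TCP headers with `struct`, summarises each conversation, and raises a finding when an HTTP Basic credential is seen crossing port 80 in cleartext. The capture itself is constructed in memory by `build_frame` and `build_pcap` (checksums left at zero, which is fine for offline parsing), and the embedded credential is the constructed placeholder `user:password`; the finding reports that a credential was exposed without ever printing it.

```python
"""Tiny packet analyzer: read a pcap, summarise TCP conversations, flag cleartext credentials.

Added example for section 23.4.5 of this cheat sheet, not course code and not a real
sniffer's source. The capture is constructed in memory by build_frame/build_pcap
(classic libpcap layout, Ethernet link type, checksums left zero); only IPv4/TCP is
decoded. The check reports that an HTTP Basic credential crossed the wire in
cleartext without printing its value.
"""
import struct
from collections import defaultdict

ETH_IPV4 = 0x0800
IP_PROTO_TCP = 6
PCAP_LINKTYPE_ETHERNET = 1


def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_frame(src_ip, dst_ip, sport, dport, payload, flags=0x18):
    """Ethernet + IPv4 + TCP header + payload (PSH/ACK by default). Checksums are zero."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64,
                     IP_PROTO_TCP, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Classic pcap: 24-byte global header, then a 16-byte record header before each frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, PCAP_LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield (timestamp_seconds, frame) records, honouring the byte order the magic announces."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != PCAP_LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are decoded here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def decode_tcp(frame):
    """Return (src_ip, dst_ip, sport, dport, payload), or None for anything that is not IPv4/TCP."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                       # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IP_PROTO_TCP or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                  # TCP header length in bytes
    return ip_str(ip[12:16]), ip_str(ip[16:20]), sport, dport, tcp[data_off:]


def analyse(pcap_bytes):
    """Per-conversation payload byte counts plus findings for cleartext HTTP Basic credentials."""
    conversations = defaultdict(int)
    findings = []
    for _, frame in read_pcap(pcap_bytes):
        decoded = decode_tcp(frame)
        if decoded is None:
            continue
        src, dst, sport, dport, payload = decoded
        conversations[(src, sport, dst, dport)] += len(payload)
        if dport == 80 and b"authorization: basic " in payload.lower():
            findings.append({"src": src, "dst": dst, "issue": "HTTP Basic credentials sent in cleartext"})
    return dict(conversations), findings


# Constructed capture: a cleartext HTTP request carrying a Basic credential (user:password,
# base64), its reply, and an opaque TLS-looking record on 443 that the analyzer cannot read.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "192.0.2.10", 51000, 80,
                b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic dXNlcjpwYXNzd29yZA==\r\n\r\n"),
    build_frame("192.0.2.10", "10.0.0.5", 80, 51000, b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
    build_frame("10.0.0.5", "192.0.2.10", 51001, 443, b"\x16\x03\x01\x00\x05hello"),
])

if __name__ == "__main__":
    convs, found = analyse(SAMPLE_PCAP)
    for key, nbytes in convs.items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  {nbytes} payload bytes")
    for f in found:
        print("FINDING:", f)
```

The contrast between the two client connections is the whole lesson of 23.4.5 and 23.4.6 in one run: the port 80 request is fully readable to anyone positioned on the path, so the credential is reported as exposed, while the port 443 bytes are just a byte count. Encrypting the transport is what removes the value of a sniffer to an intruder; the physical-security control in the next section limits who can place one.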
---

#### 23.4.6 Protocol Analyzer Output

Sniffing involves intercepting and examining network traffic, regardless of its intended destination.

- **Techniques**:
  - Observes all or targeted network traffic (e.g., protocols, services, or credentials).
  - Can modify traffic during analysis.
- **Applications**:
  - **Legitimate**:
    - Used by network administrators for troubleshooting, bandwidth analysis, and traffic monitoring.
  - **Malicious**:
    - Criminals use sniffing tools to intercept sensitive data.
- **Prevention**:
  - Enforce strict physical security to prevent unauthorized sniffers from being introduced to the network.

> [!Warning] Recap
> Penetration testing, or pen testing, is a way of testing the areas of weaknesses in systems by using various malicious techniques. A penetration test simulates methods that an attacker would use to gain unauthorized access to a network and compromise the systems and allows an organization to understand how well it would tolerate a real attack. There are four phases that make up a penetration test: 1. Planning, 2. Discovery, 3. Attack, and 4. Reporting. Some organizations create competing teams to conduct penetration exercises that are longer than a penetration test. There is usually a red team (trying to attack the system) and a blue team (trying to defend the system). Packet analyzers, or packet sniffers, intercept and log network traffic. Sniffing is not only used for malicious purposes. It is also used by network administrators, who can analyze network traffic, identify bandwidth issues, and troubleshoot other network issues using sniffers.