Hey, I'm Rob Witcher from Destination Certification and I'm here to help you pass the CISSP exam. We're going to go through a review of the major topics related to vulnerability assessment and penetration testing in Domain 6 to understand how they interrelate and to guide your studies. This is the second of three mind map videos for Domain 6; I've included links to the other mind map videos in the description below. These mind maps are one part of our complete CISSP MasterClass.

Every system has vulnerabilities. Vulnerability assessment and penetration testing are an important part of testing a system to look for these vulnerabilities, to identify, classify and prioritize remediation. Vulnerability assessments and penetration tests are very similar and start out exactly the same way: identifying potential vulnerabilities and reporting on them to understand the potential impact to the organization and prioritize remediation. In a vulnerability assessment, once a potential vulnerability has been identified, we skip straight to reporting. In a penetration test, we identify potential vulnerabilities and then we attempt to exploit them to verify if the vulnerability truly exists and can be exploited, thus eliminating false positives. Vulnerability assessments tend to be faster and more automated but generate more false positives. Penetration tests are slower and tend to be more manual and have a much higher likelihood of negatively impacting a system, but they provide a much clearer picture of the security of a system.

Here is the process we go through to conduct vulnerability assessments and pen tests. We start with reconnaissance, which is a passive activity: the organization being assessed cannot detect anything at this step because the assessor is gathering publicly available information from sources like job postings, LinkedIn profiles and DNS records. Enumeration is active; this step can potentially be detected by the organization. The assessor is enumerating, systematically walking through IP address ranges and ports to look for live systems that are offering services. Vulnerability analysis is where the assessor determines the exact version of a system and identifies potential vulnerabilities that could be exploited. We'll talk about how banner grabbing and fingerprinting can be used to identify the version of a system in a few minutes. If we're performing a vulnerability assessment, then the assessor will skip the execution step and go straight to reporting. In a pen test, however, the execution step is where the assessor attempts to exploit any vulnerabilities that have been identified and actually break into the system. Documenting findings is all about reporting on vulnerabilities identified, the potential impact to the organization, prioritization, and tailoring reports to various audiences.

Now let's go through some testing techniques that we can use. We can mix and match these different techniques to achieve different types of tests; we can simulate an outsider hacker or a malicious insider, as examples. Perspective is about where the ethical hacker, the assessor, is performing the test from. Internal means the testing is performed from within the organization's network, simulating the attacker, the assessor, being inside the network. External means the testing is being performed from outside the organization's network, simulating the attacker being outside the firewall, typically out on the internet.

There are a couple of major approaches that can be used in conducting these tests. In a blind test we give the ethical hacker, the assessor, very little information on the system to be tested, perhaps just an IP address; the ethical hacker is blind. Double blind means not only do we not give the ethical hacker, the assessor, any information, we also don't tell the organization's security operations team that the hack is occurring. Double blind tests not only what the assessor can get into but also how effectively the organization can detect and respond to the attack.

Knowledge is all about how much information we give to the ethical hacker, to the assessor. In zero knowledge or black box testing, the tester, the assessor, is given zero knowledge on the system and must rely on publicly available information and whatever they can deduce. This simulates an outsider trying to break in. Zero knowledge and blind tests are the same thing. In partial knowledge or gray box testing, the tester, the assessor, is given a little bit of knowledge: maybe a user account, potentially even elevated privileges on the system, and some basic info on the system and network architecture. This is to make the testing more efficient. Listen really carefully to this next one. Full knowledge, white box, open box, clear box testing (these names are all synonymous) is where the tester, the assessor, is given full access to the system, including source code, full credentials and full detailed architectural documentation. White box testing is much more focused on going through the source code in detail.

There are a couple of different types of scans that we can perform with vulnerability assessment tools like Nessus or Rapid7. A credentialed or authenticated scan is where we give the scanning tool the credentials necessary to log into the system or systems being scanned. A credentialed scan can take a deeper look into the exact configuration of a system because it can log into the system, and thus helps eliminate false positives. It can also help with baseline compliance checks. An uncredentialed scan, as you can probably guess, means we don't give the scanning tool the credentials necessary to log into the system it's scanning. This is more of a simulation of an external attacker and what vulnerabilities can be identified from outside the system with no access.

A critical requirement in identifying vulnerabilities is knowing the exact version of the operating system and applications; different versions of software are vulnerable to different things. Banner grabbing is where we intentionally get the system to generate something like an error message, like, say, an error 404 file not found on a web server, and then look at the error message to see if the version number of the system is listed. Systems should be configured to not show this information. Fingerprinting is far more subtle: by either passively monitoring network traffic coming from the system or actively sending a few specifically crafted packets and then looking at the responses, we can carefully evaluate the exact structure and the contents of the packets. Different versions of systems, different versions of software, will craft packets in subtly different ways, allowing us to fingerprint and figure out the exact version of a system.

When reporting on vulnerabilities there are a couple of different important numbers that should be included. The CVE or Common Vulnerabilities and Exposures number is a unique identifier for each vulnerability, and there is a public database of all these vulnerabilities that is maintained; each vulnerability that is discovered has a unique CVE number assigned to it. The CVSS or Common Vulnerability Scoring System is a standard for assessing the severity of a vulnerability, from zero, which means no big deal, all the way up to 10, which means everyone should be running screaming ASAP. The Security Content Automation Protocol is a whole bunch of interoperable specifications to help organizations automate vulnerability management and policy compliance evaluation.

Finally, false positives and false negatives are important challenges that we need to deal with, so let's define them here. A false positive is where we identify a potential vulnerability and upon further investigation we realize there is no vulnerability, so we've spent a bunch of time chasing something that wasn't actually there: a little annoying. False negatives are far, far worse. This is where a vulnerability exists and our tools don't identify it; we are blind to the vulnerability. This is dangerous, so we really don't want false negatives.

All right, that is an overview of vulnerability assessments and penetration testing within Domain 6, covering the most critical concepts you need to know for the exam. Like these mind map summary videos, our CISSP MasterClass delves into all the details. You can learn more about our CISSP MasterClass here at destcert.com/cissp; the link is in the description below as well.