Chapter 8 - 03 - Discuss Vulnerability Assessment - 02_ocred.pdf

Full Transcript


Certified Cybersecurity Technician
Network Security Assessment Techniques and Tools
Exam 212-82

Information Obtained from the Vulnerability Scanning

Vulnerability scanners are capable of identifying the following information:

- The OS version running on computers or devices
- IP and Transmission Control Protocol/User Datagram Protocol (TCP/UDP) ports that are listening
- Applications installed on computers
- Accounts with weak passwords
- Files and folders with weak permissions
- Default services and applications that might have to be uninstalled
- Errors in the security configuration of common applications
- Computers exposed to known or publicly reported vulnerabilities
- EOL/EOS software information
- Missing patches and hotfixes
- Weak network configurations and misconfigured or risky ports
- Information that helps to verify the inventory of all devices on the network

Module 08 Page 1062. Certified Cybersecurity Technician. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Vulnerability Scanning Approaches

There are two approaches to network vulnerability scanning:

Active Scanning: The attacker interacts directly with the target network to find vulnerabilities. Active scanning helps in simulating an attack on the target network to uncover vulnerabilities that can be exploited by the attacker. This type of scanning is also known as intrusive scanning.

Example: An attacker sends probes and specially crafted requests to the target host in the network to identify vulnerabilities.

Passive Scanning: The attacker tries to find vulnerabilities without directly interacting with the target network. The attacker identifies vulnerabilities via information exposed by systems during normal communications. Passive scanning identifies the active operating systems, applications, and ports throughout the target network, monitoring activity to determine its vulnerabilities. This approach provides information about weaknesses but does not provide a path for directly combating attacks. This type of scanning is also known as non-intrusive scanning.

Example: An attacker guesses the operating system information, applications, and application and service versions by observing the TCP connection setup and teardown.

Attackers scan for vulnerabilities using tools such as Nessus, Qualys, GFI LanGuard, and OpenVAS. Vulnerability scanning enables an attacker to identify network vulnerabilities, open ports and running services, application and services configuration errors, and application and service vulnerabilities.

Vulnerability Scoring Systems and Databases

Common Vulnerability Scoring System (CVSS)

- An open framework for communicating the characteristics and impacts of IT vulnerabilities
- Its quantitative model ensures repeatable accurate measurement, while enabling users to view the underlying vulnerability characteristics used to generate the scores
- CVSS v3.0 ratings: None 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0
- CVSS v2.0 ratings: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10

[Figure: Common Vulnerability Scoring System Calculator, CVE-2017-0144]

Source: https://www.first.org, https://nvd.nist.gov

Common Vulnerabilities and Exposures (CVE)

- A publicly available and free-to-use list or dictionary of standardized identifiers for common software vulnerabilities and exposures

[Figure: CVE List search results, listing Name and Description for each entry]

CVE-2019-9565: Druide Antidote RX, HD, 8 before 8.05.2287, 9 before 9.5.3937 and 10 before 10.1.2147 allows remote attackers to steal NTLM hashes or perform SMB relay attacks upon a direct launch of the product, or upon an indirect launch via an integration such as Chrome, Firefox, Word, Outlook, etc.
This occurs because the product attempts to access a share with the PLUG-INS subdomain name; an attacker may be able to use Active Directory Domain Services to register that name.

CVE-2019-7097: Adobe Dreamweaver versions 19.0 and earlier have an insecure protocol implementation vulnerability. Successful exploitation could lead to sensitive data disclosure if smb request is subject to a relay attack.

CVE-2019-6452: Kyocera Command Center RX TASKalfa4501i and TASKalfa5052ci allows remote attackers to abuse the Test button in the machine address book to obtain a cleartext FTP or SMB password.

Source: https://cve.mitre.org

Vulnerability Scoring Systems and Databases (Cont'd)

National Vulnerability Database (NVD)

- A U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP)
- These data enable the automation of vulnerability management, security measurement, and compliance
- The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics

[Figure: National Vulnerability Database entry showing quick info, impact, and CVSS severity and metrics]

Source: https://nvd.nist.gov

Common Weakness Enumeration (CWE)

- A category system for software vulnerabilities and weaknesses
- It is sponsored by the National Cybersecurity FFRDC, which is owned by The MITRE Corporation, with support from US-CERT and the National Cyber Security Division of the U.S. Department of Homeland Security
- It has over 600 categories of weaknesses, which enable CWE to be effectively employed by the community as a baseline for weakness identification, mitigation, and prevention efforts

[Figure: CWE List search page]

Source: https://cwe.mitre.org

Vulnerability Scoring Systems and Databases

Due to the growing severity of cyber-attacks, vulnerability research has become critical as it helps to mitigate the chance of attacks. Vulnerability research provides awareness of advanced techniques to identify flaws or loopholes in the software that can be exploited by attackers.
Vulnerability scoring systems and vulnerability databases are used by security analysts to rank information system vulnerabilities and to provide a composite score of the overall severity and risk associated with identified vulnerabilities. Vulnerability databases collect and maintain information about various vulnerabilities present in information systems.

Following are some of the vulnerability scoring systems and databases:

- Common Vulnerability Scoring System (CVSS)
- Common Vulnerabilities and Exposures (CVE)
- National Vulnerability Database (NVD)
- Common Weakness Enumeration (CWE)

Common Vulnerability Scoring System (CVSS)

Source: https://www.first.org, https://nvd.nist.gov

CVSS is a published standard that provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. The system's quantitative model ensures repeatable, accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the scores. Thus, CVSS is well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability impact scores. Two common uses of CVSS are prioritizing vulnerability remediation activities and calculating the severity of vulnerabilities discovered on one's systems. The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities.

CVSS helps capture the principal characteristics of a vulnerability and produce a numerical score to reflect its severity.
This numerical score can thereafter be translated into a qualitative representation (such as low, medium, high, or critical) to help organizations properly assess and prioritize their vulnerability management processes.

CVSS assessment consists of three metrics for measuring vulnerabilities:

- Base Metric: Represents the inherent qualities of a vulnerability.
- Temporal Metric: Represents the features that continue to change during the lifetime of the vulnerability.
- Environmental Metric: Represents vulnerabilities that are based on a particular environment or implementation.

Each metric sets a score from 1-10, with 10 being the most severe. The CVSS score is calculated and generated by a vector string, which represents the numerical score for each group in the form of a block of text. The CVSS calculator ranks the security vulnerabilities and provides the user with information on the overall severity and risk related to the vulnerability.

Severity    Base Score Range
None        0.0
Low         0.1-3.9
Medium      4.0-6.9
High        7.0-8.9
Critical    9.0-10.0

Table 8.1: CVSS v3.0 ratings

Severity    Base Score Range
Low         0.0-3.9
Medium      4.0-6.9
High        7.0-10

Table 8.2: CVSS v2.0 ratings

Common Vulnerability Scoring System Calculator Version 3, CVE-2017-0144

This page shows the components of the CVSS score for example and allows you to refine the CVSS base score. Please read the CVSS standards guide to fully understand how to score CVSS vulnerabilities and to interpret CVSS scores. The scores are computed in sequence such that the Base Score is used to calculate the Temporal Score and the Temporal Score is used to calculate the Environmental Score.
[Figure: calculator charts for Base Scores, Temporal, Environmental, and Overall, with the following values]

CVSS Base Score: 8.1
Impact Subscore: 5.9
Exploitability Subscore: 2.2
CVSS Temporal Score: NA
CVSS Environmental Score: NA
Modified Impact Subscore: NA
Overall CVSS Score: 8.1

CVSS v3 Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score Metrics (exploitability and impact): Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), User Interaction (UI), Scope (S), Confidentiality Impact (C), Integrity Impact (I), Availability Impact (A). All base metrics are required to generate a base score.

Figure 8.12: Common Vulnerability Scoring System Calculator Version 3
