Cyber Threat Management - Module 2: Network Security Testing PDF
Uploaded by BetterPlatinum, 2020
Summary
This Cisco document covers network security testing, including vulnerability scanners, different types of scans, and command-line diagnostic utilities. It details how security assessments are used for identifying potential threats and vulnerabilities.
Full Transcript
Module 2: Network Security Testing
Cyber Threat Management (CyberTM)

Module Objectives

Module Title: Network Security Testing
Module Objective: Use tools for network security testing.

Topic Title / Topic Objective
- Security Assessments: Use commands to gather network information and diagnose connectivity issues.
- Network Security Testing Techniques: Describe the techniques used in network security testing.
- Network Security Testing Tools: Describe the tools used in network security testing.
- Penetration Testing: Describe how an organization uses penetration testing to evaluate the security of a system.

© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

2.1 Security Assessments

Vulnerability Scanners

A vulnerability scanner assesses computers, computer systems, networks, or applications for weaknesses. Vulnerability scanners can help to automate security auditing by scanning the network for security risks and producing a prioritized list of vulnerabilities to address.

A vulnerability scanner looks for the following types of vulnerabilities:
- Use of default passwords or common passwords
- Missing patches
- Open ports
- Misconfigurations in operating systems and software
- Active IP addresses, including any unexpected devices connected

Vulnerability scanning is key to identifying vulnerabilities, misconfigurations, and a lack of security controls for organizations with networks that include segments, routers, firewalls, servers, and other devices. Commonly used vulnerability scanners on the market include Nessus, Retina, Core Impact and GFI LANguard.
Their functions include:
- Performing compliance auditing
- Supplying patches and updates
- Finding misconfigurations
- Supporting mobile and wireless devices
- Tracking malware
- Identifying sensitive data

Types of Scans

When evaluating a vulnerability scanner, look at how it is rated for accuracy, reliability, scalability, and reporting. You can choose a software-based or cloud-based vulnerability scanner. Vulnerability scanners fall into one of several categories:
- Network scanners probe hosts for open ports, enumerate information about users and groups, and look for known vulnerabilities on the network.
- Application scanners access application source code to test an application from the inside (they do not run the application).
- Web application scanners identify vulnerabilities in web applications.

Intrusive scans try to exploit vulnerabilities and may even crash the target, while a non-intrusive scan tries not to cause harm to the target. In a credentialed scan, usernames and passwords provide authorized access to a system, allowing the scanner to harvest more information. Non-credentialed scans are less invasive and give an outsider's point of view.

All types of scanners can mistakenly identify a vulnerability where none exists; this is known as a false positive. Failing to identify an existing vulnerability is a false negative. Credentialed scans return fewer false positives and fewer false negatives.

Command Line Diagnostic Utilities

There are a number of command line tools used to assess the security position of an organization such as @Apollo.
- ipconfig displays TCP/IP settings (IP address, subnet mask, default gateway, DNS, and MAC information); ifconfig is the Mac/Linux equivalent.
- ping tests network connectivity by sending an ICMP request to a host and determines whether a route is available to that host.
- arp provides a table that maps known MAC addresses to their associated IP addresses and is a fast way to find an end device's MAC address.
- tracert traces the route a packet takes to a destination and records the hops along the way, helping locate where a packet is getting hung up; traceroute is the Mac/Linux equivalent.
- nslookup queries a DNS server to help troubleshoot a DNS database; dig is the Mac/Linux equivalent.
- netstat displays all the ports that a computer is listening on and can determine active connections.
- nbtstat helps to troubleshoot NetBIOS name resolution problems in a Windows system.
- nmap is used in security auditing. It locates network hosts, detects operating systems, and identifies services.
- netcat gathers information from TCP and UDP network connections and can be used for port scanning, monitoring, banner grabbing and file copying.
- hping assembles and analyzes packets and is used for port scanning, path discovery, OS fingerprinting and firewall testing.

Security Automation

Let us now look at the automated approaches of Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR).

Security Information and Event Management (SIEM) systems use log collectors to aggregate log data from sources such as security devices, network devices, servers, and applications.
Logs can generate many events in a day, so SIEM systems help to reduce event volume by combining similar events, which reduces the event data load. A SIEM identifies deviations from the norm and then takes the appropriate action.

The goals of a SIEM system for security monitoring are:
- Identify internal and external threats
- Monitor activity and resource usage
- Conduct compliance reporting for audits
- Support incident response

When the SIEM system detects a potential issue, it might log additional information, generate an alert, and instruct other security controls to stop an activity's progress. Advanced SIEM systems include user and entity behavior analytics that look for patterns that rely on human sentiment to recognize a threat before it becomes a threat. The amount of data logged from critical systems is an important consideration when implementing a SIEM system, since you need to review the reports generated. SIEM systems are costly to purchase and maintain and are only cost-effective if the organization has millions of events generated in a day.

Security Orchestration, Automation and Response (SOAR) tools allow an organization to collect data about security threats from various sources and respond to low-level events without human intervention. SOAR has three important capabilities:
- Threat and vulnerability management
- Security incident response
- Security operations automation

An organization can integrate SOAR into its SIEM solution.

Packet Tracer - Use Diagnostic Commands

Get real-world, firsthand experience by downloading the Packet Tracer file on your own laptop or desktop computer and following the instructions.
In this Packet Tracer activity, you will meet the following objectives:
- Part 1: Gather End User Device Settings
- Part 2: Gather Information about Network Devices
- Part 3: Diagnose Connectivity Issues

2.2 Network Security Testing Techniques

Operations Security

Operations security is concerned with the day-to-day practices necessary to first deploy and later maintain a secure system. All networks are vulnerable to attack if the planning, implementation, operations, and maintenance of the network do not adhere to operational security practices.

Operations security starts with the planning and implementation process of a network. During these phases, the operations team analyzes designs, identifies risks and vulnerabilities, and makes the necessary adaptations. The actual operational tasks begin after the network is set up and include the continual maintenance of the environment. These activities enable the environment, systems, and applications to continue to run correctly and securely.

Some security testing techniques are manual, and others are highly automated. Regardless of the type of testing, the staff that sets up and conducts the security testing should have significant security and networking knowledge in these areas:
- Operating systems
- Basic programming
- Networking protocols, such as TCP/IP
- Network vulnerabilities and risk mitigation
- Device hardening
- Firewalls
- IPSs

Testing and Evaluating Network Security

The effectiveness of an operations security solution can be tested without waiting for a real threat to take place.
Network security testing makes this possible. Network security testing is performed on a network to ensure all security implementations are operating as expected. Typically, network security testing is conducted during the implementation and operational stages, after the system has been developed, installed, and integrated. Security testing provides insight into various administrative tasks, such as risk analysis and contingency planning. It is important to document the results of security testing and make them available for staff involved in other IT areas.

During the implementation stage, security testing is conducted on specific parts of the network. After a network is fully integrated and operational, a Security Test and Evaluation (ST&E) is performed. An ST&E is an examination of the protective measures that are placed on an operational network.

Objectives of ST&E include the following:
- Uncover design, implementation, and operational flaws that could lead to the violation of the security policy.
- Determine the adequacy of security mechanisms, assurances, and device properties to enforce the security policy.
- Assess the degree of consistency between the system documentation and its implementation.

Tests should be repeated periodically and whenever a change is made to the system. For security systems that protect critical information or protect hosts that are exposed to constant threat, security testing should be conducted more frequently.

Types of Network Tests

Threat actors use reconnaissance techniques to learn about networks as they search for vulnerabilities. Similarly, network testers use reconnaissance to find out what hackers can learn.
Active reconnaissance means directly interacting with network systems to gather information, using many of the tools that are used in penetration testing and vulnerability assessment. Passive reconnaissance means indirectly learning about the network and network users through searches of information sources that range from Facebook to leaked password details on the dark web. It frequently involves the use of open-source intelligence (OSINT) resources. Network security testing requires cybersecurity personnel to think like threat actors and discover vulnerabilities before the real threat actors can exploit them.

After a network is operational, you must assess its security status. Many security tests can be conducted to assess the operational status of the network:
- Penetration testing - Network penetration tests, or pen testing, simulate attacks from malicious sources. The goal is to determine the feasibility of an attack and the consequences if one were to occur. Some pen testing may involve accessing a client's premises and using social engineering skills to test their overall security posture.
- Network scanning - Includes software that can ping computers, scan for listening TCP ports, and display which types of resources are available on the network. Some scanning software can also detect usernames, groups, and shared resources. Network administrators can use this information to strengthen their networks.
- Vulnerability scanning - This includes software that can detect potential weaknesses in the tested systems. These weaknesses can include misconfiguration, blank or default passwords, or potential targets for DoS attacks. Some software allows administrators to attempt to crash the system through the identified vulnerability.
- Password cracking - This includes software that is used to test and detect weak passwords that should be changed. Password policies must include guidelines to prevent weak passwords.
- Log review - System administrators should review security logs to identify potential security threats. Filtering software that scans lengthy log files should be used to help discover abnormal activity to investigate.
- Integrity checkers - An integrity checking system detects and reports on changes in the system. Most of the monitoring is focused on the file system. However, some checking systems can report on login and logout activities.
- Virus detection - Virus or antimalware detection software should be used to identify and remove computer viruses and other malware.

Note: Other tests, including war-dialing and war-driving, are considered legacy, but should still be accounted for in network testing.

Applying Network Test Results

Network security testing results can be used in several ways:
- To define mitigation activities to address identified vulnerabilities
- As a benchmark to trace the progress of an organization in meeting security requirements
- To assess the implementation status of system security requirements
- To conduct cost and benefit analysis for improvements to network security
- To enhance other activities, such as risk assessments, certification and authorization (C&A), and performance improvement efforts
- As a reference point for corrective action

2.3 Network Security Testing Tools

Network Testing Tools

There are many tools available to assess the security of systems and networks.
Some of these tools are open source while others are commercial tools that require licensing. Software tools that can be used to perform network testing include:
- Nmap/Zenmap - This is used to discover computers and their services on a network, therefore creating a map of the network.
- SuperScan - This port scanning software is designed to detect open TCP and UDP ports, determine what services are running on those ports, and run queries such as whois, ping, traceroute, and hostname lookups.
- SIEM (Security Information Event Management) - This is a technology used in enterprise organizations to provide real-time reporting and long-term analysis of security events.
- GFI LANguard - This is a network and security scanner which detects vulnerabilities.
- Tripwire - This tool assesses and validates IT configurations against internal policies, compliance standards, and security best practices.
- Nessus - This is vulnerability scanning software, focusing on remote access, misconfigurations, and DoS against the TCP/IP stack.
- L0phtCrack - This is a password auditing and recovery application.
- Metasploit - This tool provides information about vulnerabilities and aids in penetration testing and IDS signature development.

Note: Network testing tools evolve at a rapid pace. The preceding list includes legacy tools, and its intent is to provide an awareness of the several types of tools available.

Nmap and Zenmap

Nmap is a commonly used, low-level scanner that is available to the public. It has an array of excellent features which can be used for network mapping and reconnaissance.
The basic functionality of Nmap allows the user to accomplish several tasks, as follows:
- Classic TCP and UDP port scanning - This searches for different services on one host.
- Classic TCP and UDP port sweeping - This searches for the same service on multiple hosts.
- Stealth TCP and UDP port scans and sweeps - This is like classic scans and sweeps, but harder to detect by the target host or IPS.
- Remote operating system identification - This is also known as OS fingerprinting.

Advanced features of Nmap include protocol scanning, known as Layer 3 port scanning. This feature identifies Layer 3 protocol support on a host. Examples of protocols that can be identified include GRE and OSPF. While Nmap can be used for security testing, it can also be used for malicious purposes. Nmap has an additional feature that allows it to use decoy hosts on the same LAN as the target host, to mask the source of the scan.

Nmap has no application layer features and runs on UNIX, Linux, Windows, and OS X. Both console and graphical versions are available. The Nmap program and Zenmap GUI can be downloaded from the internet.

SuperScan

SuperScan is a Microsoft Windows port scanning tool. It runs on most versions of Windows and requires administrator privileges.
SuperScan version 4 has a number of useful features:
- Adjustable scanning speed
- Support for unlimited IP ranges
- Improved host detection using multiple ICMP methods
- TCP SYN scanning
- UDP scanning (two methods)
- Simple HTML report generation
- Source port scanning
- Fast hostname resolution
- Extensive banner grabbing capabilities
- Massive built-in port list description database
- IP and port scan order randomization
- A selection of useful tools, such as ping, traceroute, and whois
- Extensive Windows host enumeration capability

Tools such as Nmap and SuperScan can provide effective penetration testing on a network and determine network vulnerabilities while helping to anticipate attack mechanisms. However, network testing cannot prepare a network administrator for every security problem.

SIEM

Security Information Event Management (SIEM) is a technology used in enterprise organizations to provide real-time reporting and long-term analysis of security events. SIEM evolved from two previously separate products: Security Information Management (SIM) and Security Event Management (SEM). SIEM can be implemented as software, integrated with Cisco Identity Services Engine (ISE), or as a managed service. SIEM combines the essential functions of SIM and SEM to provide:
- Correlation - Examines logs and events from disparate systems or applications, speeding detection of and reaction to security threats.
- Aggregation - Reduces the volume of event data by consolidating duplicate event records.
- Forensic analysis - The ability to search logs and event records from sources throughout the organization provides more complete information for forensic analysis.
- Retention - Reporting presents the correlated and aggregated event data in real-time monitoring and long-term summaries.

SIEM provides details on the source of suspicious activity, including:
- User information (name, authentication status, location, authorization group, quarantine status)
- Device information (manufacturer, model, OS version, MAC address, network connection method, location)
- Posture information (device compliance with corporate security policy, antivirus version, OS patches, compliance with mobile device management policy)

Using this information, network security engineers can quickly and accurately assess the significance of any security event and answer the critical questions:
- Who is associated with this event?
- Is it an important user with access to intellectual property or sensitive information?
- Is the user authorized to access that resource?
- Does the user have access to other sensitive resources?
- What kind of device is being used?
- Does this event represent a potential compliance issue?

2.4 Penetration Testing

Penetration Testing

Penetration testing, or pen testing, is a way of testing the areas of weakness in systems by using various malicious techniques. A penetration test simulates methods that an attacker would use to gain unauthorized access to a network and compromise the systems, and allows an organization to understand how well it would tolerate a real attack. It is important to note that pen testing is different from vulnerability testing, which only identifies potential problems.
Pen testing involves hacking a website, network, or server with an organization's permission to try to gain access to resources using various methods that real-life malicious hackers would use. One of the primary reasons why an organization would use pen testing is to find and fix vulnerabilities before the cybercriminals do. Penetration testing is a technique used in ethical hacking.

Black box testing is the least time consuming and the least expensive. When conducting black box testing, the specialist has no knowledge of the inner workings of the system and attempts to attack it from the viewpoint of a regular user.

Gray box testing is a combination of black box and white box testing. The specialist will have some limited knowledge about the system, so it is a partially known environment, which gives some advantage to these hacking attempts.

White box testing is the most time consuming and the most expensive because it is conducted by a specialist with knowledge of how the system works. It is therefore a known environment when they attempt to hack into it, emulating a malicious attack by an insider or by someone who has managed to gain such information beforehand, at the recon stage.

Penetration Phases

There are four phases that make up a penetration test.

Phase 1: Planning - Establishes the rules of engagement for conducting the test.

Phase 2: Discovery - Conducting reconnaissance on the target to gain information. This can include:
- Passive techniques, which do not require active engagement with the targeted system and are referred to as footprinting. For instance, you might look at the organization's website or other public sources for information.
- Active reconnaissance, such as port scanning, which requires active engagement with the target.

Phase 3: Attack - At this phase, you seek to gain access or penetrate the system using the information gathered in the previous phase. The tester tries to gain escalated privileges and perhaps delve deeper into the network through lateral movement. To move laterally through the network, the tester must pivot through multiple systems. The tester may try to install additional tools or plant a backdoor; this process is known as persistence. The tester will then clean up the system, removing any signs left behind.

Phase 4: Reporting - At this phase, the tester delivers to the organization detailed documentation that includes the vulnerabilities identified, actions taken and the results.

Exercise Types

Some organizations create competing teams to conduct penetration exercises that are longer than a penetration test. For instance, in such a scenario, there can be three or four teams:
- The red team is the adversary, trying to attack the system while remaining unnoticed.
- The members of the blue team are the defenders, and they try to thwart the efforts of the red team.
- The white team is a neutral team that defines the goals and rules and oversees the exercise. Members of the white team are less technical but possess knowledge about governance and compliance. The white team is the referee of this exercise.
- Sometimes, there is also a purple team, where members of the red and blue teams work together to identify vulnerabilities and explore ways to improve controls.

Packet Analyzer
Packet analyzers, or packet sniffers, intercept and log network traffic. They perform the following functions, either for legitimate purposes like troubleshooting or for illegitimate purposes such as compromising data:
- Network problem analysis
- Detection of network intrusion attempts
- Isolation of exploited systems
- Traffic logging
- Detection of network misuse

Protocol Analyzer Output

Sniffing is like eavesdropping on someone. It occurs when someone examines all network traffic as it passes through their NIC, independent of whether the traffic is addressed to them or not. Criminals accomplish network sniffing using software, hardware, or a combination of the two. The image shows how sniffing can view all network traffic or target a specific protocol, service, or even a string of characters such as a login or password. Some network sniffers observe all traffic and modify some or all of the traffic as well.

Physical security is important in preventing the introduction of sniffers to the internal network, but sniffing is not only used for malicious purposes. It is also used by network administrators, who can analyze network traffic, identify bandwidth issues, and troubleshoot other network issues using sniffers.

Lab - Use Wireshark to Compare Telnet and SSH Traffic

In this lab, you will meet the following objectives:
- Part 1: Use Wireshark to capture web browser traffic.
- Part 2: Use Wireshark to capture Telnet traffic.
- Part 3: Use Wireshark to capture SSH traffic.

2.5 Network Security Testing Summary

What Did I Learn in this Module?
Security Assessments: A vulnerability scanner assesses computers, computer systems, networks, or applications for weaknesses. Commonly used vulnerability scanners on the market include Nessus, Retina, Core Impact and GFI LANguard. Vulnerability scanners may be network scanners, application scanners or web application scanners. Intrusive scans try to exploit vulnerabilities and may even crash the target. In a credentialed scan, usernames and passwords provide authorized access to a system, allowing the scanner to harvest more information. Command line tools that can be used to assess vulnerability include ipconfig, ping, arp, tracert, nslookup, netstat, nbtstat, nmap, netcat, and hping. SIEM systems use log collectors to aggregate log data from sources such as security devices, network devices, servers, and applications. SOAR tools allow an organization to collect data about security threats from various sources and respond to low-level events without human intervention.

Network Security Testing Techniques: Operations security is concerned with the day-to-day practices necessary to first deploy and later maintain a secure system. Operations security starts with the planning and implementation process of a network. Typically, network security testing is conducted during the implementation and operational stages, after the system has been developed, installed, and integrated. It is performed on a network to ensure all security implementations are operating as expected. An ST&E is an examination of the protective measures that are placed on an operational network. Types of network tests include penetration, network scanning, vulnerability scanning, password cracking, log review, integrity checkers, and virus detection.
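The "integrity checkers" test type listed above (Tripwire in the tools list is the same idea: detect and report changes, mostly in the file system), shown as an added example that is not part of the Cisco module: a minimal file integrity checker that baselines SHA-256 digests, sizes and permission bits, then reports files that were added, removed or modified. The directory contents and the changes made to them are constructed inside a temporary folder for the demo.

```python
"""Minimal file integrity checker: build a baseline of file fingerprints,
then report files that were added, removed or modified since the baseline."""
import hashlib
import os
import tempfile
from pathlib import Path


def file_fingerprint(path):
    """SHA-256 digest, size and permission bits of one regular file."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777)}


def build_baseline(root):
    """Fingerprint every regular file under root, keyed by its relative path.
    A real deployment stores the baseline read-only, off the monitored host."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """Classify differences: added, removed, or modified. Modified entries list
    the attributes that changed, so a permission-only change is distinguished
    from new content."""
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "modified": {}}
    for name in sorted(set(baseline) & set(current)):
        changed = [k for k in baseline[name] if baseline[name][k] != current[name][k]]
        if changed:
            report["modified"][name] = changed
    return report


def demo():
    """Constructed scenario in a temporary directory: take a baseline, make
    three kinds of change, and return the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "login").write_bytes(b"\x7fELF-placeholder")
        os.chmod(root / "bin" / "login", 0o755)
        baseline = build_baseline(root)

        # Simulated changes an integrity checker should report:
        (root / "etc" / "passwd").write_text(          # content modified
            "root:x:0:0::/root:/bin/sh\nsvc:x:1001:1001::/home/svc:/bin/sh\n")
        os.chmod(root / "bin" / "login", 0o4755)       # setuid bit added, content unchanged
        (root / "etc" / "hosts").unlink()              # file removed
        (root / "etc" / "motd").write_text("hello\n")  # file added

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```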
Network Security Testing Tools: Software tools that can be used to perform network testing include Nmap/Zenmap, SuperScan, SIEM, GFI LANguard, Tripwire, Nessus, L0phtCrack, and Metasploit. Nmap provides classic TCP and UDP port scanning and sweeping, stealth TCP and UDP port scans and sweeps, and remote operating system identification. SuperScan is a Microsoft Windows port scanning tool. It runs on most versions of Windows and requires administrator privileges. SIEM provides correlation, aggregation, forensic analysis, and retention.

Penetration Testing: Penetration testing, or pen testing, is a way of testing the areas of weakness in systems by using various malicious techniques. A penetration test simulates methods that an attacker would use to gain unauthorized access to a network and compromise the systems, and allows an organization to understand how well it would tolerate a real attack. There are four phases that make up a penetration test: 1. Planning, 2. Discovery, 3. Attack, and 4. Reporting. Some organizations create competing teams to conduct penetration exercises that are longer than a penetration test. There is usually a red team (trying to attack the system) and a blue team (trying to defend the system). Packet analyzers, or packet sniffers, intercept and log network traffic. Sniffing is also used by network administrators, who can analyze network traffic, identify bandwidth issues, and troubleshoot other network issues using sniffers.
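The two SIEM functions summarized above (aggregation, which consolidates duplicate event records, and correlation, which joins events from disparate systems) together with the module's distinction between a port scan (many services on one host) and a port sweep (one service across many hosts), shown as an added example that is not part of the Cisco module: a toy SIEM stage over constructed firewall and sshd log lines. The log formats, host names and addresses are constructed for this example.

```python
"""Toy SIEM stage: aggregate duplicate firewall events, classify scan activity,
and correlate it with authentication events from the same source address."""
import re
from collections import Counter, defaultdict

# Constructed sample logs (addresses from RFC 5737 documentation ranges).
FIREWALL_LOG = """\
Mar 10 09:00:01 fw01 DENY TCP 198.51.100.7:40001 -> 10.0.0.5:21
Mar 10 09:00:01 fw01 DENY TCP 198.51.100.7:40002 -> 10.0.0.5:22
Mar 10 09:00:01 fw01 DENY TCP 198.51.100.7:40003 -> 10.0.0.5:23
Mar 10 09:00:02 fw01 DENY TCP 198.51.100.7:40004 -> 10.0.0.5:25
Mar 10 09:00:02 fw01 DENY TCP 198.51.100.7:40005 -> 10.0.0.5:80
Mar 10 09:00:02 fw01 DENY TCP 198.51.100.7:40006 -> 10.0.0.5:443
Mar 10 09:00:05 fw01 DENY TCP 203.0.113.9:51000 -> 10.0.0.5:22
Mar 10 09:00:05 fw01 DENY TCP 203.0.113.9:51001 -> 10.0.0.6:22
Mar 10 09:00:05 fw01 DENY TCP 203.0.113.9:51002 -> 10.0.0.7:22
Mar 10 09:00:05 fw01 DENY TCP 203.0.113.9:51003 -> 10.0.0.8:22
Mar 10 09:00:05 fw01 DENY TCP 203.0.113.9:51004 -> 10.0.0.9:22
Mar 10 09:00:30 fw01 DENY UDP 192.0.2.44:5353 -> 10.0.0.255:5353
Mar 10 09:00:30 fw01 DENY UDP 192.0.2.44:5353 -> 10.0.0.255:5353
Mar 10 09:00:31 fw01 DENY UDP 192.0.2.44:5353 -> 10.0.0.255:5353
"""
AUTH_LOG = """\
Mar 10 09:01:10 srv05 sshd[2201]: Failed password for admin from 198.51.100.7 port 40100 ssh2
Mar 10 09:01:12 srv05 sshd[2201]: Failed password for admin from 198.51.100.7 port 40101 ssh2
Mar 10 09:01:15 srv05 sshd[2203]: Accepted password for admin from 198.51.100.7 port 40102 ssh2
Mar 10 09:02:00 srv05 sshd[2210]: Accepted publickey for alice from 10.0.0.50 port 52000 ssh2
"""

TS = r"(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d)"
FW_RE = re.compile(TS + r" \S+ (?P<action>\w+) (?P<proto>TCP|UDP) "
                   r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
AUTH_RE = re.compile(TS + r" (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) "
                     r"\S+ for (?P<user>\S+) from (?P<src>[\d.]+)")


def parse(text, pattern):
    """One dict per line matching the pattern; lines the collector cannot parse are skipped."""
    return [m.groupdict() for m in map(pattern.match, text.splitlines()) if m]


def aggregate(events, fields=("action", "proto", "src", "dst", "dport")):
    """Aggregation: records that differ only in timestamp collapse into one counted record."""
    return Counter(tuple(e[f] for f in fields) for e in events)


def classify_scans(fw_events, threshold=5):
    """Port scan: one source probes many ports on one host.
    Port sweep: one source probes the same port on many hosts."""
    ports_per_host = defaultdict(set)   # (src, dst) -> {dport}
    hosts_per_port = defaultdict(set)   # (src, proto, dport) -> {dst}
    for e in fw_events:
        ports_per_host[(e["src"], e["dst"])].add(e["dport"])
        hosts_per_port[(e["src"], e["proto"], e["dport"])].add(e["dst"])
    verdicts = {}
    for (src, dst), ports in ports_per_host.items():
        if len(ports) >= threshold:
            verdicts[src] = f"port scan of {dst} ({len(ports)} ports)"
    for (src, proto, dport), hosts in hosts_per_port.items():
        if len(hosts) >= threshold:
            verdicts[src] = f"port sweep on {proto}/{dport} ({len(hosts)} hosts)"
    return verdicts


def correlate(fw_events, auth_events, threshold=5):
    """Correlation across sources: a source the firewall flagged as scanning that
    later authenticates successfully on a server deserves an analyst's attention."""
    scans = classify_scans(fw_events, threshold)
    return [f"{a['src']}: {scans[a['src']]}, then accepted login as {a['user']} "
            f"on {a['host']} at {a['ts']}"
            for a in auth_events if a["result"] == "Accepted" and a["src"] in scans]


def run():
    fw, auth = parse(FIREWALL_LOG, FW_RE), parse(AUTH_LOG, AUTH_RE)
    return {"raw_events": len(fw), "aggregated_records": len(aggregate(fw)),
            "scans": classify_scans(fw), "alerts": correlate(fw, auth)}


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value}")
```

The three identical UDP denies collapse into one aggregated record with a count of 3, while the two TCP sources are kept apart as a scan and a sweep; only the scanning source that later logs in produces a correlated alert.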