
CySA+ (CS0-003)

Lesson 5
Implementing Vulnerability Scanning Methods

Copyright © 2023 CompTIA, Inc. All Rights Reserved. | CompTIA.org


1
Objectives
• Understand industry regulations.
• Explore vulnerability scanning concepts.
• Review security baselines.
• Understand special scanning considerations.
• Review operational technology.

2
Lesson 5

Topic 5A
Explaining Compliance Requirements



3
Explore Industry Standard Publishers
• National Institute of Standards and Technology (NIST)
  • Nonregulatory agency in the United States
  • Establishes standards and best practices across science and technology fields
• International Organization for Standardization (ISO)
  • An independent, non-governmental international organization of 168 national standards bodies
  • Has developed almost 25,000 International Standards
  • ISO 27k cybersecurity framework

4
Explain Regulations and Standards
• Using legal contracts to require standards compliance
  • Enforce compliance with external standards
• Center for Internet Security (CIS) Benchmarks
  • A set of security configuration best practices developed by a consensus community of experts
• Open Web Application Security Project (OWASP)
  • A nonprofit foundation
  • Their goal: improve the security of web applications and services
  • "OWASP Top 10"

5
Explain Regulations and Standards cont.
• Payment Card Industry Data Security Standard (PCI DSS)
  • Global use
  • Established and maintained by a consortium of payment card companies
  • Controls designed to prevent fraud and protect credit/debit card data
  • https://www.pcisecuritystandards.org/document_library

6
Explain Regulations and Standards cont.
• Capability Maturity Model Integration (CMMI)
  • Five levels of maturity within operational or software capabilities
    1. Initial
    2. Managed
    3. Defined
    4. Quantitatively Managed
    5. Optimizing

7
Explaining Compliance Requirements cont.
• Cloud Security Alliance (CSA) STAR Certification
  • Security, Trust & Assurance Registry (STAR)
  • Publicly available
  • Describes cloud providers
  • Includes CSA STAR assessment details
  • Measures the security/privacy controls of a cloud service provider against the CSA Cloud Controls Matrix (CCM)

8
Important Privacy Regulations
• Children's Online Privacy Protection Act (COPPA)
  • A U.S. federal law that applies to children under age 13
  • Applies inside and outside of the United States
• General Data Protection Regulation (GDPR)
  • Enforces rules for organizations that offer services to, or collect information about, entities in the European Union (EU)
  • Applies inside and outside of the European Union
  • Dictates how and where data can be stored
  • "The world's toughest privacy laws"

9
Open Web Application Security Project (OWASP)
• Their mission: raise awareness of the risks of building insecure software
• Provides free web application security tools, training, and other materials
• Helps organizations identify and fix application security vulnerabilities

10
Open Web Application Security Project (OWASP) cont.
• Most common web application vulnerabilities
• Cross-site scripting (XSS)
• SQL injection
• Path traversal
• Broken authentication and authorization
• Insecure direct object references (IDOR)

11
Open Web Application Security Project (OWASP) cont.
• The OWASP Top 10
  1. Broken Access Control
  2. Cryptographic Failures
  3. Injection
  4. Insecure Design
  5. Security Misconfiguration
  6. Vulnerable and Outdated Components
  7. Identification and Authentication Failures
  8. Software and Data Integrity Failures
  9. Security Logging and Monitoring Failures
  10. Server-Side Request Forgery
  (Image courtesy of OWASP Foundation, Inc.)
  https://owasp.org/Top10/

12
Center for Internet Security (CIS) Benchmarks
• Continually updated
• Based on industry research and feedback
• A robust set of best practices
  • Secure configuration of IT systems
  • Secure configuration of applications
• Increase security
• Reduce vulnerabilities
• Improve system performance
(Image courtesy of CIS Benchmarks™)
13
Payment Card Industry Data Security Standard (PCI DSS)
• Security measures for businesses that accept credit and debit cards
• 12 main requirements (1-6):
  1. Install and maintain a firewall.
  2. Do not use vendor-supplied defaults.
  3. Protect all systems against malicious code.
  4. Use and regularly update antivirus software.
  5. Develop and maintain a secure web application and data transmission.
  6. Protect all systems against loss and unauthorized access.

14
Payment Card Industry Data Security Standard (PCI DSS) cont.
• 12 main requirements (7-12):
  7. Regularly monitor and test networks.
  8. Track and monitor all system components.
  9. Employ strong password management.
  10. Regularly review and assess the PCI DSS compliance status.
  11. Maintain a PCI compliance policy.
  12. Maintain a PCI compliance program with written management authorization.

15
Payment Card Industry Data Security Standard (PCI DSS) cont.
• Organizations must be audited regularly
  • Lower-risk organizations: once per year
  • High-risk organizations: once per quarter
• Compliance is measured on a continuum of implementation
• PCI Attestation of Compliance (AoC)
  • Demonstrates an organization's compliance with PCI DSS requirements
  • AoC should be completed by a:
    • Qualified Security Assessor (QSA)
    • Merchant (such as a bank) responsible for processing transactions

16
Review Activity: Compliance Requirements
1. This nonprofit organization is focused on improving the security of
software and publishes a popular top 10 web application security
risks.
2. True or False. ModSecurity is a tool developed by the Center for
Internet Security.
3. What is the name of the document designed to demonstrate an
organization’s compliance with PCI DSS requirements?
4. These best practices are maintained by a group of public and private
sector security experts working with organizations to improve their
information systems security.
17
Lesson 5

Topic 5B
Understanding Vulnerability Scanning
Methods



18
Explain Assessment Scope Considerations
• External Scans
• View of devices and services from the "outside"
• Unauthenticated access and visibility
• Urgent patching priority

19
Explain Assessment Scope Considerations cont.
• Internal Scans
  • "Inside" or authenticated access level
  • Internal remediation is more methodical, allowing
    • Careful testing and evaluation of patches and workarounds
    • Scheduling patches to minimize business disruption as appropriate
  • Actively exploited, high-severity vulnerabilities override normal patch processes

20
Vulnerability Scanning Devices
• Network hosts
  • Clients and servers
• Intermediate systems
  • Routers
  • Switches
  • Access points
  • Firewalls

21
Vulnerability Scanning Attributes
• Patch level
• Security configuration and policies
• Network shares
• Unused accounts
• Weak passwords
• Rogue devices
• Antivirus configuration
• Many other attributes
22
Vulnerability Scanning Attributes cont.
• All vulnerability scanners can:
  • Collect information from devices with or without credentials that allow the scanner to authenticate to the device
  • Both noncredentialed and credentialed scans have advantages
• Noncredentialed scans
  • Simple to implement
  • Low impact on the device
  • Provide insight regarding vulnerabilities discoverable to non-authenticated users
23
Vulnerability Scanning Attributes cont.
• Credentialed scans
  • Most effective when the scanner's credentials have privileged access
  • Comprehensive evaluation of devices
    • Installed software
    • File system
    • Configuration data
    • User accounts
    • Many other attributes

24
Vulnerability Scanning Attributes cont.
• Credentialed scans
  • Scanner credentials can be abused, or potentially exposed and stolen
  • Overwhelming amount of data in the initial phases of a vulnerability scanning program
  • Don't use root, Domain Administrator, or Administrator accounts
  • Use purpose-specific, carefully provisioned credentials with only the necessary access

25
Vulnerability Scanning
• Agentless scans
  • Simplest to implement
  • Collect information from endpoints using
    • SSH
    • WMI
    • SNMP
  • Some organizations prohibit WMI and SNMP by policy
  • Network firewalls can block the communication

26
Vulnerability Scanning cont.
• Agent-based scans
  • Require the installation of special-purpose software on endpoints
    • Time and effort to test, deploy, and maintain
    • Adds a new attack vector
    • Additional software to track and patch
  • Agents collect information and pass it to the vulnerability scanner
    • Improved vulnerability and host configuration data
    • Less processing overhead on the vulnerability scanner server
    • Simplified communication across network firewalls

27
Active Vulnerability Scanning
• Directly interacting with a device or software
• General-purpose vulnerability scanners
  • Nessus
  • OpenVAS
  • Qualys
• Enumerating services
  • Banner grabbing
  • Content enumeration
• Web application scanners
  • Burp Suite
  • OWASP ZAP
28
Passive Vulnerability Scanning
• Passive scanning describes identifying vulnerabilities without direct interaction
  • Network packet capture can reveal
    • Insecure protocols
    • Cleartext credentials
    • Inadequate encryption methods
    • DNS query data
    • Other similar issues

29
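The passive approach above, as an added example that is not part of the CompTIA deck: it inspects a captured traffic summary and flags insecure protocols, cleartext credentials and weak TLS versions without ever sending a packet. The capture records are constructed for the example (a simplified, tab-separated imitation of a tshark field export), and the port and pattern lists are assumptions.

```python
import re

# Constructed packet-capture summary (tab-separated: time, src, dst, dst_port,
# protocol, payload excerpt). It imitates a tshark field export but is made up.
CAPTURE = """\
10:00:01\t10.0.0.5\t10.0.0.9\t23\tTELNET\tlogin: admin
10:00:02\t10.0.0.5\t10.0.0.12\t21\tFTP\tUSER backup
10:00:02\t10.0.0.5\t10.0.0.12\t21\tFTP\tPASS hunter2
10:00:03\t10.0.0.7\t10.0.0.20\t80\tHTTP\tGET /admin HTTP/1.1 Authorization: Basic YWRtaW46c2VjcmV0
10:00:04\t10.0.0.8\t10.0.0.21\t443\tTLS\tClientHello TLSv1.0
10:00:05\t10.0.0.8\t10.0.0.22\t443\tTLS\tClientHello TLSv1.3
"""

# Ports whose protocols carry data (and logins) in cleartext.
INSECURE_PORTS = {21: "FTP (cleartext)", 23: "Telnet (cleartext)", 80: "HTTP (cleartext)"}
# Protocol versions that no longer count as adequate encryption.
WEAK_TLS = re.compile(r"\b(SSLv[23]|TLSv1\.[01])\b")
# Payload patterns that mean a credential crossed the wire unprotected.
CRED_PATTERNS = [
    (re.compile(r"^PASS\s+\S+"), "FTP password in cleartext"),
    (re.compile(r"Authorization:\s*Basic\s+\S+"), "HTTP Basic credentials in cleartext"),
]

def analyze_capture(text):
    """Inspect captured traffic only; never send a packet. Returns a sorted list
    of unique (host, issue) findings: the server for protocol/encryption issues,
    the client for leaked credentials."""
    findings = set()
    for line in text.splitlines():
        _ts, src, dst, port, _proto, payload = line.split("\t", 5)
        port = int(port)
        if port in INSECURE_PORTS:
            findings.add((dst, f"insecure protocol: {INSECURE_PORTS[port]}"))
        for pattern, label in CRED_PATTERNS:
            if pattern.search(payload):
                findings.add((src, label))
        weak = WEAK_TLS.search(payload)
        if weak:
            findings.add((dst, f"inadequate encryption: {weak.group(1)} offered"))
    return sorted(findings)
```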
Vulnerability Scanning cont.
• Criticality Ranking
  • A vulnerability scan provides lots of information
  • Rankings of items
    • Based on a standardized scoring mechanism
    • Help prioritize remediation efforts
  • Ranking and prioritization warrant careful analysis
    • Some items ranked as informational or low priority may be highly concerning within the context of the environment

30
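The point that a low-ranked item can still be the most concerning one in context, as an added example that is not part of the CompTIA deck: scanner findings are re-ranked using asset criticality and exposure. The findings, the criticality tiers and the weighting scheme are all constructed assumptions (the weights are illustrative, not a CVSS environmental formula).

```python
# Constructed scanner findings: "base" is the scanner's CVSS-style severity
# (0-10) and "exposure" says whether an external scan could reach the service.
FINDINGS = [
    {"host": "web01",  "title": "TLS 1.0 enabled",  "base": 2.0, "exposure": "external"},
    {"host": "hr-db",  "title": "SMBv1 enabled",    "base": 0.0, "exposure": "internal"},
    {"host": "kiosk7", "title": "Outdated browser", "base": 7.0, "exposure": "internal"},
]

# Assumed asset criticality from the asset inventory: 1 = low, 2 = medium, 3 = crown jewel.
ASSET_CRITICALITY = {"web01": 2, "hr-db": 3, "kiosk7": 1}

# Illustrative weights (not a CVSS environmental metric): a floor so that
# "informational" items on critical assets cannot vanish from the queue,
# a boost for externally reachable services, and a criticality multiplier.
SCORE_FLOOR = {1: 0.0, 2: 3.0, 3: 5.0}
CRITICALITY_WEIGHT = {1: 0.8, 2: 1.0, 3: 1.2}
EXTERNAL_BOOST = 1.5

def contextual_score(finding, criticality):
    """Adjust the scanner's base score with environmental context; returns 0-10."""
    score = max(finding["base"], SCORE_FLOOR[criticality])
    if finding["exposure"] == "external":
        score *= EXTERNAL_BOOST
    score *= CRITICALITY_WEIGHT[criticality]
    return round(min(score, 10.0), 1)

def prioritize(findings, criticality_map):
    """Return findings with their contextual score, highest first. Hosts missing
    from the inventory are treated as low criticality, which is itself an
    inventory gap worth fixing."""
    ranked = []
    for finding in findings:
        criticality = criticality_map.get(finding["host"], 1)
        ranked.append({**finding, "criticality": criticality,
                       "contextual": contextual_score(finding, criticality)})
    return sorted(ranked, key=lambda r: r["contextual"], reverse=True)
```

With these inputs the "informational" SMBv1 finding on the HR database outranks the 7.0-rated browser finding on a kiosk.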
Understanding Vulnerability Scanning Methods
• Mapping/Enumeration and Scope
  • Range of hosts or subnets included within a single scan job
    • Single IP address or range of IP addresses
    • All software or targeted software packages and services

31
Understanding Vulnerability Scanning Methods cont.
• Benefits and considerations
  • Reduce the performance impact
  • Easier to analyze results
  • Used to identify specific issues or meet a specific compliance goal
  • Asset criticality affects scanning scope
    • Critical assets scheduled more often

32
Compliance Scans and Regulatory Requirements
• Identify a security framework or checklist of the controls and configuration settings that must be in place
• SIEMs and vulnerability scanners can be programmed with compliance templates
• Regulatory requirements may dictate scanning frequency

33
Understand Vulnerability Analysis Methods
• Map/Discovery Scan
  • Identify devices connected to a network or network segment
• Device Fingerprinting
  • Specifically identify details about an individual device

34
Understand Vulnerability Analysis Methods cont.
• Static Analysis
  • Manual inspection of source code
  • Specialty applications or add-ons to development tools
  • Identify well-known coding/method/library problems

35
Understand Vulnerability Analysis Methods cont.
• Dynamic Analysis
  • Evaluation of a system or software while it is running
  • Manual and automated interactions with running software and services

36
Fuzzing
• Specialty software tools
• Purposely inputting or injecting malformed data
• A fuzzer tool automatically generates and injects data
  • Different number formats,
  • Character types,
  • Text values, and/or
  • Binary values
  • Sequences and values known to be problematic
• https://owasp.org/www-community/Fuzzing
37
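A generation-based fuzzer of the kind described above, as an added example that is neither the CompTIA deck's nor OWASP's code: it feeds number formats, character classes and a known-problematic list into a small parser and records which inputs crash it. The parser under test (`parse_port_spec`), its service table and the input lists are constructed for the example, and the parser is deliberately fragile so there is something to find.

```python
import random

SERVICE_NAMES = {22: "ssh", 80: "http", 443: "https"}   # constructed lookup table

def parse_port_spec(spec):
    """Constructed target under test: parse 'host:port'. Deliberately fragile."""
    parts = spec.split(":")
    port = int(parts[1])                        # IndexError when ':' is absent
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")   # the documented rejection path
    return parts[0], port, SERVICE_NAMES[port]  # KeyError for any unmapped port

# Sequences and values known to be problematic: empty input, delimiter abuse,
# boundary numbers, alternative number formats, whitespace, NUL, overlong
# digit strings, full-width Unicode digits and a bidi override character.
KNOWN_BAD = ["", "host", ":", "::", "a:b:c", "host:", "host:0", "host:65536",
             "host:-1", "host:0x50", "host:1e3", "host: 80", "host:80\x00",
             "host:" + "9" * 40, "host:8080", "host:\uff18\uff10", "\u202ehost:80"]

def generate_cases(seed, count):
    """Known-bad list plus seeded random host/port combinations that mix number
    formats and character classes; a run is reproducible from its seed."""
    rng = random.Random(seed)
    alphabets = ["0123456789", "abcXYZ", "!@#$%^&*()", "\t\n\r ", "\u00ff\u0100\ufffd"]
    cases = list(KNOWN_BAD)
    for _ in range(count):
        host = "".join(rng.choice(rng.choice(alphabets)) for _ in range(rng.randint(0, 8)))
        port = rng.choice([str(rng.randint(-5, 70000)), hex(rng.randint(0, 99999)),
                           f"{rng.random():.3e}", str(rng.randint(0, 9)) * rng.randint(1, 25)])
        cases.append(f"{host}:{port}")
    return cases

def fuzz(target, cases):
    """Run every case and collect unexpected exceptions as {type_name: [inputs]}.
    ValueError is the parser's intended way to reject bad input, so it is not a crash."""
    crashes = {}
    for case in cases:
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:                # anything else is a bug to triage
            crashes.setdefault(type(exc).__name__, []).append(case)
    return crashes
```

Note that some known-bad inputs (full-width digits, the bidi override) are accepted silently rather than crashing; a fuzzer only surfaces what the harness checks, so the harness should also compare outputs, not just catch exceptions.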
Reverse Engineering
• Deconstructing software and hardware to determine how it is crafted
  • Extract source code,
  • Identify software methods and languages used,
  • Developer comments,
  • Variable names and types,
  • System and web calls, and
  • Many other elements.
• Adversaries can reverse engineer software patches too!

38
Explain Device Hardening Options
• Putting an operating system or application in a secure configuration
• Reduce the attack surface
  • Intended use
  • Restrict system access and capabilities
  • Balance against access requirements and usability tests
• Best-practice frameworks
  • DoD Security Technical Implementation Guides (STIGs)
  • CIS Benchmarks
39
Understand Configuration Baselines
• Outlines the minimum set of requirements
• May be based on a framework
• Represents a "measuring stick" for security analysts
  • Determine if an endpoint is configured correctly

40
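Using a baseline as a "measuring stick" against an endpoint's actual configuration, as an added example that is not part of the CompTIA deck; it also shows the kind of check a compliance template automates. The baseline values and the endpoint's sshd_config are constructed for the example (the requirements resemble hardening-guide settings but are not quoted from a CIS Benchmark or STIG); the sshd defaults are OpenSSH's documented ones, assumed not to be overridden by the distribution.

```python
# Constructed baseline: keyword -> (required value, value sshd applies when the
# keyword is absent). Keywords are stored lower-case because sshd ignores case.
BASELINE = {
    "permitrootlogin":        ("no", "prohibit-password"),
    "passwordauthentication": ("no", "yes"),
    "x11forwarding":          ("no", "no"),
    "maxauthtries":           ("4",  "6"),
    "permitemptypasswords":   ("no", "no"),
}

# Constructed endpoint configuration as collected by a credentialed scan or agent.
SAMPLE_SSHD_CONFIG = """\
# sshd_config on host build01 (constructed sample)
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
MaxAuthTries 6
"""

def parse_sshd_config(text):
    """Minimal sshd_config reader: keywords are case-insensitive, '#' lines are
    comments, and the FIRST occurrence of a keyword wins (sshd ignores later
    duplicates). 'Match' blocks and 'Key=value' syntax are not handled here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(parts[0].lower(), value)   # first occurrence wins
    return settings

def check_baseline(config_text, baseline=BASELINE):
    """Compare effective settings with the baseline. Returns {keyword: (required,
    effective)} for every deviation; an absent keyword is judged by sshd's
    default, because a commented-out line provides no protection."""
    effective = parse_sshd_config(config_text)
    deviations = {}
    for key, (required, default) in baseline.items():
        actual = effective.get(key, default)
        if actual.lower() != required.lower():
            deviations[key] = (required, actual)
    return deviations
```

A parser that let the last duplicate win would wrongly report MaxAuthTries as 6 here; matching sshd's own first-wins rule is what keeps the measurement honest.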
Review Activity: Vulnerability Scanning Methods
1. What type of scanning describes indirect methods of assessment,
such as inspecting traffic flows and protocols?
2. ______________________________ describes the effort taken
to more specifically identify details about a device.
3. A configuration _____________________________ details the
recommended settings for services and policy configuration for a
device or software operating in a specific role.

41
Lab Activity
• Assisted Lab: Performing Asset Discovery
• Assisted Lab: Performing Passive Scanning

42
Lesson 5

Topic 5C
Exploring Special Considerations in
Vulnerability Scanning



43
Explore Special Considerations for Scanning
• Performance Considerations
  • Identification of operating system
  • Scanning interval
  • Automated scans (convenience)
  • Scan speed

44
Explore Special Considerations for Scanning cont.
• Performance Considerations cont.
  • Vulnerability database
  • Scanning type
  • Authentication
  • False positives

45
Explain Different Types of Industrial Computer Systems
• Critically important computing infrastructure
• Not scannable using traditional methods
• Contain exploitable vulnerabilities
• Require special care and consideration
  • Strict segmentation or isolation
  • Physical security control
  • Configuration management
  • Integrity/change monitoring
(Image © 123RF.com.)
46
Different Types of Industrial Computer Systems cont.
• Operational Technology (OT)
  • Industrial Control Systems (ICSs)
    • Supervisory Control and Data Acquisition (SCADA)
    • Programmable Logic Controller (PLC)

47
Review Activity: Special Considerations in Vulnerability Scanning
1. True or False. Vulnerability scanning can be performed at any time
because it is a tool used to locate and resolve security issues.
2. ______________________ ____________
_________________________ are used in industrial settings and are a
form of digital computer designed to enable automation in assembly
lines.
3. _______________________ _________________________ is the
hardware and software technologies used to manage physical devices,
processes, and events within an organization.

48
Lab Activity
• Assisted Lab: Performing Vulnerability Scanning

49
CySA+ (CS0-003)

Lesson 5
Summary

50