By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Objective: Given a scenario, implement measures to meet security requirements. The focus of this guide is to ensure you are aware of tools and features to best ensure that you are implementing measures to meet security requirements. The first section focuses on vulnerabilities and the tools and techniques to find and resolve these vulnerabilities. This guide will also describe security patches, including hot fixes, virtual patches, signature updates, and rollups. Lastly, you will learn about different topics such as handling default accounts to understanding the impact that security tools have on systems and services. Topics: - Tools - Vulnerability Assessment - Security Patches - Risk Register - Prioritization of Patch Applications - Deactivate Default Accounts - Impacts of Security Tools on Systems and Services 1. The nmap utility is a ____ scanner. 2. A scan for default user accounts is called a _____ scan. 3. An _____-based scan is one that is run from an application that is installed locally on a resource. 4. A virtual patch is a type of _____ patch. Answers: 1. Port 2. Credential 3. Agent 4. Hot fix Tools This section focuses on different categories of scanning tools that you may use in your cloud infrastructure. Specifically, you will learn about vulnerability scanners and port scanners. Vulnerability Scanners Vulnerability scanners are tools that can automatically scan resources within your cloud infrastructure looking for possible vulnerabilities. These scanners use known exploits to test the cloud resources for these weaknesses and generate reports. The most well-known types of vulnerability scanners are related to the Open Web Application Security Project (OWASP), an organization that supports the development of tools and procedures that are designed to improve the security of software. Additional vulnerability scanners are covered, including default and common credential scans, credentialed scans, network-based scans, and agent-based scans. Port Scanners A port scanner is a tool that probes network ports on a system to determine which logical ports are open. In this case, “open” means that the system will respond to a communication attempt on the port. Attackers use port scanners to find possible ways to infiltrate a system. Because you are responsible for the security of a cloud environment, you should use port scanners to ensure that the logical ports on virtual machines (VMs) and other services are not open unless they are meant to be open. One of the most popular port scanning tools is called nmap. It can be configured to scan for a variety of ports via different protocols, such as TCP, IP, and ICMP. Note that, legally, port scanning can be considered as an attack by itself. Be sure you have the rights to scan the ports of a system before using a port scanning tool. Vulnerability Assessment The goal of using vulnerability scanners is to generate a vulnerability assessment. This report is a review of the potential weaknesses of a system. The assessment consists of four phases: - Identification: During this phase, you use vulnerability scanners. - Analysis: Using the data gathered from the vulnerability scanners, in this phase you determine the root cause of the weaknesses. - Risk assessment: Using a ranking score, in this phase you determine which vulnerabilities are the most severe and develop a plan to address these vulnerabilities. - Remediation: In this phase, you implement the plan. The rest of this section provides details about specific types of vulnerability scans. Default and Common Credential Scans The concept of a credential scan (not to be confused with a credentialed scan, discussed next) is to scan for common user accounts. For example, the most common user account on a Linux-based system is the root user account because it exists on Linux systems by default (it also provides the highest privileged access to the system). Attackers will use brute-force scans to determine which user accounts exist. This technique works because many authentication tools provide a different error message to indicate when an account doesn’t exist versus when an incorrect password is provided during an attempted login. After determining that a system has an account with a specific name, the attacker attempts a second attack to guess the account password. Note that default accounts are the ones that exist by default on a system, like the root user account on Linux systems or the Administrator account on Microsoft Windows systems. Common accounts are not on the system by default but are commonly created accounts, like those with simple usernames like bob, sue, and ted. Credentialed Scans A credentialed scan is different from a credential scan, even though they look similar in name. In a credentialed scan, vulnerability scanning tools are used by an account that is actually logged in to the system (or sometimes network) being scanned. For example, if you were trying to find vulnerabilities on your own cloud resource, you could run a scan from a remote system, or you could log in to the resource using a credential (user account) that you have access to. The results of a credentialed scan indicate what would be vulnerable if an attacker were able to gain access to the system (successfully attack a user account). Network-Based Scans The purpose of a network-based scan is to scan the network itself looking for vulnerabilities in the network across devices or platforms. Agent-Based Scans An agent-based scan is executed from an application that is installed locally on a PC. It is often compared to a credentialed scan, but an agent-based scan doesn’t use a credentialed account; instead, it runs as a system application. It also is typically run with administrative privileges, so it may have the capability to run deeper scans than a credentialed scan. Lastly, it is often scheduled to run periodically, whereas typically a credentialed scan is started manually by a user. Service Availabilities Scans A service availabilities scan is used to determine whether a specific service (web server, database server, mail server, and so on) is available. It may be run within the cloud infrastructure or from outside the cloud infrastructure, depending on whether the service being scanned should be available within the cloud or from outside the cloud. Security Patches A security patch is a specific type of software update that is designed to address a vulnerability. Software updates are normally scheduled in advance; for example, an update for a particular software program may come out every three months. When a vulnerability is made known to the software vendor, the announcement is often not near the date of a regular software update. Even if it were near a regularly scheduled update, the steps to implement the vulnerability fix in the new release might pose a logistical challenge because the update has new changes to the software. A patch is used instead to create a temporary fix to the problem. Patches will be released as needed, often without advance warning. You can keep up with patches by either subscribing to the software vendor’s notification system or viewing Common Vulnerabilities and Exposures (CVE) notices on https://cve.mitre.org/. Hot Fixes When you see the term hot fix, think quick fix. A hot fix isn’t intended to be a long-term solution, but rather something to fix the problem while the software vendor works on a more robust and permanent fix. A virtual patch (see the “Virtual Patches” section) is an example of a hot fix. Scheduled Updates As mentioned previously, a scheduled update isn’t a patch, but it may contain code that addresses vulnerabilities like a patch does. Most likely the vulnerabilities have been addressed via previous patches, but occasionally a new vulnerability is fixed with a scheduled update. Virtual Patches Virtual patches don’t really address a vulnerability directly but make use of another tool like a web application firewall (WAF) to provide a short-term fix to the problem. With a virtual patch, a small application is attached to the software with the goal of blocking access that the vulnerability is currently allowing. Signature Updates Signature update is a term associated with antivirus software. A virus signature is much like a fingerprint of the virus. Antivirus programs use this signature to determine whether a virus has infected a system. Ensuring the antivirus signatures are up to date on a system is a very high priority. Rollups A rollup is a collection of hot fixes. In some cases, the rollup might contain more than just security updates, but the main focus is to address a collection of security or critical issues with a single update. Risk Register A risk register is a document that security professionals and project managers use as part of risk management. It should enable the viewer of the document to determine the impact of a risk versus the probability that the risk activity might take place. Risk registers are often tied to some sort of regulatory compliance and are often requested during a compliance audit. A risk register is often stored in a spreadsheet, but it can also be displayed as a scatterplot graphic. Prioritization of Patch Applications The prioritization of patch applications is determining what patches should be installed first. This process is often strongly associated with the organization’s risk register. Deactivate Default Accounts As mentioned in the “Default and Common Credential Scans” section, default accounts are often subject to attacking attempts. As a result, deactivating these default accounts is a good practice. In some cases, deactivating might not be possible because the default account may be tightly entwined with the operating system or some software packages. In those cases, you should lock down the account as tightly as possible. Here’s an example of locking a default account: the root account on Linux systems is provided administrative rights because it has a user ID (UID) of 0. Any other account with a UID of 0 is also granted administrative rights. So, you can deactivate the root account (lock out the password and change the login shell to /dev/null) after you create another account with a UID of 0 (use an unusual name that isn’t easy to guess, like zen0270). Note that this approach is only partially effective because anyone who is able to access the system with another user account is able to see that there is an alternative administrative account, but this technique makes external attacking attempts more difficult. Impacts of Security Tools on Systems and Services Installing and using security tools may seem like a no-brainer, but they do come with a potential cost. One of the biggest concerns is that an attacker may gain access to your system using a regular user account and then launch the security tools to find vulnerabilities in your environment. Security tools might also have an impact on the performance of a resource. For example, an exhaustive port scan may lead to network connectivity issues on systems within the network, and some of these are production systems. Security tools may also provide a false sense of…well, security. The idea is “we have these great tools that keep us safe, so we aren’t at any risk.” Security tools are only part of an effective security policy and should not be relied on as the complete security policy. Lastly, some security tools are proactive, meaning that they have potential to automatically lock down a system or service if a vulnerability is detected—for example, Internet Protocol Security (IPS) or next-generation firewalls (NGFWs). On one hand, this is a good thing because it can limit the exposure of a system. On the other hand, this could end up making a system or service unavailable, which could have a bigger negative impact than if the vulnerability were just reported and handled manually (especially in cases of false positives). Quiz: 1. Which of the following is not considered a vulnerability scan type? A.Credentialed B.Network-based C.Agent-based D.Inactive 2. What is the third step of vulnerability assessment? A.Risk assessment B.Analysis C.Identification D.Remediation 3. In a(n) _____ scan, vulnerability scanning tools are used by an account that is actually logged in to the system (or sometimes network) being scanned. A.Agent-based B.Credential C.Credentialed D.Account 4. Which of the following is associated with updates to virus scanning programs? A.Signature updates B.Scan updates C.Malware updates D.Worm updates 5. A risk register is a document that security professionals and project managers use to address risk _____. A.Management B.Reports C.Tools D.Assessments Answers: 1. Inactive 2. Risk assessment 3. Credentialed 4. Signature updates 5. Management
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.